Author Topic: Spyware Protect 2009  (Read 7325 times)

richzebro

  • Guest
Spyware Protect 2009
« on: April 07, 2009, 05:29:38 PM »
I am currently running avast! version 4.8 Home Edition on Windows XP.  Today I was infected by "Spyware Protect 2009" which, I'm reading, is a scam.

It seems avast did not detect it and protect my machine.  Can avast clean my machine?  I found a sysguard.exe in my \Windows directory.  I renamed it, which seemed to stop some of the reoccurring popups/problems.   I still see IE is behaving strangely, so I'm using Firefox.

Help!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Spyware Protect 2009
« Reply #1 on: April 07, 2009, 05:32:21 PM »
I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

richzebro

  • Guest
Re: Spyware Protect 2009
« Reply #2 on: April 07, 2009, 05:37:47 PM »
Many thanks - I'll provide an update.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: Spyware Protect 2009
« Reply #3 on: April 07, 2009, 05:50:16 PM »
The actual scam of fake security alerts doesn't actually do anything other than put out the bait, e.g. your system is infected/vulnerable, etc. inviting you to visit a site and/or run a scan. It is at that point that you are likely to become properly infected or asked for payment.

avast does pick up on some of these but they are constantly changing, send the sysguard.exe to avast for analysis, so it might be added.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

After you have sent the sample.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

richzebro

  • Guest
Re: Spyware Protect 2009
« Reply #4 on: April 08, 2009, 04:35:17 PM »
I ran through the suggested procedures twice.   I don't see evidence of the Spyware Protect 2009 but I do see:
* My machine is running slower, perhaps because of the additional scanning software.
* I get a periodic IE problem, where it redirects to:

http://browser-security.microsoft.com/blocked.php?r=21.0

I can try refreshing my original target page.  I may get the desired page or I may get this browser-security page.  I always get this browser-security page if I Google "spyware" - hmmm.

So, I suspect something is still wrong with IE.

richzebro

  • Guest
Re: Spyware Protect 2009
« Reply #5 on: April 08, 2009, 04:36:21 PM »
Also, I'm very appreciative of the quick response.   Overall, I've been impressed with Avast!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Spyware Protect 2009
« Reply #6 on: April 08, 2009, 04:57:37 PM »
Also, I'm very appreciative of the quick response.   Overall, I've been impressed with Avast!
You've discovered us ;D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: Spyware Protect 2009
« Reply #7 on: April 08, 2009, 06:18:53 PM »
Also, I'm very appreciative of the quick response.   Overall, I've been impressed with Avast!

You're welcome.

I would suggest continuing with the steps Tech gave, completing one and reporting the findings before proceeding to the next step.

richzebro

  • Guest
Re: Spyware Protect 2009
« Reply #8 on: April 08, 2009, 06:42:10 PM »
I've executed the 8 steps in the first "I suggest:" posting - twice.  It seemed to kick off reinstalls of some software items.
It was afterwards that I was still observing the IE browser-security problem.
I emailed the sysguard.exe.
I've attached my hijackthis.log to this posting.

I have not done the "MalwareBytes Anti-Malware" yet.

richzebro

  • Guest
Re: Spyware Protect 2009
« Reply #9 on: April 08, 2009, 06:43:04 PM »
I'm also running a "Thorough" scan.

Spiritsongs

  • Guest
Re: Spyware Protect 2009
« Reply #10 on: April 08, 2009, 08:29:33 PM »
 :)  Hi :

 Malwarebytes Anti-Malware is the PRIMARY program that should be used to
 combat "Rogue" programs .

CharleyO

  • Guest
Re: Spyware Protect 2009
« Reply #11 on: April 09, 2009, 01:39:56 AM »
***

MBAM may resolve some (or all) of the problems shown below from your HJT log :

We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall.


C:\Program Files\iWin Games\iWinGamesInstaller.exe
Bad entry that should be fixed with HJT.
http://www.prevx.com/filenames/X335343130068451638-X1/IWINGAMESINSTALLER.EXE.html

C:\Program Files\Search Settings\SearchSettings.exe
Generally considered to be a trojan and should be fixed with HJT.
http://www.pcpitstop.com/libraries/process/i/SearchSettings.exe.html

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
Bad entry that should be fixed.
http://www.spyandseek.com/Search.php?search_for=E312764E-7706-43F1-8DAB-FCDD2B1E416D&search=SAS-Search

O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
O1 - Hosts: 91.212.65.127 spywareprotector-2009.com
O1 - Hosts: 91.212.65.127 www(dot)spywareprotector-2009(dot)com
O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com

Bad entries that must be fixed.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed. Related to Yahoo Companion!

O2 - BHO: BHO - {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - C:\WINDOWS\system32\iehelper.dll
Bad entry that should be fixed with HJT.
http://www.what-is-exe.com/filenames/iehelper-dll.html

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
Bad entry that should be fixed.
http://www.spyandseek.com/Search.php?search_for=E312764E-7706-43F1-8DAB-FCDD2B1E416D&search=SAS-Search

O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
Bad entry that should be fixed.
http://www.spyandseek.com/Search.php?search_for=E312764E-7706-43F1-8DAB-FCDD2B1E416D&search=SAS-Search

O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
Bad entry that should be fixed.
http://www.prevx.com/filenames/X335343130068451638-X1/IWINGAMESINSTALLER.EXE.html


***
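
Added example, not part of the thread or of any poster's tooling: the O1 lines in the log above map browser-security.microsoft.com, the hostname in the redirect reported in Reply #4, to 91.212.65.127 through the hosts file. This sketch pulls O1 entries out of a HijackThis log and flags hostnames sent to a non-local address; the function names and the vendor-suffix list are assumptions made for illustration.

```python
import ipaddress
import re

# The 91.212.65.127 lines and the O2 line are copied from the log excerpt above;
# the 127.0.0.1 and 0.0.0.0 lines are constructed here as benign input.
SAMPLE_LOG = """\
O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
O1 - Hosts: 91.212.65.127 spywareprotector-2009.com
O1 - Hosts: 91.212.65.127 www(dot)spywareprotector-2009(dot)com
O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.test
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
"""

# Assumption: vendor domains a home PC has no reason to pin in its hosts file.
VENDOR_SUFFIXES = ("microsoft.com", "windowsupdate.com")
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

def parse_o1(log_text):
    """Return (ip, hostname) pairs for the O1 (hosts file) lines of a log."""
    pairs = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if not m:
            continue  # not a hosts-file entry
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is not an IP address
        host = m.group(2).replace("(dot)", ".").lower()  # undo forum defanging
        pairs.append((ip, host))
    return pairs

def suspicious_redirects(log_text):
    """Group hostnames by the non-local address the hosts file maps them to."""
    hits = {}
    for ip, host in parse_o1(log_text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries are defaults or blocks
        hits.setdefault(str(ip), []).append(host)
    return hits

def spoofed_vendor_hosts(log_text):
    """List vendor hostnames that the hosts file sends to a non-local address."""
    return [(host, ip) for ip, hosts in suspicious_redirects(log_text).items()
            for host in hosts
            if any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)]
```

On the sample, all four 91.212.65.127 entries are grouped under that address and browser-security.microsoft.com is the one vendor name reported as overridden.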