I am currently running avast! version 4.8 Home Edition on Windows XP. Today I was infected by “Spyware Protect 2009” which, I’m reading, is a scam.
It seems avast did not detect it and protect my machine. Can avast clean my machine? I found a sysguard.exe in my \Windows directory. I renamed it, which seemed to stop some of the reoccurring popups/problems. I still see IE is behaving strangely, so I’m using Firefox.
Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
The actual scam of fake security alerts doesn’t actually do anything other than put out the bait, e.g. your system is infected/vulnerable, etc., inviting you to visit a site and/or run a scan. It is at that point that you are likely to become properly infected or asked for payment.
avast does pick up on some of these but they are constantly changing. Send the sysguard.exe to avast for analysis, so it might be added.
Send the sample to virus@avast.com, zipped and password protected, with the password in the email body (a link to this topic might help) and false positive/undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
After you have sent the sample:
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware, On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
I can try refreshing my original target page. I may get the desired page or I may get this browser-security page. I always get this browser-security page if I Google “spyware” - hmmm.
I’ve executed the 8 steps in the first “I suggest:” posting - twice. It seemed to kick off reinstalls of some software items.
It was afterwards that I was still observing the IE browser-security problem.
I emailed the sysguard.exe.
I’ve attached my hijackthis.log to this posting.
I have not done the “MalwareBytes Anti-Malware” yet.
MBAM may resolve some (or all) of the problems shown below from your HJT log:
We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed. Related to Yahoo Companion!