Junior Member with 1 posts.

Spyware Protect 2009 and keylogger

First, I want to say thanks. I found a lot of useful information here, and I wanted to share my experience to help others.
Last Friday our laptop became infected with a virus that called itself "Spyware Protect 2009." And I want to caution EVERYONE to be very careful even after this virus is "removed." Our computer was still infected, but with a different virus.
Spyware Protect 2009 made a similar showing as others have described for the Antivirus 2009. The pc ran really slow and access to websites was very slow or blocked with claims of infection. The virus produced lots of pop-ups telling me the pc was infected with viruses and claimed to have found a few. Then, a McAfee (antivirus that was installed and running) pop-up indicated that a virus was found and quarantined.
It's a clever strategy that the real virus program actually starts loading other real viruses on your pc to trick you. Your resident antivirus program flags one or two, but their pop-ups tell you about that and more to convince you that you need their product. It's also impossible to close their pop-ups in a safe way.
We never fell for the virus tricks, and we'd power down the computer and start over, but over time the virus becomes more aggressive in blocking internet access.
The real virus program will not let you even visit the malwarebytes website by name -- the website is blocked as an infected site. If you search the malware hjt forums, you can find links to the malwarebytes download website where the IP address (numbers) is given. That work-around worked for me. As already mentioned in the forums, the virus will not allow you to run the set-up or executable until you change the name.
A few days after we thought we were clean, my wife tried to visit our bank online. The login page was ok, but the next page that came up was different. She got a form asking for social security, bank account, credit card, ATM, phone numbers... she immediately called the bank and they confirmed this was not their webpage.
I then ran some other anti-virus software that found an agent32 virus AND Matewatcher. Matewatcher is a keylogger program. Every time I cleaned the pc and re-booted, the virus executable was back, but with a slightly different name (semi-random number generator).
To shorten the story: I ran HJT and looked at the log file. I noticed that the entries in the list of start-up programs seemed to be chronological. There was still an entry to load/start sysguard.exe (the name of the Spyware Protect 2009 virus) and immediately after a dll buried in each user account's Application -> Macromedia -> (can't remember the exact path name, sorry) was being run.
I had already un-installed Flash Player, Adobe Acrobat, etc. knowing they might have a security risk and planning to re-install after the pc was cleaned. After those entries I saw the newer anti-virus program start-up entry... so I told HJT to "fix" the sysguard and dll entries. But 2 of the dll entries didn't go away (I assumed because they were loaded at start up and still running).
So then I booted in safe mode and deleted the Macromedia folders from each user account. I ran a clean up program and then re-ran HJT. The log file was free of the dlls. Subsequent runs of the Asquared antivirus, Malwarebytes and Trend Micro all showed no Agent virus anymore.
Booted in normal mode and re-checked antivirus status using multiple products: all clean reports. Checked bank website and all was normal.
It took me almost 6 hours to figure all this out and get my pc clean. But it really scared me to find the key logger. Who knows if this got loaded last Friday or maybe was from before. McAfee never flagged any of that.
I'm still nervous that none of the antivirus programs detected the dll virus that kept running at start up and installing the keylogger and browser "helper" program that faked my bank's webpage(s) to trick me into giving my personal/credit information. Be careful!!
We have backed up all important data, and that computer's HD will be re-formatted and such this weekend. I feel it's the best/only way to make sure there are no timebombs hidden somewhere.
Anyways...sorry for the long story. Just wanted to share my experience. Good Luck.

Distinguished Member with 2,134 posts. Join Date: Dec 2004 Location: S.C Experience: Malware Fighter

Hi AnnArborStephen and Welcome to TSG
Thanks for your interesting story... There's a lot of Rogue Security Software and keyloggers out there. Sad!
Here is some useful information on keeping your computer clean:
- Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
- Here are two great preventive programs:
- SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
- Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
- Red for Warning
- Yellow for Use Caution
- Green for Safe
- Grey for Unknown
Here are the links to install SiteAdvisor in Internet Explorer and Firefox
Now you should Clean up your PC
Here are some additional links for you to check out to help you with your computer security. How did I get infected in the first place. Secunia software inspector & update checker Good free tools and advice on how to tighten your security settings.

Junior Member with 1 posts.

Thanks for this story AnnArborStephen..this actually helped me a lot..I just got this virus this morning..and I kinda just followed your story..I think it's gone. I had to install HJT and after I 'fixed' the sysguard the fake antivirus program just vanished..along with false antivirus warnings that were beginning to pop up. I hope it is gone for good..but I just wanted to say thanks for posting that story
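
The start-up review described in the first post (a leftover sysguard.exe entry followed by a DLL run from each user's Application Data folder, with the file name changing after every clean-up) can be automated against a HijackThis log. This is an added example, not code from the thread or from HijackThis. The sample log lines, paths and entry names are constructed, and flagging by location rather than by name is an assumption chosen because the post says the file name kept changing.

```python
import re

# HijackThis lists autorun entries as:  O4 - HKCU\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# User-writable profile folders; installed software normally starts from Program Files.
PROFILE_RE = re.compile(
    r"\\(documents and settings|users)\\[^\\]+\\(application data|appdata|local settings)\\",
    re.I)
KNOWN_BAD = {"sysguard.exe"}  # file name given in the first post

# Constructed sample log (not from the thread); PLACEHOLDER marks path parts the post omits.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\avtray.exe"
O4 - HKCU\..\Run: [system tool] C:\PLACEHOLDER\sysguard.exe
O4 - HKCU\..\Run: [ex12345] rundll32.exe "C:\Documents and Settings\user1\Application Data\Macromedia\PLACEHOLDER\ex12345.dll",Start
"""

def triage(log_text):
    """Return (name, command, reasons) for each suspicious O4 autorun entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an autorun (O4) line
        cmd = m["cmd"]
        low = cmd.lower()
        reasons = []
        if any(bad in low for bad in KNOWN_BAD):
            reasons.append("known rogue file name")
        if PROFILE_RE.search(cmd):
            # Location-based rule: still fires when the file is renamed.
            reasons.append("runs from user profile")
            if ".dll" in low:
                reasons.append("DLL in autorun command")
        if reasons:
            findings.append((m["name"], cmd, reasons))
    return findings

if __name__ == "__main__":
    for name, cmd, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {cmd}\n    -> {', '.join(reasons)}")
```

Entries flagged only by location still need a manual look, since some legitimate per-user software also starts from the profile.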
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.