TechSpot

Infected by the Spyware Protect 2009

By Manolo
Mar 25, 2009
  1. Meh, got it. I ran Hijackthis and this is the logfile. So far no major damage, although I cannot load security websites and forums (like this one) and not even run the mbam-setup.exe, SUPERAntiSpyware.exe and HijackThisInstaller.exe unless I change the filename. I can use explorer because I disabled a bunch of add-ons but that might not be the reason. Help please?
     

    Attached Files: hjt.log (5.6 KB)
  2. han solo

    han solo TS Rookie

    FOUND this:

    http://www.2-spyware.com/remove-spyware-protect-2009.html

    Or if you can't:

    Download this:
    http://www.pctools.com/downloads/afl_2-spyware/sdsetup.exe

    Or do it manually:
    Kill processes:

    Delete registry values:
    HKEY_CURRENT_USER\Software\AvScan
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysguardn"


    Delete files:
    Spyware Protect 2009.lnk
    Uninstall Spyware Protect 2009.lnk

    Hope it helps...

    peace
    han
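
The Run value and the AvScan key listed in the post above are registry entries, so they stay in place when a process is killed, and anything under the Run key is started again at the next logon. A read-only PowerShell check for them, as an added example that is not part of the original post; the function names and the `%WINDIR%` signature heuristic are assumptions of this example:

```powershell
# Added example (not from the thread). Read-only: lists autoruns, deletes nothing.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$avScanKey = 'HKCU:\Software\AvScan'     # key named in the post above
$knownBad  = @('sysguardn')              # Run value name from the post
$winDir    = $env:WINDIR.TrimEnd('\')

function Get-CommandTarget {
    param([string]$Command)
    # Pull the executable path out of a Run command line.
    $c = [Environment]::ExpandEnvironmentVariables($Command)
    if ($c -match '^\s*"([^"]+)"')    { return $Matches[1] }   # "C:\path\app.exe" /args
    if ($c -match '^\s*(.+?\.exe)\b') { return $Matches[1] }   # C:\path\app.exe /args
    return $c.Trim()
}

function Get-RunKeyFindings {
    if (-not (Test-Path $runKey)) { return }
    $key = Get-Item $runKey
    foreach ($name in $key.GetValueNames()) {
        $target = Get-CommandTarget ([string]$key.GetValue($name))
        if (-not $target) { continue }
        $exists = Test-Path -LiteralPath $target -PathType Leaf
        $sig = 'FileMissing'
        if ($exists) { $sig = [string](Get-AuthenticodeSignature -LiteralPath $target).Status }
        $reasons = @()
        if ($knownBad -contains $name) { $reasons += 'value name listed in the post' }
        # Assumed heuristic: autorun binary directly in %WINDIR% without a valid signature.
        if ($exists -and (Split-Path -Parent $target) -eq $winDir -and $sig -ne 'Valid') {
            $reasons += 'no valid signature, located directly in %WINDIR%'
        }
        [pscustomobject]@{
            Name = $name; Target = $target; Signature = $sig
            Flagged = ($reasons.Count -gt 0); Why = ($reasons -join '; ')
        }
    }
}

Get-RunKeyFindings | Format-Table -AutoSize -Wrap
"AvScan key present: $(Test-Path $avScanKey)"
```

A flagged row is a lead to investigate, not a verdict; compare it against the scanner logs requested later in the thread.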
     
  3. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    We request that all members follow this guide and attach the logs:
    UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    Note there is no need to purchase software and I would not recommend SpywareDoctor for that reason

    Also killing "processes" does not remove the infection

    Personally I would recommend that you also uninstall AVG Antivirus and then run the AVG Removal Tool, and then install the better Avira Antivirus. (ie AVG didn't save you this time - as per normal)
     
  4. han solo

    han solo TS Rookie

  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    My email Server has gone on the blink so please excuse the late reply. (presently just checking threads)

    Anyway "system restore" is not advised on a possible Malware infected computer
    As System Restore is usually the first place where infection is hit, therefore if run Windows itself may corrupt.

    I refer you to this ruling that states the 8-Step guide must be followed and the logs checked:
    Special governing rules for the Virus & Malware removal board
     
  6. han solo

    han solo TS Rookie

    Fair enough...I let this problem/solution fall into "better" hands...
     
  7. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    Ok, I ran Malwarebytes and found a bunch of stuff, but advised that I had to reboot to delete some of the files. Of course when I reboot I get the blue screen of death. After restarting I run HijackThis again. Attached are the logfiles. Btw, I had to rename the executable of Malwarebytes because the whatever I have avoids its execution.

    Meh, definitely AVG did not save me. Why do I need the AVG Removal Tool?
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well do this.

    Uninstall your AVG Antivirus
    Then run the removal tool
    Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

    Install Avira free AntiVirus

    Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
    You need to run this multiple times, until all hidden Malwares are uncovered and removed

    And this time also run SuperAntispyware (which will now likely work from doing the above) and provide that log too.

    By the way if you have any P2P software as recently discussed here
    Please remove that too.
     
  9. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    I ran first SuperAntiSpyware, then Malwarebytes and then HijackThis. Attached are the logfiles.
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Ah huh.
    And you decided to keep AVG even though it, well, it didn't help before :confused:
    That's sad :(
     
  11. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    Nono, I'm going to remove AVG as soon as I get rid of this trojan. I'm actually removing AVG right now in my laptop.
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Ok

    Please run a full scan with Avira once you do
    When it pops up with a found Virus, tick the option to apply this to all found malwares (quarantine that is)
    But you need to do this for the first one it finds.

    Please then provide the Avira log
     
  13. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    Ran Avira. Attached is the logfile
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I'm just going to post in Red a couple of results from the Avira scan (after AVG scan)
    This is highlighted because constantly other support members state I shouldn't say remove the useless AVG Antivirus :confused:

    Anyway, back to the issue at hand

    Combofix Instructions

    • Download Combofix to your desktop.
    • Double click Combofix & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
    Also attach a fresh HiJackThis scan run afterwards
     
  15. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    ok, ran Combofix and then HijackThis; it went pretty smooth
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Repair HijackThis entries

    Please run HijackThis scan and put a check beside the following entries.
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    I have highlighted one (DNS) entry "017" above if this entry is not provided by your ISP then it can be safely removed.
    I found that it is related to: University of California


    Remove ComboFix
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"
    (Note: 1 space after ComboFix in that uninstall command)


    Clear & Reset System Restore's Cache

    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    * Tick on the checkbox - Turn off System Restore on all drives
    * Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK


    Restart

    Have a nice day ;)
     
  17. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    All right, all done. I'll check later if everything is smooth/clean. If I find something off, I'll post here.

    Thank you for your help and making me remove AVG :). I'm installing AVIRA in all my computers and it's finding ugly stuff everywhere.
     
  18. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Do me a BIG favor.

    Reply on this thread with your findings and general thoughts on AVG8 and Avira http://www.techspot.com/vb/topic124174.html
    Basically "support" don't believe me :(

    And I'm fighting a one man show! ie me against the rest
     
  19. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    Done, ty for your help
     
Topic Status:
Not open for further replies.
