Does OnGuard really work?
Crunge
02-05-2008, 03:05 PM
I just purchased the full version of SD because I wanted to prevent malware from reaching my machine in the first place, rather than just finding it on a scan. My understanding was that OnGuard would do just this. However, it doesn't seem to work that way, so please correct me if I misunderstood what OnGuard is supposed to do.
I am running SD 5.5.0.178. I ran an Intelli-Scan last night and it was clean. This morning, about 9 hours later and without having used the machine AT ALL, I ran another Intelli-Scan and it said I was infected with Trojan.Bankem. How did this happen with OnGuard running? I'm using Vista 32-bit and have the firewall turned on.
Since then I've done some normal web browsing (Google, Yahoo, Gizmodo, Engadget) and have run a few more scans, only to have it find Trojan-Dropper.Agent.XT, and then on the next scan (two minutes later) it found both Trojan.Virtumonde and Adware.Transponder_Twain-tech.
Again... I thought OnGuard was supposed to prevent this stuff from getting on my machine. If not, why did I just pay for the full version?
mjq424
02-05-2008, 03:22 PM
Hi
You seem to be accumulating a lot of infections. What kind of websites are you browsing? OnGuard should prevent many of these infections; please check that it is ON. What anti-virus are you using?
Hope that helps
Crunge
02-05-2008, 03:36 PM
I listed the sites I regularly visit (Google, Yahoo, Gizmodo, Engadget.) Add to that Gmail and that's about it. I use AVG anti-virus and have the paid version of that so it checks for new updates every three hours.
OnGuard is definitely on, and I even changed FileGuard to check "All Files and Processes."
BTW, I just ran another scan and it found Trojan.SC_Keylogger. This is frustrating; I upgraded SD to stop these from getting in, and hopefully figure out where in the world they were coming from. So far, no luck.
mjq424
02-05-2008, 03:44 PM
Hi
Would it be possible for you to attach log files to this thread, as I am curious as to how you are getting these infections?
Crunge
02-05-2008, 04:28 PM
Matt,
I'd be happy to attach the log files but I'm not sure what you're after. I see a folder called c:\Program Files\Spyware Doctor\log but it's empty. I don't see a setting in SD to have it log all activity. I see the history and I exported that to HTML but that doesn't seem to be what you're after.
Please let me know how I can get you the logs you're after and I'll be happy to post them. Thanks.
mjq424
02-05-2008, 04:45 PM
Hi
If you could attach the html file that would be a great start.
Crunge
02-05-2008, 06:36 PM
Matt, here is an edited version of the file (it was too large to upload.)
Here are some details to notice: I finished a scan 2/4/2008 10:13:53 PM and it was clean. At 2/5/2008 5:00:08 AM a scheduled scan ran. It was clean. At 2/5/2008 7:05:57 AM I kicked off a scan and it found Trojan.Bankem, even though I hadn't yet used the machine, including not even opening a browser.
A scan at 2/5/2008 9:40:48 AM detected Trojan-Dropper.Agent.XT. A scan at 2/5/2008 9:42:51 AM found Adware.Transponder_Twain-tech and Trojan.Virtumonde.
UPDATE: I added a second file, SD2. I closed IE7 and had no apps running. I ran a scan and all was clear. 1 minute later I ran another scan and it found Backdoor.Blackhole. Again, I'm just very confused: 1) why OnGuard is not blocking such things, and 2) what hole I have open that allows this stuff to find me in the first place. Again, Matt, thanks for the help so far.
mjq424
02-05-2008, 08:03 PM
Hi
One of the infections detected was a backdoor and several look to have rootkit-like behaviour. It could be that your machine is compromised :(
My advice is to head over to www.malwareremoval.com/forum and post a HijackThis log there for the experts to assist you.
Hope that helps
c_edge
02-05-2008, 10:41 PM
It looks like you have an infection on your machine which is downloading all those other infections. This could be a new variant or an older infection for which a signature has not yet been created. Best thing to do here would be to run the Malware log which passes this info to PC Tools. If you have sent a support ticket before, you could possibly use this ticket number when running the tool, otherwise just PM achen and he can create one for you.
c_edge
sulliman24
02-06-2008, 08:23 AM
I was just going to add that when infections start popping out of nowhere like that it usually means the main variant of the infection was already on your computer before Spyware Doctor was installed.
Crunge
02-06-2008, 03:10 PM
Thanks for all the suggestions. Here is what I have done:
1. Ran F-Secure Blacklight to search for rootkits. Nothing found.
2. Ran the Malware Detective in Spyware Doctor and sent the results.
3. Ran HijackThis and posted a question at MalwareRemoval (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=27645)
4. Booted to safe mode and ran a full scan of Spyware Doctor (nothing found).
mjq424
02-06-2008, 03:32 PM
Hi
Well the results of the blacklight scan are promising. I will follow your topic at MalwareRemoval with interest (please bear in mind that that forum is quite busy).
mjq424
02-13-2008, 05:14 PM
Hi
Having been following your log at www.malwareremoval.com, it seems that your "infections" may well be false positives. If you could follow askey127's advice and make note of the files/registry being flagged and report them here that would be great.
Crunge
02-14-2008, 02:54 AM
I've been following the log as well, trying everything askey127 suggests. I'm not yet convinced that Spyware Doctor is finding false positives because a scan will come up clean, I won't use the computer at all for a few hours, and the next scan shows problems. Below are three items that popped up yesterday.
2/12/2008 10:07:35 AM:46 Infection cleaned
Threat Name - Application.KeyKey2000_Professional_Keylogger
Type - Startup
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager, BootExecute = %system%\loadkk.exe
2/12/2008 10:07:35 AM:56 Infection quarantined
Threat Name - Trojan-Spy.Delf.GEN
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager, BootExecute = %system%\logga.dll
2/12/2008 4:41:19 PM:378 Infection was detected on this computer
Threat Name - Backdoor.Sdbot.AAD
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager, BootExecute = %system%\lrsys.exe
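All three detections above point at the same persistence location, the BootExecute value under Session Manager, and the later posts turn on whether the referenced files actually exist. As an added example (not from this thread, Spyware Doctor or PC Tools), the Python script below decodes that REG_MULTI_SZ value from a `reg export` .reg file, lists any entry beyond the stock `autocheck autochk *`, and reports whether the file each extra entry names is present on disk; the registry path, the hex bytes and the `%system%` mapping are constructed for illustration.

```python
"""Decode the Session Manager BootExecute value from a .reg export and
flag entries beyond the one Windows installs itself.

BootExecute is REG_MULTI_SZ; ``reg export`` writes it as hex(7): a
comma-separated byte list of UTF-16LE strings, each NUL-terminated, with
an extra NUL closing the list. Long values continue on the next line
after a trailing backslash. Sample data below is constructed.
"""
import os
import re

# The entry a stock Windows install carries; anything else deserves a look.
EXPECTED = {"autocheck autochk *"}

# Constructed sample modelled on the thread's loadkk.exe detection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,25,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,25,00,5c,00,6c,00,6f,00,61,00,64,00,6b,00,6b,\
  00,2e,00,65,00,78,00,65,00,00,00,00,00
"""


def parse_boot_execute(reg_text):
    """Return the list of strings stored in the BootExecute value."""
    # Collapse .reg line continuations: ",\" newline, then indented bytes.
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    match = re.search(r'"BootExecute"=hex\(7\):([0-9a-fA-F,]+)', joined)
    if not match:
        raise ValueError("BootExecute value not found in export")
    raw = bytes(int(b, 16) for b in match.group(1).split(",") if b)
    # Each string ends in NUL; the trailing empty pieces are the list terminator.
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def unexpected_entries(entries, expected=EXPECTED):
    """Entries other than the stock one; these are what a scanner reports."""
    return [e for e in entries if e not in expected]


def triage(entries, exists=os.path.exists, system_dir=r"C:\Windows\System32"):
    """For each non-stock entry, expand %system% (the scanner's notation,
    assumed here to mean the System32 directory) and record whether the
    file is present. A missing file means the entry is stale or the file
    was already quarantined, which is exactly what to tell the vendor."""
    report = []
    for entry in unexpected_entries(entries):
        path = entry.replace("%system%", system_dir)
        report.append((entry, path, bool(exists(path))))
    return report
```

Run it against a real export of the Session Manager key to see what is actually stored there before deciding whether a detection is a false positive.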
AChen
02-14-2008, 05:17 AM
Crunge - are you running an application called KeyKey Professional? If so, SD will detect this as a commercial keylogger. Our detection name with the prefix Application. doesn't mean it's an infection, but will raise this as an awareness to the user.
Also if you are using this keylogger, logga.dll is a legitimate component of Trojan-Spy.Delf.Gen. In order for us to check this, could you send us logga.dll and the same applies to lrsys.exe. Please send to my email.
Crunge
02-14-2008, 02:16 PM
Crunge - are you running an application called KeyKey Professional?
No.
Also if you are using this keylogger, logga.dll is a legitimate component of Trojan-Spy.Delf.Gen. In order for us to check this, could you send us logga.dll and the same applies to lrsys.exe. Please send to my email.
Anthony, I can't find these files anywhere on my machine. I had SD fix these items so did it remove these files?
mjq424
02-14-2008, 04:02 PM
Hi
Did you have Spyware Doctor quarantine them or remove them? Please check the quarantine (under Settings).
AChen
02-15-2008, 06:05 AM
No.
Anthony, I can't find these files anywhere on my machine. I had SD fix these items so did it remove these files?
We'll definitely need these files before we can do anything. So if they do return, send us these files and we can investigate this further.
Crunge
02-21-2008, 05:50 PM
Hi
Did you have Spyware Doctor quarantine them or remove them? Please check the quarantine (under Settings).
Sorry for the delay in replying. I'm on the road and don't have access to that machine at the moment. Whenever SD finds nasties, I have them quarantined. I can go there and see them in the quarantine area. But if I look on the disk before I do that, I don't actually see the files. Once I have put them in quarantine, is it possible to get a copy to then send on to PC Tools?
mjq424
02-21-2008, 06:00 PM
Hi
I believe that whatever files are in quarantine are included in the report created by the Malware Detective Tool when you run that.
Otherwise you could post a screenshot of the quarantine page.