FrEn

E-mail Print PDF

Spyware Guard Remover
Written by Administrator  |  Thursday, 17 September 2009 18:18
AddThis Social Bookmark Button

Information

The particularity of this virus is that it disables all services and networks you can not connect to other networks.

Some variants of this malware prohibits launching of any application. So how could this patch happens to run? Just renaming the file to rundll32.exe? The advantage of this patch is that it removes all restrictions in your system and your system's parameters. Other tools or Antivirus only remove the virus without restauring your system.

Variantes:

  • Mal/EncPk-CZ [Sophos]
  • Rootkit.Win32.TDSS [Ikarus]
  • SpywareGuard2008 [Symantec]
  • Program:Win32/FakeSpyguard [Microsoft]


File

  • <CommonAppData>\svhost.exe
  • <DesktopDir>\Spyware Guard 2008.lnk
  • <Windir>\reged.exe
  • <Windir>spoolsystem.exe
  • <Windir>sys.com
  • <Windir>syscert.exe
  • <Windir>\sysexplorer.exe
  • <Windir>\vmreg.dll
  • <System>\winscenter.exe
  • <Programs>\Spyware Guard 2008\Spyware Guard 2008.lnk
  • <Programs>\Spyware Guard 2008\Uninstall.lnk
  • <ProgramFiles>\Spyware Guard 2008\conf.cfg
  • <ProgramFiles>\Spyware Guard 2008\mbase.vdb
  • <ProgramFiles>\Spyware Guard 2008\quarantine.vdb
  • <ProgramFiles>\Spyware Guard 2008\queue.vdb
  • <ProgramFiles>\Spyware Guard 2008\spywareguard.exe
  • <ProgramFiles>\Spyware Guard 2008\uninstall.exe
  • <ProgramFiles>\Spyware Guard 2008\vbase.vdb


Process :

  • <ProgramFiles>\spyware guard 2008\spywareguard.exe
  • <System>\winscenter.exe
  • <CommonAppData>\svhost.exe


Registre

  • Created keys :
  • HKEY_CURRENT_USER\Software\Spyware Guard
  • HKEY_CURRENT_USER\Software\Spyware Guard 2008
  • HKEY_CURRENT_USER\Software\Spyware Guard 2008\Info
  • HKEY_CURRENT_USER\Software\Spyware Guard 2008\Lic
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1F38E8-7785-430C-958D-B9E219BB8E9D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1F38E8-7785-430C-958D-B9E219BB8E9D}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
  • Created values :
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • CTEMON.EXE = ""%CommonAppData%\svhost.exe" /h" /*Variante*/
    • spywareguard = "%ProgramFiles%\Spyware Guard 2008\spywareguard.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}\InprocServer32]
    • (Default) = "%CommonAppData%\Microsoft\Internet Explorer\DLLs\pgiobxtrjv.dll"
    • ThreadingModel = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}]
    • (Default) = "InternetConnection"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    • ieModule = "{9E1F38E8-7785-430C-958D-B9E219BB8E9D}"
    • InternetConnection = "{09A5261D-ED19-44E2-9CBD-B3CD262311BF}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1F38E8-7785-430C-958D-B9E219BB8E9D}\InprocServer32]
    • (Default) = "%CommonAppData%\Microsoft\Internet Explorer\DLLs\ieModule.dll"
    • ThreadingModel = "Apartment"
  • Et tous les restrictions dans
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System


ATTENTION You should download this patch on another machine and run it on the infected machine. Do not change the name of the patch (rundll32.exe). It is better to launch the patch in safe mode but the patch will still be effective even in normal mode.

 

 

Download
 

Add comment


Security code
Refresh

Related articles
Latest posts
Free malware removal tool to remove Total Vista Security
_WRITTEN_BY Administrator 16/03/2010
Total Vista Security is a rogue antispyware that may reprensent security risk for your system, it's a malware that pretends to be an Antivirus. Total Vista Security conducts a fake scan of your…Read more...
Free malware removal tool to remove Virus Protector
_WRITTEN_BY Administrator 15/03/2010

Virus Protector is a rogue Antispyware that pretends to be an Antivirus. It is a wolf in sheep's clothing. It conducts a fake scan of your system; you are warned by a fake alarm that there are…Read more...

Free malware removal tool to remove Dr. Guard
_WRITTEN_BY Administrator 01/03/2010
Dr. Guard is a rogue Antispyware from the Paladin Antivirus Family, it's a malware that pretends to be an Antivirus. It is a wolf in sheep's clothing. It conducts a fake scan of your system; you are…Read more...
Free malware removal tool to remove Paladin Antivirus
_WRITTEN_BY Administrator 27/02/2010
Paladin Antivirus is a rogue Antispyware, a scareware, it's a malware that pretends to be an Antivirus. It is a wolf in sheep's clothing. It conducts a fake scan of your system; you are warned by a…Read more...
Free malware removal tool to remove PC Defender
_WRITTEN_BY Administrator 24/02/2010
PC Defender is a rogue Antispyware, it's a malware that pretends to be an Antivirus. It is a wolf in sheep's clothing. It conducts a fake scan of your system; you are warned by a fake alarm that…Read more...
.
Information | Contact

© All Rights Reserved. net-studio.org 2009