Spyware Guard Remover

Written by Administrator | Thursday, 17 September 2009 18:18

Information

The particularity of this virus is that it disables all services and networks you can not connect to other networks.

Some variants of this malware prohibits launching of any application. So how could this patch happens to run? Just renaming the file to rundll32.exe? The advantage of this patch is that it removes all restrictions in your system and your system's parameters. Other tools or Antivirus only remove the virus without restauring your system.

Variantes:

Mal/EncPk-CZ [Sophos]
Rootkit.Win32.TDSS [Ikarus]
SpywareGuard2008 [Symantec]
Program:Win32/FakeSpyguard [Microsoft]

File

<CommonAppData>\svhost.exe
<DesktopDir>\Spyware Guard 2008.lnk
<Windir>\reged.exe
<Windir>spoolsystem.exe
<Windir>sys.com
<Windir>syscert.exe
<Windir>\sysexplorer.exe
<Windir>\vmreg.dll
<System>\winscenter.exe
<Programs>\Spyware Guard 2008\Spyware Guard 2008.lnk
<Programs>\Spyware Guard 2008\Uninstall.lnk
<ProgramFiles>\Spyware Guard 2008\conf.cfg
<ProgramFiles>\Spyware Guard 2008\mbase.vdb
<ProgramFiles>\Spyware Guard 2008\quarantine.vdb
<ProgramFiles>\Spyware Guard 2008\queue.vdb
<ProgramFiles>\Spyware Guard 2008\spywareguard.exe
<ProgramFiles>\Spyware Guard 2008\uninstall.exe
<ProgramFiles>\Spyware Guard 2008\vbase.vdb

Process :

<ProgramFiles>\spyware guard 2008\spywareguard.exe
<System>\winscenter.exe
<CommonAppData>\svhost.exe

Registre

Created keys :

HKEY_CURRENT_USER\Software\Spyware Guard

HKEY_CURRENT_USER\Software\Spyware Guard 2008

HKEY_CURRENT_USER\Software\Spyware Guard 2008\Info

HKEY_CURRENT_USER\Software\Spyware Guard 2008\Lic

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1F38E8-7785-430C-958D-B9E219BB8E9D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1F38E8-7785-430C-958D-B9E219BB8E9D}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

Created values :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

CTEMON.EXE = ""%CommonAppData%\svhost.exe" /h" /*Variante*/

spywareguard = "%ProgramFiles%\Spyware Guard 2008\spywareguard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}\InprocServer32]

(Default) = "%CommonAppData%\Microsoft\Internet Explorer\DLLs\pgiobxtrjv.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}]

(Default) = "InternetConnection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

ieModule = "{9E1F38E8-7785-430C-958D-B9E219BB8E9D}"

InternetConnection = "{09A5261D-ED19-44E2-9CBD-B3CD262311BF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1F38E8-7785-430C-958D-B9E219BB8E9D}\InprocServer32]

(Default) = "%CommonAppData%\Microsoft\Internet Explorer\DLLs\ieModule.dll"

ThreadingModel = "Apartment"

Et tous les restrictions dans

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

ATTENTION You should download this patch on another machine and run it on the infected machine. Do not change the name of the patch (rundll32.exe). It is better to launch the patch in safe mode but the patch will still be effective even in normal mode.