Sodding virus / spyware

k4p84

Hi all

One of my guys' laptops in the office has been infected by SpywareProtect2009.

This is proving very difficult to get rid of.

Yes, I have run the Symantec program the company uses. It says it has quarantined the little blighter but it keeps popping up.

It clearly is hiding itself in new and irritating places.

I'm going to go and hunt through the registry now to see what I can find there.

Does anyone know of a sure-fire way of getting it, freeware too?

Windows Defender and Windows Malicious Software Remover have not worked.

Yes, doing a complete reinstall is my preferred option, but this laptop has not been backed up so I need to get it back to an uninfected state to remove all vital files before I wipe her clean.

Any help is greatly appreciated.

ED
 
One thing to try that seems really stupid but has worked for me before is to try a system restore to before you got the spyware.

I had one that I just couldn't get rid of with any of the fixes / massive registry hacks on the net but a simple restore took care of it completely for me.
 
Had to remove this a few times for people.

Search for spyware protect with Windows search, copy and paste the path of the folder (unless you've removed it) into Notepad, start Task Manager and end:

sysguard.exe

%SYSTEMROOT%\sysguard.exe

sysguardn.exe

SpywareProtect2009.exe

Run regedit and delete:

HKEY_CURRENT_USER\Software\Spyware Protect 2009

Launch command prompt as administrator and locate the files:

run> dir/*volume* *filepath*

Example: dir/c C:\ProgramFiles\SpywareProtect2009

That'll display everything, including hidden files. Once you know you've got the right place, use cd *filepath* to change to that directory. Then get deleting.

Example:

C:\Windows\system32>dir/c C:\Users\Llwyd\Pictures

Volume in drive C has no label.

Volume Serial Number is 68DA-735C

Directory of C:\Users\Llwyd\Pictures

19/05/2009 12:08 <DIR> .

19/05/2009 12:08 <DIR> ..

02/11/2006 16:05 276,216 Autumn Leaves.jpg

04/05/2009 20:55 665 Sample Pictures.lnk

2 File(s) 276,881 bytes

2 Dir(s) 4,602,621,952 bytes free

C:\Windows\system32>cd C:\Users\Llwyd\Pictures

C:\Users\Llwyd\Pictures>del "Autumn Leaves.jpg"

NB: the "" either side of the filename only need to be there if it contains a space.

You can delete a load at once like this:

del "filename 1.txt" "filename 2.txt" "filename 3.txt"

You can also delete the folders and the contents like this:

rmdir /s foldername

eg: rmdir /s "Sample Music"

Google says these are what need to go:

sysguardn

sysguard.exe

sysguardn.exe

Uninstall Spyware Protect 2009.lnk

Spyware Protect 2009.lnk

SpywareProtect2009.exe

%SYSTEMROOT%\sysguard.exe

Check Task Manager after you're done too.
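
The manual checks in the post above, gathered into one read-only PowerShell script. This is an added example, not part of the original post: the process, file and registry names are the ones listed above, while the search folders and the listing of the standard Run autostart keys are assumptions added here.

```powershell
# Added example, read-only: reports what it finds, deletes and stops nothing.
# Process, file and registry names are the ones listed in the post above.
$procNames = 'sysguard', 'sysguardn', 'SpywareProtect2009'
$fileNames = 'sysguard.exe', 'sysguardn.exe', 'SpywareProtect2009.exe',
             'Spyware Protect 2009.lnk', 'Uninstall Spyware Protect 2009.lnk'
$regKey    = 'HKCU:\Software\Spyware Protect 2009'

# Assumption: folders worth searching; adjust for the machine in question.
$searchRoots = $env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE

# Standard per-user and per-machine autostart keys (not mentioned in the thread).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Find-ListedArtifacts {
    # 1. Running processes (Get-Process wants the name without ".exe").
    Get-Process -Name $procNames -ErrorAction SilentlyContinue |
        ForEach-Object { "PROCESS  $($_.Name) (PID $($_.Id))  $($_.Path)" }

    # 2. The registry key the post says to delete.
    if (Test-Path -LiteralPath $regKey) { "REGKEY   $regKey" }

    # 3. Listed file names anywhere under the search roots; -Force includes
    #    hidden and system files.
    foreach ($root in $searchRoots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $fileNames -contains $_.Name } |
            ForEach-Object { "FILE     $($_.FullName)" }
    }
}

function Get-AutostartEntries {
    # Every Run value with its command line, for manual review: an entry that
    # launches an unfamiliar executable is worth a closer look.
    foreach ($key in $runKeys) {
        $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "AUTORUN  $key  $($_.Name) = $($_.Value)" }
        }
    }
}

Find-ListedArtifacts
Get-AutostartEntries
```

Run it from an elevated PowerShell prompt so the search can read system folders; the recursive file search can take several minutes.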
 
Cheers for the help so far.

Alas, it has not saved itself under its own name as described in nearly all the online guides I have read through.

I cannot find it anywhere yet it pops up!!

Spyware scanners see it but do sweat FA about it or point me to a source.

ED
 
I've always found Trend Micro's HouseCall quite good at removing that spyware-that-claims-to-stop-spyware crap.
 
The best two antispywares out atm that you can generally count on are SUPERAntiSpyware and Malwarebytes.

Malwarebytes does not catch as much but usually is better at cleaning the proper nazis/nasties.
 