
"Scareware"! Spyware Protect 2009, sysguard.exe

Discussion in 'Security and Privacy' started by robertpri, 2009/11/27.

  1. 2009/11/27
    robertpri

    robertpri Inactive Thread Starter

    Joined:
    2009/03/28
    Messages:
    19
    Likes Received:
    0
    This scareware hit hard earlier in the year, and is making a new attack. My son just called and he was getting those annoying popups that he had a serious virus and the "only" way to fix it was to buy the software that was linked to the popup.

    It took us about two hours to find all the variations of 'sysguard.exe' in his registry and files/folders. Even after deleting them and rebooting, it was back. The 'trigger' was a file in one of the registry run strings renamed EPHQsysguard.exe, that reinstalled the thing upon reboot.

    More Internet searching found that this new variant, which seems to be generated in the Philippines, keeps changing the name, but 'sysguard' is in there someplace.

    We finally booted to safemode, killed the beast, emptied the recycle bin and rebooted.

    Finally got it, but beware of this new strain of scareware.
     
  2. 2009/12/19
    barry2616

    barry2616 Inactive

    Joined:
    2007/06/25
    Messages:
    44
    Likes Received:
    0


    Tell me about it!! I was just hit with this very same one last night. I was up for hours cleaning my system. The name was XXXXsysguard and it was blocking internet, task manager, etc...all the usual stuff.

    One other thing I noticed which I'm not sure if you checked or not, but my router got hacked too as there was another virtual server (port forwarding) created in it. Make sure to check your router settings!

    I now have some issues with my security event viewer which I'm trying to determine if normal or not.

    Thanks!
     


  4. 2009/12/19
    robertpri

    robertpri Inactive Thread Starter

    Joined:
    2009/03/28
    Messages:
    19
    Likes Received:
    0
    Ouch! We had to use safemode to kill the thing, or it reproduced itself on every normal reboot. It renames itself every time but "[4 odd digits]sysguard" is part of the folder/file.

    No, didn't think about the router. I will alert my son.

    Thanks!
     
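As an added illustration, not code from anyone in this thread, here is a Python check for the persistence mechanism described in the first post and in post 4: a Run-key value whose name or executable is a short random prefix glued to "sysguard". The regex and the sample entries are assumptions modelled on those descriptions; on Windows the script enumerates the live Run keys, elsewhere it runs over the constructed sample.

```python
import re
import sys

# The thread describes the dropper as a Run-key entry whose name and executable
# are a random 4-character prefix glued to "sysguard" (e.g. EPHQsysguard.exe).
# This pattern is an assumption drawn from that description, not a vendor signature.
SUSPECT_RE = re.compile(r'^[A-Za-z0-9]{0,8}sysguard(\.exe)?$', re.IGNORECASE)

def executable_basename(command):
    """Return the file name of the program launched by a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]            # quoted path
    else:                                             # unquoted: cut at first .exe
        m = re.match(r'(.*?\.exe)(\s|$)', command, re.IGNORECASE)
        exe = m.group(1) if m else command.split(' ', 1)[0]
    return exe.replace('/', '\\').rsplit('\\', 1)[-1]

def flag_run_entries(entries):
    """Return the (hive, value_name, command) triples that look like the dropper;
    either the value name or the executable name may carry the sysguard string."""
    return [e for e in entries
            if SUSPECT_RE.match(executable_basename(e[2])) or SUSPECT_RE.match(e[1])]

def read_live_run_keys():
    """Enumerate the per-machine and per-user Run keys on Windows; [] elsewhere."""
    if sys.platform != 'win32':
        return []
    import winreg
    entries = []
    for label, hive in (('HKLM', winreg.HKEY_LOCAL_MACHINE), ('HKCU', winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, r'Software\Microsoft\Windows\CurrentVersion\Run') as key:
                for i in range(winreg.QueryInfoKey(key)[1]):    # [1] = number of values
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((label, name, str(value)))
        except OSError:
            pass
    return entries

# Constructed sample entries modelled on the thread (not real captured data).
SAMPLE_ENTRIES = [
    ('HKCU', 'EPHQsysguard', r'C:\Documents and Settings\user\Local Settings\Application Data\ephqsysguard\EPHQsysguard.exe'),
    ('HKLM', 'ctfmon.exe', r'C:\WINDOWS\system32\ctfmon.exe'),
    ('HKLM', 'Antivirus', r'"C:\Program Files\AV\av.exe" /startup'),
]

if __name__ == '__main__':
    for hit in flag_run_entries(read_live_run_keys() or SAMPLE_ENTRIES):
        print('suspect Run entry:', hit)
```

A flagged entry is a lead to investigate, as the thread notes the file renames itself on every reboot, so the prefix will differ from machine to machine.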
  5. 2009/12/19
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    robertpri, Welcome to WindowsBBS :)

    Whilst you alert your son about the router you may wish to confirm the system is clean.

    Advise him to read this and post requested logs in the Malware and virus removal board.

    Be aware that only Malware analysts will advise and they are extremely busy at the moment. Your post will be taken on a first-come, first-served basis and it may take a few days before you receive a reply.

    EDIT:
    I've just noticed you started this thread 3 weeks ago; if the symptoms haven't recurred then please ignore the above unless you still have cause for concern.
     
    Last edited: 2009/12/19
  6. 2009/12/20
    Jilly

    Jilly Inactive

    Joined:
    2009/12/12
    Messages:
    555
    Likes Received:
    1
    Hi, Robertpri,

    Wow, what a great dad you are!!! Lucky son!

    Now, I think it might be very illuminating/educational/useful for us to know, if you don't mind sharing, which apps yr son was running when this disgusting thing got in; which firewall, which antivirus and, if any, which antispy with real time protection if any?
     
    Last edited: 2009/12/20
  7. 2009/12/20
    robertpri

    robertpri Inactive Thread Starter

    Joined:
    2009/03/28
    Messages:
    19
    Likes Received:
    0
    No, we got lucky.
    I am not sure what he has, we were on the phone long distance the whole time. I was able to research this virus because he was locked out. Nothing worked, no Internet, no scanning, disabled firewall, disabled Task Manager, etc.

    But here is the bizarre thing. I mentioned it to a friend the next day, and he had the exact same problem two weeks earlier! He called his computer guru pal who said to shut off the machine, turn it back on, and boot to safemode. Then use Restore to a week earlier. It worked.

    His friend said the SOBs who do this hijack an innocent web site. You click there, and this ransomware runs. His said, "Pay $49.95 and we will unlock your computer".

    Big companies can afford web site protection, but the typical sites cannot, so it could come from any site.

    He also said my friend's mistake was in clicking the cancel button or the X close on the ransomware, which only installs it. The key is to just press Alt-F4 to close the menu, and continue to press Alt-F4 until all tabs are closed. Do not press any other key, even the space bar. Just Alt-F4 until all tabs are closed.

    Then close the browser and scan for any crumbs left over.
     
  8. 2009/12/20
    Jilly

    Jilly Inactive

    Joined:
    2009/12/12
    Messages:
    555
    Likes Received:
    1
    Hi again,

    Thanks for sharing details re yr friend's mistake.

    Perhaps no given amalgam of protection apps would have prevented this disgusting, but I am still interested in knowing what your son had in place re the different categories of protection apps when the evil thing arrived, just in case we can learn from that.

    I am also interested in what his default browser is.

    But it's not urgent.:)

    I have chosen to forego routers in my apartment and stick with my RCN coaxial modem and plain old ethernet, including when I am on my laptop in here.
     
    Last edited: 2009/12/20
  9. 2009/12/20
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    Not a good idea, Jilly; for the price nowadays, NAT routers do offer a reasonable first line of defence for the home/small office user.

    Even before I went wireless, when we had broadband installed a NAT router was the first thing that went in. Now this system is behind one router and basic security, but my other systems are behind a second router and a secure firewall system, and this is still a home setup :eek:
     
  10. 2009/12/20
    barry2616

    barry2616 Inactive

    Joined:
    2007/06/25
    Messages:
    44
    Likes Received:
    0
    Robertpri, does your son have any weird security event logs since this virus happened?

    As I posted in http://www.windowsbbs.com/general-s...-advapi-logon-process-my-computer-secure.html

    after this exact same virus I now see a bunch of odd security logs, so although sysguard is gone from the registry, etc...I'm wondering if it didn't change some local or group policy settings that may need to be adjusted back as well.

    This is one nasty malware/virus.

    Thanks
     
  11. 2009/12/20
    Jilly

    Jilly Inactive

    Joined:
    2009/12/12
    Messages:
    555
    Likes Received:
    1
    Truly, Sean???? Well! I will now explore this!

    I am, as always, grateful to be opened up to something viable my paranoia and ignorance may have precluded my getting!!

    It really is annoying to always be unplugging the ethernet cable to move it from one system to another. :eek:

    I thought routers made us MORE vulnerable to those insects I have never had, but live in mortal fear of and try to fend off as intelligently as I can.

    And, perhaps unrelatedly, but not really, I understand your transfer rates over there are dramatically higher than here. I.e., I have the fastest of the 4 my provider, RCN, offers, 20 mps.....and it ain't cheap.
     
    Last edited: 2009/12/20
  12. 2009/12/20
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    Helen, stop calling me Sean, it's Paddy :rolleyes:

    Don't confuse wireless with routers; yes, Wi-Fi does have additional risks, but a hard-wired system behind a NAT router is better protected than one connected directly to the internet.

    I'm on up to 10Mb's (usually ~8Mb's), which is the cheapest my provider supplies. I can go up to 50 (and soon, in Dundee anyway, 100) but I don't need any faster than I have. The internet costs me around £15 a month.

    In saying that, my father is up to 16Mb's but at best achieves 2Mb's (different provider and 150+ miles away).

    Anyway, It is unrelated so start a new thread if you wish to discuss it further:p
     
  13. 2009/12/20
    Jilly

    Jilly Inactive

    Joined:
    2009/12/12
    Messages:
    555
    Likes Received:
    1
    Last edited: 2009/12/20
  14. 2009/12/20
    Jilly

    Jilly Inactive

    Joined:
    2009/12/12
    Messages:
    555
    Likes Received:
    1
    Yep, I got the "I need to start a new thread" before you posted, and I shall.

    I know it's Paddy, I am playing re Mr. Connery. It's a compliment. Well, was meant to be.:)
     
  15. 2009/12/20
    robertpri

    robertpri Inactive Thread Starter

    Joined:
    2009/03/28
    Messages:
    19
    Likes Received:
    0
    I will check with him. Yes, nasty indeed! Want to read some horror stories?

    Run a Google search on:

    sysguard

    Lots of infections
     
  16. 2009/12/20
    Jilly

    Jilly Inactive

    Joined:
    2009/12/12
    Messages:
    555
    Likes Received:
    1
    I would very much appreciate your checking; again, I feel we can all learn from the report.

    I demur on the reading about the terrifying insects for now....I wanna sleep later.:(
     
  17. 2009/12/20
    Jilly

    Jilly Inactive

    Joined:
    2009/12/12
    Messages:
    555
    Likes Received:
    1


    Just FYI, here, at least, using RCN, the cheapest is 1.5Mbs!

    I also saw on the RCN page that here, we too will soon be able to get much faster than what I have. One can only wonder:eek: what they will charge for that given what they now charge for my "Mach20."

    But, it's also true, at least in this building where everything is done like the inside of a Patek, there is a J-Box with leads to every apartment on that floor on every landing in the service stairwell RCN has hardwired.

    And on every third landing as the building rises, a huge, gorgeous amp to keep the signal up to par consistently. So, when you test yr speeds, they are pretty close to what you are paying for.

    But truly, isn't it all AMAAAAZING?????:D
     
    Last edited: 2009/12/20
  18. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Just my two cents. Be aware, system restore, in 99.9% of cases, won't cure an infection.
    It may appear to be gone, but, most likely it's still hiding somewhere.
    Also, in most cases, if there is one bad guy discovered, usually there are more.
     
  19. 2009/12/20
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    Quiet night, Broni,

    Surely you're not looking for more work ;)

    Posted earlier in this thread

    BTW Thanks for the heads up with Athena, it looks good so far.
     
  20. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're welcome :)
    I'm glad you like it...

    Leaving for the movies soon, so I don't care....LOL
     
  21. 2009/12/20
    Jilly

    Jilly Inactive

    Joined:
    2009/12/12
    Messages:
    555
    Likes Received:
    1

    Invaluable post; this is what someone told me early on and I felt it was dead on accurate then too.

    Re more than one bad guy, i have JFK the Collector's Edition on DVD, and this post also works back to that I think!:(

    Boy, this stuff creeps me out.
     
