I got a sort of virus, but not really. It's this super clever malware / extortionware that F'ed up my computer out of nowhere. It pretends to be spyware removal software - and it does a damn good job of looking legit. If it were not so brazen by popping up every two minutes and running its "scans" over and over, I might have even ignored it. However, it was bogging down my memory, my internets connection, limited access to many Web sites, and was just annoying.
It automatically installs itself without any pop-ups or lame trickery like that. It then runs or (pretends to run) scans of the hard drive for other spyware. It pulls up a list of all the infected files and franticly urges the user to purchase the full version to get rid of it all. On top of this generic front, there is a program called Windows Security Center (winscenter.exe) that looks very much like a real Microsoft program, which tells you that the virus software is running, the firewall is fine, but then it says in red that Spywareguard 2008 needs to be upgraded immediately. Doubtful at best. There's also a blurb at the bottom that mentions something to the effect of "Microsoft puts your privacy first," which is screaming "bullshit." Microsoft doesn't need to attest to it's privacy policy on any of its interfaces.
Further, Spyware Guard 2008 blocks access to certain web sites - specifically spyware removal software, virus scan/protection, or sites with keywords like "Remove" and "Spyware Guard." When attempting to view these sites, I kept getting "Connection failed" messages, or I was forwarded to some weird unique IP address. This limits the ability to not only download new tools, but it also hinders the updating of my current Ad-Aware / Spybot programs.
All of this is enraging me, of course, though I'm also intrigued at the chutzpah and brilliance of this idea and how well it's pulled off! I can't believe that the people behind it aren't caught and shut down because they're asking for money out in the open! That's serious fortitude right there.
How to get rid of Spyware Guard 2008 / Spywareguard 2008:
There is a good technical review of what is included in this infection at Wiki-Security.com:
http://www.wiki-security.com/wiki/Parasite/SpywareGuard2008
The main problem is that when you delete the folder C:\Program Files\Spyware Guard 2008\, it is automatically restored. The same thing happens with C:\Windows\System32\winscenter.exe. Don't even bother with the uninstall file. Since these know when the file is missing, the next best thing to do is to break the executable files. This won't solve the problem, but it will at least stop the programs from opening and bogging down your memory.
- Open Notepad, and Open a document
- From the "Files of type:" pull down menu, choose "All Files"
- Navigate to C:\Program Files\Spyware Guard 2008
- Open Spywareguard.exe
- This will be machine language so don't expect to be able to decipher anything. Start from the top and start removing a few lines of code at a time. I took around a dozzen or so lines at a time scattered throughout the very top, and very bottom of the document and that worked well. Every time you hit delete or backspace, be sure to save. Don't remove everything; the point is to break the file, not remove it entirely.
- Do the same thing to C:\Windows\System32. Now you won't be bothered by the programs as much, but every two minuts or so, a command prompt/MS-DOS window (attempting to launch spywareguard.exe) would VERY briefly open and close itself. Additionally, my internet access was slow and many sites were blocked.
- Next, download and install SpyHunter Spyware Detection Tool. This is free to install and scan, but it will not remove anything until you buy the full version, HOWEVER when installing, it recognizes that other malware is attempting to inhibit its processes and effectivly stops it! Now turn to freeware!
- Download and install the latest version of Malwarebytes' Anti-Malware. This software is free to scan and remove infections, and upgrades are around $25. The free version kicked Spyware Guard 2008 to the curb. Be careful not to remove EVERYTHING it finds, because it found some Ad-Aware files that were safe.
- You're done! Go ahead and update your AVG, Ad-Aware, etc.
(Click to enlarge)
(Update)
How to get rid of Spyware if you already have Malwarebytes:
I returned home from the holidays to find that my roommate had contracted the same problem, however he had Malwarebytes installed on his machine already.
- Start Windows in Safe Mode (At startup / when you power up the computer, tap the F8 key eight times or until the Windows Advanced Options Menu appears, and select "Safe Mode" from the top of the menu.)
- Run Malwarebytes' Anti-Malware program from here. This scan took around three hours to complete.
2 comments:
Your a lifesaver. Thank you.
I just wanted to thank you for this. It worked perfectly and wasn't very hard. I thought I was going to have to risk removing the files myself or reinstalling windows. THANKS! now I'll check out the rest of your blog.
Post a Comment