Spyware Guard 2008 is a new entrant to the family of rogue security software. It is not to be confused with SpywareGuard, a fine freeware program from Javacool Software.
Rogue security software is a family of products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
Note: Visiting any of the malware hosting domains mentioned below may be injurious to the health of your computer system.
Analysis of Spyware Guard 2008 Installation
This rogue anti-spyware currently lives at spywareguard2008.com. Spywareguard2008.com has the IP 18.104.22.168, hosted at bb.b0.1343.static.theplanet.com. The domain name appears to have been registered by MAMBA on 26-Aug-2008, and the registrant details are protected by Protect Details, Inc. of Saint Petersburg, Russia. This IP is shared with Porn-movies-online.net, notorious for pushing fake video codecs. This IP is also used as a nameserver for pyroscanner.com.
A temporary redirect from gosg2008.com and Sg8go.com points to spywareguard2008.com.
Curiously, their payment processor at innovagest2000s.com is not yet working; it gives the message “Invalid product !”.
The executable installer file is named SpywareGuard2008.exe (1.51 MB). This file must be manually executed for the rogue anti-spyware to install. At this point only a couple of engines detect this as suspicious over at VirusTotal.
True to its genre, it installs a few suspicious files of its own in the Windows directory: reged.exe, spoolsystem.exe, sys.com, syscert.exe, sysexplorer.exe and vmreg.dll.
Spyware Guard 2008 – Associated Files and Folders
- C:\Documents and Settings\Shanmuga\Start Menu\Programs\Spyware Guard 2008
- C:\Program Files\Spyware Guard 2008
- C:\Program Files\Spyware Guard 2008\quarantine
- C:\Program Files\Spyware Guard 2008\conf.cfg
- C:\Program Files\Spyware Guard 2008\mbase.vdb
- C:\Program Files\Spyware Guard 2008\quarantine.vdb
- C:\Program Files\Spyware Guard 2008\queue.vdb
- C:\Program Files\Spyware Guard 2008\spywareguard.exe
- C:\Program Files\Spyware Guard 2008\uninstall.exe
- C:\Program Files\Spyware Guard 2008\vbase.vdb
- C:\Documents and Settings\Shanmuga\Desktop\Spyware Guard 2008.lnk
- C:\Documents and Settings\Shanmuga\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk
- C:\Documents and Settings\Shanmuga\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk
- C:\Documents and Settings\Shanmuga\Application Data\Microsoft\Internet Explorer\olesys.dll
Note: File names may be randomly generated.
Spyware Guard 2008 – Associated Registry keys and values
  REG_SZ, 106 bytes, “C:\Program Files\Spyware Guard 2008\spywareguard.exe”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Spyware Guard 2008\spywareguard.exe
  REG_SZ, 26 bytes, “spywareguard”
- HKEY_CURRENT_USER\Software\Spyware Guard\NP\NP
  REG_SZ, 66 bytes, “F620C418B59F44D289B18E1D1B5D896E”
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008\Display Name
  REG_SZ, 38 bytes, “Spyware Guard 2008”
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008\DisplayName
  REG_SZ, 38 bytes, “Spyware Guard 2008”
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008\UninstallString
  REG_SZ, 100 bytes, “C:\Program Files\Spyware Guard 2008\uninstall.exe”
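The file and registry listings above are the raw material for a host check. The following Python is an added example, not code from the original post or from Malware Help.Org: it parses the registry entries as they are printed above (key line followed by its REG_SZ line), verifies that each declared byte count matches the value's UTF-16LE encoding plus its terminating NUL (which is how REG_SZ data is sized), and globs a mounted or copied system drive for the listed file indicators with the analyst's profile name (Shanmuga in the listing) generalized to any user profile. The sample directory tree it builds is constructed for the demonstration; the "alice" profile in it is invented.

```python
"""Turn the Spyware Guard 2008 indicator listing into a checkable manifest."""
import re
import tempfile
from pathlib import Path

# File and folder indicators copied from the listing above.
FILE_IOCS = [
    r"C:\Program Files\Spyware Guard 2008",
    r"C:\Program Files\Spyware Guard 2008\quarantine",
    r"C:\Program Files\Spyware Guard 2008\conf.cfg",
    r"C:\Program Files\Spyware Guard 2008\mbase.vdb",
    r"C:\Program Files\Spyware Guard 2008\quarantine.vdb",
    r"C:\Program Files\Spyware Guard 2008\queue.vdb",
    r"C:\Program Files\Spyware Guard 2008\spywareguard.exe",
    r"C:\Program Files\Spyware Guard 2008\uninstall.exe",
    r"C:\Program Files\Spyware Guard 2008\vbase.vdb",
    r"C:\Documents and Settings\Shanmuga\Desktop\Spyware Guard 2008.lnk",
    r"C:\Documents and Settings\Shanmuga\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk",
    r"C:\Documents and Settings\Shanmuga\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk",
    r"C:\Documents and Settings\Shanmuga\Application Data\Microsoft\Internet Explorer\olesys.dll",
]

# Registry entries copied from the listing above, in its own key/value layout.
# The listing's first REG_SZ line has no key shown, so it is left out here.
REGISTRY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Spyware Guard 2008\spywareguard.exe
REG_SZ, 26 bytes, "spywareguard"
HKEY_CURRENT_USER\Software\Spyware Guard\NP\NP
REG_SZ, 66 bytes, "F620C418B59F44D289B18E1D1B5D896E"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008\Display Name
REG_SZ, 38 bytes, "Spyware Guard 2008"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008\DisplayName
REG_SZ, 38 bytes, "Spyware Guard 2008"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008\UninstallString
REG_SZ, 100 bytes, "C:\Program Files\Spyware Guard 2008\uninstall.exe"
"""

# Accepts straight or typographic quotes around the value.
VALUE_RE = re.compile(r'^REG_SZ,\s*(\d+)\s*bytes,\s*[“"](.*)[”″"]$')


def parse_registry_dump(text):
    """Return [(key, declared_bytes, value)] from key/value line pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for i in range(0, len(lines), 2):
        key = lines[i]
        m = VALUE_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if m is None:
            raise ValueError(f"no REG_SZ line after key {key!r}")
        entries.append((key, int(m.group(1)), m.group(2)))
    return entries


def reg_sz_byte_length(value):
    """REG_SZ data is stored as UTF-16LE plus a two-byte terminating NUL."""
    return len(value.encode("utf-16-le")) + 2


def check_byte_counts(entries):
    """Map each key to whether its declared size matches the encoded value."""
    return {key: declared == reg_sz_byte_length(val) for key, declared, val in entries}


def windows_to_glob(win_path, profile_user="Shanmuga"):
    """Strip the drive, use '/' separators and wildcard the analyst's profile."""
    rel = re.sub(r"^[A-Za-z]:\\", "", win_path).replace("\\", "/")
    return rel.replace(f"Documents and Settings/{profile_user}/",
                       "Documents and Settings/*/")


def scan_root(root, iocs=FILE_IOCS):
    """Return {indicator: [relative paths found]} under a mounted system drive."""
    root = Path(root)
    found = {}
    for ioc in iocs:
        hits = sorted(str(p.relative_to(root)) for p in root.glob(windows_to_glob(ioc)))
        if hits:
            found[ioc] = hits
    return found


def build_sample_tree():
    """Constructed sample drive with two of the listed artifacts planted."""
    root = Path(tempfile.mkdtemp())
    exe = root / "Program Files" / "Spyware Guard 2008" / "spywareguard.exe"
    exe.parent.mkdir(parents=True)
    exe.write_bytes(b"MZ")  # placeholder bytes, not the real binary
    lnk = root / "Documents and Settings" / "alice" / "Desktop" / "Spyware Guard 2008.lnk"
    lnk.parent.mkdir(parents=True)
    lnk.write_bytes(b"")
    return root


if __name__ == "__main__":
    for key, ok in check_byte_counts(parse_registry_dump(REGISTRY_DUMP)).items():
        print("size ok " if ok else "size BAD", key)
    for ioc, paths in scan_root(build_sample_tree()).items():
        print("FOUND", ioc, "->", paths)
```

Every declared byte count in the listing checks out as 2 × (characters + 1), which is a quick sanity test when an indicator list has been retyped. On a real investigation point scan_root at the mount point of the suspect drive; a missing hit for one file is expected, since the post notes that file names may be randomly generated, so the folder indicators carry the most weight.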
Spyware Guard 2008 – Associated Domains
Spyware Guard 2008 – Removal (How to remove Spyware Guard 2008)
At the time of writing, none of the popular free anti-malware programs were detecting this. I tested with Malwarebytes’ Anti-Malware, SUPERAntiSpyware, Ad-Aware 2008, Spybot Search & Destroy, a-squared Free and PC Tools Spyware Doctor Starter Edition. I will update this post once any of the above vendors include detection and removal for this rogue.
Update Oct 04: SUPERAntiSpyware free version detects and removes this rogue completely with the latest definitions update.
Update Nov 13: Malwarebytes’ Anti-Malware free version is updated to remove this rogue.
Update: If Internet Explorer and other IE-dependent programs have lost their ability to show pictures, try the following; it seems to restore the pictures for some users:
- Open Internet Options in Control Panel.
- Click on the Advanced tab.
- Look for the Multimedia section.
- Place a check mark in the Show Pictures option.
- Restart Internet Explorer if it is running.
Advanced users may manually remove this pest by deleting the associated folders, files, registry keys and values listed above. I would also recommend turning System Restore off and back on to clear any infected restore points, and using CCleaner to clear the temp folders and files to avoid recurrence.
If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.
Spyware Guard 2008 – Rogue Gallery
Spyware Guard 2008 – Video
Note: The above installation was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 7 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.