Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Spyware Protect 2009 Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

Though Spyware Protect 2009, a rogue security software made its appearance early this year, recently it’s in the news due to the fact that the notorious Conficker botnet gang chose to push it to the infected systems.

Spyware Protect 2009 is your typical scareware with slight variations. Incessant, hard-to-get-away popups warn about hundred’s of imaginary malware infecting the computer systems. Scary warnings about trojans creeping in through the open ports. Hijacking Internet Explorer, diversion of certain keyword searches and generally misleading the victims about the state of their system security are all part of Spyware Protect 2009s arsenal towards its goal of extracting USD 49.95.

I define a rogue security software as one belonging to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own.

During installation Spyware Protect 2009 replaces the Windows HOSTS file, note that it does not add to the existing file, it completely replaces the HOSTS file. The new HOSTS file contained the following entries:

  • www.spy-wareprotector2009 .com

Once installed a fake scan of the victim system is run. The interface is Window-less, thus cannot be minimized. But it does have a close button which when clicked minimizes the scan interface to the Windows System Tray.


The scare popups are very frequent, there are three different popups which just bombard the victim one after another. One fakes the appearance of a Windows yellow bubble message that pops up from the Windows System Tray.


Another popup is also from the Windows System Tray, this mimics an alert from a security software. This message includes fictitious threats from random IPs and ports.


The third one pops up bang in the middle of the desktop and stubbornly stays on top of all application windows. This message cannot be moved out of the way or closed. Thankfully it can be temporarily minimized by clicking on the button “stay unprotected“.


Think you can survive long by minimizing all of the prompts that seem to appear every few seconds? Think again! Spyware Protect 2009 has an ace up its sleeve. In the background, when the victim is busy clicking on the myriad of popups, it has hijacked the Internet Explorer and Windows Explorer. Internet Explorer is allowed access only to the following domains:


Even then any search query that contains the words “spyware” or “protect” and performed on the above domains is blocked and hijacked to the URL h**p:// All other searches go through normally. Trying to visit any other Website in Internet Explorer also redirects to the above URL.

This behavior affects only Internet Explorer, alternate browsers like Firefox, Chrome and Opera are not hijacked.


This URL displays fake internet explorer warning, which tries to hard-sell spyware protect 2009 and where all links lead to their order page. Internet Explorer is also opened automatically and directed to this page at random intervals. Opening Windows Explorer also opens this URL in a new Internet Explorer tab.


If the user presses any affirmative buttons, he is taken to the order page at h**p://, continuing with the order lands the victim at the final order page at h**p:// which blatantly claims to be a secure page, when it’s not.

Methodology of Spyware Protect 2009 Infection

There are three key components to this infection.

It replaces the Windows HOSTS file with its own.

It drops two files, one is the main executable sysguard.exe ( size – 304656B, MD5: C57CAF9E230A32C1B123E2BEFEA952AF) with a detection rate of 20/39 (51.29%) at VirusTotal. This file insists that its original file name is NOTEPAD.EXE. sysguard.exe also autoruns on Windows startup.

Another file iehelper.dll (size – 10240B, MD5: B1487F5B3644AB6EEE33B303D72332FD) attaches to the Internet Explorer as an add-on (Browser Helper Object). This file has a detection rate of 20/40 (50%) at VirusTotal. This file hijacks the Internet Explorer and Windows Explorer.

Spyware Protect 2009 Associated Files and Folders

  • C:\WINDOWS\sysguard.exe
  • C:\WINDOWS\system32\iehelper.dll
  • C:\WINDOWS\Prefetch\

Spyware Protect 2009 Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{abd45510-9b22-41cd-9acd-8182a2da7c63}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abd45510-9b22-41cd-9acd-8182a2da7c63}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run system tool C:\WINDOWS\sysguard.exe
  • HKEY_CLASSES_ROOT\CLSID\{abd45510-9b22-41cd-9acd-8182a2da7c63}
  • HKCR\CLSID\{ABD45510-9B22-41CD-9ACD-8182A2DA7C63}\InProcServer32
  • HKCR\CLSID\{ABD45510-9B22-41CD-9ACD-8182A2DA7C63}\InProcServer32#ThreadingModel

Spyware Protect 2009 Associated Domains

Note: Visiting the domains mentioned below may harm your computer system.


Dancho Danchev reports finding more domains serving this rogue:

  • sysguard2009 .com ( AS34187, RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine

Spyware Protect 2009 Removal (How to remove Spyware Protect 2009)

The free versions of MalwareBytes’s Anti-Malware Free edition and SuperAntiSpyware appear to remove this rogue security software.

  1. Use an alternate browser like Firefox or Chrome to download and Install either MalwareBytes’s Anti-Malware or SuperAntiSpyware from the links above.
  2. Also download CCleaner.
  3. Boot in to Windows Safe mode.
  4. Click to scan with your chosen software. Check mark all instances of the rogue security software and delete them.
  5. Turn System Restore off and on.
  6. Install, scan and clean the temporary files with CCleaner.

You should now be clean of this rogue.

Note: While MalwareBytes’s Anti-Malware and SuperAntiSpyware remove the harmful files associated with this rogue software, they do not help with the hijacked HOSTS file. Use a free software HostXpert (345 KB), you don’t need to install it.

Download, run HostsXpert.exe and then click “Restore MS Hosts file” on the left menu. Click “OK” to confirm. This will restore the default HOSTS file pertaining to your Windows OS.


If you still see symptoms associated with this rogue security software, please post your problem at one of the Recommended Online Forums for Malware Help.

Spyware Protect 2009 – More Screenshots

Spyware Protect 2009 – video

Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 7 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 7 comments… read them below or add one }

Eric April 17, 2009 at 9:07 AM

delete: sysguard.exe and iehelper.dll

iehlper has to be deleted at a command prompt under safe mode


balidaplex April 22, 2009 at 8:37 AM

what if i cant access the internet. im on my old cpu i ran malware it god rid of all teh popups but still no gonna try and manually remove everything ill be back…


steve t May 3, 2009 at 10:16 PM

spyware protect 2009
infected with this trojan
tried removal instructions above – and others
can’t get past step 1! only allowed to download/save malwarebyte’s or superantispyware exe files to my computer (no ‘run’ option appears)
when try to execute file… get one – two spins of the hourglass next to pointer,
then hourglass disappears and nothing happens!
have tried this several times and several different ways, all with same result
This spyware is blocking everything I am downloading everything using Firefox now (Explorer out of the picture). still no go. i can’t get to this thing and am trying to avoid reformatting at this time. Any suggestions? steve t


bill May 17, 2009 at 6:12 PM

steve t I realize this may be to late for you as your post was a couple weeks ago but hopefully this will help anyone else.

When trying to remove malware like this and it is blocking you from executing it go into program files where it is setup find the executable file for the program and rename it. Then execute the file directly and it will run. It is typically that easy to fool the malware that is blocking the execution of the program. If you have trouble even setting it up do the same for the setup file, you will just have to download first.


Topper June 15, 2009 at 3:58 AM

I was also hit by this malware. I found the source file “sysguard.exe” in the %Windows/System% directory, deleted and the system was operational, except one thing…

The program changed both the Firefox and Internet Explorer LAN settings to a proxy server. No internet access from either. In Internet Explorer 7, go to >Tools>Internet Options>Connections Tab>LAN Settings button, and reset the program to “automaticaally detect settings”. Took me about 6 hours to figure this out, so I hope it helps others.

By the way, I had Norton Internet Security updated and running when this hit. How can we both trust sources and survive malware? Comments?


mike fink August 18, 2009 at 11:09 PM

This is an awful Malware. I had the Window Anti Virus Pro version. It took over my desktop and could not run any exexutables including any anti spyware. I found Spyhunter by Enigmasoftware and purchased Spyhunter which runs off a .bat not a .exe. This released my other programs and the executables would function. Both IE and CHOME however were not cleaned. Pop-ups and new tabs kept opening and opening wanting me to purchase the beast. I could not open in Safe mode or attempt restores either. Firefox was not impacted. Spyhunter kept telling me that I was clean. I tried a few other spyware programs (Sypbot). They didn’t find it either.
I finally found It recommended SuperAntispyware (which is free.) After running that — I was finally clean. This program found 3 Trojan’s that Spyhunter did not. I needed a combo treatmeant. Spent hours on this. — Mike


SkyDivr420 November 28, 2009 at 4:58 PM

Two words…”SYSTEM RESTORE”!!! I got the “Antivirus System Pro” version, which seems to be almost identical and affects your system the same as “Spyware Protect 2009”. I found a couple differences as the scumbags behind this have simply changed a couple names of files…for example, mine was named “pfxwsysguard.exe” rather than the “sysguard” that preceded it. Anyway, I tried a couple of recommended methods for removal involving free anti-spyware programs and had no luck at all. Then I restored my system to a date of two days prior to being infected with this malicious program and all traces of the rogue security software are non-existant, and none of the debilitating symptoms that I was previously experiencing are occurring any longer. Which was a good reminder for myself to always enable System Restore and have it automatically create restore points on a regular basis! I could have saved a few hours of frustration had I performed this simple procedure first. Hope this helps!


Leave a Comment

Previous post:

Next post: