Spyware Protect 2009 Description:
Spyware Protect 2009, also known as SpywareProtect 2009 or Spyware Protection 2009, is one of the latest and most active counterfeit antispyware programs troubling the Internet community. As expected, Spyware Protect 2009 is simply a variant of Antivirus 2009. It usually appears after you install a video codec that comes bundled with a Trojan, malware or a virus. You might also get infected by visiting malicious websites. Spyware Protect 2009 generates fake and misleading system pop-up error messages to trick end users into purchasing Spyware Protect 2009.

No matter how terrible Spyware Protect 2009 is, if it can be created, it can also be removed. Please be patient and expect failures, but if you don’t give up, you will succeed in fighting Spyware Protect 2009. Good luck!
Manual Spyware Protect 2009 Removal Instructions:
Stop Spyware Protect 2009 Processes:
SpywareProtect2009.exe
SpywareProtection2009.exe
sysguard.exe
Find and Delete these Spyware Protect 2009 Files:
Remove Spyware Protect 2009 Registry Values:
HKEY_CURRENT_USER\Software\Spyware Protect 2009
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\uninstall\Spyware Protect 2009
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Spyware Protect 2009

Hello. I was infected by sys guard (muwe sys guard). I have a Toshiba L25 with Windows XP SP2.
It had disabled both my ethernet and wifi inet connections. It had disabled the regedit and the system restore (when I try I get a msg saying contact your admin & I’m logged in as the admin!). What do I do? I have tried to go to ‘safe mode with networking’ but it won’t work. I have tried ‘safe mode’ but it too doesn’t load. In order to get to safe mode I have to select ‘directory services restore mode’, and this way I get to safe mode. Yet when I do get to safe mode, regedit & system restore is still disabled! Also the shortcut icon trojan (called security tool) is still on the desktop.
PLEASE HELP!
I found an easier way to remove the program after an hour of trying.
step 1. open task manager and look for a program that resembles sysguard.exe. mine was labeled ssyslvg.exe. make sure you write the name of the task down before step 2.
step 2. right click the program and end the process. it won’t have any effect on your computer besides stopping the popups.
step 3. go to the start menu and click search. type the name of the task you wrote down in the search bar.
step 4. rename the the files that are found GAY because the files are infact gay buttfucking fags. also so you can remember the name to find them again incase it doesn’t work the first time.
step 5. right click the files and click delete to recycling bin. if the files don’t delete the first time try again. it took me 2 attempts.
step 6. empty your recycling bin and restart your computer.
step 7. TURN YOUR FIREWALL ON.
Exactly HOW did you remove it? Nothing is working for me.
Found this on a guy’s computer 11/14/09. New variant. The main running process was named xjwlsysguard.exe. Created registry key HKey_Current_User\Software\AVScan. Also found the installer that ran at every reboot as imrppoiw. This installer needs to be removed too, or you will just have the program back again when you reboot! HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Also somewhere else I forget now. To all the people who think these change themselves, they do not. There is a guy or team of guys out there writing this for their own profit, enough people are dumb enough to pay them to fix the problem caused by this program to make it a million dollar business for the writers! The writers change the program regularly to make it harder to remove so you will knuckle under and pay them. Don’t do it! The program is set up to install under one of several different names, so that it is harder to find and remove. It has a huge list to choose from, which is changed with each new release. The best way to find this is with Search. Look for files created about the time you first saw the “AntiVirus” or “AntiSpyware” scanner. Right click and look at their properties. If they are from Microsoft or a Card vendor (Ati, Creativelabs etc.) you don’t have the right one, keep looking. The one you are looking for will be an .exe, probably will not have an icon picture (it’ll be the white box with the blue border), will not have a Company name! Found mine to be about 255kb (567.exe). So limit your search to be at least 254kb or more; it will reduce the number of entries you need to check. It may also be more likely to be in a Temp folder or Temporary Internet Files. Mine was in C:\Documents and Settings\\Local Settings\Application Data\Temp. Do not delete it. Rename it by just adding a character at the front so that you can put it back if you choose wrongly!
When you find the one that reinstalls the program you will be able to kill and remove the ?sysguard.exe and when you reboot the thing won’t start again. This is how you know you won! If you are clean for awhile with no other problems then you can safely go back and delete the files you renamed. Good Luck! Happy hunting.
Spyware Protect is a terrible pest. In my case the exe file was called gtmosysguard.exe. I killed that process with ProcessXP but when I restarted the machine, Spyware P. appeared again and now it doesn’t let me open ProcessXP. I called my support service and I’m going to format the machine.
Another thing, I’m almost sure that I got infected when I visited the website of AMCIS 2010 conference, an international conference about IT; maybe the website was infected and the webmaster didn’t notice.
Good info MWRadio. I originally found the program in C:\Documents and Settings\\Local Settings\Application Data\…. The file name was rrmosysguard.exe. Deleted it and once I was able to get back on the internet did some searching and found this page. Sure enough under HKey_Current_User\Software\AVScan I found many of the files mentioned in the original manual removal instructions. Removed those and then sure enough as MWRadio mentions, in HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, I found a file called dukfmwau which pointed to rrmosysguard.exe. One more thing, I was unable to run any programs including task manager because of the virus. When one of the fake messages appeared, I right clicked on the message and went to properties. This is how I first found out the name of the file. Then during a reboot, I was able to start task manager before the Antivirus2009 had a chance to start up. From here I stopped the rrmosysguard.exe process and then I was able to open programs without the fake message stopping me. Good luck. This thing sucks!
You can open task manager but you have to be quick to open task manager before sysguard loads itself after booting up windows.
For those of you that lost the internet… once you kill the stupid thing… do a system restore back to before you got it and your internet should be back.
Got this on one of my locked-down PCs. Cannot open command prompt/task manager if I logged in as the infected user. I was able to find the offending (offensive too!) task under %userprofile%\local Settings\Application Data\some-name\????sysguard.exe. After renaming the file and removing the registry entry life is back to normal. Also found out afterwards that the installed Trend Micro Antivirus/Antispyware could detect the infection but could not fix the problem
Still don’t know how the pc got infected. Only clue that may be of interest is that the browsing history showed an entry for today as kaka://c:\document and settings\username\local settings\application data\kjkpjk\qlrcsysguard.exe/alert.htm. But then when I googled kaka: I did not find anything relevant.
Daughter got the virus on computer. I tried to locate it, nothing; unfortunately I did not look here. I tried reinstalling Windows with CD; I get desktop but it’s empty. Says missing IE something. What else can I do? Thank you.
I followed these instructions which I found on another site and it worked for me. Equally important, it’s easy!:
Restart computer. As soon as windows opens pull up the task manager (ctrl+alt+del) and click on “processes”. Wait for the .exe file with the word “guard” in it (it will probably be four random letters followed by sysguard: ie: “xxxxsysguard.exe”). Write down the file name and end the process (this will keep the virus from hijacking your system while you get rid of it)
Go to the start up menu and hit “run” and type in “msconfig” then go to the “startup” tab and find the .exe file previously terminated to see where the .exe file is located. (On my computer it was in “documents and settings\owner\local settings\ etc. etc.”).
In ‘Explore’ open up to the folder it was in (you may want to view “hidden files”) and delete the .exe file and the folder (the folder name was a bunch of random mixed up letters) and empty the recycle bin to make sure it’s gone.
Restart system it should be gone!”
I then did a scan with McAfee (which the bloody virus had made unusable) just as a double check.
Good luck!
Be careful of antimalware - do not use Antimalware Pro - it’s a fraud
Found best way to remove sysguard2010 was task manager (Control,Alt,Del)…remove the one ending in sysguard.exe…then Norton Antivirus – advanced version picked this up as a Trojan Horse…after running it several times…if you can’t get internet, I found that you have about a 2 minute time frame after task manager deletion to get on the internet.
I had a new variation of this Spyware Protection 2009 (still tries to send you to the website and hi-jacks internet explorer). I had Malwarebytes and avast but both were disabled by the virus. I tried downloading new ones but they would say they were infected and wouldn’t allow me to install. Tried to use task manager and start-run-cmd but it blocked those as well. I deleted sysguard.exe but that did nothing, but when I searched sysguard another program came up. I believe it was igcsysguard.exe or something like that; I know it started with an i and had sysguard in it. It would not allow me to delete because it was running. I could not get my computer in safemode but what I was able to do was restart my computer and before all the processes were running I was able to pull up task manager (ctrl alt del), went to processes and stopped the program (it was on there several times). Once those processes were stopped I was able to run Malwarebytes and removed the problem. So I would advise to search the SYSGUARD in your search area and see if this thing pops up. You can also manually delete the file. Hopefully this helps someone.
My son’s Dell had this and “registry defender”. I was able to remove both thru the regedit, but I am still having issues getting IE, FF, chrome to hit the internet. Any advice? I see a few people talking about removing svchost.exe, but that hasn’t worked either. Help???
One thing I noticed after looking at a user’s computer who had the virus is it looks like the virus changes the Internet settings to use a proxy at 127.0.0.1 on port 555. It must be using this to do the redirection you speak of. To fix this open Internet Options from the Tools menu in IE. Then click on the Connections tab. Click on the “LAN Settings” button and make sure the “Use proxy server for….” check box is not on or that the proper Proxy Server settings are entered.
Thanks heaps Chris I had the ‘vthbsysguard.exe’ version and after killing the tasks, deleting the exe and cleaning out the registry I still had the proxy server setting you mention.
All I did to get this thing on my computer was click on a pop up – something about how to whiten teeth cheaply!!! I’ll never click on a pop up ever again
(To remove proxy setting: go to “Tools/ Internet Options/ Connections/ LAN settings” and untick the “proxy server” settings.)
My kid inadvertently clicked on a popup and I had the “hnhosysguard.exe” variant and could not kill process in task manager. I got into safemode and tried removing temp files and pc crashed (should have killed process from there first, duh). Could not boot into safemode again.
Luckily had a utility called “Emergency Repair Disc” (ERD) which allowed me to boot from the cd and edit registry and also remove the necessary files/folders. Then logged back as normal and ran antivirus software which picked up and removed trojan virus. Took a couple of hours but Job Done!
************To All That Got Infected with Spyware Protection 2009 **************
If you boot up in Safe mode and run system restore and restore your computer to “yesterday” or the day before infection it WILL be gone.
Simple solution to beat this (If I did it, you can as well).
1) Start task manager as soon as your windows starts up (if Spyware Protect 2009 or Sysguard.exe begins operating before you get task manager open, you won’t be able to open task manager. Simply reboot your computer and try again.).
2) Go to processes from task manager menu, then end the process for it by whatever name it may be (mine used the name qhbisysguard.exe).
3) Go to internet explorer, tools, manage add ons and disable any add ons related to the process you terminated last step.
4) From there you should be able to use most programs regularly, I had to go to internet explorer, tools, internet options, connections, LAN settings, then click off use a proxy server and click automatically detect settings. This allowed me to log on the internet.
5) Go to the start menu, click Run, type regedit, click edit and find, then type in the name of the process you ended in step 2 and search. Delete anything associated with the name of the process (qhbisysguard for me), Spyware Protect 2009, sysguard and iehelper.
Thanks Gary! Your instructions were perfect.
Gary’s instructions worked perfectly.. Thanks Gary. My file was odqssysguard.exe and for some reason the regular windows search wouldn’t find it but it was in two places, c:\windows\prefetch and another directory related to my name documents & settings\\ etc..
When I did the regedit search 3 of the related files had names like “001” so I right clicked on it and selected modify and it showed me the nasty file name inside so I deleted the 4 or 5 registration items that had it, cleaned out all my IE history, cookies, everything.. empty the recycle bin and reboot, she’s as good as new.
I ended abfsysguard.exe……stops pop-ups, what other processes should I end?
thx very much gary, i followed ur instructions and i can use google chrome and safari again!!!(and IE)
If you have the means, set up a dual-boot system (so you can boot into a different OS if one should get infected).
It tried to block my ability to reboot, run task manager, run virus/spyware scanners, and any number of other things on Windows XP. All I did was reboot (the attempted block was too late to stop the computer from shutting off) – and boot into Windows 7. From there I ran Spybot S&D to get the name, popped online; and started having Windows 7 search for and remove those files from the XP hard drive – as well as saving a file on the drive with which registry entries to delete/modify to get the internet back up and running in XP.
(I have 7 and XP because my copy of 7 was delivered later than my computer; and I’ve kept XP so that I can still run programs currently incompatible with 7).
If you can pull it off, I would suggest dedicating a little file space to install a second OS (Linux may require a different hard drive if what I’ve heard is true). Definitely research how to do it first though just to make it easier on yourself.
Gary, Thanks so much for the clear instructions! So far, so good. Merry Christmas!!
You also need to delete the files in the registry or it will regenerate itself
start, select run, type regedit
click on my computer on left tree
select edit, find, sysguard
As each one pops up delete then hit F3 to continue
Be very careful as there is no recovery from editing the registry directly
The problem with sysguard is it replicates itself from the registry on hidden files…definitely a problem.
Gary…you the man.
Changing the LAN settings was key to getting my internet restored once I deleted all the sysguard crap.
First of all … thanks to all of you for posting your suggested fixes. I seem to have gotten sysguard off of my computer. It hit me on Christmas Eve (Merry Christmas, right?!). In any case, by following what I read on this site, I was able to get sysguard off of my computer (I think). At least it is no longer popping up. But I still can’t get Internet Explorer, Google Chrome, or Firefox to work. I was, however, able to make a call on Skype. So I know my internet connection is working. (Btw, I’m obviously typing this on a different computer.) In any case, I got rid of iehelper.dll as some suggested and this doesn’t seem to have solved my problem. I thought maybe I’d need to reinstall Google Chrome and IE, but since I installed Firefox after making all these fixes and it doesn’t work, I’m guessing reinstalling IE or Chrome won’t solve things either. Any thoughts? Thanks for sharing your genius with me … and the world.
I was hit with sysguard, too (for me, it was named fnhesysguard.exe). It ended up being a Christmas Day ‘present’ for me! I found out the trick about getting my anti-virus program (Symantec) running from the task bar before sysguard fired up. I also found out that sysguard had listed itself in the Symantec scan exceptions menu – these culprits are tricky!
Now I have 2 remaining problems that I wonder if anyone has any suggestions for my XP machine. 1. I was able to get my IE proxy settings working, but the proxy exceptions list won’t take. 2. Any attachments on Outlook have a generic icon. Specific icons such as those for Word or Powerpoint do not appear.
Any advice would be appreciated.
Thank you Larry!!
I had used MalWarebytes and SpyBot and thought my computers were free of that mess. I did what you suggested in the registry and sure enough, there they were again!
My wife got this malware on our computer after clicking on a friend’s picture at MySpace.
What a nightmare!
I used the “get task manager open pronto” method to turn off the offending process. After that I removed all items found searching sysguard from the registry. After this was done I couldn’t get the internet connection to work so I did a system restore back a day.
I stop the task right away when I login
Mine came up as ytjasysguard.exe
Location:
C:\Documents and Settings\Owner\Local Settings\Application Data\wfndpn
As well I did find the PF in the prefetch folder.
In the registry that wfndpn folder came up as Sandboxie so something else to look out for
GARY! Your post on Dec. 05, 2009 was the best solution to my encounter with this virus! THANK YOU! My file name was aqjksysguard.exe you usually find the name easily on task manager and click the processes tab then click on user name below to show you the programs running in your user name only. You should see some weird name that you don’t recognize. Then follow Gary’s instructions…
thanks again gary!
Thank you for the information, very helpful for removing the pop-ups, and X Rated content that showed up on screen. Don’t need this content showing up with kids at home.
Thank you.
I also have recently adopted this virus. It came to me on a normal looking windows pc scan and I sheepishly went along with it. But thanks to you guys I was able to get rid of it … I think I had to search for aaepsysguard.exe but I’m pretty sure it’s gone. Thanks everyone.
I found the malware installed at the following location on my computer: D:\Documents and Settings\{USERNAME HERE}\Local Settings\Application Data\gxexoo\mryisysguard.exe
It also modified my startup routine to include reference to this mryisysguard.exe such that it starts up anytime I start my computer.
Then it modified my IE internet option – Connection – LAN Settings – Use Automatic Configuration Script. It placed a reference to a .pac file from my C: drive that directs the IE to a website!!!
Clean the malware by searching for text that contains sysguard in safe mode; you will probably get some variant of the spellings with sysguard.exe. Delete the file and the folder, restore your IE LAN settings by removing text in the Address field on the: Use Automatic Configuration Script.
More importantly, follow all the suggested steps by good people on this thread.
Boot to Safe Mode. Go to run and type msconfig>click on Launch system restore>choose restore my computer to an earlier time>pick a date from when you know the system was not infected (it will be in bold) and restore your system to that time. It will reboot and finish up the job after the reboot and you log in.
For those of you who can’t access the internet after being hit by this malware, I found that it had added a value in my system registry to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ProxyServer If you remove this value you should be able to access the internet again. (Start -> Run -> Type regedit, browse to the directory above, and remove the value (don’t delete the key though, just remove the value)).
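The registry changes reported in the comments above (a randomly named Run value pointing at a `????sysguard.exe` file, the `AVScan` key, a proxy on 127.0.0.1 port 555, and a local .pac file) can be checked in one pass over a `reg export` file. This is an added example, not part of the original article or of any commenter's post; the sample export is constructed from values mentioned in the thread, and the `ExampleTray` entry and the .pac path are invented for illustration.

```python
import re

# Constructed sample in `reg export` text form. Names and values are modelled on
# what the commenters report; ExampleTray and the .pac path are invented here.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AVScan]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dukfmwau"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\wfndpn\\rrmosysguard.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:555"
"AutoConfigURL"="file://C:/example.pac"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE.match(line)
        if m is None or current is None:
            continue  # header, blank line, default value or hex continuation
        name, raw = m.group(1), m.group(2)
        if raw.startswith('dword:'):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # REG_SZ: undo the \\ and \" escaping used inside .reg strings
            current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
        else:
            current[name] = raw  # hex(...) types are kept undecoded
    return keys


RUN_KEY = r'\microsoft\windows\currentversion\run'
INET_KEY = r'\microsoft\windows\currentversion\internet settings'
ROGUE_KEYS = (r'\software\avscan', r'\software\spyware protect 2009')
# <random letters>sysguard.exe, the naming pattern seen across the comments
ROGUE_EXE = re.compile(r'\\[a-z]{0,8}sysguard\.exe', re.I)
# Autostart targets inside per-user or temp folders are worth a second look
USER_DIR = re.compile(
    r'\\(local settings\\application data|temp|temporary internet files)\\', re.I)
LOOPBACK = re.compile(r'(^|=)(127\.\d+\.\d+\.\d+|localhost)(:\d+)?', re.I)


def triage(keys):
    """Return (kind, key_path, value_name, data) tuples for suspicious entries."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(RUN_KEY):
            for name, data in values.items():
                data = str(data)
                if ROGUE_EXE.search(data):
                    findings.append(('run-sysguard', path, name, data))
                elif USER_DIR.search(data):
                    findings.append(('run-user-dir', path, name, data))
        elif low.endswith(INET_KEY):
            proxy = str(values.get('ProxyServer', ''))
            if values.get('ProxyEnable') == 1 and LOOPBACK.search(proxy):
                findings.append(('proxy-loopback', path, 'ProxyServer', proxy))
            pac = str(values.get('AutoConfigURL', ''))
            if re.match(r'(file:|[a-z]:[\\/])', pac, re.I):
                findings.append(('pac-local-file', path, 'AutoConfigURL', pac))
        elif low.endswith(ROGUE_KEYS):
            findings.append(('rogue-key', path, '', ''))
    return findings


if __name__ == '__main__':
    for finding in triage(parse_reg(SAMPLE_EXPORT)):
        print(' | '.join(finding))
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding='utf-16')` before passing the text to `parse_reg`.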
Just got hit today, filename was “ukamsysguard.exe” had to use three spyware apps to finally track it down.
The program called itself “Total XP Security” which is actually the name of a rogue program that uses worms and Trojans. In Task Manager it shows as “ave.eve” which cannot be found under Search. Luckily it didn’t restrict access to taskmgr, regedit, etc. It did however randomly shut down Firefox which made it a pain to find info. My AVG was destroyed, will have to reinstall it. Tried searching filenames, but now I can tell you to do a keyword search for “sysguard”.
Whoever is writing this program is learning. It won’t be long before he/she makes it unkillable. BEWARE!!!!
WATCH OUT FOR the new improved piece-0-shiit “XP Security” – i.e. – the “ave.eve” version. Got it this morning…task manager could stop it quick, but by then it executed. and would execute with every .exe file i opened. it was corrupting things bad – and FAST. within an hour Windows functionality was getting crippled to the point I HAD TO install some security.
got so bad when i would download a new security program (Like AVS, or Norton, or ANY .exe files) it would NOT EXECUTE the file to install the program to get rid of it!!!! somma-bitches!!
Luckily (?) i had a version of Spyhunter already on my harddrive so i was forced into using it (and the 40 bucks was worth it) to remove this nasty nasty trojan mother-f*&$%#er.
The Spyhunter worked…but now ALL my shortcuts are gone and i can’t open anything from the Start Menu – plus control panel won’t open anything there – says “application not found” – WTF!??
Anyone know how to re-enable ALL of your shortcuts? It’s hard to use a graphical user interface (what Windows is) when everything you click on doesn’t work….even msconfig is gone..
Dear Mark, can you launch regedit or not?
I can’t do any of the fixes mentioned in these comments. I can’t open task manager and I can’t use any spyware I have (Kaspersky), and if I can’t use any new software I download as this virus says they are infected. None of the files mentioned are on my computer (not that I can see anyway) and I am very pissed off. If I ever find out who made this virus I will beat the crap out of them!!
Any ideas?
I got this virus a second time. The first time I got it removed somehow with loading AVG and Combofix.exe using Puppy-Linux to run instead Windows.
Then AVG slowed down my laptop nearly to worthlessness, so I changed to Avira – and got this virus again after some months.
This time I cannot load AVG because it says there is an Avira Desktop (which I do not find) and Microsoft denies access to registry (I am working in safe mode).
Somewhere I read that if you hold the shift key while starting Windows this will delay the popup. I discovered the first program I start after starting Windows works, despite the virus-Popups.
Windows search still did not find sysguard.exe, it’s running a while now.
Don’t throw your laptop away, get a Puppy-Linux-CD for a few bucks somewhere, and use this laptop with Puppy-Linux! It looks nice and the few differences to Windows are to learn shortly.
Never had this problem but good info for my lookout.
Man.. this is a nasty one. It’s called spyware protection, but don’t see any version or something, so that I could find a solution online. Only spyware protection2009 and 2010 I could find. But prob it’s a newer version. Also I can’t find the files anywhere. Also I can’t open the award winning spywaredoctor. And also in safe mode it can’t find anything. Death to the guy who made this. Making cash with this sick virus. Burn in hell please
I found the virus located in C:\Windows\temp and C:\Documents and Settings\user folder\Local Settings\Application Data\syssvc.exe. Run Windows in safe mode, empty the temp folder and delete syssvc.exe in C:\Documents and Settings\user folder\Local Settings\Application Data\. Ta da no more virus.