
Posted (edited)

My aunt got infected with the "Spyware Guard 2008" malware. After researching the software, it is confirmed EEEVVVIIILLL :)

After reading how to remove it from forums, I made a remover tool.

It uses the removal strategy from "How to Detect & Remove Spyware Guard 2008":

http://www.411-spyware.com/spyware-guard-2008

#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>

$Form1 = GUICreate("Spyware Guard Remover", 175, 60, 193, 125, -1, $WS_EX_TOOLWINDOW)
$Button1 = GUICtrlCreateButton("Remove", 8, 16, 153, 33, 0)
GUISetState(@SW_SHOW)

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $Button1
            _clean()
    EndSwitch
WEnd

Func _clean()
    ; Stop the Spyware Guard 2008 processes. ProcessClose matches the image
    ; name case-insensitively, so each name is listed once.
    ProcessClose("SpywareGuard.exe")
    ProcessClose("syscert.exe")
    ProcessClose("spoolsystem.exe")
    ProcessClose("reged.exe")
    ProcessClose("sysexplorer.exe")
    ProcessClose("uninstall.exe")

    ; Delete the dropped DLLs. @AppDataDir and @WindowsDir resolve the current
    ; user's Application Data folder and the Windows folder on this machine
    ; instead of hard-coding C:\.
    FileDelete(@AppDataDir & "\Microsoft\Internet Explorer\olesys.dll")
    FileDelete(@WindowsDir & "\vmreg.dll")

    ; Remove the remaining files and shortcuts
    FileDelete(@WindowsDir & "\sys.com")
    FileDelete(@DesktopDir & "\Spyware Guard 2008.lnk")
    FileDelete(@ProgramsDir & "\Spyware Guard 2008\Spyware Guard 2008.lnk")
    FileDelete(@ProgramsDir & "\Spyware Guard 2008\Uninstall.lnk")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\conf.cfg")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\mbase.vdb")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\quarantine.vdb")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\queue.vdb")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\vbase.vdb")

    ; Remove the directories (flag 1 = recursive). Note the backslash between
    ; the macro and the folder name; without it the path does not exist.
    DirRemove(@ProgramFilesDir & "\Spyware Guard 2008", 1)
    DirRemove(@ProgramsDir & "\Spyware Guard 2008", 1)

    ; Remove the autostart entry
    RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "SpywareGuard2008")

    MsgBox(64, "Success", "Spyware Guard 2008 REMOVED!!!")

    Exit
EndFunc   ;==>_clean


Edited by onestcoder

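The script above reports "REMOVED!!!" no matter what ProcessClose, FileDelete, DirRemove and RegDelete actually returned, so a locked DLL or a respawned process goes unnoticed. The following is an added example, not code from the original post: the same artifact list, but every step is retried where it makes sense and verified afterwards, and the final dialog lists what is still present. The artifact arrays are constructed from the paths in the post; the attempt counts, grace period and the "|" separator are choices made for this example.

```autoit
; Constructed artifact lists for the demonstration: process names, paths and
; the Run value the removal writeup lists for this family.
Global Const $g_aProcs[6] = ["SpywareGuard.exe", "syscert.exe", "spoolsystem.exe", _
        "reged.exe", "sysexplorer.exe", "uninstall.exe"]
Global Const $g_aPaths[5] = [@AppDataDir & "\Microsoft\Internet Explorer\olesys.dll", _
        @WindowsDir & "\vmreg.dll", @WindowsDir & "\sys.com", _
        @DesktopDir & "\Spyware Guard 2008.lnk", @ProgramFilesDir & "\Spyware Guard 2008"]
Global Const $g_sRunKey = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
Global Const $g_sRunValue = "SpywareGuard2008"

; Close every instance of $sName, then wait a grace period to see whether a
; watchdog respawns it. Returns True only if the name is gone at the end.
Func _KillPersistent($sName, $iAttempts = 10, $iGraceMs = 750)
    For $i = 1 To $iAttempts
        If Not ProcessExists($sName) Then
            Sleep($iGraceMs)
            If Not ProcessExists($sName) Then Return True
        EndIf
        ProcessClose($sName)          ; closes one PID; the loop handles the rest
        ProcessWaitClose($sName, 2)   ; up to 2 s for the process to go away
    Next
    Return Not ProcessExists($sName)
EndFunc   ;==>_KillPersistent

; Delete a file or a directory tree and confirm it is really gone. An in-use
; DLL or a locked directory leaves FileDelete/DirRemove returning 0.
Func _RemovePath($sPath)
    If Not FileExists($sPath) Then Return True
    If StringInStr(FileGetAttrib($sPath), "D") Then
        DirRemove($sPath, 1)
    Else
        FileSetAttrib($sPath, "-RSH")   ; droppers often mark their files hidden/read-only
        FileDelete($sPath)
    EndIf
    Return Not FileExists($sPath)
EndFunc   ;==>_RemovePath

; Delete an autostart value and verify by reading it back (@error <> 0 = absent).
Func _RemoveRunValue($sKey, $sValue)
    RegDelete($sKey, $sValue)
    RegRead($sKey, $sValue)
    Return @error <> 0
EndFunc   ;==>_RemoveRunValue

; Run the whole removal and return a "|"-separated list of what survived,
; or an empty string when every artifact is confirmed gone.
Func _CleanVerified()
    Local $sLeft = ""
    For $i = 0 To UBound($g_aProcs) - 1
        If Not _KillPersistent($g_aProcs[$i]) Then $sLeft &= "process " & $g_aProcs[$i] & "|"
    Next
    For $i = 0 To UBound($g_aPaths) - 1
        If Not _RemovePath($g_aPaths[$i]) Then $sLeft &= "path " & $g_aPaths[$i] & "|"
    Next
    If Not _RemoveRunValue($g_sRunKey, $g_sRunValue) Then $sLeft &= "run value " & $g_sRunValue & "|"
    Return StringTrimRight($sLeft, 1)
EndFunc   ;==>_CleanVerified

Local $sLeftovers = _CleanVerified()
If $sLeftovers = "" Then
    MsgBox(64, "Removal verified", "All listed artifacts are gone. Reboot and re-check before trusting the machine.")
Else
    MsgBox(48, "Removal incomplete", "Still present (reboot into Safe Mode and rerun):" & @CRLF & _
            StringReplace($sLeftovers, "|", @CRLF))
EndIf
```

Verification uses ProcessExists, FileExists and RegRead rather than the return values of the delete calls, because the state after the call is what matters, and a respawn during the grace period shows up as a failure instead of a success message.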

Posted

Hi!

Confuzzled, you are an awkward customer.

The example by Onestcoder is a good way of showing a usage of AutoIt.

Sadly, the malware in question also drops some other randomly named files that the originally posted script does not kill, so it will only be partly effective until the next reboot, at which time the chances of re-infection are fairly high. A false sense of security is like that warm feeling you get when you silently urinate in your pants - it eventually grows cold and damp.

Recent malware has self-defensive mechanisms that detect if you are killing some of their tasks and resurrect them, even killing off well-known anti-malware programs. I know, as one of my custom malware-killer programs (yeah, I write them too!) was included in a signature pattern recognition nasty that originated from Russia and has lookup-by-program-name functionality to defensively kill efforts to eliminate it - what a way to become famous! I had to update my program to copy itself to a random file name and then launch that as a separate process before my program had been killed off by the malware. Now the malware writers are doing the same with their code. It's a race to the death - good vs evil...

Unfortunately most anti-malware works on a blacklist concept, where they recognise things that shouldn't be running from a list or algorithm. What would be more effective is a whitelist concept - only allow things to run that are on my good list and nothing else. That way if there is anything running on my computer that shouldn't be there, then it must be a nasty. Sadly, computer science has a long way still to go with this concept before it becomes a reality in the M$ Windoze world.

You only have a short time window to deploy your code as the malware writers keep updating their code too. You have to be one leap ahead, and running furiously. It pays to join up with well respected anti-malware organisations that employ highly skilled people, full time, to isolate, detect, and write code to eliminate this malware.

Psst: For fun times, deploy your updated compiled AutoIt anti-malware code, packed with UPX, and then watch one of the vendors update their signature codes, which gives a false positive and zaps it out of existence... Happens all the time! Grrr.
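Two of the points in the reply above lend themselves to code: relaunching the remover under a random file name so a sample that kills by image name has nothing to match, and checking what is running against an allowlist instead of a blacklist so that the randomly named droppings stand out. The block below is an added example written for this thread, not code from either poster. The allowlist is a constructed XP-era baseline, the "/relocated" argument is a marker invented for this example, and the compiled script is assumed to be the only thing running under that random name.

```autoit
#include <Array.au3>

; Constructed allowlist: what is expected to run on a bare XP-era box. A real
; baseline would be captured from the same machine while it was known-clean.
Global $g_aKnownGood[9] = ["system", "system idle process", "smss.exe", "csrss.exe", _
        "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"]

; Copy the compiled remover to a random file name in %TEMP% and relaunch it,
; so a self-defending sample that matches on the remover's image name finds
; nothing. "/relocated" is a marker argument chosen for this example; the
; copy sees it and does not relocate again.
Func _RelaunchUnderRandomName()
    If Not @Compiled Then Return False                       ; only meaningful as an .exe
    If $CmdLine[0] >= 1 And $CmdLine[1] = "/relocated" Then Return False
    Local $sCopy = @TempDir & "\" & Hex(Random(0, 2147483647, 1), 8) & ".exe"
    If Not FileCopy(@ScriptFullPath, $sCopy, 1) Then Return False
    If Not Run('"' & $sCopy & '" /relocated') Then Return False
    Exit                                                     ; the copy carries on from here
EndFunc   ;==>_RelaunchUnderRandomName

; Compare ProcessList() against the allowlist and return the unknown names
; (each once, lower-cased, "|"-separated). The remover's own random name is
; skipped so it does not report itself.
Func _ListUnknownProcesses(ByRef $aAllow)
    Local $aProcs = ProcessList()
    Local $sUnknown = "", $sSelf = StringLower(@ScriptName)
    For $i = 1 To $aProcs[0][0]
        Local $sName = StringLower($aProcs[$i][0])
        If $sName = $sSelf Then ContinueLoop
        If _ArraySearch($aAllow, $sName) <> -1 Then ContinueLoop        ; on the allowlist
        If StringInStr("|" & $sUnknown & "|", "|" & $sName & "|") Then ContinueLoop  ; already noted
        If $sUnknown <> "" Then $sUnknown &= "|"
        $sUnknown &= $sName
    Next
    Return $sUnknown
EndFunc   ;==>_ListUnknownProcesses

_RelaunchUnderRandomName()
Local $sUnknown = _ListUnknownProcesses($g_aKnownGood)
If $sUnknown = "" Then
    MsgBox(64, "Allowlist check", "Only allowlisted process names are running.")
Else
    MsgBox(48, "Allowlist check", "Not on the allowlist (inspect before killing):" & @CRLF & _
            StringReplace($sUnknown, "|", @CRLF))
EndIf
```

The allowlist compares image names only, so a dropper that calls itself svchost.exe passes; that is the limit of a name-based list, and why the unknown names are reported for inspection rather than killed outright.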

Posted

...

Psst: For fun times, deploy your updated compiled AutoIt anti-malware code, packed with UPX, and then watch one of the vendors update their signature codes, which gives a false positive and zaps it out of existence... Happens all the time! Grrr.

The Irony of it all!!!

8)


Posted

I'm not trying to put a damper on your success, but I honestly don't know why you bothered to make this when there are utilities out there which do a better job (Such as ComboFix)

ComboFix can kill your computer if used incorrectly.
