onestcoder Posted December 26, 2008 (edited)

My aunt got infected with the Malware "Spy Guard 2008" software. After researching the software it is confirmed EEEVVVIIILLL

After reading how to remove it from forums, I made a remover tool. It is using this removal strategy:
How to Detect & Remove Spyware Guard 2008
http://www.411-spyware.com/spyware-guard-2008

```autoit
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>

$Form1 = GUICreate("Spyware Guard Remover", 175, 60, 193, 125, -1, $WS_EX_TOOLWINDOW)
$Button1 = GUICtrlCreateButton("Remove", 8, 16, 153, 33, 0)
GUISetState(@SW_SHOW)

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $Button1
            _clean()
    EndSwitch
WEnd

Func _clean()
    ; Stop Spyware Guard processes (each name listed once; the original list repeated several)
    ProcessClose("SpywareGuard.exe")
    ProcessClose("syscert.exe")
    ProcessClose("spoolsystem.exe")
    ProcessClose("reged.exe")
    ProcessClose("sysexplorer.exe")
    ProcessClose("uninstall.exe")

    ; Delete dll files
    FileDelete(@UserProfileDir & "\Application Data\Microsoft\Internet Explorer\olesys.dll")
    FileDelete(@WindowsDir & "\vmreg.dll")

    ; Remove files
    FileDelete(@WindowsDir & "\sys.com")
    FileDelete(@UserProfileDir & "\Desktop\Spyware Guard 2008.lnk")
    FileDelete(@UserProfileDir & "\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk")
    FileDelete(@UserProfileDir & "\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\conf.cfg")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\mbase.vdb")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\quarantine.vdb")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\queue.vdb")
    FileDelete(@ProgramFilesDir & "\Spyware Guard 2008\vbase.vdb")

    ; Remove directories (the macros have no trailing backslash, so one is needed here)
    DirRemove(@ProgramFilesDir & "\Spyware Guard 2008", 1)
    DirRemove(@UserProfileDir & "\Start Menu\Programs\Spyware Guard 2008", 1)

    ; Clean registry
    RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "SpywareGuard2008")

    MsgBox(1, "Success", "Spyware Guard 2008 REMOVED!!!")
    Exit
EndFunc   ;==>_clean
```

sg2008_remover.exe

Edited December 26, 2008 by onestcoder

Need a website: http://www.iconixmarketing.com
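The script above always reports "REMOVED!!!" whether or not each step actually worked. The following is an added example, not the original poster's code, of the same removal routine written so that it verifies every step and only reports success when nothing from the list is left. It uses the process names, file paths and registry value named in the post (with @WindowsDir and @ProgramFilesDir in place of the hard-coded C:\ paths); the function names and the five-second wait are my own choices.

```autoit
; Added example (not the poster's code): remove the listed items and verify each step.
; Items are taken from the post above; helper names and the timeout are assumptions.

Global $g_aProcs[6] = ["SpywareGuard.exe", "syscert.exe", "spoolsystem.exe", "reged.exe", "sysexplorer.exe", "uninstall.exe"]

Global $g_aFiles[11] = [ _
    @UserProfileDir & "\Application Data\Microsoft\Internet Explorer\olesys.dll", _
    @WindowsDir & "\vmreg.dll", _
    @WindowsDir & "\sys.com", _
    @UserProfileDir & "\Desktop\Spyware Guard 2008.lnk", _
    @UserProfileDir & "\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk", _
    @UserProfileDir & "\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk", _
    @ProgramFilesDir & "\Spyware Guard 2008\conf.cfg", _
    @ProgramFilesDir & "\Spyware Guard 2008\mbase.vdb", _
    @ProgramFilesDir & "\Spyware Guard 2008\quarantine.vdb", _
    @ProgramFilesDir & "\Spyware Guard 2008\queue.vdb", _
    @ProgramFilesDir & "\Spyware Guard 2008\vbase.vdb"]

Global $g_aDirs[2] = [@ProgramFilesDir & "\Spyware Guard 2008", _
    @UserProfileDir & "\Start Menu\Programs\Spyware Guard 2008"]

Global Const $g_sRunKey = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
Global Const $g_sRunValue = "SpywareGuard2008"

; Close each listed process and wait up to 5 s for it to exit; count the ones still alive.
Func _KillProcesses(ByRef $sReport)
    Local $iLeft = 0
    For $i = 0 To UBound($g_aProcs) - 1
        If Not ProcessExists($g_aProcs[$i]) Then ContinueLoop
        ProcessClose($g_aProcs[$i])
        If ProcessWaitClose($g_aProcs[$i], 5) = 0 Then
            $iLeft += 1
            $sReport &= "still running: " & $g_aProcs[$i] & @CRLF
        EndIf
    Next
    Return $iLeft
EndFunc

; Delete each listed file and re-check that it is gone.
Func _DeleteFiles(ByRef $sReport)
    Local $iLeft = 0
    For $i = 0 To UBound($g_aFiles) - 1
        If Not FileExists($g_aFiles[$i]) Then ContinueLoop
        FileDelete($g_aFiles[$i])
        If FileExists($g_aFiles[$i]) Then
            $iLeft += 1
            $sReport &= "could not delete: " & $g_aFiles[$i] & @CRLF
        EndIf
    Next
    Return $iLeft
EndFunc

; Remove each directory recursively and re-check.
Func _RemoveDirs(ByRef $sReport)
    Local $iLeft = 0
    For $i = 0 To UBound($g_aDirs) - 1
        If Not FileExists($g_aDirs[$i]) Then ContinueLoop
        DirRemove($g_aDirs[$i], 1)
        If FileExists($g_aDirs[$i]) Then
            $iLeft += 1
            $sReport &= "could not remove: " & $g_aDirs[$i] & @CRLF
        EndIf
    Next
    Return $iLeft
EndFunc

; Delete the Run value and confirm it no longer reads back (RegRead sets @error when absent).
Func _CleanRunValue(ByRef $sReport)
    RegRead($g_sRunKey, $g_sRunValue)
    If @error Then Return 0
    RegDelete($g_sRunKey, $g_sRunValue)
    RegRead($g_sRunKey, $g_sRunValue)
    If @error Then Return 0
    $sReport &= "Run value still present: " & $g_sRunValue & @CRLF
    Return 1
EndFunc

; Run all steps and report honestly; returns the number of leftovers.
Func _CleanAndVerify()
    Local $sReport = ""
    Local $iLeft = _KillProcesses($sReport)
    $iLeft += _DeleteFiles($sReport)
    $iLeft += _RemoveDirs($sReport)
    $iLeft += _CleanRunValue($sReport)
    If $iLeft = 0 Then
        MsgBox(64, "Spyware Guard Remover", "All listed items were removed. Reboot and check again.")
    Else
        MsgBox(48, "Spyware Guard Remover", $iLeft & " item(s) could not be removed:" & @CRLF & $sReport)
    EndIf
    Return $iLeft
EndFunc

_CleanAndVerify()
```

To drop this into the poster's GUI, call _CleanAndVerify() from the $Button1 case instead of _clean(). The point of the re-checks is the one raised later in the thread: a process that comes straight back, or a file that cannot be deleted, is a sign the infection is not gone, and the tool should say so rather than announce success.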
Confuzzled Posted December 28, 2008

Malwarebytes might also do the trick a little more thoroughly and pick up other nasties that are probably highly likely to be lurking.
Michel Claveau Posted December 28, 2008

Hi! Confuzzled, you are a grouch. The example by Onestcoder is a good way of showing a usage of AutoIt.
Confuzzled Posted December 28, 2008

> Hi! Confuzzled, you are a grouch. The example by Onestcoder is a good way of showing a usage of AutoIt.

Sadly, the malware in question also drops some other randomly named files that the originally posted script does not kill, so it will only be partly effective until the next reboot, at which time the chances of re-infection are fairly high. A false sense of security is like that warm feeling you get when you silently urinate in your pants - it eventually grows cold and damp.

Recent malware has self-defensive mechanisms that detect if you are killing some of their tasks and resurrect them, even killing off well known anti-malware programs. I know, as one of my custom malware-killer programs (yeah I write them too!) was included in a signature pattern recognition nasty that originated from Russia, which has lookup-by-program-name functionality to defensively kill efforts to eliminate it - what a way to become famous! I had to update my program to copy the program to a random file name and then launch that as a separate process before my program had been killed off by the malware. Now the malware writers are doing the same with their code. It's a race to the death - good vs evil...

Unfortunately most anti-malware works on a blacklist concept, where they recognise things that shouldn't be running from a list or algorithm. What would be more effective is a whitelist concept - only allow things to run that are on my good list and nothing else. That way if there is anything running on my computer that shouldn't be there, then it must be a nasty. Sadly, computer science has a long way still to go with this concept before it becomes a reality in the M$ Windoze world.

You only have a short time window to deploy your code as the malware writers keep updating their code too. You have to be one leap ahead, and running furiously.

It pays to join up with well respected anti-malware organisations that employ highly skilled people, full time, to isolate, detect, and write code to eliminate this malware.

Psst: For fun times, deploy your updated anti-malware AutoIt compiled code that is packed with UPX and then watch one of the vendors update their signature codes, which gives a false positive and zaps it out of existence... Happens all the time! Grrr.
Valuater Posted December 28, 2008

> ...Psst: For fun times, deploy your updated anti-malware AutoIt compiled code that is packed with UPX and then watch one of the vendors update their signature codes, which gives a false positive and zaps it out of existence... Happens all the time! Grrr.

The irony of it all!!! 8)
NerdFencer Posted December 29, 2008

I'm not trying to put a damper on your success, but I honestly don't know why you bothered to make this when there are utilities out there which do a better job (such as ComboFix).

UDFs: Mouse UDF - Math UDF - Misc Constants - Uninstaller Shell
TooManySecrets Posted December 29, 2008

> I'm not trying to put a damper on your success, but I honestly don't know why you bothered to make this when there are utilities out there which do a better job (such as ComboFix).

ComboFix can kill your computer if used incorrectly.