Try running Malwarebytes in Safe Mode. You may also need to rename it so the virus will let it install.
See link here (print it out and follow the steps)
http://www.bleepingcomputer.co...ove-spyware-guard-2008
And here:
http://www.malwarehelp.org/spy...-and-removal-2008.html
And here are most of the directions (in case you can't get to those sites)
Spyware Guard 2008 Analysis and Removal
October 3, 2008 by Shanmuga
Spyware Guard 2008 is a new entrant to the family of rogue security software. It is not to be confused with SpywareGuard, a fine freeware from Javacool software.
Rogue security software is a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license/subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
Note: Visiting any of the malware hosting domains mentioned below may be injurious to the health of your computer system.
Analysis of Spyware Guard 2008 Installation
This rogue anti-spyware currently lives in spywareguard2008.com. Spywareguard2008.com has the IP 67.19.176.187 hosted by bb.b0.1343.static.theplanet.com. The domain name appears to be registered by MAMBA on 26-Aug-2008 and the registrant details are protected by Protect Details, Inc out of Saint Petersburg, Russia. This IP is shared with Porn-movies-online.net, notorious for pushing fake video codecs. This IP is also used as a nameserver for pyroscanner.com.
A temporary redirect from gosg2008.com and Sg8go.com points to spywareguard2008.com.
Curiously, their payment processor at innovagest2000s.com is not yet working and gives off the message "Invalid product !".
The executable installer file is named SpywareGuard2008.exe (1.51 MB). This file must be manually executed for the installation of the rogue anti-spyware. At this point only a couple of engines detect this as suspicious over at VirusTotal.
True to its genre, it installs a few suspicious files of its own in the Windows directory. They are reged.exe, spoolsystem.exe, sys.com, syscert.exe, sysexplorer.exe and vmreg.dll.
Spyware Guard 2008 - Associated Files and Folders
* C:\Documents and Settings\Shanmuga\Start Menu\Programs\Spyware Guard 2008
* C:\Program Files\Spyware Guard 2008
* C:\Program Files\Spyware Guard 2008\quarantine
* C:\Program Files\Spyware Guard 2008\conf.cfg
* C:\Program Files\Spyware Guard 2008\mbase.vdb
* C:\Program Files\Spyware Guard 2008\quarantine.vdb
* C:\Program Files\Spyware Guard 2008\queue.vdb
* C:\Program Files\Spyware Guard 2008\spywareguard.exe
* C:\Program Files\Spyware Guard 2008\uninstall.exe
* C:\Program Files\Spyware Guard 2008\vbase.vdb
* C:\Documents and Settings\Shanmuga\Desktop\Spyware Guard 2008.lnk
* C:\Documents and Settings\Shanmuga\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk
* C:\Documents and Settings\Shanmuga\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk
* C:\Documents and Settings\Shanmuga\Application Data\Microsoft\Internet Explorer\olesys.dll
* C:\Windows\reged.exe
* C:\Windows\spoolsystem.exe
* C:\Windows\sys.com
* C:\Windows\syscert.exe
* C:\Windows\sysexplorer.exe
* C:\Windows\vmreg.dll
Note: File names may be randomly generated.
Spyware Guard 2008 - Associated Registry keys and values
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\spywareguard
REG_SZ, 106 bytes, "C:\Program Files\Spyware Guard 2008\spywareguard.exe"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Spyware Guard 2008\spywareguard.exe
REG_SZ, 26 bytes, "spywareguard"
* HKEY_CURRENT_USER\Software\Spyware Guard\NP\NP
REG_SZ, 66 bytes, "F620C418B59F44D289B18E1D1B5D896E"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008\Display Name
REG_SZ, 38 bytes, "Spyware Guard 2008"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008\DisplayName
REG_SZ, 38 bytes, "Spyware Guard 2008"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008\UninstallString
REG_SZ, 100 bytes, "C:\Program Files\Spyware Guard 2008\uninstall.exe"
Spyware Guard 2008 - Associated Domains
* spywareguard2008.com
* Porn-movies-online.net
* pyroscanner.com
* gosg2008.com
* Sg8go.com
* innovagest2000s.com
Spyware Guard 2008 - Removal (How to remove Spyware Guard 2008)
At the time of writing this, none of the popular free anti-malware programs were detecting this. I tested with MalwareBytes's Anti-Malware, SuperAntiSpyware, Ad-Aware 2008, Spybot Search & Destroy, A-squared free and PCTools SpywareDoctor starter edition. I will update this post once any of the above vendors include detection and removal for this rogue.
Update Oct 04: SUPERAntiSpyware free version detects and removes this rogue completely with the latest definitions update.
Update Nov 13: Malwarebytes' Anti-Malware free version is updated to remove this rogue.
Update: If the Internet Explorer and other IE dependent programs have lost their ability to show pictures, try the following, it seems to restore the pictures for some users:
* Open Internet Options in Control Panel
* Click on the Advanced tab.
* Look for the Multimedia section
* Place a check mark in the Show Pictures option.
* Restart Internet Explorer if running.
Advanced users may manually remove this pest by deleting the associated folders, files, registry keys and values mentioned above. I would also recommend turning off and on the System Restore to clear any infected restore points and using CCleaner to clear the temp folders and files to avoid recurrence.
If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.
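An added example (not part of the quoted article or of this post): a read-only triage check in Python that matches a collected file listing and registry key dump against the file and registry indicators listed above. The `*` wildcard for the profile name, the trimming of registry entries to their key, and the sample lines are assumptions made here.

```python
import re

# Indicators from the article's lists. The analyst's profile name ("Shanmuga")
# is replaced with "*" so any profile matches; registry entries are trimmed
# to their key. Anything beneath a listed folder or key also counts as a hit.
INDICATORS = [
    r"C:\Program Files\Spyware Guard 2008",
    r"C:\Documents and Settings\*\Start Menu\Programs\Spyware Guard 2008",
    r"C:\Documents and Settings\*\Desktop\Spyware Guard 2008.lnk",
    r"C:\Documents and Settings\*\Application Data\Microsoft\Internet Explorer\olesys.dll",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\spywareguard",
    r"HKEY_CURRENT_USER\Software\Spyware Guard\NP",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008",
] + ["C:\\Windows\\" + name for name in (
    "reged.exe", "spoolsystem.exe", "sys.com",
    "syscert.exe", "sysexplorer.exe", "vmreg.dll")]

def compile_indicator(indicator):
    """Match the indicator itself or anything beneath it, ignoring case."""
    body = r"[^\\]+".join(re.escape(part) for part in indicator.split("*"))
    return re.compile(body + r"(\\.*)?", re.IGNORECASE)

PATTERNS = [(ind, compile_indicator(ind)) for ind in INDICATORS]

def scan(lines):
    """Return (line, indicator) for every listing line that hits an indicator."""
    hits = []
    for raw in lines:
        line = raw.strip().strip('"')
        for indicator, pattern in PATTERNS:
            if pattern.fullmatch(line):
                hits.append((line, indicator))
                break
    return hits

# Constructed sample: lines as from `dir /s /b` plus a registry key dump.
SAMPLE = [
    r"C:\Documents and Settings\alice\Desktop\Spyware Guard 2008.lnk",
    r"C:\PROGRAM FILES\Spyware Guard 2008\quarantine\item1.bin",
    r"C:\WINDOWS\syscert.exe",
    r"C:\Windows\system32\sysexplorer.exe",                   # other folder: no hit
    r"C:\Program Files\Spyware Guard 2008 Remover\tool.exe",  # sibling name: no hit
    r"HKEY_CURRENT_USER\Software\Spyware Guard\NP\NP",
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Because the article notes that file names may be randomly generated, a clean result from the `C:\Windows` name matches does not rule out infection; the folder and registry indicators are the ones to rely on.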