
swp2009 demo hit my computer tonight


FurPaw

Feb 8, 2009, 2:25:31 AM
My computer was hit by swp 2009 tonight. The first indication
was a message that my firewall was not on. (??) I restarted it.

I updated virus defs and ran a deep scan with BitDefender, and it
did not detect anything. Sometime while it was running, a big
black square appeared in the middle of the screen.

I checked Task manager and saw swp2009 demo.exe running, and
killed it, which removed the big black square.

Windows popped up a message saying
DLL C:\WINDOWS\system32\digeste.dll is not a valid Windows image.

Sure enough, it appeared on the computer at 6:33 PM tonight,
about the time I got the firewall message.

I can't find out much about this - googling turns up a few
instances of people who have been affected, but not much help. I
can't find it mentioned on McAfee or Symantec sites.

I run Windows Firewall, a BitDefender scan daily, and the system
sits behind a router. I suspect I inadvertently clicked on a
hidden link around 6:33 tonight.

How do I get rid of this, or am I going to have to reformat and
reinstall windows? (I have a complete backup from last night.)

Thanks for your help!

Carol
--
Don't believe everything that you think.

To reply, unleash the dog.

Malke

Feb 8, 2009, 7:55:43 AM

John Doe

Feb 8, 2009, 8:28:11 AM
Just cleaned a machine with that; SuperAntiSpyware was the only one that
removed it; for this one neither Malwarebytes nor Spybot caught it correctly. Run
those after SAS tho' . . .

"FurPaw" <furrea...@gmail.com> wrote in message
news:gmm1dg$2ms$1...@reader.motzarella.org...

l@discussions.microsoft.com steve l

Feb 22, 2009, 11:12:01 PM
Just killed this bastard swp2009 with a cocktail of MS Malicious software
removal tool and then Malwarebytes. Phew. SAS, a favorite, did not work for me
this time around. I think the MST was the one that did the trick.

veruschkan

Jun 5, 2009, 5:09:12 PM

I got rid of this SWP2009 demo malware by doing the following:

1) Stop the following service using Ctrl+Alt+Delete and Task Manager:
sysguard.exe. This will stop the popups and the fictitious scanning of
the PC by the rogue antivirus.

2) Do a search for the sysguard.exe file on your PC (make sure you can
see hidden files) and delete any file with that name, including the
prefetch file. This will avoid it from reloading when you restart your
PC.

3) Control Panel-->Internet Option-->Advanced Tab-->Click on Reset
button to reset Internet Explorer to default settings. This will remove
any Plug Ins/Add-Ons that the program loaded to Internet Explorer. Also,
it will default the home page to factory settings.

4) Control Panel-->Internet Option-->General Tab-->Delete all temporary
files, passwords, etc.

5) Microsoft® Windows® Malicious Software Removal Tool
(KB890830) http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

6) Run the tool to scan and remove the spyware.

7) Control Panel-->Internet Option-->Advanced Tab-->Click on Restore
Advanced Settings. This will restore factory default security settings
for your Internet Explorer.

8) Restart your PC. At this point, when you log back in, you should no
longer have the sysguard service that runs the SWP2009 virus, and it will no
longer load. You should also be able to open Internet Explorer to the factory
default page and be able to return your customized home page as you want
under the Control Panel-->Internet Option-->General Tab and entering
the website of your choosing.

I hope this helps!!!


--
veruschkan
------------------------------------------------------------------------
veruschkan's Profile: http://forums.techarena.in/members/103690.htm
View this thread: http://forums.techarena.in/security-virus/1118668.htm

http://forums.techarena.in


VetteLover

Jun 19, 2009, 7:45:34 PM
On Jun 5, 2:09 pm, veruschkan <veruschkan.3tb...@DoNotSpam.com> wrote:
> I got rid of this SWP2009 demo malware by doing the following:
>
> 1) Stop the following service using Ctrl+Alt+Delete and Task Manager:
> sysguard.exe.  This will stop the popups and the fictitious scanning of
> the PC by the rogue antivirus.
>
> 2) Do a search for the sysguard.exe file on your PC (make sure you can
> see hidden files) and delete any file with that name, including the
> prefetch file.  This will avoid it from reloading when you restart your
> PC.
>
> 3) Control Panel-->Internet Option-->Advanced Tab-->Click on Reset
> button to reset Internet Explorer to default settings.  This will remove
> any Plug Ins/Add-Ons that the program loaded to Internet Explorer.  Also,
> it will default the home page to factory settings.
>
> 4) Control Panel-->Internet Option-->General Tab-->Delete all temporary
> files, passwords, etc.
>
> 5) Microsoft® Windows® Malicious Software Removal Tool
> (KB890830)http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72...

>
> 6) Run the tool to scan and remove the spyware.
>
> 7) Control Panel-->Internet Option-->Advanced Tab-->Click on Restore
> Advanced Settings.  This will restore factory default security settings
> for your Internet Explorer.
>
> 8) Restart your PC.  At this point, when you log back in, you should no
> longer have the sysguard service that runs the SWP2009 virus, and it will no
> longer load.  You should also be able to open Internet Explorer to the factory
> default page and be able to return your customized home page as you want
> under the Control Panel-->Internet Option-->General Tab and entering
> the website of your choosing.
>
> I hope this helps!!!
>
> --
> veruschkan
> ------------------------------------------------------------------------
> veruschkan's Profile:http://forums.techarena.in/members/103690.htm
> View this thread:http://forums.techarena.in/security-virus/1118668.htm
>
> http://forums.techarena.in

Yesterday my desktop was ferociously attacked by the "swp2009 demo"
malware. It was the worst thing I've ever seen, almost lost total
control of the computer. Veruschkan's advice saved me. His step "1"
didn't work for me. In order to access the computer I had to operate
in "Safe Mode". Microsoft® Windows® Malicious Software Removal Tool
worked, I used "Malwarebytes Anti-Malware", and I used "Super Anti
Spyware". Once I got back control I ran "McAfee" for a scan. MBAM
found 2300 infected files, McAfee found 230 Trojans.

Bongo

Sep 1, 2009, 12:12:01 PM
Thank you so much! That seems to have done the trick. I've never picked one
of these up before and it was pretty alarming. You provided the clearest and
most effective instructions. One thing I might add, the version I picked up
told me that task manager was infected and unusable, same when I tried to
delete the files, told me I couldn't. You just have to keep hitting CTRL ALT
DLT and eventually it overrides the thing, same with delete.

Peter Foldes

Sep 1, 2009, 3:36:12 PM
You are still infected from what you are posting

Use the following
http://www.malwarebytes.org/mbam.php
and
http://www.superantispyware.com/superantispywarefreevspro.html

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Bongo" <Bo...@discussions.microsoft.com> wrote in message
news:24370788-EDA6-432C...@microsoft.com...

happyscientist

Oct 19, 2009, 9:49:13 PM

Please help! Somehow I got the SWP 2009 demo on my computer. I have
searched for the sysguard.exe file and deleted it and the folder that it
was in under C:/Program Files. I have Norton 2010 and it keeps blocking
it but won't remove it. I cannot get Internet Explorer to connect even
to google.com to get to the websites to download the malware removal
programs. I cannot even do ctrl+alt+del (it says Task Manager has been
disabled by your system administrator), which I know we did not do, so I
cannot end the task. I deleted the sysguard.exe and restarted and the
program still started up. What do I do???


--
happyscientist
------------------------------------------------------------------------
happyscientist's Profile: http://forums.techarena.in/members/146099.htm

NT Canuck

Oct 20, 2009, 1:04:35 AM
"happyscientist" <happyscien...@DoNotSpam.com> wrote in message
news:happyscien...@DoNotSpam.com...

>
> Please help! Somehow I got the SWP 2009 demo on my computer. I have
> searched for the sysguard.exe file and deleted it and the folder that it
> was in under C:/Program Files. I have Norton 2010 and it keeps blocking
> it but won't remove it. I cannot get Internet Explorer to connect even
> to google.com to get to the websites to download the malware removal
> programs. I cannot even do ctrl+alt+del (it says Task Manager has been
> disabled by your system administrator), which I know we did not do, so I
> cannot end the task. I deleted the sysguard.exe and restarted and the
> program still started up. What do I do???

If you can access the files but not actually delete them
then they are usually locked by some process or in use
via some 'tether' like another file or a registry entry.

Registrar lite will help to collate/search for entries,
the MS regedit only picks one at a time.
http://www.resplendence.com/reglite

Enter name of the file in this and should delete on reboot.
http://killbox.net/

Click on the file with this tool and select unlock
(it will show you if it's being 'held') then delete file.
http://www.filehippo.com/download_unlocker/

Look to running this little browser if IE won't start..
http://offbyone.com/offbyone/
Or download it via another machine and copy
to yours..it's small and portable.

If you have a disk/i386 folder then expand the
iexplore.exe
'delete' the one in C:\Program Files\Internet Explorer
and place the new (clean) file in its place, normally
that will re-enable the Internet for awhile.

Most of above could be sent as attachments via
your email program from a local machine or
nearby friend/family, if you needed that 'idea'. ;)

Other than that immediate help, the Norton forum
should be able to assist, it's iirc a paid program.
So make sure your updates are current.

Finally, even when/if IE is not operating the
OB1 browser usually is fine, and some download
manager like flashget (free) can download the
files if you have a direct link to paste into it.
http://www.flashget.com/en/download.htm

A good help forum (if needing direct help)
(forum link at top...right side)
http://www.malwareremoval.com/downloads.php

hth

'Seek and ye shall find'
NT Canuck


Rich

Oct 23, 2009, 2:08:01 PM

"happyscientist" wrote:

> .
>
SWP2009 is intercepting the call to task manager and causing the reported
message. The version that hit my computer did not cover all the bases,
though, and I could get to the process listing by using Ctrl+Shift+Esc. Once
you have shut down the offending task continue as in the previous post(s).
One other thing to note is that the version that hit me added entries into
the local hosts list that redirected internet access to additional malware
bearing pages. Be sure to remove these as well.
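
Added example, not part of any poster's message: one way to audit a hosts file for the kind of entries Rich describes. The sample file contents, the `.example` hostnames and the `audit_hosts` function are constructed for illustration; it assumes a clean system carries only the stock `localhost` entries.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.search.example search.example   # constructed redirect
127.0.0.1       update.av-vendor.example
0.0.0.0 downloads.av-vendor.example
::1 localhost
not-an-ip       broken.example
"""

DEFAULT_NAMES = {"localhost"}  # assumption: only the stock loopback entry is expected


def audit_hosts(text):
    """Return (line_no, kind, address, hostname) for every non-default entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        address, *names = entry.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "malformed", address, " ".join(names)))
            continue
        # Loopback or 0.0.0.0 makes a site unreachable; any other address
        # sends the hostname to a server chosen by whoever wrote the entry.
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            name = name.lower()
            if sinkhole and name in DEFAULT_NAMES:
                continue  # stock entry, nothing to report
            kind = "block" if sinkhole else "redirect"
            findings.append((line_no, kind, address, name))
    return findings


if __name__ == "__main__":
    # On a live Windows system the file is %SystemRoot%\System32\drivers\etc\hosts.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-9s %s -> %s" % finding)
```

Entries reported as `block` matter as much as `redirect` ones: pointing a security vendor's hostname at loopback is enough to stop removal tools from downloading or updating.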

karinkitten

Nov 22, 2009, 2:10:01 AM

I had the same problem with this virus. The trick to opening task
manager is to immediately hit control+alt+delete the moment the computer
shows your desktop background. The swp2009demo virus takes a moment to
load and your computer will start other regular startup programs first
like aim etc before it starts the virus program. The task manager will
come up blank until the virus loads, then end program it when it pops
up.


--
karinkitten
------------------------------------------------------------------------
karinkitten's Profile: http://forums.techarena.in/members/157017.htm

Stephanie Good

Dec 26, 2009, 9:54:56 AM
Just had the infection come across as 'iuhesysguard.exe' this morning.
Malwarebytes did not detect it (it did last year) and the swp2009demo
was preventing any executables as in previous versions. It seems like
it is my Christmas present now for the past 2 years. I did
veruschkan's approach with karinkitten's restart method and everything
seems to work. I'll try the superantispyware now... See everyone again
next Christmas!

On Nov 22, 2:10 am, karinkitten <karinkitten.421...@DoNotSpam.com>
wrote:

dkcobbs

Dec 30, 2009, 4:21:03 PM
Following the above instructions provided by veruschkan on 6/5/09 worked for
me:
1) Trick to opening task manager on boot-up is a life saver.
2) Running the Malicious Software Removal Tool took almost 5 hours and
reported finding nothing
3) Followed up with Malwarebytes which found 3 items
4) Rebooted and everything seems to be fine

Pretty certain I got this virus following a link to an article on Tiger
Woods - I only hope his behavior has given him a virus that is more trouble
than this one was. (Thanks to your help)

lvjesus

Jan 4, 2010, 9:34:01 PM
Just wanted to say thanks for taking the time to post this. I just caught
this goober off of People of Walmart.com and have been wrestling with it for
days. I just got rid of another virus a few months ago by having my hard
drive wiped and losing all my data, so I am glad to find this since I thought
I might have the same situation. I do have my docs saved this time but would
have lost a few days of Quickbooks. I am in process as I write this but have
gotten through part already and am able to get on the internet again now. I
am downloading the removal tool now. Thanks again and God Bless.