swp2009 demo hit my computer tonight

Discussion in 'Virus Information' started by FurPaw, Feb 8, 2009.

  1. FurPaw

    FurPaw Guest

    My computer was hit by swp 2009 tonight. The first indication
    was a message that my firewall was not on. (??) I restarted it.

    I updated virus defs and ran a deep scan with BitDefender, and it
    did not detect anything. Sometime while it was running, a big
    black square appeared in the middle of the screen.

    I checked Task manager and saw swp2009 demo.exe running, and
    killed it, which removed the big black square.

    Windows popped up a message saying
    DLL C:\WINDOWS\system32\digeste.dll is not a valid Windows image.

    Sure enough, it appeared on the computer at 6:33 PM tonight,
    about the time I got the firewall message.

    I can't find out much about this - googling turns up a few
    instances of people who have been affected, but not much help. I
    can't find it mentioned on McAfee or Symantec sites.

    I run Windows Firewall, a BitDefender scan daily, and the system
    sits behind a router. I suspect I inadvertently clicked on a
    hidden link around 6:33 tonight.

    How do I get rid of this, or am I going to have to reformat and
    reinstall windows? (I have a complete backup from last night.)

    Thanks for your help!

    Carol
     
    FurPaw, Feb 8, 2009
    #1

  2. Malke Guest

    You can try the normal malware removal routines described here:

    http://www.elephantboycomputers.com/page2.html#Removing_Malware

    If they don't work for you, get guided help at one of these specialty forums
    below.

    PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

    http://aumha.org/downloads/hijackthis.zip
    http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
    the stickies *first*.
    http://www.atribune.org/forums/index.php?showforum=9
    http://aumha.net/viewforum.php?f=30
    http://www.bleepingcomputer.com/forums/forum22.html
    http://www.dslreports.com/forum/cleanup
    http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
    http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
    http://www.malwarebytes.org/forums/index.php?showforum=7
    http://gladiator-antivirus.com/forum/index.php?showforum=170
    http://spywarewarrior.com/viewforum.php?f=5
    http://forums.techguy.org/54-security/
    http://forums.tomcoyote.org/
    http://www.thespykiller.co.uk/index.php?board=3.0
    http://forums.subratam.org/index.php?showforum=7

    Only you can decide how much time you want to spend on this. If you don't
    have much on the machine, doing a clean install might be the better choice.

    Malke
     
    Malke, Feb 8, 2009
    #2

  3. John Doe Guest

    Just cleaned a machine with that; SuperAntiSpyware was the only one that
    removed it; for this one neither Malwarebytes nor Spybot caught it correctly. Run
    those after SAS tho' . . .
     
    John Doe, Feb 8, 2009
    #3
  4. steve l Guest

    Just killed this bastard swp2009 with a cocktail of MS Malicious software
    removal tool and then Malwarebytes. Phew. SAS, a favorite did not work for me
    this time around. I think the MST was the one that did the trick.


     
    steve l, Feb 23, 2009
    #4
  5. veruschkan Guest

    I got rid of this SWP2009 demo malware by doing the following:

    1) Stop the following service using Ctrl+Alt+Delete and Task Manager:
    sysguard.exe. This will stop the popups and the fictitious scanning of
    the PC by the rogue antivirus.

    2) Do a search for the sysguard.exe file on your PC (make sure you can
    see hidden files) and delete any file with that name, including the
    prefetch file. This will keep it from reloading when you restart your
    PC.

    3) Control Panel-->Internet Option-->Advanced Tab-->Click on Reset
    button to reset Internet Explorer to default settings. This will remove
    any Plug-Ins/Add-Ons that the program loaded into Internet Explorer. Also,
    it will default the home page to factory settings.

    4) Control Panel-->Internet Option-->General Tab-->Delete all temporary
    files, passwords, etc.

    5) Microsoft® Windows® Malicious Software Removal Tool (KB890830):
    http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

    6) Run the tool to scan and remove the spyware.

    7) Control Panel-->Internet Option-->Advanced Tab-->Click on Restore
    Advanced Settings. This will restore factory default security settings
    for your Internet Explorer.

    8) Restart your PC. At this point, when you log back in, the sysguard
    service that runs the SWP2009 virus should no longer load. You should
    also be able to open Internet Explorer to the factory default page and
    be able to return to your customized home page as you want under
    Control Panel-->Internet Option-->General Tab by entering the website
    of your choosing.

    I hope this helps!!!
     
    veruschkan, Jun 5, 2009
    #5
  6. VetteLover Guest

     
    VetteLover, Jun 20, 2009
    #6
  7. VetteLover Guest

    Yesterday my desktop was ferociously attacked by the "swp2009 demo"
    malware. It was the worst thing I've ever seen, almost lost total
    control of the computer. Veruschkan's advice saved me. His step "1"
    didn't work for me. In order to access the computer I had to operate
    in "Safe Mode". Microsoft® Windows® Malicious Software Removal Tool
    worked, I used "Malwarebytes Anti-Malware", and I used "Super Anti
    Spyware". Once I got back control I ran "McAfee" for a scan. MBAM
    found 2300 infected files, McAfee found 230 Trojans.
     
    VetteLover, Jun 20, 2009
    #7
  8. Bongo Guest

    Thank you so much! That seems to have done the trick. I've never picked one
    of these up before and it was pretty alarming. You provided the clearest and
    most effective instructions. One thing I might add: the version I picked up
    told me that task manager was infected and unusable, same when I tried to
    delete the files, told me I couldn't. You just have to keep hitting CTRL ALT
    DEL and eventually it overrides the thing, same with delete.
     
    Bongo, Sep 1, 2009
    #8
  9. Peter Foldes Guest

    You are still infected from what you are posting

    Use the following
    http://www.malwarebytes.org/mbam.php
    and
    http://www.superantispyware.com/superantispywarefreevspro.html
     
    Peter Foldes, Sep 1, 2009
    #9
  10. Please help! Somehow I got the SWP 2009 demo on my computer. I have
    searched for the sysguard.exe file and deleted it and the folder that it
    was in under C:/Program Files. I have Norton 2010 and it keeps blocking
    it but won't remove it. I cannot get Internet Explorer to connect even
    to google.com to get to the websites to download the malware removal
    programs. I cannot even do ctrl+alt+del (it says Task Manager has been
    disabled by your system administrator), which I know we did not do, so I
    cannot end the task. I deleted the sysguard.exe and restarted and the
    program still started up. What do I do??
     
    happyscientist, Oct 20, 2009
    #10
  11. NT Canuck Guest

    If you can access the files but not actually delete them
    then they are usually locked by some process or in use
    via some 'tether' like another file or a registry entry.

    Registrar lite will help to collate/search for entries,
    the MS regedit only picks one at a time.
    http://www.resplendence.com/reglite

    Enter name of the file in this and should delete on reboot.
    http://killbox.net/

    Click on the file with this tool and select unlock
    (it will show you if it's being 'held') then delete file.
    http://www.filehippo.com/download_unlocker/

    Look to running this little browser if IE won't start..
    http://offbyone.com/offbyone/
    Or download it via another machine and copy
    to yours..it's small and portable.

    If you have a disk/i386 folder then expand the
    iexplore.exe
    'delete' the one in C:\Program Files\Internet Explorer
    and place the new (clean) file in its place, normally
    that will re-enable the Internet for awhile.

    Most of above could be sent as attachments via
    your email program from a local machine or
    nearby friend/family. if you needed that 'idea'. ;)

    Other than that immediate help, the Norton forum
    should be able to assist, it's iirc a paid program.
    So make sure your updates are current.

    Finally, even when/if IE is not operating the
    OB1 browser usually is fine, and some download
    manager like flashget (free) can download the
    files if you have a direct link to paste into it.
    http://www.flashget.com/en/download.htm

    A good help forum (if needing direct help)
    (forum link at top...right side)
    http://www.malwareremoval.com/downloads.php

    hth

    'Seek and ye shall find'
    NT Canuck
     
    NT Canuck, Oct 20, 2009
    #11
  12. Rich Guest

    SWP2009 is intercepting the call to task manager and causing the reported
    message. The version that hit my computer did not cover all the bases,
    though, and I could get to the process listing by using Ctrl+Shift+Esc. Once
    you have shut down the offending task continue as in the previous post(s).
    One other thing to note is that the version that hit me added entries into
    the local hosts list that redirected internet access to additional malware
    bearing pages. Be sure to remove these as well.
     
    Rich, Oct 23, 2009
    #12
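    Two of the checks the thread describes lend themselves to a small triage script: veruschkan's step 2 (search the disk for leftover sysguard.exe files, prefetch entry included; a later post reports a variant named iuhesysguard.exe, so a substring match is used) and Rich's observation that the infection added hosts-file entries redirecting web access. The following is an added example, not code from any poster or vendor; it runs offline against a constructed hosts-file sample and a constructed temporary directory tree, and the list of watched hostnames and the prefetch hash suffix are assumptions made for the demonstration.

```python
"""Post-infection triage helpers for the sysguard.exe / hosts-file findings above.
Added example; the watched-hostname list and all sample data are constructed."""
from __future__ import annotations

import ipaddress
import os
import tempfile
from pathlib import Path

# Sites the thread says victims could no longer reach (assumed watch list).
WATCH_SUBSTRINGS = ("malwarebytes", "superantispyware", "microsoft", "google")


def audit_hosts(text: str) -> list[dict]:
    """Parse hosts-file text and flag entries that either touch a watched
    hostname (even when pointed at loopback, which blackholes the site) or
    map any hostname to a non-loopback address (a classic redirect)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an address: ignore malformed lines
        for name in names:
            lowered = name.lower()
            if lowered == "localhost" and ip.is_loopback:
                continue  # the stock Windows entries
            watched = any(s in lowered for s in WATCH_SUBSTRINGS)
            if watched or not ip.is_loopback:
                findings.append({
                    "line": lineno,
                    "host": name,
                    "address": addr,
                    "reason": "watched hostname redirected" if watched
                              else "non-loopback mapping",
                })
    return findings


def find_artifacts(root: str, stem: str = "sysguard") -> list[str]:
    """Walk `root` and return executables and prefetch files whose name
    contains `stem`. Prefetch names look like NAME.EXE-XXXXXXXX.pf, so the
    same substring test covers both the binary and its prefetch entry."""
    stem = stem.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            low = fn.lower()
            if stem in low and (low.endswith(".exe") or low.endswith(".pf")):
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def demo() -> tuple[list[dict], list[str]]:
    """Run both checks on constructed data and return the findings."""
    sample_hosts = (
        "# constructed sample hosts file, not a real capture\n"
        "127.0.0.1 localhost\n"
        "::1 localhost\n"
        "127.0.0.1 www.malwarebytes.org\n"   # blackholed security vendor
        "10.0.0.5 www.google.com\n"          # redirected to another host
        "127.0.0.1 ads.example\n"            # ordinary ad-blocking entry
    )
    hosts_findings = audit_hosts(sample_hosts)

    with tempfile.TemporaryDirectory() as root:
        prefetch = Path(root, "Windows", "Prefetch")
        prefetch.mkdir(parents=True)
        # Constructed prefetch name; the hash suffix is a placeholder.
        (prefetch / "SYSGUARD.EXE-1A2B3C4D.pf").write_bytes(b"")
        progs = Path(root, "Program Files", "demo")
        progs.mkdir(parents=True)
        (progs / "iuhesysguard.exe").write_bytes(b"")  # renamed variant
        (progs / "notepad.exe").write_bytes(b"")       # benign, must not match
        hits = [os.path.relpath(h, root) for h in find_artifacts(root)]
    return hosts_findings, hits


if __name__ == "__main__":
    hosts_findings, hits = demo()
    for f in hosts_findings:
        print(f"hosts line {f['line']}: {f['host']} -> {f['address']} ({f['reason']})")
    for h in hits:
        print("artifact:", h)
```

    On a real machine the hosts file lives at C:\Windows\System32\drivers\etc\hosts and the prefetch folder at C:\Windows\Prefetch; the script only reports, so deleting anything it lists remains a manual decision, which matches the thread's advice to confirm with a scanner afterwards.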
  13. karinkitten Guest

    I had the same problem with this virus. The trick to opening task
    manager is to immediately hit control+alt+delete the moment the computer
    shows your desktop background. The swp2009demo virus takes a moment to
    load and your computer will start other regular startup programs first
    like aim etc before it starts the virus program. The task manager will
    come up blank until the virus loads, then end program it when it pops
    up.
     
    karinkitten, Nov 22, 2009
    #13
  14. Just had the infection come across as 'iuhesysguard.exe' this morning.
    Malwarebytes did not detect it (it did last year) and the swp2009demo
    was preventing any executables as in previous versions. It seems like
    it is my Christmas present now for the past 2 years. I did
    veruschkan's approach with karinkitten's restart method and everything
    seems to work. I'll try the superantispyware now... See everyone again
    next Christmas!
     
    Stephanie Good, Dec 26, 2009
    #14
  15. dkcobbs Guest

    Following the above instructions provided by veruschkan on 6/5/09 worked for
    me:
    1) Trick to opening task manager on boot-up is a life saver.
    2) Running the Malicious Software Removal Tool took almost 5 hours and
    reported finding nothing
    3) Followed up with Malwarebytes which found 3 items
    4) Rebooted and everything seems to be fine

    Pretty certain I got this virus following a link to an article on Tiger
    Woods - I only hope his behavior has given him a virus that is more trouble
    than this one was. (Thanks to your help)
     
    dkcobbs, Dec 30, 2009
    #15
  16. lvjesus Guest

    Just wanted to say thanks for taking the time to post this. I just caught
    this goober off of People of Walmart.com and have been wrestling with it for
    days. I just got rid of another virus a few months ago by having my hard
    drive wiped and losing all my data, so I am glad to find this since I thought
    I might have the same situation. I do have my docs saved this time but would
    have lost a few days of Quickbooks. I am in process as I write this but have
    gotten through part already and am able to get on the internet again now. I
    am downloading the removal tool now. Thanks again and God Bless.
     
    lvjesus, Jan 5, 2010
    #16