Spyware Protect 2009 gets onto a computer with a single purpose: to take your money and possibly hijack your online banking account. As its name suggests, Spyware Protect 2009 presents itself as anti-spyware. It is not anti-spyware, although it is able to mimic some of the actions performed by security applications.
At 2:40 PM local time (the time the HOSTS file was modified) - Backdoor Trojan file captured and modified the following:
1. Placed sysguard in C:\Windows
2. Registered iehelper.dll with the registry and placed it in c:\windows\system32\
3. Modified hosts file and added a fake entry.
4. Added registry settings for Browser Helper.
Every time Windows Explorer or IE would go to a website or change folder, the following website would pop up:
I took the following actions:
1. Terminated sysguard out of Tasks List
2. Deleted sysguard.exe out of c:\windows\
3. Deleted iehelper.dll out of c:\windows\system32\
4. Deleted the following entry out of the HOSTS file in c:\windows\system32\drivers\etc\
5. Deleted the following registry settings:
Rebooted workstation and now verified that all is working.
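A read-only PowerShell check for the artifacts named in the steps above, added here as an example (it is not from the original post). The post does not give the HOSTS entry or the registry settings, so the script reports every active non-localhost HOSTS line for review and assumes the standard Internet Explorer Browser Helper Objects key.

```powershell
# Added example: read-only check, changes nothing on the system.
# File names and folders are the ones named in the post.
$findings = @()

# 1. Is the sysguard process still running?
$proc = Get-Process -Name 'sysguard' -ErrorAction SilentlyContinue
if ($proc) { $findings += "Process running: sysguard (PID $($proc.Id -join ', '))" }

# 2. Are the dropped files still on disk?
$files = @(
    (Join-Path $env:windir 'sysguard.exe'),
    (Join-Path $env:windir 'System32\iehelper.dll')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 3. HOSTS file: the fake entry is not quoted in the post, so list every
#    active line that is not a plain localhost mapping for manual review.
$hostsFile = Join-Path $env:windir 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsFile) {
    foreach ($raw in Get-Content -LiteralPath $hostsFile) {
        $line = ($raw -replace '#.*$', '').Trim()   # drop comments and padding
        if ($line -and $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
            $findings += "HOSTS entry to review: $line"
        }
    }
}

# 4. Browser Helper Objects: resolve each registered CLSID to its DLL and
#    flag any that load iehelper.dll. Key path is the standard IE location
#    (assumption: the post does not list the registry settings it removed).
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($bho in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid  = $bho.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        if ($dll -match 'iehelper\.dll') { $findings += "BHO $clsid loads $dll" }
    }
}

if ($findings.Count -gt 0) { $findings } else { 'None of the listed artifacts were found.' }
```

Run it from an elevated prompt after the reboot; any line it prints is something from the list above that is still in place.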
If the user was running an iMac or Linux this problem wouldn't happen. ;-)