
Sysguard.exe

Posted: July 17, 2009

Sysguard.exe is the main process of a family of rogue anti-spyware programs: fake malware removers that are themselves the infection. It typically arrives as a trojan installed without the user's consent, writes itself into the Windows registry so that it starts at every logon (see the Winlogon Shell value under Registry Modifications), and then floods the screen with fake pop-up windows claiming that the PC is infected. The pop-ups exist only to pressure the user into paying for the bogus spyware remover they advertise.

File System Modifications

  • The following files were created in the system:
    [%WINDOWS%]\sysguard (a directory; the Winlogon Shell value listed below points at sysguard.exe inside it)

Registry Modifications

  • The following Registry values and keys are created:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell = [%PROGRAM_FILES%]\sysguard\sysguard.exe
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell = [%WINDOWS%]\sysguard\sysguard.exe
    HKEY_CURRENT_USER\SOFTWARE\sysguard

    The Winlogon Shell value names the program Windows starts as the user's shell in place of explorer.exe, so sysguard.exe is launched instead of the desktop at every logon of that user; which of the two paths appears depends on where the variant installed itself. Removing the executable alone leaves the user with no shell at next logon, so the Shell value must be deleted (or reset to explorer.exe) as well, which is easiest from Safe Mode while the rogue is not running.

One Comment

  • Michael says:

    I just discovered (5-Dec-2009) that my friend's computer was infected with apparently a brand new version of "AntiSpyware", and your instructions do not work directly anymore for that, but they did help point the way for me to remove it (I think). The offensive process is named "bjxipqut" and it no longer runs SYSGUARD.EXE but rather AHBKSYSGUARD.EXE. At least it did on my friend's machine. (I wonder if they've introduced some kind of variable name to make it harder to find.) And it was no longer located in %WINDOWS%, but rather at C:\Documents and Settings\%username%\Local Settings\Application Data\jyvnwm\ahbksysguard.exe (I wonder if the lowest level folder name is also a variable.)

    I had to open Windows XP in safe mode to remove it, in fact to do anything at all, because this new version of "AntiVirus" effectively shut down every other tool available to me. It prevented me from running Regedit, or Computer Management or opening a command window or even the Task Manager (Ctrl-Alt-Del). It reported these and apparently any program you tried to run as "infected".

    So in Safe Mode I was able to remove two registry references to ahbksysguard.exe, both in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run\ and in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run\ . And of course I deleted the executable AHBKSYSGUARD.EXE.

    I also deleted key HKEY_CURRENT_USER\SOFTWARE\AVSCAN as per SYSGUARD.EXE removal instructions found on other web sites.

    This seems to have done the job, so far.
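The registry entries listed under Registry Modifications, and the renamed variant described in the comment above (Run-key entries under HKCU and HKLM pointing at a sysguard-named executable in a random folder), can be checked offline against a registry export taken from the infected machine. The following Python script is an added example and not code from the original page: it parses a .reg export, reports the entries that match the page's indicators (a Winlogon Shell value that no longer names explorer.exe, a Run value launching a sysguard-named executable, and the bare HKEY_CURRENT_USER\SOFTWARE\sysguard key), and emits the .reg that would undo them. The key and value names it looks for are the ones on this page; the sample export embedded in the script is constructed for illustration, and its paths, user name and helper names are assumptions.

```python
"""Scan a Windows registry export (.reg) for the sysguard persistence entries
described on this page, and build the .reg that undoes them.
Added example, not from the original page; the embedded export is constructed."""
import re
from os.path import basename

# Constructed sample export (no real capture).  The HKCU Shell value, the
# "bjxipqut" Run entry and the bare HKCU\SOFTWARE\sysguard key are the kind of
# entries the page and the comment describe; the other two values are benign.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINDOWS\\sysguard\\sysguard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"bjxipqut"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\jyvnwm\\ahbksysguard.exe"

[HKEY_CURRENT_USER\SOFTWARE\sysguard]
"""

ROGUE_KEY = r"HKEY_CURRENT_USER\SOFTWARE\sysguard"   # bare key listed on the page
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')   # "name"=data or @=data


def unescape(s):
    """Undo .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: string_data}}.  Keys without
    values get an empty dict (the bare sysguard key is itself an indicator).
    Non-string data (dword:, hex:) is skipped; only strings matter here."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(2) else unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            tree[current][name] = unescape(data[1:-1])
    return tree


def key_tail(key, *parts):
    """True if the key path ends with the given components (case-insensitive)."""
    return key.lower().endswith("\\" + "\\".join(parts).lower())


def executable_name(command):
    """Lower-cased image file name from a value's command line.  A quoted path is
    cut at its closing quote; an unquoted path is taken whole, so any trailing
    arguments stay attached but do not disturb the substring checks below."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    return basename(cmd.replace("\\", "/")).lower()


def find_indicators(tree):
    """Return (key, value_name, data, reason) for every entry matching the page's
    indicators.  value_name and data are None when the finding is a bare key."""
    findings = []
    for key, values in tree.items():
        if key.lower() == ROGUE_KEY.lower():
            findings.append((key, None, None, "rogue configuration key present"))
        for name, data in values.items():
            exe = executable_name(data)
            if key_tail(key, "Winlogon") and name.lower() == "shell" and exe != "explorer.exe":
                findings.append((key, name, data, "Winlogon Shell redirected away from explorer.exe"))
            elif key_tail(key, "CurrentVersion", "Run") and "sysguard" in exe:
                findings.append((key, name, data, "Run entry launches a sysguard-named executable"))
    return findings


def remediation_reg(findings):
    """Build the .reg that undoes the findings: delete the rogue key ([-key]),
    delete Run values and a per-user Shell override ("name"=-), and reset a
    machine-wide Shell to explorer.exe.  Review before importing from Safe Mode;
    delete the executable only once the registry no longer points at it."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _data, _reason in findings:
        if name is None:
            out.append(f"[-{key}]")
        elif name.lower() == "shell" and key.upper().startswith("HKEY_LOCAL_MACHINE"):
            out += [f"[{key}]", '"Shell"="explorer.exe"']
        else:
            out += [f"[{key}]", f'"{name}"=-']
        out.append("")
    return "\r\n".join(out)


if __name__ == "__main__":
    hits = find_indicators(parse_reg(SAMPLE_REG))
    for key, name, data, reason in hits:
        print(f"{reason}: {key} | {name} | {data}")
    print(remediation_reg(hits))
```

Against a real machine, take the export from Safe Mode with `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` (reg.exe writes UTF-16, so open the file with `encoding="utf-16"` before passing its text to `parse_reg`), read the generated .reg before importing it, and remove the executable only after the Shell and Run references are gone. The sysguard substring check is deliberately loose so that it catches the renamed AHBKSYSGUARD.EXE variant from the comment; a variant that drops the substring altogether would still show up through the Shell check, since any Shell value other than explorer.exe is reported.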
