Trojaner-Board - Dr. Guard entfernen

Trojaner-Board (https://www.trojaner-board.de/)

- Anleitungen, FAQs & Links (https://www.trojaner-board.de/anleitungen-faqs-links/)

- - Dr. Guard entfernen (https://www.trojaner-board.de/83418-dr-guard-entfernen.html)

Dr. Guard entfernen

Dr. Guard entfernen

Was ist Dr. Guard?
Dr. Guard ist eine weitere Rogue-Malware (verwandt mit Paladin Antivirus) in Form einer gefälschten Scan-Software, die mittels eines trojanischen Pferdes in den PC eindringt und dem Benutzer weissmacht, den PC nach Malware abzusuchen. Diese Software (Dr. Guard) ist ein Fake und selbst eine Schadsoftware und sollte nicht gekauft werden.

Verbreitet wird Dr. Guard nicht mehr ausschliesslich über 'dubiose Seiten' für Cracks, KeyGens und Warez, sondern auch seriöse Seiten werden zunehmend für die Verbreitung dieser mißbraucht (http://www.trojaner-board.de/90880-d...tallation.html).

Wenn Dr. Guard startet versucht es u.a. folgende Software zu stoppen:

• Malwarebytes' Anti-Malware
• F-Secure
• NOD32
• Norton Internet Security
• Avira AntiVir
• Agnitum Outpost Security Suite
• AVG8
• avast!
• AntiVir

http://www.trojaner-board.de/attachm...ntfernen-1.jpg http://www.trojaner-board.de/attachm...ntfernen-2.jpg

Symptome von Dr. Guard:

ständige Fake Virenmeldungen von Dr. Guard
PC läuft langsamer als üblich
Kommt mit TDSS oder TDL3 rootkit

http://www.trojaner-board.de/attachm...ntfernen-4.jpg http://www.trojaner-board.de/attachm...ntfernen-3.jpg http://www.trojaner-board.de/attachm...ntfernen-6.jpg http://www.trojaner-board.de/attachm...ntfernen-7.jpg http://www.trojaner-board.de/attachm...ntfernen-8.jpg http://www.trojaner-board.de/attachm...ntfernen-5.jpg

ANTIVIRUS IS RUN IN DEMO MODE. ACTIVATE YOUR ANTIVIRUS OTHERWISE ALL THE DATA WILL BE LOST OR DAMAGED!

DANGEROUS! ANTIVIRUS DETECTED SOME HARMFUL PROGRAMS ON YOUR PC! THEY MAY CORRUPT YOUR INFORMATION OR SEND IT TO HACKERS.
PLEASE, OPTIMIZE YOUR PC. IT RUN ONLY 10%.
NEED HELP? PLEASE, CONTACT DR. GUARD CUSTOMER SUPPORT SERVICE.

Windows Firewall has detected unauthorized activity, but unfortunately it cannot help
you to remove viruses, keyloggers and other spyware threats that steal your personal
information from your computer

System files of your computer are damaged. Please, restart your system ASAP.

There are some serious security threats detected on your computer. Please, remove them ASAP.
There are some serious security threats detected on your computer: viruses, trojans, keyloggers, exploits etc.
Your computer and all your personal data are in serious danger.
Protection: Click the balloon to install antivirus software.

Defenseless OS: Windows 2000/XP/Vista
Description: Spyware. Blocks access to computer. Attacks porn sites visitors.
Protection: Click the balloon to install antivirus software.

Dateien von Dr. Guard:

Code:

c:\Documents and Settings\Bleeping\Desktop\Dr. Guard Support.lnk

c:\Documents and Settings\Bleeping\Desktop\Dr. Guard.lnk

c:\Documents and Settings\Bleeping\Start Menu\Programs\Dr. Guard

c:\Documents and Settings\Bleeping\Start Menu\Programs\Dr. Guard\About.lnk

c:\Documents and Settings\Bleeping\Start Menu\Programs\Dr. Guard\Activate.lnk

c:\Documents and Settings\Bleeping\Start Menu\Programs\Dr. Guard\Buy.lnk

c:\Documents and Settings\Bleeping\Start Menu\Programs\Dr. Guard\Dr. Guard Support.lnk

c:\Documents and Settings\Bleeping\Start Menu\Programs\Dr. Guard\Dr. Guard.lnk

c:\Documents and Settings\Bleeping\Start Menu\Programs\Dr. Guard\Scan.lnk

c:\Documents and Settings\Bleeping\Start Menu\Programs\Dr. Guard\Settings.lnk

c:\Documents and Settings\Bleeping\Start Menu\Programs\Dr. Guard\Update.lnk

c:\Documents and Settings\Bleeping\Application Data\Microsoft\Internet Explorer\Quick Launch\Dr. Guard.lnk

c:\Program Files\Dr. Guard

c:\Program Files\Dr. Guard\about.ico

c:\Program Files\Dr. Guard\activate.ico

c:\Program Files\Dr. Guard\buy.ico

c:\Program Files\Dr. Guard\drg.db

c:\Program Files\Dr. Guard\drgext.dll

c:\Program Files\Dr. Guard\drghook.dll

c:\Program Files\Dr. Guard\drguard.exe

c:\Program Files\Dr. Guard\help.ico

c:\Program Files\Dr. Guard\scan.ico

c:\Program Files\Dr. Guard\settings.ico

c:\Program Files\Dr. Guard\splash.mp3

c:\Program Files\Dr. Guard\uninstall.exe

c:\Program Files\Dr. Guard\update.ico

c:\Program Files\Dr. Guard\virus.mp3

%Temp%\asr64_ldm.exe

Registry-Einträge von Dr. Guard:

Code:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt

HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt

HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dr. Guard

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Dr. Guard"

HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"

Dr. Guard im HijackThis-Log:

Code:

O4 - HKCU\..\Run: [asr64_ldm.exe] %Temp%\asr64_ldm.exe

O4 - HKCU\..\Run: [Dr. Guard] "C:\Program Files\Dr. Guard\drguard.exe" -noscan

Dr. Guard entfernen

Dr. Guard entfernen

Tool: rkill.com Download Link (umbenannt: iExplore.exe) von Grinler herunterladen und mit doppelklick ausführen.
Sollte rkill.com nicht starten, versuche es mit der umbenannten Version iExplore.exe

http://www.trojaner-board.de/attachm...aning-tool.png

Das Tool stoppt alle Prozesse von Dr. Guard.

Bei Bedarf mehrmals ausführen, bis alle ungewünschten Prozesse beendet wurden.

Starte einen vollständigen Scan mit Malwarebytes Anti-Malware

Achtung: Diese Fake Software wird versuchen, den Einsatz von Malwarebytes zu verhindern. Benenne das Setup vor dem speichern in etwas anderes um (z.B. Herbert.exe).

Falls es vorher nicht funktioniert hat, sollte das Setup jetzt starten.

Wenn das Programm nach der Installation nicht starten sollte, dann benenne die "mbam.exe" in "herbert.exe" um und versuche es erneut.

Sollte MBAM trotzdem nicht starten: Malwarebytes Anti-Malware startet nicht

http://www.trojaner-board.de/attachm...ntfernen-2.png

http://www.trojaner-board.de/attachm...1&d=1267631717

Code:

Memory Processes Infected: 2 Memory Modules Infected: 1 Registry Keys Infected: 2 Registry Values Infected: 2 Registry Data Items Infected: 2 Folders Infected: 2 Files Infected: 30 Memory Processes Infected: C:\Documents and Settings\{username}\Local Settings\Temp\asr64_ldm.exe (Trojan.FakeAlert) -> Unloaded process successfully. C:\Program Files\Dr. Guard\drguard.exe (Malware.Packer.Gen) -> Unloaded process successfully. Memory Modules Infected: C:\Program Files\Dr. Guard\drghook.dll (Malware.Packer.Gen) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dr. guard (Rogue.DrGuard) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard (Rogue.DrGuard) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dr. guard (Malware.Packer.Gen) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asr64_ldm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: C:\Program Files\Dr. Guard (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Dr. Guard (Rogue.DrGuard) -> Quarantined and deleted successfully. Files Infected: C:\Documents and Settings\{username}\Local Settings\Temp\asr64_ldm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\drguard.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\drghook.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Local Settings\Temp\dhdhtrdhdrtr5y (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\about.ico (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\activate.ico (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\buy.ico (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\drg.db (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\drgext.dll (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\help.ico (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\scan.ico (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\settings.ico (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\splash.mp3 (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\uninstall.exe (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\update.ico (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Program Files\Dr. Guard\virus.mp3 (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Dr. Guard\About.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Dr. Guard\Activate.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Dr. Guard\Buy.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Dr. Guard\Dr. Guard Support.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Dr. Guard\Dr. Guard.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Dr. Guard\Scan.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Dr. Guard\Settings.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Dr. Guard\Update.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Desktop\Dr. Guard Support.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Desktop\Dr. Guard.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Application Data\Microsoft\Internet Explorer\Quick Launch\Dr. Guard.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully.

Dr. Guard entfernen

Dr. Guard immer noch nicht entfernt?

OTH - OTHelper - Kill All Processes

Mit aktualisiertem (!!) Malwarebytes Anti-Malware nach Ausführen von OTH nochmal QUICKSCAN ausführen.

Bitte alle temporären Dateien löschen und Speicherplatz freigeben.

Weitergehende Prüfung

Das System könnte noch nicht vollständig sauber sein.

Daher unbedingt ein Thema erstellen: Für alle Hilfesuchenden! Was muss ich vor der Eröffnung eines Themas beachten?

Nicht vergessen mit FRST-Logfiles wie in der Anleitung beschrieben.

Wie man Hilfe bekommt steht auch hier.