Trojaner-Board - Security Guard entfernen

Trojaner-Board (https://www.trojaner-board.de/)

- Anleitungen, FAQs & Links (https://www.trojaner-board.de/anleitungen-faqs-links/)

- - Security Guard entfernen (https://www.trojaner-board.de/83956-security-guard-entfernen.html)

Security Guard entfernen

Security Guard entfernen

Was ist Security Guard?
Security Guard ist eine weitere Rogue-Malware in Form einer gefälschten Scan-Software, die mittels eines trojanischen Pferdes in den PC eindringt und dem Benutzer weissmacht, den PC nach Malware abzusuchen. Diese Software (Security Guard) ist ein Fake und selbst eine Schadsoftware und sollte nicht gekauft werden.

Verbreitet wird Security Guard nicht mehr ausschliesslich über 'dubiose Seiten' für Cracks, KeyGens und Warez, sondern auch seriöse Seiten werden zunehmend für die Verbreitung dieser mißbraucht (http://www.trojaner-board.de/90880-d...tallation.html).

http://www.trojaner-board.de/attachm...ntfernen-1.jpg http://www.trojaner-board.de/attachm...ntfernen-2.jpg

Symptome von Security Guard:

ständige Fake Virenmeldungen von Security Guard
PC läuft langsamer als üblich

http://www.trojaner-board.de/attachm...ntfernen-3.jpg http://www.trojaner-board.de/attachm...ntfernen-4.jpg http://www.trojaner-board.de/attachm...ntfernen-5.jpg

An unauthorized program has been prevented from accessing your PC remotely. #Port:433 from 92.11.127.10

An unauthorized software C:\Program Files\Internet Explorer\Iexplore.exe which is potentially malicious and able to modify system files has been prevented from being installed on your PC.

Security Guard has detected potentially harmful software in your system. It is strongly recommended that you register Security Guard to remove all found threats immediately.

Process Mbam.exe attempted to modify the address space.

Potentially harmful programs have been detected in your system and need to be dealt with immediately. Click here to remove them using Security Guard.

Notepad.exe cannot be executed. The file is infected. Please activate your antivirus software.
Your PC may still be infected with dangerous viruses. Security

Guard protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection.

Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Security Guard.
malicious applications, which may contain Trojans, were found on your computer and are to be removed immediately. Click here to remove these potentially harmful items using Security Guard.

Dateien von Security Guard:

Code:

c:\Documents and Settings\All Users\Application Data\345d567

c:\Documents and Settings\All Users\Application Data\345d567\24.mof

c:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll

c:\Documents and Settings\All Users\Application Data\345d567\SG345d.exe

c:\Documents and Settings\All Users\Application Data\345d567\SGD.ico

c:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll

c:\Documents and Settings\All Users\Application Data\345d567\BackUp\

c:\Documents and Settings\All Users\Application Data\345d567\Quarantine Items\

c:\Documents and Settings\All Users\Application Data\345d567\SGDSys\

c:\Documents and Settings\All Users\Application Data\345d567\SGDSys\vd952342.bd

c:\Documents and Settings\All Users\Application Data\SGZIQYEXRD

c:\Documents and Settings\All Users\Application Data\SGZIQYEXRD\SGWNLED.cfg

%UserProfile%\Application Data\Security Guard

%UserProfile%\Application Data\Security Guard\cookies.sqlite

%UserProfile%\Application Data\Security Guard\Instructions.ini

%UserProfile%\Desktop\Security Guard.lnk

%UserProfile%\Recent\ANTIGEN.sys

%UserProfile%\Recent\ANTIGEN.tmp

%UserProfile%\Recent\cb.exe

%UserProfile%\Recent\cid.dll

%UserProfile%\Recent\ddv.sys

%UserProfile%\Recent\eb.dll

%UserProfile%\Recent\eb.drv

%UserProfile%\Recent\energy.exe

%UserProfile%\Recent\exec.exe

%UserProfile%\Recent\exec.tmp

%UserProfile%\Recent\fan.drv

%UserProfile%\Recent\fix.tmp

%UserProfile%\Recent\grid.exe

%UserProfile%\Recent\kernel32.exe

%UserProfile%\Recent\runddlkey.drv

%UserProfile%\Recent\SICKBOY.exe

%UserProfile%\Recent\tempdoc.tmp

%UserProfile%\Start Menu\Security Guard.lnk

%UserProfile%\Start Menu\Programs\Security Guard.lnk

c:\Program Files\Mozilla Firefox\searchplugins\search.xml

Registry-Einträge von Security Guard:

Code:

HKEY_CURRENT_USER\Software\3

HKEY_CLASSES_ROOT\SG345d.DocHostUIHandler

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=1002&q={searchTerms}"

HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=1002&q={searchTerms}"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "layout/2.01002"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Guard"

HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=1002&q={searchTerms}"

Security Guard im HijackThis-Log:

Code:

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getavplusnow.com

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 urs.microsoft.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com

O1 - Hosts: 84.19.171.6 www.google.com

O1 - Hosts: 84.19.171.6 www.bing.com

O1 - Hosts: 84.19.171.6 search.yahoo.com

O4 - HKCU\..\Run: [Security Guard] "C:\Documents and Settings\All Users\Application Data\345d567\SG345d.exe" /s /d

Security Guard entfernen

Security Guard entfernen

Tool: rkill.com Download Link (umbenannt: iExplore.exe) von Grinler herunterladen und mit doppelklick ausführen.

Sollte rkill.com nicht starten, versuche es mit der umbenannten Version iExplore.exe

http://www.trojaner-board.de/attachm...aning-tool.png

Das Tool stoppt alle Prozesse von Security Guard.

Bei Bedarf mehrmals ausführen, bis alle ungewünschten Prozesse beendet wurden.

Starte einen vollständigen Scan mit Malwarebytes Anti-Malware

Achtung: Diese Fake Software wird versuchen, den Einsatz von Malwarebytes zu verhindern. Benenne das Setup vor dem speichern in etwas anderes um (z.B. Herbert.exe).

Falls es vorher nicht funktioniert hat, sollte das Setup jetzt starten.

Wenn das Programm nach der Installation nicht starten sollte, dann benenne die "mbam.exe" in "herbert.exe" um und versuche es erneut.

Sollte MBAM trotzdem nicht starten: Malwarebytes Anti-Malware startet nicht

http://www.trojaner-board.de/attachm...ntfernen-2.png

http://www.trojaner-board.de/attachm...1&d=1269225361

Code:

Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 758 Registry Values Infected: 16 Registry Data Items Infected: 8 Folders Infected: 1 Files Infected: 6 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully. <snipped long list of IFEO hijacks that were removed> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfwsvc.exe (Security.Hijack) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security guard (Rogue.SecurityGuard) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Arrakis3.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdreinit.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdsubwiz.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdtkexec.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdwizreg.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiscan.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upgrepl.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1002&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1002&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-19\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1002&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1002&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-20\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1002&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1002&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1002&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1002&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. Folders Infected: C:\Documents and Settings\{username}\Application Data\Security Guard (Rogue.SecurityGuard) -> Quarantined and deleted successfully. Files Infected: C:\Documents and Settings\{username}\Local Settings\Temporary Internet Files\Content.IE5\18GY3K5D\xp_ee855[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Application Data\Security Guard\Instructions.ini (Rogue.SecurityGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Desktop\Security Guard.lnk (Rogue.SecurityGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Guard.lnk (Rogue.SecurityGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Security Guard.lnk (Rogue.SecurityGuard) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\Security Guard.lnk (Rogue.SecurityGuard) -> Quarantined and deleted successfully.

Lade Dir *HostsXpert*
auf dem Desktop speichern und entpacken

* Ordner HostsXpert öffnen
* HostsXpert.exe doppelklicken
* klicke auf Restore Microsoft's Hosts File, dann OK

Security Guard entfernen

Security Guard immer noch nicht entfernt?

OTH - OTHelper - Kill All Processes

Mit aktualisiertem (!!) Malwarebytes Anti-Malware nach Ausführen von OTH nochmal QUICKSCAN ausführen.

Bitte alle temporären Dateien löschen und Speicherplatz freigeben.

Weitergehende Prüfung

Das System könnte noch nicht vollständig sauber sein.

Daher unbedingt ein Thema erstellen: Für alle Hilfesuchenden! Was muss ich vor der Eröffnung eines Themas beachten?

Nicht vergessen mit FRST-Logfiles wie in der Anleitung beschrieben.

Wie man Hilfe bekommt steht auch hier.