System Guard 2009 is a rogue security application distributed by one or more sites such as systemguard2009.com. I will try to give you detailed and updated information for its removal. [All the tools/software mentioned in this article are fully functional freeware.]
Trojan Removers: As you know, this malware could be installed by a Trojan, so you will also need to search for and remove the Trojan as well. Try these free tools. Click here to read more...
Preparation: Search for and keep the Windows operating system disk ready, if you got one with your computer. Or check whether there is a restore partition on your hard disk; in that case you won't require an extra disk.
Turn off System Restore: The malicious files are saved in the System Restore backup. You need to turn System Restore off to remove them. You can turn it on again after cleaning the computer. Click here to read more...
If you are unable to open Task Manager: Sometimes you are not able to open Task Manager, the Run command, etc. The virus does this. There are free tools to solve this problem; they are listed here. See which one is helpful for you. Click here to read more...
Remove Processes from Task Manager: Press Ctrl+Shift+Esc to open Task Manager. Look in the list of processes for processes named systemguard.exe or winscenter.exe; select them if found and press the End Process button. It will prompt you; say yes, and then close Task Manager. Note that the file names may differ, and there may be more processes belonging to this malware. If you use a freeware tool called "Zenturi Program Checker", you may be able to see the path of a process in Task Manager, and from the list of malware files given in this article you may be able to tell the malware processes apart from genuine Windows processes.
Removing a Program from Windows Startup: The System Configuration Utility can be started in XP and in Vista by typing msconfig in the Run box. The Run box can be opened in XP by clicking on Start > Run. The best part of Windows startup is that the setting is reversible, so you can check/uncheck any entry from Windows startup any number of times. So do not hesitate to uncheck anything that you find doubtful; you can always check it again if you later come to know that it is something useful.
After the System Configuration Utility window is open, click on the Startup tab, which lists all the programs that are scheduled to start when you turn your computer on. Expand the middle column using your mouse pointer so that you can see the path of the program on the hard disk; that will give you a clear idea of what program it is. Locate and uncheck the following entries if found (look for any suspicious names):
- C:\Program Files\System Guard 2009
- C:\Windows\system32\winscenter.exe
Also look at the other entries; if you find an entry for any of the malware files listed in this article, uncheck that too. This step is very important: the further cleaning depends on cleaning this list. Press Apply, press Close/OK, and at the next prompt select "Restart the computer".
View Hidden Files: You may need to enable viewing of hidden files and folders before you can search for the files. Click here to read more...
Boot in Safe Mode: If you are unable to delete the malware files/folders, try doing it in Windows Safe Mode. Click here to read more...
Searching for and Deleting the Folders/Files on the Hard Disk: After restarting the computer, use the Windows search utility to search for "system guard 2009". This search will find all of its folders on the hard disk; delete them. You may find the folder in more than one location. Delete all of its instances.
Also look for and delete the following files:
- C:\Windows\reged.exe
- C:\Window\spoolsystem.exe
- C:\Windows\sys.com
- C:\Windows\syscert.exe
- C:\Windows\sysexplorer.exe
- C:\Windows\vmreg.dll
- C:\Windows\system32\winscenter.exe (the presence of this file indicates that your Windows Security Center has been disabled and a fake security center is displayed in its place)
- C:\Documents and Settings\All Users\Application Data\winlogon.exe
- C:\Documents and Settings\All Users\Application Data\Microsoft\Network\svchost.exe
- C:\Documents and Settings\All Users\Application Data\Microsoft\Network\track.sys
- C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs (delete this folder entirely)
- C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\c.cgm
- C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\eewhptdpyl.dll
- C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\ieModule.dll
- C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\moduleie.dll
Delete the following registry entries:
- HKEY_CLASSES_ROOT\CLSID\{77C96E10-FDA7-4AA7-B318-0631C0D27DBB}
- HKEY_CLASSES_ROOT\CLSID\{AB6DAA8C-F726-4FDD-8B06-9537C5878612}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Guard 2009
- HKEY_LOCAL_MACHINE\SOFTWARE\System Guard 2009
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "systemguard"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "ieModule"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "InternetConnection"
You should also search the registry for entries referring to "winscenter.exe" and delete any keys found. If you are comfortable with editing the registry, remove the above entries; if you are not comfortable editing the registry, then using CCleaner should do the same.
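As an added example (not part of the original article), the Python script below applies the indicator list from the process, startup, file and registry steps above to a snapshot of a host. Collecting the snapshot (the process list, Run and ShellServiceObjectDelayLoad entries, CLSID keys and file paths) is assumed to be done separately; the sample snapshot embedded here is constructed, not captured from a real machine. It also flags a generalization the file list implies: a binary named svchost.exe or winlogon.exe that lives outside System32.

```python
import ntpath

# Indicators taken from the removal steps above (file names, registry values, CLSIDs).
MALWARE_FILES = {
    "systemguard.exe", "winscenter.exe", "reged.exe", "spoolsystem.exe", "sys.com",
    "syscert.exe", "sysexplorer.exe", "vmreg.dll", "track.sys", "c.cgm",
    "eewhptdpyl.dll", "iemodule.dll", "moduleie.dll",
}
MALWARE_RUN_VALUES = {"systemguard"}
MALWARE_SSODL_VALUES = {"iemodule", "internetconnection"}
MALWARE_CLSIDS = {"{77C96E10-FDA7-4AA7-B318-0631C0D27DBB}",
                  "{AB6DAA8C-F726-4FDD-8B06-9537C5878612}"}
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe"}  # dropped under Application Data; real copies live in System32
SYSTEM_DIR = "c:\\windows\\system32"

def _base(path):
    return ntpath.basename(path).lower()

def find_indicators(snapshot):
    """Return (category, detail) pairs for every snapshot entry matching the list above."""
    hits = []
    for proc in snapshot.get("processes", []):
        if _base(proc) in MALWARE_FILES:
            hits.append(("process", proc))
    for name, cmd in snapshot.get("run_entries", {}).items():
        if name.lower() in MALWARE_RUN_VALUES or _base(cmd) in MALWARE_FILES:
            hits.append(("run", name))
    for name in snapshot.get("ssodl_entries", []):
        if name.lower() in MALWARE_SSODL_VALUES:
            hits.append(("ssodl", name))
    for clsid in snapshot.get("clsids", []):
        if clsid.upper() in MALWARE_CLSIDS:
            hits.append(("clsid", clsid))
    for path in snapshot.get("files", []):
        base, folder = _base(path), ntpath.dirname(path).lower()
        if base in MALWARE_FILES or "system guard 2009" in folder:
            hits.append(("file", path))
        elif base in SYSTEM_NAMES and folder != SYSTEM_DIR:
            hits.append(("masquerade", path))  # system binary name outside System32
    return hits

# Constructed sample snapshot (not captured from a real machine) mixing clean and listed entries.
SAMPLE_SNAPSHOT = {
    "processes": [r"C:\Windows\system32\winscenter.exe", r"C:\Windows\explorer.exe"],
    "run_entries": {"systemguard": r"C:\Program Files\System Guard 2009\systemguard.exe",
                    "ctfmon": r"C:\Windows\system32\ctfmon.exe"},
    "ssodl_entries": ["WebCheck", "ieModule"], "clsids": ["{77c96e10-fda7-4aa7-b318-0631c0d27dbb}"],
    "files": [r"C:\Documents and Settings\All Users\Application Data\Microsoft\Network\svchost.exe",
              r"C:\Windows\system32\svchost.exe"],
}
```

Running `find_indicators(SAMPLE_SNAPSHOT)` reports the winscenter.exe process, the "systemguard" Run value, the "ieModule" delay-load entry, the listed CLSID and the svchost.exe copy under Application Data, while the genuine System32 svchost.exe and ctfmon entries pass.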
Using CCleaner: CCleaner is a freeware temp-file and registry cleaner. We need to use this type of software because almost all infections that occur through the Internet come through the temp files, and unfortunately Windows does not remove temp files automatically.
Using the System File Checker: Follow this step if you notice trouble in the normal functioning of Windows. Click here to read more...
If you are unable to access one or more sites during the repair process:
- If possible, use another computer to download the software needed for repairing your computer, and then copy and transfer it to the infected computer using any available means, such as a pen drive.
- If you are using only Internet Explorer, and it is blocked from visiting some of the security-related sites, try to download/install the Firefox browser and see if you can use it for the same purpose.
Using a Firewall to block unwanted communication
Use a firewall to block any unsolicited communication to and from your computer.
I have tried all the steps above, but this virus has disabled my AV from starting and disabled the USB ports and CD drives, so I cannot install the great freeware I have downloaded from a clean computer. How can I re-enable these devices? Thanks
There are two things you can try. One is to run the System File Checker tool as explained above, and also try the VBS script and the UnHookExec tool. If the problem remains, then go for a repair install (if you are using XP); you can find more info at the link given under the last paragraph of the article.
I thought I had removed all the parts associated with the virus, but it still affects my browsers. When I click a search result in a search engine it still redirects me to different sites. I don't know where I went wrong :(
I've managed to stop it from popping up by removing it from the start-up process, but I can't seem to find any of the files where they should be found. I have no idea how to find any of those files stated above.
Download/install a small tool called HijackThis from TrendSecure.com and run it; it will generate a log file. Mail it to support@comprolive.com, and after seeing the log I can tell you the exact files and the steps to remove them.