How to Remove System Guard 2009 [Removal Guide]

This guide will give you easy instructions on how to remove System Guard 2009 for free.


What is System Guard 2009? (Information)

System Guard 2009 is a fake security software which uses fraudulent strategies by displaying false or exaggerated security issues on your computer rather than any legitimate ones to coerce you into purchasing their software.


System Guard 2009 Screenshot:




Symptoms in a HijackThis Log:

O4 - HKLM\..\Run: [systemguard] C:\Program Files\System Guard 2009\systemguard.exe
O21 - SSODL: ieModule - {77C96E10-FDA7-4AA7-B318-0631C0D27DBB} - C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {AB6DAA8C-F726-4FDD-8B06-9537C5878612} - C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\eewhptdpyl.dll

---

Follow these instructions to continue:

1. Please download this official version of Malwarebytes' Anti-Malware.




2. Install Malwarebytes' Anti-Malware by double clicking on mbam-setup




3. Follow the prompts. Make sure that Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware are checked. Then click finish.




4. Malwarebytes' Anti-Malware will automatically update itself after the installation, click the OK button to close that box and you will now be at the main program Window as shown below.

If you are having problems with the updater, you can use this link to manually update Malwarebytes' Anti-Malware with the latest database. Make sure that Malwarebytes' Anti-Malware is closed before installing the update.


5. Close All opened Windows, Programs, File or Folders.


6. Make sure you are on the Scanner tab. Select Perform quick scan then click the Scan button as shown below.




7. Malwarebytes' Anti-Malware will now start scanning your computer for infected files as shown below.




8. When the scan is finished a message box will appear, click OK to continue.




9. Click Show Results.




10. You will now be presented with a screen showing you the malware infections like shown below. Yours may look different depending on the infection you have.


11. Click on Remove selected.




12. When removing the files, Malwarebytes' Anti-Malware may require you to restart the computer in order to do a complete removal. If it displays a message stating that it needs to restart, click Yes.




13. After that you can close the Malwarebytes' Anti-Malware window, your computer is now cleaned from the malware infection.


To protect and prevent your computer from experiencing future threats like this, we highly recommend purchasing the FULL version of Malwarebytes' Anti-Malware with real-time protection from this link.


Malicious files associated with System Guard 2009 (click):

---

If you are still experiencing problems or difficulties following this guide or require any assistance removing this malware, please post your questions in our Virus, Spyware & Malware Removal forums for free help.

You have to be logged in to post questions. Registration is free. By registering you will be privileged to other resources and to ask questions.

Last edited by Doctor Inferno on Sat May 29, 2010 1:10 am; edited 12 times in total (Reason for editing : Information Update)

I have downloaded the malwarebytes removal tool but when I try to run it I loose the whole internet page and have to start over. Any suggestions?

Can you try posting us a Hijack This log?

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

This is the virus I am trying to conquer on my PC, unfortuneately it has completely taken over. Anytime I go to any virus protection site, my I.E will disappear. I can not download the Malwarebytes nor can I download the HiJack form. What else can I do?

Are you able to download HijackThis from any of the links provided here?

http://www.geekpolice.net/HiJackThis-202-Download-h1.htm

No =(

It's TDSS, if you want help awhite, please open a thread in the Hijack This log area.

I had a problem (System Guard 2009) with my PC and I solved all with the help of your forum. Thanks a lot!

Hi there i downloaded MalwareBytes but when i start to download there an error occured - error:399 or somethinglike that and i cannot start the malware, please help me

Hello tmitev23,

Seems you might have a rootkit, please start a new thread here post a HijackThis log:

http://www.geekpolice.net/virus-spyware-malware-removal-f11/

somehow an antivirus got downloaded on my computer...its called WnPC Antivirus...please help me to get it off

computeruser wrote:

somehow an antivirus got downloaded on my computer...its called WnPC Antivirus...please help me to get it off

Hello,

Please read this: http://www.geekpolice.net/-t3821.htm

And post your HijackThis log here: http://www.geekpolice.net/virus-spyware-malware-removal-f11/

I ran the program and can not connect to the internet now?

Hey folks.

Found you through a search on malware removal for the bankerfox.a problem.

Windows XP, AVG antivirus.

At first it was just a nuisance. Now I can't get to the internet Am writing from a spare computer.

I've read the thread on "How to Remove System Guard 2009 [Removal Guide]". I tried downloading the recommended software to another computer on a wired network and scanning the infected computer. The program just hangs.

What should my first steps be? Many thanks in advance.

Mark

My apologies for posting this in the intro section

Hello,I'm new...I can't open any files or programs...Everything that I download,I can't install it...Anything...How do I remove System Security if I can't open or install anything?
(sorry,my english in not very good,but I need to help)...

Hello everyone.

Open a new topic here regarding your problems: http://www.geekpolice.net/virus-spyware-malware-removal-f11/

having the same problem as awhite above need help not sure where topost but trying here first

Hello,

Read this: http://www.geekpolice.net/-t3821.htm

And open a new topic here: http://www.geekpolice.net/virus-spyware-malware-removal-f11/

Thank you guys for all you have done for me. As an ex-victim of this horrible, annoyingly stupid virus, I can honestly say you guys are like saints or angels to those people who youhelp. So I just wanted to say... thank you all ^^

I aminfected with the win32/nuqel.e and bankerfox virus. I cannot access the internet to download new software and I cannot run anything on my desktop - I get message saying that xyz file is infected do I want to activate antivirus software which of course is Antivirus Pro. I tried downloading another antivirus software to usb drive and could not run it from there also...told me file was infected. I think you are proposing that I download Avenger to a usb drive and run it - is tthat correct. I cannot diabel any software either - can you help?

Hello,

Read this: http://www.geekpolice.net/-t3821.htm

And open a new topic here: http://www.geekpolice.net/virus-spyware-malware-removal-f11/

many thanks for the thread showing how to get rid of this crap, but now that the malware has been removed, my internet doesn't appear to "see" my wireless router anymore - or so it would appear as all of my attempts to get to a site come up with "Internet Explorer cannot display the webpage" message.

I type in www/cnnsi.com for instance and get back the following:

"Internet Explorer cannot display the webpage"

and in the address bar is reads: "http//search.live.com/results.aspx?FORM=IEFM1&q=www.cnnsi.com"

Do I still have a problem here?

I know the woreless router is working as my other computer is picking it up (that is how I am writing this).

I am also getting a system configuration Utility coming up automatically on start-up - are the two of these things linked?

Thanks in advance for any insights!

Pittsburghcuse

update - my saved "Favorites" come up and I can navigate within them but I still can't type a site into the bar and have it go there. I also am getting an error message when trying to open a link from excel or word - I get "unable to open ... Cannot locate the internet server or proxy server"

Thoughts?

Hi,
I am new to your forum and trying to get this terrible whatever it is off of my laptop and am froze up on this page over there. I worked on removing it about 2 weeks ago for about 4 days and got so frustrated that I left it alone for a week and a half. So I just tried to move the page down and it moved so I clicked on the malware download and I'm sure it will take until tomorrow to know whether or not it gets installed. I'll be back to let you know how it's coming along. Thanks for being here. MaryAnn

OK hello again,
The program Malwarebytes downloaded and installed but that virus won't let it run the scan. I shut it down and restarted it and saw that the Security System icons were gone from my toolbar so I tried to run it again and the Security Scan window popped up and no scan. Mcafee tells me that I need to back up and restore but it won't let me do that either. Now what? Am I doing something wrong? I am using Win XP.
Thanks, I'll check back tomorrow. MaryAnn

I think I got the "bigger stronger faster" version of this... it keeps closing the install on the malwarebytes tool. Can I run the tool effectively in safe mode?

Well it didn't work in safemode. It ran, and said it was working, etc but the malware is still there in windows mode. I downloaded the HijackThis (version 2.0.2): and it closes that install also. Trying that in safe mode now....

i have already download malwarebytes but it wont pop up and neither will other things and i usually really great with computers but this has got me stumped. so please someone help me!!!!
Thank you

I'm new at this as far as posting but I like this site and I'm in trouble with this worm Win32/Nuqel.E . I've downloaded Malwarebytes followed instructions removed 2 trojans
Also ran TuneuP and found 41 problems with the registry. Removed them but they just come back. I recently ran Hijack this and have a report to share in hopes someone can help me.This worm has to have some sort of launcher or something like that and If I could find that I might be able to remove the rest without fear of them comming back. Anyway here is the log report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:00 PM, on 3/2/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
D:\mozilla firefox\firefox.exe
D:\Hijack This\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 69.253.151.209 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SpyBot\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Logmein\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [HP Software Update] D:\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CPMonitor] "D:\Roxio\Roxio 2010\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [Desktop Disc Tool] "D:\Roxio\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\ItUNES\iTunesHelper.exe"
O4 - HKLM\..\Run: [sesbneds] C:\Documents and Settings\Potters Trucking\Local Settings\Application Data\ksnbae\vnkksftav.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\SpyBot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sesbneds] C:\Documents and Settings\Potters Trucking\Local Settings\Application Data\ksnbae\vnkksftav.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = D:\WinDVR3\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.cinemanow.com
O15 - Trusted Zone: http://*.qflix.com
O15 - Trusted Zone: http://*.roxio.com
O15 - Trusted Zone: http://redirect.sonic.com
O15 - Trusted Zone: http://redirect2.sonic.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Logmein\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Logmein\x86\LogMeIn.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RoxMediaDB12 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
--
End of file - 9728 bytes

The last form post that I read required this as I'm not sure what to remove.
I have no money to donate but I will be more than happy to post a link on websites that I'm hosting to drive some traffic your way.

Hello,
I also suffer from this virus or whatever it is. Tried to install the above-mentioned malwarebytes, but I can't install it. Tried to install hijackthis, same problem. I even tried to upgrade to windows7 but I can't do that either so I'm really stuck. (I only have this computer for a few weeks...)
What else dan I do, can someone please advice me?

edit 2010-03-05

I managed to install back to original settings and in doing that lost the virus. So at this point no more help is needed.
However, thanks for this great forum!