
Saturday, October 8, 2011

How to Remove Guard Online (Uninstall Guide)

Guard Online is a re-branded and re-designed version of the AV Guard Online scareware. It does the usual stuff -- displays fake virus alerts claiming that your computer is infected with spyware, Trojans, and other malcode, and blocks legitimate security products and Windows utilities. Buying the rogue antivirus program won't help, because it can't remove anything, and it obviously won't protect your computer against emerging security threats (viruses, spam emails, keyloggers, etc.). However, malware creators are constantly coming up with new ways to deceive people into paying for bogus security products. Just take a look at this rogue: it's made to look like an iPad. Guard Online looks almost exactly the same. I find it truly disrespectful that they decided to make such a rogue in the context of the recent news about Steve Jobs.



But that's not all: the cyber criminals decided it would be a lot better to drop a rootkit from the notorious TDSS malware family to make the removal procedure a lot more complicated. To remove Guard Online from your computer, please follow the removal instructions below. Although the removal guide was originally created to help you remove the AV Guard Online scareware, the procedures it describes apply to Guard Online removal as well. If you have any questions, please leave a comment below. Good luck and be safe online!

http://deletemalware.blogspot.com


Guard Online removal instructions:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in as in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS rootkit (if it exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual Guard Online removal guide:

1. Right-click on the Guard Online icon and select Properties. Then select the Shortcut tab.

The location of the malware is in the Target box.

2. In our case the malicious file was located in the C:\Windows\System32 folder. Select the malicious file, rename it and change its file name extension.

Original file: TcS22bF3nGaQWKf.exe



Renamed file: TcS22bF3nGaQWKf.vir



3. Restart your computer. After the reboot, download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. Remove the TDSS rootkit (if it exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Manual activation and Guard Online removal:

1. Choose to remove threats and manually activate the rogue program. Enter one of the following codes to activate AV Guard Online.

9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197
1835437232
1837663686
1961232582

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: In some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. Remove the TDSS rootkit (if it exists). Please follow this removal guide: http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html


Associated Guard Online files and registry values:

Files:

  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\csrss.exe
  • C:\Documents and Settings\[UserName]\Application Data\hTrkd58DeORldrQGuard Online.ico
  • C:\Documents and Settings\[UserName]\Application Data\Microsoft\csrss.exe
  • C:\Documents and Settings\[UserName]\Desktop\Guard Online.lnk
  • C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Guard Online\Guard Online.lnk

Registry values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
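If you would rather check a machine for the indicators above than click through folders by hand, here is a small Python triage script I've added to this post. It is not part of the original guide and not one of the tools linked here. It runs against constructed data only: a mock Run-key export and a mock file listing built from the Windows XP paths in the list (with "Alice" standing in for [UserName]). The random-name test is a heuristic I chose, not something the rogue guarantees: 10 or more letters and digits with mixed case and at least one digit, which matches the TcS22bF3nGaQWKf.exe sample from the manual removal steps.

```python
"""Triage helper for the Guard Online indicators listed above.

Added example, not part of the original guide. It runs against constructed
data (a mock Run-key export and a mock file listing built from the paths in
the post); it does not touch a live registry or file system.
"""
import re

# On the Windows XP layout used in the post, csrss.exe legitimately lives
# only here. A copy anywhere else is a process-name masquerade.
LEGIT_CSRSS_DIR = r"c:\windows\system32"

# Heuristic (assumption, not from the post): the rogue's random names are
# runs of 10+ letters/digits with mixed case and at least one digit, e.g.
# TcS22bF3nGaQWKf from the manual removal steps.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{10,}$")


def looks_random(name: str) -> bool:
    """True if `name` matches the random-character pattern described above."""
    if not RANDOM_NAME.match(name):
        return False
    return (any(c.isupper() for c in name)
            and any(c.islower() for c in name)
            and any(c.isdigit() for c in name))


def csrss_outside_system32(path: str) -> bool:
    """True if a file named csrss.exe sits anywhere other than System32."""
    low = path.lower()
    if not low.endswith("\\csrss.exe"):
        return False
    return low.rsplit("\\", 1)[0] != LEGIT_CSRSS_DIR


def triage_files(paths):
    """Return (path, reason) pairs for files matching the post's indicators."""
    findings = []
    for path in paths:
        directory, _, base = path.rpartition("\\")
        stem, _, ext = base.rpartition(".")
        if csrss_outside_system32(path):
            findings.append((path, "csrss.exe outside System32 (masquerading as a system process)"))
        elif "guard online" in base.lower():
            findings.append((path, "Guard Online shortcut or icon artifact"))
        elif ext.lower() == "exe" and directory.lower() == LEGIT_CSRSS_DIR and looks_random(stem):
            findings.append((path, "random-named executable dropped in System32"))
    return findings


def triage_run_key(entries):
    """Check HKLM\\...\\Run value names and the commands they launch.

    `entries` maps value name -> command path, as read off the Run key
    (or out of an exported .reg file).
    """
    findings = []
    for name, command in entries.items():
        if looks_random(name):
            findings.append((name, "random-character Run value name"))
        else:
            for _, reason in triage_files([command]):
                findings.append((name, "Run value launches: " + reason))
    return findings


# Constructed sample data modelled on the paths listed in the post.
SAMPLE_RUN_KEY = {
    "TcS22bF3nGaQWKf": r"C:\WINDOWS\system32\TcS22bF3nGaQWKf.exe",
    "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\TcS22bF3nGaQWKf.exe",
    r"C:\WINDOWS\system32\csrss.exe",  # the real one, must not be flagged
    r"C:\Documents and Settings\Alice\Application Data\csrss.exe",
    r"C:\Documents and Settings\Alice\Application Data\Microsoft\csrss.exe",
    r"C:\Documents and Settings\Alice\Desktop\Guard Online.lnk",
    r"C:\Documents and Settings\Alice\Application Data\hTrkd58DeORldrQGuard Online.ico",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for item, reason in triage_run_key(SAMPLE_RUN_KEY) + triage_files(SAMPLE_FILES):
        print(f"{reason:62s} {item}")
```

On a real machine you would feed it the value names and data from the Run key and a listing of the user profile folders; on Vista and Windows 7 the profile paths differ from the XP ones in the list, so adjust them before using it there. Files it flags are worth renaming (as in the manual steps above) and scanning, not deleting blindly, since the legitimate csrss.exe in System32 must stay put.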

6 comments:

Anonymous said...

Thanks a lot! It worked. I really appreciate it.
What a shame to create a virus shaped like an iPhone right after Steve Jobs's death!?? Terrible people (those hackers), nothing holy(((

Anonymous said...

Thanks a lot! I followed your instructions and I think I could remove this annoying malware. My best wishes are all with you right now.

Anonymous said...

Didn't work. Can't connect to the internet (even in Safe Mode with Networking). Tried the manual route and got it to stop popping up but still no internet. :'-(

Anonymous said...

Go to Internet Explorer's Internet Options and check your connection settings for the Internet.

Anonymous said...

This didn't work well for me - I think I may have encountered some more novel version of this awful malware. I obviously had some type of rootkit since my Google searches were redirected, but TDSSKiller didn't detect anything. I couldn't run (no matter how much I tried with name changes etc.) Malwarebytes Anti-Malware or SUPERAntiSpyware, and Spybot S&D didn't find anything. Hitman Pro did do something - it seemed to locate the threat but ended up making my unoperational - couldn't log into Windows anymore. Had to repair my Windows installation - then things worked. I'm guessing Hitman did the trick but at a somewhat too high cost :P

Anonymous said...

Now that I've got rid of Guard Online, I'm left with some desktop files that my computer won't let me erase - specifically, the renamed .exe files of the programs I (unsuccessfully) tried to use to get rid of Guard Online: gmer, rkill, tdsskiller. I'm worried that these corrupted files will somehow launch a new malware attack on me at some point, so is there any way to get rid of them? When I try to erase them, I get an alert telling me I'm not allowed to erase, and that I should check if the disk is full, if they are write-protected or if they are currently running. None of those things apply as far as I can tell, so I'm at a loss.