Jump to content

Removal instructions for SafeGuard


Recommended Posts

  • Staff

What is SafeGuard?

The Malwarebytes research team has determined that SafeGuard is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by SafeGuard?

You may see this entry in your list of installed programs:

warning4.png

and this warning during install:

main.png

and you may see this entry in your "Installed Apps":

icons.png

How did SafeGuard get on my computer?

Adware applications use different methods for distributing themselves. This particular one was promoted as a weather alert application.

How do I remove SafeGuard?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of SafeGuard?

  • No, Malwarebytes' Anti-Malware removes SafeGuard completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the SafeGuard adware. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

protection1.png

Technical details for experts

You will see these signs in a HijackThis log:

O4 - HKLM\..\Run: [SafeGuard] "C:\Program Files (x86)\SafeGuard\SafeGuardApp.exe"O4 - Startup: SafeGuard.lnk = C:\Program Files (x86)\SafeGuard\SafeGuard.exeO23 - Service: SafeGuard Update Service - Unknown owner - C:\Program Files (x86)\SafeGuard\SafeGuardSrv.exeO23 - Service: SGUpdaterSvc (SGUpdater) - Alerts LLC - C:\Program Files (x86)\SafeGuard\SGUpdaterSvc.exe

Possible signs in FRST logs:

 HKLM-x32\...\Run: [SafeGuard] => C:\Program Files (x86)\SafeGuard\SafeGuardApp.exe [1537552 2015-04-01] () Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeGuard.lnk [2015-04-24] ShortcutTarget: SafeGuard.lnk -> C:\Program Files (x86)\SafeGuard\SafeGuard.exe (Alerts LLC) R2 SafeGuard Update Service; C:\Program Files (x86)\SafeGuard\SafeGuardSrv.exe [585744 2015-04-01] () R2 SGUpdater; C:\Program Files (x86)\SafeGuard\SGUpdaterSvc.exe [16392 2015-03-17] (Alerts LLC) () C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafeGuard () C:\Users\{username}\AppData\Local\SafeGuard () C:\Users\{username}\AppData\Local\Alerts_LLC () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SafeGuard () C:\Program Files (x86)\SafeGuardSafeGuard (HKLM-x32\...\SafeGuard) (Version: 1.0.2.45 - SafeGuard)

Alterations made by the installer:

File system details [View: All details] (Selection)---------------------------------------------------    Adds the folder C:\Program Files (x86)\SafeGuard       Adds the file ICSharpCode.SharpZipLib.dll"="22-Nov-14 3:37 PM, 196608 bytes, A       Adds the file SafeGuard.exe"="17-Mar-15 8:44 PM, 235000 bytes, A       Adds the file SafeGuard.exe.config"="17-Mar-15 8:37 PM, 1727 bytes, A       Adds the file SafeGuardApp.exe"="01-Apr-15 8:30 PM, 1537552 bytes, A       Adds the file SafeGuardappuninstall.exe"="24-Apr-15 1:03 PM, 98178 bytes, A       Adds the file SafeGuardSrv.exe"="01-Apr-15 8:30 PM, 585744 bytes, A       Adds the file sg-icon.gif"="17-Nov-14 11:03 PM, 1027 bytes, A       Adds the file SGUpdaterSvc.exe"="17-Mar-15 8:44 PM, 16392 bytes, A       Adds the file SGUpdaterSvc.exe.config"="22-Nov-14 3:37 PM, 184 bytes, A       Adds the file uninstall.exe"="24-Apr-15 1:03 PM, 86212 bytes, A       Adds the file wx-icon.png"="17-Nov-14 11:03 PM, 969 bytes, A    Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SafeGuard       Adds the file Uninstall SafeGuard.lnk"="24-Apr-15 1:03 PM, 1190 bytes, A    Adds the folder C:\Users\{username}\AppData\Local\Alerts_LLC\SafeGuard.exe_Url_f5m53hnx3p524irce0kvdh2j2smgdiun\2.0.0.0       Adds the file user.config"="24-Apr-15 1:05 PM, 1075 bytes, A    Adds the folder C:\Users\{username}\AppData\Local\SafeGuard       Adds the file SafeGuardApp.dat"="24-Apr-15 1:03 PM, 3374 bytes, A    Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafeGuard       Adds the file SafeGuard.lnk"="24-Apr-15 1:03 PM, 1043 bytes, A    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup       Adds the file SafeGuard.lnk"="24-Apr-15 1:03 PM, 1061 bytes, A    Adds the folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SafeGuard       Adds the file SafeGuardSrv.dat"="24-Apr-15 1:03 PM, 1762 bytes, ARegistry details [View: All details] (Selection)------------------------------------------------    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4D6A5312-AB4D-41AA-8BED-0E019B87CA11}]       "LocalService"="REG_SZ", "SafeGuard Update Service"    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SafeGuard_RASAPI32]       "ConsoleTracingMask"="REG_DWORD", -65536       "EnableAutoFileTracing"="REG_DWORD", 0       "EnableConsoleTracing"="REG_DWORD", 0       "EnableFileTracing"="REG_DWORD", 0       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"       "FileTracingMask"="REG_DWORD", -65536       "MaxFileSize"="REG_DWORD", 1048576    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SafeGuard_RASMANCS]       "ConsoleTracingMask"="REG_DWORD", -65536       "EnableAutoFileTracing"="REG_DWORD", 0       "EnableConsoleTracing"="REG_DWORD", 0       "EnableFileTracing"="REG_DWORD", 0       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"       "FileTracingMask"="REG_DWORD", -65536       "MaxFileSize"="REG_DWORD", 1048576    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]       "SafeGuardApp.exe"="REG_DWORD", 65535    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]       "SafeGuard"="REG_SZ", ""C:\Program Files (x86)\SafeGuard\SafeGuardApp.exe""    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SafeGuard]       "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\SafeGuard\SafeGuardappuninstall.exe"       "DisplayName"="REG_SZ", "SafeGuard"       "DisplayVersion"="REG_SZ", "1.0.2.45"       "EstimatedSize"="REG_DWORD", 700       "InstallParams"="REG_SZ", " /S /S /distid=11159 /tpchannelid=internaltestinstall01 /install=1"       "NoModify"="REG_DWORD", 1       "NoRepair"="REG_DWORD", 1       "Publisher"="REG_SZ", "SafeGuard"       "UninstallString"="REG_SZ", "C:\Program Files (x86)\SafeGuard\SafeGuardappuninstall.exe"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SafeGuard]       "GUID"="REG_SZ", "{0FC90C5C-72B9-449E-8AC8-7EDEA33DD13E}"       "Installed"="REG_SZ", "1"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SafeGuardApp]       "Path"="REG_SZ", "C:\Program Files (x86)\SafeGuard"    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeGuard Update Service]       "DependOnService"="REG_MULTI_SZ, "RPCSS "       "Description"="REG_SZ", "Keep your SafeGuard software up to date."       "DisplayName"="REG_SZ", "SafeGuard Update Service"       "ErrorControl"="REG_DWORD", 1       "FailureActions"="REG_BINARY, ......................       "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\SafeGuard\SafeGuardSrv.exe""       "ObjectName"="REG_SZ", "LocalSystem"       "Start"="REG_DWORD", 2       "Type"="REG_DWORD", 16       "WOW64"="REG_DWORD", 1    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SGUpdater]       "DisplayName"="REG_SZ", "SGUpdaterSvc"       "ErrorControl"="REG_DWORD", 1       "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SafeGuard\SGUpdaterSvc.exe"       "ObjectName"="REG_SZ", "LocalSystem"       "Start"="REG_DWORD", 2       "Type"="REG_DWORD", 16       "WOW64"="REG_DWORD", 1    [HKEY_CURRENT_USER\Software\SafeGuardApp]       "appdata"="REG_BINARY, {"conf":"{\"brand_id\":\"165\",\"brand_name\":\"SafeGuard\",\"default_bundle_id\":\"7598617\",\"brand_fullname\":\"SafeGuard\",\"ad_url\":\"https://da.safeguardalerts00.safeguardalerts.com/desktopAdRequest.aspx\",\"report_url\":\"https://am.safeguardalerts00.safeguardalerts.com/event\",\"ad_request_interval\":180,\"first_ad_delay\":7200,\"ad_redirect_timeout\":4900,\"ad_request_timeout\":30,\"display_mode\":0,\"latest_ver\":\"1.0.0.0\",\"update_url\":\"\",\"ad_partner_id\":\"safeguard\",\"config_interval\":21600,\"ad_nav_expire\":180,\"ad_throttle\":{\"0\":0,\"5\":15},\"ad_width\":1025,\"ad_height\":770,\"accessible_path\":\"Chrome_WidgetWin_1`9,9,a,a,a,16,14,2a;9,9,9,a,14,14,2a;9,9,9,a,16,14,2a;9,9,a,14,14,16,14,a,2a||MozillaWindowClass`9,e,16,2e,2a;9,e,14,26,16,2e,2a;9,e,26,16,2e,2a||IEFrame`9,a,9,a,9,a,9,a,9,2a||{1C03B488-D53B-4a81-97F8-754559640193}`9,a,9,a,9,a,9,a,9,f,a,14,2a\",\"enable_cef\":1,\"cef_pkgurl\":\"https://assets.safeguardalerts00.safeguardalerts.com/packages/cbsetup/1426874490_cbsetup.pkg\",\"adlabel_url\":\"https://assets.safeguardalerts00.safeguardalerts.com/label?brandid=%d&cbmode=%d\",\"adlabel_popurl\":\"http://safeguardalerts.com\",\"telemetry_sample_rate\":0,\"ad_click_report_url\":\"https://da.safeguardalerts00.safeguardalerts.com/click\",\"uid\":\"12f72b7f94a8ba3cc5937e9ce72312d2ceb8f6c24580d63ea0fd5ad81dc5c23b\",\"server_params\":{\"install_id\":767578827,\"install_create_date\":\"2015-04-24T04:03:00\",\"bundle_id\":\"7598633\",\"sgf\":\"\",\"sgte\":\"\"}}","scookie":"","installarg":" /S /S /distid=11159 /tpchannelid=internaltestinstall01 ","cef_last_url":"","uid":"12f72b7f94a8ba3cc5937e9ce72312d2ceb8f6c24580d63ea0fd5ad81dc5c23b"}       "uid"="REG_BINARY, 12f72b7f94a8ba3cc5937e9ce72312d2ceb8f6c24580d63ea0fd5ad81dc5c23b

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 24-Apr-15Scan Time: 1:11:41 PMLogfile: mbamSafeGuard.txtAdministrator: YesVersion: 2.01.4.1018Malware Database: v2015.04.24.02Rootkit Database: v2015.04.21.01License: FreeMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 8.1CPU: x64File System: NTFSUser: {username}Scan Type: Threat ScanResult: CompletedObjects Scanned: 342965Time Elapsed: 27 min, 57 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 4PUP.Optional.Alerts.A, C:\Program Files (x86)\SafeGuard\SafeGuardApp.exe, 5088, Delete-on-Reboot, [560c541c35552c0a2e4f1a23d42efc04]PUP.Optional.Alerts.A, C:\Program Files (x86)\SafeGuard\SafeGuard.exe, 4204, Delete-on-Reboot, [10523f31f8926cca4b32e15c04fe926e]PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\SafeGuardSrv.exe, 3948, Delete-on-Reboot, [293990e053373df99a4809bc12f1cb35]PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\SGUpdaterSvc.exe, 4844, Delete-on-Reboot, [293990e053373df99a4809bc12f1cb35]Modules: 0(No malicious items detected)Registry Keys: 6PUP.Optional.SafeGuard.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SafeGuard, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SafeGuard Update Service, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SGUpdater, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, HKLM\SOFTWARE\WOW6432NODE\SafeGuardApp, Quarantined, [5d052f415c2e979fd211eadb48bb34cc], PUP.Optional.IGS.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IGS, Quarantined, [f36fc5ab07834beb558a045121e44fb1], PUP.Optional.SafeGuard.A, HKCU\SOFTWARE\SafeGuardApp, Quarantined, [88daaac64f3bff37dd07ad1834cfff01], Registry Values: 2PUP.Optional.Alerts.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SafeGuard, "C:\Program Files (x86)\SafeGuard\SafeGuardApp.exe", Quarantined, [560c541c35552c0a2e4f1a23d42efc04]PUP.Optional.IGS.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IGS|DisplayIcon, C:\Program Files (x86)\IGS\uninstall.exe, Quarantined, [f36fc5ab07834beb558a045121e44fb1]Registry Data: 0(No malicious items detected)Folders: 7PUP.Optional.SafeGuard.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SafeGuard, Quarantined, [2c36462ad0bafa3cb527eada6f9453ad], PUP.Optional.SafeGuard.A, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafeGuard, Quarantined, [c39fc2ae5f2bb87ef19cf9ccb053c33d], PUP.Optional.SafeGuard.A, C:\Users\{username}\AppData\Local\SafeGuard, Quarantined, [550db1bf4446b383bd241ca96e95de22], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard, Delete-on-Reboot, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Users\{username}\AppData\Local\Alerts_LLC, Quarantined, [baa8c8a8d9b176c099e09230e3207888], PUP.Optional.SafeGuard.A, C:\Users\{username}\AppData\Local\Alerts_LLC\SafeGuard.exe_Url_f5m53hnx3p524irce0kvdh2j2smgdiun, Quarantined, [baa8c8a8d9b176c099e09230e3207888], PUP.Optional.SafeGuard.A, C:\Users\{username}\AppData\Local\Alerts_LLC\SafeGuard.exe_Url_f5m53hnx3p524irce0kvdh2j2smgdiun\2.0.0.0, Quarantined, [baa8c8a8d9b176c099e09230e3207888], Files: 17PUP.Optional.Alerts.A, C:\Program Files (x86)\SafeGuard\SafeGuardApp.exe, Delete-on-Reboot, [560c541c35552c0a2e4f1a23d42efc04], PUP.Optional.Alerts.A, C:\Program Files (x86)\SafeGuard\SafeGuard.exe, Delete-on-Reboot, [10523f31f8926cca4b32e15c04fe926e], PUP.Optional.Alerts.A, C:\Users\{username}\Desktop\SafeGuardsetup.exe, Quarantined, [bca6e68ae4a6e25493eac07d33cf6799], PUP.Optional.SafeGuard.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SafeGuard\Uninstall SafeGuard.lnk, Quarantined, [2c36462ad0bafa3cb527eada6f9453ad], PUP.Optional.SafeGuard.A, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafeGuard\SafeGuard.lnk, Quarantined, [c39fc2ae5f2bb87ef19cf9ccb053c33d], PUP.Optional.SafeGuard.A, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeGuard.lnk, Quarantined, [4b170b65f09af145be2251749b68b14f], PUP.Optional.SafeGuard.A, C:\Users\{username}\AppData\Local\SafeGuard\SafeGuardApp.dat, Quarantined, [550db1bf4446b383bd241ca96e95de22], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\SafeGuard.exe.config, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\ICSharpCode.SharpZipLib.dll, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\SafeGuardappuninstall.exe, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\SafeGuardSrv.exe, Delete-on-Reboot, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\sg-icon.gif, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\SGUpdaterSvc.exe, Delete-on-Reboot, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\SGUpdaterSvc.exe.config, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\uninstall.exe, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Program Files (x86)\SafeGuard\wx-icon.png, Quarantined, [293990e053373df99a4809bc12f1cb35], PUP.Optional.SafeGuard.A, C:\Users\{username}\AppData\Local\Alerts_LLC\SafeGuard.exe_Url_f5m53hnx3p524irce0kvdh2j2smgdiun\2.0.0.0\user.config, Quarantined, [baa8c8a8d9b176c099e09230e3207888], Physical Sectors: 0(No malicious items detected)(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Edited by Metallica
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.