AdminBot | 10.05.2011 02:21 | Removing PC Security Guardian

What is PC Security Guardian?
PC Security Guardian is another piece of rogue malware in the form of fake scanning software. It gets onto the PC by means of a so-called trojan and makes the user believe that it is scanning the PC for malware. This software (PC Security Guardian) is a fake, is itself malware, and should not be purchased.
Because software such as PC Security Guardian will resist any attempt at removal, and because PC Security Guardian often installs rootkits as well, a reinstallation of the system should be considered.
Scareware such as PC Security Guardian is no longer spread exclusively via 'dubious sites' for cracks, keygens and warez; reputable sites are also increasingly being abused to distribute it (http://www.trojaner-board.de/90880-d...tallation.html).
The most important protection against infection is an up-to-date Windows (with all updates) and up-to-date third-party software such as Java or Adobe Flash!

http://www.trojaner-board.de/attachm...1&d=1305076135

Symptoms of PC Security Guardian:
- constant fake virus alerts from PC Security Guardian
- PC has been running slower than usual since PC Security Guardian appeared

Fake alerts from PC Security Guardian:
%UserProfile%\Recent\cid.drv
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\DBOLE.exe
%UserProfile%\Recent\delfile.sys
%UserProfile%\Recent\fan.dll
%UserProfile%\Recent\grid.sys
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\kernel32.sys
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\runddlkey.drv
%UserProfile%\Recent\SICKBOY.drv
%UserProfile%\Recent\std.dll
%UserProfile%\Recent\tempdoc.tmp
%UserProfile%\Recent\tjd.sys

Warning! Access conflict detected!
An unidentified program is trying to access system process address space.
Process Name: AllowedForm
Location: C:\Windows\...\notepad.exe

Warning! Identity theft attempt detected

Memory access problem
WindowsErrorForm has encountered a problem at address 0x1FC408. We are sorry for the inconvenience. If you see this error again, operational information can be irrevocably lost.

Warning! Virus detected
Threat Detected: Trojan-PSW.VBS.Half
Description: This is a VBScript-virus. It steals user's passwords.

Files of PC Security Guardian:
Code:
%AllUsersProfile%\PSRWKWWDAG\
%AllUsersProfile%\PSRWKWWDAG\PSYITOENDG.cfg
%AllUsersProfile%\<random characters>\
%AllUsersProfile%\<random characters>\2218.mof
%AllUsersProfile%\<random characters>\288416.reg
%AllUsersProfile%\<random characters>\PSG.ico
%AllUsersProfile%\<random characters>\PSGSys\
%AllUsersProfile%\<random characters>\<random characters>_<random numbers>.exe
%AllUsersProfile%\<random characters>\Quarantine Items\
%AllUsersProfile%\<random characters>\mcp.ico
%AppData%\Microsoft\Internet Explorer\Quick Launch\PC Security Guardian.lnk
%AppData%\Microsoft\Windows\Recent\ANTIGEN.dll
%AppData%\Microsoft\Windows\Recent\CLSV.drv
%AppData%\Microsoft\Windows\Recent\CLSV.sys
%AppData%\Microsoft\Windows\Recent\FW.dll
%AppData%\Microsoft\Windows\Recent\PE.dll
%AppData%\Microsoft\Windows\Recent\PE.drv
%AppData%\Microsoft\Windows\Recent\PE.sys
%AppData%\Microsoft\Windows\Recent\SICKBOY.drv
%AppData%\Microsoft\Windows\Recent\energy.drv
%AppData%\Microsoft\Windows\Recent\dudl.exe
%AppData%\Microsoft\Windows\Recent\energy.sys
%AppData%\Microsoft\Windows\Recent\exec.sys
%AppData%\Microsoft\Windows\Recent\exec.tmp
%AppData%\Microsoft\Windows\Recent\fan.tmp
%AppData%\Microsoft\Windows\Recent\snl2w.dll
%AppData%\Microsoft\Windows\Recent\tempdoc.sys
%AppData%\Microsoft\Windows\Start Menu\Programs\PC Security Guardian.lnk
%AppData%\Microsoft\Windows\Start Menu\PC Security Guardian.lnk
%AppData%\PC Security Guardian\
%AppData%\PC Security Guardian\Instructions.ini
%AppData%\PC Security Guardian\cookies.sqlite
%UserProfile%\Desktop\PC Security Guardian.lnk

Registry entries of PC Security Guardian:
Code:
HKCU\Software\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=289&q={searchTerms}"
HKCU\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = ""%AllUsersProfile%\<random characters>\<random characters>_<random numbers>.exe" /s /d"
HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKLM\SOFTWARE\Classes\PSc99_289.DocHostUIHandler
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsImSvc.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PskSvc.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\Debugger = "svchost.exe"
... <many more entries>

PC Security Guardian in the HijackThis log:
Code:
O4 - HKCU\..\Run: [PC Security Guardian] "%AllUsersProfile%\<random characters>\<random characters>_<random numbers>.exe" /s /d
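
Added example (not part of the original post): a Python triage pass over registry lines written in the "key\value = data" notation of the registry listing above. It flags the four techniques that listing shows (an Image File Execution Options Debugger value, DisallowRun entries, an autostart command in a profile directory, RunInvalidSignatures); the rule names, the `triage` function and the sample lines are constructed for illustration.

```python
import re

# Each rule: (finding name, pattern matched against the key path, check on the data).
RULES = [
    # A Debugger value makes Windows start that program instead of the named image.
    ("ifeo_debugger",
     re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I),
     lambda data: True),
    # Numbered values under DisallowRun name executables Explorer is told not to start.
    ("disallow_run",
     re.compile(r"\\Policies\\Explorer\\DisallowRun\\(\d+)$", re.I),
     lambda data: True),
    # Autostart entry whose command lives in a profile directory.
    ("run_from_profile",
     re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I),
     lambda data: re.search(r"%(AllUsersProfile|AppData)%", data, re.I) is not None),
    # Internet Explorer set to run downloads with invalid signatures.
    ("ie_invalid_signatures",
     re.compile(r"\\Internet Explorer\\Download\\(RunInvalidSignatures)$", re.I),
     lambda data: data == "1"),
]

def triage(listing):
    """Return (finding, subject, data) for every line that matches a rule."""
    findings = []
    for line in listing.splitlines():
        key, sep, data = line.strip().partition(" = ")
        if not sep:
            continue  # not a "key\value = data" line
        data = data.strip('"')  # tolerate missing or doubled quotes
        for name, pattern, data_ok in RULES:
            match = pattern.search(key)
            if match and data_ok(data):
                findings.append((name, match.group(1), data))
                break
    return findings

# Constructed sample lines (not taken from a real machine).
SAMPLE = r'''
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = ""%AllUsersProfile%\abcd\abcd_123.exe" /s /d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\Debugger = "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\GlobalFlag = "0"
HKCU\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Program Files\Vendor\updater.exe"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The GlobalFlag line and the Run entry under Program Files are left unflagged on purpose: only a Debugger value or an autostart command in a profile directory matches.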