What is SafeGuard?
The Malwarebytes research team has determined that SafeGuard is adware. These adware applications display advertisements not originating from the sites you are browsing.
How do I know if my computer is affected by SafeGuard?
You may see this entry in your list of installed programs:
and this warning during install:
and you may see this entry in your "Installed Apps":
How did SafeGuard get on my computer?
Adware applications use different methods for distributing themselves. This particular one was promoted as a weather alert application.
How do I remove SafeGuard?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
  - Enable free trial of Malwarebytes Anti-Malware Premium
  - Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes' Anti-Malware removes SafeGuard completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the SafeGuard adware. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
You will see these signs in a HijackThis log:
O4 - HKLM\..\Run: [SafeGuard] "C:\Program Files (x86)\SafeGuard\SafeGuardApp.exe"
O4 - Startup: SafeGuard.lnk = C:\Program Files (x86)\SafeGuard\SafeGuard.exe
O23 - Service: SafeGuard Update Service - Unknown owner - C:\Program Files (x86)\SafeGuard\SafeGuardSrv.exe
O23 - Service: SGUpdaterSvc (SGUpdater) - Alerts LLC - C:\Program Files (x86)\SafeGuard\SGUpdaterSvc.exe
Possible signs in FRST logs:
HKLM-x32\...\Run: [SafeGuard] => C:\Program Files (x86)\SafeGuard\SafeGuardApp.exe [1537552 2015-04-01] ()
Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeGuard.lnk [2015-04-24]
ShortcutTarget: SafeGuard.lnk -> C:\Program Files (x86)\SafeGuard\SafeGuard.exe (Alerts LLC)
R2 SafeGuard Update Service; C:\Program Files (x86)\SafeGuard\SafeGuardSrv.exe [585744 2015-04-01] ()
R2 SGUpdater; C:\Program Files (x86)\SafeGuard\SGUpdaterSvc.exe [16392 2015-03-17] (Alerts LLC)
() C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafeGuard
() C:\Users\{username}\AppData\Local\SafeGuard
() C:\Users\{username}\AppData\Local\Alerts_LLC
() C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SafeGuard
() C:\Program Files (x86)\SafeGuard
SafeGuard (HKLM-x32\...\SafeGuard) (Version: 1.0.2.45 - SafeGuard)
Alterations made by the installer:
File system details
---------------------------------------------------
Adds the folder C:\Program Files (x86)\SafeGuard
    Adds the file ICSharpCode.SharpZipLib.dll"="22-Nov-14 3:37 PM, 196608 bytes, A
    Adds the file SafeGuard.exe"="17-Mar-15 8:44 PM, 235000 bytes, A
    Adds the file SafeGuard.exe.config"="17-Mar-15 8:37 PM, 1727 bytes, A
    Adds the file SafeGuardApp.exe"="01-Apr-15 8:30 PM, 1537552 bytes, A
    Adds the file SafeGuardappuninstall.exe"="24-Apr-15 1:03 PM, 98178 bytes, A
    Adds the file SafeGuardSrv.exe"="01-Apr-15 8:30 PM, 585744 bytes, A
    Adds the file sg-icon.gif"="17-Nov-14 11:03 PM, 1027 bytes, A
    Adds the file SGUpdaterSvc.exe"="17-Mar-15 8:44 PM, 16392 bytes, A
    Adds the file SGUpdaterSvc.exe.config"="22-Nov-14 3:37 PM, 184 bytes, A
    Adds the file uninstall.exe"="24-Apr-15 1:03 PM, 86212 bytes, A
    Adds the file wx-icon.png"="17-Nov-14 11:03 PM, 969 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SafeGuard
    Adds the file Uninstall SafeGuard.lnk"="24-Apr-15 1:03 PM, 1190 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Alerts_LLC\SafeGuard.exe_Url_f5m53hnx3p524irce0kvdh2j2smgdiun\2.0.0.0
    Adds the file user.config"="24-Apr-15 1:05 PM, 1075 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\SafeGuard
    Adds the file SafeGuardApp.dat"="24-Apr-15 1:03 PM, 3374 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafeGuard
    Adds the file SafeGuard.lnk"="24-Apr-15 1:03 PM, 1043 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    Adds the file SafeGuard.lnk"="24-Apr-15 1:03 PM, 1061 bytes, A
Adds the folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SafeGuard
    Adds the file SafeGuardSrv.dat"="24-Apr-15 1:03 PM, 1762 bytes, A

Registry details
------------------------------------------------
Malwarebytes Anti-Malware log:
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention