CoreGuard Antivirus 2009 is a rogue antivirus/antispyware program. Like other rogue antispyware programs, it uses fake alerts and false positives to trick you into buying the software.
When installed, CoreGuard Antivirus 2009 configures itself to run automatically every time you start your computer. During installation, the rogue software also detects and attempts to uninstall antivirus/antispyware software (MalwareBytes Antimalware, NOD32 and Avast are a few examples).
CoreGuard Antivirus 2009 – Remove Malwarebytes Anti-malware
Once running, CoreGuard Antivirus 2009 will scan your computer and report false or exaggerated security threats that cannot be removed unless you first purchase the software. Running CoreGuard Antivirus 2009 may drastically slow the performance of your computer.
While CoreGuard Antivirus 2009 is running, your computer will display fake firewall alerts. Please ignore these alerts. Use the free instructions below to remove the rogue antispyware and any associated malware from your computer.
Symptoms in a HijackThis Log
O4 - HKCU\..\Run: [Coreguard Antivirus 2009] C:\Program Files\Coreguard Antivirus 2009\Coreguard 2009.exe
O10 - Unknown file in Winsock LSP: c:\program files\coreguard antivirus 2009\firewall.dll
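An added example, not part of the original guide: a small Python scanner that reads a HijackThis log and flags the two kinds of entries shown above. The sample log is constructed (only the two CoreGuard lines come from this page), and the function names are illustrative.

```python
import re

# Indicators taken from this page: the install directory and the Run value name.
INSTALL_DIR = r"c:\program files\coreguard antivirus 2009"
RUN_VALUE = "coreguard antivirus 2009"

# HijackThis section codes that appear in the page's log excerpt.
SECTION_MEANING = {
    "O4": "autostart entry (Run key / Startup folder)",
    "O10": "Winsock LSP (layered service provider)",
}

# An entry is "<code> - <text>"; web pages often turn the hyphen into an en dash.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s*[-\u2013\u2014]\s*(.+?)\s*$")


def parse_entries(log_text):
    """Yield (section, text) for every HijackThis entry line in log_text."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def find_coreguard(log_text):
    """Return (section, meaning, text) for entries matching the page's indicators."""
    hits = []
    for section, text in parse_entries(log_text):
        lowered = text.lower()  # paths in the log appear in mixed and lower case
        run_name = re.search(r"\[([^\]]+)\]", lowered)
        if INSTALL_DIR in lowered or (run_name and run_name.group(1).strip() == RUN_VALUE):
            hits.append((section, SECTION_MEANING.get(section, "other"), text))
    return hits


# Constructed sample log: two entries from this page plus invented benign lines.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
O4 \u2013 HKCU\\..\\Run: [Coreguard Antivirus 2009] C:\\Program Files\\Coreguard Antivirus 2009\\Coreguard 2009.exe
O10 - Unknown file in Winsock LSP: c:\\program files\\coreguard antivirus 2009\\firewall.dll
O23 - Service: Example Service - Example Corp - C:\\Program Files\\Example\\svc.exe
"""

if __name__ == "__main__":
    for section, meaning, text in find_coreguard(SAMPLE_LOG):
        print(f"{section:<4}{meaning}: {text}")
```

An O10 hit means firewall.dll is registered in the Winsock LSP chain; deleting that file by hand without repairing the chain can break network connectivity, so leave it to the removal tools described below.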
Removal Instructions for CoreGuard Antivirus 2009 using SmitfraudFix
Download SmitfraudFix and save it to your desktop. When the file has finished downloading, you will see a SmitfraudFix icon on your desktop similar to the one below.
SmitfraudFix Icon
Reboot your computer in Safe Mode by doing the following steps:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear.
- Select the first option, to run Windows in Safe Mode.
Double-click the SmitfraudFix icon on your desktop. You may see a screen similar to the one below.
Security Warning
Windows issues a “Security Warning” prompt; this is normal and safe. Click the Run button to continue. If you are using Windows Vista and receive a UAC prompt asking if you would like to continue running the program, press the Continue button.
When SmitfraudFix first starts you will see a credits screen. Press Enter and you will now see a menu as shown in the screen below.
SmitfraudFix Menu
Select 2 and hit Enter. SmitfraudFix will now start cleaning your computer. This procedure can take some time, so please be patient.
SmitfraudFix Cleaning Process
When SmitfraudFix has finished the cleaning process, it will automatically start the Disk Cleanup program and you will see a screen as shown below.
Disk Cleanup
You will be prompted: Do you want to clean the registry ? Answer Y (yes) and hit Enter in order to clean registry keys associated with malware.
When the Disk Cleanup step is done, you will see a red screen stating Computer will reboot now. Close all applications. Press Enter.
When reboot is completed, a log will open in Notepad.
Removal Instructions for CoreGuard Antivirus 2009 using Malwarebytes Anti-malware
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, follow the prompts to continue with the installation process. Do not make any changes to the default settings and, when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select “Perform Quick Scan”, then click Scan. The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
CoreGuard Antivirus 2009 creates the following files and folders
%UserProfile%\Start Menu\Programs\Coreguard Antivirus 2009
C:\Program Files\Coreguard Antivirus 2009
C:\Program Files\Coreguard Antivirus 2009\Help
C:\Program Files\Coreguard Antivirus 2009\Help\images
C:\Program Files\Coreguard Antivirus 2009\Help\images\buttons
C:\Program Files\Coreguard Antivirus 2009\Coreguard 2009.exe
%UserProfile%\Start Menu\Programs\Coreguard Antivirus 2009\Coreguard 2009.lnk
%UserProfile%\Start Menu\Programs\Coreguard Antivirus 2009\Uninstall Coreguard Antivirus 2009.lnk
C:\Program Files\Coreguard Antivirus 2009\blacklist.cga
C:\Program Files\Coreguard Antivirus 2009\core.cga
C:\Program Files\Coreguard Antivirus 2009\CoreExt.dll
C:\Program Files\Coreguard Antivirus 2009\firewall.dll
C:\Program Files\Coreguard Antivirus 2009\Uninstall.exe
C:\Program Files\Coreguard Antivirus 2009\Help\reg.html
C:\Program Files\Coreguard Antivirus 2009\Help\support.png
C:\Program Files\Coreguard Antivirus 2009\Help\unreg.html
C:\Program Files\Coreguard Antivirus 2009\Help\images\delete.png
C:\Program Files\Coreguard Antivirus 2009\Help\images\info.png
C:\Program Files\Coreguard Antivirus 2009\Help\images\plus_circle.png
C:\Program Files\Coreguard Antivirus 2009\Help\images\tick.png
C:\Program Files\Coreguard Antivirus 2009\Help\images\warn.png
C:\Program Files\Coreguard Antivirus 2009\Help\images\buttons\offline.gif
C:\Program Files\Coreguard Antivirus 2009\Help\images\buttons\online.gif
C:\Program Files\Coreguard Antivirus 2009\Help\images\buttons\voice.gif
%UserProfile%\Desktop\Coreguard 2009.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Coreguard 2009.lnk
CoreGuard Antivirus 2009 creates the following registry keys and values
HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\coreguard antivirus 2009
HKEY_CURRENT_USER\SOFTWARE\CoreGuard
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coreguard antivirus 2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000}