This page is here to inform you about the GuardGo extension, what it does, and how to successfully remove it. Don’t worry, the guide is real, we tested and removed GuardGo already and we are not faking it like the other guides out there. We are real malware researchers and we’ve been doing this for 10 years.
The only reason we are writing a thousand words before the guide is because there are other malware pieces on your PC. You need to read their names, but they vary and what is installed by the extension also changes. So the only thing we can do is inform you so you are vigilant or you’ll be back in a few days removing GuardGo again.
GuardGo and its ilk have a nasty habit of reinstalling each other; that’s the point. That’s why there are several different malware operators on the infected PC at the same time. The cybercriminals do this because after the removal of each component you need to restart the computer and/or browser. But the other components you didn’t remove just restore the one you got rid of.
This creates a situation where you need to break all the malware at the same time, hence the need for a dedicated guide. It’s very easy to say “go to the extensions and remove GuardGo” but that will frankly just not serve you. These things will actively try to stop you by employing a “managed by policy” mode.
We created several different sets of instructions on how to remove the GuardGo extension. Choose whichever ones you like, but we caution you to go through them all if you are able. You never know – if you miss these things you’ll suddenly have to start over.
If all else fails, we recommend downloading SpyHunter from one of our ads. We already tested that it removes GuardGo. You don’t need to do this if you are confident you can follow the instructions below exactly. It’s just for the people who prefer extra protection.
What is the GuardGo extension?
GuardGo is a rogue extension which does not appear on the Chrome Web Store at all. It has zero legitimacy and is simply a fake with the purpose of driving you to external search engines no sane person would choose. These are designed by malware creators as modified Google searches. The reason for their existence is to generate revenue for a little while by corralling you into unsafe websites for the benefit of whoever decided to pay that day. Most of the time these are small scams that try to trick you into subscribing to something.
Then the entire anti-malware community takes notice of these engines, and the creators of GuardGo start switching to other extensions and engines. This is a never ending cycle which has persisted for the better part of 20 years. Just in the last month alone we’ve had about 10 engines and extensions we wrote about. We will list some of these below because they are related to GuardGo.
You will hear more about them in-depth in the guide, but namely these are the MegaGuard extension, which is basically GuardGo under another name, and the boyu com tr and bangsearch search engines. All the links are to the other pages where we wrote about them. They are not part of the hijacker.
The last name (bangsearch) is what you will probably encounter the most. If we find any more culprits we will research them and add them to the removal guide. There may be other names which appear after the time of writing this article. You need to look out for everything while you are removing GuardGo.
We tracked the current infection spread to mods for Minecraft (e.g. skins). If this is something you recently installed, we recommend removing those mods. Refrain from downloading new ones without scanning everything in VirusTotal or our own virus scanner, which you can find here.
GuardGo Virus Removal Guide
Here are some general tips and instructions before the guide proper. We decided to add these as explanations at the start of the instructions because they are needed. For example, GuardGo will enforce a “managed by organization” state. But depending on how the extension and the hijacker were installed on your PC, the removal of that state can be more difficult. This is why we added several options for the removal, both automatic and manual. You may need to do things even if it feels like you’ve already done them or they seem unneeded.
One thing we are wary of is someone damaging their system. We cannot be blamed for such a thing. You take and perform these instructions at your own risk. For the same reason we recommend you go and create a system restore point immediately. That way if something’s messed up, you can just revert.
If you don’t know how to do it, just hit the Winkey and type Restore. “Create a restore point” should come up right away.
In the new system properties dialog just choose “Create”, name the restore point, and click Create.
We recommend SpyHunter again. Yes, we know it’s annoying. We still insist on recommending it because there are multiple things you can miss. They can reinstall everything you do end up removing successfully. SH has a free trial, so we still recommend it.
If you don’t want to use SpyHunter, the guide below WILL still help you.
How to delete GuardGo from the extension list
You can remove the GuardGo extension by deleting some Windows registry entries. This is relatively simple, but comes with another recommendation from us. Don’t be annoyed, it’s not about SpyHunter.
We will tell you to look at ALL of your extensions in Chrome. Anything you can’t remove through normal means is part of the malware even if it’s not named GuardGo. Copy all of the IDs of the infected extensions, then delete anything you can find on them in the registry editor. Only THEN restart Chrome.
1. Type chrome://extensions in Chrome’s address bar and press Enter.
2. At the top right of the Extensions page turn on “Developer Mode.” You will now be able to see the GuardGo Extension’s dedicated ID.
3. Scroll down to GuardGo and any other extension that has the Remove button greyed out. There should now be an ID below the extension’s name. Highlight and copy it with Ctrl+C.
Note: it’s possible there’s malware that doesn’t have its Remove button greyed out. Look at all the extensions. If you didn’t install them, just remove them. You can add them back later if you feel they’re safe.
Note 2: MegaGuard is another frequent infected extension you will encounter.
4. Next you need to enter the Registry Editor. On your desktop press the Winkey+R then type regedit and press Enter.
5. Press Ctrl+F then paste GuardGo’s ID from earlier. Delete the whole registry value wherever the ID is found, then click “Find Next” until the ID is no longer found anywhere. Do the same thing for other infection IDs you found earlier.
6. The two most important keys containing the ID should be in these two locations:
HKEY_USERS\Group Policy Objects\Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
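A read-only PowerShell check for steps 1 to 6 above, added here as an example and not part of the original guide: it lists every entry in the force-install policy keys and marks the IDs you copied from chrome://extensions. The ID in the script is a constructed placeholder, and the HKEY_CURRENT_USER key is an added assumption (Chrome also reads policy from that hive).

```powershell
# Read-only audit of Chrome's force-install policy lists (added example).
# $SuspectIds holds the IDs copied from chrome://extensions; the value below
# is a constructed placeholder, not GuardGo's real ID.
$SuspectIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')

$PolicyKeys = @(
    # The two locations named in step 6 of the guide, exactly as written there
    'Registry::HKEY_USERS\Group Policy Objects\Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    # Assumption: the per-user policy hive, which Chrome also reads
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

function Get-ForcelistEntry {
    param([string[]]$Path, [string[]]$Suspect)
    foreach ($key in $Path) {
        # A missing key simply means no policy is set at that location
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Each value holds "<32-character extension ID>;<update URL>"
            $data = [string]$item.GetValue($name)
            $id, $url = $data -split ';', 2
            [pscustomobject]@{
                Key         = $item.Name
                ValueName   = $name
                ExtensionId = $id
                UpdateUrl   = $url
                # Chrome extension IDs use only the letters a-p
                WellFormed  = $id -cmatch '^[a-p]{32}$'
                Suspect     = $Suspect -contains $id
            }
        }
    }
}

# Nothing is modified; suspect entries are listed first
Get-ForcelistEntry -Path $PolicyKeys -Suspect $SuspectIds |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize -Wrap
```

On a home PC that no organization manages, every entry this prints is worth comparing against your extension list, whether or not it is marked as suspect.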
How to uninstall GuardGo from the rest of your PC
Don’t restart Chrome yet. We need to check whether something will force back the items you removed. Go to the Windows Control Panel. Just press the Win key and type Control Panel. Click on Uninstall a Program. After you are there, list the items by installation date.
You want to look at all the recent entries. If there’s something with no Publisher, it’s suspicious. If you can’t tell why something is there it’s suspicious too. Uninstall anything with a weird name like JoisApp or CiviApp that you can’t determine the purpose of.
Once you are done proceed to the next step.
How to remove GuardGo from Chrome
This should be performed after the registry deletion. Don’t skip that part. The instructions won’t work at all if you just try to remove it from Chrome without editing the registry. You’ve been warned.
- Restart Chrome and go to the extensions tab. The removal buttons for GuardGo and the other extensions should all be available now. Remove them from the browser.
- Go to the Search Engine tab. See if your Search engine was changed, in this case probably to Bangsearch or Boyu com tr. If it was, change it back to whatever you prefer.
- Restart Chrome again. See if any of the malware extensions returned, or if your search engine is back to the infected one.
If everything seems normal, restart your PC. If after that you’re still good – congratulations you’re done.
If not, you missed something. We know this guide works, so the only thing we can recommend is to go through the steps again or download SpyHunter to do the removal for you.
GuardGo and the other malware it’s related to
You will find several pieces of malware linked or referred to in the page above. We wanted to talk a little bit more about them here. This is not just for fluff content, but to inform you that regardless of the guide here, these other pieces of malware are removed similarly – but they can also change.
The problem with a malware suite is that its pieces usually work as modules. That means whatever we put here is not a finished product. Depending on when GuardGo was installed it will switch which search engine it drives traffic to and which other extensions or apps are present. Some of these present unique challenges on their own. For example, some apps cannot be removed normally from the control panel – just nothing happens when you click uninstall. Then you are forced to search for them throughout system folders until you finally delete them.
All of this is to say that we can’t really be sensitive to when things change. There’s a boatload of malware out there and this guide should be viewed as current as of the date it was created.
That being said, the malware we have detected to relate to GuardGo is: boyu com tr, Bangsearch, MegaGuard, CiviApp, JoisApp. Look for them and inform us if something changes. We want to help!