Tuesday, August 26, 2008

DriveGuard.exe Or FlashGuard.exe Virus

This virus, also known as Worm.Win32.Autoit.au (Kaspersky's name for it), tries to pass itself off as a friendly application, one that claims to protect your removable drives from other pieces of malware.

It also drops a readme file that reads:
"This tiny software is used to protect removable storage devices from
worms that are spread from one PC to another. "

But at the same time it downloads backdoor files.

You can find the virus at c:\Program Files\FlashGuard\FlashGuard.exe, but only after you have set Windows to show hidden files (How to Unhide Hidden Files Guide).

The malicious file copies itself to:

c:\Program Files\FlashGuard\FlashGuard.exe
c:\Program Files\FlashGuard\ReadMe.txt
c:\Documents and Settings\<UserProfile>\Local Settings\Temp\DriveGuard.tmp.exe
c:\Documents and Settings\<UserProfile>\Local Settings\Temp\gHmpg.tmp.exe

It creates folders on your pendrive and copies itself to:

f:\System\Security\DriveGuard.exe *
f:\autorun.ini *

* [f:\] the drive letter can vary depending on how Windows assigns/mounts your pendrive

It creates a startup launcher (registry entry):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard

To see these virus files you must set Windows to show hidden files - Guide

Removal Guide:

Press Ctrl+Alt+Del to open Task Manager, select FlashGuard.exe and click 'End Process'.

You can browse to the folders mentioned above, or find the files quickly with the 'Search' feature (Start Menu>>Search). In the search box type flashguard.exe or flashguard. Don't hit the search button yet.

Scroll down and expand 'More Advanced Options'. Check all the boxes as you see in the screenshot below and hit the 'Search' button.

Delete all the files found.

Also search for .tmp.exe and delete the DriveGuard.tmp.exe and gHmpg.tmp.exe files found.

The virus files are easy to recognize by their pendrive-like icon.

Your PC is now clean of the virus, but since the virus loads at startup it has left an entry in your registry. You can delete it in the registry, or go to Start Menu>>Run, type msconfig and click 'Ok'.

Select the 'Startup' tab, find FlashGuard and uncheck it. Click 'Apply' to take effect.


Delete Registry Entry: Go to Start Menu>>Run, type regedit and click 'Ok'.
Browse to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
Select FlashGuard, right-click on it and delete it.
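
The manual steps above (end the process, find and delete the dropped files, clean the pendrive, remove the Run entry) can be checked in one pass from an elevated Windows PowerShell prompt. The script below is an added example, not code from the original post: it looks for exactly the indicators the post lists and reports them; it only deletes anything when run with -Remove (and honours -WhatIf). The file paths, the value name FlashGuard and the two .tmp.exe names come from the post; the function and parameter names are this example's own. It also checks autorun.inf alongside the autorun.ini the post names, since autorun.inf is the file name Windows actually honours for AutoRun.

```powershell
# Added example: detect (and optionally remove) the FlashGuard/DriveGuard indicators
# described in the post. Report-only unless -Remove is given. Run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch nothing is changed on the machine
)

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Kind, [string]$Where) {
    [void]$findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where })
}

# 1. Running process (the post's Task Manager -> End Process step)
foreach ($p in Get-Process -Name 'FlashGuard' -ErrorAction SilentlyContinue) {
    Add-Finding 'process' "$($p.Name) (PID $($p.Id)) $($p.Path)"
    if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. Dropped files under Program Files (paths from the post)
$candidates = @(
    (Join-Path $env:ProgramFiles 'FlashGuard\FlashGuard.exe'),
    (Join-Path $env:ProgramFiles 'FlashGuard\ReadMe.txt')
)

# 3. Copies in every profile's Temp folder (XP layout and Vista+ layout)
$profileRoots = @('C:\Documents and Settings', 'C:\Users') | Where-Object { Test-Path $_ }
foreach ($root in $profileRoots) {
    foreach ($prof in Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue) {
        foreach ($sub in 'Local Settings\Temp', 'AppData\Local\Temp') {
            $tmp = Join-Path $prof.FullName $sub
            if (-not (Test-Path $tmp)) { continue }
            # the post says to search for .tmp.exe: the two named files are certain,
            # any other *.tmp.exe is reported for review but never deleted
            foreach ($t in Get-ChildItem -Path $tmp -Filter '*.tmp.exe' -Force -ErrorAction SilentlyContinue) {
                $candidates += $t.FullName
            }
        }
    }
}

# 4. Removable drives (DriveType 2): the worm's copy plus the autorun file it drops
foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
    $candidates += (Join-Path $d.DeviceID 'System\Security\DriveGuard.exe')
    $candidates += (Join-Path $d.DeviceID 'autorun.ini')   # name as given in the post
    $candidates += (Join-Path $d.DeviceID 'autorun.inf')   # name Windows honours for AutoRun
}

foreach ($f in $candidates | Sort-Object -Unique) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    if ($f -match '\\autorun\.in[fi]$') {
        # an autorun file is only evidence of this worm if it points at the dropped binary
        $known = [bool](Select-String -LiteralPath $f -Pattern 'DriveGuard|FlashGuard' -Quiet)
    } else {
        $known = $f -match '\\(FlashGuard\.exe|ReadMe\.txt|DriveGuard(\.tmp)?\.exe|gHmpg\.tmp\.exe)$'
    }
    Add-Finding $(if ($known) { 'file' } else { 'file (review)' }) $f
    if ($Remove -and $known -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
        # the files are dropped hidden/system, so -Force is needed to delete them
        Remove-Item -LiteralPath $f -Force
    }
}

# 5. Startup entry under HKLM Run (the post's msconfig / regedit step)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$entry = Get-ItemProperty -Path $runKey -Name 'FlashGuard' -ErrorAction SilentlyContinue
if ($entry) {
    Add-Finding 'registry' "$runKey\FlashGuard = $($entry.FlashGuard)"
    if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\FlashGuard", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name 'FlashGuard'
    }
}

if ($findings.Count -eq 0) { 'No FlashGuard/DriveGuard indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it once without -Remove to see what it finds, then with -Remove -WhatIf to preview the deletions, and finally with -Remove. The order matters: the process is stopped before its files are deleted, and the Run value is removed last so a reboot in between cannot relaunch a binary that is still on disk.
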

FlashGuard.exe cleaned.
If you are new to removing viruses manually, this guide is also useful for other types of virus, especially the type that infects removable drives (pendrive/flashdrive/memory card). It also depends on how strong the virus is; some viruses replicate themselves under random/different file names, which makes them hard to find. As you can see, FlashGuard.exe replicates itself as DriveGuard.tmp.exe and gHmpg.tmp.exe.
4 comments:

maga said...

Hi!
Thanks for that help!
Do you know how I remove that virus from my iPod??
thanks!

Rishi Acharya said...

Does driveguard.exe harm the computer? It is from Microsoft.

LadingMerah said...

iPod memory works as a removable disk (such as a pendrive, flashdrive, etc.) ... so delete these files (usually they are hidden files, so you need to unhide system files first)

- %memory root%:\System\Security\DriveGuard.exe *
- %memory root%:\autorun.ini *

LadingMerah said...

driveguard.exe is self-duplicating malware and the level of threat is low