Friday, January 8, 2010

How do I get rid of Guard Pro virus? (Removal guide)

Guard Pro is a rogue anti-virus program (a fake antivirus scanner) that is promoted through the use of Trojans, bogus websites and various malicious software. It's typical scareware that scares users into thinking that their computers are infected when in reality the only real infection is Guard Pro itself. Most of the time, this misleading application comes from fake websites, but it may also be manually installed from its homepage, which is winguard-pro .com. Of course, you shouldn't visit this site. The graphical user interface of Guard Pro is shown in the image below:



Once installed, the rogue program runs a "smart" system scan and detects only one infection, called TrustWarrior (a rogue application too, by the way). This infection is supposedly removed by the rogue program, and Guard Pro then won't detect any infections or computer security threats during subsequent scans. As a matter of fact, Guard Pro is detected as Trojan.Qhosts (Trojan.Qhosts is a Trojan horse that modifies the TCP/IP settings to point to a different DNS server [information from Symantec]). This virus will attempt to create a file called "host_new" in the C:\Windows\System32\drivers\etc\ folder.



Now, how to remove Guard Pro? The easiest way is to use a legitimate anti-malware application such as SUPERAntiSpyware or Malwarebytes Anti-Malware. Don't forget to update these programs before scanning. Manual removal is also possible, but obviously it's more complicated. In some cases Guard Pro may block anti-malware/anti-virus programs, so you have to end its process first: VH339.exe, for example. The full list of items to remove:

Folders:
  • C:\Documents and Settings\All Users\Application Data\[RANDOM], for example 117fc
  • %UserProfile%\Application Data\Guard Pro
  • C:\Documents and Settings\All Users\Application Data\VHMELHOOOK

Files:
  • VH339.exe
  • VHOOK.ico
  • VHJJOOK.cfg
  • cookies.sqlite
  • mozcrt19.dll
  • sqlite3.dll
  • Guard Pro.lnk

Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\trial_ca8cf.DocHostUIHandler
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Guard Pro"
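The manual steps above (end the process, delete the folders and files, delete the registry keys and values, check for "host_new") can be turned into a repeatable audit. The script below is an added example written for this guide; it is not part of the original post and not from any vendor. It checks only the indicators listed on this page, reports what it finds, and deletes them only when run with -Remove from an elevated prompt. Because the [RANDOM] folder name cannot be known in advance, the script identifies it by looking for a folder under the common application-data directory that contains VH339.exe (an assumption about where the payload sits, based on the file list above). Folder locations are resolved through the environment so the same script works on both the XP-era "Documents and Settings" layout and newer ProgramData layouts.

```powershell
# Added example (not from the original post): audit a Windows host for the
# Guard Pro indicators listed above and optionally remove them.
# Run from an elevated PowerShell prompt. Without -Remove it only reports.
param([switch]$Remove)

$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
$userAppData   = [Environment]::GetFolderPath('ApplicationData')

$folders = @(
    (Join-Path $userAppData   'Guard Pro'),
    (Join-Path $commonAppData 'VHMELHOOOK')
)
# The [RANDOM] folder name is unknown in advance; find it by its payload
# (assumption: any folder under common app data holding VH339.exe).
$folders += Get-ChildItem -Path $commonAppData -Directory -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'VH339.exe') } |
    ForEach-Object { $_.FullName }

$fileNames = 'VH339.exe', 'VHOOK.ico', 'VHJJOOK.cfg', 'cookies.sqlite',
             'mozcrt19.dll', 'sqlite3.dll', 'Guard Pro.lnk'

# Keys deleted wholesale, and individual values deleted by name.
$regKeys = @(
    'HKCU:\Software\3',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}',
    'Registry::HKEY_CLASSES_ROOT\trial_ca8cf.DocHostUIHandler'
)
$regValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';  Name = 'RunInvalidSignatures' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';  Name = 'Guard Pro' }
)

# The Trojan.Qhosts side effect noted in the guide: a stray "host_new" beside hosts.
$hostsNew = Join-Path $env:SystemRoot 'System32\drivers\etc\host_new'

$findings = @()

# 1. Running process. Stop it first so its files are not locked during cleanup.
foreach ($p in Get-Process -Name 'VH339' -ErrorAction SilentlyContinue) {
    $findings += "process VH339.exe (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Folders, and the listed file names inside each one.
foreach ($dir in $folders) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $findings += "folder $dir"
    foreach ($name in $fileNames) {
        $f = Join-Path $dir $name
        if (Test-Path -LiteralPath $f) { $findings += "file $f" }
    }
    if ($Remove) { Remove-Item -LiteralPath $dir -Recurse -Force }
}

# 3. The host_new artefact in the hosts directory.
if (Test-Path -LiteralPath $hostsNew) {
    $findings += "file $hostsNew"
    if ($Remove) { Remove-Item -LiteralPath $hostsNew -Force }
}

# 4. Registry keys and values.
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += "registry key $k"
        if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}
foreach ($v in $regValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "registry value $($v.Path)\$($v.Name) = $($item.$($v.Name))"
        if ($Remove) { Remove-ItemProperty -Path $v.Path -Name $v.Name -Force }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Guard Pro indicators found.'
} else {
    $action = if ($Remove) { 'removed' } else { 'found (re-run with -Remove to delete)' }
    Write-Output "Guard Pro indicators ${action}:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it once without -Remove to confirm the report matches what you see on the machine, then again with -Remove. Stopping VH339.exe before touching the files is what keeps the folder deletion from failing on a locked executable, which is the same reason the guide says to end the process first. Even after a clean run, follow up with an updated scan from a legitimate anti-malware product, since this script only knows about the indicators listed here.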
