free virus removal tool for FlashGuard.exe's fix (Autorun.tz)

Written by Administrator
Thursday, 17 September 2009 19:21
This virus tries to impersonate a friendly application, one that claims to protect your removable drives from other pieces of malware.
It checks whether any of the following processes are running:
- alg.exe
- csrss.exe
- cssrs.exe
- cssrss.exe
- explore.exe
- expIorer.exe
- iexplorer.exe
- iexplore.exe
- lexplore.exe
- lsass.exe
- lssas.exe
- lssass.exe
- scshost.exe
- scvhost.exe
- scvhsot.exe
- smss.exe
- smsss.exe
- spoolss.exe
- spoolsv.exe
- spoolvs.exe
- ssms.exe
- sssms.exe
- ssvhost.exe
- svchost.exe
- svchsot.exe
- serivces.exe
- taskmgr.exe
- wilnogon.exe
- winl0g0n.exe
- winlgoon.exe
- winlogno.exe
- winlogon.exe
- wlnlogon.exe
and kills them unless their path is one of:
- <Program Files>\Internet Explorer\iexplore.exe
- <system>\svchost.exe
- <system>\lsass.exe
- <system>\csrss.exe
- <system>\alg.exe
- <system>\winlogon.exe
- <system>\smss.exe
- <system>\spoolsv.exe
- <system>\taskmgr.exe
Puts two files on every removable drive that is inserted:
- System\Security\DriveGuard.exe
- autorun.inf
The autorun.inf file contains the text:
    [autorun]
    open=System\Security\DriveGuard.exe -run
    shell\Open=&Open
    shell\Open\Command=System\Security\DriveGuard.exe -run
    shell\Explore=&Explore
    shell\Explore\Command=System\Security\DriveGuard.exe -run
Creates a folder named FlashGuard in the Program Files directory and copies FlashGuard.exe there.
Creates another folder "FlashGuard" in the root of the system drive and puts two files there:
- FlashGuard.exe
- ReadMe.txt, which contains: "This tiny software is used to protect removable storage devices from worms that are spread from one PC to another."
Registry keys created, so that it is launched automatically at Windows start-up:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - FlashGuard : "%windrive%\FlashGuard\FlashGuard.exe" -run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  - FlashGuard : "%windrive%\FlashGuard\FlashGuard.exe" -run
Because this virus runs automatically each time you open or explore a partition, it is preferable to download the patch and unpack it on the desktop, reboot the machine in Safe Mode and run the patch there, still in Safe Mode. Note, however, that restarting in Safe Mode is not an obligation.
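As an added example (not part of the original write-up or of the removal tool), a small Python check that parses an autorun.inf the way Windows reads the keys quoted above and flags commands launching the dropped DriveGuard.exe, plus a check for the FlashGuard Run-key persistence entry; the sample autorun.inf is the text quoted above and the function names are mine.

```python
# Indicators from the write-up: the dropped executable and the autorun.inf keys consulted on open/explore.
DROPPED_EXE = r"System\Security\DriveGuard.exe"
LAUNCH_KEYS = ("open", r"shell\open\command", r"shell\explore\command")

def parse_autorun(text):
    """Parse the [autorun] section of an autorun.inf into a key -> value dict (keys lower-cased)."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def program_of(command):
    """Return the program path of a '<path> [args]' command value, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]

def launched_executables(entries):
    """Programs the open/explore actions would run, with arguments such as '-run' dropped."""
    return [program_of(entries[k]) for k in LAUNCH_KEYS if entries.get(k)]

def is_flashguard_autorun(text):
    """True when the autorun.inf launches the DriveGuard.exe dropper described above."""
    return any(e.lower() == DROPPED_EXE.lower() for e in launched_executables(parse_autorun(text)))

def flashguard_run_entries(run_values):
    """Names of Run-key values (name -> command) matching the FlashGuard persistence entry."""
    return [name for name, cmd in run_values.items()
            if name.lower() == "flashguard" and r"\flashguard\flashguard.exe" in cmd.lower()]

# Constructed sample: the autorun.inf content quoted in the write-up.
SAMPLE_AUTORUN = """[autorun]
open=System\\Security\\DriveGuard.exe -run
shell\\Open=&Open
shell\\Open\\Command=System\\Security\\DriveGuard.exe -run
shell\\Explore=&Explore
shell\\Explore\\Command=System\\Security\\DriveGuard.exe -run
"""
```

To use it on a real machine, feed `is_flashguard_autorun` the contents of `<drive>:\autorun.inf` for each removable drive and `flashguard_run_entries` the name/value pairs read from the two Run keys listed above.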
