
FlashGuard.exe Remover

   
Information

This virus tries to impersonate a friendly application, one that wants to protect your removable drives from other pieces of malware.

This application detects whether any of the following processes are running:

  • alg.exe
  • csrss.exe
  • cssrs.exe
  • cssrss.exe
  • explore.exe
  • expIorer.exe
  • iexplorer.exe
  • iexplore.exe
  • lexplore.exe
  • lsass.exe
  • lssas.exe
  • lssass.exe
  • scshost.exe
  • scvhost.exe
  • scvhsot.exe
  • smss.exe
  • smsss.exe
  • spoolss.exe
  • spoolsv.exe
  • spoolvs.exe
  • ssms.exe
  • sssms.exe
  • ssvhost.exe
  • svchost.exe
  • svchsot.exe
  • serivces.exe
  • taskmgr.exe
  • wilnogon.exe
  • winl0g0n.exe
  • winlgoon.exe
  • winlogno.exe
  • winlogon.exe
  • wlnlogon.exe

It kills them unless they are one of the following:

  • <Program Files>\Internet Explorer\iexplore.exe
  • <system>\svchost.exe
  • <system>\lsass.exe
  • <system>\csrss.exe
  • <system>\alg.exe
  • <system>\winlogon.exe
  • <system>\smss.exe
  • <system>\spoolsv.exe
  • <system>\taskmgr.exe

It then renames the file with a ".bak" extension.

File

It places two files on every removable drive that is inserted:

  • System\Security\DriveGuard.exe
  • autorun.inf

The autorun.inf file contains the following text:
[autorun]
open=System\Security\DriveGuard.exe -run
shell\Open=&Open
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore=&Explore
shell\Explore\Command=System\Security\DriveGuard.exe -run
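
An added example, not part of the original page or of the patch it describes: a small Python audit that parses autorun.inf text, lists every entry that executes something, and flags those pointing at the System\Security\DriveGuard.exe path quoted above. The function names and the benign sample are assumptions made for illustration.

```python
# Added example (not from the original page): audit autorun.inf content for
# commands that launch the dropper path this write-up documents.
import re

# Indicator taken from the page; compared case-insensitively like Windows paths.
INDICATOR = r"system\security\driveguard.exe"

# Keys in [autorun] that cause something to execute.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def autorun_commands(text):
    """Return [(key, command)] for every executing entry in the [autorun] section."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # junk padding or another section
        key, value = (part.strip() for part in line.split("=", 1))
        if EXEC_KEY.match(key):
            found.append((key, value))
    return found


def flashguard_hits(text):
    """Keys whose command points at the documented DriveGuard.exe location."""
    return [key for key, cmd in autorun_commands(text)
            if cmd.strip('"').lower().replace("/", "\\").startswith(INDICATOR)]


# The autorun.inf content quoted on the page, plus a constructed benign file.
PAGE_SAMPLE = r"""[autorun]
open=System\Security\DriveGuard.exe -run
shell\Open=&Open
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore=&Explore
shell\Explore\Command=System\Security\DriveGuard.exe -run
"""
BENIGN_SAMPLE = "[autorun]\nicon=setup.ico\nlabel=Backup\n"  # constructed

if __name__ == "__main__":
    for key in flashguard_hits(PAGE_SAMPLE):
        print("suspicious autorun entry:", key)
```

The parser skips lines outside the [autorun] section and lines without "=", so padding inserted around the real entries does not hide them.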

Creates a folder named FlashGuard in the Program Files directory and copies FlashGuard.exe there.

Creates another folder, "FlashGuard", in the system's root and puts two files there:

  • FlashGuard.exe
  • ReadMe.txt, which contains: "This tiny software is used to protect removable storage devices from
    worms that are spread from one PC to another. "

 

Registry

Registry keys created:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
FlashGuard
"%windrive%\FlashGuard\FlashGuard.exe" -run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
FlashGuard
"%windrive%\FlashGuard\FlashGuard.exe" -run

These entries launch it automatically at Windows startup.

WARNING
This virus runs automatically each time you open or explore a partition. It is preferable to download the patch and unpack it on the desktop, reboot your machine in Safe Mode, and run the patch while still in Safe Mode.
Note, however, that restarting in Safe Mode is not mandatory.
COPYRIGHT (C) 2008 NET STUDIO, ALL RIGHT RESERVED