FlashGuard.exe/DriveGuard.exe Virus Removal Guide
This virus is also known as Win32.Worm.Autoit.AL (BitDefender). The worm tries to impersonate a friendly application, one that wants to protect your removable drives from other pieces of malware.
It also includes a readme file that reads:
“This tiny software is used to protect removable storage devices from
worms that are spread from one PC to another.”
If you follow the link above, this virus was discovered by BitDefender on 24th July 2008. I scanned using Avira Antivir Personal – Free Edition (updated) on 18 August 2008 & the scan finished without any virus detection. That is almost a month, and Avira still doesn’t recognize it as a virus. I read through the virus information on BitDefender (above link) & found a nice thing about the virus:
“this worm will remove all files from C:\heap41a that are related to other malicious programs it enables TaskManager if is disabled” – BitDefender
But at the same time it will download backdoor files..
You can locate the virus at c:\Program Files\FlashGuard\FlashGuard.exe only if you have already set Windows to show hidden files (How to Unhide Hidden Files Guide).
The malicious file copies itself to:
c:\Program Files\FlashGuard\FlashGuard.exe
c:\Program Files\FlashGuard\ReadMe.txt
c:\DocumentsandSettings\**UserProfile\LocalSettings\Temp\DriveGuard.tmp.exe
c:\DocumentsandSettings\**UserProfile\LocalSettings\Temp\gHmpg.tmp.exe
It creates folders on your pendrive & copies itself to:
f:\System\Security\DriveGuard.exe *
f:\autorun.ini *
* The [f:\] drive letter could vary depending on how Windows assigns/mounts your pendrive.
It creates a startup launcher (registry):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
To see these virus files you must set Windows to show hidden files – Guide
Removal Guide :
Press Ctrl+Alt+Del to open ‘Task Manager’, select FlashGuard.exe & click ‘End Process’
You can browse to the folder mentioned above or you can find it quickly by using the ‘Search’ feature (Start Menu>>Search). In the search box, type flashguard.exe or flashguard. Don’t hit the search button yet..
Scroll down & expand ‘More Advanced Options’. Check all the boxes as you see in the screenshot below & hit the ‘Search’ button..
Delete all the files found..
Also search for .tmp.exe & delete the DriveGuard.tmp.exe & gHmpg.tmp.exe files found..
The virus files can easily be recognized by their pendrive-like icon..
Your PC is now clean of the virus. Since the virus loads at startup, it left an entry in your registry. You can delete it in the registry, or you can go to Start Menu>>Run, type msconfig & click ‘Ok’.
Select the ‘Startup’ tab, then select & uncheck FlashGuard. Click ‘Apply’ to take effect..
Delete Registry Entry : Go to Start Menu>>Run, type regedit & click ‘Ok’
Browse to :
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
Select FlashGuard, right-click on it & delete..
FlashGuard.exe cleaned..
If you are new to removing viruses manually, this guide is also useful for other types of virus, especially the type that infects removable drives (pendrive/flashdrive/memory card). It also depends on how strong the virus is; some viruses replicate themselves under random/different file names (hard to find). As you can see, FlashGuard.exe replicates itself as DriveGuard.tmp.exe & gHmpg.tmp.exe.
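The manual steps above can also be run as one check. The following PowerShell script is an added example, not part of the original guide: it looks only for the files, process and Run entry named on this page and reports what it finds. The `-Remove` switch is a name introduced here, and the script assumes `$env:ProgramFiles` is c:\Program Files and `$env:TEMP` is the current user's Temp folder.

```powershell
# Added example: checks only the artifacts named in this guide.
param([switch]$Remove)   # hypothetical switch; without it the script only reports

$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'FlashGuard'

# Fixed-disk locations listed in the guide (assumption: $env:TEMP is the profile's Temp folder)
$paths = @(
    (Join-Path $env:ProgramFiles 'FlashGuard\FlashGuard.exe'),
    (Join-Path $env:ProgramFiles 'FlashGuard\ReadMe.txt'),
    (Join-Path $env:TEMP 'DriveGuard.tmp.exe'),
    (Join-Path $env:TEMP 'gHmpg.tmp.exe')
)

# Removable-drive locations: the drive letter varies, so check every mounted removable drive
$removable = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady }
foreach ($drive in $removable) {
    $paths += Join-Path $drive.Name 'System\Security\DriveGuard.exe'
    $paths += Join-Path $drive.Name 'autorun.ini'
}

# Test-Path sees hidden files, so Explorer's hidden-file setting does not matter here
$foundFiles = @($paths | Where-Object { Test-Path -LiteralPath $_ })
$process    = @(Get-Process -Name 'FlashGuard' -ErrorAction SilentlyContinue)
$runValue   = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue

# Report every finding before changing anything
$foundFiles | ForEach-Object { "FILE     $_" }
$process    | ForEach-Object { "PROCESS  $($_.Name) (PID $($_.Id))" }
if ($runValue) { "RUN KEY  $runKey\$runName = $($runValue.$runName)" }

if ($Remove) {
    # Same order as the manual steps: end the process, delete the files, remove the Run value
    $process | Stop-Process -Force
    $foundFiles | ForEach-Object { Remove-Item -LiteralPath $_ -Force }   # -Force handles hidden files
    if ($runValue) { Remove-ItemProperty -Path $runKey -Name $runName }
}
```

Run it once without `-Remove` and review the list first; removing the HKEY_LOCAL_MACHINE value requires an elevated (administrator) prompt.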