Once installed, the rogue program runs a smart system scan and detects only one infection, called TrustWarrior (which is itself a rogue application). The rogue program supposedly removes this infection, and after that Guard Pro won't detect any infections or computer security threats during subsequent scans. As a matter of fact, Guard Pro is detected as Trojan.Qhosts (Trojan.Qhosts is a Trojan horse that will modify the TCP/IP settings to point to a different DNS server [Information from Symantec]). This virus will attempt to create a file called "host_new" in the C:\Windows\System32\drivers\etc\ folder.
Now, how do you remove Guard Pro? The easiest way is to use a legitimate anti-malware application such as SUPERAntiSpyware or Malwarebytes Anti-Malware. Don't forget to update these programs before scanning. Manual removal is also possible, but obviously it's more complicated. In some cases Guard Pro may block anti-malware and antivirus programs, so you have to end its process first: VH339.exe, for example. The full list of items to remove:
Folders:
- C:\Documents and Settings\All Users\Application Data\[RANDOM], for example 117fc
- %UserProfile%\Application Data\Guard Pro
- C:\Documents and Settings\All Users\Application Data\VHMELHOOOK
Files:
- VH339.exe
- VHOOK.ico
- VHJJOOK.cfg
- cookies.sqlite
- mozcrt19.dll
- sqlite3.dll
- Guard Pro.lnk
Registry values:
- HKEY_CURRENT_USER\Software\3
- HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
- HKEY_CLASSES_ROOT\trial_ca8cf.DocHostUIHandler
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Guard Pro"
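A read-only way to check which of the items listed above are present, as an added example (not part of the original post). The function name is hypothetical, and it assumes PowerShell is available and that the listed files sit under the two Application Data folders, which the post does not state.

```powershell
# Read-only check: reports Guard Pro artifacts from the list above, deletes nothing.
function Find-GuardProArtifacts {
    $allUsers = 'C:\Documents and Settings\All Users\Application Data'
    $found = @()

    # Folders and the host_new file named in the post.
    $paths = "$env:USERPROFILE\Application Data\Guard Pro", "$allUsers\VHMELHOOOK",
        'C:\Windows\System32\drivers\etc\host_new'
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $found += "path: $p" }
    }

    # The [RANDOM] folder name is unknown, so search by file name instead.
    # Assumption: the files live under one of these two roots.
    # cookies.sqlite, mozcrt19.dll and sqlite3.dll are skipped here because
    # legitimate software ships files with the same names.
    $names = 'VH339.exe', 'VHOOK.ico', 'VHJJOOK.cfg', 'Guard Pro.lnk'
    foreach ($root in $allUsers, "$env:USERPROFILE\Application Data") {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($f in (Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)) {
            if (-not $f.PSIsContainer -and $names -contains $f.Name) { $found += "file: $($f.FullName)" }
        }
    }

    # Registry keys from the list.
    $keys = 'Registry::HKEY_CURRENT_USER\Software\3',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}',
        'Registry::HKEY_CLASSES_ROOT\trial_ca8cf.DocHostUIHandler'
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $found += "key: $k" }
    }

    # Named values; the data is printed so RunInvalidSignatures can be compared with "1".
    $values = @(
        @{ Key = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures' },
        @{ Key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Guard Pro' }
    )
    foreach ($v in $values) {
        $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($item) { $found += "value: $($v.Key) '$($v.Name)' = $($item.($v.Name))" }
    }
    $found
}

Find-GuardProArtifacts
```

An empty result means none of the checked items were found for the current user; run it again after removal to confirm the Run entry and folders are gone.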