I have fallen victim to the Guard Online virus - it's of the fake alert variety, where there is a big pop-up with all this doom and gloom about how my computer is infected and that I need to purchase some scan thing. Obviously I'm a little annoyed (really annoyed actually) in that I have the McAfee AT&T Internet Security Suite. It is now disabled as part of the virus; I can turn it on in safe mode but it does not detect anything.
The next thing I did was download the fake scan stinger. I was able to get it to work but it detects nothing.
I then used a few other freeware scans; they all detected stuff and removed it, but the virus remains.
Does anyone have any clues on how to get rid of this virus? I'm using my work computer right now, and need my personal to do school work and what not. Thanks
Here is the full removal guide from Bleeping Computer. Basically you will need to download RKill and Malwarebytes. Here is the link:
http://www.bleepingcomputer.com/virus-removal/remove-av-guard-online
First run RKill, then Malwarebytes. Read the instructions first. Good luck.
Message was edited by: newjack on 10/8/11 2:23:18 PM EDT
I suppose you've got the newest version of this scareware, called "Guard Online", and not the previous one, "AV Guard Online". Anyway, Bleepingcomputer's guide should work just fine. They are almost identical except for the GUI. The new one looks like an iPad. In short, click to register the rogue and enter this code: 9992665263. It's a kill code. Then run any removal tool you like. Please note that this rogue drops a TDL4 rootkit. You should remove it too; otherwise the rogue may return.
Message was edited by: techrumy on 10/8/11 1:44:04 PM CDT
Message was edited by: techrumy on 10/8/11 1:47:34 PM CDT
According to a malware expert from another forum, AV Guard is a renamed variant of Open Cloud Security. The screenshot of this fake AV looks very similar to both of those, so it's probably related - another variant. If that's the case, this thread should be in Top Threats along with the OCS discussions, so I'm moving it there.
@techrumy: confirmed. This is from the same family of malware as Open Cloud Security and is associated with the ZeroAccess rootkit, which is the subject of discussions in other threads.
There is a description of this malware and a removal guide (with the proviso that if a rootkit is also installed the fix will not work) at BleepingComputer HERE.
The relevant part of the description follows -
Some installations of the Rogue.WinAVPro family may be bundling the ZeroAccess rootkit along with the rogue. This rootkit will terminate any process that scans one of the items it is protecting in the Windows Registry or the file system. It will then change the permissions on that program so that when you attempt to run it again you will receive an access denied message. If you are infected with this Rootkit, then the following guide will not be able to remove the infection unless you first remove the rootkit. You can attempt to remove the rootkit using TDSSKiller ...
Hi, I'm new here... Looks like everyone is giving great advice on removing Guard Online. I work for a local virus removal company and I usually use MBAM to remove most infections (that's the recommended software on bleepingcomputer).
However, Guard Online is very similar to the Open Cloud virus and the AV Guard virus, and just like with those infections, every now and then we find that Malwarebytes will not work to remove it.
If that is the case for anyone reading this who has already tried MBAM and it did not work, this is what we have been following in those instances. This site has a pretty good alternative to remove the Guard Online virus when MBAM doesn't work: http://www.ihowtoremove.com/guard-online-virus/
Also, I have not had to use RKill once when removing Guard Online in safe mode. I know the instructions on bleep say to use it, but you can easily skip that step as the virus is pretty nonexistent in safe mode.
Hope it helps!
Actually, from what I read in the removal guide, they say there is a good possibility of a rootkit or other malware being installed. I would go through the entire guide, and after removal you may still want to start a post at Bleeping Computer or one of the others listed here at the bottom. Post at the links below HijackThis to play it safe.
Message was edited by: newjack on 10/9/11 3:26:04 PM EDT
New name: Cloud Protection. Everything else just stays the same. Sample submitted to McAfee. Cheers!
Message was edited by: techrumy on 10/10/11 3:57:13 PM CDT