Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Chapter 9: Scareware -- fake antivirus programs, data recovery utilities and like

Dr Guard

News

Recommended Links Spyware Spyware fighting strategy XP Antivirus 2012 Dr Guard

[Feb 28, 2010] Remove Dr. Guard (Uninstall Guide)

Another Rogue Antivirus that uses internal proxy of port 5555 to control internet access. Install a couple of drivers (names vary, you need to compare with baseline to detect (actually names are random and can be detected as such). Put initial "bootstrap" executable into %UserProfile%\Application Data subfolder with a random name. Windows Defender actually registers the moment of infection but does not prevent it with default settings. Probably contain root kit or shell-hooks or something of this nature as computer stops responding and sometimes crashes often even after the deletion of those three components (I have found two drivers in system32/drivers folder and executable in %UserProfile%\Application Data folder that is referenced in one of the keys in CurrentVersion/Run). Check using See Remove Dr. Guard (Uninstall Guide). Again the main lesson is to have an image of C-drive and remember what data to copy from the current drive to bootable USB drive (you need to put the drive into USB enclose and boot from USB drive is image first) to the restored image. Disinfection involved too much troubles: it is not an easy task to try to outsmart those extortionists...

What this programs does:

Dr. Guard is a rogue anti-spyware program from the same family as Paladin Antivirus. This rogue is promoted and installed through the use of fake alert Trojans that advertise the program on your desktop. This rogue is also known to be bundled with the TDSS, or TDL3, rootkit. As MBAM is not capable of removing this rootkit, you may need to request further assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum to remove all of the malware on your computer.

Once downloaded and installed, Dr. Guard will attempt to uninstall various security applications in order to protect itself from being removed. The anti-malware programs that it tries to uninstall include:

The program will then load and start to scan your computer for infections. Once the scan is finished it will state that there are numerous infections on your computer, but will not allow you to remove them until you purchase the program. In reality, the infections that it shows are all fake and do not actually exist on your computer. Therefore, please do not purchase this program based upon any of the scan results it shows.

Dr. Guard screen shot
For more screen shots of this infection click on the image above.
There are a total of 8 images you can view.

Dr. Guard also employs numerous methods where it tries to trick you into thinking you are infected. The first method is the display of a Window that impersonates the legitimate Windows Security Center. The difference is that this fake version suggests you purchase Dr. Guard to protect yourself. While the program is running you will also see a constant display of fake security alerts and warnings appear on your desktop and Windows taskbar. These alerts contain dire messages stating that your computer is under attack, all of your data is being deleted, or that personal information is being sent to a remote location. Some examples of the alerts you may see include:

ANTIVIRUS IS RUN IN DEMO MODE. ACTIVATE YOUR ANTIVIRUS OTHERWISE ALL THE DATA WILL BE LOST OR DAMAGED!

DANGEROUS! ANTIVIRUS DETECTED SOME HARMFUL PROGRAMS ON YOUR PC! THEY MAY CORRUPT YOUR INFORMATION OR SEND IT TO HACKERS.
PLEASE, OPTIMIZE YOUR PC. IT RUN ONLY 10%.
NEED HELP? PLEASE, CONTACT DR. GUARD CUSTOMER SUPPORT SERVICE.

Windows Firewall has detected unauthorized activity, but unfortunately it cannot help
you to remove viruses, keyloggers and other spyware threats that steal your personal
information from your computer

System files of your computer are damaged. Please, restart your system ASAP.
There are some serious security threats detected on your computer. Please, remove them ASAP.

There are some serious security threats detected on your computer: viruses, trojans, keyloggers, exploits etc.
Your computer and all your personal data are in serious danger.
Protection: Click the balloon to install antivirus software.

Defenseless OS: Windows 2000/XP/Vista
Description: Spyware. Blocks access to computer. Attacks porn sites visitors.
Protection: Click the balloon to install antivirus software.

Just like the fake scan results, these fake alerts are just another tactic where Dr. Guard is trying to convince you that you have a security problem on your computer.

As you can see, Dr. Guard was created to trick you into thinking you are infected so that you will then purchase the program. It goes without saying that you should definitely not purchase this program, and if you already have, please contact your credit card company to dispute the charges. To remove this infection and any related malware, please use the removal guide below.

Threat Classification:

Advanced information:

View Dr. Guard files.
View Dr. Guard Registry Information.

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dr. Guard
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Dr. Guard"
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"

Entries for this program found in the Add or Remove Programs control panel:

Dr. Guard

Tools Needed for this fix:

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [asr64_ldm.exe] %Temp%\asr64_ldm.exe
O4 - HKCU\..\Run: [Dr. Guard] "C:\Program Files\Dr. Guard\drguard.exe" -noscan

Guide Updates:

02/19/10 - Initial guide creation.



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May 08, 2017