trojan worm

What is WinFlashGuard.exe?

WinFlashGuard.exe is an EMail worm/trojan which was first seen on Oct 31st 2008 in Spain and India. Later on this worm has duplicated under different names and has somehow missed the watchful eyes of most of the anti-virus and anti-spyware software.

In my company given laptop, I am using CA eTrust antivirus which failed to detect this trojan. I had to open the Task Manager and analyze each and every process to know the culprit.


WINFLASHGUARD.EXE has been seen to perform the following behavior:

* The Process is packed and/or encrypted using a software packing process
* Executes a Process
* This process creates other processes on disk
* Executes Processes stored in Temporary Folders
* This Process Deletes Other Processes From Disk
* Modifies System Runtime Policies to limit system usability
* Writes to another Process’s Virtual Memory (Process Hijacking)

Ironically, it identifies itself as a Worm Protection Tool in the task manager process description!! It creates a folder ‘WinFlashGuard‘ under C:/Program Files. It also adds itself to Startup processes. More often than not it gets transferred through the pen drive / flash drive.

WINFLASHGUARD.EXE can also use the following file names:

* 80561806.SVD
* 90694831.SVD
* 99288998.SVD
* FLASHGUARD.EXE

Since it runs in the background, it is very tough to know if you are infected. You have to manually check for the process in Task Manager.

How to Fix WinFlashGuard worm?

At this point of time, I could not find a free fix for this. Prevx CSI provides a fix but that comes at a premium price. Anyway, I figured out a simple workaround to remove it –

1. Go to Task Manager and click on Processes Tab.
2. Look for WinFlashGuard.exe process, right click on it and click on End Process button.
3. Go to C:/Program Files/WinFlashGuard folder and delete the whole directory. No need to worry about uninstalling.
4. Go to Start –> Run and type regedit and press Ok. A new window opens called Registry Editor.
5. Click on Edittab and then Find. Search for flashguard
6. Right click on the registry strings found and click on Delete.

If you have used a flash drive, format it if you can. Else look for System folder and delete it completely.

Consider this as a temporary fix until all major Security software recognize this worm.

 
Founder-Editor

Raju is the founder-editor of Technology Personalized. A proud geek and an Internet freak, who is also a social networking enthusiast. You can follow him on Facebook and on Twitter. Mail Raju PP. Follow rajupp

 
 
  • http://www.stratos.me stratosg

    a good antivirus would have caught that. so i guess the second move would be to get one :) nice guide!

  • http://computersservicing.blogspot.com/2008/07/how-to-remove-antivirus2008-step-by.html venkat

    @raju your troubleshooting guide is very valuable to users affected with WinflashGuard ,you forget to add one step to your post that is once flashguard is deleted from registry ,the system should be restarted to make the changes work .For trojans and malware removal we can use malwarebytes antimalware it’s freeware and very effective.