Wednesday, July 9, 2014

How to remove Smart Guard Protection

Smart Guard Protect (Fake Antivirus)

Performing a bogus scan.


After the scan it shows the threats found.


If you click Repair All, it will show this screen.


After clicking Buy Full Edition you get this. At this stage, don't get scared and never spend a dime on it.




While it is active, if you try to launch, for example, taskman, you'll get this warning screen. With the exception of explorer, mspaint and cmd, anything else you run triggers the warning.



Analysis

Values added

HKU\S-1-5-21-746137067-1078145449-682003330-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce\AS2014: "C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.exe"

Files Added

C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.exe
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.exe.manifest
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.ico
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33aQDsaggg.in
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33aQDsaggg.lg


Folder added

C:\Documents and Settings\All Users\Application Data\d9ngVr33


Virustotal Scan

Removal

Since CMD is not disabled, we will be using it to kill the Fake AV's process. Launch CMD and run the following commands:

TASKLIST

Take note of the randomly named executable on the list (snUa339g.exe in this run; the name differs per infection, it was d9ngVr33.exe in the analysis above).

TASKKILL /F /IM snUa339g.exe





We can use explorer and regedit to remove Smart Guard Protection.

Launch regedit.  Navigate to 

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

and take note of the path of snUa339g.exe stored in the entry (AS2014 in the analysis above), then delete the entry.


Launch explorer, navigate to the folder containing snUa339g.exe and delete the whole folder.





Run an updated MBAM (Malwarebytes Anti-Malware) to finish the cleaning process.
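
As an added example (not part of the original post), the same removal steps in script form for cmd.exe, which the fake AV leaves usable: it lists the current user's RunOnce values whose data points under the All Users profile (%ALLUSERSPROFILE%, which is C:\Documents and Settings\All Users on XP) and, only when run with /remove, kills the process, deletes the value and removes the folder. The /remove switch, the variable names and the prefix check are assumptions of this example, not findings from the analysis.

```batch
@echo off
REM Added example, not from the original post: audit the current user's RunOnce
REM key for values that launch an executable from under the All Users profile,
REM which is where this sample dropped d9ngVr33\d9ngVr33.exe. Runs inside
REM cmd.exe, which the fake AV leaves usable. Report only; pass /remove to act.
setlocal EnableDelayedExpansion

set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
REM XP: C:\Documents and Settings\All Users   Vista and later: C:\ProgramData
set "ALLUSERS=%ALLUSERSPROFILE%"
set "ACTION=%~1"

REM Each value line printed by reg query looks like:  <name>  REG_SZ  <data>
REM (value names containing spaces are not handled by this simple split)
for /f "tokens=1,2,*" %%A in ('reg query "%KEY%" 2^>nul ^| findstr /i "REG_SZ REG_EXPAND_SZ"') do (
    set "NAME=%%A"
    set "DATA=%%C"
    REM Strip quotes so the path can be compared and passed to other tools.
    set "EXE=!DATA:"=!"
    REM If removing the All Users prefix changes the string, the path is under it.
    set "REST=!EXE:%ALLUSERS%=!"
    if /i not "!REST!"=="!EXE!" (
        for %%F in ("!EXE!") do (
            set "DIR=%%~dpF"
            set "IMAGE=%%~nxF"
        )
        echo Suspicious RunOnce value: !NAME! -^> !EXE!
        if /i "!ACTION!"=="/remove" (
            REM Same order as the manual steps: kill, delete value, delete folder.
            taskkill /F /IM "!IMAGE!" >nul 2>&1
            reg delete "%KEY%" /v "!NAME!" /f >nul
            if exist "!DIR!" rd /s /q "!DIR!"
            echo Removed !NAME! and !DIR!
        )
    )
)
endlocal
```

Run it once without arguments to confirm only the fake AV's entry is reported before running it with /remove, since it will delete any RunOnce target under that profile folder.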


Note:  This is just a quick analysis.  I'll update in case there are other registry keys that I've missed.
