Contributed by: Daniel Stoyanov
Date: March 10, 2010

The Anatomy of Windows Guardian 2010

 

Windows Guardian 2010 is one of the fake antivirus programs currently flooding the Internet. This malicious program pretends to be a legitimate antispyware application and can easily trick you into installing it. If you are trusting enough, you are the next victim of Windows Guardian 2010, so be careful!

The usual symptoms that your system is infected with this trojan are:
- your machine becomes slow and unstable;
- programs that you normally use without any problems suddenly crash;
- your firewall is suddenly disabled;
- the most obvious symptom of Windows Guardian 2010 is the flood of annoying pop-ups and screens informing you that your PC is infected.

Image 1. Windows Guardian 2010 fake scan results (screenshot not reproduced here)

All of these fake alerts and warnings are designed to push you into buying the full version of Windows Guardian 2010 immediately in order to "disinfect" the threats. Don't be tricked. Even if you pay to remove the fake viruses, the rogue will keep scamming you for money: it will display slightly modified alerts inviting you to get extended protection or to buy additional features.

When this trojan installs, the following files are created:

File name     File size   MD5 hash
av.exe        unknown     unknown
WRblt8464P    unknown     unknown

Table 1. Windows Guardian 2010 file names

Like most other rogue programs, Windows Guardian 2010 hides itself in the Windows registry. It is hard (and usually unsafe) for the average user to navigate the registry and edit or remove keys, so manual disinfection of the trojan is not an easy task. After Windows Guardian 2010 installs, the following registry keys and values are created or set:

Registry path                                                                                    Value name          Data
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command                                       (Default)           "av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command                                    (Default)           "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command                                                        (Default)           "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command                                                     (Default)           "av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command             (Default)           "av.exe" /START "firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command         (Default)           "av.exe" /START "firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command            (Default)           "av.exe" /START "iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center                                            AntiVirusOverride   1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center                                            FirewallOverride    1

Table 2. Registry keys and values created after the installation of Windows Guardian 2010

If you really want to remove the trojan manually, keep in mind that you must first stop the running Windows Guardian 2010 process (usually av.exe), then delete the trojan files from your hard disk, and finally edit (not delete) the affected registry keys. The order matters: while av.exe is registered as the .exe shell command, every program you launch is routed through the rogue first, so its process has to go before anything else. The .exe association and the browser command keys are legitimate Windows keys, which is why you restore their original data rather than removing them; the Security Center override values should be set back to 0 so that Windows warns you again when antivirus or the firewall is off.
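The detection and cleanup steps above, as an added worked example that is not part of the original article: a Python script that audits an exported registry file (.reg text, as produced by `reg export`) offline for the indicators listed in Table 2 and builds a remediation .reg that edits the hijacked commands back into shape (`"%1" %*` for the .exe association, the unwrapped command for the StartMenuInternet keys), sets the Security Center overrides to 0, and deletes the secfile ProgID that the rogue created. The export embedded in the script is constructed for the demonstration, and the parser decodes only the string and dword value types these indicators use.

```python
import re

# Constructed .reg export: the indicators from Table 2 plus one clean key as a control.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"av.exe\" /START \"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"av.exe\" /START \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"av.exe\" /START \"firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"av.exe\" /START \"firefox.exe\" -safe-mode"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_CURRENT_USER\Software\Classes\.txt\shell\open\command]
@="\"C:\\Windows\\notepad.exe\" \"%1\""
'''

ROGUE_BINARY = "av.exe"
OVERRIDE_VALUES = ("AntiVirusOverride", "FirewallOverride")
# The rogue wraps the real command as:  "av.exe" /START <original command>
WRAPPER = re.compile(r'^"[^"]*av\.exe"\s+/START\s+', re.IGNORECASE)
# A .reg value line: @=... for the default value, "Name"=... otherwise.
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    # Undo .reg escaping: a backslash protects the next character.
    return re.sub(r"\\(.)", r"\1", s)


def escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value is named '@'.
    Only REG_SZ ("...") and REG_DWORD (dword:...) are decoded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
    return keys


def find_indicators(keys):
    """(key, value_name, data) for every shell command routed through av.exe
    and every Security Center override that is switched on."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            if k.endswith("\\command") and isinstance(data, str) and ROGUE_BINARY in data.lower():
                hits.append((key, name, data))
            elif k.endswith("\\security center") and name in OVERRIDE_VALUES and data == 1:
                hits.append((key, name, data))
    return hits


def remediate(keys):
    """Edit, don't delete: strip the av.exe wrapper from hijacked commands and
    zero the overrides. The secfile ProgID exists only because the rogue
    created it, so that key tree is the one thing removed outright."""
    fixed, deleted = {}, []
    for key, name, data in find_indicators(keys):
        k = key.lower()
        if "\\secfile\\" in k:
            root = key[: k.index("\\secfile") + len("\\secfile")]
            if root not in deleted:
                deleted.append(root)
        elif name in OVERRIDE_VALUES:
            fixed.setdefault(key, {})[name] = 0
        else:
            fixed.setdefault(key, {})[name] = WRAPPER.sub("", data)
    return fixed, deleted


def to_reg(fixed, deleted):
    """Render the remediation as a .reg file ([-key] deletes a key tree)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    out += [f"[-{key}]\n" for key in deleted]
    for key, values in fixed.items():
        out.append(f"[{key}]")
        for name, data in values.items():
            lhs = "@" if name == "@" else f'"{escape(name)}"'
            rhs = f"dword:{data:08x}" if isinstance(data, int) else f'"{escape(data)}"'
            out.append(f"{lhs}={rhs}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    for key, name, data in find_indicators(parsed):
        print(f"HIT  {key}  {name} = {data!r}")
    print(to_reg(*remediate(parsed)))
```

Export the affected hives from the infected machine (`reg export HKCU\Software\Classes hkcu.reg`, plus the two HKEY_LOCAL_MACHINE paths from Table 2), run the script over the concatenated text, review the generated file, and import it with regedit only after av.exe has been stopped. HKEY_CURRENT_USER\Software\Classes takes precedence over HKEY_LOCAL_MACHINE\Software\Classes in the merged HKEY_CLASSES_ROOT view, so the hijack must be removed from both hives for the fix to take effect. For the StartMenuInternet keys the script only strips the `"av.exe" /START` wrapper; compare the result against a clean machine, where that value normally holds the browser's full path.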
