Removal Tool? No.

A little-detected “tool” is downloading and executing bots. A version of “driveguard.exe”, which promises to clean infections from your system and keep it clean, is worming its way onto machines and downloading strains of Poison Ivy as “WinSecSys.exe”, a bot capable of stealing screenshots, capturing keystrokes, spreading to other machines, etc. We wrote about these “RAT” tools and the characters behind them in previous posts; some of those characters have now been sentenced to prison terms. TF detects it as a worm.


3 Responses to Removal Tool? No.

  1. HosurOnline.Com says:

    DriveGuard.exe is a virus – Trojan – spyware and it's spread by micro-soft.tripod.com. This Trojan reaches your computer from an unknown source, even if you run any anti-virus, say Kaspersky or McAfee (Internet security suite).

    This Trojan generates a file called “verupdate.tmp” in the temp folder of the computer and it runs as a system process collecting data along with the main file driveguard.exe.

    After collecting data it generates a jpg file in the internet temp folder and connects to the said tripod site as a process of IE and executes a CGI file at micro-soft.tripod.com. Even though the file has a jpg extension, it's not a picture file but an exe file.

    To remove this, go to task manager, stop the running services of this Trojan and then delete it from the program files folder.

    It labels itself as windriveguard.exe in the latest variants.

  2. kannadi says:


    Thanks for the information.
    But does it solve the problem?
    I have serious doubt about that.
    Because I had deleted the file from Program Files few days back. But I see some serious problem with my machine.
    When I use any Internet connection in India with a Public IP, any trace route show the first hop at an Australian IP!

    See a sample here:

    Tracing route to http://www.yahoo-ht3.akadns.net []
    over a maximum of 30 hops:

    1 412 ms 224 ms 239 ms
    2 218 ms 239 ms 219 ms
    3 218 ms 239 ms 319 ms
    4 * * * Request timed out.
    5 * * * Request timed out.
    6 * * * Request timed out.
    7 * * * Request timed out.
    8 * * * Request timed out.
    9 * * * Request timed out.
    10 * * * Request timed out.
    11 * * * Request timed out.
    12 * * * Request timed out.
    13 591 ms 539 ms 459 ms f1.us.www.vip.ird.yahoo.com []

    Why is it so?

    I wonder why no Anti Virus company has come up with a solution for this.

    Another very serious observation:

    I have noticed the presence of this software (Macrosoft Corporation’s DriveGuard.exe) soon after a Windows Update!!!

    Is there something very fishy?

  3. kannadi says:

    Latest Update on “Macrosoft Corporation’s DriveGuard.exe”

    Earlier today, I had submitted a sample of this file to
    McAfee’s Virus Sample Upload Site.
    McAfee has communicated to me, saying this is a new detection named “w32/autorun.worm.c”.
    Their current release of DAT v5327 does not have detection or cure for this file.
    They promise a future release of the DAT file will cover this virus too.

    But they have sent me an EXTRA.DAT which in turn started detection and deletion of this menace.
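
The first comment's point that a file with a jpg extension can really be an exe is something to check by content rather than by name. The sketch below is an added example, not code from the post or its commenters: it flags files with image extensions whose bytes carry a PE executable header. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import os
import struct
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}  # assumed list

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(64)                      # size of the DOS header
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"

def find_disguised_executables(root):
    """Return paths under root that are named like images but contain a PE file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            try:
                if is_pe(full):
                    hits.append(full)
            except OSError:                    # locked or unreadable file
                continue
    return sorted(hits)

def build_sample_dir():
    """Constructed sample data: a minimal PE stub and harmless look-alikes."""
    root = tempfile.mkdtemp()
    pe = bytearray(0x84)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)     # e_lfanew -> offset 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 100,  # JPEG magic bytes
        "cache.jpg": bytes(pe),                # executable behind .jpg
        "mz_text.jpg": b"MZ" + b"A" * 10,      # starts with MZ, not a PE
        "tool.exe": bytes(pe),                 # honest extension, not reported
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for path in find_disguised_executables(build_sample_dir()):
        print("PE content behind image extension:", path)
```

Pointing `find_disguised_executables` at a browser cache or temp directory gives a quick triage list; a hit means the content and the name disagree, not that the file is necessarily malicious.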
