I was recently asked by a client to look at a laptop infected with some form of virus. This isn’t my core business but I was willing to assess the situation and let him know if he needed more help than I could provide.
How do I know I have Additional Guard on my computer?
The infection became evident when warnings began to pop up on the screen reporting infections and attacks. (This raised the alarm with the owner because she didn’t have any anti-virus software (?!?) on the computer.)
When I first looked at the screen there were a number of warnings displayed with plenty of exclamation marks and red writing. It looked like the real thing and if I clicked on cancel I received a dialog box asking me if I was sure I wanted to continue without protection.
Will my antivirus software remove Additional Guard?
I thought I would try running Trend Micro’s Housecall. This is a free online scan which I have used in the past with great results. It has found and repaired infections missed by McAfee and Norton AV. But this time it didn’t work.
Why? Because Additional Guard was stopping it from downloading and installing properly. It has been reported that Additional Guard will also disable existing antivirus software.
Is there a tool to remove Additional Guard?
I ran a Google search for “Remove Additional Guard” but all I found were unknown sites asking me to download removal tools. I had tried to download from Trend Micro but it didn’t work. Also I was reluctant to download any more potentially unsafe software anyway.
This left me with a choice: tell my client to buy a new computer or remove the software manually.
How to remove Additional Guard manually?
First thing to do was find the offending files. I had a look in the Program Files folder and found a folder created only 24 hours earlier, just about when the PC started playing up. The folder was named Psecurity and contained a program file, Psecurity.exe, and an icon file. I deleted both files and the folder. Holding shift while pressing the delete key permanently removes them from the computer.
I knew this was only part of the problem, because the warnings kept flashing up on the screen.
Editing the Registry
Before you do anything else you must understand that editing the registry incorrectly can render your computer inoperable. If you are at all unsure about the process outlined below I recommend you take your computer to a professional.
I knew a registry entry would lead me to the suspect files so I typed ‘regedit’ at the run command and opened the registry editor.
Searching for the word ‘guardian’ found one entry in the Registry. The entry was found in ApprovedApplications and referenced a folder with an obscure name in “Documents and Settings\All Users\Application Data\”.
Navigating to this folder I found a number of suspect files, all created at the same time as the Psecurity files I deleted earlier. I was able to delete all but one of the files.
The one I couldn’t delete I was able to rename by changing the extension from .exe.
I restarted the computer and Additional Guard was no longer running. I went to the folder with the renamed file and I was now able to delete it permanently.
The last thing to do was delete the registry entry. It bears repeating – DON’T EDIT THE REGISTRY UNLESS YOU ARE SURE OF WHAT YOU ARE DOING.
I restarted the computer again and Additional Guard was gone.
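The search above relied on matching creation times: the Psecurity folder and the files under Application Data were all created together. The PowerShell script below is an added example, not part of the original write-up, that automates that read-only sweep. It assumes you pass in the creation time of the folder you have already identified; the check of the standard Run keys is also an assumption, since the entry described above sat under a different key.

```powershell
# Added example: read-only triage. It lists items and deletes nothing.
param(
    # Creation time of the folder already identified as malicious.
    [Parameter(Mandatory = $true)][datetime]$Reference,
    # Minutes either side of $Reference treated as "created at the same time".
    [int]$WindowMinutes = 60,
    # Places to sweep: Program Files, the XP-era path named above, and its
    # equivalent on later Windows versions (entries that do not exist are skipped).
    [string[]]$SearchRoots = @(
        $env:ProgramFiles,
        (Join-Path $env:ALLUSERSPROFILE 'Application Data'),
        $env:ProgramData
    )
)

$from = $Reference.AddMinutes(-$WindowMinutes)
$to   = $Reference.AddMinutes($WindowMinutes)
$roots = $SearchRoots |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

# Files and folders (hidden ones included) created inside the window.
$hits = @(foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $to }
})
$hits | Sort-Object CreationTime |
    Select-Object CreationTime, FullName | Format-Table -AutoSize

# Assumption: look in the standard autostart (Run) keys for commands that
# point at any of the hits. Values are only reported, never changed.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $command = [string]$p.Value
        foreach ($hit in $hits) {
            if ($command.IndexOf($hit.FullName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                Write-Warning "$key : '$($p.Name)' starts $command"
                break
            }
        }
    }
}
```

Creation times can be altered by malware, so an empty result does not prove the machine is clean; review each listed path before removing anything.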
How do I know I have Additional Guard on my computer?
Several of the signs I found have been reported by others also.
You may see all or none of the signs listed:
Popup windows warning of infection.
Popup notifications from the system tray warning of an attack with a bogus IP address.
Your Google homepage is set to Google.nl (Netherlands).
You can’t download software from the internet.
Internet Explorer displays warning signs when you navigate to certain sites. The window has a grey background and warns you that the site is potentially risky. This most likely happens when you try to visit an antivirus site.
Your Task Manager is disabled.
I am not sure if I have completely removed Additional Guard, only time will tell. I also don’t know how the software got onto the computer but it was most likely from a sharing site. If this works for you, that’s great. But if you try all this and it still won’t go away, you may have to try one of the malware removal tools.
