Additional Guard is a rogue antispyware program. It is a clone of Windows Additional Guard, which is also a fake antivirus program. Both programs are from the VirusDoctor family of scareware. It is distributed through malicious web sites that are disguised as online antispyware scanners. The fake scanner will state that your computer is infected and that you must install the software to clean your PC. The software is a trojan downloader. Once started, it will install Additional Guard and create numerous files with random names in the %UserProfile%\Recent folder. The files are made to appear as infections, but are in reality harmless.
Once running, Additional Guard will perform a scan of your computer and display false scan results. It will state that your computer is infected with adware, malware and trojans and that you should purchase the software to remove these infections. Of course, these infections are all fake, because Additional Guard identifies harmless files as dangerous infections. So you can safely ignore the scan results.
Additional Guard – scan results
While Additional Guard is running, it blocks Task Manager and legitimate antivirus and antispyware programs (Kaspersky Antivirus, DrWeb, AdAware, McAfee, Norton AV and many more). Your computer will display fake warnings and fake security alerts from your Windows task bar. Some of the alerts:
Suspicious software which may be malicious has been
detected on your PC. Click here to remove this threat
immediately using Additional Guard.
Your PC may still infected with dangerous viruses.
Additional Guard protection is needed to prevent data loss
and avoid theft of your personal data and credit card details.
Click here to activate protection.
Warning! Virus Detected
Threat detected: Trojan-PSW.Win32.Dripper
Additional Guard will also hijack Internet Explorer and randomly show a “There is a problem with this websites`s secuirty” warning page. Of course, all of these alerts and warnings are a scam and, like the false scan results, should be ignored! If you find that your system is infected with this malware, then most importantly, do not purchase it. Instead, uninstall Additional Guard from your PC as soon as possible. Please follow the guidelines below to remove this infection.
Symptoms in a HijackThis Log
O4 – HKLM\..\Run: [Additional Guard] “C:\Documents and Settings\All Users\Application Data\17c1f\WIf9a.exe” /s /d
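A triage sketch for HijackThis logs, added here as an example (it is not part of the original guide or of HijackThis): it flags O1 hosts-file entries that point a name at a non-loopback address and O4 autorun entries that launch an executable from a user-writable directory. The function name, the list of writable directories and all O1/O2 sample values are assumptions made for the example.

```python
import re

# Constructed sample in HijackThis format. The first O4 line is the entry shown
# on this page in plain ASCII; the O1/O2 lines use documentation-only values.
SAMPLE_LOG = r'''
O1 - Hosts: 192.0.2.10 payments.example.com
O1 - Hosts: 192.0.2.10 www.payments.example.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\bho.dll
O4 - HKLM\..\Run: [Additional Guard] "C:\Documents and Settings\All Users\Application Data\17c1f\WIf9a.exe" /s /d
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
'''

# Accept "-" or an en dash after the section id, and straight or curly quotes,
# because logs pasted into web pages are often typographically altered.
ENTRY = re.compile(r'^(O\d+)\s*[-\u2013]\s*(.*)$')
HOSTS = re.compile(r'^Hosts:\s*(\S+)\s+(\S+)$')
RUN = re.compile(r'^(HK\w+\\.*?Run\w*):\s*\[(.*?)\]\s*["\u201c]?([^"\u201d]+?\.exe)', re.I)
# Assumed list of directories a dropper can write to; autoruns there merit review.
WRITABLE = re.compile(r'\\(Application Data|AppData|ProgramData|Temp)\\', re.I)
LOOPBACK = {'127.0.0.1', '::1', '0.0.0.0'}

def triage(log_text):
    """Return findings as (section, reason, detail) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == 'O1':
            h = HOSTS.match(body)
            # A hosts entry mapping a name to a non-loopback address overrides DNS.
            if h and h.group(1) not in LOOPBACK:
                findings.append(('O1', 'hosts redirect', h.group(2)))
        elif section == 'O4':
            r = RUN.match(body)
            if r and WRITABLE.search(r.group(3)):
                findings.append(('O4', 'autorun from user-writable path', r.group(3)))
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=' | ')
```

Findings are leads for review, not verdicts: legitimate software also installs autoruns under per-user directories, and some hosts entries are intentional.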
Use the following instructions to remove Additional Guard (Uninstall instructions)
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Additional Guard infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the Additional Guard removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Additional Guard creates the following files and folders
C:\Documents and Settings\All Users\Application Data\WINAGSys
%UserProfile%\Application Data\Additional Guard
C:\Documents and Settings\All Users\Application Data\17c1f\WIf9a.exe
C:\Documents and Settings\All Users\Application Data\WINAGSys\winag.cfg
%UserProfile%\Application Data\Additional Guard\Instructions.ini
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Additional Guard.lnk
%UserProfile%\Start Menu\Additional Guard.lnk
%UserProfile%\Start Menu\Programs\Additional Guard.lnk
Additional Guard creates the following registry keys and values
want to get rid of additional guard
Jacob, if the instructions above do not help you, then ask for help in our Spyware removal forum.
I’ve used Malwarebytes Anti-malware and Spybot twice (after making sure it was up to date). Malware says it removed Additional Guard but it is still there. Spybot removes all but 15 infections which it says it can’t remove. So Additional Guard is still on my system. Any advice?
Chaim, open a new topic in our Spyware removal forum. I will help you.
patrik, you rock. I fight these every day and just wanted to say thank you for your time and effort… this is a particularly pernicious nasty… thanks buddy. (I still haven’t gotten rid of it but I’m hitting it with EVERYTHING)
Client has this booger on a single PC. Malware found 167 infections and I removed. Symantec Endpoint also found a few traces and quarantined as well!
I’ve also done a search for
Don’t forget to first run in safe mode… then run Malware
Thank you very much. I’m really thankful to your malware. It helped me get rid of Additional Guard, which proved to be a constant headache for me and of course my computer. I just want to thank you with utmost respect. Thank you again.
I cannot delete Additional Guard, Malware does not find it, SUPERAntiSpyware neither. What can I do? Thanks in advance.
JM, probably your PC is infected with a new variant of the rogue. Ask for help in our Spyware removal forum.