The Emsisoft malware research team has discovered a new outbreak of the Antivirus Smart Protection. Emsisoft Anti-Malware detects this malware as Rogue.Win32.AntivirusSmartProtection.

Antivirus Smart Protection is a rogue scanner application, another variant of Malware Protection Center and Internet Security Guard. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AllUsersProfile%\Application Data\5c678c\
• %AllUsersProfile%\Application Data\5c678c\sqlite3.dll
• %AllUsersProfile%\Application Data\5c678c\ASPSys\
• %AllUsersProfile%\Application Data\5c678c\BackUp\
• %AllUsersProfile%\Application Data\5c678c\Quarantine Items\
• %AllUsersProfile%\Application Data\5c678c\582.mof
• %AllUsersProfile%\Application Data\5c678c\AS9c5_8046.exe
• %AllUsersProfile%\Application Data\5c678c\ASP.ico
• %AllUsersProfile%\Application Data\5c678c\mozcrt19.dll
• %AllUsersProfile%\Application Data\ASLNP\
• %AllUsersProfile%\Application Data\ASLNP\ASUUDJRRJXP.cfg
• %AppData%\Antivirus Smart Protection\
• %AppData%\Antivirus Smart Protection\cookies.sqlite
• %AppData%\Microsoft\Internet Explorer\Quick Launch\Antivirus Smart Protection.lnk
• %UserProfile%\Desktop\Antivirus Smart Protection.lnk
• %Temp%\scandsk211d_8046.exe
• %UserProfile%\Start Menu\Antivirus Smart Protection.lnk
• %UserProfile%\Start Menu\Programs\Antivirus Smart Protection.lnk

Create/modify registry entries:

• HKEY_LOCAL_MACHINE\Software\Classes\AS9c5_8046.DocHostUIHandler
  Default = Implements DocHostUIHandler
  Clsid  = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

• HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  Default = Implements DocHostUIHandler
  LocalServer32  = %AllUsersProfile%\Application Data\5c678c\AS9c5_8046.exe
  ProgID  = AS9c5_8046.DocHostUIHandler

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\
  Debugger = svchost.exe

• HKEY_CURRENT_USER\software\3

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\
  ltTST = 7F3E0000

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures = no
  RunInvalidSignatures = 01000000

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
  Home Security Solutions = “%AllUsersProfile%\Application Data\5c678c\AS9c5_8046.exe” /s /d

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
  HSS = “%Temp%\scandsk211d_8046.exe” /cs:1

Screenshots:

To register and uninstall this rogue application, you can try one of the following serial number:

K7LY-R5GU-SI9D-EVFB 
U2FD-S2LA-H4KA-UEPB

How to remove the infection of Antivirus Smart Protection (Rogue.Win32.AntivirusSmartProtection)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Malware Protection Center. Emsisoft Anti-Malware detects this malware as Rogue.Win32.MalwareProtectionCenter.

Malware Protection Center is a rogue scanner application, another variant of Internet Security Guard. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AllUsersProfile%\Application Data\5c678c\
• %AllUsersProfile%\Application Data\5c678c\sqlite3.dll
• %AllUsersProfile%\Application Data\5c678c\BackUp\
• %AllUsersProfile%\Application Data\5c678c\MPCSys\
• %AllUsersProfile%\Application Data\5c678c\Quarantine Items\
• %AllUsersProfile%\Application Data\5c678c\73.mof
• %AllUsersProfile%\Application Data\5c678c\mozcrt19.dll
• %AllUsersProfile%\Application Data\5c678c\MP5c6_8040.exe
• %AllUsersProfile%\Application Data\5c678c\MPC.ico
• %AllUsersProfile%\Application Data\MPJCENSJC\
• %AllUsersProfile%\Application Data\MPJCENSJC\MPSJQIC.cfg
• %AppData%\Malware Protection Center\
• %AppData%\Malware Protection Center\cookies.sqlite
• %AppData%\Malware Protection Center\Instructions.ini
• %AppData%\Microsoft\Internet Explorer\Quick Launch\Malware Protection Center.lnk
• %UserProfile%\Desktop\Malware Protection Center.lnk
• %UserProfile%\Start Menu\Malware Protection Center.lnk
• %UserProfile%\Start Menu\Programs\Malware Protection Center.lnk

Create/modify registry entries:

• HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\
  Default = Implements DocHostUIHandler
  LocalServer32  = %AllUsersProfile%\Application Data\5c678c\MP5c6_8040.exe
  ProgID  = MP5c6_8040.DocHostUIHandler
• HKEY_LOCAL_MACHINE\Software\Classes\MP5c6_8040.DocHostUIHandler\
  Default  = Implements DocHostUIHandler
  Clsid  = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\
  Debugger = svchost.exe

• HKEY_CURRENT_USER\software\3

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\
  ltTST = 7F3E0000

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures = no
  RunInvalidSignatures = 01000000

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
  Malware Protection Center = “%AllUsersProfile%\Application Data\5c678c\MP5c6_8040.exe” /s /d

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
  MPC = “%Temp%\setup.exe” /cs:1

Screenshots:

To register and uninstall this rogue application, you can try one of the following serial number:

K7LY-R5GU-SI9D-EVFB 
K7LY-H4KA-SI9D-U2FD 
U2FD-S2LA-H4KA-UEPB

How to remove the infection of Malware Protection Center (Rogue.Win32.MalwareProtectionCenter)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Smart Protection 2012. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SmartProtection2012.

Smart Protection 2012 is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AllUsersProfile%\Application Data\B7E85B320179A6C600266C1CD151FC4E\
• %AllUsersProfile%\Application Data\B7E85B320179A6C600266C1CD151FC4E\B7E85B320179A6C600266C1CD151FC4E
• %AllUsersProfile%\Application Data\B7E85B320179A6C600266C1CD151FC4E\B7E85B320179A6C600266C1CD151FC4E.exe
• %UserProfile%\Desktop\Smart Protection 2012.lnk
• %UserProfile%\Start Menu\Programs\Smart Protection 2012\
• %UserProfile%\Start Menu\Programs\Smart Protection 2012\Smart Protection 2012.lnk

Create new registry entries:

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
  B7E85B320179A6C600266C1CD151FC4E = %AllUsersProfile%\Application Data\B7E85B320179A6C600266C1CD151FC4E\B7E85B320179A6C600266C1CD151FC4E.exe

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\Smart Protection 2012\
  DisplayName = Smart Protection 2012
  ShortcutPath = “%AllUsersProfile%\Application Data\B7E85B320179A6C600266C1CD151FC4E\B7E85B320179A6C600266C1CD151FC4E.exe” Uninstall
  UninstallString = “%AllUsersProfile%\Application Data\B7E85B320179A6C600266C1CD151FC4E\B7E85B320179A6C600266C1CD151FC4E.exe” Uninstall
  DisplayIcon = %AllUsersProfile%\Application Data\B7E85B320179A6C600266C1CD151FC4E\B7E85B320179A6C600266C1CD151FC4E.exe,0

Screenshots:

To register this rogue application, you can use any email and try the following serial number:

AA39754E-715219CE

How to remove the infection of Smart Protection 2012 (Rogue.Win32.SmartProtection2012)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Internet Security 2012. Emsisoft Anti-Malware detects this malware as Rogue.Win32.InternetSecurity2012.

Internet Security 2012 is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AllUsersProfile%\Application Data\isecurity.exe
• %AllUsersProfile%\Desktop\Internet Security 2012.lnk
• %UserProfile%\Start Menu\Internet Security 2012.lnk

Create new registry entry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Internet Security 2012 = %AllUsersProfile%\Desktop\Internet Security 2012.lnk

Screenshots:

To register this rogue application, you can use any email and try the following serial number:

Y86REW-T75FD5-U9VBF4A

How to remove the infection of Internet Security 2012 (Rogue.Win32.InternetSecurity2012)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the Internet Security Guard. Emsisoft Anti-Malware detects this malware as Rogue.Win32.InternetSecurityGuard.

Internet Security Guard is a rogue application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AllUsersProfile%\Application Data\5c678c\
• %AllUsersProfile%\Application Data\5c678c\Quarantine Items\
• %AllUsersProfile%\Application Data\5c678c\BackUp\
• %AllUsersProfile%\Application Data\5c678c\ISGSys\
• %AllUsersProfile%\Application Data\5c678c\5285.mof
• %AllUsersProfile%\Application Data\5c678c\IS5c6_8027.exe
• %AllUsersProfile%\Application Data\5c678c\ISG.ico
• %AllUsersProfile%\Application Data\5c678c\mozcrt19.dll
• %AllUsersProfile%\Application Data\5c678c\sqlite3.dll
• %AllUsersProfile%\Application Data\ISVLVYG\
• %AllUsersProfile%\Application Data\ISVLVYG\ISVJG.cfg
• %AppData%\Internet Security Guard\
• %AppData%\Internet Security Guard\Instructions.ini
• %AppData%\Internet Security Guard\cookies.sqlite
• %AppData%\Microsoft\Internet Explorer\Quick Launch\Internet Security Guard.lnk
• %UserProfile%\Desktop\Internet Security Guard.lnk
• %UserProfile%\Start Menu\Internet Security Guard.lnk
• %UserProfile%\Start Menu\Programs\Internet Security Guard.lnk

Create/modify registry entries:

• HKEY_LOCAL_MACHINE\software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  (Default)  = Implements DocHostUIHandler
  LocalServer32  = %AllUsersProfile%\Application Data\5c678c\IS5c6_8027.exe
  ProgID  = IS5c6_8027.DocHostUIHandler

• HKEY_LOCAL_MACHINE\software\Classes\IS5c6_8027.DocHostUIHandler
  (Default)  = Implements DocHostUIHandler
  Clsid  = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\
  Debugger = svchost.exe

• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\
  Debugger = svchost.exe

• HKEY_CURRENT_USER\software\3

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\
  ltTST = 7F3E0000

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures = no
  RunInvalidSignatures = 01000000

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
  Home Security Solutions = “%AllUsersProfile%\Application Data\5c678c\IS5c6_8027.exe” /s /d

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
  HSS = “%Temp%\%malwarefile%.exe” /cs:1

Screenshots:

To register and uninstall this rogue application, you can try one of the following serial number:

K7LY-R5GU-SI9D-EVFB
K7LY-H4KA-SI9D-U2FD
U2FD-S2LA-H4KA-UEPB

How to remove the infection of Internet Security Guard (Rogue.Win32.InternetSecurityGuard)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

The Emsisoft malware research team has discovered a new outbreak of the System Check rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemCheck.

System Check is a rogue application, another variant of System Fix, System Restore, Data Restore, Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

• %AllUsersProfile%\Application Data\[random].exe
• %AllUsersProfile%\Application Data\[random].exe
• %AllUsersProfile%\Application Data\~[random]
• %AllUsersProfile%\Application Data\~[random]r
• %AllUsersProfile%\Application Data\[random]
• %AppData%\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
• %UserProfile%\Desktop\System Check.lnk
• %Temp%\3.tmp
• %Temp%\smtmp\
• %Temp%\smtmp\2\
• %Temp%\smtmp\4\
• %Temp%\smtmp\1\
• %UserProfile%\Start Menu\Programs\System Check\
• %UserProfile%\Start Menu\Programs\System Check\Uninstall System Check.lnk
• %UserProfile%\Start Menu\Programs\System Check\System Check.lnk

Create/modify registry entries:

• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\policies\system\
  DisableTaskMgr = 01000000

• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
  [random].exe = %AllUsersProfile%\Application Data\[random].exe

• HKEY_CURRENT_USER\Control Panel\
  nsreg = F82D014F

• HKEY_CURRENT_USER\Control Panel\
  bin = 43003A005C0044006F006…

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures = no

• HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
  Use FormSuggest = Yes

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  Hidden = (empty)
  ShowSuperHidden = (empty)
  TaskbarGlomming = (empty)
  TaskbarGlomLevel = 02000000
  Start_ShowControlPanel = (empty)

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
  HidNoChangingWallPaperden = 01000000

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations\
  LowRiskFileTypess = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi; .mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
  SaveZoneInformation = 01000000

• HKEY_CURRENT_USER\softare\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  NoDesktop = 01000000

• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\System\
  DisableTaskMgr = 01000000

Screenshots:

To register and uninstall this rogue application, you can try the following serial number, and enter any email:

1203978628012489708290478989147

How to remove the infection of System Check (Rogue.Win32.SystemCheck)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.