Jan 25

Antivirus Smart Protection Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of Antivirus Smart Protection. Emsisoft Anti-Malware detects this malware as Rogue.Win32.AntivirusSmartProtection.

Antivirus Smart Protection is a rogue scanner application, another variant of Malware Protection Center and Internet Security Guard. A rogue application tries to trick you by displaying false or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix the reported problems before you purchase the product.

Creates new files:

  • %AllUsersProfile%\Application Data\5c678c\
  • %AllUsersProfile%\Application Data\5c678c\sqlite3.dll
  • %AllUsersProfile%\Application Data\5c678c\ASPSys\
  • %AllUsersProfile%\Application Data\5c678c\BackUp\
  • %AllUsersProfile%\Application Data\5c678c\Quarantine Items\
  • %AllUsersProfile%\Application Data\5c678c\582.mof
  • %AllUsersProfile%\Application Data\5c678c\AS9c5_8046.exe
  • %AllUsersProfile%\Application Data\5c678c\ASP.ico
  • %AllUsersProfile%\Application Data\5c678c\mozcrt19.dll
  • %AllUsersProfile%\Application Data\ASLNP\
  • %AllUsersProfile%\Application Data\ASLNP\ASUUDJRRJXP.cfg
  • %AppData%\Antivirus Smart Protection\
  • %AppData%\Antivirus Smart Protection\cookies.sqlite
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Antivirus Smart Protection.lnk
  • %UserProfile%\Desktop\Antivirus Smart Protection.lnk
  • %Temp%\scandsk211d_8046.exe
  • %UserProfile%\Start Menu\Antivirus Smart Protection.lnk
  • %UserProfile%\Start Menu\Programs\Antivirus Smart Protection.lnk

Creates/modifies registry entries:

  • HKEY_LOCAL_MACHINE\Software\Classes\AS9c5_8046.DocHostUIHandler
    Default = Implements DocHostUIHandler
    Clsid  = {3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
    Default = Implements DocHostUIHandler
    LocalServer32  = %AllUsersProfile%\Application Data\5c678c\AS9c5_8046.exe
    ProgID  = AS9c5_8046.DocHostUIHandler
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\
    Debugger = svchost.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\
    Debugger = svchost.exe
  • HKEY_CURRENT_USER\software\3
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\
    ltTST = 7F3E0000
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
    RunInvalidSignatures = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
    Home Security Solutions = "%AllUsersProfile%\Application Data\5c678c\AS9c5_8046.exe" /s /d
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce\
    HSS = "%Temp%\scandsk211d_8046.exe" /cs:1
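
The registry changes listed above follow three patterns that can be checked in an exported registry file: a Debugger value under Image File Execution Options (Windows then starts the named debugger instead of that program), the Internet Explorer download signature settings, and autorun entries that start a program from an Application Data or Temp folder. The following triage script is an added example, not Emsisoft's code. Its sample export is constructed, and both the expanded %AllUsersProfile% path and the export encoding of RunInvalidSignatures are assumptions.

```python
import re

# Lower-case key fragments for the three registry areas the page lists.
IFEO = "\\windows nt\\currentversion\\image file execution options\\"
IE_DL = "\\software\\microsoft\\internet explorer\\download"
RUN = "\\software\\microsoft\\windows\\currentversion\\run"
# (value name, data) pairs from the page; both export encodings of "1" are accepted.
IE_WEAK = {("checkexesignatures", "no"), ("runinvalidsignatures", "dword:00000001"),
           ("runinvalidsignatures", "hex:01,00,00,00")}

def parse_reg(text):
    """Yield (key, value name, data) from regedit export text; no hex continuations."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"'):  # REG_SZ: strip quotes, undo \\ and \" escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, name, data

def triage(text):
    """Return (finding, subject, data) tuples for entries that match the patterns."""
    out = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if IFEO in k and n == "debugger":
            out.append(("ifeo-debugger", key.rsplit("\\", 1)[1], data))
        elif k.endswith(IE_DL) and (n, data.lower()) in IE_WEAK:
            out.append(("ie-signature-setting", name, data))
        elif k.endswith((RUN, RUN + "once")) and re.search(
                r"\\(application data|temp)\\", data, re.I):
            out.append(("autorun-from-data-dir", name, data))
    return out

# Constructed sample export (not from a real host); the expanded path is assumed.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe]
"Debugger"="svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=hex:01,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Home Security Solutions"="\"C:\\Documents and Settings\\All Users\\Application Data\\5c678c\\AS9c5_8046.exe\" /s /d"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
```

A Debugger value is not malicious in itself, since some legitimate tools set one, so each ifeo-debugger finding still needs review.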

To register and uninstall this rogue application, you can try one of the following serial numbers:

K7LY-R5GU-SI9D-EVFB
U2FD-S2LA-H4KA-UEPB

How to remove the infection of Antivirus Smart Protection (Rogue.Win32.AntivirusSmartProtection)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
