Saturday, 27 July 2019

Personal Protector - FakeSpyGuard Rogue Antivirus

Personal Protector is fake security software from the FakeSpyGuard family. Clones: Advanced Defender, Personal Guard 2009.
The installer interface looks like this:
Its database is not actually empty, so after a restart (or at some other random moment) it can load the database worker, "find" threats and plant fake alerts after disabling the real Security Center.
Notifications are shown like this:
Let (FakeSpyGuard Name)
It was similar to Smart Protector.
The installer is PersonalProtectorInstaller.exe
MD5: 672d77d4bc81da0850cd970fa682fa47
After a boot, a log off or a similar event, this trojan scans for threats.
It also drops a DLL installer/bootkit, and the program files look like this:
c:\Program Files\Personal Protector
c:\Program Files\Personal Protector\base.wdb
c:\Program Files\Personal Protector\baseadd.wdb
c:\Program Files\Personal Protector\conf.wcf
c:\Program Files\Personal Protector\personalprotector.exe
c:\Program Files\Personal Protector\quarant.wdb
c:\Program Files\Personal Protector\queue.wdb
c:\Program Files\Personal Protector\un.exe
c:\Program Files\Personal Protector\q

c:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
%UserProfile%\Desktop\Personal Protector.lnk
%UserProfile%\Start Menu\Programs\Personal Protector
%UserProfile%\Start Menu\Programs\Personal Protector\Personal Protector.lnk
%UserProfile%\Start Menu\Programs\Personal Protector\Uninstall.lnk
These files were dropped by the installer.
Also, after a reboot or after being logged on for a long time, it starts to create a fake Security Center and "find" threats.
The file is located at system32\winscent.exe
MD5: 66bdf0674a7a598ddcf05165d281472e
All threats are "found" from a dropped database:

On the security side, you must register to activate; there is no way to bypass it, and if you close the dialog it says the code is invalid.

The input for the database is base.wdb and baseadd.wdb; the two are quite different.
The database is plain text readable in Notepad, with no encryption:
base.wdb
asty1|Trojan-Downloader.Win32.Banload.dcd|This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent|3|Trojan
asty2|Backdoor.Agobot.gen|This is a classical backdoor and allows a 'master' to control the victim machine remotely by sending commands via IRC channels|1|Spyware
asty3|Virus.JS.Fortnight|JS.Fortnight is an Internet worm that uses infected emails with hidden links to an Internet Web page from which it downloads its infected code.|1|JavaScript Virus
asty4|Email-Flooder.Win32.FriendGreetings|Advert.FriendGreetings is an electronic post card program that once installed, unlike other similar programs, sends out emails to all addresses found in a victim computer's Microsoft address book|1|Malware
asty5|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware
asty6|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|3|Internet virus
asty7|Trojan-Downloader.HTML.Agent.aq|This Trojan downloads other malicious programs|2|Trojan downloader
asty8|Trojan-Spy.HTML.Citifraud.db|This Trojan uses spoofing technology, and is a fake HTML page|3|Spyware programm
asty9|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware programm
astz1|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|3|Backdors



Did you notice? They made a mistake with Personal Guard 2009 and allow you to exit?

 

baseadd.wdb
C:\WINDOWS\inf\1394vdbg.inf|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
c:\WINDOWS\inf\axant5.inf|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\inf\1394.inf|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\inf\1394vdbg.inf|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
c:\WINDOWS\inf\axant5.inf|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\system\VER.DLL|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\inf\1394.inf|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\ehome\custsat.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\AppPatch\sysmain.sdb|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\Driver Cache\i386\portcls.sys|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\updspapi.dll|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\twain_32\wiatwain.ds|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\Microsoft.NET\Framework\sbs_iehost.dll|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\Microsoft.NET\Framework\SharedReg12.dll|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\srchasst\msgr3en.dll|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\explorer.exe|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\TASKMAN.exe|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\srchasst\srchctls.dll|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\PeerNet\sqlqp20.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\PeerNet\sqldb20.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\PeerNet\sqlse20.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\security\Database\secedit.dll|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\system32\chkntfs.exe|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\system32\csrss.exe|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\system32\dxdiag.exe|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\system32\iernonce.dll|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\system32\jobexec.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\system32\mfc40.dll|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\system32\msdtc.exe|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\system32\ntmsevt.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\system32\runas.exe|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\system32\wpabaln.exe|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
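The two dumps above are pipe-delimited, and the rogue's "scan" is just a lookup against the file paths pre-seeded in baseadd.wdb. Below is an added parser for that format (my own example code, not part of the original post or the rogue itself); the field layout is inferred from the dumps, and the sample rows are shortened copies of records from them.

```python
# Added example: parser for the plain-text .wdb files dropped by Personal
# Protector. Layout inferred from the dumps: base.wdb rows are
# id|name|description|severity|category; baseadd.wdb rows put a file path in
# place of the id and add a sixth numeric column. Not the rogue's own code.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WdbRecord:
    key: str             # signature id (base.wdb) or absolute path (baseadd.wdb)
    name: str            # real-looking threat name borrowed from legitimate AV naming
    description: str
    severity: int
    category: str
    flag: Optional[int]  # sixth column, present only in baseadd.wdb rows


def parse_wdb(text: str) -> List[WdbRecord]:
    """Parse one .wdb file; rejects rows that do not have 5 or 6 fields."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        f = line.split("|")
        if len(f) not in (5, 6):
            raise ValueError(f"line {n}: expected 5 or 6 fields, got {len(f)}")
        flag = int(f[5]) if len(f) == 6 else None
        out.append(WdbRecord(f[0], f[1], f[2], int(f[3]), f[4], flag))
    return out


def preseeded_windows_files(records: List[WdbRecord]) -> List[str]:
    """Paths under C:\\WINDOWS the rogue will report as infected whatever their
    real content: these are hard-coded hits, not the result of any scan."""
    return sorted({r.key for r in records
                   if r.flag is not None and r.key.lower().startswith("c:\\windows\\")})


# Sample rows, shortened from the dumps above (two per file).
SAMPLE_BASE = """\
asty1|Trojan-Downloader.Win32.Banload.dcd|This Trojan downloads other files via the Internet|3|Trojan
asty2|Backdoor.Agobot.gen|This is a classical backdoor controlled via IRC channels|1|Spyware
"""
SAMPLE_BASEADD = r"""
C:\WINDOWS\explorer.exe|Backdoor.Netbus|This is a hidden remote administration utility|2|backdoor|0
C:\WINDOWS\system32\csrss.exe|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without consent|2|Internet virus|0
"""

if __name__ == "__main__":
    for path in preseeded_windows_files(parse_wdb(SAMPLE_BASEADD)):
        print("fake detection pre-seeded for:", path)
```

Running it over the full baseadd.wdb shows that every "infected" path is a stock Windows file (explorer.exe, csrss.exe, msdtc.exe and so on), which is the simplest way to demonstrate to a victim that the alerts are fabricated.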
The registration is saved as a bookmark address if it is correct; after I debugged the private registration, the code is:
58086752C1D853DE3C770472E76898F2C0AC1AD3



Once registered, it disables the fake Security Center, reverts all its negative changes, allows cleanup and stores the code as a salted hash in private.
Also, if you enter digits or dashes in the code field, it may work.

None of the files will actually be quarantined; the quarantine file stays empty (0 KB) until modified.


Now there is no "continue unprotected" option, and ALT + F4 does not work.

The update is also fake.
Update Antivirus Modules, database module update, program update completed; I think there is no remote server or update error.
  
The registry entries look like this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal Protector
HKEY_LOCAL_MACHINE\SOFTWARE\Personal Protector
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "personalprotector"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "suicide"
Activated and installed data
STAY AWAY if you don't know: it is a virus.
Video review and payload: