Internet Security Guard

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 9
First Seen: January 14, 2012
Last Seen: January 24, 2023
OS(es) Affected: Windows


According to ESG security researchers, Internet Security Guard is a fake antispyware application that belongs to a large family of rogue security programs, the FakeScanti family. If your computer system has become infected with Internet Security Guard, it is essential that you remove Internet Security Guard with the use of a legitimate anti-malware application. Failure to remove Internet Security Guard puts you at risk for additional malware infections and increases the risk that your credit card number or online accounts may be compromised.

Some fake anti-virus programs that are known clones of Internet Security Guard include Security Guard, Sysinternals Antivirus, Wireshark Antivirus, Milestone Antivirus, BlueFlare Antivirus, WolfRam AntiVirus, OpenCloud Antivirus, OpenCloud Security, Data Restore, OpenCloud AV, Security Guard 2012, AV Guard Online, Guard Online, Cloud Protection, AV Protection Online, System Protection 2012, AV Security 2012, Sphere Security 2012, AV Protection 2011, Super AV 2013.
 

Dealing With an Internet Security Guard Infection

The main tactic that Internet Security Guard uses in order to attack its victims is displaying constant fake security alerts and error messages. These are meant to cause panic and to urge the victim to register Internet Security Guard by purchasing a registration code in order to 'unlock' Internet Security Guard's full features. However, ESG security researchers advise against paying for Internet Security Guard in any way. Internet Security Guard has absolutely no anti-virus capabilities. In fact, this dangerous application is made up of little more than its showy interface (designed to mimic Windows Security Center) and a handful of malicious scripts and Trojans designed to wreak havoc on the victim's computer system. ESG security researchers recommend following these guidelines in order to deal with an Internet Security Guard infection more effectively:

  • Internet Security Guard is often accompanied by a Trojan infection designed to detect and overwrite any security software on the victim's computer, effectively disabling it. Therefore, you may first need to download or reinstall your anti-virus application, or run it from an external drive.
  • Internet Security Guard is designed to display error messages whenever the victim attempts to access files or connect to the Internet. Entering a registration code can help ameliorate these symptoms. Note, however, that the registration code will not stop an Internet Security Guard infection; it simply relieves some of its most annoying symptoms. ESG security analysts have provided the following registration codes: K7LY-H4KA-SI9D-U2FD, U2FD-S2LA-H4KA-UEPB and K7LY-R5GU-SI9D-EVFB.
  • Because Internet Security Guard can start up automatically when you start up Windows, it may be necessary to start up in Safe Mode before removal can be carried out.


File System Details

Internet Security Guard may create the following file(s):
1. %CommonAppData%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
2. %UserProfile%\Recent\gid.dll
3. %UserProfile%\Recent\ANTIGEN.exe
4. %UserProfile%\Recent\fan.sys
5. %UserProfile%\Recent\ppal.sys
6. %AppData%\Internet Security Guard\ScanDisk_.exe
7. %UserProfile%\Recent\CLSV.dll
8. %UserProfile%\Recent\SM.dll
9. %UserProfile%\Recent\fix.sys
10. %UserProfile%\Recent\sld.sys
11. scandsk107d_8027.exe
12. %CommonAppData%\79b35\ISa76.exe
13. %UserProfile%\Recent\eb.dll
14. %UserProfile%\Recent\energy.exe
15. %UserProfile%\Recent\PE.exe
16. %UserProfile%\Recent\SM.exe
17. %Programs%\Internet Security Guard.lnk
18. %CommonAppData%\[RANDOM CHARACTERS]\ISG.ico
19. %AppData%\Internet Security Guard\cookies.sqlite
20. %CommonAppData%\ISEUG\
21. %UserProfile%\Recent\energy.tmp
22. %UserProfile%\Recent\tjd.tmp
23. %UserProfile%\Start Menu\Internet Security Guard.lnk
24. %StartMenu%\Internet Security Guard.lnk
25. %Desktop%\Internet Security Guard.lnk
26. %AppData%\Internet Security Guard\
27. %CommonAppData%\79b35\ISG.ico
28. %UserProfile%\Recent\cb.drv
29. %UserProfile%\Recent\snl2w.drv
30. %UserProfile%\Desktop\Internet Security Guard.lnk
31. %AppData%\Internet Security Guard\Instructions.ini
32. %AppData%\Microsoft\Internet Explorer\Quick Launch\Internet Security Guard.lnk
33. %CommonAppData%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].cfg
34. %CommonAppData%\79b35\
35. %CommonAppData%\ISEUG\ISKIYFOAG.cfg
36. %UserProfile%\Recent\FW.drv
37. %UserProfile%\Recent\SICKBOY.tmp
38. %UserProfile%\Start Menu\Programs\Internet Security Guard.lnk

Registry Details

Internet Security Guard may create the following registry entry or registry entries:
File mask (regexp): %AllUsersProfile%\?????\IS[RANDOM CHARACTERS].exe
HKEY_CLASSES_ROOT\IS9c5_8027.DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "3" = "egui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "6" = "avscan.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "9" = "avgtray.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "12" = "avgemc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "15" = "avgwdsvc.exe"
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=8027&q={searchTerms}"
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "feed/7.1.08027"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "1" = "MSASCui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "5" = "avcenter.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "8" = "avgui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "11" = "avgcfgex.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "14" = "avgcmgr.exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_CURRENT_USER\CurrentVersion\Run "Internet Security Guard" "%CommonAppData%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe" /s /d
HKEY_CURRENT_USER\Software\3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=8027&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "879905773703"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "0" = "msseces.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "4" = "avgnt.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "7" = "avgfrw.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "10" = "avgscanx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "13" = "avgchsvx.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security Guard"
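
The entries above fall into a few groups: launch blocking through the `DisallowRun` policy, Image File Execution Options keys named after security tools, disabled download signature checks, an autorun value and a search-provider change. The following is an added example, not ESG's code: a Python triage over an exported registry listing, assuming one entry per line in the notation this page uses; the category names and the sample input are this example's own.

```python
import re

# Patterns for the registry changes listed on this page. Category names are
# labels chosen for this example, not vendor terminology.
RULES = [
    ("av_launch_blocked", r'\\Policies\\Explorer\\DisallowRun\s+"\d+"\s*=\s*"(?P<d>[^"]+)"'),
    ("disallowrun_enabled", r'\\Policies\\Explorer\s+"DisallowRun"\s*=\s*"(?P<d>1)"'),
    ("ifeo_key", r'\\Image File Execution Options\\(?P<d>[^\\"\s]+\.exe)\s*$'),
    ("signature_check_off", r'\\Internet Explorer\\Download\s+"(?P<d>RunInvalidSignatures)"\s*=\s*"1"'),
    ("signature_check_off", r'\\Internet Explorer\\Download\s+"(?P<d>CheckExeSignatures)"\s*=\s*"no"'),
    ("autorun", r'\\CurrentVersion\\Run\s+"(?P<d>[^"]+)"'),
    ("search_hijack", r'\\SearchScopes\s+"URL"\s*=\s*"(?P<d>[^"]+)"'),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

def triage(lines):
    """Map each tamper category to the details found in `lines`."""
    findings = {}
    for raw in lines:
        for name, rx in COMPILED:
            m = rx.search(raw.strip())
            if m:
                findings.setdefault(name, []).append(m.group("d"))
                break  # one category per line
    return findings

def security_tools_targeted(findings):
    """Executables named in DisallowRun values or IFEO keys, de-duplicated."""
    names = findings.get("av_launch_blocked", []) + findings.get("ifeo_key", [])
    return sorted({n.lower() for n in names})

# Constructed sample: a subset of this page's entries plus one unrelated line.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "0" = "msseces.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "9" = "avgtray.exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security Guard"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = "1"
'''.splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE)
    for category, details in sorted(result.items()):
        print(f"{category}: {', '.join(details)}")
    print("verify or reinstall:", ", ".join(security_tools_targeted(result)))
```

Running the same triage on an export taken after cleanup should return an empty result; any remaining `av_launch_blocked` or `ifeo_key` entry names a security tool that may still fail to start.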

URLs

Internet Security Guard may call the following URLs:

save-secure.com
securityearth.net
www5.internet-security-guard.com

Messages

The following messages associated with Internet Security Guard were found:

Address space conflict
Warning! Access conflict detected
An unidentified program is trying to access system process address space.
Memory access problem
WindowsErrorForm has encountered a problem at address 0x1FC408.
We are sorry for the inconvenience.
System Message
Your PC may still be infected with dangerous viruses. Internet Security Guard protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection.

1 Comment

Such great information. This is really very helpful for bloggers.
