System Protector

By GoldSparrow in Rogue Anti-Spyware Program | 1,056 views

System Protector Description


System Protector, or SystemProtector, is a rogue anti-spyware program designed to trick users into believing it’s a legitimate anti-spyware program.

System Protector may be installed on the user’s computer system by a Trojan, such as Zlob, through a rogue video codec download, or the user may have downloaded it from a rogue website. Once Zlob is installed, the user will receive a large number of fake notification messages stating that his/her computer is infested with spyware. To remove these supposed threats, the user is redirected to a fraudulent website to purchase System Protector’s full version. System Protector is also able to emulate a computer system scan. After System Protector’s scanner is launched, the user will receive a list of spyware infections supposedly found on his/her computer system.

System Protector may be configured to run on every Windows startup. System Protector may also cause the computer system’s performance to decrease.

Type: Rogue AntiSpyware Programs

How Can You Detect System Protector?

System Protector Technical Report

We will update this section as new System Protector details are reported by our customers and by our Threat Research Center.

The following System Protector files, with their MD5s, were created in the system:

File Name File Size MD5
lsascs.exe 1943040 83651530f4cf55168524e5e28c9d3c2a
sysprotector_install[1].exe 40960 b53da5469558504015005dd31dc2fb78
install[1].exe 1312706 da0a130cca9faa4e031f5cdf4128103e
shellex.dll 159744 32b18b7832ab674cb0f5ce64c808706c
sysprotector_install_71174136[1].exe 26624 f3550430259981ac278c00c920e24943
shellex.dll 159744 fddfcdabbdcee22f4a5bc714ae3523ec
sysprotector_install[1].exe 26624 3818a6ca4e8912c077c527e63c814c7d
lsascs.exe 1943040 686aae04c8fea3f414692c1f48788808


System Protector Removal Details

System Protector typically has the following processes in memory:

  • %UserProfile%\Application Data\lsascs.exe
  • %UserProfile%\Application Data\shellex.dll
  • sysprotector_install[1].exe
  • %UserProfile%\Application Data\Microsoft\windll32.exe
  • sys-protector.exe
  • %UserProfile%\Application Data\install.exe

System Protector creates the following files in the system:

  • C:\WINDOWS\system32\spyprotector.cpl
  • %UserProfile%\Application Data\SpyProtectorSC_Config.ini
  • %UserProfile%\Start Menu\Programs\System Protector\Support Page.url
  • System Protector.lnk
  • %UserProfile%\Desktop\System Protector.lnk
  • %UserProfile%\Start Menu\Programs\System Protector\System Protector.lnk
  • dfgfgh.ini
  • C:\Program Files\System Protector
  • %UserProfile%\Application Data\SpyProtectorSC_Base_new.dat
  • %UserProfile%\Start Menu\Programs\System Protector\Purchase License.url

System Protector creates the following directories, files and paths:

  • %UserProfile%\Start Menu\Programs\System Protector
  • %ProgramFiles%\System Protector

System Protector creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” => 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\System Protector
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lsascs.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\System Protector
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Protector
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\System Protector
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “System Protector”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “System Protector”
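
An added example, not part of the original entry or of any ESG tool: one way to check an exported registry file for the entries listed above, flagging DisableTaskMgr only when it is set to 1. It assumes the text format written by regedit or reg export; the names parse_reg, find_hits and SAMPLE are hypothetical, and the sample export is constructed.

```python
import re
# Indicators from the registry list above: (key, value name, expected data); name=None
# means the key itself is the indicator. Bare Drive\shellex (a parent key) is left out.
CV = r"\Microsoft\Windows\CurrentVersion"
CLS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software" + CV + r"\Policies\System", "DisableTaskMgr", "dword:00000001"),
    (r"HKEY_CURRENT_USER\Software" + CV + r"\Run", "System Protector", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE" + CV + r"\Run", "System Protector", None),
    (r"HKEY_CURRENT_USER\Software" + CV + r"\Uninstall\System Protector", None, None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE" + CV + r"\App Paths\lsascs.exe", None, None),
    (CLS + r"\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83}", None, None),
] + [(CLS + "\\" + c + r"\shellex\ContextMenuHandlers\System Protector", None, None)
     for c in ("*", "Directory", "Drive")]
SECTION = re.compile(r"^\[([^\]]+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key: {value name: raw data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        section, value = SECTION.match(line.strip()), VALUE.match(line.strip())
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
        elif value and current is not None:
            current[value.group(1).lower()] = value.group(2)
    return keys

def find_hits(text):
    """Return the indicators present in the export (registry names ignore case)."""
    keys, hits = parse_reg(text), []
    for key, name, expected in INDICATORS:
        values = keys.get(key.lower())
        if values is None:
            continue
        data = values.get(name.lower()) if name else None
        if name is None or (data is not None and expected in (None, data.lower())):
            hits.append(key if name is None else f"{key} -> {name}")
    return hits

# Constructed sample export; the Run data path is a placeholder, not from the page.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"system protector"="C:\\placeholder\\constructed.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{107a1d63-2eaa-4694-8aba-ec209c630d83}]
'''
```

Exports written by regedit are UTF-16 text, so read the file with encoding="utf-16" before passing its contents to find_hits.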


This entry was last updated on 06/29/09 and posted on 03/29/09.

One Response to “System Protector”

  1. jamie Says:

    These scams suck! Thank you guys for saving me before I bought this “protector” thing.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.