I only wish I could have grabbed a screen of how the fake scamware looked but was on someone else's laptop without a flash drive handy!
The scamware looked too much like an updated form of the MS Security Essentials when prompting about 4 trojans it saw downloaded in the first place and when trying to bring up the taskmanager!
The taskmanager was obviously locked up first to prevent anyone from ending the protector-xfg.exe combo bug! Instead you saw the same fake SE screen only with two menu columns on the left one above the other with a "Windows Process Manager"! Or lock up of taskmanager!
The fake also pointed right at "C:\Program Files\Internet Explorer\iexplorer.exe" as a risk and designed to prevent any IE windows from staying open long enough to run any online security sweep or download a removal tool! This one was well written and aimed at forcing people to buy a non existent program!
Removal wasn't as hard IF you knew it was a fake to start with! While you wouldn't be able to takeownership over the protector-xfg.exe itself you could open two WE windows and see it moved out of the "C:\users\user account name\AppData\Roaming\" sub folder where this one was found into a temp folder.
The reboot in safe mode saw no events since the process was ended where that file was simply dragged into the Recycle Bin to say "bye bye!" to that one. The subsequent scan by VIPRE seen there was then able to remove the scam ware as well as the 4 trojans in one shot with no further traces of any of this found so far. IE is also running normally.
Just how the malware got on in the first place is another matter since the laptop was being borrowed by someone totally new with any pc! Namely a kid who lacks any actual experience besides a social network. The suspicion is that it wasn't from being on any site the firewall would have blocked.
The trial version for another av software as well as another browser were found installed without the owner's knowledge or permission being someone new with pcs as well. I think someone simply clicked on one too many links and ended up with...