Saturday, April 3, 2010

How to remove "Your Protection" malware (Uninstall guide)

"Your Protection" is a fake anti-virus program and a clone of the User Protection malware. Needless to say, this fake program should be removed from your computer immediately. If you are reading this article, then your computer is probably infected with the Your Protection virus.

So, what is it and how do you remove this infection? Basically, it's a trojan virus that pretends to be legitimate antivirus software. The rogue program comes mostly from fake online anti-malware scanners, compromised web sites, or through software vulnerabilities (web browser, PDF, etc.). Once installed, it displays fake warnings and pop-ups and reports false system security threats to make you think that your PC is infected with malicious software, whereas the only real infection is YourProtection. Thankfully, we've got instructions to help you.



Just like its predecessors, Your Protection attempts to uninstall legitimate anti-virus and anti-spyware programs from your computer. It scans the computer for the following antivirus programs: avast!, AVG, Avira AntiVir, NOD32, F-Secure and others. The rogue program states that the anti-virus program it found is infected and that you need to uninstall it. That's of course not true.

When running, this scareware also displays many fake security warnings. Some of them will state:

"User's activity loggers detected!
It's strongly recommended to remove detected threats right now!"

"Zlob.Porn.Ad adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."



"Danger!
A security threat detected on your computer. TrojanASPX.JS.Win32. It strongly recommended to remove this threat right now. Click on the message to remove it."

Of course, you will probably see more of these fake alerts on your computer screen. Also, you may find several porn icons on your Desktop. That's a part of this infection. Those shortcuts redirect the user to porn web sites or other infected web sites, so don't click on them.

As you probably know, Your Protection reports fake infections to scare you into purchasing the bogus program. Don't do that. This is nothing more than a scam. However, if you have already purchased it, then you should contact your credit card company as soon as possible and dispute the charges.

Last, but not least, YourProtection may come bundled with the TDSS rootkit. This rootkit usually hijacks Internet Explorer (other web browsers too) and redirects users to entirely unrelated web sites. Very often those web sites are harmful or full of false information. It's very important to remove the TDSS infection. That's why you should follow the removal instructions below very carefully and use the suggested malware removal tools. The Your Protection virus can be removed manually, but because of the possible TDSS infection, manual removal is not recommended. If you have any questions about this virus or any information that might help to remove it, don't hesitate to leave a comment. Good luck and be safe!


Your Protection removal instructions:

1. Download the file TDSSKiller.zip and extract it into a folder
2. Execute the file TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe to explorer.com yourself or download the already renamed explorer.com file in order to run it)
3. Follow the prompts and wait for the scan and disinfection process to be over. Close all programs and press “Y” key to restart your computer.
More detailed TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684
4. Download one of the following anti-malware programs and run a full system scan:
5. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.

User Protection associated files and registry values:

Files:
  • C:\Program Files\Your Protection
  • C:\Program Files\Your Protection\Uninstall.exe
  • C:\Program Files\Your Protection\urp.db
  • C:\Program Files\Your Protection\urpext.dll
  • C:\Program Files\Your Protection\urphook.dll
  • C:\Program Files\Your Protection\urpprot.exe
  • C:\Documents and Settings\All Users\Application Data\kjrofjkrtm.dll
  • %Temp%\asd1.tmp
  • %Temp%\mplay32xe.exe
  • %Temp%\urp.dat
  • %Temp%\urpr.dat
Registry:
  • HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mplay32xe.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Your Protection"
  • HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt "(Default)" = "{5E2121EE-0300-11D4-8D3B-444553540000}"
  • HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt "(Default)" = "{5E2121EE-0300-11D4-8D3B-444553540000}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"
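
To confirm whether these artifacts are present before and after cleanup, the following read-only PowerShell check can be used. It is an added example, not part of the original guide or of any tool mentioned in it. It tests only the files and registry entries listed above and does not detect the TDSS rootkit; run it as the affected user, since the %Temp% and HKEY_CURRENT_USER entries are per-user.

```powershell
# Added example: read-only check for the artifacts listed on this page. Nothing is modified.
# On 64-bit Windows, 32-bit software may instead live under "Program Files (x86)" and
# WOW6432Node; those locations are not listed on the page and are not checked here.
$clsid = '{5E2121EE-0300-11D4-8D3B-444553540000}'
$hkcu  = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion'
$hklm  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'

# Files and folders as listed (%Temp% resolved for the current user).
$files = @(
    'C:\Program Files\Your Protection',
    'C:\Documents and Settings\All Users\Application Data\kjrofjkrtm.dll',
    "$env:TEMP\asd1.tmp", "$env:TEMP\mplay32xe.exe", "$env:TEMP\urp.dat", "$env:TEMP\urpr.dat"
)

# Registry entries: no Name = key must exist; Name = '' is the "(Default)" value;
# Want = expected data (compared as text, case-insensitively).
$reg = @(
    @{ Key = "HKEY_CLASSES_ROOT\CLSID\$clsid" },
    @{ Key = "$hklm\Uninstall\Your Protection" },
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection' },
    @{ Key = "$hkcu\Policies\System"; Name = 'DisableTaskMgr'; Want = '1' },
    @{ Key = "$hklm\policies\system"; Name = 'DisableTaskMgr'; Want = '1' },
    @{ Key = "$hkcu\Run"; Name = 'mplay32xe.exe' },
    @{ Key = "$hkcu\Run"; Name = 'Your Protection' },
    @{ Key = 'HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt'; Name = ''; Want = $clsid },
    @{ Key = 'HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt'; Name = ''; Want = $clsid },
    @{ Key = "$hklm\Shell Extensions\Approved"; Name = $clsid }
)

function Test-RegEntry($e) {
    if (-not $e.ContainsKey('Name')) {
        # Registry.GetValue returns $null only when the key itself does not exist.
        return $null -ne [Microsoft.Win32.Registry]::GetValue($e.Key, '', 'present')
    }
    # The .NET API treats the "*" in HKEY_CLASSES_ROOT\* literally (no wildcard expansion).
    $data = [Microsoft.Win32.Registry]::GetValue($e.Key, $e.Name, $null)
    if ($null -eq $data) { return $false }
    if ($e.ContainsKey('Want')) { return "$data" -eq $e.Want }
    return $true
}

$hits  = @($files | Where-Object { Test-Path -LiteralPath $_ })
$hits += @($reg | Where-Object { Test-RegEntry $_ } | ForEach-Object { "$($_.Key) [$($_.Name)]" })

if ($hits.Count) { 'Indicators found:'; $hits | ForEach-Object { "  $_" } }
else { 'None of the listed indicators are present for this user.' }
```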
