User Protection
What is User Protection?
User Protection is a bogus anti-virus program from the same group who also created Dr. Guard. This threat can be automatically downloaded and install on computer when a user visits a fake security website that will run a script. Once inside the computer, User Protection will perform a virus scan and pretend to be as antivirus program. It will display falsified information regarding threats found on the computer. A prompt to remove these infection is advise but a User Protection activation key must be purchase first. While still on the computer, User Protection will display various warning messages as listed below:
Warning! Virus threat detected!
Virus activity detected!
Trojan-Clicker.Win32 adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now.
Antivirus Alert – Critical threat detected
Warning: Network attack detected
Network attack has been detected. Process is attempting to access your private data.
Your computer is being attacked from a remote PC.
Process is trying to steal your passwords listed below. It is highly recommended to block this threat now.
User’s activity loggers detected!
It’s strongly recommended to remove detected threats right now!
Zlob.Porn.Ad adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now.
ANTIVIRUS IS RUN IN DEMO MODE. ACTIVATE YOUR ANTIVIRUS OTHERWISE ALL THE DATA WILL BE LOST OR DAMAGED!
DANGEROUS! ANTIVIRUS DETECTED SOME HARMFUL PROGRAMS ON YOUR PC! THEY MAY CORRUPT YOUR INFORMATION OR SEND IT TO HACKERS.
| Type | Rogue |
| Sub-Type | FakeAV |
| Aliases | |
| OS Affected | Windows |
| Detected By | MalwareBytes |
What are the Symptoms of “User Protection” Infection?
This rogue program will display fake security scan results that aims to trick users into purchasing the User Protection registration key.
It will modify Windows Registry and add the following entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Uninstall\User Protection
- HKEY_LOCAL_MACHINE\SOFTWARE\User Protection
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Run\User Protection
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Run\asr64_ldm.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Policies\System\DisableTaskMgr
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Policies\System\DisableTaskMgr
The threat will drop the following malicious files:
- C:\Program Files\User Protection
- %UserProfile%\Start Menu\Programs\User Protection
- C:\Program Files\User Protection\uphook.dll
- C:\Program Files\User Protection\userprotection.exe
- %UserProfile%\Local Settings\temp\SPAM.exe
- C:\Program Files\User Protection\about.ico
- C:\Program Files\User Protection\activate.ico
- C:\Program Files\User Protection\buy.ico
- C:\Program Files\User Protection\up.db
- C:\Program Files\User Protection\upext.dll
- C:\Program Files\User Protection\help.ico
- C:\Program Files\User Protection\scan.ico
- C:\Program Files\User Protection\settings.ico
- C:\Program Files\User Protection\splash.mp3
- C:\Program Files\User Protection\uninstall.exe
- C:\Program Files\User Protection\update.ico
- C:\Program Files\User Protection\virus.mp3
- %UserProfile%\Start Menu\Programs\User Protection\About.lnk
- %UserProfile%\Start Menu\Programs\User Protection\Activate.lnk
- %UserProfile%\Start Menu\Programs\User Protection\Buy.lnk
- %UserProfile%\Start Menu\Programs\User Protection\User Protection Support.lnk
- %UserProfile%\Start Menu\Programs\User Protection\User Protection.lnk
- %UserProfile%\Start Menu\Programs\User Protection\Scan.lnk
- %UserProfile%\Start Menu\Programs\User Protection\Settings.lnk
- %UserProfile%\Start Menu\Programs\User Protection\Update.lnk
- C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk
- C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk
- C:\Documents and Settings\All Users\Desktop\youporn.com.lnk
- %UserProfile%\Local Settings\temp\asr64_ldm.exe
- %UserProfile%\Desktop\User Protection Support.lnk
- %UserProfile%\Desktop\User Protection.lnk
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\User Protection.lnk
How to Remove ”User Protection” Manually
1. Restart your computer in SafeMode
- After Power-On the computer, just before Windows start, press F8
- From the selections, Select SafeMode
2. Remove Registry entries that the threat added. You MUST BACKUP YOUR REGISTRY FIRST.
- Click Start > Run
- Type in the field, regedit
- Navigate and look for the registry entries mentioned above and delete if necessary
3. Delete malicious files that the threat added:
- Base on the given location above, browse and delete the file
- If no location is given, click Start>Search> and search for the files.
- If cannot be deleted, press Ctrl+Alt+Del to access Task Manager, see if the file is running in the process. If it is, select the file and click End Process. Perform file delete again.
4. Scan computer with Antivirus Program
- Update antivirus program
- Scan computer and delete all detected threats.
Automatic Removal of User Protection
1. Download and run MalwareBytes AntiMalware to remove User Protection
