Thursday, 18 March 2010

How to remove "User Protection" fake program (Free removal)

User Protection is a fake anti-virus program from the same family as Dr. Guard and Paladin Antivirus. This fake program reports false threats on your computer and displays fake warnings to make you think that your computer is infected with worms, trojans, spyware, adware, etc. User Protection usually comes from fake online scanners, malicious sites (usually infected online video sites) or through the use of other malicious software.

User Protection video: (thanks to rogueamp)

The rogue program may also be distributed on popular social networks such as Facebook, MySpace or even Twitter. Very often it comes bundled with rootkits (mainly the TDSS rootkit), which is why you should run a full system scan with a legitimate and powerful anti-malware program. It's possible to remove User Protection manually too, but manual removal is not recommended.

"Warning! Virus threat detected!
Virus activity detected!
Trojan-Clicker.Win32 adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."

As a typical rogue anti-virus program, User Protection may block legitimate programs, especially antivirus and anti-malware applications. It also attempts to uninstall legitimate anti-virus software if it finds any on the compromised computer. It tries to uninstall MalwareBytes anti-malware, NOD32 Antivirus, AVG, Avast!, Avira and other better-known security programs. The reason is obvious: to protect itself from being uninstalled.

It also uses browser hijacking and disables certain Windows system tools (usually Task Manager and Registry Editor). That's usual behavior. User Protection impersonates Windows Security Center and states that you should purchase the program in order to protect yourself. The most important thing to remember is that User Protection is a scam, an absolutely needless program. It will prompt you to pay for a full version of the program numerous times. Don't buy it! If you have already purchased it, then you should contact your credit card company and dispute the charges while it is not too late.

The most important question is, of course, how to get rid of this infection. Thankfully, there is a way to remove User Protection from a computer for free using legitimate anti-malware programs. Please follow the removal instructions below. If you have any questions, don't hesitate to ask or leave a comment. Good luck and be safe!

User Protection removal instructions:

1. Download the file and extract it into a folder.
2. Execute the file TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe yourself or download an already renamed file in order to run it).
3. Follow the prompts and wait for the scan and disinfection process to finish. Close all programs and press the “Y” key to restart your computer.
More detailed TDSSKiller tutorial:
4. Download one of the following anti-malware programs and run a full system scan:
5. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.

User Protection associated files and registry values:

  • C:\Program Files\User Protection
  • C:\Program Files\User Protection\usr.db
  • C:\Program Files\User Protection\usrext.dll
  • C:\Program Files\User Protection\usrhook.dll
  • C:\Program Files\User Protection\usrprot.exe
  • C:\Program Files\User Protection\virus.mp3
  • %UserProfile%\Local Settings\Temp\4otjesjty.mof
  • %UserProfile%\Local Settings\Temp\usr.dat
  • %UserProfile%\Local Settings\Temp\usrr.dat
  • %UserProfile%\Start Menu\Programs\User Protection
  • C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll
  • HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\User Protection
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "User Protection"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"
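To see which of the items above are present before or after a scan, the list can be checked with a short read-only PowerShell script. This is an added example, not part of the original removal instructions; it uses the paths exactly as listed above (Windows XP layout) and deletes nothing.

```powershell
# Added example: read-only presence check for the User Protection artifacts
# listed on this page. It only reports; it does not delete or modify anything.

# Files and folders, exactly as listed above; %UserProfile% is expanded at run time.
$files = @(
    'C:\Program Files\User Protection',
    'C:\Program Files\User Protection\usr.db',
    'C:\Program Files\User Protection\usrext.dll',
    'C:\Program Files\User Protection\usrhook.dll',
    'C:\Program Files\User Protection\usrprot.exe',
    'C:\Program Files\User Protection\virus.mp3',
    '%UserProfile%\Local Settings\Temp\4otjesjty.mof',
    '%UserProfile%\Local Settings\Temp\usr.dat',
    '%UserProfile%\Local Settings\Temp\usrr.dat',
    '%UserProfile%\Start Menu\Programs\User Protection',
    'C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

# Registry keys (the key itself is the indicator).
$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\User Protection'
)

# Registry values (a named value inside a key that normally exists).
$regValues = @(
    @{ Key  = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
       Name = 'User Protection' },
    @{ Key  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
       Name = '{5E2121EE-0300-11D4-8D3B-444553540000}' }
)

$found = @()
foreach ($path in $files + $regKeys) {
    if (Test-Path -LiteralPath $path) { $found += $path }
}
foreach ($v in $regValues) {
    $key = Get-Item -LiteralPath $v.Key -ErrorAction SilentlyContinue
    # GetValue returns $null when the named value is absent.
    if ($key -and $null -ne $key.GetValue($v.Name)) { $found += "$($v.Key) [$($v.Name)]" }
}

if ($found.Count -eq 0) {
    Write-Output 'None of the listed User Protection items were found.'
} else {
    Write-Output "Found $($found.Count) listed item(s):"
    $found | ForEach-Object { Write-Output "  $_" }
}
```

Run it from the affected user's account, because the Run value and the %UserProfile% paths are per-user.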
