This fake program is promoted and installed through the use of Trojans and other malware. Usually, the Trojans come from fake online scanners or misleading online video websites, disguised as Flash Player updates or video codecs. Once installed, Data Protection will simulate a system scan and report false system security threats. Moreover, it will attempt to uninstall legitimate anti-virus and anti-spyware programs from your computer. The rogue program will state that your current antivirus software is infected and that you should remove it. Of course, that's not true. Furthermore, it will display fake security alerts every few minutes. The text of some of these warnings is:
"Warning! Adware detected!
Adware module detected on your PC!
Zlob.Porn.Ad adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."
"Warning! Virus threat detected!
Virus activity detected!
Trojan-Downloader.VBS adware has been detected. This adware module advertises websites with explicitly content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now."
"Danger!
A security threat detected on your computer. TrojanASPX.JS.Win32. It strongly recommended to remove this threat right now. Click on the message to remove it."
Last, but not least, Data Protection will block legitimate anti-virus and anti-malware programs, hijack Internet Explorer and add some porn icons to your Desktop. Also note that this fake program may come bundled with the TDSS rootkit. That's why we strongly recommend that you scan your computer with the TDSSKiller utility from Kaspersky Lab (it removes rootkits for free). If you can't download or launch malware removal tools because Data Protection blocks them, you will have to reboot your computer in Safe Mode with Networking (follow the removal instructions below). Finally, if you have any questions or additional information about this virus, don't hesitate to leave a comment. By the way, if you have already purchased it, you should contact your credit card company and dispute the charges. Good luck and be safe!
Data Protection removal instructions (in Safe Mode with Networking, Method 1):
1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
NOTE: Log in as the same user you were previously logged in as in normal Windows mode.
2. Download SUPERAntispyware, MalwareBytes Anti-malware, Spybot - Search & Destroy or Spyware Doctor and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run a system scan again. That's it!
4. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.
Data Protection removal instructions: (Method 2)
1. Download the file TDSSKiller.zip and extract it into a folder
2. Execute the file TDSSKiller.exe (NOTE: you may have to rename TDSSKiller.exe to explorer.com yourself or download already renamed explorer.com file in order to run it)
3. Follow the prompts and wait for the scan and disinfection process to be over. Close all programs and press “Y” key to restart your computer.
A more detailed TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684
4. Download one of the following anti-malware software and run a full system scan:
5. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.
Data Protection associated files and registry values:
Files:
- C:\Documents and Settings\All Users\Application Data\[random].dll
- %UserProfile%\Start Menu\Programs\Data Protection
- C:\Program Files\Data Protection
- C:\Program Files\Data Protection\about.ico
- C:\Program Files\Data Protection\activate.ico
- C:\Program Files\Data Protection\buy.ico
- C:\Program Files\Data Protection\dat.db
- C:\Program Files\Data Protection\datext.dll
- C:\Program Files\Data Protection\dathook.dll
- C:\Program Files\Data Protection\datprot.exe
- C:\Program Files\Data Protection\help.ico
- C:\Program Files\Data Protection\scan.ico
- C:\Program Files\Data Protection\settings.ico
- C:\Program Files\Data Protection\splash.mp3
- C:\Program Files\Data Protection\Uninstall.exe
- C:\Program Files\Data Protection\update.ico
- C:\Program Files\Data Protection\virus.mp3
- %Temp%\4otjesjty.mof
- %Temp%\MSWINSCK.exe
- %Temp%\wscsvc32.exe
Registry values:
- HKEY_CURRENT_USER\Software\Malware Defense
- HKEY_CURRENT_USER\Software\Paladin Antivirus
- HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
- HKEY_LOCAL_MACHINE\SOFTWARE\Data Protection
- HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection
- HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus
- HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Data Protection"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"
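To see which of the entries listed above are actually present on a machine before and after cleaning, here is a read-only PowerShell check. It is an added example, not part of the original removal instructions; the function name Get-DataProtectionIndicator is made up for illustration, and all paths, keys and values are copied from the list above.

```powershell
# Read-only check: reports which entries from the list above exist on this host.
# Nothing is deleted or changed. [random].dll is not checked because its name varies.
$paths = @(
    'C:\Program Files\Data Protection',
    "$env:USERPROFILE\Start Menu\Programs\Data Protection",
    "$env:TEMP\4otjesjty.mof",
    "$env:TEMP\MSWINSCK.exe",
    "$env:TEMP\wscsvc32.exe",
    'HKCU:\Software\Malware Defense',
    'HKCU:\Software\Paladin Antivirus',
    'HKLM:\SOFTWARE\Data Protection',
    'HKLM:\SOFTWARE\Malware Defense',
    'HKLM:\SOFTWARE\Paladin Antivirus',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}'
)

# Registry values: key, value name, and the data to match where the list gives it.
$cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$values = @(
    @{ Key = "HKCU:\$cv\Run"; Name = 'Data Protection' },
    @{ Key = "HKCU:\$cv\Policies\System"; Name = 'DisableTaskMgr'; Data = '1' },
    @{ Key = "HKLM:\$cv\policies\system"; Name = 'DisableTaskMgr'; Data = '1' },
    @{ Key = "HKLM:\$cv\Shell Extensions\Approved"
       Name = '{5E2121EE-0300-11D4-8D3B-444553540000}' }
)

# Hypothetical helper name; returns one string per entry that was found.
function Get-DataProtectionIndicator {
    $hits = @()
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $hits += $p }
    }
    foreach ($v in $values) {
        $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # key or value is absent
        $data = $item.($v.Name)
        # Report the value if the list gives no data, or if the data matches.
        if (-not $v.ContainsKey('Data') -or "$data" -eq $v.Data) {
            $hits += ('{0} "{1}" = "{2}"' -f $v.Key, $v.Name, $data)
        }
    }
    return $hits
}

$found = @(Get-DataProtectionIndicator)
if ($found.Count -eq 0) { 'No listed entries found.' } else { $found }
```

Run it as the same user that was logged in when the infection appeared, because the HKEY_CURRENT_USER and %Temp% entries are per-user.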