
Digital Protection Analysis and Removal

by Shanmuga

Digital Protection is one of the recent entrants to the never-ending line of rogue security software. Once installed, this scareware produces a variety of system alerts designed to scare gullible users into buying a subscription. It initiates a fake system scan at every system start and purportedly finds many non-existent malware infections. This scareware:

  • Disables Legitimate Windows Security Center
  • Disables Task Manager
  • Disables Windows firewall
  • Disables Security Center notifications
  • Installs a version of Fake Windows Security Center
  • Drops internet shortcuts to porn sites on the desktop
  • Doesn’t allow running of certain security software

Scareware like Digital Protection is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages, which cyber criminals distribute throughout the Web using blackhat SEO techniques, spam and malicious Flash advertisements.


Digital Protection Scareware

Rogue security software such as Digital Protection belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed immediately from your system.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Digital Protection Aliases

The trojan downloader was about 260096 bytes in size. It was detected by 19/41 (46.35%) of the antivirus engines available at VirusTotal.

This scareware is known by the following aliases:

  • Trojan.FakeAV
  • Mal/FakeAV-CS
  • VirTool:Win32/Obfuscator.EW
  • Trojan.Dldr.FraudLoad.xamj
  • Win32:Jifas-FH
  • TrojWare.Win32.Trojan.Agent.Gen
  • Trojan.Fakealert.15051

Typical Digital Protection Scare Messages

Warning! Antivirus is run in demo mode. Activate your antivirus otherwise all the data will be lost or damaged!

Harmful viruses detected on your computer. Click on the message to scan your computer for security threats for free.

Unauthorized person tries to steal your passwords and private information. Click on the message to prevent identity theft.

A security threat detected on your computer. TrojanASPX.JS.Win32. It is strongly recommended to remove this threat right now. Click on the message to remove it.

It is strongly recommended to remove all detected viruses to protect your computer against existing security threats. Click on the message to ensure the protection of your computer.

Network attack has been detected. Process is attempting to access your private data.

Network intrusion detected! your computer is being attacked from a remote PC.

Digital Protection Associated Files and Folders

  • C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll
  • C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk
  • C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk
  • C:\Documents and Settings\All Users\Desktop\youporn.com.lnk
  • C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\Digital Protection.lnk
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\MSWINSCK.exe
  • C:\Documents and Settings\malwarehelp.org\Desktop\Digital Protection Support.lnk
  • C:\Documents and Settings\malwarehelp.org\Desktop\Digital Protection.lnk
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd5.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd6.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd7.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd8.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd9.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asdA.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asdB.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asdC.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asdD.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asdE.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Digital Protection\Activate.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Digital Protection\Buy.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Digital Protection\Digital Protection Support.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Digital Protection\Digital Protection.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Digital Protection\Scan.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Digital Protection\Settings.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Digital Protection\Update.lnk
  • C:\Program Files\Digital Protection\about.ico
  • C:\Program Files\Digital Protection\activate.ico
  • C:\Program Files\Digital Protection\buy.ico
  • C:\Program Files\Digital Protection\dig.db
  • C:\Program Files\Digital Protection\digext.dll
  • C:\Program Files\Digital Protection\dighook.dll
  • C:\Program Files\Digital Protection\digprot.exe
  • C:\Program Files\Digital Protection\help.ico
  • C:\Program Files\Digital Protection\scan.ico
  • C:\Program Files\Digital Protection\settings.ico
  • C:\Program Files\Digital Protection\splash.mp3
  • C:\Program Files\Digital Protection\Uninstall.exe
  • C:\Program Files\Digital Protection\update.ico
  • C:\Program Files\Digital Protection\virus.mp3
  • C:\Program Files\Digital Protection
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Digital Protection

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Digital Protection Associated Registry Values and Keys

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Digital Protection="C:\Program Files\Digital Protection\digprot.exe" -noscan
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=http=127.0.0.1:5555;
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\Settings_0=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\SecStatus_3=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\SecStatus_4=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\SecStatus_5=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\FD=0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\GUID=468413204669232446522043
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\Data=:1878:1991:2104:2217:2443:2556:2669:2782:2895:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\swver=3.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\dbver=1.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\dbsigns=62577
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\dbverf=1.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\dbsignsf=62577
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\InfectedFiles=C:\WINDOWS\System32\w32topl.dll,C:\WINDOWS\System32\wowfaxui.dll,C:\WINDOWS\System32\Drivers\compbatt.sys,C:\WINDOWS\System32\Drivers\rootmdm.sys,C:\WINDOWS\System32\Wbem\wmipicmp.mof,C:\WINDOWS\Fonts\app850.fon,C:\WINDOWS\Fonts\ssee1257.fon,C:\WINDOWS\Help\charmap.hlp,C:\WINDOWS\Help\ixhelp.hlp,C:\WINDOWS\Fonts\85775.fon,C:\WINDOWS\Fonts\smallf.fon,C:\WINDOWS\Help\cdmedia.chm,C:\WINDOWS\Help\ipsecsnp.chm,
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\LastScan=1271763004
  • HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection\Infected=13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Digital Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Digital Protection\DisplayIcon=C:\Program Files\Digital Protection\digprot.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Digital Protection\DisplayName=Digital Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Digital Protection\DisplayVersion=1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Digital Protection\Publisher=Digital Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Digital Protection\UninstallString=C:\Program Files\Digital Protection\Pklkvqdii+`}`
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Digital Protection\URLInfoAbout=

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.
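
As an added example (not part of the original article or of any tool it mentions), the Python below parses entries written in the `key\value=data` layout of the registry list above and groups the ones that correspond to the Task Manager policy, the autorun entry and the proxy setting pointing at 127.0.0.1. The function names, category labels and matching rules are this example's own assumptions.

```python
import re

# Entries copied from the registry list in this article (quotes shown as plain ASCII).
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Digital Protection="C:\Program Files\Digital Protection\digprot.exe" -noscan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable=0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=http=127.0.0.1:5555;
HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection
'''

def parse_entry(line):
    """Split 'KEY\\Value=data' into (key, value, data); key-only lines give (key, None, None)."""
    head, sep, data = line.strip().partition("=")  # data may itself contain '='
    if not sep:
        return head, None, None
    key, _, value = head.rpartition("\\")
    return key, value, data

def triage(listing):
    """Return sorted (category, detail) findings; categories are this example's own labels."""
    entries = [parse_entry(l) for l in listing.splitlines() if l.strip()]
    values = {(k.lower(), v.lower()): d for k, v, d in entries if v is not None}
    findings = []
    for (key, value), data in values.items():
        if key.endswith(r"\policies\system") and value == "disabletaskmgr" and data == "1":
            findings.append(("task-manager-disabled", key))
        elif key.endswith(r"\currentversion\run"):
            # Pull the executable path out of the command line, quoted or not.
            exe = re.match(r'"([^"]+)"|(\S+)', data)
            if exe:
                findings.append(("autorun", exe.group(1) or exe.group(2)))
        elif key.endswith(r"\internet settings") and value == "proxyserver":
            if re.search(r"(127\.0\.0\.1|localhost):\d+", data):
                # A loopback proxy only takes effect when ProxyEnable is 1.
                on = values.get((key, "proxyenable")) == "1"
                state = "enabled" if on else "configured"
                findings.append(("loopback-proxy-" + state, data))
    return sorted(findings)

if __name__ == "__main__":
    for category, detail in triage(SAMPLE):
        print(f"{category:28} {detail}")
```

On the entries above, the proxy finding is reported as configured rather than enabled, because the list shows `ProxyEnable=0` alongside the `ProxyServer` value.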

Digital Protection Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • securitymental .com

Note: Visiting the domains mentioned above may harm your computer system.

Digital Protection Removal (How to remove Digital Protection)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot into Windows Safe Mode with Networking.
  2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe), or download it on a clean computer and copy it to a removable drive such as a CD, DVD or USB flash drive.
  3. Double-click mbam-setup.exe to start the installation. Proceed with the installation, following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  4. Once the update is completed, launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Digital Protection. The real-time component of the paid version includes dynamic blocking of malicious websites and servers, and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.


Note: The Digital Protection installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Jon Krushe April 22, 2010 at 4:33 AM

First of all – THANK YOU!!!!! This thing hit me on Sunday along with the XP Malware scam. I did a lot of research and all said to use MalwareBytes’s Anti-Malware Free edition, which I did. BUT the other sites said to just do the “Quick Scan” which does NOT remove everything. I did the Full Scan and was overjoyed to see it finally gone! Great tip to do “Turn System Restore off and on” too – that was not suggested on the other sites I checked to fix this issue and I know it helped.

Once again – THANK YOU for the info!


James April 25, 2010 at 8:20 PM

Slight problem here, I use a dongle to access the internet, and it won’t work in safe mode?
I am using Vista and the folders you’ve put up on this page don’t exist, there is no C:\documents and settings.
Any help trying to get this sorted would be most appreciated, as at the moment when I start my computer up I have to run spybot in order to the task manager bug this thing’s got, and then manually stop the processes linked with the virus.
