Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Protection Center Removal and Analysis

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us

Protection Center is a new fraudulent, malicious and fake anti-spyware program that attempts to cheat gullible users to purchase a subscription for itself. This program will simulate a scan of your system at every start-up and lists fake malware infections and produces a variety of genuine looking Windows system alerts that makes it difficult to work with the computer normally.

Once installed this scareware:

  • Disables Windows Task Manager, Registry Editor, Command prompt, MS Configuration editor.
  • Disables running many security software and other programs.
  • Replaces the genuine Windows Security Center with its own.
  • Installs Internet shortcuts to porn websites on the desktop.
  • Installs TDSS Rootkit.
  • Modifies the registry so that the scareware starts every time an .exe file is run.

Scareware like Protection Center are commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

protection center 08 Protection Center Removal and Analysis

Desktop hijacked by Protection Center Scareware.

Protection Center Removal (How to remove Protection Center)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot in to Windows Safe Mode with networking
  2. Right click and save the registry file protection_center_exe_fix.reg, make sure that you are saving the file with a .reg extension.
  3. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
  4. Double click the downloaded “protection_center_exe_fix.reg”. You will see a dialogue box pop-up with a message similar to “Are you sure you want to add the information in trojan_fakerean_exe_fix.reg to the registry”. Click “Yes” to merge the registry data. This will delete the registry keys created by the scareware to start itself with any .exe program.
  5. protection center 09 Protection Center Removal and Analysis

  6. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  7. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  8. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Protection Center. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

Protection Center Analysis

A rogue security software such as Protection Center belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

The trojan downloader in this case is named avs.exe -416768 bytes-. It is detected by 23/41 (56.1%) of the antivirus engines available at VirusTotal.

This scareware is known by the following aliases:

  • Trojan.Win32.FakeCog
  • W32/Alureon.U2.gen!Eldorado
  • Trojan/Win32.FakeAV
  • TR/Crypt.XPACK.Gen2
  • Gen:Variant.TDss.17
  • a variant of Win32/Kryptik.ETG
  • Mal/TDSSPack-Q

Typical Protection Center Scare Messages

Unauthorized access to your computer! Click on the message to install up-to-date antivirus software.

Harmful viruses detected on your computer. This malicious software may harm your computer. Click on the message to ensure the protection of your computer.

Network attack has been detected. Process is attempting to access your private data.

Viruses database is out of date! Please update!

Antivirus is run in demo mode. Activate your antivirus otherwise all the data will be lost or damaged.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Protection Center Associated Files and Folders

  • C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\Protection Center.lnk
  • C:\Documents and Settings\malwarehelp.org\Desktop\nudetube.com.lnk
  • C:\Documents and Settings\malwarehelp.org\Desktop\pornotube.com.lnk
  • C:\Documents and Settings\malwarehelp.org\Desktop\Protection Center Support.lnk
  • C:\Documents and Settings\malwarehelp.org\Desktop\Protection Center.lnk
  • C:\Documents and Settings\malwarehelp.org\Desktop\spam001.exe
  • C:\Documents and Settings\malwarehelp.org\Desktop\spam003.exe
  • C:\Documents and Settings\malwarehelp.org\Desktop\troj000.exe
  • C:\Documents and Settings\malwarehelp.org\Desktop\youporn.com.lnk
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\mscdexnt.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\wscsvc32.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\kernel64xp.dll
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\PRAGMA2b3c.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\PRAGMA3399.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\PRAGMAe91.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\pragmamainqt.dll
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd7.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd8.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd9.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asdA.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asdB.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Protection Center\About.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Protection Center\Activate.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Protection Center\Buy.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Protection Center\Protection Center Support.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Protection Center\Protection Center.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Protection Center\Scan.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Protection Center\Settings.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Protection Center\Update.lnk
  • C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll
  • C:\Program Files\Protection Center\about.ico
  • C:\Program Files\Protection Center\activate.ico
  • C:\Program Files\Protection Center\buy.ico
  • C:\Program Files\Protection Center\cnt.db
  • C:\Program Files\Protection Center\cntext.dll
  • C:\Program Files\Protection Center\cnthook.dll
  • C:\Program Files\Protection Center\cntprot.exe
  • C:\Program Files\Protection Center\help.ico
  • C:\Program Files\Protection Center\scan.ico
  • C:\Program Files\Protection Center\settings.ico
  • C:\Program Files\Protection Center\splash.mp3
  • C:\Program Files\Protection Center\Uninstall.exe
  • C:\Program Files\Protection Center\update.ico
  • C:\Program Files\Protection Center\virus.mp3
  • C:\WINDOWS\PRAGMAkossprrxtc
  • C:\WINDOWS\PRAGMAkossprrxtc\PRAGMAc.dll
  • C:\WINDOWS\PRAGMAkossprrxtc\PRAGMAd.sys
  • C:\WINDOWS\PRAGMAkossprrxtc\pragmabbr.dll
  • C:\WINDOWS\PRAGMAkossprrxtc\PRAGMAcfg.ini
  • C:\WINDOWS\PRAGMAkossprrxtc\pragmaserf.dll
  • C:\WINDOWS\PRAGMAkossprrxtc\PRAGMAsrcr.dat
  • C:\WINDOWS\PRAGMAqxtpetqdbm
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Protection Center
  • C:\Program Files\Protection Center

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Protection Center Associated Registry Values and Keys

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon
  • HKEY_CLASSES_ROOT\.exe\shell
  • HKEY_CLASSES_ROOT\.exe\shell\open
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
  • HKEY_CLASSES_ROOT\.exe\shell\runas
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
  • HKEY_CLASSES_ROOT\.exe\shell\start
  • HKEY_CLASSES_ROOT\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Protection Center=”C:\Program Files\Protection Center\cntprot.exe” -noscan
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
  • HKEY_CURRENT_USER\Software\pragma
  • HKEY_CURRENT_USER\Software\Malware Defense
  • HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}=Protection Center extension
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection Center
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection Center\DisplayIcon=C:\Program Files\Protection Center\cntprot.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection Center\DisplayName=Protection Center
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection Center\DisplayVersion=1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection Center\Publisher=Protection Center
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection Center\UninstallString=C:\Program Files\Protection Center\Pklkvqdii+`}`
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection Center\URLInfoAbout=
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\Settings_0=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\SecStatus_3=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\SecStatus_4=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\SecStatus_5=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\FD=0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\GUID=460991424609809446096918
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\Data=:1878:1991:2104:2217:2443:2782:2895:3008:3121:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\swver=3.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\dbver=1.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\dbsigns=62577
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\dbverf=1.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\dbsignsf=62577
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\InfectedFiles=C:\WINDOWS\System32\w32topl.dll,C:\WINDOWS\System32\wowfaxui.dll,C:\WINDOWS\System32\Drivers\compbatt.sys,C:\WINDOWS\System32\Drivers\rootmdm.sys,C:\WINDOWS\System32\Wbem\wmipicmp.mof,C:\WINDOWS\Help\chnscsvr.hlp,C:\WINDOWS\Help\joy.chm,C:\WINDOWS\Help\remasst.chm,C:\WINDOWS\Media\chimes.wav,
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\LastScan=1275622999
  • HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center\Infected=15
  • HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA
  • HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
  • HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\NextInstance=1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Service=PRAGMAkossprrxtc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Legacy=1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\ConfigFlags=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Class=LegacyDriver
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\ClassGUID={8ECC055D-047F-11D1-A537-0000F8753ED1}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\DeviceDesc=PRAGMAkossprrxtc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Control\*NewlyCreated*=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Control\ActiveService=PRAGMAkossprrxtc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\NextInstance=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Service=PRAGMAkossprrxtc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Legacy=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\ConfigFlags=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Class=LegacyDriver
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\ClassGUID={8ECC055D-047F-11D1-A537-0000F8753ED1}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\DeviceDesc=PRAGMAkossprrxtc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Control\*NewlyCreated*=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAKOSSPRRXTC\0000\Control\ActiveService=PRAGMAkossprrxtc

The term malwarehelp.org in the above entries denotes the name of the Windows user account in the test machine

Protection Center Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • finderdea. org
  • finderaco. org
  • searchtanup. org
  • searchlouinc .org
  • automaticsecurityscan .com

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Protection Center Scareware — Screenshots

Protection Center Scareware — Video

Note: The Protection Center installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

You may also like to read



{ 7 comments… read them below or add one }

trevor June 8, 2010 at 5:11 AM

thank you for posting this i havent tried to use this yet because im not sure if it will work with windows vista, do you recommend that i buy a program and which program would you recommend, i dont know much about computers so i am reluctant to try this free version it seems complex, please email me back with any of your suggestions,

Thank You

Reply

qwerty June 9, 2010 at 9:46 AM

Once the scan is finished, i click “OK” and then im supposed to click show results, but after i click OK the program just goes away. I have to start it up again and rescan it. Whats going on?

Reply

Shanmuga June 9, 2010 at 10:26 AM

@qwerty, you need to be in safe mode when you run the scan.

qwerty June 10, 2010 at 1:56 AM

How do I go into safe mode?

Reply

qwerty June 10, 2010 at 2:53 AM

Nevermind, I got it. Protection Center gone. Thank you very much!

Reply

Scoot August 25, 2010 at 12:36 AM

Wow. bought the full version and ran it today. Did a marvelous job ridding me of the “protection center” and was very easy for me to do. I suspect that the free version would work just as well but, after reading about all of the variations of this bug felt it to be better safe than crashhed!

Reply

Jennifer Ferdinand May 22, 2011 at 1:18 AM

You saved my life. I am on a wireless network so both my PCs got infected. I searched and searched on the internet and came across your site at the very end of hours of searching. I wish it had been one of the top sites to pop up because YOUR INFORMATION WORKED QUICKLY AND PAINLESSLY.

Thank you so much! I will be purchasing the Malwarebytes full price because I can’t risk my work files, 100s of gigs of music and photos going down the drain.

Your site rocks!

How do you make it number one in internet searches? This would help so many!

Reply

Leave a Comment

Previous post:

Next post: