Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Your Protection Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us

Your Protection is one of a recent addition to the long line of rogue security software. The tested variant posed as a version of the popular Adobe Flash Player. Once activated in the computer, the installer downloads and installs the Your Protection scareware. Once installed the Your Protection scareware looks for installations of certain security software and pops up the following message if found:

“There is unauthorized antivirus software detected on your computer. It is recommended you to remove it, otherwise it could conflict with Your Protection. Press ‘OK’ to remove ………”

Similar to its kind it initiates a fake system scan and purportedly finds many non-existent malware infections. This scareware:

  • Disables Legitimate Windows Security Center
  • Disables TaskManager
  • Disables Security Center notifications
  • Installs a version of Fake Windows Security Center
  • Drops internet shortcuts to porn sites on the desktop
  • Doesn’t allow running of certain security software
your protection 03 590x437 Your Protection Analysis and Removal

Your Protection Scareware

A rogue security software such as Your Protection belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

Rogue security software like Your Protection are commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Your Protection Aliases

The trojan downloader in this instance was named adobeflashplayerv10.0.45.2.exe (21504 bytes). It was detected by only 6/39 (15.39%) of the antivirus engines available at VirusTotal.

This scareware or its associate files are known by the following aliases:

  • TrojWare.Win32.Trojan.Agent.Gen
  • Adware.Win32.YourProtection!A2
  • W32/Malware!Gemini
  • DNSChanger!dd
  • Troj/MsvcrtHk-E
  • Trojan.Win32.Alureon
  • Trojan:Win32/Alureon.DK
  • Mal/TDSSConf-A

Typical Your Protection Scare Messages

Danger! Unauthorized access to your computer! Click on the message to install up-to-date antivirus software.

Danger! Harmful viruses detected on your computer. This malicious software may harm your computer. click on the message to ensure the protection of your computer.

Danger! A security threat detected on your computer. Trojan ASPX.JS.Win32. It strongly recommended to remove this threat right now.

Warning! Network attack detected! Network intrusion detected! Your oomputer is bring attacked from a remote PC.

Your Protection Associated Files and Folders

  • C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk
  • C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk
  • C:\Documents and Settings\All Users\Desktop\youporn.com.lnk
  • C:\Documents and Settings\All Users\Favorites\_favdata.dat
  • C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\Your Protection.lnk
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temporary Internet Files\Content.IE5\T4OOPICJ\readdatagateway[1].htm
  • C:\Documents and Settings\malwarehelp.org\Desktop\Your Protection Support.lnk
  • C:\Documents and Settings\malwarehelp.org\Desktop\Your Protection.lnk
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\1.ico
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\2.ico
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\3.ico
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\4otjesjty.mof
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd3.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd4.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\asd4.tmp.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\dhdhtrdhdrtr5y
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\mplay32xe.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\TMP20E3.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\uacdf16.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\uace078.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\uace4ce.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\uace616.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\uace829.tmp
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\urp.dat
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\urpr.dat
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\_iu14D2N.tmp
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Your Protection\About.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Your Protection\Activate.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Your Protection\Buy.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Your Protection\Scan.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Your Protection\Settings.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Your Protection\Update.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Your Protection\Your Protection Support.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Your Protection\Your Protection.lnk
  • C:\Program Files\Your Protection\about.ico
  • C:\Program Files\Your Protection\activate.ico
  • C:\Program Files\Your Protection\buy.ico
  • C:\Program Files\Your Protection\help.ico
  • C:\Program Files\Your Protection\scan.ico
  • C:\Program Files\Your Protection\settings.ico
  • C:\Program Files\Your Protection\splash.mp3
  • C:\Program Files\Your Protection\Uninstall.exe
  • C:\Program Files\Your Protection\update.ico
  • C:\Program Files\Your Protection\urp.db
  • C:\Program Files\Your Protection\urpext.dll
  • C:\Program Files\Your Protection\urphook.dll
  • C:\Program Files\Your Protection\urpprot.exe
  • C:\Program Files\Your Protection\virus.mp3
  • C:\WINDOWS\Prefetch\ADOBEFLASHPLAYERV10.0.45.2.EX-04EA2DF4.pf
  • C:\WINDOWS\Prefetch\ASD3.TMP.EXE-1B9AA182.pf
  • C:\WINDOWS\Prefetch\ASD4.TMP.EXE-1C110D1B.pf
  • C:\WINDOWS\Prefetch\MOFCOMP.EXE-01718E95.pf
  • C:\WINDOWS\Prefetch\MPLAY32XE.EXE-155E7535.pf
  • C:\WINDOWS\Prefetch\SC.EXE-012262AF.pf
  • C:\WINDOWS\Prefetch\TMP1A0D.EXE-2E44E9C3.pf
  • C:\WINDOWS\Prefetch\TMP20A5.EXE-0F972A48.pf
  • C:\WINDOWS\Prefetch\URPPROT.EXE-0CAEE174.pf

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Your Protection Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify=0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}=Your Protection extension
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Protection\DisplayIcon=C:\Program Files\Your Protection\urpprot.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Protection\DisplayName=Your Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Protection\DisplayVersion=1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Protection\Publisher=Your Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Protection\UninstallString=C:\Program Files\Your Protection\Pklkvqdii+`}`
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Protection\URLInfoAbout=http://support.activesecuritys.org
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\Settings_0=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\SecStatus_3=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\SecStatus_4=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\SecStatus_5=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\FD=0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\GUID=795639577956390279563836
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\Data=:1991:2104:2217:2330:2443:2556:2669:2782:2895:3008:3121:3347:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\swver=3.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\dbver=1.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\dbsigns=62577
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\dbverf=1.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\dbsignsf=62577
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\InfectedFiles=C:\WINDOWS\System32\wowfaxui.dll,C:\WINDOWS\System32\Drivers\compbatt.sys,C:\WINDOWS\System32\Drivers\rootmdm.sys,C:\WINDOWS\System32\Wbem\evntrprv.mof,C:\WINDOWS\System32\Wbem\wmipicmp.mof,C:\WINDOWS\Fonts\app855.fon,C:\WINDOWS\Fonts\sserife.fon,C:\WINDOWS\Help\chnscsvr.hlp,C:\WINDOWS\Help\joy.chm,C:\WINDOWS\Help\remasst.chm,C:\WINDOWS\Media\chimes.wav,HKCR\shopNon.shopNonHelper*,
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\LastScan=1270704280
  • HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection\Infected=16
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mplay32xe.exe=C:\DOCUME~1\MALWAR~1.ORG\LOCALS~1\Temp\mplay32xe.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Your Protection=”C:\Program Files\Your Protection\urpprot.exe” -noscan
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\malwarehelp.org\Desktop\adobeflashplayerv10.0.45.2.exe=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\MALWAR~1.ORG\LOCALS~1\Temp\TMP1A0D.exe=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\MALWAR~1.ORG\LOCALS~1\Temp\TMP20A5.exe=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\MALWAR~1.ORG\LOCALS~1\Temp\asd3.tmp.exe=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\MALWAR~1.ORG\LOCALS~1\Temp\_iu14D2N.tmp=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Your Protection\urpprot.exe=
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\MALWAR~1.ORG\LOCALS~1\Temp\mplay32xe.exe=

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Your Protection Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • www.elefind. org
  • www.securityletters. com
  • findernos. org
  • searchmartiup. org
  • searchlityup. org

Note: Visiting the domains mentioned above may harm your computer system.

Your Protection Removal (How to remove Your Protection)

MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download), when run in safe mode was able to clear this infection.

  • Boot in to Windows Safe Mode with networking.
  • Download, Install and run MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download). Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full-scan. Once the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  • In normal mode, again run a full-scan with MalwareBytes’s Anti-Malware. If prompted restart immediately back into normal mode.
  • Turn System Restore off and on

You should now be clean of this rogue.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Your Protection Scareware — Screenshots

Your Protection Scareware — Video

Note: The Your Protection installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

You may also like to read



{ 4 comments… read them below or add one }

rod May 5, 2010 at 3:17 PM

this is exactly happened to my computer, i am not a very good computer user,do you know someone on the gold coast you would reccomend i take my computer to to get it sorted out…kind reguards rod….0408xxxxxx

Reply

Farzaneh July 18, 2010 at 10:16 PM

Hello Shanmuga,
My notebook pc became infected with “your protection” malware a few days ago.
Per your instructions I booted in safemode with networking, downlowded, installed and updated the malware help software, opened the scanner tab and chose full scan. After over an hour the scanner showed that the infected files count has gone up to 60, but then suddenly the warning message came that your computer is not protected and must be restarted, and it restarted the pc automatically. I went through the whole scanning process again, but before finishing the scan process, the warning came and the pc restarted. This malware is so nasty that it is even showing up at the start up in ‘safe mode’ and it gives me fake security warnings every few minutes, and my McAfee antivirus software has not been able to prevent or remove it. I wonder if choosing the quick scan instead of the full scan would be of any help! Any suggestions as to how to complete the full scan (without the pc restarting halfway through) and remove this horrible “your protection” malware?

Reply

sambo July 21, 2010 at 8:19 PM

All… DEFENCE CENTRE is the cause of all strange messages popping up. The good news is that I just managed to remove it using free \malwarebytes\. You need to go into safe mode with networking and make sure you don’t have other programs running including your browser.
Follow the instructions and depending on the number of files to scan it will take about 30 mins to complete. I was waiting for the good ol’ \found heaps of infected files… now cough up your credit card details\ but I can confirm it is free.
Oh, one last tip.. when you are going through around 35 mins of full scanning, you might get a pop up box with one of those friggin annoying virus messages (because of defence centre), so if you can’t get rid of that box end the annoying message using task manager (ctl + alt + del).
Good luck !! Will work, but you need to invest around 40 mins. It saved me McAfee virus removing service worth 129 bucks.
ps.. who are these a holes \defence centre\ ??!!??!!

Reply

Nita September 6, 2010 at 11:26 AM

Hi, just followed the above instructions as both my sony vaio laptops had this annoying virus! And just wanted to say thank you – both sorted, really easy and free – thanks again!

Reply

Leave a Comment

Previous post:

Next post: