Mar 22

User Protection Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the User Protection adware. a-squared Anti-Malware detects this malware as Adware.Win32.UserProtection.

User Protection is a rogue security program, a new variant from Dr. Guard/PaladinAntivirus. It tries to trick you by displaying false-positive, misleading scan results that claim your computer is infected with viruses or trojans, and you will not be able to delete them before you purchase.

Creates new files:

  • %ProgramFiles%\User Protection\scan.ico
  • %ProgramFiles%\User Protection\settings.ico
  • %ProgramFiles%\User Protection\splash.mp3
  • %ProgramFiles%\User Protection\uninstall.exe
  • %ProgramFiles%\User Protection\update.ico
  • %ProgramFiles%\User Protection\usr.db
  • %ProgramFiles%\User Protection\usrext.dll
  • %ProgramFiles%\User Protection\usrhook.dll
  • %ProgramFiles%\User Protection\usrprot.exe
  • %ProgramFiles%\User Protection\virus.mp3
  • %ProgramFiles%\User Protection\about.ico
  • %ProgramFiles%\User Protection\activate.ico
  • %ProgramFiles%\User Protection\buy.ico
  • %ProgramFiles%\User Protection\help.ico
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\User Protection.lnk
  • %UserProfile%\Desktop\User Protection.lnk
  • %UserProfile%\Desktop\User Protection Support.lnk
  • %UserProfile%\Desktop\License.txt
  • %UserProfile%\Local Settings\Temp\4otjesjty.mof
  • %UserProfile%\Local Settings\Temp\usr.dat
  • %UserProfile%\Local Settings\Temp\usrr.dat
  • %UserProfile%\Start Menu\Programs\User Protection\Settings.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\Update.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\User Protection.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\User Protection Support.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\About.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\Activate.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\Buy.lnk
  • %UserProfile%\Start Menu\Programs\User Protection\Scan.lnk

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\User Protection
  • HKEY_LOCAL_MACHINE\software\User Protection
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “User Protection”
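
The file and registry lists above can be checked on a suspect machine with a short read-only PowerShell script. This is an added example, not part of the original advisory or of a-squared Anti-Malware; it tests a subset of the listed files plus all three registry locations, and the function name Find-UserProtectionArtifacts is hypothetical.

```powershell
# Added example: read-only check for the User Protection artifacts listed on this page.
# Paths and registry locations are copied from the lists above; nothing is deleted.
$files = @(
    '%ProgramFiles%\User Protection\usrprot.exe',
    '%ProgramFiles%\User Protection\usrext.dll',
    '%ProgramFiles%\User Protection\usrhook.dll',
    '%ProgramFiles%\User Protection\usr.db',
    '%ProgramFiles%\User Protection\uninstall.exe',
    '%UserProfile%\Desktop\User Protection.lnk',
    '%UserProfile%\Desktop\User Protection Support.lnk',
    '%UserProfile%\Local Settings\Temp\usr.dat',
    '%UserProfile%\Local Settings\Temp\usrr.dat'
)
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\User Protection',
    'HKLM:\SOFTWARE\User Protection'
)
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'User Protection'

function Find-UserProtectionArtifacts {
    $hits = @()
    foreach ($f in $files) {
        $path = [Environment]::ExpandEnvironmentVariables($f)
        if (Test-Path -LiteralPath $path) {
            $hits += New-Object PSObject -Property @{ Type = 'File'; Location = $path }
        }
    }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $hits += New-Object PSObject -Property @{ Type = 'RegistryKey'; Location = $k }
        }
    }
    # The Run entry is a value under an existing key, so read the value itself.
    $run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($run) {
        $hits += New-Object PSObject -Property @{ Type = 'RunValue'; Location = "$runKey -> $runValue = $($run.$runValue)" }
    }
    return $hits
}

$found = Find-UserProtectionArtifacts
if ($found) { $found | Format-Table Type, Location -AutoSize -Wrap }
else        { 'No User Protection artifacts from this list were found.' }
```

On 64-bit Windows, files and HKLM keys written by a 32-bit installer can appear under %ProgramFiles(x86)% and Wow6432Node instead; that is general Windows behaviour, not something this advisory states.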

How to remove the User Protection infection (Adware.Win32.UserProtection)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.