Cloud Protection Virus

11 October 2011 Rogue 0 Comment

Cloud Protection is a program that fits the class of ‘fake software that aims to steal money from victims.’ This software uses tricky method to make user believe that computer is at risks and immediate removal action is needed. Cloud Protection produces dozens of fake alert messages aside from the actual scan it commence during Windows start-up. Through this course, one can be easily convinced that viruses really exist on the system and there is no other way to cure it than to obtain the paid version of Cloud Protection.

Cloud Protection typically arrives on computer uninvited. In fact, it was another Trojan infection that may get this fake antivirus inside your system. Trojan’s origin is hardly identified because it may reach ones PC from so many sources. Roughly, Trojan that is associated to rogue software mainly spread through fake online virus scanner website, fraud web site, fake video web site and peer-to-peer network connections. A rogue author employs the use of Trojan because of its ability to intrude a system while bypassing security protection. Once it gets inside, Trojan fetches a copy of Cloud Protection from a specified host and install without your notice.

The only sign that Cloud Protection is inside your computer is when annoyances begin to emerge at once. Pop-up alerts, task bar warning and redirection of search result are most noticeable symptoms. Other damages that Cloud Protection virus can cause are almost infinite. In fact, this malware can bring system to a total failure by halting every resources needed to operate it.

In the end, you can realize that all of these trouble only roots to one goal. Authors intend to sell the fake security program with this deceptive scheme.

Screen Shot Images:

Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Characteristics (Analysis)
This threat runs automatically each Windows boot up by adding the following entry to Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “(random characters)”

Malware Behavior
Once the malware gets inside the computer, it begins to issue extreme pop-up alerts and warning messages. This is an attempt to to make user believe that system is at risks and Cloud Protection can help you fix this problem.

Warning! Infection found
Unauthorized sending E-MAIL with subject “RE:” to <fake email here> was CANCELLED.

Warning! Infection found
Unwanted software (malware) or tracking cookies have been found during last scan. It is highly recommended to remove it from your computer.
Keylogger Zeus was detected and put in quarantine.
Keylogger Zeus is a very dangerous software used by criminals to steal personal data such as credit card information, access to banking accounts, passwords to social networks and e-mails.

Security Warning
Your computer continues to be infected with harmful viruses. In order to prevent permanent loss of your information and credit card data theft please activate your antivirus software. Click here to enable protection.

Added Registry Entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(random characters)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(random characters)" 

Associated Files and Folders:

%AppData%\(random characters)\
%AppData%\(random characters)\
%AppData%\(random characters)\
%AppData%\(random characters)\
%AppData%\ldr.ini
%AppData%\svhostu.exe
%AppData%\(random characters)\Cloud Protection.ico
%StartMenu%\Programs\Cloud Protection\
%StartMenu%\Programs\Cloud Protection\Cloud Protection.lnk
%StartMenu%\Programs\Startup\crss.exe
%System%\(random characters).exe
%UserProfile%\Desktop\Cloud Protection.lnk
%Temp%\svhostu.exe 

This guide requires a tool called Malwarebytes' Anti-Malware. It is a free tool designed to eradicate various computer infections. MBAM scanner is distributed for free.

Boot Windows in Safe Mode With Networking

1. First thing to do is to reboot the computer in Safe Mode with Networking to avoid Cloud Protection from loading at start-up. You may want to print this procedure as we have to restart the computer to complete the removal process.
- Restart the computer.
- Before Windows begins to load, press F8 on your keyboard.
- It will display an Advanced Boot Options menu. Please select Safe Mode with Networking.
- Windows will now start in Safe Mode.

Automatic Removal Procedure

2. Download removal tool from this page and save it on your Desktop or any location on your PC.
3. When finish downloading, double-click on the file to install the application.
4. Follow the prompts and install with default configuration.
5. Before the installation completes, you need to update the database.

6. Click Finish. Program will run automatically and you will be prompt to update the program before doing a scan. Please update.
7. When finished updating, the tool will run. Select Perform full scan on main screen to check your computer thoroughly.
8. When scanning is finished click on Show Results.
9. Make sure that all detected threats are checked, click on Remove Selected. This will delete all files and registry entries that belongs to Cloud Protection.
10. Restart your computer.

Note: If Cloud Protection prevents mbam-setup.exe from downloading. Download the software from another computer. Renaming it to something like 'anything.exe' can help elude the malware.