Malware Protection
On this page, you can read more about the Malware Protection virus. It mimics what a genuine antivirus does in order to mislead computer users.
The Malware Protection virus is nothing but a program made to scam computer users. While some websites promote it as a legitimate program, security experts have enough evidence to consider it rogue software. Commonly spread by means of fake security websites and with the help of a Trojan, Malware Protection can get into the system uninvited. Once inside the computer, it begins to alter system settings and modify the registry so that it loads each time you run Windows. Excessive fake pop-up alerts and warning messages are just some of the hideous things to expect on the victim’s computer. This is one way it promotes Malware Protection as a legitimate program. It claims to remove locally detected threats but does not have the capacity to do so.
Rogue programs are usually installed without an option to remove them through Add/Remove Programs in Windows. They are meant to stay on the system and carry on with annoying activities until you purchase a registration key. The presence of this malware is very disruptive: any software will be prevented from running, with a claim that the file is infected. Security settings are also lowered to the extent that installed anti-virus and firewall programs are killed. With this technique, Malware Protection will remain on the system unharmed. It is important to remove Malware Protection immediately before it can do any further harm to the computer.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Malware Protection Desktop Lock
Update: 13 March 2012
There is a new version of Malware Protection. This time, it is not presented as antivirus software but rather acts as “ransomware”. The new variant locks the desktop and prevents you from running any programs. In short, it renders the compromised computer useless. It only gives back your access once you have purchased the serial number. It displays the following message:
Malware Protection
Warning! Access to your computer is limited and all your important files has been decrypted with AES-256-KEY.
From your computer was detected mailing (spam) sending a very dangerous polymorphic virus which contradicts law and harm other network users. Your computer has been also infected by this very dangerous polymorphic virus, which modifies itself every 24 hours and in this case virus detection by anti-viruses is very difficult.

To unlock your desktop, please use this code: 76557152140071780302280
Once the desktop is functioning, please proceed with the removal procedure below to ensure that all files and registry values are eliminated.
Malware Protection Removal Procedures
Manual Removal:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with “Malware Protection”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
(random characters).exe
2. Update your installed antivirus application so that it has the latest database.
3. Thoroughly scan the computer and remove any detected threats. If removal is blocked, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. Please see the files below that are related to the Malware Protection virus.
4. Registry entries created by Malware Protection must also be removed from the Windows system. Please refer below for entries associated with the rogue program.
5. Exit registry editor.
6. Get rid of the Malware Protection start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
(random characters).exe
7. Click Apply and restart Windows.
Malware Protection Removal Tool:
1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) from this link and save it on your Desktop.
2. After downloading, double-click on the file to install the application.
3. Follow the prompts and install as “default” only.
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on “Show Results”.
8. Make sure that all detected threats are marked, then click on Remove Selected.
9. Restart the computer.
Note: “Malware Protection” may prevent mbam-setup.exe from downloading and running. You can download and rename this program on a different computer before running it on the infected system.
Using Portable SuperAntiSpyware:
To thoroughly remove the virus, it is best to do a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Click here to download and run SAS Portable Scanner.
Technical Details and Additional Information:
Malicious Files Added by Malware Protection:
%Documents and Settings%\[User Name]\Desktop\Malware Protection.lnk
%Documents and Settings%\[User Name]\Start Menu\Malware Protection.lnk
%Documents and Settings%\[User Name]\asr.dat
%Documents and Settings%\[User Name]\Application Data\1tmp.bat
%Documents and Settings%\[User Name]\Application Data\defender.exe
%Documents and Settings%\[User Name]\Application Data\scan.dll
%Documents and Settings%\[User Name]\Application Data\[random].tmp
Malware Protection Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = “0”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “rundll32” = “”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80c10400-59cb-4c79-97ce-cc693103afca}
HKEY_CURRENT_USER\Software\Malware Protection
HKEY_CLASSES_ROOT\BrcWizApp.BrcWiz
HKEY_CLASSES_ROOT\BrcWizApp.BrcWiz.1
HKEY_CLASSES_ROOT\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}
HKEY_CLASSES_ROOT\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}
HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKEY_CLASSES_ROOT\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}
HKEY_CURRENT_USER\Software\Microsoft “adver_id” = “29”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = “.exe;”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Malware Protection”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “rundll32” = “”
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%UserProfile%\Application Data\defender.exe” /sn”
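The registry list above can be checked offline against a text export of a suspect machine's registry. The script below is an added example, not part of the original guide or of any tool it mentions: it assumes the export was produced in `reg export` format and already decoded to text (such files are normally UTF-16), the function names are hypothetical, the sample is constructed, and only a subset of the entries listed above is checked.

```python
import re
# Indicators copied from this page's registry list: (key, value name, data test).
# A value name of None means the key's presence alone is the indicator.
CV = r"\Software\Microsoft\Windows\CurrentVersion"
INDICATORS = [
    ("HKEY_LOCAL_MACHINE" + CV + r"\policies\system", "EnableLUA",
     lambda d: d in ("0", "dword:00000000")),
    ("HKEY_CURRENT_USER" + CV + r"\Policies\Associations", "LowRiskFileTypes",
     lambda d: ".exe" in d.lower()),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", lambda d: "defender.exe" in d.lower()),
    ("HKEY_CURRENT_USER" + CV + r"\Run", "Malware Protection", lambda d: True),
    (r"HKEY_CURRENT_USER\Software\Malware Protection", None, None),
    (r"HKEY_CLASSES_ROOT\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}", None, None),
]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Return {key: {value name: data}} (names lower-cased) from .reg export text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            data = m.group(2)
            if len(data) > 1 and data[0] == data[-1] == '"':  # REG_SZ: undo escaping
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[m.group(1).lower()] = data
    return keys

def find_indicators(text):
    """Return the (key, value name) indicators that are present in the export."""
    keys, hits = parse_reg_export(text), []
    for key, name, test in INDICATORS:
        values = keys.get(key.lower())
        if values is None:
            continue
        if name is None or (name.lower() in values and test(values[name.lower()])):
            hits.append((key, name))
    return hits

# Constructed sample in `reg export` format (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="\"C:\\Documents and Settings\\user\\Application Data\\defender.exe\" /sn"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
```

Calling find_indicators(SAMPLE) reports the disabled UAC setting and the hijacked per-user Winlogon shell, and ignores the ordinary ctfmon.exe start-up entry.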
Stephanie
Jun 17, 2011 @ 18:05:35
I have received a pop-up stating my computer may be infected with Malware Virus. I have a virus protection already. How do I get rid of this? It is not allowing me to do anything, internet etc. Please respond, thanks.