Spyware Protection
Spyware Protection is a rogue security program that is advertised through Trojans and other malware that redirect the Internet browser to predefined malicious web sites. Spyware Protection displays fake alert messages that advise the user to download the unregistered version of the program. Once installed on a computer, it modifies system settings and creates a Windows registry entry that runs Spyware Protection every time the computer starts. Its own virus scan produces fabricated results in an attempt to persuade users to obtain the licensed version. For as long as it is present on the system, this virus continuously reminds the user that the paid version is needed to remove the threats found locally.
Never believe what Spyware Protection is trying to project. These are purely scare tactics, a common deception used to scam computer users into paying for a useless product. Upon agreeing to its terms, the Internet browser is instantly redirected to a fraudulent online payment processing web page. The purchase procedure calls for the entry of credit card information to complete the transaction.
Remove Spyware Protection as soon as symptoms are observed. A free removal tool can be downloaded to eliminate not only Spyware Protection but all of the components involved with it.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Spyware Protection Virus Removal Procedures
Manual Removal:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with the “Spyware Protection” virus. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
winav.exe or sysav.exe
2. Update your installed antivirus application so that it has the latest database.
3. Thoroughly scan the computer and remove any detected threats. If removal is prohibited, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. Please see the files below that are related to the Spyware Protection virus.
4. Registry entries created by Spyware Protection must also be removed from the Windows system. Please refer to the entries below that are associated with the rogue program.
- For Windows 2000/XP: Go to Start > Run, type “regedit” in the dialog box, then press Enter on the keyboard.
- For Windows Vista/7: Go to Start > Search programs and files, type “regedit” and press Enter.
5. Exit registry editor.
6. Get rid of the Spyware Protection start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
winav.exe or sysav.exe
7. Click Apply and restart Windows.
Spyware Protection Removal Tool:
The most practical method to eliminate the Spyware Protection virus is to clear the computer of any infected files. This can be accomplished with the free version of Malwarebytes Anti-Malware. At times, Trojans block the download and execution of the tool to avoid removal. In this situation, download the tool from a clean computer. Rename the file before loading it on the compromised system.
Using Portable SuperAntiSpyware:
To thoroughly remove the virus, it is best to run a separate scan with another security program so that infected files not detected by the anti-virus application can be removed as well. Download and run SAS Portable Scanner.
Technical Details and Additional Information:
Malicious Files Added by Spyware Protection Virus:
%UserProfile%\Application Data\winav.exe
%UserProfile%\Desktop\Spyware Protection.LNK
%UserProfile%\Start Menu\Spyware Protection.LNK
File Location for Windows Versions:
- %AllUserProfile% for Vista/7 users is C:\ProgramData, while for Windows XP/2000 it is C:\Documents and Settings\All Users\
Spyware Protection Registry Entries:
HKEY_CURRENT_USER\Software\Spyware Protection
HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysav"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusDisableNotify" => 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallDisableNotify" => 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UpdatesDisableNotify" => 1
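A read-only check for the files, processes and registry entries listed above, written as an added PowerShell example that is not part of the original article. It assumes PowerShell is available on the affected system (for example on Windows 7), resolves the profile folders through .NET special-folder lookups instead of the literal paths, and only reports what it finds without deleting anything.

```powershell
# Read-only audit of the indicators listed in this article; nothing is changed.
$hits = @()

# Dropped files. The special-folder lookups (an assumption of this example) resolve
# "Application Data", "Desktop" and "Start Menu" on XP as well as on Vista/7.
$files = @(
    (Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'winav.exe'),
    (Join-Path ([Environment]::GetFolderPath('DesktopDirectory')) 'Spyware Protection.LNK'),
    (Join-Path ([Environment]::GetFolderPath('StartMenu')) 'Spyware Protection.LNK')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "File present: $f" }
}

# Processes named in step 1 of the manual removal.
foreach ($p in @(Get-Process -Name winav, sysav -ErrorAction SilentlyContinue)) {
    $hits += "Process running: $($p.Name) (PID $($p.Id))"
}

# Registry key created by the rogue program.
if (Test-Path -LiteralPath 'HKCU:\Software\Spyware Protection') {
    $hits += 'Key present: HKCU\Software\Spyware Protection'
}

# Registry values. Entries with Data are reported only when the data matches.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$values = @(
    @{ Path = "HKCU:\Control Panel\don't load"; Name = 'scui.cpl' },
    @{ Path = "HKCU:\Control Panel\don't load"; Name = 'wscui.cpl' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'sysav' },
    @{ Path = $sc; Name = 'AntiVirusDisableNotify'; Data = 1 },
    @{ Path = $sc; Name = 'FirewallDisableNotify'; Data = 1 },
    @{ Path = $sc; Name = 'UpdatesDisableNotify'; Data = 1 }
)
foreach ($v in $values) {
    $item = Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }      # key or value does not exist
    $data = $item.($v.Name)
    if (-not $v.ContainsKey('Data') -or $data -eq $v.Data) {
        $hits += "Value present: $($v.Path) [$($v.Name)] = $data"
    }
}

if ($hits.Count -eq 0) { 'No listed indicators found.' } else { $hits }
```

Run it as the affected user, since most of the entries live under HKEY_CURRENT_USER and the user profile.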
Mary
Mar 02, 2011 @ 16:17:20
What’s described above is exactly what’s going on with my PC. When I try to do a control alt delete, it says it cannot be started due to infection with w32blaster.worm. It won’t let me do anything. I can’t even open media player or my antimalware program. Nothing. The only thing I can open is Internet Explorer, because it will not let me open my Mozilla. Please tell me what to do.
Frank
Mar 02, 2011 @ 17:36:39
Just finished messing with this spyware protector virus. It locked up my whole system, would not allow me to run any programs including task manager. I found the way to rid it was, shut computer off, restart in safe mode (on startup continually hit F8 key), then go to Start, all programs, accessories, system tools and system restore. Pick an earlier restart point (before you acquire this virus 1-2 todays). Restored me back to normal. Now I will get a good virus protector. Thanks everyone for the answers.
MK
Mar 08, 2011 @ 19:36:33
Frank’s suggestion worked like a charm– thank you so much.
Chris D
Mar 11, 2011 @ 18:14:00
Frank’s advice worked great, thanks
Felipe
Mar 18, 2011 @ 02:12:48
Frank’s solution worked great, thanks !
Prom
Mar 18, 2011 @ 17:12:48
Worked a treat. You know what they say, Ask Frank!
Jeff
Mar 20, 2011 @ 16:44:33
Thank you Frank. It seems to have worked for me also!
Jeff
Mar 20, 2011 @ 16:45:36
How did it get past my AVG virus protection?
Brian
Mar 21, 2011 @ 23:46:27
Frank was dead on! Thank you sir. My wife can now have her damn laptop back and stop using mine! haha
Graham
Mar 24, 2011 @ 11:13:12
This seems to have done the trick for me too – thanks for the good advice, I was getting worried there when the virus was blocking everything I tried to do.
Terry
Mar 27, 2011 @ 20:20:08
Worked for me too. Then downloaded MalwareBytes and found the culprit. Loading AVG 2011 free now and running that scan.
Thanks!!
al
Mar 27, 2011 @ 21:46:46
Just a heads up, folks: while using the system restore may fix this particular issue, it is not a good idea to use it if you can otherwise delete the virus. Carefully following the instructions above, including running Malwarebytes and installing a robust anti-virus, is the best way to get rid of and prevent this virus from hijacking your machine.
JIm
Mar 28, 2011 @ 19:49:10
I got this yesterday…Frustrating. I use the free version of Avast and I left all the alert windows open while I opened and ran Avast, found nothing. Then I set up a boot scan which found the problem. When the scan finished, windows started and Avast opened back up, it prompted me to “fix” the issue, I did. And no more issue.
Good Luck.
brian
Mar 29, 2011 @ 03:52:17
i love frank!!!!!!!!!!
Chris
Mar 29, 2011 @ 04:27:05
Stinger worked well for me.
While in windows with the virus doing its thing, I went to internet explorer and searched for mcafee stinger. Found the website and downloaded it to my desktop.
Restarted, and hit F8 repeatedly to go into safe mode. After boot up, clicked on stinger program, it ran and detected the virus pretty quickly.
Btw, the startup entry (for the variation of the virus I’m infected with) is defender/defender.exe. The virus name as stinger called it is FakeAlert!defender virus!!!
The good thing about using stinger is that when you download it, it is the latest version. No need to update the virus database like malwarebytes, which is helpful if safe mode doesn’t let you get online because the drivers don’t load. Also, since it’s standalone, you can run it from a thumb drive a.k.a. nerd stick.
Hope this helps.
Ry
Mar 30, 2011 @ 21:59:17
After searching for two hours and getting overwhelmed by unclear instructions or manually deleting it piece by piece instructions (not completely computer savvy) FRANK’s advice was the way to go! So easy too! Thank you so much!
Brandon
Mar 31, 2011 @ 01:26:36
It just blocks the system restore as well as everything else I try to do.
Brandon
Mar 31, 2011 @ 11:10:50
Yeah, I tried to do what Frank said but when I clicked System Restore, it said it had a virus and wouldn’t let me open it.
Ewan
Apr 02, 2011 @ 10:59:14
Thanks Frank:)
Rick Jalbert
Apr 02, 2011 @ 13:17:01
I hit F8 until the option for safe mode came up then ran the install of Malwarebytes off of a USB key. The reason for that was I could not run any virus program or any executable in Windows. McAfee did not even pick it up but for $89.00 they would kill it by having one of their online techs kill it. I use ESET NOD 32 and never have these problems. I find Symantec’s products a nightmare.
Rick Jalbert
Apr 02, 2011 @ 15:08:00
I tried to kill it with Malwarebytes in Safe Mode, no cigar. I downloaded Stinger from McAfee, booted into safe mode, then ran it. It found FakeAlert!Defender virus under C:\documents and settings\(user name)\application Data\defender.exe.
gerry
Apr 02, 2011 @ 20:00:07
Frank’s suggestion has worked like a gem. This virus has been driving me crazy all morning because it stopped me from executing any other virus detector.
Jon F
Apr 03, 2011 @ 12:19:45
Cheers Chris! Advice worked with safe mode and stinger.
FYI, ESET NOD 32 missed the virus! Bad times when the best can’t detect it.
LIsa
Apr 03, 2011 @ 19:43:49
Frank, you saved me! I run a business on this computer, and I can’t tell you how glad I am that I saw your post!
noodle
Apr 03, 2011 @ 22:42:52
frank you legend !
Waynester
Apr 04, 2011 @ 19:54:17
After updating my anti virus, I managed to detect the fake spyware protection. It goes under the name of Defend.exe
C:\documents and settings\(user)\application data
Afterwards I proceeded with number 6 instruction (which only prevents the program from opening on start up); in the Startup tab it was also named Defender.
And went on with deleting the spyware protection scam.
Alise
Apr 06, 2011 @ 01:35:25
Going home to try tonight. Will post back tomorrow with results.
Thanks!
Stuart
Apr 06, 2011 @ 10:31:30
Mmm – I was unable to access System Restore as well while in Safe Mode. So I went into Safe Mode and then ran Malwarebytes. That seemed to work pretty successfully too.
Stuart
Apr 06, 2011 @ 10:37:09
Forgot to mention the important bit – change of name for the virus file. When I got it, it was called defender.exe.
Alise
Apr 11, 2011 @ 00:46:44
Went into safe mode (first time so that was interesting), managed to find defender.exe and delete.
Logged back into normal mode and did system restore then ran Malware and AVG and all seems to be fine now.
Still no idea how it got into our system though.
Thanks for all the advice guys, especially you Frank :)
eboni
May 22, 2011 @ 01:28:09
dear frank: bless you : ]
autumn
May 28, 2011 @ 12:04:13
Tried everything! Computer starts to load once I’m deleting some windows defender? And then shuts down. Had this virus before and had to send computer away. Advice please?