User Protection

The User Protection virus promotes itself as a legitimate computer security program created for the Windows platform. It is harmful because it can find and delete files related to F-Secure, NOD32, Malwarebytes’ Anti-Malware, Norton Internet Security, Avira AntiVir, AVG8, AntiVir, Agnitum Outpost Security Suite and Avast!, which renders that software useless on the compromised computer. With those products out of the way, User Protection's intrusion goes undetected and unstopped. Like its previous variant, called Your Protection, the new version's payload alters settings on the target PC that allow the rogue program to manipulate processes. Once inside the computer, this malicious software misleads computer users about the real security status. Fake alerts and virus detections are displayed to scare users and convince them to purchase the registered version of User Protection.

User Protection can be picked up from questionable websites, fake online virus scanners, files downloaded from file-sharing networks, and software vulnerabilities. Given this, you can avoid the User Protection virus by staying away from illegitimate web sites. Additionally, make sure that your antivirus program has the latest database update.


Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Characteristics (Analysis)
“User Protection” is a misleading security application, commonly tagged as a rogue program. For some, it is a computer virus hiding behind the interface of fake antivirus software. A rogue application usually spreads through a related Trojan infection, typically acquired from malicious web sites, fake multimedia pages, email attachments and instant messaging applications. When User Protection runs, it does not infect other files on the computer. The main damage it can cause is rendering certain programs unusable.

Malware Behavior
This virus displays various fake security alerts and tries to convince the user that ongoing virus attacks have been detected. Through these scare tactics, the attackers behind this fake anti-virus program hope that victims will consider purchasing User Protection. Some alerts may contain messages similar to these:

User’s activity loggers detected!
It’s strongly recommended to remove detected threats right now!

Your computer is being attacked from a remote PC.
Process is trying to steal your passwords listed below. It is highly recommended to block this threat now.

Added Registry Entries:
HKLM\SOFTWARE\User Protection
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "User Protection"
HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\User Protection
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"

Associated Files and Folders:
C:\Documents and Settings\All Users\Application Data\jkihposlfp.dll
C:\Program Files\User Protection\splash.mp3
C:\Program Files\User Protection\uninstall.exe
C:\Program Files\User Protection\usr.db
C:\Program Files\User Protection\usrext.dll
C:\Program Files\User Protection\usrhook.dll
C:\Program Files\User Protection\usrprot.exe
C:\Program Files\User Protection\virus.mp3
%UserProfile%\Desktop\User Protection Support.lnk
%UserProfile%\Desktop\User Protection.lnk
%UserProfile%\Desktop\usrprot.exe.txt
%UserProfile%\Local Settings\Temp\8uywtgc.mof

How to Remove User Protection

1. Stop the User Protection process by pressing Ctrl+Alt+Del. Windows Task Manager will open. Look for the following process:
usrprot.exe
Highlight the process and click on End Process.

2. Connect to the Internet and update your installed anti-virus program. This is necessary to identify newer variants of this virus.

3. Run a full virus scan and clean/delete all detected infected file(s).

4. Edit the Windows registry and delete the User Protection entries (refer to Technical Details).

5. When done removing the registry entries, exit the registry editor by closing the program. It automatically saves the changes made.

6. Remove the User Protection start-up entry by going to Start > Run and typing msconfig in the "Open" dialog box. The System Configuration Utility will open. Go to the Startup tab and uncheck the following start-up item(s):
[random]tssd.exe

7. Click Apply and restart Windows.
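
To confirm the cleanup after the steps above, the registry entries and files listed under Technical Details can be matched against listings collected from the machine. The script below is an added example, not part of the original page; it assumes the input is saved `dir /s /b` and `reg query <key> /s` output, and the function names, the "*" wildcard and the sample listings are constructed for illustration.

```python
import re

CLSID = "{5E2121EE-0300-11D4-8D3B-444553540000}"
# "Added Registry Entries" as (key, value name or None); hives spelled out as `reg query` prints them.
REG_IOCS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\User Protection", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "User Protection"),
    ("HKEY_CLASSES_ROOT\\CLSID\\" + CLSID, None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\User Protection", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved", CLSID)]
# "Associated Files and Folders". Assumptions: "*" covers the files listed under the
# install directory; %UserProfile% differs per account, so it matches any profile path.
FILE_IOCS = [
    r"C:\Documents and Settings\All Users\Application Data\jkihposlfp.dll",
    r"C:\Program Files\User Protection\*",
    r"%UserProfile%\Desktop\User Protection Support.lnk",
    r"%UserProfile%\Desktop\User Protection.lnk",
    r"%UserProfile%\Desktop\usrprot.exe.txt",
    r"%UserProfile%\Local Settings\Temp\8uywtgc.mof"]

def file_regex(pattern):
    parts = re.split(r"(%UserProfile%|\*)", pattern)
    wild = {"%UserProfile%": ".+", "*": ".*"}
    return re.compile("".join(wild.get(p) or re.escape(p) for p in parts), re.I)

def parse_reg_query(text):
    """Yield lower-cased (key, value_name) pairs from `reg query <key> /s` output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()
            yield key, None  # the key itself exists
        elif key and line[:1] in " \t" and line.strip():
            yield key, re.split(r"\t| {4}", line.strip())[0].lower()

def find_indicators(file_listing, reg_text):
    """Match a `dir /s /b` listing and a registry dump against the indicators."""
    files = [f.strip() for f in file_listing.splitlines()]
    hits = [("file", f) for p in FILE_IOCS for f in files if file_regex(p).fullmatch(f)]
    seen = set(parse_reg_query(reg_text))
    for key, value in REG_IOCS:
        if (key.lower(), value.lower() if value else None) in seen:
            hits.append(("registry", key + (" -> " + value if value else "")))
    return hits

# Constructed sample: listings from a machine where cleanup missed three items.
SAMPLE_FILES = r"""C:\Program Files\User Protection\usrprot.exe
C:\Documents and Settings\alice\Desktop\User Protection.lnk
C:\Program Files\Mozilla Firefox\firefox.exe"""
SAMPLE_REG = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    User Protection    REG_SZ    C:\Program Files\User Protection\usrprot.exe"""
```

An empty result from `find_indicators` means none of the listed entries remain in the collected listings; matching is case-insensitive because Windows paths and registry names are.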

User Protection Removal Tool:
To completely remove the threat, it is best to download and run Malwarebytes Anti-Malware (MBAM). Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before running it on the infected machine.

Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free online virus scanner, which can be found on the websites of legitimate anti-virus and security providers.