User Protection is a rogue antispyware program from the same family of rogues as Dr. Guard, Paladin Antivirus and Malware Defender. The program is distributed through the use of trojans. Once the trojan infects your computer, it adds itself to the startup programs so that it runs whenever you start Windows, and then performs several actions. First, it shows many fake security alerts claiming, for example, that the computer is infected or that an attack from the Internet has been detected. Second, it downloads and installs User Protection on your computer.
When User Protection is installed and started, it first registers itself in the Windows registry to run automatically every time Windows starts. Then it asks you to uninstall legitimate antivirus and antispyware tools (Malwarebytes’ Anti-Malware, AVG, etc.) in order to protect itself from being uninstalled. After that, User Protection runs an imitation of a system scan and reports numerous infections that will not be fixed unless you first purchase the software. Nothing new here: this is a scam. Like other rogue antispyware applications, the rogue is unable to detect or remove any infections, nor will it protect you from legitimate future threats. So you can safely ignore the false scan results.
While User Protection is running, you will be shown nag screens and fake security warnings from the Windows taskbar. A few samples:
Danger!
Harmful viruses detected on your computer. Click on the
message to scan your computer for security threats for free.
Warning! Network attack detected!
Network intrusion detected!
Your computer is being attacked from a remote PC.
Danger!
Unauthorized person tries to steal your passwords and private
information. Click on the message to prevent identity theft.
Danger!
A security threat detected on your computer.
TrojanASPX.JS.Win32. It strongly recommended to remove
this threat right now. Click on the message to remove it.
Warning! Adware detected!
Adware module detected on your PC!
Warning! Keylogger detected!
Keylogger activity detected on your PC!
Of course, all of these alerts and warnings are fake and, like the false scan results, should be ignored! As you can see, User Protection is a scam created with one purpose: to scare you into purchasing the so-called “full” version of the program. Most importantly, do not purchase it!
Last but not least, the same trojan that installs User Protection will also download and install onto your computer a variant of the TDSS trojan. The trojan may redirect search results in Google, Yahoo and MSN, block the ability to run various antivirus and antispyware programs, and much more.
If you find that your computer is infected with the rogue, act quickly to remove it. Follow the removal guide below to remove User Protection and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKCU\..\Run: [diskperfxp.exe] C:\DOCUME~1\comp\LOCALS~1\Temp\diskperfxp.exe
O4 – HKCU\..\Run: [User Protection] “C:\Program Files\User Protection\usrprot.exe” -noscan
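The same two autorun entries can be picked out of a full HijackThis log automatically. The Python below is an added example, not part of the original guide: it parses O4 lines, tolerates the dash and curly quotes that a web page substitutes, and flags entries that start from a Temp directory or use a file name shown above. The ctfmon line and the names triage and image_path are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed sample: the first two O4 lines are the ones shown on this page
# (web dash and curly quotes included); the ctfmon line is added for contrast.
SAMPLE_LOG = r"""
O4 – HKCU\..\Run: [diskperfxp.exe] C:\DOCUME~1\comp\LOCALS~1\Temp\diskperfxp.exe
O4 – HKCU\..\Run: [User Protection] “C:\Program Files\User Protection\usrprot.exe” -noscan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

PAGE_FILE_NAMES = {"diskperfxp.exe", "usrprot.exe"}  # names from this page's log
# Accept the ASCII hyphen of a real log and the dashes a web page substitutes.
O4_RE = re.compile(
    r"^O4\s*[-\u2013\u2014]\s*(?P<key>[^:\[]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
STRAIGHTEN = str.maketrans({"\u201c": '"', "\u201d": '"'})
EXECUTABLE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)", re.I)


def image_path(cmd):
    """Return the program path from a Run command line, without arguments."""
    cmd = cmd.translate(STRAIGHTEN).strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    match = EXECUTABLE.match(cmd)
    return match.group(1) if match else cmd.split()[0]


def triage(log_text):
    """Return the O4 autorun entries that deserve a closer look, with reasons."""
    findings = []
    for line in log_text.splitlines():
        match = O4_RE.match(line.strip())
        if not match:
            continue
        image = image_path(match["cmd"])
        reasons = []
        if re.search(r"\\te?mp\\", image, re.I):
            reasons.append("starts from a Temp directory")
        if ntpath.basename(image).lower() in PAGE_FILE_NAMES:
            reasons.append("file name listed on this page")
        if reasons:
            findings.append({"key": match["key"].strip(), "name": match["name"],
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

The Temp-directory check is a general heuristic and will also flag other programs that register an autorun from a temporary folder, so treat a hit as a reason to inspect the entry rather than as a verdict.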
Use the following instructions to remove User Protection (Uninstall instructions)
Step 1. Remove TDSS trojan-rootkit
Download TDSSKiller from here and unzip it to your desktop.
Open the TDSSKiller folder. Right-click tdsskiller and select Rename. Type a new name (123myapp, for example) and press Enter. Double-click the TDSSKiller icon to start scanning the Windows registry for the TDSS trojan. If it is found, then you will see a screen similar to the one below.
TDSSKiller
Type delete and press Enter. Once TDSSKiller has finished removing the TDSS rootkit, you will see a window as shown below.
TDSSKiller
Type Y and press Enter. Your computer will be rebooted.
Step 2. Remove User Protection and any associated malware.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and “Launch Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for User Protection infection. This procedure can take some time, so please be patient.
When the scan is finished, a message box will appear stating that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar to the one shown below.
Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click the “Remove Selected” button to remove User Protection. MalwareBytes Anti-malware will now remove all files and registry keys associated with User Protection and add them to the program’s quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
User Protection creates the following files and folders
C:\Program Files\User Protection
%UserProfile%\Start Menu\Programs\User Protection
C:\Program Files\User Protection\usrhook.dll
C:\Program Files\User Protection\usrprot.exe
%UserProfile%\Local Settings\temp\diskperfxp.exe
C:\Documents and Settings\All Users\Desktop\spam001.exe
C:\Documents and Settings\All Users\Desktop\spam003.exe
C:\Documents and Settings\All Users\Desktop\troj000.exe
C:\Program Files\User Protection\about.ico
C:\Program Files\User Protection\activate.ico
C:\Program Files\User Protection\buy.ico
C:\Program Files\User Protection\help.ico
C:\Program Files\User Protection\scan.ico
C:\Program Files\User Protection\settings.ico
C:\Program Files\User Protection\splash.mp3
C:\Program Files\User Protection\uninstall.exe
C:\Program Files\User Protection\update.ico
C:\Program Files\User Protection\usr.db
C:\Program Files\User Protection\usrext.dll
C:\Program Files\User Protection\virus.mp3
%UserProfile%\Start Menu\Programs\User Protection\About.lnk
%UserProfile%\Start Menu\Programs\User Protection\Activate.lnk
%UserProfile%\Start Menu\Programs\User Protection\Buy.lnk
%UserProfile%\Start Menu\Programs\User Protection\Scan.lnk
%UserProfile%\Start Menu\Programs\User Protection\Settings.lnk
%UserProfile%\Start Menu\Programs\User Protection\Update.lnk
%UserProfile%\Start Menu\Programs\User Protection\User Protection Support.lnk
%UserProfile%\Start Menu\Programs\User Protection\User Protection.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\User Protection.lnk
%UserProfile%\Desktop\User Protection Support.lnk
%UserProfile%\Desktop\User Protection.lnk
C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk
C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk
C:\Documents and Settings\All Users\Desktop\youporn.com.lnk
User Protection creates the following registry keys and values
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user protection
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\diskperfxp.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
I guess it helps if you read other posts… thanks for the info…
Toby, skip first step.
Many thanks, Very helpful.
: )
Thanks I was able to remove the items listed and the annoying User Protection seems to be gone. I have Webroot running. Hope that helps the future. Thanks Again!
Hi there, I downloaded the files and followed the instruction, and it seems to be gone. But..when I try to install McAfee, it comes up as being in conflict with Mcafee and apparently is still inside my PC, someplace, any ideas?
Thanks for this! I had to reboot my laptop 2 times before I realised this ‘User Protection’ wasn’t genuine.
Rob, follow the steps below:
Click Start, Run.
Type wbemtest and press Enter.
Windows Management Instrumentation Tester opens.
Click Connect… button.
Type root\SecurityCenter and press Enter.
Click the Query button.
Type SELECT * FROM AntiVirusProduct and click on Apply button.
If there is more than one result, it means there is more than one Antivirus program installed. Double click on each result to view the properties for that Antivirus product.
Identify the product(s) installed and DELETE any records for an Antivirus software (or rogue security program) that is no longer installed.
Hi, my boss brought his home computer in for me to look at (I’m the web designer at our non-profit). He’s definitely got User Protection, and I ran TDSSKILLER, which worked, but I can’t run MBAM – I install it from a flash drive, but by the time it gets to the launch & update phase, the mbam.exe has been removed. He also seems to have the “XP Security Tool” virus as well – which may be the problem with running MBAM, and I’m not sure what order to go about removing these pests. Any help would be most appreciated, and thanks for all the help so far.
He’s running XP 2002 SP3, by the way. Not sure if that makes a difference.
Save yourself lots of aggravation and download AVIRA, install, run it, and forget about it!
It worked great!
Josh, if boss's PC is infected with “XP Security Tool” then use these steps.
I tried! MBAM won’t run after taking those steps either. The setup program finishes, and when I click Yes to Run and Autoupdate, it just stops. When I try to browse to MBAM.exe, it’s not there! Ah well. Thanks for your time!
Josh, read these instructions and use the fix for your situation.
I am actually having the same problem as Joemac I have run TDSSKiller but it just tells me i don’t have any virus all it comes up with is
0/0/0
0/0/0
Is there any particular reason for this?
thanks so much everyone…
it works!!! 🙂
rich, looks like your computer is not infected with TDSS trojan. If Malwarebytes won't run, then ask for help in our Spyware removal forum.
Hi, I have User Protection on my computer. I have found your site and downloaded both programs. I have unzipped, renamed and put them on my desktop. Now User Protection does not allow me to open any file without asking with what program I would like to open / start it. So I have no chance to start any program? Any help on this? Thx Carsten
Carsten, try the steps below:
Click Start, Run. Type command and press Enter.
Type notepad and press Enter.
Notepad opens. Copy the gray text below into Notepad.
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double Click fix.reg and click YES for confirm.
Reboot your computer.
Hello. Performed the 1st step and seemed to work. When I run the malware scan, that seems to work. However, when a popup window comes up and states, click for your results, I click and Malwarebyte shuts down. Never get to see the results of click to fix. Thoughts?
card, reboot your computer in Safe mode and try scanning with Malwarebytes once again.
card,
I had the same problem, it ended up that there were more processes running. It is a computer at the shop I work at, and somehow someone downloaded a LOT of these rogue spyware programs. I had to kill them ALL before malware would scan and then let me click to fix.
Hope that helps.
i did the second step and theres still those pop ups
and i repeated the step over 5 times is there something im missing
oh and my computer keeps on trying to download something called digitally protecter
please help
I just got this virus yesterday, removed by disconnecting from internet (do not click on fake alerts!), then ran a scan with malwarebytes, may have to do several times, also check startup for unusual startup items and disable or delete them, I deleted with ccleaner, also turn off system restore till clean, clean prefetch folder, when clean restore browser to default settings, as I noticed it messes with browser settings. This malware installs itself without any user actions.
Hi…I did the malware scan and removed all the infected items but I noticed that the User Protection icon is still on my desktop/in my recycle bin…I ran the scan again and it showed no infected items but the icon is still there..could it still be on my comp and do I need to get rid of it some other way or can i just delete it from my recycle bin?
…sorry i forgot to mention it DID remove all the popups..im just worried about the icons
..sorry i just realized the icons are “Digital Protection” and “Digital Protection Support” could these be different viruses?
i downloaded your program and unzipped it, but apparently i didn’t rename it BEFORE i opened it. and now it says,
Results:
Memory objects infected / cured / cured on reboot:
Registry objects infected / cured / cured on reboot:
File objects infected / cured / cured on reboot:
0/0/0
0/0/0
0/0/0
does it have something to do with me forgetting to rename it? but after i run the program, i closed it then i deleted the file and re-unzipped it for 2 times and it still says the same thing…
so… help me?
sean, try updating Malwarebytes and rescan your PC. If it does not help, then open a new topic in our Spyware removal forum.
Hailey, manually remove these icons 🙂