Your PC Protector is a new rogue antispyware program from the same family of malware as Windows Antivirus Pro and Windows Police Pro. It usually installed itself onto your computer without your permission and knowledge, through the use trojans. When the trojan is started, it will install Your PC Protector onto your computer.
During installation, Your PC Protector will register itself in the Windows registry to run automatically every time when you start an application (files with “exe” extension). The rogue also uses this method of running to block the ability to run any programs, including security applications. The following alert will be shown when you try to run Notepad (and any program with “exe” extension):
Warning
Running of application is impossible.
The file C:\Windows\System32\notepad.exe is infected.Please activate your antivirus program.
Once running, Your PC Protector will begin to scan your computer and list a large amount of infections. All of these infections are fake, so you can safely ignore them.
While Your PC Protector is running, it will display fake Windows Security Center, a lot of nag screens, numerous fake security alerts and notifications from Windows task bar that stats:
Security Warning
Your computer continues to be infected with harmful viruses.
In order to prevent permanent loss your information and
credit card data theft please activate your antivirus software.
Click here to enable protection.
svchost.exe
svchost.exe has encountered a problem and needs to
close. We are sorry for inconvenience.
Warning
Unwanted software (malware) or tracking cookies have been found during
last scan. It is highly recommended to remove it from your computer.
Your PC Protector Alert
Infiltration Alert
Your computer is being attacked by an
Internet Virus. It could be a password-
stealing attack, a trojan-dropper or simular.
Details
Attack from: 239.80.11.105, port 58962
Attacked port: 41567
Threat: HalfLemon
Warning: Infection is Detected
Windows has found spyware infection on your computer!
Click here to update your Windows antivirus software…
Internet attack attempt detected:
Somebody is trying to attack your PC:
This can result in loss of your personal information and
infection other computers connected to your network.
Click here to prevent attack
However, all of these alerts, screens and pop-ups are fake and like false scan results should be ignored! As you can see, Your PC Protector is scam and designed with one purpose to scare you into purchasing so-called “full” version of the program. Do not be fooled into buying the program!
If you are infected with this malware, then use these removal instructions below, which will remove Your PC Protector and any other infections you may have on your computer for free.
More screen shoots of Your PC Protector
Symptoms in a HijackThis Log
O2 – BHO: ICQSys (ADC PlugIn) – {77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} – C:\Program Files\adc32.dll
O23 – Service: Adobe Update Service (AdbUpd) – Unknown owner – C:\Program Files\svchost.exe
Use the following instructions to remove Your PC Protector (Uninstall instructions)
Step 1. Repair “running of .exe files”.
Click Start, Run. Type command and press Enter. Command console “black window” opens. Type notepad as shown below
Command console
Press Enter. Notepad opens. Copy all the text below into Notepad.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
You will see window similar to the one below.
Notepad
Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.) Double Click fix.reg and click YES for confirm.
Reboot your computer.
Step 2. Remove Rootkit/Trojan TDSS
Your PC Protector may be installed with a TDSS trojan-rootkit that may redirect search results in Google, Yahoo, MSN, block an access to security websites and much more.
Download TDSSKiller from here and unzip to your desktop.
Open TDSSKiller folder and double click the TDSSKiller icon. When the scan is finished, you will see window similar to the one below.
TDSS trojan remover
Close all programs and press Y key.
Step 3. Remove Your PC Protector associated malware.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and Launch “Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for Your PC Protector infection. This procedure can take some time, so please be patient.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar as shown below.
Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click “Remove Selected” button to remove Your PC Protector. MalwareBytes Anti-malware will now remove all of associated Your PC Protector files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Your PC Protector creates the following files and folders
%userProfile%\Start Menu\Programs\Your PC Protector
C:\Program Files\Your PC Protector
C:\Program Files\Your PC Protector\Your PC Protector.exe
C:\Program Files\adc32.dll
%userProfile%\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk
C:\Program Files\alggui.exe
%userProfile%\Desktop\Your PC Protector.lnk
C:\Program Files\nuar.old
C:\Program Files\wp3.dat
C:\Program Files\wp4.dat
C:\Program Files\svchost.exe
Your PC Protector creates the following registry keys and values
HKEY_CLASSES_ROOT\CLSID\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD
HKEY_CURRENT_USER\SOFTWARE\Your PC Protector
Great article. I had this Virus and no one seemed to know the ins and outs about it. Thanks for the in-depth and detailed outline for solving this issue.
Thank you so much. I’ve had this problem and this is the only website which prescribed each step to help me. I was nervous about the registry step, but it was fine.
Thank you, this article has been a great help. I’m glad to see that there’s still helpful sites like this.
hey its blocking notepad what should i do?
Thank you thank you thank you! While reading this article to try to get rid of it, it took over both Firefox and IE. I was somehow able to open up my anti-spyware program and it got rid of it for me. This thing is NASTY!
I made it step 2, but when I try to run the TDSSKiller, I can’t because I get the following error ” Warning
Running of application is impossible.
The file (location here) is infected.
Please activate your antivirus program.”
Any idea what to do now?
Hey, thank you for posting this. However, I’m running into a problem when I try to open the TDSSKiller program. When I try to open it (after it is unzipped and installed) the fake PC Protector bubble pops up and says that it cannot be opened by it is “infected.” What should I do? In the step before I went to reboot my computer after adding the fix.reg file but the command window would not close without me having to click the “End Now” button – could this have something to do with it?
Thanks for all the help.
Greg you need run command console (command.com) and then notepad.
PJ, try repeat first step once again.
Um I have downloaded it and it seems that my laptop cant load the file. i downloaded it onto my home computerp ut it on a flash and switched it over now it wont run the program.. Help>
Should fix.reg be saving over an existing file on my desktop? I was able to open Notepad, but nothing improved after restart.
For step 2, I can run the program, but with the following result:
TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.2.3 Feb 4 2010 14:34:00
Scanning Services …
Scanning Kernel memory …
Completed
Results:
Memory objects infected / cured / cured on reboot: 0 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 0 / 0 / 0
Press any key to continue . . .
Pressing a key exits the program.
Thank you for providing this information!
thank man…it worked good…thank u again
thank you ..it worked good..thank you again
I get the same thing as PJ. I have tried the first step multiple times. Not sure what I am doing wrong.
I try running TDSSKiller and it doesn’t find any infected files. Does anyone know what I could be doing wrong?
Excellent description and instructions. Thank YOU!
The virus would not allow me to download the malwarbytes programs onto my desktop. Using my laptop I had to first save them to a thumb drive, and then install onto my infected computer to follow the procedure. what a nightmare!
I did the first step correctly
second step correctly but on the third step i downloaded malawarebytes and every time i open the shortcut, or the .exe file, there will be no process in the Task Manager of Malawarebytes, Please help me!!!
I got to step 2. Downloaded the zipped file. Doubleclicked the TDSSkiller icon. Got an hour glass for about 10 seconds. Never got the dos SPYWARE.com window. Help! Can’t open window apps (excel, word).
the registry part worked and I can now run .exe’s but when I run TDSSKiller it finds no infected files and when I run malwareBytes I see the screen that has the scan button, but the application goes away before I could start the scan? Any suggestion? Thanks much so far!-Jon
TDSS Killer gives me a “Driver load error!” when I run it.
I’m having to do it in safe mode, since the virus won’t even let me use my command prompt in regular mode.
very frustrating.
Today (Feb 10) I opened what I thought was a legit email today and “Your PC Protector” suddenly jumped onto my PC. I have tried the methods above to eliminate it, and it appeared to run the tdsskiller and I have some log files from it. But attempts to run the Malwarebytes’ Anti-malware have been thwarted. I can install it, but when it starts to run, it suddenly disappears after a second or two. Repeated attempts to start it result in a message saying mbam.exe cannot be found.
Also a question regarding the first step: in the fix.reg notepad file command line you appear to have a space between the third quote mark and the last percent sign. Is that correct or does it matter?
@=”\”%1\” %*”
Finally should I be doing this in safe mode? Or parts of it? So far its not working and “Your PC Protector” is still running the show.
Thanks, I am dead in the water until I can get this awful malware removed. All your help is most appreciated.
it will not let me import fix.reg. after i click ‘yes’ i get: Cannot import …fix.reg: The specified file is not a registry file. You can only import registry files.
any suggestions?
thanks
Open TDSSKiller folder and double click the TDSSKiller icon. When the scan is finished, you will see window similar to the one below.
I don’t see the window…have tried several times…can’t get beyond this step HELP!
Unfortunately, its not letting me fully download the Malwarebites stuff – it fails to download mbam.exe at the very end, making it unable to run the program. Every time it tries to block a program – or even come up for that matter – I just go to the Windows Task Manager and bat it back down. It seems to work for the most part…
Yeah – it says:
Unable to execute file:
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
CreateProcess failed; code 2.
The system cannot find the file specified.
I can’t get command to open, help anyone ?!?! I can’t get rid of this thing
I cannot do step 2 because it’s taken over my ability to access the internet. (I’m accessing this website from my laptop.) What do I do now?
Nate, goto first step once again, don`t reboot your PC, run TDSSKiller, then MBAM.
Richie, probably your PC is infected with another version of the rogue that has not bundled with a TDSS trojan.
Spencer, looks like your PC also infected with a trojan (probably Vundo), which removed the mbam.exe – core component of Malwarebytes. Download the file and save it to home folder of Malwarebytes. Run it.