Your PC Protector is a new rogue antispyware program from the same family of malware as Windows Antivirus Pro and Windows Police Pro. It usually installed itself onto your computer without your permission and knowledge, through the use trojans. When the trojan is started, it will install Your PC Protector onto your computer.
During installation, Your PC Protector will register itself in the Windows registry to run automatically every time when you start an application (files with “exe” extension). The rogue also uses this method of running to block the ability to run any programs, including security applications. The following alert will be shown when you try to run Notepad (and any program with “exe” extension):
Warning
Running of application is impossible.
The file C:\Windows\System32\notepad.exe is infected.Please activate your antivirus program.
Once running, Your PC Protector will begin to scan your computer and list a large amount of infections. All of these infections are fake, so you can safely ignore them.
While Your PC Protector is running, it will display fake Windows Security Center, a lot of nag screens, numerous fake security alerts and notifications from Windows task bar that stats:
Security Warning
Your computer continues to be infected with harmful viruses.
In order to prevent permanent loss your information and
credit card data theft please activate your antivirus software.
Click here to enable protection.
svchost.exe
svchost.exe has encountered a problem and needs to
close. We are sorry for inconvenience.
Warning
Unwanted software (malware) or tracking cookies have been found during
last scan. It is highly recommended to remove it from your computer.
Your PC Protector Alert
Infiltration Alert
Your computer is being attacked by an
Internet Virus. It could be a password-
stealing attack, a trojan-dropper or simular.
Details
Attack from: 239.80.11.105, port 58962
Attacked port: 41567
Threat: HalfLemon
Warning: Infection is Detected
Windows has found spyware infection on your computer!
Click here to update your Windows antivirus software…
Internet attack attempt detected:
Somebody is trying to attack your PC:
This can result in loss of your personal information and
infection other computers connected to your network.
Click here to prevent attack
However, all of these alerts, screens and pop-ups are fake and like false scan results should be ignored! As you can see, Your PC Protector is scam and designed with one purpose to scare you into purchasing so-called “full” version of the program. Do not be fooled into buying the program!
If you are infected with this malware, then use these removal instructions below, which will remove Your PC Protector and any other infections you may have on your computer for free.
More screen shoots of Your PC Protector
Symptoms in a HijackThis Log
O2 – BHO: ICQSys (ADC PlugIn) – {77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} – C:\Program Files\adc32.dll
O23 – Service: Adobe Update Service (AdbUpd) – Unknown owner – C:\Program Files\svchost.exe
Use the following instructions to remove Your PC Protector (Uninstall instructions)
Step 1. Repair “running of .exe files”.
Click Start, Run. Type command and press Enter. Command console “black window” opens. Type notepad as shown below
Command console
Press Enter. Notepad opens. Copy all the text below into Notepad.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
You will see window similar to the one below.
Notepad
Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.) Double Click fix.reg and click YES for confirm.
Reboot your computer.
Step 2. Remove Rootkit/Trojan TDSS
Your PC Protector may be installed with a TDSS trojan-rootkit that may redirect search results in Google, Yahoo, MSN, block an access to security websites and much more.
Download TDSSKiller from here and unzip to your desktop.
Open TDSSKiller folder and double click the TDSSKiller icon. When the scan is finished, you will see window similar to the one below.
TDSS trojan remover
Close all programs and press Y key.
Step 3. Remove Your PC Protector associated malware.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and Launch “Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for Your PC Protector infection. This procedure can take some time, so please be patient.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar as shown below.
Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click “Remove Selected” button to remove Your PC Protector. MalwareBytes Anti-malware will now remove all of associated Your PC Protector files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Your PC Protector creates the following files and folders
%userProfile%\Start Menu\Programs\Your PC Protector
C:\Program Files\Your PC Protector
C:\Program Files\Your PC Protector\Your PC Protector.exe
C:\Program Files\adc32.dll
%userProfile%\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk
C:\Program Files\alggui.exe
%userProfile%\Desktop\Your PC Protector.lnk
C:\Program Files\nuar.old
C:\Program Files\wp3.dat
C:\Program Files\wp4.dat
C:\Program Files\svchost.exe
Your PC Protector creates the following registry keys and values
HKEY_CLASSES_ROOT\CLSID\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD
HKEY_CURRENT_USER\SOFTWARE\Your PC Protector
Fred, you have unzipped TDSSKiller before running ?
Jon, try run Malwarebytes in Safe mode.
Nate, you need run TDSSKiller in normal mode. Do 1 and 3 steps in safe mode, then reboot and try second step.
Gary, the above .reg script is ok.
Looks like your PC also infected with a trojan Vundo. Ask for help in our Spyware removal forum.
Robert, check twice a text in Notepad. It should have “Windows Registry Editor Version 5.00” as first line.
Eileen, write Malwarebytes and TDSSKiller to a flash or cd disk and move both files to infected PC.
Good answers, I was able to get only to install malwarebytes, but it wouldn’t run. I found that the malware was deleting the mbam.exe file as soon as install finished. I then downloaded malwarebytes and installed on a clean PC. I then renamed mabm.exe to a.exe (thanks to a tip on another web site), and copied the entire directory onto the infected PC. I then ran a.exe, which was then able to clean the PC. You do have to go through the install process on the infected PC before you copy the directory over.
I’m running TDSSKiller (at least my Task Manager says it’s running), but it’s taking a long time. (It’s been running for at least 20 minutes, maybe more like 30.) How long is it supposed to take before I get the trojan remover window?
Also, when I first turned my computer on today, I was told I had trojan.vundo, but I don’t know whether to believe it since I think that notice came from the PC Protector virus to begin with. Any idea if that’s real?
Thanks!
Please disregard my comment above. TDSSKiller finally told me I didn’t have any infected files. I’m having trouble fully installing the malware software, so I can’t get it to run.
Thanks for providing us a great 1-2-3 STEP direction solving this problem. I don’t know anything about fixing those kind of issues but I guess I could fixed it by myself just following your instruction.
You are genius!!
Patrik,
I want to thank you and all the good people at myantispyware.com for helping me and all these other folks solve their malware problems. I would like to support your operation with a modest donation as a sign of my gratitiude. I am sure it costs a lot of money to keep this site up and maintained as you do. If everyone that is helped gives a little bit back, it would make it easier for you to carry on your mission.
It took several attempts but finally I got the MBAM.exe to work. The trick is to make sure it is available to the ABAM folder on the C:\program files. I am not sure what was the turning point for me, but I did a lot of work in Safe mode and then today launched the final attempt with ABAM.exe in normal mode and it worked, first with the quick scan and then following up with a full scan.
Again, thanks and God bless you all!
Zannah, new variants of the rogue also bundled with Vundo trojan. If you can`t run Malwarebytes (got error code 2), then read and follow “Comment by Patrik — February 10, 2010 to Spencer”.
A friend of mine was receiving these messages on his computer and he bought the software. Do you know if there is any action that can be taken? Or is he out the money he paid? Any help or suggestions would be appreciated and passed along.
Thanks!
Completed step 1 but after download of TDSSkiller i am asked what program I want to use to open it.
fix.reg won’t run as this crap keeps telling me that it is infected.
Hey Patrik is it ok if i uninstall all the stuff after i get rid of the your pc thing? I’m a little afraid it might come back to bite me again o.o;
Denise, he should contact his credit card company and tell them what has happened.
Tina, repeat fist step.
Eric, right click to fix.reg and select Merge.
Tried to remove via instructions – – no luck. Now the computer keeps restarting over and over,but not starting.
Mark, try boot your PC in Last good configuration.
when i get to command box i cannot type notepad.
it gives me C:\DOCUME`1\owners name\
donovan,
Open My Computer,click the Tools menu and click Folder Options.Select the View tab. Scroll down. Uncheck the “Hide file extensions for known types” option. Click OK.
Open C:\Windows\System32 folder and look for notepad.exe. Copy this file to your desktop. Then rename it to notepad.com. Run it and follow above steps.
Thanks for your help, Patrik, but I am still having problems. I ran step 1,2 without a problem–step 2 showed no infections. When I try to install malware bytes I get an error during the install of create process failed code 2 cannot find file specified\n
I have tried everything mentioned from renaming the EXE install to the patch that you install to the same dir that the install goes to….
Thanks in advance
Also worth mentioning, I tried deleting the “pc protector” manually by deleting certain registry keys and values. Some were there and I deleted them and others did not show. I wacked all the program files/directories and the virus doesn’t seem to be surfacing anymore. Not getting any pop ups but I have to test it some more. I just wanted to install and scan with the malware bytes and not being able to install the exe concerns me.
DOug, looks like your computer is infected with a trojan Vundo. Save the file to home dir of Malwarebytes (c:\Program Files\Malwarebytes` Anti-malware by default) and run it.
If above instruction does not help you, then ask for help in our Spyware removal forum.
Hi, I have a friend with this virus. I couldn’t get any safe modes to open, the laptop would just resart and load windows normally. I then found this page social.answers.microsoft.com/Forums/en-US/vistasecurity/thread/9f069595-7217-4f8b-a6cc-0062f100a5d1 and saw some instructions that I hadn’t read and so gave them a go (the message from smithers1983) and things seemed to be working, until I restarted the laptop after changing some stuff in msconfig….now the laptop is trying to boot into safe mode automatically and VP is thus making it restart over and over again. I can’t even get to the windows log in page. Does anyone have any ideas?
thanks in advance
gareth, you need use msconfig once again to change boot method to Normal mode. Read and follow the steps to remove Virus Protector.
This information looks great but I have a slight problem. This program “Your PC Protector” is not only doing everything you stated, but, for me, is also keeping my desktop from loading. None of my desktop icons, my taskbar or start menu can load before the program pops up and starts doing its scan. Now.. I didn’t have the patience but if I let the scan complete does the desktop finish loading? I just want to know in case I run into this again. Thank you for you time! =)
Scott, Malwarebytes should fix this problem. If you can`t run Malwarebytes, then open a new topic in our Spyware removal forum and i will suggest your another ways.