Now you are probably wondering why I would want to remove malware protection. Malware protection is good, right? Well, in this case it “ain’t” so good, especially when the malware protection program is called Malware Protection! This is yet another fake anti-virus (anti-malware) program. The owner of this computer thinks the computer is infected by a virus because the “anti-virus” program says the computer is infected by a bunch of viruses (see screenshot below). Naturally I was immediately suspicious from the description of some of the popups, and after asking the name of the “supposed” anti-virus program and doing a quick web search, my suspicions were confirmed.
Now like any respectable anti-virus program (cough – cough), Malware Protection was busy protecting against:
- Any .exe you tried to run (for example Microsoft Word – winword.exe). Of course, every .exe was “infected” by the W32 Blaster worm – wouldn’t want that, would we?
- Remote network “hacking,” lots of remote network hacking (screenshot below)!
- No internet access – of course, internet access is dangerous, so we obviously do not need that!
- Shuts down current “real” anti-virus protection!
- Protects itself from being uninstalled – we’d hate for that to happen, wouldn’t we?
- Prevents access to any system configuration utilities (MSConfig, Control Panel utilities, etc.)
How to Remove Malware Protection?
First off, I decided to try removing Malware Protection without restarting the computer into Safe Mode, hoping to make the process easier.
- Since I was unable to run any .exe, I first tried killing Malware Protection’s process using a tool known as RKill from Bleeping Computer: http://www.bleepingcomputer.com/download/anti-virus/rkill. RKill is provided under a number of different file names and formats in case the malware blocks one of them. I started by trying RKill.com, then RKill.exe, then RKill.scr, and finally uSeRiNiT.exe, which finally killed Malware Protection. The first three RKill programs were killed by Malware Protection, and it took a few minutes for uSeRiNiT.exe to finally work. You can download uSeRiNiT.exe directly at: http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe. Since I was not able to access the internet on this machine, I downloaded RKill to my USB flash drive and ran it from there. From here you can skip to step 6 if you want.
- Now that Malware Protection’s process had been terminated, I reinstalled Microsoft Security Essentials, which apparently had been damaged by Malware Protection. Upon installation, Microsoft Security Essentials performed a virus definition update followed by a quick scan, which detected 5 viruses including Malware Protection. At this point I was thinking, “man, this was too easy,” and rebooted the computer to finish the Microsoft Security Essentials installation. To my unfortunate surprise, Malware Protection was back and Microsoft Security Essentials was no longer working (yep, that .exe was “infected” by the W32 Blaster worm as well!). It is quite possible that if I had run a full system scan instead of letting MSE perform the quick scan on installation, I would have been done at this point!
- OK, so I used RKill to kill Malware Protection again and ran a deep scan of the computer with UnHackMe; unfortunately, UnHackMe did not find Malware Protection, just some false positives.
- Next, since SpyBot Search & Destroy was already installed on the computer, I decided to try that; again, no results.
- With none of the other options working, I figured it was time to pull out the big guns and try Norton Antivirus. Unfortunately, no luck there either!
- I decided to give it one more try with a final program known as MBAM. MBAM is a popular anti-malware removal tool and can be downloaded at: http://www.malwarebytes.org/. With the Malware Protection process killed, you should be able to access the internet on the infected machine without needing a second computer and a flash drive. MBAM found Malware Protection in 2 places and removed both of them. This is probably why it came back after MSE removed it from only the one location; most likely a full system scan with MSE would have found the second location.
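Since the rogue program came back after a reboot, the thing to look at once its process is dead is where it starts from. The PowerShell script below is an added example (not from the original post or any of the tools it mentions) that lists the common autorun entries and flags ones launched from user-writable folders; the post does not say which two locations MBAM found, so the registry keys and folders checked here are assumptions, not facts from the page.

```powershell
# Added example: list common autorun entries so a rogue "anti-virus" that
# returns after reboot can be traced to where it launches from. Run from an
# elevated PowerShell prompt after the malicious process has been killed
# (e.g. with RKill). The keys/folders below are assumed, not from the post.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# User-writable roots: legitimate autoruns rarely live here, rogue AV droppers often do.
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)

function Get-ImagePath {
    param([string]$Command)
    # '"C:\path with spaces\x.exe" /args' -> 'C:\path with spaces\x.exe'
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-SuspiciousPath {
    param([string]$Command)
    $exe = Get-ImagePath $Command
    foreach ($root in $suspiciousRoots) {
        if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        $cmd  = [string]$p.Value
        $flag = if (Test-SuspiciousPath $cmd) { 'SUSPECT' } else { '       ' }
        '{0} {1}\{2} = {3}' -f $flag, $key, $p.Name, $cmd
    }
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { '        startup folder : {0}' -f $_.FullName }
}
```

Entries marked SUSPECT are candidates to check against a second scanner, not proof of infection; also keep in mind that a program which blocks every .exe will block powershell.exe too, so the process has to be stopped first.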