BleepingComputer.com: "Malware Protection" Virus

So, my kid comes to me and says, "Dad, help. I was online and suddenly popups started appearing saying the computer is infected with two viruses, and it's running a scan." Lickety-split I'm in the office and sure enough "Malware Protection" is on the screen apparently running a scan. The problem is, I never loaded it onto my computer. That's for another day though...

The result is that I get continually rotating notification balloons in the bottom right hand corner of the screen that tell me, "File (such and such)
is infected by W2/Blaster.worm. Please activate Malware Protection to protect your computer." Being careful not to start any executable files or enter any personal information, I moved forward to see what activating it entailed. And of course it wants my personal information.

I cannot turn it off. I cannot uninstall it. It won't allow me to open the Task Manager. And here comes the worst part: it won't let me connect to the internet through either FireFox or Internet Explorer. So I'm sending this from a different computer.

Additionally, there is a larger popup saying, "FIREWALL WARNING. Hidden file transfer to remote host has been detected." It then recommends you block the transfer and asks you to choose to Block or Allow. Allow simply closes the popup for a little while. Block brings you again to a screen that asks you to activate the program.

Essentially, I can't use my computer at all for anything. Can someone help, please?

Had same problem as well. Was able to halt it by disconnecting from the internet and starting task manager immediately after logging into the computer, working quickly to stop processes related to it. Cannot recall name of process exactly, but I believe it started with a "u" and "*32" was at the end. There were several of the particular process. Doing this allowed me to run previously inaccessible programs, including system restore. Seems to be gone now.

Hi there

Malware Protection is itself the virus - it's a type of infection known as a rogue Programme as it pretends to be a real anti spyware/virus programme to scare you into purchasing it.

If you do have malware protection, have a look at the removal guide for it here:
http://www.bleepingcomputer.com/virus-removal/remove-malwareprotector2008

If it is that particular rogue, follow the instructions if you can and see if that helps to clear it. If that doesn't work, post again to get more expert help!

Mod Edit: Please follow the instruction in the Removal Guide for posting in the Virus, Trojan, Malware Removal Forum.

""If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help."

This post has been edited by hamluis: 28 May 2011 - 09:55 AM

ok, so the trick was starting up in safe mode...

i then ran malwarebytes anti-malware and superAntispyware...both updated and ran twice, removed infected and then restarted in normal mode.

everything is fine again....

KALUK, on 21 May 2011 - 11:40 AM, said:

the problem with these instructions is that you are not able to access this program (if you even have it installed) or even access the internet to download it.

this virus blocks everything from starting...unless you start up in safemode (by pressing f8 while the computer is starting up)

after you start up in safemode, you can then run these programs and get rid of this virus.

good luck everyone...

Hi.

First of all great site!

I have rebooted the computer on safemode and removed the "Malware Protection" using Malwarebytes as described by this thread, and it works fine. Thanks!

The virus had not returned on my computer after I used malwarebytes and super antispyware. It has been over 24 hours. All looks good for me.

Hey, Original Poster here! Just wanted to let you all know that your help has once again been invaluable. A little point of clarification for noobs like me. Since my computer is wireless, I had to start up in Safe with Networking mode in order to maintain network connection. No big... Even I could figure that one out. Ran MBAM in safe mode and then again in normal and ran SAS in normal and am good to go. Who'da thunk it?!

Thanks Again!!

Mod Edit: At this point, all followon comments should have been either deleted or ignored, IMO ~ Hamluis.

This post has been edited by hamluis: 28 May 2011 - 10:11 AM
Reason for edit: Added emphasis.

Not perfect, but it works...

I have the "Malware Protection" virus as well. I was unable to run my virus scan or malwarebytes even in safe mode. However, I found a way to stall the load of the virus software long enough to open everything I had to kill it. Here's the clunky thing I did (I think it's the same process "KALUK" recommends above:

Reboot computer.
On load up, CTRL+ALT+DELETE right when Microsoft logo appears - before desktop can load.
Start Task Manager.
When each instance of "Host process for Windows Services" loads in the Processes tab, right click, and End Process (don't worry, they keep reloading).
For some reason, this slows it down enough to catch the process "Nimp" as it loads. END PROCESS.
Windows will error message you that it is looking for a solution because it cannot load it. Hit Cancel.

This kept it from loading, so I could start scanning with every tool I had.

Again, this approach is clunky and not the best, but it worked for me. Only try this if safe mode won't let you run your scans and fixes.

Good luck.

This post has been edited by conanthebarbie: 26 May 2011 - 09:10 PM

I just finished dealing with this myself. As I’m sure most of you have figured out, it blocks task manager, regedit, and just about every possible program you can use to get rid of it (including my antivirus software!). Someone mentioned that it even activates in safe mode though I haven’t tried this. What I did was, using the malware protection icon on the desktop, I right clicked, went to open file location, found an application with the maleware icon (I think it was called “defender” or “protection”, something along those lines anyway). Although you cannot delete this file the solution is easy enough. Right click on it, go into properties and set it so it needs administrator permission to run. Log out and when you log back in malware protection won’t be able to activate and you can remove it via regedit and delete the application. I hope this is helpful to everyone.

Since the OP has stated that original issues are resolved...and to prevent any further confusion...this topic is now closed.

Louis

This post has been edited by hamluis: 28 May 2011 - 10:13 AM