Cloud Protection

Posted: October 10, 2011

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	101

First Seen:	October 10, 2011
Last Seen:	August 17, 2022
OS(es) Affected:	Windows

Cloud Protection is a new variant of older forms of rogue anti-malware programs from the FakeScanti family. This group of fake malware scanners (including Cloud Protection) uses fake error messages to make you believe that your PC is seriously damaged and follows up on the scam by asking you to purchase a registration key to fix the problem. SpywareRemove.com malware experts have combed over Cloud Protection and found Cloud Protection to be totally lacking in real anti-virus or anti-malware functionality, however, and they recommend against purchasing Cloud Protection. Until you remove Cloud Protection and any related infections (such as the ZeroAccess rootkit) from your PC with a real anti-malware program, your computer may be subjected to attacks that redirect your web browser or shut down security-related software.

Countless Reasons to Avoid a Cloud Protection Forecast

Cloud Protection is part of a family of rogue security programs that prefer to distribute themselves with ZeroAccess, a rootkit that have a variety of capabilities, most particularly towards attacking your computer's security. While ZeroAccess is active, you may be unable to run standard anti-malware software or experience unusual crashes that prevent you from removing Cloud Protection. However, SpywareRemove.com malware analysts note that appropriate rootkit-removal software can still delete the latest versions of ZeroAccess, and sufficiently-broad anti-malware programs should also be able to remove Cloud Protection in the process.

Other Cloud Protection-related problems can also extend to:

Browser hijacks that redirect your web browser to a Cloud Protection website or to the website of a related rogue AV program, such as Security Guard, Sysinternals Antivirus, WireShark Antivirus, Milestone Antivirus, BlueFlare Antivirus, Wolfram Antivirus, OpenCloud Antivirus, OpenCloud Security, Data Restore, OpenCloud AV, Security Guard 2012, AV Guard Online, AV Protection Online, System Protection 2012, AV Security 2012, Sphere Security 2012, AV Protection 2011 and Super AV 2013. These sites may attack your PC with fake system scans or drive-by-download scripts that install other forms of harmful software.
The appearance of fake error messages and other forms of pop-ups that present false data instead of real analyses of your computer's health or state of infection. Cloud Protection's pop-ups can appear at random intervals or when triggered by certain actions, such as by opening another program.
Reduced security, especially with regards to your network ports and firewall settings. Although these attacks typically are caused more by an accompanying ZeroAccess rootkit than by Cloud Protection, both Cloud Protection and ZeroAccess should be deleted to insure security for your PC.

IDing a Fake Cloud Protection Infection

SpywareRemove.com malware researchers present the following examples of Cloud Protection's fake warnings to allow you to ignore any pop-ups that resemble these false leads. However, since their appearance on your PC does indicate that your PC is already infected with Cloud Protection, further action, such as usage of an anti-malware product, is required.

svchost.exe
svchost.exe was replaced with unauthorized program.
It has encountered a problem and needs to close.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to us. We will treat this report as confidential and anonymous.

Windows Security Alert
To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to keep blocking this program?
Name: Zeus Trojan
Publisher: Unauthorized

Warning! Infection found
Unauthorized sending E-MAIL with subject "RE:" to [FAKE EMAIL] was CANCELLED.

Warning! Infection found
Unwanted software (malware) or tracking cookies have been found during last scan. It is highly recommended to remove it from your computer.
Keylogger Zeus was detected and put in quarantine.
Keylogger Zeus is a very dangerous software used by criminals to steal personal data such as credit card information, access to banking accounts, passwords to social networks and e-mails.

Security Warning
Your computer continues to be infected with harmful viruses. In order to prevent permanent loss of your information and credit card data theft please activate your antivirus software. Click here to enable protection.

Security Warning
Malicious programs that may steal your private information and prevent your system from working properly are detected on your computer.
Click here to clean your PC immediately.

Security Warning
There are critical system files on your computer that were modified by malicious software.
It may cause permanent data loss.
Click here to remove malicious software.

Warning: Infection is Detected
Windows has found spyware infection on your computer!
Click here to update your Windows antivirus software

Warning: Spyware Detected
Windows has found spy programs running on your computer!
Click here to update your Windows antivirus software

Windows Security Center
Serious security vulnerabilities were detected on this computer. Your privacy and personal data may be unsafe. Do you want to protect your PC?

Besides the symptoms that have been noted here, Cloud Protection and the ZeroAccess rootkit may show few symptoms of being on your computer and, if removed in an improper fashion, may remain on your PC even if they appear to be removed. Use Safe Mode and a completely-updated security program to scan your hard drive, before assuming that your Cloud Protection removal attempt has succeeded. If necessary, SpywareRemove.com malware experts also note that you can fake registration for Cloud Protection with the code '9992665263.'

Aliases

Mal/FakeAV-OZ [Sophos]a variant of Win32/Kryptik.AAJZ [NOD32]Adware/WindowsRecovery [Panda]Gen:Variant.Kazy.40147 [BitDefender]a variant of Win32/Kryptik.TWI [NOD32]Trojan.Win32.Jorik [Ikarus]Artemis!1B426E933853 [McAfee-GW-Edition]Trojan.Win32.Jorik.Fraud.fla [Kaspersky]a variant of Win32/Kryptik.UES [NOD32]Generic FakeAlert.bz [McAfee]Win32:FakeAlert-BHX [GData]TR/Fakealert.TZ [AntiVir]Trojan.Packed.189 [DrWeb]Trojan.Win32.Jorik.Fraud.fmf [Kaspersky]Win32:FakeAlert-BHX [Trj] [Avast]
More aliases (62)

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%USERPROFILE%\cmhost.exe

File name: cmhost.exe
Size: 174.59 KB (174592 bytes)
MD5: 999ab3d32d2aa4c05962142ebbca8f41
Detection count: 43
File type: Executable File
Mime Type: unknown/exe
Path: %USERPROFILE%
Group: Malware file
Last Updated: October 20, 2011

%TEMP%\svhostu.exe

File name: svhostu.exe
Size: 102.91 KB (102912 bytes)
MD5: 55e3ebfc4a5b7a14a46b9051c10a08ec
Detection count: 33
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%
Group: Malware file
Last Updated: October 17, 2011

%ALLUSERSPROFILE%\Application Data\6DSS92c31Apgjk.exe

File name: 6DSS92c31Apgjk.exe
Size: 347.13 KB (347136 bytes)
MD5: 15d961278fc23d262a41b43c91b79849
Detection count: 14
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data
Group: Malware file
Last Updated: October 25, 2011

%TEMP%\Low\9b88.exe

File name: 9b88.exe
Size: 430.08 KB (430080 bytes)
MD5: a537b08413c63a31533833bed1002b13
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%\Low
Group: Malware file
Last Updated: October 25, 2011

%PROGRAMFILES%\1B272\lvvm.exe

File name: lvvm.exe
Size: 193.53 KB (193536 bytes)
MD5: 30b417d498af215d9d4c04f9182813f7
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %PROGRAMFILES%\1B272
Group: Malware file
Last Updated: January 10, 2022

%ALLUSERSPROFILE%\Application Data\1kAlMiG2Kb7FzP.exe

File name: 1kAlMiG2Kb7FzP.exe
Size: 429.05 KB (429056 bytes)
MD5: 19db38e4385b31dd3460bffd8be2ee7f
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data
Group: Malware file
Last Updated: November 1, 2011

%ALLUSERSPROFILE%\Application Data\PeOuyECqQC.exe

File name: PeOuyECqQC.exe
Size: 502.78 KB (502784 bytes)
MD5: 1b426e933853d2bcb271183c696a3084
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data
Group: Malware file
Last Updated: October 25, 2011

%WINDIR%\system32\config\systemprofile\AppData\Roaming\svhostu.exe

File name: svhostu.exe
Size: 101.37 KB (101376 bytes)
MD5: 07c237f3ee4e19dbf8058166e766333c
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %WINDIR%\system32\config\systemprofile\AppData\Roaming
Group: Malware file
Last Updated: October 20, 2011

%AppData%\ldr.ini

File name: %AppData%\ldr.ini
Mime Type: unknown/ini
Group: Malware file

%AppData%\E77ikC6uQA5hAym

File name: %AppData%\E77ikC6uQA5hAym
Group: Malware file

%AppData%\GxxTGN9pzF

File name: %AppData%\GxxTGN9pzF
Group: Malware file

%AppData%\g44tgnOLrfI2dJw

File name: %AppData%\g44tgnOLrfI2dJw
Group: Malware file

%AppData%\g44tgnOLrfI2dJw\Cloud Protection.ico

File name: %AppData%\g44tgnOLrfI2dJw\Cloud Protection.ico
Mime Type: unknown/ico
Group: Malware file

%Programs%\Cloud ProtectionCloud Protection.lnk

File name: %Programs%\Cloud ProtectionCloud Protection.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file

%Programs%\Startupcrss.exe

File name: %Programs%\Startupcrss.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%ProgramFiles\Internet Explorer\1.tmp

File name: %ProgramFiles\Internet Explorer\1.tmp
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file

%SystemDir%\D88olEDV7kS7kSu.exe

File name: %SystemDir%\D88olEDV7kS7kSu.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%Desktop%\Cloud Protection.lnk

File name: %Desktop%\Cloud Protection.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file

%TempDir\svhostu.exe

File name: %TempDir\svhostu.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%TempDir\2.tmp

File name: %TempDir\2.tmp
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"

7 Comments

Ruth Purvis says:

October 11, 2011 at 12:57 pm

I have Cloud Protection coming up and making me activate the program and telling me I have all kind of viruses and I can't get my avg virus program to install and clean my computer. What can I do to get rid of Cloud Protection????? or let me know how I can call you.
Brittany says:

October 13, 2011 at 11:53 am

I have the same problem as Ruth. Its annying the eff outta me. Please let me know how to remove this junk. K thanks.
emma says:

October 16, 2011 at 7:24 pm

Please help me, i'm having such a hard time trying to get off this cloud mess !!! What should I do ?!
kaleigh says:

October 17, 2011 at 3:58 am

i copied the fake register code 9992665263 and it deleted itself!
Lyn Baker says:

October 17, 2011 at 10:24 am

I booted up in safe mode (F8) then found the application file and deleted it. It worked!
Stevo says:

October 17, 2011 at 10:52 pm

I unplugged the power to my computer & rebooted. select safe mode. Once booted, right click on the \"cloud\" icon & select \"open file location\" delete that file. Then go up one folder and delete everything in that roam folder dated up to the day before your computer started acting up. Then reboot in normal mode. Worked for me.
steph says:

April 5, 2012 at 11:04 am

WOW....worked like a charm, spyhunter. Cant belive I put up with that for a day and a half.