
Thursday, March 25, 2010

How to remove "Online Protection Tool" fake pop-up (Free removal)

"Online Protection Tool" is a fake pop-up that looks like a legitimate Windows warning but is actually part of a malware infection. If you see a repeated pop-up on your screen prompting you to install Online Protection Tool, then your computer is probably infected with a Trojan virus.

Usually, it appears when users use their web browsers (even if they use Safari and are running Mac OS). Several users said that they can't access the Microsoft Windows Update website and that they are occasionally redirected to other websites with advertisements. Furthermore, it seems like this malware can block already installed antivirus or anti-spyware programs.



"Online Protection Tool" pop-up reads:
Windows Internet Security
Your browser is under the threat of infection. Windows requires your permission to install online protection tool.
Your browser is run in unsafe mode. Running the protection mode will help you to keep your computer safe. Staying at the suspicious website is unsafe mode my lead to the loss of personal data and computer breakage. To run the web browser in protected mode windows requires installing the certified antivirus scanner software and online protection tool.
Name: online protection tool
Publisher: Microsoft windows

If you are reading this article then your computer is probably already infected. Thankfully, there are several free malware removal programs that you can use to remove this infection from your computer for free. You may choose from: (all programs are free)
Please note that you may have to download and run the chosen anti-malware program in Safe Mode or Safe Mode with Networking, as this virus is able to block anti-malware programs.

Also, if you already have MalwareBytes' Anti-malware installed on your PC but you can't launch it, go to C:\Program Files\Malwarebytes' Anti-Malware and rename the "mbam.exe" file within the folder. Then double-click the renamed .exe file to run it. You may rename it to test123.exe or anything else. More information here.
The same applies to other programs listed above.

If you have any questions, please don't hesitate to ask or leave a comment. Good luck and be safe!


14 comments:

Anonymous said...

I started getting this pop-up on Firefox a few days ago. The weird thing is that I'm running Linux (Fedora 12), so I don't think it's a trojan installed on my computer. Any thoughts?

Thank you
Davide

Admin said...

Davide, check DNS settings. Recently, I received several reports that this is a combination of an adware infection and DNS changer virus.

Anonymous said...

I tried Malwarebytes and it worked, but then later today it started again, and I get the pop-up again! What is causing this?

Anonymous said...

This did not work for me. However, this did:
http://www.bleepingcomputer.com/forums/index.php?s=a5aefc0953d4dd8fd32b2ec212348953&showtopic=305070&st=0&gopid=1689448&#entry1689448

John GWolf said...

OK, here is one for you: I'm on a MacBook and have this thing coming up. The dang thing can't even load up on here but the virus is present. Go figure.

Anonymous said...

I have it too but I can't even access any of the malware scanner sites... Not even in safe mode! It has taken over and is blocking my Kaspersky AV 2010 updates, windows updates, everything! I have no idea what to do next...

Admin: How do you check DNS settings?

Anonymous said...

Update to my post above from yesterday...
I found my DNS entries and sure enough, they had been changed to a company out of the Ukraine!!! As soon as I put back in my correct DNS addresses, I was able to do all the downloads and updates that had been blocked. I no longer have that popup and those annoying Clicksor ads. I have read that this thing is getting by every one of the AV programs and sometimes comes in as an update.

Anonymous said...

Wow, this really caused me a lot of headache. I formatted and reloaded Windows. It still was there so I thought it must have infected the MBR. After FDISK /MBR it was STILL there! Then yesterday my wife's new laptop got the popup. I found this forum and got to thinking. I checked the DNS settings of our router and sure enough, they had been changed. So if you are going through a router be sure and check it out! I now have a password on the router (I just had the default one before).

THANKS FOR THE HELP!!!!

Keith.

- Tom Music - said...

The name of this virus is: Trojan.DNSChanger
It has been bugging me for about a week. My virus programs did not identify it and several registry programs did not work. The newest version of Malwarebytes located at http://download.cnet.com will remove the virus. You may have to go to a clean computer to download the program as this virus is very clever in the way that it will block updates and downloads from many sites. It changed my DNS entry on my computer to a Ukraine site: 93.188.166.78 which is hosted by http://prom-net.com.ua located in the Ukraine. I wrote a letter to Prom-Net and I encourage everyone reading this message to do the same. Only if victims of Virus Abuse step up will there be any actions taken to stop the site responsible. Please send your letter of concern to: support@prom-net.com.ua as they are the ISP for the Virus Web site. Prom-Net manages a range of Domain Addresses, they are not the "Bad Guy" but they are responsible for managing the use of the 93.188.168.78 address. Your particular computer may have a different DNS than the one that affected me but it will start with 93.188 as the beginning of the range. I have also written to the REGISTRAR for Prom-Net which is RIPE NCC in Amsterdam. They replied to me and claimed no responsibility and referred me to Prom-Net. Once the virus is removed your correct DNS will be restored to your computer and the problem will be gone. Glad to help the community, -TOM-

Anonymous said...

I was also able to get rid of this pop-up by resetting my router. My question to this forum is: I have probably logged in to secure accounts before I changed the router settings. Can the re-routed domain capture this information? Do I need to reset my passwords?
Thanks

- Tom Music - said...

The Virus is nesting in four separate registry keys. You must get the Virus out of your system. The Virus can surface again during a fresh boot.
Run Malwarebytes, I promise you that a Deep Scan of your hard drive will alert Malwarebytes.

Anonymous said...

I have a Mac and got this virus. I completely erased and rebooted my computer and it's still here... it has changed the DNS and I can't delete it, help?

Razer WIlliam said...

Very useful post, security awareness training and the information security training is in great demand nowadays. And now I am taking some courses from Information Security Training; this site is also a great collection of online courses.

Anonymous said...

How do I find my DNS settings and restore to the correct ones?
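
Several comments above trace the pop-up to changed DNS servers on the computer or the router. The following is an added example, not part of the original post or any comment: it reads the resolver list from saved `ipconfig /all` output (Windows) or `/etc/resolv.conf`-style text (Linux) and flags entries in the 93.188 range one commenter reported. The function names and the "expected" resolver 192.168.1.1 are assumptions for illustration.

```python
import ipaddress
import re
# Range one commenter reported for the rogue resolvers ("it will start with 93.188").
REPORTED_ROGUE_NET = ipaddress.ip_network("93.188.0.0/16")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def resolvers_from_resolv_conf(text):
    """Nameserver entries from /etc/resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def resolvers_from_ipconfig(text):
    """IPv4 DNS servers from English-language `ipconfig /all` output."""
    found, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True   # first server shares the labelled line
        elif ". :" in line or not line.strip():
            in_dns = False  # next labelled field or blank line ends the list
        if in_dns:          # unlabelled continuation lines hold further servers
            found.extend(IPV4.findall(line))
    return found

def audit(resolvers, expected):
    """Label each resolver: rogue-range, expected, unexpected or unparseable."""
    wanted = {ipaddress.ip_address(e) for e in expected}
    report = {}
    for raw in resolvers:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            report[raw] = "unparseable"
            continue
        known = "expected" if ip in wanted else "unexpected"
        report[raw] = "rogue-range" if ip in REPORTED_ROGUE_NET else known
    return report
# Constructed sample; the two 93.188.x.x addresses are the ones quoted in the comments.
SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 93.188.166.78
                                       93.188.168.78
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
EXPECTED = {"192.168.1.1"}  # assumption: the resolver you configured yourself
if __name__ == "__main__":
    print(audit(resolvers_from_ipconfig(SAMPLE_IPCONFIG), EXPECTED))
```

A computer that lists only the router's address can still be affected, because the comments above report the DNS entries being changed on the router itself; check the router's own DNS settings as well.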