PUP Friday: Content Protector

PUP Friday: Content Protector

Content Protector or Content Defender as it was called before, is an adware not to be confused with the legitimate WordPress and Joomla plugin “Content Protector”.

The offer

Content Protector by “Artex Management S. A.” is delivered by bundlers that combine desired programs with adware and/or advertisements. It is advertised as a web-filtering application to protect your system while surfing. Instead it serves up their choice of advertisements.

The privacy policy can be found at their site and is certainly worth reading if you are considering this potentially unwanted program (PUP). They do not hide the fact that the program is ad-supported. Even though this seems counterproductive for the advertised goal of the software.

We and the Services may use third party services to provide you with the Services and to serve you with advertisements using Our or third party’s technology.

Installation

As you may be able to tell from the installation screens, someone did not put a lot of effort into the text.

installsequence
Content Defender is still used instead of Content Protector and where the text says Finish the button says Close.

The installation files are fetched from

http://contentprotector-w1.com/install/start/sourceid/1/campaignid/ 

which is blocked by the Malwarebytes Website Protection module.

protection2

Certificate

There is one thing that makes this adware stand out from others. And that is the fact that it installs its own certificate. Which is valid until 2056 and for all purposes.

certificate

In the Program Files folder of ContentProtector you will find a subfolder with the certificate and an executable called “import_root_cert.exe” for this purpose.

programfolder

In the folder called “nss” you will find the Microsoft file certutil.exe which is also needed to complete this task.

Removal

As this adware installs two services and one driver it is hard to remove manually and we would advise you to use a full Malwarebytes Anti-Malware Threat Scan. A full removal guide can be found on our forums.

File details

The installer is detected by Malwarebytes Anti-Malware as PUP.Optional.ContentProtector.

protection

SHA-1 ConProtSe.exe 9814ccbaa0e184f3446ae74b5ab811f50202bb2b

Pieter

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.