Virus Protector is another fraudulent security program that uses scare messages in various colors, sizes and shapes to frighten unwary victims into paying for a fake product. The scare messages are many, flooding the desktop every few seconds and making it unusable. They mainly warn about spam and hacking attacks.
Rogue security software such as Virus Protector belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are frequently repackaged and renamed. They do not actually remove malware; many of them install more malware of their own.
The malware dropper in this instance is named setup.exe (73 KB). At the time of testing it was detected by only 2 of the 42 antivirus engines at VirusTotal (4.76%). The main scareware executables run from the Windows System32 folder, where they blend in with legitimate system files. Many folders and files are created in the user's Temp folder. The scareware also drops a number of randomly named .exe and .dll files, all of the same size (1641 KB), into the Windows System32 folder, the System32\Drivers folder and the Windows folder itself; the identical size is a handy indicator when hunting for the dropped files.
Virus Protector behaves like an everyday rogue until the infected system is restarted. On restart it completely hijacks the desktop by substituting itself for the Windows shell, which hides the desktop icons and the taskbar. Right-click is disabled, and the keyboard shortcuts that open Windows Explorer, Task Manager and the Run command are blocked, as is the Registry Editor.
Booting into Windows Safe Mode or Safe Mode with Networking does not stop Virus Protector, because it has replaced explorer.exe as the Windows shell with its own file, arxc2codv.exe, and it uses a second autostart method that also works in Safe Mode: a randomly named .dll registered under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (AppInit_DLLs). Both are evident from the following HijackThis entries:
- F2 - REG:system.ini: Shell=C:\WINDOWS\system32\arxc2codv.exe
- O20 - AppInit_DLLs: alUrcEiXh.dll
Virus Protector Associated Files and Folders
- C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\nszA.tmp
Some of the file names may be randomly generated.
Virus Protector Associated Registry Values and Keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = c:\windows\system32\arxc2codv.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = system32\arxc2codv.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs = 1
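As an added example (not code from the original article, from HijackThis or from Malwarebytes), the following Python script applies the checks a practitioner would run over the entries listed above: it reads HijackThis F2/O20 lines or the value lines printed by XP's reg.exe and flags a Shell that is anything other than explorer.exe, any non-empty AppInit_DLLs, and an enabled LoadAppInit_DLLs. The sample log lines are constructed from the entries quoted in this article; the baseline values are those of a default Windows XP SP3 installation.

```python
import re

# Added example, not part of the original article. Triage HijackThis F2/O20
# entries or XP reg.exe value lines for the two persistence mechanisms the
# article describes: the Winlogon/system.ini Shell replacement and
# AppInit_DLLs injection. Baseline values are those of a default XP SP3 install.

EXPECTED_SHELLS = {"explorer.exe", r"c:\windows\explorer.exe"}

# HijackThis entry formats handled here, e.g.
#   F2 - REG:system.ini: Shell=C:\WINDOWS\system32\arxc2codv.exe
#   O20 - AppInit_DLLs: alUrcEiXh.dll
HJT_SHELL = re.compile(r"^F2\s*-\s*REG:system\.ini:\s*Shell=(?P<value>.*)$", re.I)
HJT_APPINIT = re.compile(r"^O20\s*-\s*AppInit_DLLs:\s*(?P<value>.*)$", re.I)

# Value lines as printed by `reg query` on XP, e.g.
#     Shell       REG_SZ  c:\windows\system32\arxc2codv.exe
REG_VALUE = re.compile(
    r"^\s*(?P<name>Shell|AppInit_DLLs|LoadAppInit_DLLs)\s+"
    r"REG_(?:SZ|EXPAND_SZ|DWORD)\s*(?P<value>.*)$", re.I)


def check_shell(value):
    """Anything but explorer.exe in the Shell slot replaces the whole desktop."""
    v = value.strip().strip('"').lower()
    if v in EXPECTED_SHELLS:
        return None
    return ("shell_hijack", f"Shell is '{value.strip()}' instead of explorer.exe")


def check_appinit(value):
    """A non-empty AppInit_DLLs is loaded into every process that maps
    user32.dll, Safe Mode included, so it survives a shell-only fix."""
    v = value.strip().strip('"')
    if not v:
        return None
    return ("appinit_dll", f"AppInit_DLLs = '{v}' (injected into every GUI process)")


def check_loadappinit(value):
    """LoadAppInit_DLLs is honoured only from Vista onward; on XP the DLL
    loads regardless. reg.exe prints DWORDs as 0x1, hence int(v, 0)."""
    try:
        enabled = int(value.strip(), 0) != 0
    except ValueError:
        return None
    return ("loadappinit", f"LoadAppInit_DLLs = {value.strip()}") if enabled else None


CHECKS = {"shell": check_shell,
          "appinit_dlls": check_appinit,
          "loadappinit_dlls": check_loadappinit}


def triage(lines):
    """Return a list of (kind, detail) findings for the given log lines."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if (m := HJT_SHELL.match(line)):
            name, value = "shell", m["value"]
        elif (m := HJT_APPINIT.match(line)):
            name, value = "appinit_dlls", m["value"]
        elif (m := REG_VALUE.match(line)):
            name, value = m["name"].lower(), m["value"]
        else:
            continue
        finding = CHECKS[name](value)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample input: the two HijackThis entries quoted in the article.
SAMPLE_HJT_LOG = [
    r"F2 - REG:system.ini: Shell=C:\WINDOWS\system32\arxc2codv.exe",
    r"O20 - AppInit_DLLs: alUrcEiXh.dll",
]

# Constructed sample input modelled on XP reg.exe output for
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SAMPLE_REG_QUERY = [
    "! REG.EXE VERSION 3.0",
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"    Shell       REG_SZ  c:\windows\system32\arxc2codv.exe",
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"    AppInit_DLLs        REG_SZ  alUrcEiXh.dll",
    r"    LoadAppInit_DLLs    REG_DWORD       0x1",
]

# Constructed clean baseline (default XP SP3 values) that should yield no findings.
CLEAN_REG_QUERY = [
    r"    Shell       REG_SZ  Explorer.exe",
    r"    AppInit_DLLs        REG_SZ",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HJT_LOG + SAMPLE_REG_QUERY):
        print(f"[{kind}] {detail}")
```

Run it against `reg query` output captured from the infected machine before cleanup and again afterwards; an empty findings list after removal confirms that the Shell and AppInit_DLLs values are back to their defaults. Note that Windows XP ignores LoadAppInit_DLLs (the value is honoured only from Vista onward), so the 1 the dropper writes is a sign that it targets newer Windows as well, not an extra condition for the injection on XP.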
Virus Protector Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- www.salebogs .com
- www.antivpc .com
- www.annuanews .com
- www.softpayb .com
Note: Visiting the domains mentioned above may harm your computer system.
Virus Protector Removal (How to remove Virus Protector)
A combination of free tools, chosen according to the state of the infected system, should be able to disable Virus Protector. Use an alternate browser such as Firefox or Chrome to download the following, or use a removable drive to transfer them to the affected computer:
- Malwarebytes' Anti-Malware (mbam-setup.exe Direct download)
If the system has not been restarted: install and run Malwarebytes' Anti-Malware (mbam-setup.exe Direct download). Go to the Update tab and check for updates. Once the update has completed, open the Scanner tab and choose a full scan. When the scan finishes, click "Show results", confirm that all instances of the rogue security software are check-marked, then click "Remove Selected" to delete them. If prompted, restart immediately to complete the removal.
If the system has been restarted: the malware blocks your desktop, so use the following procedure instead.
- Use an alternate computer to download Malwarebytes' Anti-Malware (mbam-setup.exe Direct download) and the latest Malwarebytes' Anti-Malware definitions to a removable drive.
- Boot into Windows Safe Mode with Command Prompt.
- At the command prompt type "explorer.exe" and press Enter, then wait for Windows Explorer to open. In My Computer, browse to your removable drive. Because the AppInit_DLLs entry is honoured in Safe Mode as well, the rogue's DLL may still be loaded into this Explorer instance, so do not be surprised if some of its behaviour persists until the scan below has removed the registry entry.
- Install Malwarebytes' Anti-Malware and the definitions to your hard disk, then run Malwarebytes' Anti-Malware. Go to the Scanner tab and choose a full scan. When the scan finishes, click "Show results", confirm that all instances of the rogue security software are check-marked, then click "Remove Selected" to delete them. If prompted, restart immediately to complete the removal.
- Turn System Restore off and on again, so that restore points holding copies of the rogue are discarded.
You should now be clean of this rogue.
If you are unable to get rid of this scareware, you may have other malware in addition to Virus Protector. Please visit one of the recommended forums for malware help and post about your problem.
Virus Protector Scareware — Screenshots
Virus Protector Scareware — Video
Note: The Virus Protector installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by MalwareHelp.org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.