Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Virus Protector Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us

Virus Protector is another one of those fraudulent security programs that uses scare messages in various colors, sizes and shapes to scam the unwary victims to part with their money for the fake product. The scare messages are many, flooding the desktop every few seconds making it unusable. The scare messages mainly warn about Spam and Hacking attacks.

A rogue security software such as Virus Protector belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own.

virus protector 14 590x337 Virus Protector Analysis and Removal

Virus Protector Scare Messages

The malware dropper file is named setup.exe (73 KB) in this instance. It is detected by only 2/42 (4.77%) of the antivirus engines available at VirusTotal. The main scareware executables run from the Windows System 32 folder to avoid detection. Many folders and files are created in the user’s Temp folder. This scareware also drops a bunch of random named .exe and .dll files -all are of the same size (1641KB)- into the Windows System32 folder, Windows System32 Drivers folder and the Windows folder.

Virus Protector is your every-day rogue software until the infected system is restarted. On restart it completely hijacks the desktop by substituting itself for the Windows Shell. This effectively disables the desktop by hiding the icons and taskbar. Further right-click is disabled and Keyboard shortcuts to open system tasks like Windows Explorer, Task Manager and Run command were also blocked and so was the Registry Editor.

Hard booting into Windows Safe Mode or Safe Mode with Networking does not kill the Virus Protector malware as it replaces explorer.exe with its own file named arxc2codv.exe as the Windows shell and also uses another autostart method in safe mode by adding a random named .dll file to the registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows. These are evident from the following HijackThis entries:

  • F2 – REG:system.ini: Shell=C:\WINDOWS\system32\arxc2codv.exe
  • O20 – AppInit_DLLs: alUrcEiXh.dll

Virus Protector Associated Files and Folders

  • C:\WINDOWS\system32\arxc2codv.exe
  • C:\WINDOWS\system32\alUrcEiXh.dll
  • C:\WINDOWS\BoEOc.exe
  • C:\WINDOWS\BvDhcn.exe
  • C:\WINDOWS\ceDQljRL.dll
  • C:\WINDOWS\cxRAIsSU.exe
  • C:\WINDOWS\GFFqHbNB.dll
  • C:\WINDOWS\iYxjuL.exe
  • C:\WINDOWS\jimXEf.exe
  • C:\WINDOWS\orXJRD.exe
  • C:\WINDOWS\PgURxwAC.exe
  • C:\WINDOWS\PUcpEFGdL.exe
  • C:\WINDOWS\qQLCKX.exe
  • C:\WINDOWS\VWJAkRBRr.dll
  • C:\WINDOWS\XxaAt.exe
  • C:\WINDOWS\system32\adJCWYrN.dll
  • C:\WINDOWS\system32\CNgsschfR.dll
  • C:\WINDOWS\system32\dMhysRhY.exe
  • C:\WINDOWS\system32\elnWExyv.exe
  • C:\WINDOWS\system32\GSFiWw.dll
  • C:\WINDOWS\system32\IwWgQJvit.exe
  • C:\WINDOWS\system32\KoEhcY.exe
  • C:\WINDOWS\system32\NloMGe.dll
  • C:\WINDOWS\system32\XlsFQcj.exe
  • C:\WINDOWS\system32\yOmaN.exe
  • C:\WINDOWS\system32\drivers\DxqwXhnFv.exe
  • C:\WINDOWS\system32\drivers\dYIWkykb.exe
  • C:\WINDOWS\system32\drivers\FucUvmA.dll
  • C:\WINDOWS\system32\drivers\LToJYLJN.exe
  • C:\WINDOWS\system32\drivers\pyFGY.exe
  • C:\WINDOWS\system32\drivers\SuPjSKx.exe
  • C:\WINDOWS\system32\drivers\TDhCt.dll
  • C:\WINDOWS\system32\drivers\VWRqbpI.dll
  • C:\WINDOWS\system32\drivers\WsmwYw.dll
  • C:\WINDOWS\system32\drivers\yhaofu.dll
  • C:\WINDOWS\Prefetch\ARXC2CODV.EXE-03E0D40A.pf
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\nszA.tmp

Some of the file names may be randomly generated.

Virus Protector Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell c:\windows\system32\arxc2codv.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell system32\arxc2codv.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA=0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs=1

Virus Protector Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • www.salebogs .com
  • www.antivpc. com
  • www.annuanews .com
  • www.softpayb. com

Note: Visiting the domains mentioned above may harm your computer system.

Virus Protector Removal (How to remove Virus Protector)

A combination of free tools used according the state of the infected system should be able to disable the Virus Protector. Use an alternate browser like Firefox or Chrome to download the following or use a removable drive to transfer them to the affected computer:

If the system has not been restarted – Install and run MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download). Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full-scan. Once the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.

Turn System Restore off and on

If the system has been restarted – The malware blocks your desktop.

  • Use an alternate computer to download MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download) and the latest Malwarebytes’ Anti-Malware Malware definitions to a removable drive.
  • Boot in to Windows Safe Mode with Command Promptvirus protector 13 590x292 Virus Protector Analysis and Removal
  • At the command prompt type “explorer.exe” and press the Enter key, wait for Windows Explorer to open. Now in My Computer browse to your removable drive.
  • Install Malwarebytes’ Anti-Malware Malware and Malwarebytes’ Anti-Malware Malware definitions to your hard disk. Run Malwarebytes’ Anti-Malware. Go to the Scanner tab and choose a full-scan. Once the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  • Turn System Restore off and on

You should now be clean of this rogue.

If you are unable to get rid of this scareware, you may have other malware in addition to Virus Protector. Please visit one of the recommended forums for malware help and post about your problem.

Virus Protector Scareware — Screenshots

Virus Protector Scareware — Video

Note: The Virus Protector installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

You may also like to read



{ 30 comments… read them below or add one }

Bob C March 10, 2010 at 10:30 PM

This is the best advice I’ve found so far. Unfortunately, it did not remove Virus Protector. CTRL+ALT+DELETE now lets me run Task Manager at the command promt window, but that is the only change I’ve seen.

Any further wisdom??

Reply

Shanmuga March 10, 2010 at 11:35 PM

Were you able to install and run MBAM?

Jake March 11, 2010 at 7:06 AM

This was perfect. I got rid of this nasty ****, thanks to you.

Reply

Shane March 20, 2010 at 9:17 AM

Amazingly this malware is working in safemode with networking now. Seems to be evolving. I had to perform the system restore in command prompt c:\system32\restore\rstrui.exe http://support.microsoft.com/kb/304449
this worked and got me able to do some backups.

Also I couldn’t get chkdsk chkntfs autocheck to work and had to enable the dirty bit using fsutil http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fsutil.mspx?mfr=true

I’m still trying to get a mess of other virus and related droppers rogues etc but Virus Protector is gone. Interesting to note that i’ve been off of the net and scanned with everything I can find and still get streams of misc viruses. Everything seems fine now but something just disabled Mcafee….yea

Reply

random March 20, 2010 at 8:52 PM

latest malware definitions does not detect the latest strand of this malware. havn’t tried others yet.

Reply

random March 21, 2010 at 12:19 AM

i’ve managed to get my desktop loaded up again by removing the registry keys and the actual [random].exe located in system32 (you can find the actual filename by looking at the label in the first registry key). its a temporary fix, as you still have those other random files scattered in the hard drive. hopefully an update from popular malware scanners can rectify this.

Reply

Kristine March 29, 2010 at 12:18 AM

Hi, I need help with my computer. Its bypassing my safemode and now I can’t do anything.

Reply

Dennis April 1, 2010 at 2:11 AM

I fixed mine accidentally, I was going to scan my hard drive using my good computer and an IDE to USB cable. I unplug my computer, unplug the IDE cable from the hard drive and mother board. I need to do something else so I plugged it back in and restarted it. My PC was able to start normally and I scanned it with N360 4.0, removed 3 Trojan viruses and now everything is working fine.

Reply

marshall April 1, 2010 at 12:53 PM

steps above did not work dont know if the program was modded or what i followed directions above to the letter rebooted as directed ad the malware was still in control i am performing a full format reload as i type

Reply

S Peirson April 12, 2010 at 6:06 AM

links above don’t work and I have no idea how to get the definition update file to download to a cd. Help please.

Reply

Shanmuga April 12, 2010 at 6:50 AM

Which of the links is not working for you? They seem to work fine for me. You need to download the definitions update to a hard drive and then copy it on to a CD.

S Peirson April 12, 2010 at 7:04 AM

The malwarebytes links are the ones not working for me. I have the program on this pc and the one I”m working on. I have already updated the definition file on this pc and can’t locate the file to copy it to a cd.

Reply

Shanmuga April 12, 2010 at 7:16 AM

The local definition file is named rules.ref and can be found at \Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes’ Anti-Malware\rules.ref in Windows XP.

S Peirson April 12, 2010 at 8:14 AM

So where does it go in Windows Vista? Thats what the infected pc is running and it doesn’t even come up when I search for it. I’ve got it to where all I need to do is copy the definition file to the infected HD and run the program.

Reply

Shanmuga April 12, 2010 at 8:30 AM

Try :\ProgramData\Malwarebytes\Malwarebytes’ Anti-Malware\rules.ref

S Peirson April 12, 2010 at 10:12 AM

Got it loaded, ran malwarebytes deep scan, it did fine 5 things and I removed them all, but now I just get a blank screen when I try to boot normally or in regular safe mode. Still having to boot to safe mode with command prompt to even get in. I can however network to it if booted normally so I will just back everything up and reload windows unless you have any other suggestions.

Reply

Shanmuga April 12, 2010 at 11:01 AM

Check if this helps, Cleaning Malware and Safe Mode especially the part “Unable to start in Safe mode?”.

pookitty April 13, 2010 at 8:43 AM

i can’t get into safe mode one windows 7 please help

Reply

Shanmuga April 13, 2010 at 9:31 AM

Please check if this helps, Cleaning Malware and Safe Mode.

pookitty April 13, 2010 at 10:23 AM

The virus comes up in safe mode and safe mode networking, i cannot do anything to make changes or fix or anything, my start button is missing. I am so frustratated

Reply

Shanmuga April 13, 2010 at 10:46 AM

@pookitty, This malware runs in safe mode and safe mode with networking. Are you following the removal instructions in the above article? Please boot into Safe Mode with Command Prompt. You can find step by step instructions above in the part titled “Virus Protector Removal (How to remove Virus Protector)”.

pookitty April 13, 2010 at 11:25 AM

I have already tried that, I typed explorer.exe at the prompt and it does nothing
It just give me the comand again, what am I doing wrong. I can usually fix my computer problems but this has me stumped.

Reply

nic April 13, 2010 at 11:39 AM

Help please- I have downloaded the above software to remove the virus protector but when I get an error message after installing (MBAM_ERROR_UPDATING(12007,0,WinHttpSendRequest)

What can I do? I was able to run a full scan, but when I shutdown and restarted the malware was still there.

Reply

Ezra August 14, 2010 at 8:38 PM

Hello I ran into the same mbam_error_updating 12007 error message… The solution for me was that I forgot to turn my wireless card back on (I had turned it off when I first saw the virus warnings)… Anyhow, thought I’d share my success story as it is critical to allow the program to update it’s files even if you just downloaded it… I tried it without downloading the updated files and the virus didn’t go away… It wasn’t until I solved the update problem that things worked again.

Ram April 13, 2010 at 5:00 PM

running the scans in safe mode command prompt and then in normal mode worked for me. thanks guys.

Reply

Slob April 14, 2010 at 10:09 AM

I followed the instructions to a T, latest definitions and all, and it did not go away.

Reply

Shanmuga April 14, 2010 at 10:40 AM

Hmmm…..did you run MBAM in safe mode command prompt? Were you able to repeat the scan in normal mode?

Slob April 15, 2010 at 4:55 AM

Yes. Safe Mode. Mbam found 5 items & I told it to remove. I turned off System Restore & restarted in normal mode & it still came up with Virus Protector. It’s an Asus EEEpc with XP Home & 4gb ram. It runs Spyware Blaster (free), Mbam (free), and Avast free, all recently updated. I even got the latest Mbam on a memory stick, installed it, and it failed to kill.

Reply

Slob April 15, 2010 at 5:33 AM

The solution for me was at http://www.myantispyware.com/2010/02/20/how-to-remove-virus-protector-uninstall-instructions/
I hope it helps others.
Thanks,
Slob

Reply

Merla Bryd May 31, 2011 at 1:23 AM

Excellent description of what Virus Protector does. If I’d read this sooner I might have had success when I initially tried to remove this program from a friend’s machine. Knowing that even the Safe Mode shell might be affected has changed my strategy. Thanks again for this help article.

Reply

Leave a Comment

Previous post:

Next post: