Virus Protector is another fraudulent security program that uses scare messages in various colors, sizes and shapes to scam unwary victims into parting with their money for the fake product. The scare messages are numerous, flooding the desktop every few seconds and making it unusable. They mainly warn about spam and hacking attacks.
Rogue security software such as Virus Protector belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
The malware dropper file is named setup.exe (73 KB) in this instance. It is detected by only 2/42 (4.77%) of the antivirus engines available at VirusTotal. The main scareware executables run from the Windows System32 folder to avoid detection. Many folders and files are created in the user’s Temp folder. This scareware also drops a number of randomly named .exe and .dll files, all of the same size (1641 KB), into the Windows System32 folder, the Windows System32 Drivers folder and the Windows folder.
Virus Protector is your everyday rogue software until the infected system is restarted. On restart it completely hijacks the desktop by substituting itself for the Windows shell. This effectively disables the desktop by hiding the icons and taskbar. In addition, right-click is disabled, keyboard shortcuts to open system tasks like Windows Explorer, Task Manager and the Run command are blocked, and so is the Registry Editor.
Hard booting into Windows Safe Mode or Safe Mode with Networking does not kill the Virus Protector malware, because it replaces explorer.exe with its own file named arxc2codv.exe as the Windows shell and also uses another autostart method that works in Safe Mode: it adds a randomly named .dll file to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows. Both are evident from the following HijackThis entries:
- F2 – REG:system.ini: Shell=C:\WINDOWS\system32\arxc2codv.exe
- O20 – AppInit_DLLs: alUrcEiXh.dll
Virus Protector Associated Files and Folders
- C:\WINDOWS\system32\arxc2codv.exe
- C:\WINDOWS\system32\alUrcEiXh.dll
- C:\WINDOWS\Prefetch\ARXC2CODV.EXE-03E0D40A.pf
- C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\nszA.tmp
Some of the file names may be randomly generated.
Virus Protector Associated Registry Values and Keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=c:\windows\system32\arxc2codv.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=system32\arxc2codv.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA=0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs=1
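The registry changes listed above, including the Shell and AppInit_DLLs autostarts shown in the HijackThis entries, can be checked offline against a registry export in .reg form. The Python script below is an added example, not part of the original article or of any tool it mentions; it assumes the export has already been decoded to text, and the names parse_reg, audit and SAMPLE are illustrative.

```python
import re

NT = r"hkey_local_machine\software\microsoft\windows nt\currentversion"
POL = r"\software\microsoft\windows\currentversion\policies\system"

# (key, value name) -> predicate returning True when the data is suspicious.
CHECKS = {
    (NT + r"\winlogon", "shell"): lambda v: str(v).strip().lower() != "explorer.exe",
    (NT + r"\windows", "appinit_dlls"): lambda v: str(v).strip() != "",
    ("hkey_current_user" + POL, "disabletaskmgr"): lambda v: v != 0,
    ("hkey_current_user" + POL, "disableregistrytools"): lambda v: v != 0,
    ("hkey_local_machine" + POL, "enablelua"): lambda v: v == 0,
}

def parse_reg(text):
    """Collect REG_SZ and REG_DWORD values from already-decoded .reg text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry paths are case-insensitive
        elif key and (m := re.match(r'"(.+?)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)):
            if m.group(2) is not None:
                data = int(m.group(2), 16)
            else:  # .reg strings escape backslash and quote with a backslash
                data = re.sub(r"\\(.)", r"\1", m.group(3))
            values[(key, m.group(1).lower())] = data
    return values

def audit(text):
    """Return sorted (key, value name, data) for every failed check."""
    values = parse_reg(text)
    return sorted((k, n, values[k, n]) for (k, n), bad in CHECKS.items()
                  if (k, n) in values and bad(values[k, n]))

# Constructed sample in .reg export form using the values listed on this page;
# the DWORD data for the two Disable* policies is assumed to be 1.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="c:\\windows\\system32\\arxc2codv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="alUrcEiXh.dll"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
'''

print(*audit(SAMPLE), sep="\n")
```

A Winlogon Shell of Explorer.exe and an empty AppInit_DLLs value pass the checks, so a clean export produces no findings.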
Virus Protector Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- www.salebogs .com
- www.antivpc. com
- www.annuanews .com
- www.softpayb. com
Note: Visiting the domains mentioned above may harm your computer system.
Virus Protector Removal (How to remove Virus Protector)
A combination of free tools, used according to the state of the infected system, should be able to disable Virus Protector. Use an alternate browser like Firefox or Chrome to download the following, or use a removable drive to transfer them to the affected computer:
- Malwarebytes’ Anti-Malware (mbam-setup.exe Direct download)
If the system has not been restarted – Install and run Malwarebytes’ Anti-Malware (mbam-setup.exe Direct download). Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
Turn System Restore off and on
If the system has been restarted – The malware blocks your desktop.
- Use an alternate computer to download Malwarebytes’ Anti-Malware (mbam-setup.exe Direct download) and the latest Malwarebytes’ Anti-Malware definitions to a removable drive.
- Boot into Windows Safe Mode with Command Prompt.
- At the command prompt, type “explorer.exe” and press the Enter key, then wait for Windows Explorer to open. Now, in My Computer, browse to your removable drive.
- Install Malwarebytes’ Anti-Malware and the Malwarebytes’ Anti-Malware definitions to your hard disk. Run Malwarebytes’ Anti-Malware. Go to the Scanner tab and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
- Turn System Restore off and on
You should now be clean of this rogue.
If you are unable to get rid of this scareware, you may have other malware in addition to Virus Protector. Please visit one of the recommended forums for malware help and post about your problem.
Note: The Virus Protector installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
{ 30 comments }
This is the best advice I’ve found so far. Unfortunately, it did not remove Virus Protector. CTRL+ALT+DELETE now lets me run Task Manager at the command prompt window, but that is the only change I’ve seen.
Any further wisdom??
Were you able to install and run MBAM?
This was perfect. I got rid of this nasty ****, thanks to you.
Amazingly this malware is working in safemode with networking now. Seems to be evolving. I had to perform the system restore in command prompt c:\system32\restore\rstrui.exe http://support.microsoft.com/kb/304449
this worked and got me able to do some backups.
Also I couldn’t get chkdsk chkntfs autocheck to work and had to enable the dirty bit using fsutil http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fsutil.mspx?mfr=true
I’m still trying to get a mess of other virus and related droppers rogues etc but Virus Protector is gone. Interesting to note that I’ve been off of the net and scanned with everything I can find and still get streams of misc viruses. Everything seems fine now but something just disabled McAfee….yea
Latest malware definitions do not detect the latest strand of this malware. Haven’t tried others yet.
I’ve managed to get my desktop loaded up again by removing the registry keys and the actual [random].exe located in system32 (you can find the actual filename by looking at the label in the first registry key). It’s a temporary fix, as you still have those other random files scattered in the hard drive. Hopefully an update from popular malware scanners can rectify this.
Hi, I need help with my computer. It’s bypassing my safe mode and now I can’t do anything.
I fixed mine accidentally, I was going to scan my hard drive using my good computer and an IDE to USB cable. I unplug my computer, unplug the IDE cable from the hard drive and mother board. I need to do something else so I plugged it back in and restarted it. My PC was able to start normally and I scanned it with N360 4.0, removed 3 Trojan viruses and now everything is working fine.
Steps above did not work. Don’t know if the program was modded or what. I followed directions above to the letter, rebooted as directed, and the malware was still in control. I am performing a full format reload as I type.
links above don’t work and I have no idea how to get the definition update file to download to a cd. Help please.
Which of the links is not working for you? They seem to work fine for me. You need to download the definitions update to a hard drive and then copy it on to a CD.
The Malwarebytes links are the ones not working for me. I have the program on this PC and the one I’m working on. I have already updated the definition file on this PC and can’t locate the file to copy it to a CD.
The local definition file is named rules.ref and can be found at \Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes’ Anti-Malware\rules.ref in Windows XP.
So where does it go in Windows Vista? That’s what the infected PC is running and it doesn’t even come up when I search for it. I’ve got it to where all I need to do is copy the definition file to the infected HD and run the program.
Try :\ProgramData\Malwarebytes\Malwarebytes’ Anti-Malware\rules.ref
Got it loaded, ran Malwarebytes deep scan, it did find 5 things and I removed them all, but now I just get a blank screen when I try to boot normally or in regular safe mode. Still having to boot to safe mode with command prompt to even get in. I can however network to it if booted normally so I will just back everything up and reload Windows unless you have any other suggestions.
Check if this helps, Cleaning Malware and Safe Mode especially the part “Unable to start in Safe mode?”.
I can’t get into safe mode on Windows 7, please help
Please check if this helps, Cleaning Malware and Safe Mode.
The virus comes up in safe mode and safe mode networking, I cannot do anything to make changes or fix or anything, my start button is missing. I am so frustrated
@pookitty, This malware runs in safe mode and safe mode with networking. Are you following the removal instructions in the above article? Please boot into Safe Mode with Command Prompt. You can find step by step instructions above in the part titled “Virus Protector Removal (How to remove Virus Protector)”.
I have already tried that, I typed explorer.exe at the prompt and it does nothing
It just gives me the command again, what am I doing wrong? I can usually fix my computer problems but this has me stumped.
Help please- I have downloaded the above software to remove the virus protector but I get an error message after installing (MBAM_ERROR_UPDATING(12007,0,WinHttpSendRequest)
What can I do? I was able to run a full scan, but when I shutdown and restarted the malware was still there.
Hello, I ran into the same mbam_error_updating 12007 error message… The solution for me was that I forgot to turn my wireless card back on (I had turned it off when I first saw the virus warnings)… Anyhow, thought I’d share my success story as it is critical to allow the program to update its files even if you just downloaded it… I tried it without downloading the updated files and the virus didn’t go away… It wasn’t until I solved the update problem that things worked again.
running the scans in safe mode command prompt and then in normal mode worked for me. thanks guys.
I followed the instructions to a T, latest definitions and all, and it did not go away.
Hmmm…..did you run MBAM in safe mode command prompt? Were you able to repeat the scan in normal mode?
Yes. Safe Mode. Mbam found 5 items & I told it to remove. I turned off System Restore & restarted in normal mode & it still came up with Virus Protector. It’s an Asus EEEpc with XP Home & 4gb ram. It runs Spyware Blaster (free), Mbam (free), and Avast free, all recently updated. I even got the latest Mbam on a memory stick, installed it, and it failed to kill.
The solution for me was at http://www.myantispyware.com/2010/02/20/how-to-remove-virus-protector-uninstall-instructions/
I hope it helps others.
Thanks,
Slob
Excellent description of what Virus Protector does. If I’d read this sooner I might have had success when I initially tried to remove this program from a friend’s machine. Knowing that even the Safe Mode shell might be affected has changed my strategy. Thanks again for this help article.