Group: Members
Posts: 119
Member No.: 12,725
Joined: February 04, 2009
For those that get this nasty, I feel for you. The rogue program is (Virus Protector) version 5.1. It will not let you do anything until you give them your credit card, which is a BIG NO NO. Safe mode brings up the same thing. No desktop, just the software that is worthless. I even tried system restore in safe mode with the DOS screen and I knew it probably would not work. Task Manager was also disabled. I have removed many of these rogue things and this one was by far the worst. What I finally had to do was remove the hard drive from the infected computer and then install it in mine. I booted, went to My Computer and did a Norton 2010 full scan. It found about 30 Trojans and removed them all. The computer now boots to the desktop. Whew, what a mess. Tom
Group: Admin
Posts: 8,439
Member No.: 1
Joined: September 23, 2002
That does sound like a tough one Tom - I love your solution though :top: Also, thanks for posting up the screen shot - it's nice to see the infection get whacked :lol: :top:
--------------------
If this site has been helpful to you please consider donating $$ to support it. You can also visit one of our advertising sponsors by clicking on the 3rd post in this thread which won't cost you one red cent but will make a difference!
Group: Members
Posts: 119
Member No.: 12,725
Joined: February 04, 2009
Marvin, I just thought I would let you know that I spoke too quick. The rogue is still there. Now when I boot the computer all I get is a blank desktop with a strange looking background. The trojan is still there because when I hit Ctrl-Alt-Delete to try and run Task Manager the nasty program tells me it is still there. I removed the hard drive again and this time I ran SpywareBlaster from my computer. It found 84 Trojans. I ran Norton and Malwarebytes again; they found nothing. Put the drive back in the original computer and same thing, the rogue software is still there. I am about to give up. Any suggestions on how I can at least get to the desktop? Tom
Group: Admin
Posts: 8,439
Member No.: 1
Joined: September 23, 2002
Hi Tom;
For the record, Norton has never been held in good stead on this site over the span of about 8 years now. In fact, we enjoy bashing it every chance we can - it's that good ;)
Instead, what I would do is follow these steps to get rid of it.
That means you'll be using MalWare Bytes to case it :top:
My personal experience has been that there is no single AV app that tends to case everything. At the top of this forum we posted up a list of the then-current apps that we kept in our arsenal. The idea being that a person would use several of them - that's what I do - and it works. That list is pinned at the top of the forum.
You don't run them all at the same time - you install/run them one by one :top:
Bottom line though, MalwareBytes seems to be the way to go - at least initially. It's entirely possible it won't find every infection - hence the preceding paragraph :top:
Once you're convinced the drive is clean I would recommend ensuring that there is no media in the destination computer. You wouldn't want an infected floppy/USB/CD to enable it to come back :(
Group: Members
Posts: 119
Member No.: 12,725
Joined: February 04, 2009
Marvin, I would have agreed with you on Norton until I tried the 2009 and 2010 versions. I tried it after it was installed on our new computer at work. It was one of the few that would stop these rogue programs cold. I know that for a fact because I got infected myself and Norton caught it. I also like the log in feature Norton has. I do not have to remember any of my passwords as long as I log in to the software when the computer first starts up. I like that. Norton 2010 also does not slow a computer like the past versions did. I like that. Now for the infection. I removed the hard drive a third time and ran Malwarebytes, SuperAntiSpyware and Norton. I did these one at a time. I replaced the drive and still get the blank desktop, the same color as when the rogue was installed. Any more thoughts on this? Tom
Group: V.I.P.
Posts: 107
Member No.: 12,552
Joined: September 08, 2008
Hi, it sounds like a Boot Sector Virus.
Usually the only answer is to remove all needed data etc. (with the drive slaved to another PC) and reinstall the operating system.
But I'd try this first, if it is XP: boot from the XP CD. When prompted, press [R]. Choose the Windows installation (typically by pressing [1]). When prompted for the password, press Enter. At the prompt type fixboot and press Enter, then type fixmbr and press Enter.
Have you tried this? Tap F8 while your system is starting up. Choose Safe Mode with Command Prompt. Log on as an admin. At the command prompt type %systemroot%\system32\restore\rstrui.exe
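A check worth making before typing fixmbr, added here as an example and not part of Desmond's post: read the slaved disk's first sector from the host, confirm the 0x55AA boot signature and a single bootable partition, look for the three error strings that the stock Windows 2000/XP MBR boot code carries, and keep a copy of the sector so the original can be written back if fixmbr makes things worse. The device name \\.\PhysicalDrive1 and the output path are assumptions (check Disk Management for the slaved disk's number); the host must run this elevated, and a disk whose MBR was written by something other than Windows (an OEM recovery loader, GRUB) legitimately lacks those strings, so a missing string is a reason to look closer, not proof of infection.

```powershell
# Added example, not code from the thread. Hypothetical assumptions: the slaved
# disk is \\.\PhysicalDrive1 on the host, this runs elevated, and the disk was
# partitioned by Windows 2000/XP (whose MBR carries the three strings below).
function Read-Mbr {
    param([string]$Device = '\\.\PhysicalDrive1')
    # Raw device reads must be whole sectors; the MBR is sector 0 (512 bytes).
    $fs = New-Object IO.FileStream($Device, [IO.FileMode]::Open, [IO.FileAccess]::Read,
                                   [IO.FileShare]::ReadWrite, 512)
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "short read ($n bytes) from $Device" }
        return $buf
    } finally { $fs.Close() }
}

function Test-Mbr {
    param([byte[]]$Mbr)
    # Bytes 0-445 are boot code; 446-509 the four 16-byte partition entries; 510-511 the signature.
    $ascii = [Text.Encoding]::ASCII.GetString($Mbr, 0, 446)
    $expected = 'Invalid partition table', 'Error loading operating system', 'Missing operating system'
    $found = @($expected | Where-Object { $ascii.Contains($_) })

    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        if ($Mbr[$o + 4] -eq 0) { continue }                  # empty slot
        $parts += New-Object PSObject -Property @{
            Index    = $i
            Bootable = ($Mbr[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Mbr[$o + 4])           # 0x07 = NTFS, 0x0B/0x0C = FAT32
            StartLba = [BitConverter]::ToUInt32($Mbr, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Mbr, $o + 12)
        }
    }
    New-Object PSObject -Property @{
        SignatureOk     = ($Mbr[510] -eq 0x55 -and $Mbr[511] -eq 0xAA)
        StdStringsFound = $found.Count                        # 3 on a stock XP MBR
        BootableCount   = @($parts | Where-Object { $_.Bootable }).Count   # should be exactly 1
        Partitions      = $parts
    }
}

# Usage: inspect, and keep a copy before letting fixmbr overwrite the boot code.
$mbr = Read-Mbr
$mbr | Set-Content -Path "$env:TEMP\slaved-mbr.bin" -Encoding Byte
Test-Mbr $mbr | Format-List
```

If SignatureOk is true, exactly one partition is bootable, and all three strings are present, the MBR code is most likely the stock one and fixmbr will not change much; the infection is then more likely in the volume boot sector (what fixboot rewrites) or, as the later posts in this thread argue, in the registry and file system.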
Group: Admin
Posts: 8,439
Member No.: 1
Joined: September 23, 2002
QUOTE (jerkputter @ March 05, 2010 02:37 pm)
Marvin, I would have agreed with you on Norton until I tried the 2009 and 2010 versions. I tried it after it was installed on our new computer at work. It was one of the few that would stop these rogue programs cold. I know that for a fact because I got infected myself and Norton caught it. I also like the log in feature Norton has. I do not have to remember any of my passwords as long as I log in to the software when the computer first starts up. I like that. Norton 2010 also does not slow a computer like the past versions did. I like that.
Yeah, yeah, yeah - but it didn't do what it's designed to - which was, if I'm not mistaken, to protect you from infections such as this :D :lol: So, you haven't convinced me that its merit has changed over the years, although it does sound like it's improving in other areas :top:
No matter, it's all a personal decision :top:
With respect to the ongoing infection, I'm almost thinking perhaps you didn't quite do it right (with MalWare Bytes). It's been pretty well documented to fix this infection so I took another look on the 'net for more detailed instructions and found these.
Hopefully more detail will help you kill it completely this time :top:
I wouldn't rule out a boot sector infection but it seems this virus normally resides outside of the boot sector. By no means am I an expert in this particular infection, but it looks to me like it resides in the registry and the file system;
Associated Virus Protector Files:
c:\Documents and Settings\Bleeping\Application Data\<random>.exe
c:\Documents and Settings\Bleeping\Application Data\<random>.dll
c:\Documents and Settings\Bleeping\Local Settings\Temp\<random>.exe
c:\Documents and Settings\Bleeping\Local Settings\Temp\<random>.dll
c:\Program Files\Internet Explorer\<random>.exe
c:\Program Files\Internet Explorer\<random>.dll
c:\WINDOWS\<random>.exe
c:\WINDOWS\<random>.dll
c:\WINDOWS\system32\<random>.exe
c:\WINDOWS\system32\<random>.dll
c:\WINDOWS\system32\drivers\<random>.exe
c:\WINDOWS\system32\drivers\<random>.dll
Associated Virus Protector Windows Registry Information:
From the looks of the above it should be easy to manually extract the bugger with Windows Explorer & regedit.
You should be able to load the registry on the infected drive from your current O/S and check/modify those entries if you so desire and also delete whatever files those entries point to on your computer in the aforementioned directories.
If you elect to go this route I would still run Malware Bytes on it and also Microsoft's Security Essentials. I suspect Microsoft's solution would probably nail the little bugger too :top:
BTW, I like Desmond's post :top: but I do still think there's hope yet on the Malware Bytes front :)
Group: Members
Posts: 119
Member No.: 12,725
Joined: February 04, 2009
Marvin, the computer that was infected did not have Norton. It had AVG. I have been running Norton, not the person whose computer I am working on. I was like you when dealing with Norton until last year. It is now a good antivirus. Microsoft may be better, not sure. I am tired of dealing with this problem as of now. Later I may decide to try it again. The person that owns this computer told me last night that his wife is always downloading screen savers. I now see the problem. I may just see if I can get my computer infected, being I have a Ghost image. I cannot understand how all these people are messing up perfectly running systems. Infecting mine will see if Norton is doing its job. Tom
Group: Admin
Posts: 8,439
Member No.: 1
Joined: September 23, 2002
Screen savers - that can do it :) Screen savers were somewhat important back when everyone was using CRT (glass) monitors. With the prevalence of LCD's though there's pretty much no reason to use one (it's nearly impossible to burn in an LCD screen).
I'm sure you're aware of this but a better way to go is to skip screen savers and just use power management. That's what I used to do with CRT's. Have the monitor power itself down as opposed to displaying screen savers. That saves money on the electric bill whereas flying toasters keep the meter turning :lol:
Tom, don't worry too much about Norton. It's a personal view that's been born out of years of nasty experiences with it. It's entirely possible I may never change my view of it :blink: Norton has caused so many other problems (aside from the virus side of things) that a significant number of posts on this site for non-virus issues were repeatedly tracked back to Norton. Everything from MSN Messenger issues, to email issues etc.
If a person does a search on Microsoft's Knowledge Base for the keyword Norton (or Symantec) you'll get an idea as to why that attitude has grown over the years - and some of the issues we've had to help people with.
I'm not sure I would go off testing Norton against intentional virus infections. If you've got time to kill I'd be more interested in seeing what happens when you go after these puppies;
Associated Virus Protector Files:
c:\Documents and Settings\Bleeping\Application Data\<random>.exe
c:\Documents and Settings\Bleeping\Application Data\<random>.dll
c:\Documents and Settings\Bleeping\Local Settings\Temp\<random>.exe
c:\Documents and Settings\Bleeping\Local Settings\Temp\<random>.dll
c:\Program Files\Internet Explorer\<random>.exe
c:\Program Files\Internet Explorer\<random>.dll
c:\WINDOWS\<random>.exe
c:\WINDOWS\<random>.dll
c:\WINDOWS\system32\<random>.exe
c:\WINDOWS\system32\<random>.dll
c:\WINDOWS\system32\drivers\<random>.exe
c:\WINDOWS\system32\drivers\<random>.dll
Associated Virus Protector Windows Registry Information:
You may well be able to manually kill that thing without too much effort. Or, at least get it back to a place where you can work with it again :top:
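Marvin's suggestion in the two posts above (load the slaved drive's registry from the host, find what points at the directories in the file list, and delete only those files), worked through as an added example that is not code from the thread: this PowerShell script mounts the slaved drive's offline SOFTWARE hive and the user's NTUSER.DAT with reg.exe load (the command-line form of regedit's File > Load Hive), prints the Run, RunOnce and Winlogon Shell/Userinit values with each referenced file re-rooted onto the slaved drive letter so you can see whether it actually exists there, unloads the hives again, and then lists recently written .exe/.dll files in the drop directories from the list above. The drive letter D:, the profile name Bleeping and the 30-day window are assumptions. Two practical notes: regedit's Load Hive entry is only enabled while HKEY_LOCAL_MACHINE or HKEY_USERS is selected in the left pane, and reg.exe load fails in the same situations (hive in use by another tool, host session not elevated, hive file corrupt).

```powershell
# Added example, not from the original thread: triage the autostart footprint of
# a slaved XP system drive from the host OS, without booting the infected install.
# Hypothetical assumptions: slaved drive is D:, infected profile is "Bleeping"
# (the name used in the file list above), and the host runs this elevated.
param(
    [string]$Drive    = 'D:',
    [string]$Profile  = 'Bleeping',
    [datetime]$Since  = (Get-Date).AddDays(-30)   # only list binaries written recently
)

$win = "$Drive\WINDOWS"

# Offline hives to mount under HKLM: the machine SOFTWARE hive and the user's NTUSER.DAT.
$hives = @{
    'OffSOFTWARE' = "$win\system32\config\software"
    'OffUSER'     = "$Drive\Documents and Settings\$Profile\NTUSER.DAT"
}

# Autostart locations to read. Shell and Userinit under Winlogon are what start
# the desktop; a hijacked value there gives a blank desktop with no Explorer.
$autostart = @(
    'HKLM:\OffSOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OffSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OffSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\OffUSER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OffUSER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Drop directories from the thread's file list (<random>.exe / <random>.dll).
$dropDirs = @(
    "$Drive\Documents and Settings\$Profile\Application Data",
    "$Drive\Documents and Settings\$Profile\Local Settings\Temp",
    "$Drive\Program Files\Internet Explorer",
    $win, "$win\system32", "$win\system32\drivers"
)

function Resolve-OfflinePath([string]$Value) {
    # Hive values were written for the infected OS's own C:; re-root them onto the
    # slaved letter. Quoted path -> the quoted part; Userinit-style -> part before ','.
    if ($Value -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = $Value.Split(',')[0].Trim() }
    if (-not $exe) { return $null }
    if ($exe -match '^[A-Za-z]:') { return $Drive + $exe.Substring(2) }
    if ($exe -notmatch '\\')      { return Join-Path $win $exe }   # bare name such as Explorer.exe
    return $exe
}

$loaded = @()
foreach ($name in $hives.Keys) {
    & reg.exe load "HKLM\$name" $hives[$name] | Out-Null
    if ($LASTEXITCODE -eq 0) { $loaded += $name }
    else { Write-Warning "Could not load $($hives[$name]) (not elevated, hive in use, or hive corrupt)" }
}

try {
    foreach ($key in $autostart) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not registry values
            if ($key -like '*Winlogon' -and ('Shell', 'Userinit') -notcontains $p.Name) { continue }
            $onDisk  = Resolve-OfflinePath ([string]$p.Value)
            $present = if ($onDisk) { Test-Path $onDisk } else { 'n/a' }
            '{0}\{1} = {2}   [on slaved disk: {3}]' -f $key, $p.Name, $p.Value, $present
        }
    }
}
finally {
    [GC]::Collect()   # drop provider handles so reg.exe can unload the hives
    foreach ($name in $loaded) { & reg.exe unload "HKLM\$name" | Out-Null }
}

# Recently written executables in the drop directories. Cross-check against the
# autostart output above before deleting anything; a wrong deletion breaks the OS.
foreach ($dir in $dropDirs) {
    Get-ChildItem -Path "$dir\*" -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Since } |
        Select-Object FullName, LastWriteTime, Length
}
```

Delete a file only when an autostart value points at it and it is not a Windows binary; on a stock XP install the Winlogon Shell value is Explorer.exe and Userinit is C:\WINDOWS\system32\userinit.exe, (with the trailing comma), so if those have been changed, restore those exact values with the hive loaded rather than deleting them. This also explains why a scanner run from the host can miss the infection: unless the scanner explicitly loads the slaved hive as this script does, it is reading the host's own registry.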
Group: Members
Posts: 119
Member No.: 12,725
Joined: February 04, 2009
Marvin, are you saying that I should delete these files? I do not remember seeing files that were named that. Anyway, I will look again. You want to come into my computer and take a look after I reconnect this hard drive? I have XP Pro and we can use Remote Desktop. I know you probably do not have time, but just a thought. Let me know and I will connect this thing and we can take a look. Like I said, it is no big deal but I do not like to be beat. Tom
Group: Admin
Posts: 8,439
Member No.: 1
Joined: September 23, 2002
Hi Tom;
You should delete the appropriate files - but only the right ones :top:
Remote Desktop is intriguing - the one thing that tends to bug me about it is that typically the person I'm connecting to usually has a firewall running and it takes forever for them to figure out how to open it up to allow an RA session. That usually adds a lot of time to something which would otherwise be simple. Bandwidth is another issue - do you have enough? Hopefully you're not on dial-up or something like that.
The first question I have though, is did you follow the steps in the second link I posted about using MalWare Bytes to fix the issue?
The reason I ask is that I don't think you're going to find any easy way to remotely open the required registry keys on the other drive.
Group: Members
Posts: 119
Member No.: 12,725
Joined: February 04, 2009
Last Result: Download Speed: 23862 kbps (2982.8 KB/sec transfer rate), Upload Speed: 1913 kbps (239.1 KB/sec transfer rate)
I am fast here. I did run Malwarebytes. I did it three times and did the full scan. It found many things and said it fixed them. I still cannot get to the desktop. I also tried earlier to run System Restore from the command prompt and it went through the motions and came back to the same thing. I even tried several dates and months and none of them worked, even though it said it did. I looked around on this hard drive while connected to mine and I see they had Trojans back in October. I have tried every way I know to find that product key so I can just reformat, but I cannot get it. I used several programs to find the key and they keep just finding mine. I do not know what I did, but now when I try to edit the registry using this ("To edit the registry on a slaved drive, in regedit, click File, Load Hive"), Load Hive is grayed out. It worked last night. I have re-ghosted my computer several times after slaving this drive, to be on the safe side. Now the last time I ran Ghost on my computer I get this when I check the View Log of Ghost: Task-Restore Start Time 3/04/2010 Status-Failure. I have kept messing with this infected drive until I think I messed up mine. I thought Ghost would bring it back because I made a backup just before I started doing all of this. Oh well, back to the drawing board. If you want to come in and look we could always use zolved.com. I have used it many times; it punches right through the firewall and is much easier for most people to configure. Let me know.
Group: Admin
Posts: 8,439
Member No.: 1
Joined: September 23, 2002
Hi Tom;
I don't really want to get involved in it (at least directly). The only time I do virus recovery is when I'm getting paid for it and I charge quite a bit :D
Have you tried SmitFraudFix? It's designed to go after the Zlob infection family (and that's what you got) :)
Group: Members
Posts: 119
Member No.: 12,725
Joined: February 04, 2009
Marvin, I have been using Norton Ghost 2003 version 2003.775. Now I have read that that version will not work correctly when ghosting SATA drives. I should have updated it to 2003.793. I think that is the reason I got the failure when I ran Ghost. I have been using this version of Ghost for years but never knew that I needed to update it because of SATA drives. I know now. What I would always do is make a Ghost image and then I could test anything I wanted without fear of corrupting my drive; I always just ran Ghost after I was through. Well, I should have read about this. Now, because I was playing around with this slaved infected drive, I believe I have messed up mine. I just thought I was protected with my Ghost. My XP seems fine, but little things will probably crop up later, being my Ghost view log says Failure. We learn something every day. Tom
Group: Members
Posts: 119
Member No.: 12,725
Joined: February 04, 2009
Marvin, by no means did I want you to get involved. This hard drive can be reformatted very easily. I just wanted to see if I could fix it for a learning experience. This old computer that this drive came out of is not really worth even messing with. I am a firm believer that when someone gets infected like this it is much, much quicker to wipe it and reload. I can slave a drive and copy and paste most anything someone needs. I have plenty of backups to do this with. I can almost bet that virus files will be left hanging around even when someone gets rid of them. Sorry to have bothered you with this very minor problem. Tom
Group: Admin
Posts: 8,439
Member No.: 1
Joined: September 23, 2002
Hi Tom;
I wouldn't worry about that too much - as long as you can get into the O/S XP is pretty darn resilient :top:
My neighbor's computer had a wicked infection last year. There were multiple viruses and they took out the registry editor, system restore and an entire section of the O/S! It did some interesting damage to the Windows Updates side of the computer....
It was quite interesting because every tool I would normally use to manually extract the virus was removed or disabled by the virus :o I found it to be a well-designed infection B)
I was able to get the infections out using various software listed in the Spyware section (that took about 1.5 hours). After that I was able to re-build the system, without re-installing, primarily by using the System File Checker and doing some manual work. I did have to do some interesting work on the Windows Updates side of things - even after SFC it still wouldn't work. The good news is that someone at Microsoft wrote a script to completely re-register all .dlls used by Windows Update and once I found that script I had it back up and working.
I was quite shocked by how the O/S came back. It was crippled - but it all came back. Mind you, I was able to access the O/S.
I never use Ghost as I use disk-based backups for the entire network. They're done every day so I can always come back from the grave (so to speak).
Group: Admin
Posts: 8,439
Member No.: 1
Joined: September 23, 2002
QUOTE (jerkputter @ March 06, 2010 07:56 pm)
Marvin, by no means did I want you to get involved. This hard drive can be reformatted very easily. I just wanted to see if I could fix it for a learning experience. This old computer that this drive came out of is not really worth even messing with. I am a firm believer that when someone gets infected like this it is much, much quicker to wipe it and reload. I can slave a drive and copy and paste most anything someone needs. I have plenty of backups to do this with. I can almost bet that virus files will be left hanging around even when someone gets rid of them. Sorry to have bothered you with this very minor problem. Tom
Not at all Tom - I agree with the learning side, I actually had some fun with that infection I mentioned earlier. Certainly I learned a lot from it about XP and its resiliency :top:
You're no bother - I was just thinking that it should have worked with respect to MalWare bytes. Once you can get back into the O/S it's not that hard.
For instance, if you could get back into the O/S you could post up a HiJackThis logfile and it would have been quite simple (relatively speaking) to then guide you to increasing levels of success until it was done.
I wonder if the issue with MalWare Bytes (and even the others) is that the drive is not the boot drive. It's just a guess but maybe their virus detection routine requires both an infected registry and the appropriate files.
What I'm getting at is this - perhaps what MalWare Bytes is doing is scanning your registry (as opposed to the infected one) and consequently not cleaning it or detecting all the infected files.
It's just a thought but there must be a reason it's not getting cleaned when really it should.
If that assumption is correct (or has merit) then perhaps the best thing a guy could do is use a virus scanner that runs off a boot CD. If you re-installed the infected drive into the infected computer and then boot the CD and ran the scan it may well make a difference and get you back up and running.
Group: Members
Posts: 119
Member No.: 12,725
Joined: February 04, 2009
It sure looks as if the operating system is trashed. I now get this: "Windows could not start because the following file is missing: windows\system32\config\system". I tried to do a repair and after I hit the F8 key the REPAIR option is not listed. I was able to use the internet while the boot CD was in, but Linux is new to me. I also was not able to scan for viruses. It would load the updates and start to scan and then it would go off the page. I also tried to run the keyfinder program and it would not work. I do not have a clue how the registry got corrupted unless the nasty virus did it. Anyway, I think I am through with this one until the person gets me a legal copy of Windows. Sometimes we try and lose. I lost, I guess. Thanks for your time. If by chance you have any more tips, I still have time before I wipe it. Tom
Group: Admin
Posts: 8,439
Member No.: 1
Joined: September 23, 2002
Hi Tom;
I would use the Kaspersky rescue disk - it has a graphical point & click interface :top: If memory serves, it's also one of the best AV programs out there :top: