Dear Virus Protector Victims,
A friend of mine recently became infected with this malware and it truly did a number on his system. It exhibited all of the symptoms above and disabled many of the services that the computer uses to transfer information (Ex: external USB/internet), making it difficult to acquire Malwarebytes' software to cleanse the system. Normal, Safe Mode, and Safe Mode with Networking were all affected. I discovered a way to bypass any of the following: removing the internal hard drive and using a clean system; performing a complete system format/re-installation; loading from a System Restore point that may have undesirable results. My tutorial simply removes the malware and fixes the damage done.
OS affected: Windows Vista Home Premium (base installation, neither Service Pack 1 nor 2)
ATTENTION: The following tutorial only works with Windows Vista. Attempting to apply these steps to an infected Windows XP OS will not work.
Here are the steps that I performed to do so:
1) Boot the system normally and login to the system. The Virus Protector will start and flood your screen with all the jargon it's known for.
2) Press 'WindowsKey+U' to open the Utility Manager window. This window gives you access to the root structure of the hard drive via the navigation edit box up top. Note: VP will prevent access to the Registry, Task Manager and the Internet, so don't bother.
3) Navigate to your System32 folder located under the Windows installation folder (Generally: c:\windows\system32\). Run "msconfig.exe" located in the System32 directory.
4) Under the "System Configuration Utility" you want to do the following:
a) Under the "Services" Tab, click "Enable All".
b) Under the "Startup" Tab, click "Disable All".
c) Under the "General" Tab, select the "Selective Startup" with the only sub-option checked: "Load System Services"
d) Under the "Boot" Tab, check "Safe boot" leaving the "Minimal" option as the only sub-option selected.
5) Click "OK" in the "System Configuration Utility" and upon exiting a dialog will pop-up and ask if you wish to restart the system. Click "Restart Now". Note: You DO NOT have to hit F8 anymore to select "Safe Mode with Networking".
6) The system will boot into the selective Safe Mode and the Virus Protector will continue to load at this time. BUT, press 'WindowsKey+U' to open the Utility Manager window again. Use the navigation edit box above and type in "http://www.malwarebytes.org/".
You now have access to the internet! YAY!
7) I chose to go to Malwarebytes' website and download the free edition of their Malwarebytes' Anti-Malware program. You should do the same, and go ahead and click "Run" when clicking to download.
8) When it finishes downloading, the program will run and proceed to update its database with the most current version. Run a "Full System Scan"; the program may state that it is going to fix access to the registry, click to continue and it will run the scan. Note: Virus Protector had infected files located outside the search scope of Malwarebytes' Quick Scan.
9) Once the program's scan is complete, delete all the infected files discovered. You may close the program.
10) Press 'WindowsKey+U', navigate to the System32, and launch "msconfig.exe" as described above.
a) Under the "Boot" Tab, deselect "Safe boot".
b) Under the "General" Tab, select "Normal Startup"
11) Click "OK" and choose to reboot.
12) The system will reboot into Normal mode and you will discover that the Virus Protector is now gone. BUT, your Task Manager and Registry are still disabled. First we need to gain access to the registry (a.k.a. "regedit.exe"):
a) I used "Symantec's | Tool to reset shell\open\command registry keys" inf-file, located at "http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99".
b) Download this inf-file to your Desktop. Right-click the inf file and choose "Install". This will re-enable your registry.
Note: I chose this tool because I believe this may have fixed other problems besides the registry.
13) Re-activate the Task Manager (a.k.a. "taskmgr.exe"):
a) Press 'WindowsKey+R' to bring up the "Run" dialog.
b) Enter this string exactly as provided, "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f"
Note: Don't include the quotations :)
14) You now have removed Virus Protector and re-enabled all disabled system functions.
a) Update/Install Virus protection software
b) Run Windows Update and download all Service Packs and Critical Updates available.
c) Run "msconfig.exe" once more and go to the "Startup" Tab. Select the programs you wish to load at startup.
If there is any missing information that I have not provided please let me know and I will append it to this tutorial.
Edited by Digitalcherub, 08 March 2010 - 08:39 PM.
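As an added example that is not part of the original post (nor the Symantec tool it links), the following PowerShell script audits and optionally repairs the settings that steps 12 and 13 above restore by hand: the DisableTaskMgr and DisableRegistryTools policy values (checked under both HKCU and HKLM, since either location blocks the tool) and the HKCR\exefile\shell\open\command handler that the shell\open\command reset fixes. It assumes PowerShell is installed on the Vista machine (it is not part of a base install, which is why the post uses REG.exe from the Run dialog) and that it is run from an elevated prompt; the -Repair switch is introduced here for this script, and without it the script only reports.

```powershell
# Added example, not the original poster's procedure. Audits the registry
# damage a rogue "antivirus" typically leaves behind and repairs it on request.
# Usage:  .\Repair-RogueAVDamage.ps1           (report only)
#         .\Repair-RogueAVDamage.ps1 -Repair   (report and fix; run elevated)
param([switch]$Repair)

# 1 = tool blocked, 0 or absent = allowed. HKLM copies also apply to all users.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
)

foreach ($c in $policyChecks) {
    $val = $null
    if (Test-Path $c.Path) {
        $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    if ($val -eq 1) {
        Write-Host "BLOCKED: $($c.Path)\$($c.Name) = 1"
        if ($Repair) {
            # Same effect as the REG add line in step 13, for each location.
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord
            Write-Host "  -> reset to 0"
        }
    } else {
        $shown = if ($null -eq $val) { '<absent>' } else { $val }
        Write-Host "ok: $($c.Path)\$($c.Name) = $shown"
    }
}

# 2. The .exe association. Rogue AV families hijack exefile\shell\open\command so
#    that every program launch (including cleanup tools) runs through their binary.
#    Stock Windows values: HKCR\.exe (default) = exefile, and the open command
#    below = "%1" %*  (quoted target path followed by its arguments).
$assocChecks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Expected = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Expected = '"%1" %*' }
)

foreach ($a in $assocChecks) {
    $current = $null
    if (Test-Path $a.Path) {
        $current = (Get-ItemProperty -Path $a.Path -ErrorAction SilentlyContinue).'(default)'
    }
    if ($current -ne $a.Expected) {
        # Anything other than the stock value is worth reading before you reset it:
        # it usually names the malware's executable, which is useful for cleanup.
        Write-Host "HIJACKED: $($a.Path) (default) = '$current' (expected '$($a.Expected)')"
        if ($Repair) {
            if (-not (Test-Path $a.Path)) { New-Item -Path $a.Path -Force | Out-Null }
            Set-ItemProperty -Path $a.Path -Name '(default)' -Value $a.Expected
            Write-Host "  -> restored"
        }
    } else {
        Write-Host "ok: $($a.Path) (default) = '$current'"
    }
}
```

Run it once without -Repair first and read the reported values: the hijacked open-command string points at the malware's own executable, which tells you what Malwarebytes should have removed. The exefile repair does the same job as the Symantec .inf in step 12, so if that file is unavailable this script is a substitute for that step; the policy resets cover step 13 for both the current user and the machine-wide location.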