
Saturday, January 11, 2014

How to remove Windows Virtual Protector (Rogue)

Alright, there's a new rogue making the rounds today. It's called Windows Virtual Protector. And here's how to remove it.

For those of you who do not know, a rogue antivirus program is a piece of malware that pretends to be an antivirus program. It then pretends to scan your computer and reports threats that are not actually there. Its only purpose is to get you to purchase it.

Step #1: Reboot your computer. As soon as you see anything on your screen, press the F8 key.

Step #2: On the boot menu, choose Safe Mode with Command Prompt.

Step #3: Once the computer has started up, in the command prompt window, type in regedit and press enter.

Step #4: On the left side of the new window, navigate to the following location: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\

Step #5: Highlight Winlogon.

Step #6: Double-click Shell, clear the entry data, and replace it with "explorer.exe" (without quotes).

Step #7: Run explorer.exe.

Step #8: Navigate to %appdata% and delete guard-xxxx.exe. (Please note that the "xxxx" part may be just a random string of letters.)

Step #9: Reboot into regular mode.
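Steps 4 through 8 can be checked from a PowerShell prompt instead of clicking through regedit. The following script is an added example written for this post, not something from the original article or from any vendor: it reads the per-user Winlogon Shell value, reports whether it still points at explorer.exe, restores it only when the assumed -Restore switch is given (saving the hijacked value first so it can be looked at later), and lists any guard-*.exe files under %APPDATA% without deleting them. The switch name and the backup file location are choices made for this example.

```powershell
# Added example (not from the original post): inspect and optionally restore the
# Winlogon Shell value described in steps 4-6, and look for the guard-*.exe file
# from step 8. Run it in the affected user's PowerShell session (e.g. from the
# Safe Mode command prompt by typing: powershell -File .\check-shell.ps1).
param(
    [switch]$Restore   # assumed switch name; only rewrites the value when present
)

$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Read the per-user Shell value. On a clean machine this value is normally absent
# (Windows then uses the machine-wide default, explorer.exe), so treat "absent" as clean.
$item  = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
$shell = $null
if ($item -and $item.PSObject.Properties['Shell']) { $shell = $item.Shell }

if (-not $shell -or $shell.Trim().ToLower() -eq 'explorer.exe') {
    Write-Output "Shell value is clean: '$shell'"
} else {
    Write-Output "Shell value has been hijacked: '$shell'"
    if ($Restore) {
        # Keep a copy of the hijacked value before overwriting it, so the path of the
        # rogue executable is not lost when the value is reset.
        $backup = Join-Path $env:TEMP 'winlogon-shell-backup.txt'   # assumed location
        $shell | Out-File -FilePath $backup
        Set-ItemProperty -Path $winlogon -Name 'Shell' -Value 'explorer.exe'
        Write-Output "Shell restored to explorer.exe (old value saved to $backup)"
    }
}

# Step 8: the post says the suffix after "guard-" is random, so match on the prefix
# only and report what is found rather than deleting automatically.
$suspects = Get-ChildItem -Path $env:APPDATA -Filter 'guard-*.exe' -File -ErrorAction SilentlyContinue
if ($suspects) {
    foreach ($f in $suspects) {
        Write-Output ("Found: {0}  {1} bytes  modified {2}" -f $f.FullName, $f.Length, $f.LastWriteTime)
    }
} else {
    Write-Output "No guard-*.exe found in $env:APPDATA"
}
```

Running it without -Restore is a read-only check, which is useful for confirming the infection before touching the registry; the hijacked Shell value itself usually tells you exactly which file the rogue launches, so compare it with the guard-*.exe listing before deleting anything.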

Step #10: In order to make sure that your computer is fully cleaned, we will run Malwarebytes Anti-Malware. Download it here: http://www.malwarebytes.org/mwb-download/

Step #11: Run the Malwarebytes Anti-Malware installer and install it.

Step #12: Run a full scan. This may take some time depending on the number of files on your computer. So I suggest that you go do something else while you are waiting for the scan to finish.

This may be a good time to watch a 30 minute show you've been meaning to see, or finish that good book you have been reading that you just cannot seem to put down.

Step #13: Once the scan is done, click OK on the dialog box in order to see the results.

Step #14: Should it find anything, click Remove Selected and allow it to reboot your computer if it asks you to.

Step #15: Your computer should now be free of Windows Virtual Protector.

Like what I'm doing? Want to help keep my website ad-free? You can now donate to me via Bitcoin.
Wallet:
15TizPBxBGbbuE9RQmCLtoBtExWQZBeMcn

3 comments:

  1. Step #6: Double-click Shell and clear the entry data and replace it with "explorer.exe" (without quotes)

    What is "Shell"?

    1. Shell refers to a value name in the registry key we are dealing with when removing this.

      Generally, if the value data in Shell is set to explorer.exe, we get the taskbar, which we can then use to launch applications without having to use something such as Task Manager.

      By replacing the value data with itself, the rogue makes itself much harder to remove, because Task Manager is blocked and there is no easy way to launch any applications from normal Windows mode that would help get rid of this.

      Hope this answers you question.

    2. ^Hope this answers your question, that is.
