Can't get rid of Virus protector malware

DELL Dimension 3100
Windows XP SP3
The computer is plagued with the Virus protector. I ran avast BART CD which found 539 items that it detected to be malicious. I removed them. When I started up the computer the Virus protector is still there!

According to bleepingcomputer.com it suggested to run Malwarebytes.
The problem is that I can't run Malwarebytes. The Virus protector will not allow me to gain access to the computer. Not even in safe mode. The only way that I can run Malwarebytes is to take the drive out of the computer, place the HD into a hard drive enclosure, attach it to a computer that has Malwarebytes installed and run Malwarebytes against that HD enclosure.

If someone knows of an easier way of handling this please let me know!
Thanks!
Elton Brown Asked:

Kruger_monkey Commented:
The following items will help you clean up your pc - there was a post 2 weeks back with a similar problem on here and the below is what I posted and seemed to fix it..

Download all of the following, reboot into safe mode and starting with Drweb run/install each in the order listed.  I've included links to the definitions which will overcome the lock that these things place on program updates.

http://www.freedrweb.com/cureit/?lng=en

http://www.superantispyware.com/download.html  - main application - once installed deselect automatically update definitions.  Install the file below instead.
http://www.superantispyware.com/definitions.html  - sas definitions,

http://mbam.malwarebytes.org/database/mbam-rules.exe  - malwarebytes definitions.

Between these 3 items I've been able to clean loads of infections.

Reboot into safe mode, run drweb cureit (don't worry about updates) this should pick up most of the stuff.  Reboot, and go back into safe mode, run dr web again. If the same file comes up again, make a note, you will possibly have to replace it.

Install superantispyware and its associated definitions and run a quick scan.

Again reboot and go back into safe mode.

Install malwarebytes definitions and run a scan.  After that repeat all in normal mode.  Generally after that you will be spyware free. Although you may have to reset some file associations.  In which case see this link.

http://www.dougknox.com/xp/file_assoc.htm

The above will hopefully help you sort out all the problems.
Kruger_monkey Commented:
Ah found the post, there are some other suggestions in there, but I've found the above to be largely sufficient in most cases.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_25518708.html
Elton Brown (Author) Commented:
Thank you Kruger_monkey for the fast response!
I never heard of the Cureit software - Thanks!

When I go into >safe mode< I can't get to the prompt. I can't even get the run box. I can't do anything.

My question is: How can I run the cleaners above if Virus protector continues to lock me out even in Safe mode?
Snibborg (Owner) Commented:
Try creating an Ultimate Boot CD.  Boot from that and have Malwarebytes close to hand on a thumb drive.
Kruger_monkey Commented:
In safe mode can you not even browse with explorer/my computer?  Sneaky virus that one.

As above, get a boot cd and put the necessary tools on a USB stick and try it that way.  Failing that, can you start safe mode command prompt only?  If you can, you should still be able to cd to the location for drweb and then run it from there.

You could also check the following reg key for suspicious items, (if it will let you into regedit)
HKLM/software/microsoft/windows/run = >  If regedit won't work, try renaming it to something else, fixedit etc and try that.

Thomas Zucker-Scharff (Solution Guide) Commented:
Have you tried using a boot disk instead?  I suggest UBCD or UBCD4Win (the latter has to be built while the former is a prebuilt ISO).  There are instructions for building the CD in the article below and there is a link to a listing of prebuilt boot disks.

http://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

NOTE: the UBCD4Win boot disk has everything you need already on it.  While you build it you update the virus definitions/malware defs.
optoma Commented:
Can you download Hitmanpro onto USB stick>can run from usb stick/network share

Hold down on left CTRL key and open Hitmanpro

Try in normal mode or safe mode with networking
http://www.surfright.nl/en/hitmanpro
Elton Brown (Author) Commented:
>>>Update<<<

I have removed the hard drive from the Dell Dimension 3100. I have placed the hard drive into an HD enclosure, connected it to another computer that has Malwarebytes installed, and am running Malwarebytes against the HD enclosure.
So far Malwarebytes has found 14 objects infected. I hope Malwarebytes grabbed hold of the >Virus Protector< malware. It has really given me a headache!
Once Malwarebytes completes its scan and since I have it in the HD enclosure I might as well run a few more scanners such as:
Superantispyware
Cureit
Hitman Pro

I've already run AVAST, avast BART CD and AVG rescue CD
Then I will run HijackThis to see if anything nasty is left behind.
optoma Commented:
Just get hold of the scanner logfiles in case machine won't boot afterwards, depending on what was removed!

Hitmanpro will have to be run when drive is back in own system.
Also re-run Mbam
Elton Brown (Author) Commented:
OK after several passes of:

SuperAntiSpyware
TrojanHunter
Malwarebytes
Spyware Doctor
avast BART CD (updated)

I am able to boot, get to the wallpaper and if I wait long enough I will see the screen saver. But I don't have any Icons on the desktop nor do I have a task-bar. I am so close (I think) to getting this OS going again... No more Virus protector I think. It has not reared its ugly head!

How do I restore the Icons and task-bar?

Thanks!
optoma Commented:
Try Hitmanpro
Can you bring up a run box or task manager?

Also run Exehelper>ignore AV warning on this file>false positive!
http://raktor.net/exeHelper/exeHelper.com
c_a_n_o_n Commented:
If your system is/was infected with a pest, malware, trojan, or virus your system will behave unexpectedly.  The best method to attempt resolution is to completely rule out the operating system by bypassing it.  To do so, you will need a rescue CD.  There are several that are out there, you might be able to create one, there are instructions and sites that can assist with that.  But the easiest way is to use a product that is FREE, and I have used successfully for several of my clients and on many workstations.

BitDefender (FREE Downloadable Rescue CD).  Available Here.
http://download.bitdefender.com/rescue_cd/

Instructions on the product.
http://www.bitdefender.com/KB417-en--Using-the-BitDefender-Rescue-CD.html

Hope this helps.

PS.  This may sound like a "canned" response, it just might be.  However, it is the easiest and most effective method to resolve a situation like this.
rpggamergirl Commented:
Can you bring up task manager via Alt + Ctrl + Delete?
If so, then on the File menu > New Task(Run...)
and type:

explorer.exe

and see if explorer will load.
Also check if regedit runs, bring up task manager, File > New Task(run...)
type in:

regedit

and navigate to this key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

If explorer.exe is listed as a subkey, delete it.
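The two registry checks suggested in this thread (the Run autostart entries and the Image File Execution Options key) can also be made from the helper computer while the infected drive is still in the enclosure. The PowerShell script below is an added example, not code from any poster: it loads the drive's offline SOFTWARE hive and lists what is there without changing it. The drive letter `E:`, the temporary key name `OfflineSW` and the backup file name are assumptions, the autostart location used is the standard `Microsoft\Windows\CurrentVersion\Run` key, and it needs an elevated PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of an OFFLINE XP SOFTWARE hive from a clean PC.
# Assumed: infected disk mounted as E:, elevated PowerShell 3.0+, names below.
$HivePath  = 'E:\WINDOWS\system32\config\software'   # assumed drive letter
$MountName = 'OfflineSW'                              # temporary key under HKLM
$Backup    = Join-Path $env:TEMP 'ifeo-backup.reg'    # assumed backup location
$IfeoSub   = 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger([string]$Root) {
    # A "Debugger" value makes Windows start that program instead of the image,
    # which is how an explorer.exe subkey can keep the desktop from loading.
    Get-ChildItem -LiteralPath "$Root\$IfeoSub" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dbg = $_.GetValue('Debugger')
            if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
            $_.Close()
        }
}

function Get-RunEntry([string]$Root) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = Get-Item -LiteralPath "$Root\Microsoft\Windows\CurrentVersion\$sub" `
                        -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $sub; Name = $name; Command = $key.GetValue($name) }
        }
        $key.Close()
    }
}

& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
try {
    # Export the key first so any later manual deletion can be undone.
    & reg.exe export "HKLM\$MountName\$IfeoSub" $Backup /y | Out-Null
    $ifeo = @(Get-IfeoDebugger "HKLM:\$MountName")
    $run  = @(Get-RunEntry "HKLM:\$MountName")
    $ifeo | Format-Table -AutoSize
    $run  | Format-Table -AutoSize -Wrap
}
finally {
    # Release registry handles held by .NET, otherwise the unload is refused.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

An `explorer.exe` row in the first table corresponds to the subkey the answer above says to delete; rows in the second table whose command points at an unfamiliar file are the "suspicious items" to look into.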
Elton Brown (Author) Commented:
I was missing the taskbar and icons on the desktop. I decided to do an XP repair on the operating system. Before I performed an XP repair I tried to use Reimage on the computer but that process failed.

After using XP repair I was able to get the icons and taskbar back, and for the most part I had a functioning computer. All of the tugging and pulling of spyware and Trojans from that computer took its toll. It's a miracle that the computer comes up at all. Oh, by the way, I ran Malwarebytes this morning and pulled another 17 infected files from the computer.

Ran Windows updates without any significant problems. All of the updates were installed successfully. I think there were about 57 Windows updates. I am going to run the Bit Defender Rescue CD. Followed by Hitman Pro. The OS stands at XP SP2.
crzyivan0000 Commented:
Never had a problem with the combofix.org link (out of  the 100's of times I've used it) but that's fine with me.
sb7785 Commented:
In addition to the other great suggestions posted; if they all fail, try creating a bootable antivirus CD. If that doesn't fix it, then you've got some serious problems. It's always good to keep on hand at anytime:
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Q_25347695.html 
http://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html
Elton Brown (Author) Commented:
Thank you for all your help! After all of the cleaning, including using combo fix, I think the machine is well again! What a journey!