View Full Version : How To Remove Virusprotect Or Virus Protect (removal Instructions)

How to remove VirusProtect or Virus Protect (Removal Instructions)
What this programs does: VirusProtect, which was originally called VirusProtectPro, is a rogue anti-spyware (http://spywarewarrior.com/rogue_anti-spyware.htm) program installed via Zlob infections. VirusProtect is installed via a type of Trojan infection called Zlob Trojans which masquerade as video or audio codecs required to view a movie or listen to a audio file. In reality, though, these Trojans instead install VirusProtect as well as other malware on to your computer without permission. When the Zlob Trojan is launched on your computer, it will automatically download and install Virus Protect. When VirusProtect has finished downloading and is installed, it will automatically launch and start a scan of your computer. This scan will provide exaggerated or false results and state that the only way to clean these "infections" is to purchase the commercial version of the software. They do this purely as a way to scare you into purchasing the full commercial version of their software. Needless to say, you should not purchase VirusProtect. A screenshot of VirusProtect and VirusProtectPro can be found below.
VirusProtect Screenshot

VirusProtectPro Screenshot

Another byproduct of the Zlob Trojans are that you will see fake security alerts in your Windows taskbar saying there is a problem with your computer or that you are infected. Once again these alerts are false and are only being used as a scare tactic. When you click on the alert, it will automatically launch VirusProtect and do a scan. The current text of the fake security alert is:

System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date anti-spyware solution. An example of the fake alert is shown below:

VirusProtect Fake Security Alert

Download SmitfraudFix.exe from here and save it to your desktop:

SmitFraudFix.exe (http://www.bleepingcomputer.com/files/smitfraudfix.php)Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below:


Next, please reboot your computer into Safe Mode (http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/) by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
When you are at the logon prompt, log in as the same user that you had performed the previous steps as.

Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.

Your computer should now be free of the VirusProtect infection. If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log (http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/)

Scroll through the list of files in this folder and look for fftktmk.dll. Right-click on fftktmk.dll and select rename. Rename the file to fftktmk.dll.bad.

Look for the file ucmbegr.dll and rename the file to ucmbegr.dll.bad

Look for the file moywh.dll and rename the file to moywh.dll.bad

Look for the file wygomd.dll and rename the file to wygomd.dll.bad

Look for the file rldyt.dll and rename the file to rldyt.dll.bad

Look for the file chzbi.dll and rename the file to chzbi.dll.bad

Look for the file ymmzwd.dll and rename the file to ymmzwd.dll.bad

Look for the file ivrllc.dll and rename the file to ivrllc.dll.bad

Look for the file zcwlnic.dll and rename the file to zcwlnic.dll.bad

Look for the file ncrjf.dll and rename the file to ncrjf.dll.bad

Look for the file uglgs.dll and rename the file to uglgs.dll.bad

Look for the file tvtpwp.dll and rename the file to tvtpwp.dll.bad

Look for the file wowlze.dll and rename the file to wowlze.dll.bad

Look for the file cjuvwa.dll and rename the file to cjuvwa.dll.bad

Look for the file gnjsjc.dll and rename the file to gnjsjc.dll.bad

Look for the file ezzhjmt.dll and rename the file to ezzhjmt.dll.bad

Look for the file fsehfcu.dll and rename the file to fsehfcu.dll.bad

Look for the file qhcvdw.dll and rename the file to qhcvdw.dll.bad

Look for the file axdpfl.dll and rename the file to axdpfl.dll.bad

Look for the file svxmhpz.dll and rename the file to svxmhpz.dll.bad

Look for the file ofcpi.dll.dll and rename the file to ofcpi.dll.dll.bad

Look for the file iinqyl.dll and rename the file to iinqyl.dll.bad

Note: Please rename any of the above files that you may find. If you do not find any of these files, then you should post a note about it in the Am I Infected? (http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/) forum.