My mate has managed to get his comp infected with a brand new virus and I'm trying to sort it out. Even booted in Safe Mode, it has made so many changes: can't see programs on start menu, can't see any files or folders even in DOS, can run System Restore but it doesn't do anything, wouldn't let me install Java (needed for online scan) logged in as Administrator. Absolutely ****ed. Have left it running House Call full system scan, have to walk the dogs now. Any suggestions on how to proceed would be gratefully received. PS: If you get an email from Fedex containing a shipping document, don't open it!
You mean reinstalling Windows? Probably will have to but need to rescue stuff from comp first, it's his business computer with several years of accounts, etc on it. It's Windows XP.
Sounds like the System Restore virus; it hides files in the start menu and everywhere. When you run System Restore, does it ask for an activation key?
Delete System Restore files:
%LocalAppData%\
%LocalAppData%\.exe
%LocalAppData%\~
%LocalAppData%\~
%StartMenu%\Programs\System Restore\
%StartMenu%\Programs\System Restore\System Restore.lnk
%StartMenu%\Programs\System Restore\Uninstall System Restore.lnk
%Temp%\smtmp\
%Temp%\smtmp\1
%Temp%\smtmp\1
%Temp%\smtmp\2
%Temp%\smtmp\3
%Temp%\smtmp\4
%UserProfile%\Desktop\System Restore.lnk
Delete System Restore registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" =
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"
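A read-only way to check a machine against the registry values listed in the post above, added here as an example and not part of the thread: it parses the text of a registry export and reports values that match the list, plus anything under the Run key for manual review. The sample export, the `ExampleUpdater` name and its path are constructed, and the function names are this example's own.

```python
import re

# Value name -> (key suffix, data) from the post above; hive root dropped so HKCU and HKLM both match.
CV = "microsoft\\windows\\currentversion\\"
WATCHLIST = {
    "disabletaskmgr": (CV + "policies\\system", "1"),
    "nodesktop": (CV + "policies\\explorer", "1"),
    "nochangingwallpaper": (CV + "policies\\activedesktop", "1"),
    "hidden": (CV + "explorer\\advanced", "0"),
    "showsuperhidden": (CV + "explorer\\advanced", "0"),
    "certificaterevocation": (CV + "internet settings", "0"),
    "warnonbadcertrecving": (CV + "internet settings", "0"),
    "checkexesignatures": ("microsoft\\internet explorer\\download", "no"),
}
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def normalise(data):
    data = data.strip()
    if data.lower().startswith("dword:"):   # dword:00000001 -> "1"
        return str(int(data[6:], 16))
    return data.strip('"').replace("\\\\", "\\")  # undo .reg escaping

def scan_reg_export(text):
    """Return (key, value, data, reason) for each entry worth reviewing."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                # start of a new key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data, low = m.group(1), normalise(m.group(2)), key.lower()
        suffix, bad = WATCHLIST.get(name.lower(), (None, None))
        if suffix and low.endswith(suffix) and data.lower() == bad:
            findings.append((key, name, data, "matches value listed in thread"))
        elif low.endswith(CV + "run"):
            findings.append((key, name, data, "autorun entry: check target file"))
    return findings

# Constructed sample export (not taken from the infected machine).
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Example\\placeholder.exe"
'''
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so decode the file with that encoding before passing its text to `scan_reg_export`.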
Sounds to me like you have a glitch with the di-lithium crystals. What to do is disenfranchise the regulator and perform a multilateral sweep of the coabis files and then reinstate the nebulus using the multifunctional tricorder. Any problems give me a shout.
No, it doesn't ask for a key; it lets me select a restore point, then when I click "Next", nothing happens. Cheers for the registry entries, I'll have a look at those when I'm back there.
If this is the System Restore you are seeing then that is the problem. You can use Malwarebytes to remove it if you don't want to do it manually. If it's none of these then I don't know.
Eddie, it's not a fake system restore virus, it's a virus that has disabled system restore as well as pretty much everything else. Check the link in the OP, it's brand new, most AV software doesn't recognise it, that's why I'm asking you guys because there is zero information out there about how to undo the damage.
Take it to PC World with the octopus sex images and do porridge for Aquariality or bin your computer like that Ginge off News of the World done...
Kick the daft **** in the baws for opening attachments on an unsolicited email. If it's a virus that has infected and continues to infect executable files on your disk then you either have to find a virus scanner that can detect it, or re-install the OS.
If it's a trojan you'll have to track it down the hard way. Go through your processes in task manager and isolate the trojan's process(es) by googling the names of each process. This will leave you a list of processes you consider dangerous. Locate where each process on your list is stored on the hard drive and write a batch file to delete them. Don't execute it yet. Do a registry search to locate all keys/data that mention the process names on your list. Write a regedit file that will delete those keys/data. Don't execute it yet. Add any files pointed at by the keys you will delete to your batch file for deletion.
Boot into safe mode. Using task manager end all the processes on your list. Execute your batch file. Execute your regedit file. Reboot. If the trojan is back upon normal reboot, you missed something. Either a process and/or registry entry or data file used by the trojan. Repeat the whole thing until the trojan is gone when you reboot, then run system restore.
It may be simpler to just re-install the OS. In short, boot him in the baws and re-install the OS. Boot him in the baws again when he tells you he hasn't backed up his own data. Boot him in the baws and re-install the OS anyway. That will teach the dumb ****.