really bad virus....i need advice

[BrianG]

Quote:

Originally Posted by scarletboa

that's exactly what it is. the blue shield thing isn't visible after a few seconds after the program starts after start-up because it is soon replaced by those red shields with x's.


how did you combat it? my avira antivir couldn't detect it.

If it's called "Antivirus Live", this should kill it. This is what we used at work and it fixed all the computers with it.


1: Reboot the PC in safe mode: As soon as the PC gets beyond the BIOS POST screen, press the F8 key (maybe repeatedly). When a “DOS” menu appears, select “Safe Mode”. This step is needed to make sure the virus is not loaded into memory, which would make it impossible to remove otherwise.


2: Once you are able, log in as the user experiencing the issue. This virus can run under all users, but since most computers are operated by a single primary user, this issue is most likely confined to that user. If more than one user has been operating the machine, steps 3-7 must be repeated for each user.


3: Run Regedit: Click Start -> Run -> type “regedit” and hit “enter”.


4: It is advised to back up the registry hive affected, but I did not. If you wish to do so, highlight “HKEY_CURRENT_USER”, go to file, export, and save it.


5: Delete the following registry keys:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download -> “RunInvalidSignatures” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings -> ”ProxyOverride” = “”
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings -> “ProxyServer” = “http=127.0.0.1:5555″
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Associations -> “LowRiskFileTypes” = “.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Attachments -> “SaveZoneInformation” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run -> “[RANDOM CHARACTERS]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run -> “[RANDOM CHARACTERS]”

The virus program may not be listed in one of the last two entries above. It will definitely be in one place, but maybe both.


6: Remove the following files:

For Vista:
C:\ Users \ [user] \ AppData \ Local \ [RANDOM CHARACTERS] \
C:\ Users \ [user] \ AppData \ Local \ [RANDOM CHARACTERS] \ [RANDOM CHARACTERS]sysguard.exe
C:\ Users \ [user] \ AppData \ Local \ sysguard.exe

For XP:
C:\ document and settings \ [user] \ local settings \ Application Data \ [RANDOM CHARACTERS] \
C:\ document and settings \ [user] \ local settings \ Application Data \ [RANDOM CHARACTERS]sysguard.exe
C:\ document and settings \ [user] \ local settings \ Application Data \ sysguard.exe


7: Reboot the computer normally, log in as the user again, and check task manager for any questionable processes. Also open Internet Explorer and make sure other websites are available (Yahoo, rcm, etc).

[tashpop]

Quote:

Originally Posted by JThiessen

I assume you are referring to "system restore"? In the case of my daughters pc, it wouldn''t run System restore, even in Safe mode. Somehow, it disabled it.

yes you are correct, but like i said you have to first prevent the software from starting then system restore. thats key otherwise you cannot do anything unless you have software that can remove it.

[Savage03]

Been dealing with this stupid thing myself lately and its not kool, had pretty much the same issues as boa and I know some about pc's and tried many things but this thing locked everything up and even deleted all my restore points and it would even start in safe mode so at that point it was obvious a format was in order. Gonna save those steps posted but if he has as bad as I did dont think its gonna help him.

[Arct1k]

Yeah - It actually infected safe mode on Harrolds PC

[scarletboa]

Quote:

Originally Posted by BrianG

If it's called "Antivirus Live", this should kill it. This is what we used at work and it fixed all the computers with it.

that's exactly what it is. antivirus live

i'm not a complete pc noob. i just forgot how to do safe mode. i am pretty familiar with the registry and task manager, so now that i have that list of commands, i'm sure i'll be able to kill this thing.

[Overdriven]

My Pc modo is, if after an hour of trying to fix it with no luck, format and reinstall. But if you don't have a DVD writer to backup your pics, favorites, etc, get one. Or better yet an external hard drive. $125 will get you 1 terabyte these days. Makes starting all over alot easier, especially if you save an image of the drive (Norton Ghost or similar) on the external drive.

[scarletboa]

ok, well i couldn't find these files:

For XP:
C:\ document and settings \ [user] \ local settings \ Application Data \ [RANDOM CHARACTERS] \
C:\ document and settings \ [user] \ local settings \ Application Data \ [RANDOM CHARACTERS]sysguard.exe
C:\ document and settings \ [user] \ local settings \ Application Data \ sysguard.exe

or

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run -> “[RANDOM CHARACTERS]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run -> “[RANDOM CHARACTERS]”

but everything seems normal at the moment. i am able to use my itunes and ccleaner, but the internet is not working due to firewall settings? i am doing a virus scan right now