- Posts: 230
- Thank you received: 1
New virus
17 years 4 months ago #22412
by Alans
always Face your Fears...
Hi, my PC is infected with a virus that adds some extra items to the right-click menu
on the hard disk drives, like "If freedom is outlawed, only outlaws will have freedom",
and under it there is "J U S T A G A M E". If I click the first one (i.e. "If freedom...") it tries to open
drive letter:\RECYCLER\systems.com, like \RECYCLER\systems.com.
If the file is run, a lot of fake popup messages appear that say something like "my picture
is corrupted, please run chkdsk". It also adds a mypicture.exe file to some folders,
disables Task Manager in the Ctrl+Alt+Del menu, and
you can't open regedit from the Run window.
Anyway, I restored my PC to a specified date with Acronis True Image and the virus is
gone (only for the restored drives), and now I can open Task Manager and regedit.
In regedit I searched for systems.com and here is what I found:
HKEY_USERS\S-1-5-21-4217527386-1433810888-3187400971-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{746afdd6-1c53-11db-b5b5-806d6172696f}\Shell\start\command (the command value is \RECYCLER\systems.com)
I deleted this and everything was normal for a few days, but it came back again without using any
external media.
I have NOD32 AV updated but it didn't catch it. I googled it and found that Sophos is the only AV (as far as I know)
that can catch this virus:
www.sophos.com/security/analyses/w32outlawa.html
So what should I do? Wait until NOD32 updates their DB, or...
Thanks
17 years 4 months ago #22416
by yadav
You can't get the Run window and Task Manager if your PC is infected with this kind of virus; I also faced the same problem. Try to clean the virus using "Stinger", it's freely available on the net. Download it and scan your PC in Safe Mode. It can cure it up to some extent.
17 years 4 months ago #22419
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: New virus
As yadav suggested, I would reboot in Safe Mode and clean it out of the registry. Also, look to move to Sophos, lol.
Also, most AV vendors will have an e-mail address that you can send viruses to for analysis. I would also do that, because they may already have a signature that hasn't quite been released yet, or they may even send instructions on its removal.
Cheers
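The registry location quoted in the first post (MountPoints2\{volume-id}\Shell\<verb>\command) is where Explorer caches a volume's right-click verbs, which is why a "start" verb pointing at \RECYCLER\systems.com survives until both the key and the file at the drive root are gone. The following script is an added example, not code from this thread or from firewall.cx: it audits every loaded user hive for such verbs, flags the RECYCLER indicator from the post, optionally removes the flagged verb keys (the -Remove switch is my own), and then checks each drive root for the dropper and for an autorun.inf. Run it from an elevated PowerShell session, ideally in Safe Mode as suggested above.

```powershell
param([switch]$Remove)

# HKU: is not mapped by default; map it so every loaded user hive can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = foreach ($hive in Get-ChildItem HKU:\ -ErrorAction SilentlyContinue) {
    $mp = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    if (-not (Test-Path $mp)) { continue }
    # Layout: MountPoints2\{volume-id}\Shell\<verb>\command, whose (default) value is the command line.
    foreach ($cmdKey in Get-Item "$mp\*\Shell\*\command" -ErrorAction SilentlyContinue) {
        $cmd = [string]$cmdKey.GetValue('')        # '' selects the (default) value
        if (-not $cmd) { continue }
        $parts = $cmdKey.Name -split '\\'
        [pscustomobject]@{
            Hive       = $hive.PSChildName
            Volume     = $parts[-4]
            Verb       = $parts[-2]
            Command    = $cmd
            Suspicious = [bool]($cmd -match '(?i)\\RECYCLER\\')   # the indicator from the post
            KeyPath    = $cmdKey.PSParentPath                       # the Shell\<verb> key itself
        }
    }
}

# Show every cached verb so unknown ones can be eyeballed, flagged ones first.
$findings | Sort-Object Suspicious -Descending |
    Format-Table Hive, Volume, Verb, Command, Suspicious -AutoSize

if ($Remove) {
    foreach ($f in $findings | Where-Object Suspicious) {
        Write-Host "Removing $($f.KeyPath)"
        Remove-Item -Path $f.KeyPath -Recurse -Force
    }
}

# The key is only a cache; the file it launches sits at a drive root, and an
# autorun.inf there would let Explorer re-create the verb. Check each drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object Root -match '^[A-Z]:\\$') {
    foreach ($rel in 'RECYCLER\systems.com', 'autorun.inf') {
        $p = Join-Path $drive.Root $rel
        if (Test-Path -LiteralPath $p) { Write-Warning "Found $p - inspect before deleting" }
    }
}
```

Run it once without -Remove to review the table, then with -Remove; a copy of any flagged file can be submitted to your AV vendor as Smurf suggests.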