12-23-2007, 01:26 PM   #1
DnceForce77
Registered User
 
Join Date: Dec 2007
Posts: 2
OS: windows xp home edition, service pack 2


Virus Help? New Virus!

OK... please bear with me. I am doing this for my mother because she JUST got this crazy virus, so we shut her computer down so that it would stop acting up. I tried downloading HiJackThis, but it won't run it. So I chose another program and screencap'd a couple of things.

VIRUS NAME: medichi.exe and medichi2.exe

It has taken away the use of the Control Panel, the Task Manager, Properties, and being able to change the date and time. (the time is WAY off and it keeps changing) It keeps copying files randomly and another popup. (which I screencap'd)

The first message I get is when the computer first boots up. (this virus has made it so that it will boot up EACH time you start your computer) I didn't manage to screencap, but this is what it says:

Unable To Locate DLL
The dynamic link library MSVCR80.dll could not be found in the specified path C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;C:\WINDOWS;C:\WINDOWS\command;C:\ibmtools;c,\;C:\WINDOWS\system32;C:\WINDOWS\system32\WBEM;c:\windows\command;c:\ibmtools;c:\.

If I try to change the date or time or right click and click on Properties, I get this message:

Restrictions
"This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator."

You click OK and it pops up once more. You click OK again and it goes away.


As I said, HiJackThis wouldn't run. Neither would Spybot Search Destroy. AOL Spyware Protection didn't detect anything, and she runs Symantec AntiVirus Client.


Then it starts copying files:




Shortly after that, this will pop up. This one pops up after the copy files thing pops up around 4 or 5 times. It repeats some sort of pattern.



They can't even spell authorized correctly! Why would I dl their program?! They spelled it right the first time, but not the second.


Here is the system info that this program (SIW - System Information For Windows) gave me. Please tell me if you need something else. I've never done this before and, since HiJackThis didn't work, I didn't know what to do or capture from her computer.



We are thinking of just scrapping her computer because it's very old and just getting her a new CPU. I'm not sure it's worth trying to save or even if it CAN be saved! But I wanted people to know that this virus is out there and it's a really bad one from what little I've read about it. No one has been able to wipe it from their systems that I'm aware of.


This is the info prevx.com has on the medichi and medichi2 virus. It's the only site that had any info on it:


The filename MEDICHI2.EXE was first seen on Dec 21 2007 in SWEDEN. It has also been seen in the following geographical regions of the Prevx community:

* SPAIN on Dec 21 2007
* The UNITED STATES on Dec 23 2007

The filename MEDICHI2.EXE refers to many versions of an executable program. They share a common file size of 8,192 bytes. These files have no vendor, product or version information specified in the file header.

MEDICHI2.EXE has been seen to perform the following behavior(s):

* The Process is packed and/or encrypted using a software packing process
* Registers a Dynamic Link Library File

MEDICHI2.EXE has been the subject of the following behavior(s):

* Added as a Registry auto start to load Program on Boot up
* Executed as a Process

MEDICHI2.EXE can also use the following file names:

* 39739927.DAT
* 71995254.EXE
* 42778536.EXE



Again.. I apologize if I didn't give the correct info and if I did this wrong.
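An added example, not part of the original post or of the Prevx description: a Python script that scans the text of an exported `.reg` file for autostart entries using the file names quoted above and for restriction policies consistent with the lockouts described. The sample export, its paths and value names, the eight-digit alias pattern and the choice of policy values are assumptions of this example.

```python
import re

# Names from the post and the Prevx text; the eight-digit pattern generalizes
# the three aliases listed there (an assumption of this example).
KNOWN_NAMES = {"medichi.exe", "medichi2.exe"}
ALIAS_RE = re.compile(r"^\d{8}\.(exe|dat)$", re.I)
# Policy values assumed to correspond to the reported lockouts.
RESTRICTIONS = {"disabletaskmgr", "nocontrolpanel", "nopropertiesmycomputer"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
FILE_RE = re.compile(r'([^\\/"]+\.(?:exe|dat))', re.I)

def triage_reg_export(text):
    """Return (kind, key, value_name, detail) tuples for suspicious values."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: current registry key
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data, lkey = m["name"], m["data"], key.lower()
        if lkey.endswith("\\currentversion\\run"):
            f = FILE_RE.search(data)  # first file-like token in the command
            exe = f.group(1).lower() if f else ""
            if exe in KNOWN_NAMES or ALIAS_RE.match(exe):
                findings.append(("autostart", key, name, exe))
        elif "\\currentversion\\policies\\" in lkey and name.lower() in RESTRICTIONS:
            if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
                findings.append(("restriction", key, name, data))
    return findings

# Constructed sample export (paths and value names are made up for the demo).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"medichi"="C:\\WINDOWS\\system32\\medichi2.exe"
"svc"="C:\\WINDOWS\\Temp\\71995254.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
'''

if __name__ == "__main__":
    for finding in triage_reg_export(SAMPLE):
        print(*finding, sep=" | ")
```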