OMG, I GOT IT OUT OF MY COMPUTER, SO HERE'S THE SOLUTION!!!!
(I need to shout for people to hear me, sorry if I hurt ur ... eyes)
******* Resetting permission to TaskManager, Control Panel, and RegEdit.exe ******************
Start>Run: gpedit.msc
then set the following to DISABLED
User Configuration>Administrative Templates>Control Panel:
'Prohibit access to the Control Panel'
User Configuration>Administrative Templates>System:
'Prevent access to registry editing tools'
User Configuration>Administrative Templates>System>Ctrl+Alt+Del Options:
'Remove Task Manager'
You're partially up and running. To get Control Panel fully back: go to Start>Run: regedit.exe
In regedit, navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
and edit/create a DWORD value titled "NoControlPanel" and set its value to "0" (aka zero).
Control Panel is up and running.
**********************************************************************************************
*********** Killing the virus process ********************************************************
Now the program is running as a hidden process, so you need to kill the process. I used ProcessMaster v1.1 to kill it.
(Get it here:
http://www.freedownloadscenter.com/U...ss_Master.html )
patched with "Patch Process Master 1.1 Fixed" avail at:
http://www.mohsen3800.coo.ir/
Run ProcessMaster and KILL the MEDICHI.exe, MEDICHI2.EXE and [if running] SUSPEND.exe processes. Yay, the virus is now not running!
If you also have an 'antivirus.exe' or 'trayicon.exe' running, kill them too, and anything else that looks nasty.
**********************************************************************************************
Now the virus is not running, but it's not over yet: it will come back when you load Windows.
*********** Removing the virus from the Hard Drive *******************************************
MAKE SYSTEM AND HIDDEN FILES VISIBLE:
In Windows Explorer, go to Tools>Folder Options. On the "View" tab, select "Show hidden files and folders" and untick "Hide protected operating system files (Recommended)". Click [YES], click [OK].
DELETE THE FOLLOWING 5 FILES:
1) C:\Windows\Medichi.exe
2) C:\Windows\Medichi2.exe
3) C:\Windows\ ... there's another file in there called something like mediat.dat; if Windows Explorer has files sorted by "Date Modified" then it should be right next to those 2 files. Delete that also.
4) C:\Windows\System32\suspend.exe
** Before deleting the next file, make sure you have your original WindowsXP disc handy:
5) C:\Windows\System32\beep.sys
This file is where the virus spawns from, but it's required for Windows to run, so delete the file, and Windows should ask for the XP disc because it needs to restore the original file.
Go to Start>Programs>StartUp and delete any files that aren't shortcuts. If there are 'exe' files in there, delete them!
Perform a search in the registry (Start>Run: Regedit.exe, then Ctrl+F) for "Medichi", with all search options ticked and "Match whole string only" UNTICKED. Click [Find], and for every reference found, DELETE IT!
THE FOLLOWING SHOULD BE DONE BY PEOPLE WHO KNOW WHAT ARE SYSTEM FILES AND WHAT AREN'T!!!!
Perform a search on ALL your local hard drives for any files modified between the date of infection and the current date, to see what files are new. Make sure you have enabled the searching of "system and hidden files" in the search preferences. Delete the non-WinXP system files.
Restart Windows. All done. I Hope.
**********************************************************************************************
This is my very first post on a forum, ever, and I wrote this from memory after just cleaning my computer of the virus. I hope I didn't forget anything. It's mainly those 5 files listed above that will cause hell, and removing them will remove the CORE of the virus. Unless my computer had multiple viruses, there are other less severe elements to it which should be cleaned using regular virus scanners/spyware removal utilities.
Good luck. It took me several hours to find this solution, so don't hate me for forgetting something I did during that time. Dave -D>
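The post above does everything by hand: gpedit for the three lockouts, regedit for NoControlPanel, a process killer, the Startup folder, a registry search for the file name, and a date-sorted file search. The PowerShell script below is an added example for readers working through the same checks on a modern Windows box; it is not the poster's own steps and was not part of the original post. It reads the registry values that those Group Policy settings actually write (DisableTaskMgr and DisableRegistryTools under Policies\System, NoControlPanel under Policies\Explorer), lists Run/RunOnce and Startup entries, flags any whose name or command contains a chosen fragment or whose target file no longer exists, and lists executables under the Windows directory modified since a given date together with their Authenticode signature status, which is a more reliable "is this a real system file?" test than eyeballing names. It only reports unless run with -Reset. The parameter names (-Reset, -Since, -Pattern), the 7-day default window and the 'medichi' default fragment are my assumptions; adjust them to the case at hand. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example, not the original poster's procedure: audit the policy
  lockouts, autostart entries and recently modified binaries that the
  post above walks through by hand. Reports only, unless -Reset is given.
#>
param(
    [switch]$Reset,                              # clear active lockouts (assumed switch name)
    [datetime]$Since = (Get-Date).AddDays(-7),   # assumed "date of infection" window; adjust
    [string]$Pattern = 'medichi'                 # name fragment taken from the post; adjust
)

# 1. Registry values behind the three gpedit settings the post disables.
#    DWORD 1 = restriction active. Both hives are checked because either applies.
$policies = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       What = 'Task Manager'    },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; What = 'Registry Editor' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       What = 'Control Panel'   }
)
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($p in $policies) {
        $key = Join-Path $hive $p.Path
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = $item.($p.Name)
        $state = if ($value -eq 1) { 'BLOCKED' } else { 'allowed' }
        Write-Output ("[policy] {0}\{1} = {2} ({3} {4})" -f $key, $p.Name, $value, $p.What, $state)
        if ($Reset -and $value -eq 1) {
            Set-ItemProperty -Path $key -Name $p.Name -Value 0 -Type DWord
            Write-Output ("[policy]   reset {0} to 0" -f $p.Name)
        }
    }
}

# 2. Autostart entries: Run/RunOnce keys plus the per-user and all-users Startup folders.
#    Flag entries matching the pattern, or whose executable is missing (left behind
#    after the binary was killed and deleted but the launcher entry was not).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $cmd = [string]$prop.Value
        # Executable is either the quoted first token or the first whitespace-delimited token.
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $flag = ''
        if ($prop.Name -match $Pattern -or $cmd -match $Pattern) { $flag = ' <-- matches pattern' }
        elseif (-not (Test-Path -LiteralPath $exe))              { $flag = ' <-- target missing' }
        Write-Output ("[run] {0}\{1} = {2}{3}" -f $key, $prop.Name, $cmd, $flag)
    }
}
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    # The post's rule: anything in Startup that is not a shortcut deserves a look.
    Get-ChildItem -Path $dir -File -Force | Where-Object { $_.Extension -ne '.lnk' } |
        ForEach-Object { Write-Output ("[startup] non-shortcut file: {0}" -f $_.FullName) }
}

# 3. Executables under the Windows directory modified since $Since, with signature status.
#    Intact OS files report 'Valid'; 'NotSigned' or 'HashMismatch' on a recent file is what
#    the post's "delete the non-WinXP system files" step is really trying to find.
Get-ChildItem -Path $env:windir -Recurse -Force -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Modified  = $_.LastWriteTime
            Signature = $sig.Status
            Path      = $_.FullName
        }
    } | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Nothing in the script deletes a file: the signature listing is there so the decision about what is and is not a system file rests on the publisher's signature rather than on a filename, and the only write it performs (with -Reset) is setting the three policy values back to 0, which is exactly what the gpedit and regedit steps in the post do.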