#1
Registered User
Join Date: Dec 2007
Posts: 2
OS: windows xp home edition, service pack 2
Virus Help? New Virus!
OK... please bear with me. I am doing this for my mother because she JUST got this crazy virus, so we shut her computer down so that it would stop acting up. I tried downloading HijackThis, but it won't run. So I chose another program and screencap'd a couple of things.

VIRUS NAME: medichi.exe and medichi2.exe

It has taken away the use of the Control Panel, the Task Manager, Properties, and being able to change the date and time (the time is WAY off and it keeps changing). It keeps copying files randomly and another popup (which I screencap'd).

The first message I get is when the computer first boots up (this virus has made it so that it will boot up EACH time you start your computer). I didn't manage to screencap, but this is what it says:

Unable To Locate DLL
The dynamic link library MSVCR80.dll could not be found in the specified path C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;C:\WINDOWS;C:\WINDOWS\command;C:\ibmtools;c,\;C:\WINDOWS\system32;C:\WINDOWS\system32\WBEM;c:\windows\command;c:\ibmtools;c:\.

If I try to change the date or time or right click and click on Properties, I get this message:

Restrictions
"This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator."

You click OK and it pops up once more. You click OK again and it goes away.

As I said, HijackThis wouldn't run. Neither would Spybot Search & Destroy. AOL Spyware Protection didn't detect anything, and she runs Symantec AntiVirus Client.

Then it starts copying files:

[screenshot]

Shortly after that, this will pop up. This one pops up after the copy files thing pops up around 4 or 5 times. It repeats some sort of pattern.

[screenshot]

They can't even spell "authorized" correctly! Why would I download their program?! They spelled it right the first time, but not the second.

Here is the system info that this program (SIW - System Information for Windows) gave me. Please tell me if you need something else. I've never done this before and, since HijackThis didn't work, I didn't know what to do or capture from her computer.

[screenshot]

We are thinking of just scrapping her computer because it's very old and just getting her a new CPU. I'm not sure it's worth trying to save or even if it CAN be saved!

But I wanted people to know that this virus is out there and it's a really bad one from what little I've read about it. No one has been able to wipe it from their systems that I'm aware of. This is the info prevx.com has on the medichi and medichi2 virus. It's the only site that had any info on it:

The filename MEDICHI2.EXE was first seen on Dec 21 2007 in SWEDEN. It has also been seen in the following geographical regions of the Prevx community:
* SPAIN on Dec 21 2007
* The UNITED STATES on Dec 23 2007
The filename MEDICHI2.EXE refers to many versions of an executable program. They share a common file size of 8,192 bytes. These files have no vendor, product or version information specified in the file header.
MEDICHI2.EXE has been seen to perform the following behavior(s):
* The Process is packed and/or encrypted using a software packing process
* Registers a Dynamic Link Library File
MEDICHI2.EXE has been the subject of the following behavior(s):
* Added as a Registry auto start to load Program on Boot up
* Executed as a Process
MEDICHI2.EXE can also use the following file names:
* 39739927.DAT
* 71995254.EXE
* 42778536.EXE

Again... I apologize if I didn't give the correct info and if I did this wrong.
#2
Guest
Posts: n/a
Re: Virus Help? New Virus!
Follow the steps in this link: (Updated!) IMPORTANT - Read This Before Posting A Log and post your results in the HijackThis Log Help Forum. Follow the steps to the best of your ability, and if you have an issue with one of the steps then include information on it with your new topic. Please allow time, as our analysts are very busy working with cases and other forum things.
#3
Troubled
Re: Virus Help? New Virus!
This sounds like a boot virus. This one has definitely gotten into your autoexec.bat file and screwed around with it. Has it caused any real damage yet? You obviously still have internet, but it's also messing with your registry, which is really bad. Have you attempted getting something like Norton or AVG? Perhaps those can get it. You might end up having to flash your BIOS if it gets too bad.

A few tips for when you do in fact get your computer working again: Get a working anti-virus program (like Norton, AVG, or McAfee; AVG is pretty good) and keep it updated all the time, and get Spybot: Search and Destroy. Disable remote access on your computer (also disable any and all Telnet services). Filter what sites you go to; if you do see any symptoms of viruses, DON'T WAIT to solve the problem. Immediately close the internet, unplug it from your wall and run a full system scan on your computer. Also, when pop-ups do appear, do not click on them at all, not even the little "x" in the corner; instead press Ctrl+Alt+Delete (maybe Ctrl+Shift+Esc depending on your OS), find the program, right click on it and press "find process", then close/kill the process TREE. Clicking on it in any way shows the system sending you the virus that you're there (it's like a ping, and then it'll send you more and maybe even a virus itself). Don't go to any unverified sites and unregistered sites.

As for the virus itself, you seem to be having a lot of trouble with it. This one is too complex for me to handle, and I can tell that if it gets any worse then you'll end up having to do a Windows reinstall and possibly even flash the BIOS completely just to get rid of it (if it's in the BIOS then reinstalling Windows won't do anything for it). Follow the first response you have and see if you can't get it that way, try more sources, get some help any way you can, but if it gets to the point that it's messing with how your computer PHYSICALLY operates (heating up unexpectedly, won't cut on, etc.), then it has gone too far and has physically damaged your computer. This one has gotten pretty far already and its next step could be overloading your RAM and processor, causing it to overheat, possibly melt your computer's equipment, and cause serious damage to your computer.

Watch it closely, inspect it every time you get on it, but see first of all if you can counter-attack it as an individual virus as the first response showed. But I'm warning you, don't take too much time on this; the more time you give it, the more damage it can do to you.

God Bless and In Him, Eric
#4
Guest
Posts: n/a
Re: Virus Help? New Virus!
CD27: Our facilities are the best; TSF removes all spyware/adware/viruses/trojans etc. Also, it is the CMOS you are thinking of; the BIOS has not gotten many a virus that I have known of. The CMOS, which holds settings for the BIOS, is probably the best place for it.
#5
Troubled
Re: Virus Help? New Virus!
Well then, Dnceforce, it looks to me like you're in good hands. Just remember, when you get this computer fixed, please make sure you take the proper precautions to keep it and your personal information safe from viruses and hackers (not so much hackers, but viruses). I have been here several times to fix my own computer needs and TSF has helped me greatly, so if you ever have any more problems just come on back here.

God Bless and In Him, Eric
#6
Registered User
Join Date: Dec 2007
Posts: 1
OS: WinXP
OMG, I GOT IT OUT OF MY COMPUTER, SO HERE'S THE SOLUTION!!!!
(I need to shout for people to hear me, sorry if I hurt your... eyes)

*** Resetting permission to Task Manager, Control Panel, and RegEdit.exe ***

Start > Run: gpedit.msc, then set the following to DISABLED:
User Configuration > Administrative Templates > Control Panel: 'Prohibit access to the Control Panel'
User Configuration > Administrative Templates > System: 'Prevent access to registry editing tools'
User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options: 'Remove Task Manager'

You're partially up and running. To get Control Panel fully back: go to Start > Run: regedit.exe. In regedit, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer and edit/create a DWORD value titled "NoControlPanel" and set its value to "0" (aka zero). Control Panel is up and running.

*** Killing the virus process ***

Now the program is running as a hidden process, so you need to kill the process. I used ProcessMaster v1.1 to kill it (get it here: http://www.freedownloadscenter.com/U...ss_Master.html ) patched with "Patch Process Master 1.1 Fixed", available at: http://www.mohsen3800.coo.ir/. Run ProcessMaster, KILL the MEDICHI.exe, MEDICHI2.EXE and [if running] SUSPEND.exe processes. Yay, the virus is now not running! If you also have an 'antivirus.exe' or 'trayicon.exe' running, kill them too, and anything else that looks nasty.

Now the virus is not running, but it's not over yet; it will come back when you load Windows.

*** Removing the virus from the hard drive ***

MAKE SYSTEM AND HIDDEN FILES VISIBLE: In Windows Explorer, go to Tools > Folder Options > "View"; in the list select "Show hidden files and folders" and untick "Hide protected operating system files (Recommended)". Click [YES], click [OK].

DELETE THE FOLLOWING 5 FILES:
1) C:\Windows\Medichi.exe
2) C:\Windows\Medichi2.exe
3) In C:\Windows\ there's another file called something like mediat.dat; if Windows Explorer has files sorted by "date last modified" then it should be right next to those 2 files. Delete that also.
4) C:\Windows\System32\suspend.exe
** Before deleting the next file, make sure you have your original Windows XP disc handy:
5) C:\Windows\System32\beep.sys
This file is where the virus spawns from, but it's required for Windows to run, so delete the file, and Windows should ask for the XP disc because it needs to restore the original file.

Go to Start > Programs > StartUp and delete any files that aren't shortcuts; if there are 'exe' files in there, delete them!

Perform a search in the registry (Start > Run: Regedit.exe, then Ctrl+F) for "Medichi", all search options ticked, and UNTICK "Match whole string only". Click [Find] and for every reference found, DELETE IT!

THE FOLLOWING SHOULD BE DONE BY PEOPLE WHO KNOW WHAT ARE SYSTEM FILES AND WHAT AREN'T!!!! Perform a search on ALL your local hard drives for any files modified between the date of infection and the current date, to see what files are new. Make sure you enabled the searching of "system and hidden files" in the search preferences. Delete the non-WinXP system files. Restart Windows. All done. I hope.

This is my very first post on a forum, ever, and I wrote this from memory after just cleaning my computer of the virus. I hope I didn't forget anything.

It's mainly those 5 files listed above that will cause hell, and removing them will remove the CORE of the virus (unless my computer had multiple viruses). There are other less severe elements to it which should be cleaned using regular virus scanners/spyware removal utilities. Good luck; it took me several hours to find this solution, so don't hate me for forgetting something I did during that time.

Dave -D>
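The manual steps in post #6, turned into a read-only audit script as an added example (not from the thread or from any of its posters): it reports the policy lockouts and the file and autorun indicators the post names without deleting or changing anything, so the machine's state can be recorded before a removal is attempted, in line with the moderator's log-first advice. It assumes PowerShell 2.0 or later in an elevated prompt on the affected machine; the value names DisableTaskMgr and DisableRegistryTools are the standard registry values behind the two gpedit settings the post lists and do not appear on the page.

```powershell
# Added audit script, not from the thread; it only reports. Assumes PowerShell 2.0+
# in an elevated prompt on the affected machine.
# Policy values behind the lockouts post #6 lists (non-zero = restriction on). The two
# Disable* names are the standard values for the gpedit settings the post names.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' }
)
# Dropped executables and autorun locations named in post #6.
$fileIndicators = @("$env:SystemRoot\Medichi.exe", "$env:SystemRoot\Medichi2.exe",
                    "$env:SystemRoot\System32\suspend.exe")
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')

function Get-Sha256Hex([string]$Path) {
    $bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$findings = @()
# 1. Task Manager / regedit / Control Panel lockouts.
foreach ($c in $policyChecks) {
    $p = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($p -and $p.($c.Name) -ne 0) { $findings += "RESTRICTION $($c.Path)\$($c.Name) = $($p.($c.Name))" }
}
# 2. The dropped files.
foreach ($f in $fileIndicators) { if (Test-Path $f) { $findings += "FILE $f" } }
# 3. beep.sys, which the post says was replaced: compare the live driver with the Windows
#    File Protection cache copy. A mismatch is a lead, not proof, because the cache can be
#    tampered with as well; confirm against a known-good copy from the install media.
$live  = "$env:SystemRoot\System32\beep.sys"
$cache = "$env:SystemRoot\System32\dllcache\beep.sys"
if ((Test-Path $live) -and (Test-Path $cache) -and ((Get-Sha256Hex $live) -ne (Get-Sha256Hex $cache))) {
    $findings += "FILE $live differs from the dllcache copy"
}
# 4. Autoruns: Run values launching the named files, and non-shortcuts in StartUp.
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($v in $props.PSObject.Properties) {
        if (($v.Value -is [string]) -and ($v.Value -match 'medichi|suspend\.exe')) {
            $findings += "AUTORUN $k\$($v.Name) -> $($v.Value)"
        }
    }
}
foreach ($item in (Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Force -ErrorAction SilentlyContinue)) {
    if ($item -and -not $item.PSIsContainer -and $item.Extension -ne '.lnk' -and $item.Name -ne 'desktop.ini') { $findings += "STARTUP non-shortcut $($item.FullName)" }
}
if ($findings.Count -eq 0) { 'No indicators from this thread were found.' } else { $findings }
```

Run it before and after any cleanup and keep both outputs with the HijackThis log; a clean report only means the indicators this thread names are absent, not that the machine is clean.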
#8
Moderator, Microsoft Support
Re: Virus Help? New Virus!
@ CD27 and dave004: please read this:
Please Read! "Who is Helping you?"
There are different variants of a given virus, and an infected computer is usually prone to be infected by other malware. The 5 steps before posting a log are required to identify the various threats and know what we're dealing with. We understand that you are willing to help, but eventually this may end up worse if the removal steps are not taken in the right order.
Regards, justpassingby
Last edited by justpassingby; 12-26-2007 at 12:44 AM.
#10
Registered User
Join Date: Dec 2007
Posts: 2
OS: windows xp home edition, service pack 2
Re: Virus Help? New Virus!
I want to thank everyone for their suggestions of help. Unfortunately, we have found the computer to be a lost cause. Mom deserves a new computer but, man!... what an awful excuse to do so. It's a mean virus.
#11
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,646
OS: xp
Re: Virus Help? New Virus!
DnceForce77
There is a fix available, but you would need to follow the instructions posted by techpro5238 earlier on this thread: Virus Help? New Virus!
#12
Registered User
Join Date: Dec 2007
Posts: 1
OS: Windows XP SP2
Re: Virus Help? New Virus!
Hi guys,
I just wanted to let you know that I had the same problem. I registered here to help you with the following hint. I solved it following the removal instructions by Symantec. Link: Trojan.Virantix.B Removal. After that I ran Spybot Search & Destroy in Safe Mode.
Kind regards, Denis
Last edited by dcaratella; 12-27-2007 at 04:51 AM.