
Virus - need some serious help!

Old 07 November 2008, 12:22 AM
  #1  
Boro

Went over to a mate's house tonight and he showed me his desktop PC that's having issues. I think it's fair to say it has more than one virus and some other problems.

He doesn't have any AV software or any malware software. So I started by trying to download Adaware and Spybot. Both programs couldn't be downloaded, giving an error message, and I suspect the virus has made some changes to the registry to prevent them being downloaded.

I then downloaded Adaware and Spybot on his laptop to a memory stick and tried running them in SAFE MODE. Again, the virus had disabled running of these programs, registry again?

So basically, I need to know where in the registry the changes would have been made so that I can at least start to get it back to normal.

From my limited knowledge, would the registry changes be as simple as changing a 1 to 0 or vice versa?

Any ideas?
Old 07 November 2008, 01:23 PM
  #2  
HPLovecraft

Don't know if this would be much help to you but I've used it in the past as an aid to removing spyware and browser hijackers, but you have to know what you're doing so you don't delete legitimate entries:

Trend Micro HijackThis - Free software downloads and reviews - CNET Download.com

There's a tutorial here:

HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware
Old 07 November 2008, 01:43 PM
  #3  
Boro

Thanks for that, but I think I will have trouble running the program because of possible registry changes made by the virus.

I really need to know where to change permissions in the registry before I even start on getting rid of it.
Old 07 November 2008, 01:59 PM
  #4  
mike1210

If the PC really is buggered it may be quicker to do a re-build on it.

Hard to tell how badly it's infected but if it's been running without AV and the like (it is behind a router?)

HijackThis as above is good; also have a look at this:

UBCD for Windows

Could run the tools on that and try to improve it, but installing AV and the like now is kinda like closing a gate after the horse has bolted, if you get my drift.

It may be fixable but if it's beyond the point of no return I'd rebuild it from scratch.

Use Nod32 for anti-virus (Avira if you don't want to pay), CCleaner is also useful, and make sure a firewall is present, be it router or software or both.

Then tell him some dos and don'ts, i.e. close popups, don't install what they tell you, stay away from virus-ridden programs (Kazaa etc.)
Old 07 November 2008, 02:00 PM
  #5  
jaytc2003

If he can access the web then go to the McAfee website as they do an online virus checker.

Alternatively, boot into safe mode and log on as the administrator and hopefully it will let you install whatever needs installing.

I would also boot into Windows normally and have a look at the processes that are running, and also do msconfig from the start menu then run
Old 07 November 2008, 02:02 PM
  #6  
StratosWRC

Don't know about the registry, but can you use a restore point?
I used malwarebytes.org recently which found a nasty virus which Kaspersky, Spybot, Adaware missed.
Old 07 November 2008, 06:55 PM
  #7  
Boro

Will try the restore points tonight as I'm going back over there to have another look.

I've already tried booting in safe mode logged on as admin and still no joy in running any programs, just keep getting declined.

Does anyone have any understanding of which registry keys would have been changed to deny permissions?
Old 07 November 2008, 07:11 PM
  #8  
Kieran_Burns

You could try MSCONFIG and turn EVERYTHING off. This will certainly stop any startup malware from running... then try the online scans (such as McAfee)
Old 07 November 2008, 07:20 PM
  #9  
Boro

Will try some online scans tonight and see how that deals with it. I'm not hopeful as I think the registry is fubar'd
Old 07 November 2008, 07:22 PM
  #10  
mike1210

Fixing lecturers' machines over the years, msconfig may help but some will re-enable themselves and come back on at startup with all options unticked without doing serious digging into the registry and other system files
Old 07 November 2008, 07:25 PM
  #11  
Boro

What would have changed in the registry to disallow programs to run or even be downloaded? I'm sure I just need to change a 1 to a 0 somewhere. But where?
Old 07 November 2008, 07:33 PM
  #12  
mike1210

Don't get me wrong, msconfig is a good idea, but things may re-enable on boot. You may be able to see which ones by checking msconfig again on re-boot, seeing which things are ticked and looking at the reg location of that entry. As above, check running processes and google dubious ones; if a nasty program has been installed, google for a removal tool. I've used a few over the years which were great. Not sure off the top of my head why all progs wouldn't run (gotta shoot off for a curry) but sounds like it's boogered from that
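
The re-check described in the post above (disable startup items, reboot, see which came back), as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later; the script name and snapshot path are hypothetical, and it covers only the Run/RunOnce keys and Startup folders, not services.

```powershell
# Added example. Usage (hypothetical script name):
#   .\Compare-Autoruns.ps1 -Mode Baseline   # after unticking items in msconfig
#   (reboot)
#   .\Compare-Autoruns.ps1 -Mode Compare    # lists entries that appeared or changed
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Baseline',
    [string]$SnapshotPath = "$env:TEMP\autoruns-baseline.xml"   # assumed location
)

# Standard per-machine and per-user autostart registry keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
    # Per-user and all-users Startup folders.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path -and (Test-Path $path)) {
            Get-ChildItem -Path $path -File | ForEach-Object {
                [pscustomobject]@{ Key = $path; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

$current = @(Get-AutorunEntry)
if ($Mode -eq 'Baseline') {
    $current | Export-Clixml -Path $SnapshotPath
    "Saved $($current.Count) entries to $SnapshotPath"
} else {
    $baseline = @(Import-Clixml -Path $SnapshotPath)
    if ($current.Count -eq 0) { return }                  # nothing autostarts now
    if ($baseline.Count -eq 0) { $current; return }       # everything is new
    # '=>' marks entries present now but absent from (or different to) the baseline.
    Compare-Object $baseline $current -Property Key, Name, Command |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Key, Name, Command
}
```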
Old 07 November 2008, 08:06 PM
  #13  
Boro

Does anyone know anything about regedit and the registry?
Old 07 November 2008, 09:21 PM
  #14  
bioforger

Run all your tools in safe mode first.
Old 08 November 2008, 03:04 AM
  #15  
Boro

Originally Posted by Boro:
"I've already tried booting in safe mode logged on as admin and still no joy in running any programs, just keep getting declined."

Managed to find an old restore point before the point of infection.
Old 08 November 2008, 10:28 AM
  #16  
jaytc2003

Originally Posted by Boro:
"Managed to find an old restore point before the point of infection."

The virus and malware will still be there though, so get hold of a virus checker and spyware checker and run them by doing full deep system scans and include all archives etc.
Old 08 November 2008, 02:20 PM
  #17  
Boro

Thanks for everyone's input. Didn't have time to cleanse the whole system last night but have downloaded a couple of malware checkers and FREE AVG (better than nothing, lol). I will run them in safe mode next time I pop over.
Old 09 November 2008, 12:04 AM
  #18  
Simon 69

Malwarebytes will help.
Old 10 November 2008, 09:12 AM
  #19  
jowl

Being brutally honest: Stop pissing around.

If they had no AV or Malware protection then just wipe the whole thing and re-install. It's the only way you can be sure you've removed the virus.

You'll probably want to move the documents to another location. Just make sure you scan them thoroughly when moving them back!
Old 10 November 2008, 10:02 AM
  #20  
Simon 69

FDisk; Format; re-master.
Old 10 November 2008, 11:57 AM
  #21  
Iain Young

Originally Posted by Boro:
"Does anyone know anything about regedit and the registry?"

Yes, and you are very unlikely to be able to fix anything by manually hacking it, especially without a lot of experience. You can easily do a lot more damage than good. I'd recommend formatting and a re-install as well...
Old 12 November 2008, 10:23 PM
  #22  
Dedrater

Just to add, this MSCONFIG talk will never work if it's a virus, because ultimately it's not a process but a service, a hidden one at that, and as has been said, once a computer has been compromised by a virus, it is not wise to continue using the same computer without completely reinstalling the operating system.