Virus Alert: Sys.exe Noooh

Posted by

Ghiath in May 31st, 2007

Summary:

This virus enters you computer from an external device (Flash Disk, External HD, Memoery Card). It runs with explorer autoplay. It copies Sys.exe to this folder “c:\Windows\Web\Sys.exe”.

Effects:

1- Disables Windows Task Manager.

2- Disables Windows Command Prompt.

3- Disables Windows Folder Options.

4- Copies itself to all removable media.

Resolution:

Restart your computer.

After restart a message will appear “Noooh.. please try to open task manager” and an OK Button.

Don’t click the OK button.

Open the task manager and this process “Sys.exe”

Click ‘Start‘.
Open ‘My Computer‘.
Select the ‘Tools‘ menu and click ‘Folder Options‘.
Select the ‘View’ tab.
Under the ‘Hidden files and folders‘ heading select ‘Show hidden files and folders‘.
Uncheck the ‘Hide file extensions for known types‘ option.
Uncheck the ‘Hide protected operating system files (recommended)‘ option.
Click Yes to confirm.
Click OK.

Download KillBox,unzip/extract it to your desktop.

Start up Killbox and place a check in ‘Delete on Reboot‘.
In the ‘Full path of file to delete‘ box,copy and paste:

C:\Windows\Web\Sys.exe

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it does’nt reboot automatically,reboot manually.

————————————————————————————-

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting ‘Fix checked’.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 – HKLM\..\Run: [NoooH] C:\Windows\Web\Sys.exe

Exit Hijackthis,restart your pc,post a new Hijackthis log in your next reply.

Rate this:

2.5

Share this article: These icons link to social bookmarking sites where readers can share and discover new web pages.