Tuesday, May 27, 2008

VIRUS ALERT! in clock and how to restore it

Posted on 10:16 AM by Unknown
Most people recognise the words VIRUS ALERT! beside the System clock after being infected with one of the Zlob-Media Codec infections.



It is also displayed in place of the Product ID in your System Properties > General:



In the Registry, the following values are affected and replaced with VIRUS ALERT!

[HKEY_CURRENT_USER\Control Panel\International]
"sTimeFormat"="h:mm: VIRUS ALERT!"


This is what puts the words VIRUS ALERT! in the clock.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"="VIRUS ALERT!"


This is what puts VIRUS ALERT! in the System Properties.

In both cases the original values differ from computer to computer: the time format depends on your Regional Settings, and the Product ID is different for every installation.
To restore the clock, go to Start > Run, type: intl.cpl
Hit Enter.
This opens the Regional Settings properties.
Under the Regional Options tab > Standards and formats, re-select your region from the dropdown list.

In my case it is set to English (United States), but in your case it may of course be different.
By default the correct region should already be displayed there, but you have to re-select it (or select another region first and then select your region again), then click Apply and OK. This rewrites the default sTimeFormat data in the Registry, so the VIRUS ALERT! text should be gone.
(In some cases you need to log off for the changes to take effect.)
(Extra note: in case you have problems with the above instructions, see the last part of this post on how to restore the policies first.)

For the ProductID this is somewhat more advanced, since every ProductID is different.
You need to restore that value in the Registry with your own ProductID. The ProductID is a string of 20 numbers and is used when you call Microsoft for support. A wrong ProductID may also affect Windows XP validation: an error in the System tray saying "Unable to complete genuine Windows validation", and/or you *may receive the error: "0x80080201 Cannot detect product ID (PID)"

The ProductID that was modified here is under the:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"="XXXX-XXX-XXXXXXX-XXXXX"


Note, this is not your Product Key used to install Windows!

To retrieve your Product ID and restore it for the above key/value, you can also find it under the following value in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductId"="XXXX-XXX-XXXXXXX-XXXXX"


If you're not familiar with the registry, I suggest you use the Microsoft Genuine Advantage Diagnostic (MGADiag) tool instead to retrieve your Product ID.

Run MGADiag.exe, click Continue, and you'll find your Product ID under the Windows tab.



There you can find your Product ID.
Now you have to restore that value in the registry.
To do this, go to Start > Run and type: regedit
This opens the Registry Editor.
(Extra note: in case you have problems with the above instructions, see the last part of this post on how to restore the policies first.)

Now browse to the following key by expanding the folders (keys):
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT > CurrentVersion
On the right you should find: ProductId
In your case you'll see VIRUS ALERT! next to it.
Double-click the value to open it and edit the string as shown in the screenshot below:



Where you see VIRUS ALERT! in the Edit String window, delete it and replace it with the Product ID you retrieved previously: XXXX-XXX-XXXXXXX-XXXXX
The X stands for random numbers/letters.
Click OK after editing the ProductId value in the Edit String window to apply the changes.

This infection also adds a lot of policies (Task Manager disabled, Registry Editor disabled, etc.) and also makes some modifications to the Start menu, as you see in the screenshot below:


To fix this, download this zip file to your desktop.
Unzip it. Then RIGHT-CLICK VArestorepolicies.inf and select Install from the context menu.

Then, log off or reboot to apply the changes.

Note: the above will reset the Start menu display to the Windows default, in case you had modified it previously and already "disabled" some Start menu items there.
It will also delete some policies which you *may have set yourself previously.

Note 2: the above instructions only remove the VIRUS ALERT! text in the clock and System Properties and undo the restrictive policies and registry modifications that were set. They do not clean the infection itself if it is still present. As long as the infection is still present and active, it will set the above values (to VIRUS ALERT!) and the policies again.
To receive help removing the infection (if still present), register at one of the forums listed on the right, or register at my personal forum here. It's a Dutch forum but I also give English support.
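As an added example (not part of the original post, and not the author's restore tool), here is a small Python script that performs the checks this post walks through by hand for the clock, the Product ID and the policies, but against a `reg export` text file rather than the live registry: it parses the `[key]` / `"name"=value` layout shown above, flags every value carrying the VIRUS ALERT! marker (the clock's sTimeFormat and the ProductId), recovers the Product ID from the second copy under Windows\CurrentVersion, sanity-checks it as 20 digits, and writes a .reg file that restores both values and deletes the Task Manager and Registry Editor policies. The sample export, the placeholder Product ID, the English (United States) default time format "h:mm:ss tt" and the policy value names DisableTaskMgr / DisableRegistryTools are assumptions of mine, not taken from the post.

```python
import re

# Constructed sample of what `reg export` of the affected keys looks like on an
# infected machine. The tampered values are the ones the post shows; the Product ID
# under Windows\CurrentVersion is a placeholder, not a real one, and the two policy
# value names are an assumption (the usual values behind a disabled Task Manager and
# Registry Editor), not something the post lists.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\International]
"sTimeFormat"="h:mm: VIRUS ALERT!"
"sShortDate"="M/d/yyyy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"="VIRUS ALERT!"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductId"="12345-678-1234567-12345"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

MARKER = "VIRUS ALERT!"
KEY_INTL = r"HKEY_CURRENT_USER\Control Panel\International"
KEY_NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
KEY_WIN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
KEY_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"


def parse_reg_export(text):
    """Parse .reg text (the [key] / "name"=value layout the post uses) into
    {key path: {value name: raw value literal}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def unquote(raw):
    """Turn a REG_SZ literal ("...") into a plain string; other types are returned as-is."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def find_tampering(keys):
    """List every (key, value name) whose data carries the VIRUS ALERT! marker."""
    return [(key, name) for key, values in keys.items()
            for name, raw in values.items() if MARKER in unquote(raw)]


def recover_product_id(keys):
    """Read the untouched Product ID copy under Windows\\CurrentVersion, as the post
    suggests, and sanity-check it: digits and hyphens only, 20 digits in total.
    Returns None when there is nothing trustworthy to restore from."""
    raw = keys.get(KEY_WIN, {}).get("ProductId")
    if raw is None:
        return None
    pid = unquote(raw)
    digits = pid.replace("-", "")
    if MARKER in pid or not digits.isdigit() or len(digits) != 20:
        return None
    return pid


def build_restore_reg(keys, time_format="h:mm:ss tt"):
    """Emit a .reg file that puts the Product ID back, resets sTimeFormat and deletes
    the two policy values. The default time_format is an assumption for English
    (United States); the post restores it through intl.cpl instead."""
    pid = recover_product_id(keys)
    if pid is None:
        raise ValueError("no trustworthy ProductId copy; retrieve it with MGADiag first")
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += [f"[{KEY_INTL}]", f'"sTimeFormat"="{time_format}"', ""]
    lines += [f"[{KEY_NT}]", f'"ProductId"="{pid}"', ""]
    # "name"=- is the .reg syntax for deleting a value
    lines += [f"[{KEY_POLICY}]", '"DisableTaskMgr"=-', '"DisableRegistryTools"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name in find_tampering(found):
        print(f"tampered: [{key}] {name}")
    print(build_restore_reg(found))
```

Export the four keys with `reg export` into one file, feed it to parse_reg_export, and read the generated .reg before importing it; as the post says, none of this removes the infection, so expect the values to be overwritten again until it is cleaned.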