Virus help: can't run regedit / "can't detect free hard drive space"

**helppleease** · 10-03-2012

Hi

I have a virus on my computer

Basically this is the problem:

"windows can't detect free hard drive space" virus?

There is a fake system check and a lot of pop-ups saying there might be something wrong with my hard drive.

The background is black and a lot of icons are missing from my desktop. Also the start menu is empty but i can still search for programs individually.

I'd like to follow the instructions from that site but i can't run task manager or the registry editor to remove the files.

I don't know how to fix the registry editor or remove the virus.

If you know anything that would be great.

Thank you.

I discovered that by typing cmd into the run box you can get a black box with white writing, but when i type in "reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
it says DisableTaskMgr REG_DWORD 0x0 and DisableRegistryTools REG_DWORD 0x0 but i read that "1" means it's been disabled so they should be running?

**helppleease** · 10-03-2012

I am also trying to follow the directions from here

I can't run Virus scans or do Updates

Chances are your hosts file has been hijacked and modified. Your host file is used to tell your browser where it should find files/sites -- normally it's never used except by experienced users. By default, the only thing that comes with a clean Windows install in your host file is 127.0.0.1 Localhost. In essence what that means is that anything that has the 127.0.0.1 address in your hosts file redirects to your computer, hence making the webpage undisplayable (for example if you included 127.0.0.1 http://www.google.com in your hosts file you would get a page not found error, because your browser would be looking for google on your machine). What many new viruses / trojans attempt to do is edit your hosts file to essentially make most recognized antivirus proggies unusable, or disallow access to definition updates. This file is located in c:\WINDOWS\system32\drivers\etc. or c:\WINNT\system32\drivers\etc (depending on what version of Windows you use) and does not include a file extension. In order to open and edit it, you can use Notepad, but to see it, you must select "all files" from the dropdown menu instead of text .txt files. If this file contains anything other than 127.0.0.1 Localhost that you didn't add there yourself, then delete the additional entries and save the file (be sure to scroll all the way down as some viruses add their entries with many spaces below the valid ones.) When you save, select File and Save. Do not select "Save As" as this will by default add a .txt file extension and will make the file unusable. *note the host file in system32 is not the same as hosts.ics or lmhosts.sam. Do not confuse them.

By editing this file (without rebooting - rebooting may cause the file to be overwritten again by the virus), there is a possibility that you could now update your virus protection files or at least run online scans. It doesn't completely fix the problem but at least it's a start. Your best practice is to attempt to get a dat update for your Virus protection and then reboot to safemode and run your virus protection in safemode. If you have configuration options available, configure your virus protection to first "clean" infected files, and as a second option "delete". In my opinion Quarantine is useless. Why would you want to leave a virus on your machine? Get rid of it from the start. Your virus protection may or may not find anything, depending on how current the virus is, and how up-to-date your anti-virus definition files are.

This is what the entry on my computer says:

Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost

is the "::1 localhost" bad?

Thanks.

**JAMES_911** · 10-03-2012

Can you check if booting in to safe mode with networking helps, run .exe files and download MalWarebytes and install it. That should get rid of the rogue software. If that doesnt work then boot from the vista disk to the install screen and on the bottom left click on the repair option.

**helppleease** · 12-03-2012

Hi, thank you for your response!

Internet explorer wasn't work but firefox is still working so i downloaded Malwarebytes from it and ran it in.

(I tried to boot to safe mode by pressing F8 but wasn't successful. I think i'm doing something wrong).

The popups are all gone now, but all my files are missing.
The start menu is still empty and some of my desktop icons are missing but the programs are still there.

I'm wondering if some of the virus is still there hiding these?

I hope i can recover some of my files.

Also, i share this computer with other people but only my account is affected.

Thank you for your help!

If anyone has more advice i would really appreciate it.

Thanks.

**SUpER CoP** · 13-03-2012

Well, you can check in the add and remove programs list whether the programs are listed there or not. If not then you might have to reinstall it, if they appear then simply choose to repair the programs and afterwards check if they are returning back to normal or not.

**helppleease** · 14-03-2012

Hi,

Thank you again.

I was able to find all my programs/files. They were still on my computer, only hidden by the virus.

I have one more question.

The virus popped up a fake "System Check" scan, and when

I was looking through my files i found a "System Check" folder that was created about the same time i was infected with the virus. There is even an "uninstall System Check" shortcut in the folder, but when i check in Add/Remove programs, "System Check" is not listed.

I'm thinking of deleting everything from that folder in case it's related to the virus, and wanted to check that it would be okay, and that it

would be better to just delete it rather than use the uninstall shortcut.

ps. (i found the "System Check" folder in C:\Users\[my user]\AppData\Roaming\Microsoft\Start Menu and in ...\Roaming\Microsoft\Internet Explorer)