Wednesday, May 7, 2008

Getting rid of Black Pegasus Virus

Black Pegasus virus: Be gone! Just two days ago, my laptop started acting weird. The screen kept going blank, as if it was resetting the desktop or the explorer.exe process. My Task Manager, Search, and hidden folders were also "disallowed". Finally, I found a message in my C:\ named [pegasus]. The virus is made by a group of hackers named Black Pegasus. They're from one of the computer colleges here in the Philippines. Fucking group should be hunted down. When I searched for solutions to the problem, there were only 3 sites that gave advice, so I decided to post this to add to the help pool. If you notice the same symptoms, here are some instructions to beat it.

1. Turn off System Restore. The virus automatically erases previous restore points, so it's better to just turn it off. This also helps prevent the virus from coming back. (Note: don't plug any media into your computer, or it will infect your USB drive/iPod/MP3 player as well. If you already did, leave it plugged in, or plug it back in, while you do these steps.) Turn off System Restore for any media you plug in as well.

2. Download TuneUp Utilities (preferably on another computer) and RRT. TuneUp Utilities has a free trial, and it will see you through the whole process. Since the virus tries to keep you away from its files, it may also block you from getting online, so get the programs from a computer shop or a friend's computer. As you install TuneUp, allow it to create icons on your desktop; this saves time and headaches later. RRT is a registry repair tool. Install it too: it unblocks Task Manager and the other utilities the virus disallows. At this point the blocks will still come back, because the virus process has not been killed yet (that is step 4).

3. Access the TuneUp Process Manager. You have to be very fast, and I mean VERY fast, when clicking. Double-click the "TuneUp Utilities 2008" icon (not the maintenance one). You may have to click the program repeatedly from the taskbar, since the virus will keep minimizing it. The speed of minimization varies, so you have at least one second to click "Other processes" when the program shows you its options. "Other processes" is the last choice. When you click it, a menu with a list of actions appears on the right side. Choose TuneUp Process Manager.

4. Search for svchost.exe. In the list of processes there are a lot of svchost.exe processes; the virus hides among them, and the only thing that gives it away is its location. Select the one whose location is C:\WINDOWS\sysnten32, a lookalike of the real system32 folder. Important: don't kill any of the svchost.exe processes that run from your real SYSTEM32 folder. Those are necessary Windows processes. Click the little "x" button at the top. This should stop the virus from resetting your screen when you click on the Start bar.

5. Run RRT.exe. Here's where the RRT tool comes in. When you run it, a list of utilities comes up. Just click "Check all" and then "Remove". This removes the blocks on Task Manager, hidden files, etc.

6. Delete the virus files. You can use your antivirus program or the Search button (mine was totally erased TT_TT) to look for these files, or you can check everything manually. The most common files are autorun.inf, isetup.exe, and transmit.exe. You will find these three files on any media you plugged into your computer while it was infected, so don't forget to scan your USB drive/iPod/etc. for them too. Other files include diffuse.dat and p3645u5.something (pegasus T_T). There may be other files that I forgot to mention; an updated AVG scan will get them all. If you have other drives besides C:\, such as a backup drive D:\ or another hard drive, scan them as well.

7. Run TuneUp 1-step Maintenance. When you've killed every possible virus file, run this program to find any errors or changes that the virus made to your registry, programs, and files. I had 500+ registry errors and a couple of program and file problems. Just let the program take its course. By the way, the program also checks whether your computer needs defragmentation. Allow it to check this, but if you don't want to wait 5 hours or so, skip the actual defragmentation.

8. Check everything with TuneUp. If you're OC (obsessive-compulsive) like me, you may want to run every process TuneUp offers. Just be sure not to delete any necessary process. I accidentally deleted ntdetect.com, thinking it was spyware. T_T My computer crashed. I was able to copy it back from the Windows XP recovery disk... but that's another story.

9. Annoyances. There's also the fucking message from the person who made the virus. It's in your C:\ folder: [pegasus].rtf or .doc. Delete it and grin.

10. (because 10 steps are cooler than 9) Celebrate. You beat the virus!
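For anyone who would rather not race the virus's minimize timer, here is the same clean-up (steps 4, 5 and 6, plus the autorun warning from step 1) as a script. This is an added example written for this page; it is not code from the post, from TuneUp or from RRT. It assumes Windows PowerShell 2.0 or later running from an elevated (Administrator) prompt. The file names it searches for are the ones the post lists; the registry value names, the `NoDriveTypeAutoRun` setting and the "real system32 or not" test are standard Windows behaviour and my assumptions about how this family hides, not details the post gives. It goes a little beyond the post by also accepting `SysWOW64` as legitimate on 64-bit Windows and by sweeping every fixed and removable drive in one pass.

```powershell
# Added example (not from the post): the post's manual steps 4, 5 and 6, plus
# blocking autorun.inf, for Windows PowerShell 2.0-5.1 on an elevated prompt.
# The file names are the post's indicators; key paths, value names and the
# lookalike-folder check are assumptions about this family, not post details.

$indicators = @('autorun.inf', 'isetup.exe', 'transmit.exe', 'diffuse.dat')

# --- Step 4: kill svchost.exe instances that do not live in the real system32.
# The only thing separating the rogue copy from the legitimate ones is its path,
# so compare the on-disk directory, never the process name. WMI is used because
# Get-Process cannot read the path of every process on XP. Processes whose path
# cannot be read at all are skipped, not killed.
$legit = @((Join-Path $env:SystemRoot 'system32'),
           (Join-Path $env:SystemRoot 'SysWOW64'))   # SysWOW64 exists only on 64-bit
$rogue = Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" |
    Where-Object { $_.ExecutablePath -and
                   ($legit -notcontains (Split-Path $_.ExecutablePath -Parent)) }
foreach ($p in $rogue) {
    Write-Host ("Killing rogue svchost.exe PID {0} at {1}" -f $p.ProcessId, $p.ExecutablePath)
    Stop-Process -Id $p.ProcessId -Force
}

# --- Step 5: what RRT does, by hand. Remove the policy values that hide Task
# Manager, Registry Editor, Folder Options, Search and Run. Deleting a value
# restores the Windows default; values that are not present are skipped.
$policyRoots = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies')
foreach ($root in $policyRoots) {
    foreach ($n in 'DisableTaskMgr', 'DisableRegistryTools') {
        Remove-ItemProperty -Path "$root\System" -Name $n -ErrorAction SilentlyContinue
    }
    foreach ($n in 'NoFolderOptions', 'NoFind', 'NoRun') {
        Remove-ItemProperty -Path "$root\Explorer" -Name $n -ErrorAction SilentlyContinue
    }
}
# Make hidden and protected operating-system files visible again in Explorer.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord

# --- Step 1's note, enforced: stop autorun.inf on any drive from launching
# anything. 0xFF disables AutoRun for every drive type (Microsoft's documented
# NoDriveTypeAutoRun bitmask), so the next USB stick cannot reinfect the machine.
$explorerPolicy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# --- Step 6: sweep every fixed (DriveType 3) and removable (DriveType 2) drive
# for the indicator files. For each autorun.inf, print its open=/shellexecute=
# line first: that is the file it would have launched, and so one more name to
# hunt for if it is not already on the list. Then delete the matches. -Force is
# needed because the dropped files are usually hidden/system/read-only.
$drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 }
foreach ($d in $drives) {
    $hits = Get-ChildItem -Path ($d.DeviceID + '\') -Recurse -Force -Include $indicators -ErrorAction SilentlyContinue
    foreach ($f in $hits) {
        if ($f.Name -ieq 'autorun.inf') {
            Get-Content -LiteralPath $f.FullName -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' } |
                ForEach-Object { Write-Host ("  {0} would launch: {1}" -f $f.FullName, $_.Trim()) }
        }
        Write-Host ("Removing {0}" -f $f.FullName)
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
```

Two cautions. Killing a real svchost.exe takes several Windows services down with it, which is why the script compares the executable's directory against the real system32 rather than trusting the name, and never touches a process whose path it cannot read. And the order matters for the same reason the post's order does: the process is killed before the registry blocks are removed, otherwise it simply puts them back. Turning off System Restore (step 1) is left to the System Properties dialog the post uses; run the step 6 sweep a second time with every USB stick or player that touched the machine plugged in, since the post's three dropper files ride along on removable media.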