Monday, June 13, 2011

Removing the Windows Recovery Virus on Windows 7

I've been seeing this virus pop up on tons of PCs lately. In the past week alone I've probably fixed it on 10-15 PCs.
Luckily, its payload is pretty easy to get rid of and the damage, while annoying, is reversible.


Open Task Manager.
If Task Manager is disabled:
· Click Start, Run and type Regedit.exe
· Navigate to the following branch:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
· In the right pane, delete the value named DisableTaskMgr
· Close Regedit.exe
Kill every process whose name looks like the virus: <random number>.exe
To unhide all files:
1. Press Windows + R, type "cmd" and click OK.
2. Right click the Command Prompt icon on the taskbar at the bottom, then right click 'Command Prompt' in the jump list and click 'Run as administrator'.
3. In the new administrator Command Prompt enter this command:
   attrib -s -h -r C:\*.* /s /d
4. Press Enter and wait for the command to finish.

Install the latest Malwarebytes Anti-Malware, update its definitions, and run a Full Scan.

Three kinds of items tend to go missing: Desktop icons, Start Menu program icons and pinned Taskbar icons.
They wind up here: C:\Users\[USER]\AppData\Local\Temp\smtmp


Here's the batch file that moves them back, in case it goes missing or gets saved over with the wrong information (replace [USER] with the affected account name):
@echo off
rem Folder 1: All Users Start Menu (C:\ProgramData\Start Menu is a junction to this path on Windows 7)
xcopy "C:\Users\[USER]\AppData\Local\Temp\smtmp\1\*" "C:\ProgramData\Microsoft\Windows\Start Menu\" /s /y
rem Folder 2: Quick Launch (the pinned taskbar items live under User Pinned\TaskBar)
xcopy "C:\Users\[USER]\AppData\Local\Temp\smtmp\2\*" "C:\Users\[USER]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\" /s /y
rem Folder 4: the user's Desktop
xcopy "C:\Users\[USER]\AppData\Local\Temp\smtmp\4\*" "C:\Users\[USER]\Desktop\" /s /y
exit

Here is a description of what was moved (or the manual way to move it back):

Files in folder 1 go back to the All Users Start Menu:
C:\ProgramData\Microsoft\Windows\Start Menu

Files in folders 2 and 4 go back to the taskbar pins (2) and the desktop (4):
Desktop location: C:\Users\[USER]\Desktop
Pinned Taskbar location: C:\Users\[USER]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

Once the scan has completed and the moves above are done, delete the user's temp files: C:\Users\[USER]\AppData\Local\Temp

After the scans have completed, check the following locations and delete these items if they are still present:
%AllUsersProfile%\~<random>
%AllUsersProfile%\~<random>r
%AllUsersProfile%\<random>.dll
%AllUsersProfile%\<random>.exe
%AllUsersProfile%\<random>
%AllUsersProfile%\<random>.exe
%UserProfile%\Desktop\Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\
%UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
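The restore and cleanup steps above gathered into one script, as an added example and not the post's own code. It assumes Windows 7, an elevated PowerShell session running as the affected user, and the smtmp layout described above; the -Delete switch and the review-first listing are my choices.

```powershell
# Added helper, not the post's own script. Assumes Windows 7, an elevated PowerShell
# session running as the affected user, and the smtmp layout the post describes
# (1 = all-users Start Menu, 2 = Quick Launch, 4 = Desktop). Without -Delete it only lists.
param([switch]$Delete)

# 1. Re-enable Task Manager if the DisableTaskMgr policy value is present
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Test-Path $pol) -and (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue)) {
    Remove-ItemProperty -Path $pol -Name DisableTaskMgr
    Write-Host 'Removed DisableTaskMgr policy value'
}

# 2. Copy the hidden shortcuts back from smtmp to the locations the post lists
$smtmp = Join-Path $env:LOCALAPPDATA 'Temp\smtmp'
$map = @{
    '1' = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
    '2' = Join-Path $env:APPDATA     'Microsoft\Internet Explorer\Quick Launch'
    '4' = Join-Path $env:USERPROFILE 'Desktop'
}
foreach ($sub in $map.Keys) {
    $src = Join-Path $smtmp $sub
    if (-not (Test-Path $src)) { Write-Host "smtmp\$sub not found, skipping"; continue }
    # Clear hidden/system/read-only only under smtmp instead of across the whole drive
    & attrib.exe -s -h -r "$src\*" /s /d
    $count = @(Get-ChildItem $src -Recurse -Force | Where-Object { -not $_.PSIsContainer }).Count
    Copy-Item -Path "$src\*" -Destination $map[$sub] -Recurse -Force
    Write-Host "Restored $count file(s) from smtmp\$sub to $($map[$sub])"
}

# 3. Leftovers from the post's list: ~<random> entries and stray .exe/.dll files directly
#    under %AllUsersProfile%, plus the Windows Recovery shortcuts. Extensionless <random>
#    names cannot be matched generically, so review ProgramData by hand as well.
$wrMenu = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Windows Recovery'
$leftovers = @(
    Get-ChildItem $env:ALLUSERSPROFILE -Force | Where-Object {
        $_.Name -like '~*' -or ('.exe', '.dll' -contains $_.Extension) }
    Get-Item (Join-Path $env:USERPROFILE 'Desktop\Windows Recovery.lnk') -ErrorAction SilentlyContinue
    Get-Item $wrMenu -ErrorAction SilentlyContinue
) | Where-Object { $_ }
foreach ($item in $leftovers) {
    if ($Delete) { Remove-Item $item.FullName -Recurse -Force; Write-Host "Deleted $($item.FullName)" }
    else         { Write-Host "Leftover (run with -Delete to remove): $($item.FullName)" }
}
```

Run it once without -Delete after the Malwarebytes scan to review what it found, then again with -Delete.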
