Introduction
I came across a file in the .pif format, which Windows itself describes as a shortcut to an MS-DOS program. Its name was the same as the name of the folder it was in. Since the folder had been sent by a friend via Yandex.Disk (he, like me, has no antivirus installed), I did not suspect anything; more precisely, I did not have time to work out what this file system object actually was before I accidentally launched it. When I realized what I had launched, it was already too late. I packed the folder into a zip archive and sent it to VirusTotal for scanning. Here is the result.
Symptoms caused by the virus
1. Creates its own files in the System32 and Windows folders and in the user's temp folder (%tmp%);
2. Runs those files;
3. Creates its files in the root of every available disk;
4. Blocks editing of the registry;
5. Prevents hidden files and folders from being displayed;
6. Creates executables and rar archives named after the parent folder in every network share of every computer it can find on the network;
7. Continuously spams temp files (with the "tmp" extension) into those same network shares.
This list of symptoms may be incomplete. If you know of more, please add them in the comments.
Removing the virus
Before starting this part of the article, I want to stress that all of the following actions, deleting files and ending processes, are entirely at your own risk. If you are not sure whether a file is suspicious, look its name up in a search engine first, so that you do not accidentally delete a system file such as "ctfmon.exe", "csrss.exe" or "lsass.exe".
Although I already had experience removing this virus (a friend had infected his computer a little earlier), I went to Yandex to see how other people were removing it. As always, the virus turned out to have many names. This is what the best-known antivirus products call it:
- AVG - Generic_r.TT;
- Ad-Aware - Trojan.Dropper.VIO;
- Agnitum - Trojan.MulDrop!4ElCgmJSsOY;
- Avast - Win32:Chydo [Drp];
- Comodo - Worm.Win32.AutoRunAgent.TV2;
- DrWeb - Trojan.MulDrop5.14836;
- ESET-NOD32 - Win32/AutoRun.Agent.TV;
- Kaspersky - Worm.Win32.AutoRun.iea;
- Microsoft - TrojanDropper:Win32/Pykspa.A ...
The remaining names can be seen by following the VirusTotal link given in the first part of the article. Having entered each of these names in turn into Yandex search and not found a description of a proper way to get rid of this virus, I decided to write this article.
Let's get down to business.
First, open Task Manager and look for the virus's files among the processes. Its files have nonsensical names made up of some number of letters of the English alphabet in completely random order, for example "aekswdk.exe", "ufqwfvjecot.exe", "zmbsfvlbtndtaojc.exe" and so on. Standard operating system files are not named this strangely, and it is unlikely that a normal program would create such files. There may be two or more such suspicious processes. They watch over each other: as soon as one is ended, the second immediately starts it again; as soon as the second is ended, the first restarts it with lightning speed, and so on. So my task was to end all of these malicious processes at the same time, so that they could not restart each other, and then delete them normally.

The utility "KillProc" by an unfortunately unknown author helped with this. You can get it here or, if you wish and are able to program, write one yourself. It consists of only two files: an executable and a text file. Each process name is written on its own line of the text file, and when started, the executable ends all of these processes in the order in which they appear in that file. Just in case, I listed each process three times, arranging the names in random order, and ran the utility. Since the utility runs quite quickly, the processes were ended instantly, before they could restart each other.

After that, it would seem that the next step is to clean the startup entries, but it was not that simple. Since registry editing had been disabled on us, we must first re-enable it. To do this, open Start and choose "Run", or press Windows+R, type "gpedit.msc" and press Enter. This opens the Group Policy Editor. There, open User Configuration, Administrative Templates, the "System" item, and in the list of settings find "Make registry editing tools unavailable". Right-click it, choose "Properties", set the radio button to "Disable" and apply the change. Now we can calmly open the registry editor (press Windows+R and type "regedit" without quotes), navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and again look through the list of values for files whose names consist of an unintelligible set of English letters. Suspicious ones are to be removed. Once the startup entries are cleaned, we restore the display of hidden files and folders in the system. To do this, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and find the "Hidden" value in the list. Right-click it, choose "Edit" and set its value to 1.

Next, go to another registry path, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, and find the value "CheckedValue"; set it to 1 as well. After that we can close the registry editor and go to Control Panel, Folder Options, where on the "View" tab we enable the display of hidden files and folders as well as protected system files. Then clean the roots of all disks of the files "autorun.inf" and the .bat files with names like "ralyhtfrfvht.bat", "rcpepdrfvnbpug.bat" and so on (warning: do not accidentally delete "AUTOEXEC.BAT"). You also need to clear the temp folder, which can be opened by typing "%tmp%" in the Run window we already know, and delete from the Windows and System32 folders the files that you removed from startup and whose processes you ended.
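As an added example (not from the original article and not the KillProc utility), the following Python script applies the "random letters" rule used above for the symptoms and the cleanup steps: it screens constructed samples of task-list output, a .reg export of the Run key and a drive-root listing, with an allowlist of the system names the article warns about. The consonant-run threshold, the allowlist and all sample data are assumptions; a hit is a name to look up, not proof of infection.

```python
import re
# Constructed allowlist: legitimate names the article warns not to delete by mistake.
KNOWN_GOOD = {"ctfmon.exe", "csrss.exe", "lsass.exe", "autoexec.bat"}
LETTERS_ONLY = re.compile(r"^([a-z]+)\.(exe|bat)$")

def consonant_run(name: str) -> int:
    """Length of the longest run of consonants; random letter soup produces long runs."""
    longest = run = 0
    for ch in name:
        run = 0 if ch in "aeiou" else run + 1
        longest = max(longest, run)
    return longest

def is_suspicious_name(filename: str, min_run: int = 4) -> bool:
    """Assumed heuristic: letters-only basename, long consonant run, not allowlisted (a lead to check, not proof)."""
    name = filename.lower()
    m = LETTERS_ONLY.match(name)
    return name not in KNOWN_GOOD and m is not None and consonant_run(m.group(1)) >= min_run
def suspicious_processes(tasklist_output: str) -> list[str]:
    """Scan 'tasklist'-style output: the image name is the first column of each line."""
    return [parts[0] for line in tasklist_output.splitlines()
            if (parts := line.split()) and is_suspicious_name(parts[0])]

def suspicious_run_entries(reg_export: str) -> dict[str, str]:
    """Scan a regedit .reg export of the Run key (backslashes are doubled in that format)."""
    found = {}
    for line in reg_export.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m and is_suspicious_name(re.split(r"\\+", m.group(2))[-1]):
            found[m.group(1)] = m.group(2)
    return found
def suspicious_root_files(listing: list[str]) -> list[str]:
    """Drive-root entries to review: autorun.inf plus random-letter .bat files."""
    return [f for f in listing if f.lower() == "autorun.inf" or is_suspicious_name(f)]
# Constructed sample data, modelled on the names quoted in the article.
TASKLIST = """Image Name                     PID Session Name
========================= ======== ============
csrss.exe                      512 Services
ctfmon.exe                    1888 Console
aekswdk.exe                   2204 Console
ufqwfvjecot.exe               2216 Console
explorer.exe                  1640 Console
"""
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"
"zmbsfvlbtndtaojc"="C:\\Windows\\zmbsfvlbtndtaojc.exe"
"""
DRIVE_ROOT = ["autorun.inf", "AUTOEXEC.BAT", "ralyhtfrfvht.bat", "pagefile.sys", "boot.ini"]
```

Running `suspicious_processes(TASKLIST)` on the sample flags only the two random-letter processes, while "explorer.exe" passes without needing an allowlist entry because its consonant runs are short.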