Monday, September 10, 2007

BatamHacker Manual Removal

This virus was rather new; most of my updated antivirus programs don't recognize it.

I noticed that this version of the virus creates a new user named BatamHacker as an admin when my computer was not joined to a domain. It also hides extensions of known file types, hidden files and protected system files by resetting the "show hidden files" and "hide protected system files" options. It links itself to run when a user logs on through the registry (strangely, it doesn't run itself from the startup folder or from a scheduled task).

The removal tricks I used to remove this crap were simple and straightforward. They include killing the virus in memory using Process XP, repairing the registry, a manual search and destroy, and deleting the registry string that runs the virus using Autoruns (or you can do it manually).

  1. First use an alternative process explorer, because the virus will close Task Manager. My favorite is Process XP from Sysinternals. But some viruses recognize the program title or the filename and close it immediately, so I use a modified version of the program (an apology to Sysinternals :p) to prevent the virus from closing it. Kill any process that has a folder as an icon (usually under explorer.exe).
  2. Repair the registry. I have a compiled version of registry repairs from various viruses, including this one. Then check "show hidden files and folders", uncheck "hide protected system files and folders (recommended)", and uncheck "hide extensions for known file types". These options are under Explorer - Tools - Folder Options - View.
  3. Manually search and destroy the virus. In my version the files were at most 4800 KB, and I searched for the most common file types used by a virus (*.exe;*.cmd;*.scr;*.com;*.bat). Sort by size and delete every file that has a folder icon (in my case it was folder.exe).
  4. Then use Sysinternals Autoruns and delete the virus entry (it doesn't have a description or publisher, and its image path field shows "file not found" because I already deleted the file in step 3).

Now restart the computer and run the process explorer again. Check whether there is still a process with a folder icon under explorer.exe.

Crap virus :p
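An added, read-only audit script (not part of the original post) that checks a machine for the indicators described above: the rogue BatamHacker admin account, the three Explorer view options the virus flips, logon Run entries whose image file no longer exists (the Autoruns symptom in step 4), and small folder.exe-style files with the extensions from step 3. It assumes the virus uses the standard HKCU/HKLM Run keys, which the post does not state, and it reports rather than deletes; the folder-icon check from the post still has to be done by eye.

```powershell
# Added audit script, not from the original post. Reports only, deletes nothing.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Rogue local administrator account (account name taken from the post)
$admins = ([ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group").psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
if ($admins -contains 'BatamHacker') { Write-Warning 'Local admin account BatamHacker exists' }

# 2. Explorer folder view options the virus resets (Tools - Folder Options - View)
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ($adv.Hidden -ne 1)          { Write-Warning 'Hidden files are not shown (Hidden != 1)' }
if ($adv.ShowSuperHidden -ne 1) { Write-Warning 'Protected OS files are hidden (ShowSuperHidden != 1)' }
if ($adv.HideFileExt -ne 0)     { Write-Warning 'Known file extensions are hidden (HideFileExt != 0)' }

# 3. Logon autostart entries pointing at a file that no longer exists.
#    Assumption: the standard Run keys; the post only says "registry".
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $raw  = [string]$props.$name
        # Strip surrounding quotes or trailing arguments to isolate the image path
        $path = if ($raw -match '^"([^"]+)"') { $matches[1] } else { ($raw -split ' ')[0] }
        if (-not (Test-Path $path)) { Write-Warning "$key\$name -> '$raw' (image not found)" }
    }
}

# 4. Files named folder.* with the extensions and 4800 KB size cap from step 3
$exts = '*.exe', '*.cmd', '*.scr', '*.com', '*.bat'
Get-ChildItem -Path "$env:SystemDrive\" -Include $exts -Recurse -Force |
    Where-Object { $_.Length -le 4800KB -and $_.BaseName -ieq 'folder' } |
    Sort-Object Length |
    Select-Object FullName, Length, LastWriteTime
```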