The tasksche.exe virus, WannaCrypt 2.0 file (Virus Removal guide)

About tasksche.exe (WannaCrypt 2.0)

The tasksche.exe file is a main executable process of WannaCrypt 2.0 ransomware. In short, this process installs along with all other modules of Wanna Decryptor and rights itself in a registry of your system. This will allow tasksche.exe to start along with Windows every time. Before trying to do anything with your encrypted files, we advise you to remove all files associated with Wanna Decryptor


tasksche.exe virus tasksche.exe

There are three versions of Wanna Decryptor at the moment of this article being published. Each one differst from the other and tasksche.exe files are not the same. Though computers can be infected by several methods, the tasksche.exe file will have the same location:

[installation_folder]\tasksche.exe

After the encryption process is over, this process will right itself in the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]

The process of encryption is quite similar to other ransomware. WannaDecryptor uses same algorithms and changes file extension in order to mark it.Example of encrypted files:

b.wnry
c.wnry
r.wnry
s.wnry
t.wnry
u.wnry

Detailed information on tasksche.exe (Wanna Decryptor):

Original name: diskpart.exe
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
File size: 3.4 MB

Detection rate:

Antivirus Result
Ad-Aware

Trojan.GenericKD.5057860

AegisLab

Uds.Dangerousobject.Multi!c

AhnLab-V3

Trojan/Win32.WannaCryptor.R200571

ALYac

Trojan.Ransom.WannaCryptor

Antiy-AVL

Trojan[Ransom]/Win32.Scatter

Arcabit

Trojan.Generic.D4D2D44

Avast

Win32:WanaCry-A [Trj]

AVG

Ransom_r.CFY

Avira (no cloud)

TR/AD.RansomHeur.aexdn

AVware

Trojan.Win32.Generic!BT

Baidu

Win32.Trojan.WisdomEyes.16070401.9500.9973

BitDefender

Trojan.GenericKD.5057860

Bkav

W32.RansomwareTBE.Trojan

CAT-QuickHeal

Ransom.WannaCrypt.A4

ClamAV

Win.Trojan.Agent-6312832-0

Comodo

UnclassifiedMalware

CrowdStrike Falcon (ML)

malicious_confidence_100% (W)

Cyren

W32/Trojan.AHAZ-1193

DrWeb

Trojan.Encoder.11432

Emsisoft

Trojan.GenericKD.5057860 (B)

ESET-NOD32

Win32/Filecoder.WannaCryptor.D

F-Prot

W32/WannaCrypt.D

F-Secure

Trojan.GenericKD.5057860

Fortinet

W32/WannaCryptor.D!tr

GData

Win32.Trojan-Ransom.WannaCry.A

Ikarus

Trojan-Ransom.WanaCrypt

Jiangmin

Trojan.WanaCry.b

K7AntiVirus

Trojan ( 0050d7171 )

K7GW

Trojan ( 0050d7171 )

Kaspersky

Trojan-Ransom.Win32.Wanna.b

Malwarebytes

Ransom.WanaCrypt0r

McAfee

Ransom-O

McAfee-GW-Edition

BehavesLike.Win32.Backdoor.wc

Microsoft

Ransom:Win32/WannaCrypt

eScan

Trojan.GenericKD.5057860

NANO-Antivirus

Trojan.Win32.Ransom.eoptnj

nProtect

Ransom/W32.Wanna.3514368

Palo Alto Networks (Known Signatures)

generic.ml

Panda

Trj/RansomCrypt.K

Qihoo-360

Win32/Trojan.Multi.daf

Rising

Malware.Heuristic!ET#89% (cloud:vZkqDj6QDKF)

Sophos

Troj/Ransom-EMG

Symantec

Ransom.Wannacry

Tencent

Win32.Trojan.Ransomlocker.Rokl

TrendMicro

Ransom_WANA.A

TrendMicro-HouseCall

Ransom_WANA.A

VIPRE

Trojan.Win32.Generic!BT

ViRobot

Trojan.Win32.S.WannaCry.3514368.N[h]

Webroot

W32.Ransomware.Wcry

ZoneAlarm by Check Point

Trojan-Ransom.Win32.Wanna.b

Files associated with tasksche.exe and Wanna Decryptor:

(Names):
taskdl.exe
taskse.exe
@WanaDecryptor@.exe

Original name: lhdfrgui.exe
MD5: db349b97c37d22f5ea1d1841e3c89eb4
SHA1: e889544aff85ffaf8b0d0da705105dee7c97fe26
SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
File size: 3.6 MB
(https://virustotal.com/en/file/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c/analysis/)

MD5: d724d8cc6420f06e8a48752f0da11c66
SHA1: 3b669778698972c402f7c149fc844d0ddb3a00e8
SHA256: 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
File size: 3.6 MB
(https://virustotal.com/en/file/07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd/analysis/)

MD5: 82fd8635ff349f2f0d8d42c27d18bcb7
SHA1: c91b27f3ab872999a8f0a4ed96909d6f3970cb8b
SHA256: 4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee
File size: 3.4 MB ( 3514368 bytes )
(https://virustotal.com/en/file/4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee/analysis/)

For more detailed information of WannaCrypt we have a separate post. Also, if you want to return your encrypted files, there is a detailed guide inside of this link, follow these steps. There are no guaranties that this will work, but you should try anyway. If you are asking will you return your file if you pay the ransom, then the answer is most likely no. We have some reports from users who paid the ransom and got their file back, but criminals is not the most trustworthy group of people. Before procceding to the recovery guide, perform the removal guide! In other case you may end up in repeated ecnryption.


Step by step instructions how to remove tasksche.exe virus.

STEP 1. Remove tasksche.exe virus from the system

First of all, tasksche.exe is a browser extension, like many others. So, here is the simple way to remove them from the browser and get your homepage and search engine back. You just need to reset your browser settings. To do this automatically and for free, you can use the Reset Browser Settings tool from GridinSoft.

  1. Return to main screen and choose the type of scan.
  2. Trojan Killer Portable
  3. Start the scan and wait untill it`s finished:
  4. Trojan Killer Portable
  5. After the scan is completed, you need to click on “Cure PC!” button to remove tasksche.exe virus:
  6. Trojan Killer Portable
  7. Now your system is free from annoying tasksche.exe browser extension!
  8. GridinSoft Trojan Killer

STEP 2. Remove tasksche.exe virus from your browser

  1. Reset Browser Setting is a tool, included to the complex anti-malware program. So, first of all, you need to download and install GridinSoft Trojan Killer (here or from the product page):
  2. Open the program and click on the Reset browser settings button.
  3. Trojan Killer Portable
  4. Select when options you want to reset and press “Reset
  5. Trojan Killer Portable
  6. Wait untill Trojan Killer sets selected options to the default state. Successful results will be checked with green checkmark.

  7. Trojan Killer Portable

Video guide bellow display how to remove tasksche.exe from your system completaly:

STEP 3. tasksche.exe prevention

  • Avoid advertisements, you shouldn’t click on any ads and pop-ups in your browser, this can lead to the redirection on potentially viral pages!
  • Spam messages from email, attached files in emails can appear to be malicious in most cases. Don’t download or open such attachments they can be infected with adware of malware!
  • Surfing the internet, there are millions of phishing website on the internet. Each one of them can be very dangerous for your computer. Avoid such pages, try only reliable and trusted websites!
  • Pay attention to what you install, there are tons of hijackers and malicious program that are being installed through bundled applications and downloaders. Don’t install any suspicious program and files, always check signer before proceding further!

By following this removal instruction we hope you will deal with tasksche.exe virus once and for all. In case you have any problems or this virus is still inside, leave a comment below or contact our Support Team.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Leave a Reply

Back to top button