Why does nobody bother just putting in a software restriction policy against %temp%? Yeah, okay, it takes you an extra second to disable it if you need to install something legit which unpacks itself in a temp directory, but I'll wager it's much less stressful than running around trying to unscrew/restore/fix a network once it's been knackered by the scummers.