WHAT HAPPENS WHEN MALWARE ENTERS YOUR PC?


Disables your antivirus


The malware sets the DisableAntiSpyware DWORD under HKLM\Software\Policies\Microsoft\Windows Defender in the registry.
Change its value to 0 or just delete that value, and Windows Defender should work again.
If you don't see the DWORD DisableAntiSpyware, right-click on an empty space, select New, and click DWORD (32-bit) Value.
Name the key DisableAntiSpyware.
Double-click the newly created key and set the value from 0 to 1 (1 is the state the malware leaves it in, with Defender disabled).


Creates .bat and .vbs files and adds them to the Startup folder


Hides the original shortcut & installs spyware, adware and miner-like software


Creates a fake shortcut




Adds registry entries



Locations

AppData\StartMenu
AppData\Local\Temp
AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup
Read more about trojans here

Registry Locations

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

MORE LOCATIONS HERE



Cleanup with Malwarebytes Anti-Rootkit


Removal process with Sophos virus removal software in SAFE MODE
Infected shortcuts


Registry entries


(User Account Control) DLL file injected for privilege escalation


Even worse, you can't see some folders & executables


SEE FULL REPORT


