Disable's your Antivirus
HKLM\Software\Policies\Microsoft\Windows Defender in the registry.
Change it's value to 0 or Just delete that value and Windows Defender should work again.
If you don't see DWORD DisableAntiSpyware, right-click on an empty space, select New, and click on DWORD (32-bit) Value.
Name the key DisableAntiSpyware.
Double-click the newly created key, and set the value from 0 to 1.
Creates bat, vbs files adds it to startup folder
Hides original shortcut & installs spying, adware, miner like sofwares
Creates fake shortcut
Adds registry entry's
Locations
AppData\StartMenu
AppData\Local\Temp
AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup
Read more about trogan here
Registry Locations
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCUSoftware\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCUSoftware\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\ RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\ RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\ RunOnce\Setup
MORE LOCATIONS HERE
Registry Locations
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCUSoftware\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCUSoftware\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\ RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\ RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\ RunOnce\Setup
MORE LOCATIONS HERE
Cleanup with Malwarebytes Anti-Rootkit
Removal process with sophos virus removal sofware in SAFE MODE
Infected shortcuts
Reg entry's
(User access control) dll file injected for privilege escalation
Even Worse you can't see some folders & Executables
SEE FULL REPORT
No comments:
Post a Comment