Answer the question
In order to leave comments, you need to log in
Trojan in the office
Good afternoon, I will be brief. A Trojan was seized in the office - first, it flashed a board on the desktop that it wants 100 euros for removing itself from the screen.
I stupidly rebooted the computer in safe mode and removed the muck with the help of cureit. However, instead of documents, there are hundreds and thousands of files with a name like LikfoihpioufpiUGFIOP and do not open anything.
Tried a couple of utilities from DrWeb - does not help.
Who fell for this crap?
What to do?
I am writing chaotically here, at the same time I am making a backup of everything on flash drives.
Answer the question
In order to leave comments, you need to log in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\, most programs are written to these two keys.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NT CurrentVersion\Image File Execution Options\
HKEY_LOCAL_MACHINE\System \CurrentControlSet\Services\VxD\ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SYSTEM\NamesServices\CurrentControlSet2 Catalog_Entries and its branches...
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices\ are loaded as device drivers.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\ when booting any user.
Look closely at these registry keys!
or restrict the rights of users and put patches
or be prepared to meet with him regularly
they brought me a laptop with a similar problem: ransomware + encrypted files on the desktop. which in fact turned out to be not encrypted, but simply corrupted: in the first 12kb of each file there was just random garbage, it cannot be decrypted (in any case, there was no solution). backup helps (if it was done, of course. although practice shows that no one cares about backup until it's too late)
1. regularly updating honestly purchased operating system, drivers, office suite, browsers, flash, Java and other software,
2. regular automatic daily backups, duplication of critical systems and virtualization,
3. as well as separating roles according to their accounts,
4. cutting off rights to everyone who doesn’t need them - it’s really an admin, helpdesk, 1-s accountant with outdated client banks and service providers,
5. cutting off social networks, asec / Skype, file dumps, torrents, free mailers to everyone who doesn’t need them
6. documenting everything and everything, and approving all procedures at the level of company pericase
will save the father-administrator from 99% of problems.
In my company, after rolling out a banal vsus to all workstations, they solved problems with viruses in about a week. support already forgot what cureit is
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question