"Malware Fix: a collection of fixes for computer virus problems, a project to do good for society" "Due to work obligations, I must apologise to every visitor who has come here and found that no new viruses have been added."

Information

http://malwarefighting.blogspot.com


Alert! Crypt0L0cker (Ransomware)
encrypts the data on the computer; it is spreading in Thailand
and spreading heavily in Korea.
ThaiCERT, Crypto Prevention Tool

*Never pay the ransom under any circumstances: you will lose the money and still not get the data back.
Please share this with others who read it.
http://hotzone-it.blogspot.com/2015/07/how-to-remove-crypt0l0cker-not.html
==============================================
PeeTechFix >> JupiterFix
==============================================

How to use: JupiterFix-Win32.PSW.OnlineGames
The list of viruses the program can clean is in VirusList.txt.
-------------------------------------------------------------------------------------
If you downloaded the PeeTechFix tool and ran into problems or could not remove the virus, please report it by email to MalwareHunter.info@gmail.com, and send the virus file along if you can; it would be greatly appreciated.
-------------------------------------------------------------------------------------
Safemode Recovery (.reg): fixes the case where a virus has deleted the SafeBoot key so that Safe Mode cannot be entered
------------------------------------------------------------------------------------
How to fix this error message (fixes .exe files on a USB drive that cannot be opened)
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
See this link for the fix.
-------------------------------------------------------------------------------------
How to fix MSN / Windows Live Messenger disconnecting (caused by the OnlineGames virus)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode


Monday

AVDB-018 update

30/11/2009 New update! (2), 19:40
PeeTechFix-win32/PSW.OnlineGame 2.0.5 AVDB-018
Added new virus signature database
=======================================================
6ruaqx.exe
curqp.exe
lphfa.exe
q93fi6kf.exe
wu1n.exe
ahndoor0.dll (0-9)

AVDB-017 Update

30/11/2009 New update!

PeeTechFix-win32/PSW.OnlineGame 2.0.5 AVDB-017
=============================================
b9w9.exe
q3kku.exe
r8wb.bat
wfx062.exe
forxuan.dll

Friday

How to remove Advanced Virus Remover

Fake AV: Advanced Virus Remover (2009 - 2010)




Files Created
C:\Program Files\AdvancedVirusRemover\PAVRM.exe
C:\Program Files\AdvancedVirusRemover\AVR.exe
C:\Program Files\AdvancedVirusRemover\Viruses.bdt
C:\Program Files\AdvancedVirusRemover\AdvancedVirusRemover.exe

C:\Windows\system32\AVR10.exe
C:\Windows\system32\41.exe
C:\Windows\system32\winupdate86.exe
C:\Windows\system32\winhelper86.dll
C:\Windows\system32\critical_warning.html
C:\s


%UserProfile%\Desktop\Viruses.bdt
%UserProfile%\Desktop\Advanced Virus Remover.lnk
%UserProfile%\Start Menu\Advanced Virus Remover.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\
Quick Launch\AdvancedVirusRemover.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\
Advanced Virus Remover.lnk
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\s1jqw0bz.default\cookies.sqlite

Registry Modifications
Keys Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\AVR

Values Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\
NoChangingWallpaper = 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
NoSetActiveDesktop = 0x00000001
NoActiveDesktopChanges = 0x00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
winupdate86.exe = "C:\Windows\System32\winupdate86.exe"
Advanced Virus Remover = "C:\Program Files\AdvancedVirusRemover\AVR.exe"
AdvancedVirusRemover = "C:\Program Files\AdvancedVirusRemover\AVR.exe"
PAVRM.exe = "C:\Program Files\AdvancedVirusRemover\PAVRM.exe"
PAVRM = "C:\Program Files\AdvancedVirusRemover\PAVRM.exe"
AVR = "C:\Program Files\AdvancedVirusRemover\PAVRM.exe"

HKCU\Software\
8636065b-fef0-4255-b14f-54639f7900a4 =
"8636065b-fef0-4255-b14f-54639f7900a4"

5222009A-DD62-49c7-A735-7BD18ECC7350 =
"5222009A-DD62-49c7-A735-7BD18ECC7350"
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
Wallpaper = "%System%\critical_warning.html"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoSetActiveDesktop = 0x00000001
NoActiveDesktopChanges = 0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
NoChangingWallpaper = 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableTaskMgr = 0x00000001

HKCU\Software\Microsoft\Internet Explorer\Main\
NotifyDownloadComplete = "yes"

HKCU\Software\AVR\
LastVFC = "25"
VirList = "71255354154320429142454491823411617202092515"
LastD = "18"

LastVFC = "25"
VirList = "504115033127181484212398385028451851153126451537"
LastD = "20"
LastScan = "20.11.2009 08:16"

Values deleted
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
Wallpaper = ""

Values modified
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
WallpaperLocalFileTime =

Hosts modified

URLs to be downloaded / data identified
===================================================
How to remove Fake AV: Advanced Virus Remover (2009-2010)
===================================================

1. Run PeeTechFix-Advanced Virus remover 1.0
2. Use HijackThis to fix the following O1 - Hosts lines:

O1 - Hosts: 89.149.210.61 www.google.com
O1 - Hosts: 89.149.210.61 www.google.de
O1 - Hosts: 89.149.210.61 www.google.fr
O1 - Hosts: 89.149.210.61 www.google.co.uk
O1 - Hosts: 89.149.210.61 www.google.com.br
O1 - Hosts: 89.149.210.61 www.google.it
O1 - Hosts: 89.149.210.61 www.google.es
O1 - Hosts: 89.149.210.61 www.google.co.jp
O1 - Hosts: 89.149.210.61 www.google.com.mx
O1 - Hosts: 89.149.210.61 www.google.ca
O1 - Hosts: 89.149.210.61 www.google.com.au
O1 - Hosts: 89.149.210.61 www.google.nl
O1 - Hosts: 89.149.210.61 www.google.co.za
O1 - Hosts: 89.149.210.61 www.google.be
O1 - Hosts: 89.149.210.61 www.google.gr
O1 - Hosts: 89.149.210.61 www.google.at
O1 - Hosts: 89.149.210.61 www.google.se
O1 - Hosts: 89.149.210.61 www.google.ch
O1 - Hosts: 89.149.210.61 www.google.pt
O1 - Hosts: 89.149.210.61 www.google.dk
O1 - Hosts: 89.149.210.61 www.google.fi
O1 - Hosts: 89.149.210.61 www.google.ie
O1 - Hosts: 89.149.210.61 www.google.no
O1 - Hosts: 89.149.210.61 search.yahoo.com
O1 - Hosts: 89.149.210.61 us.search.yahoo.com
O1 - Hosts: 89.149.210.61 uk.search.yahoo.com
-----------------------------------------------------------------------
Or download the Hosts file from mvps.org:
Download: hosts.zip [right-click - Select: Save Target As] [Updated NOV-13-2009]
Extract the archive and run MVPS.bat, or copy the Hosts file to
C:\WINDOWS\system32\drivers\etc
to block the fake-download websites.
Windows Vista users should read more at this link:
Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

I also recommend installing McAfee SiteAdvisor to check a website before visiting it.

How to remove ohdv.exe

ohdv.exe
File size 111,639 bytes
MD5: F013823E247A79183961EC8C1F1197F1
SHA-1: 9F0D1D21FB0BDB332AD45A1AB0A59838782D14D8

hps.bat
File size 111,771 bytes
MD5: A7E25375E1475FE2D6861AF51A2DDD7F
SHA-1: 85B52BB3BBFDA384B2E7E8B38DD664D163221A7E

AhnRpta.exe
File size 69,120 bytes
MD5: 388B8FBC36A8558587AFC90FB23A3B99
SHA-1: ED55AD0A7078651857BD8FC0EEDD8B07F94594CC

29na61fj.exe
File size 112,355 bytes 
MD5: 898295D22DC77AF5DAA0AE42027DF323
SHA-1: BDE26938A7A18D30AC346BF91081935E27B99270

===============================================
Files created
C:\WINDOWS\system32
C:\WINDOWS\AhnRpta.exe
C:\WINDOWS\system32\e8main0.dll (0-9)
C:\Documents and Settings\[UserName]\Local Settings\Temp\xvassdf.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\4tddfwq1.dll(0-9)
X:\ohdv.exe
X:\hps.bat
X:\29na61fj.exe
X:\autorun.inf

Registry Modifications
Keys Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN
HKLM\SOFTWARE\Classes\CLSID\NOD32KVBIT
HKLM\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}
HKLM\SOFTWARE\Classes\CLSID\
{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{BB4C402F-882A-8C08-4526-51278EA437C1}

Values Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo = "nmevdg.u"

HKLM\SOFTWARE\Classes\CLSID\NOD32KVBIT\KVBIT_2 = "555"

HKLM\SOFTWARE\Classes\CLSID\
{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32\
(Default) = "%System%\e8main0.dll"
ThreadingModel = "Apartment"

HKLM\SOFTWARE\Classes\CLSID\
{BB4C402F-882A-8C08-4526-51278EA437C1}\
VcbitExeModuleName = "[file and pathname]"
VcbitDllModuleName = "%System%\e8main0.dll"
VcbitSobjEventName = "CVBASDDOOPADSAMN_0"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
{BB4C402F-882A-4526-8C08-51278EA437C1} = "hook dll rising"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
54dfsger = "%Temp%\xvassdf.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

Remote Host
218.59.144.131 port 80
218.59.144.141 port 80

URLs to be downloaded / data identified
http://123rkm.com/1rb/ar1.rar
http://www.sinax7l.com/1rb/ar.rar
http://ik453g.com/1rb/ar1.txt
http://ik453g.com/1rb/ar2.txt
http://ik453g.com/1rb/ar.rar
http://www.sinax7l.com/1rb/ar1.rar
http://www.sinax7l.com/1rb/ar.rar

=======================================================
How to remove/fix the virus: ohdv.exe
=======================================================

How to remove ngp8l.exe

ngp8l.exe
File size 116,090 bytes
MD5: 5720F1D9A3ECB4A962D9E30E4C195CDE
SHA-1: BDE4A51717CBAA44579966613349162D7D612846
===============================================
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\herss.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\cvasds0.dll(0-9)
X:\i9bwjpqc.exe
X:\ngp8l.exe
X:\vb0hsoay.exe
X:\eexyv.exe
X:\autorun.inf
(X:\ = C:\ - Z:\)

Registry Modifications

Key Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN

Values Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo = "dsdcdsr.a"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

Remote Host
218.59.144.140 port 80
218.59.144.136 port 80

URLs to be downloaded / data identified
http://www.googlem7k.com/1mg/am1.rar
http://www.googlem7k.com/1mg/am.rar
http://www.googlei9p.com/1mg/am1.rar
http://www.googlem7k.com/1mg/am.rar

=======================================================
How to remove/fix the virus: ngp8l.exe, i9bwjpqc.exe, vb0hsoay.exe, eexyv.exe
=======================================================



How to remove j0.exe

j0.exe , uret463.exe
File size 113,645 bytes
MD5: FFEE34D8FA3DA703DE54D878F14C8C25
SHA-1: 9BA58C57AF146352B349CA0494BF57C7E0793184
===============================================
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\uret463.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\lhgjyit0.dll(0-9)
X:\j0.exe
X:\autorun.inf
(X:\ = C:\ - Z:\)

File deleted
C:\WINDOWS\system32\drivers\cdaudio.sys

Memory Modifications
New kernel-mode driver installed
C:\WINDOWS\system32\drivers\cdaudio.sys

Registry Modifications
Keys Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN
HKLM\SYSTEM\ControlSet001\Services\AVPsys
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum

Values Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo = "awsser.u"

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\ControlSet001\Services\AVPsys\
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
dorfgwe = "%Temp%\uret463.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091


Remote Host
218.59.144.131 port 80
218.59.144.135 port 80


URLs to be downloaded / data identified
http://996733.net/1tw/at1.rar >%temp%\at1.exe
http://www.sina6ho.com/1tw/at.rar >%temp%\at.exe

=======================================================
How to remove/fix the virus: j0.exe, uret463.exe
=======================================================



Thursday

AVDB-016 Update

26/11/2009 New update!
PeeTechFix-win32/PSW.OnlineGame 2.0.5 AVDB-016
=============================================
- Updated signatures for new viruses (OnlineGame)
- Added cleaning of the registry entries under Image File Execution Options that the virus uses to intercept files and stop them from running
- Added cleaning of the registry entries under ShellExecuteHooks
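The registry changes these cleaning steps target recur throughout the reports on this page: Explorer forced to hide hidden and protected files, the SHOWALL option neutered, NoDriveTypeAutoRun set to 0x91, Run entries launching from %Temp%, the ShellExecuteHooks entry in the ohdv.exe report, and the Image File Execution Options hijack mentioned here. The script below is an added example, not PeeTechFix code: it parses a constructed regedit export and reports those settings. The sample export, the watch rules and the IFEO image name "scanner-placeholder.exe" are assumptions; on a real export, read the file with encoding="utf-16".

```python
"""Audit a regedit (.reg) export for the stealth and persistence settings the
reports list. Added example, not PeeTechFix code; the sample export is constructed
and 'scanner-placeholder.exe' is a placeholder image name."""
import re
from typing import Dict, List, Optional, Tuple

Value = Tuple[str, object]             # (kind, data): kind is dword / string / raw
RegTree = Dict[str, Dict[str, Value]]  # lower-cased key path -> {value name: Value}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="%Temp%\\herss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"="hook dll rising"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanner-placeholder.exe]
"Debugger"="%Temp%\\xvassdf.exe"

"""

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg(text: str) -> RegTree:
    """Minimal .reg parser: dword: and quoted strings decoded, other data kept raw."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()           # registry paths are case-insensitive
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if data.startswith("dword:"):
            tree[current][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            tree[current][name] = ("string", re.sub(r"\\(.)", r"\1", data[1:-1]))  # un-escape \\ and \"
        else:
            tree[current][name] = ("raw", data)
    return tree

def value(tree: RegTree, key: str, name: str) -> Optional[Value]:
    """Case-insensitive value lookup, as the registry itself is."""
    for n, v in tree.get(key.lower(), {}).items():
        if n.lower() == name.lower():
            return v
    return None

EXPLORER_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
SEH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"
TEMP_RE = re.compile(r"%temp%|\\Local Settings\\Temp\\|\\AppData\\Local\\Temp\\", re.I)

def audit(tree: RegTree) -> List[str]:
    """Return one finding per tampered setting; hook and IFEO entries are listed for review."""
    findings: List[str] = []
    if value(tree, EXPLORER_ADV, "Hidden") == ("dword", 2):
        findings.append("Explorer Hidden=2: hidden files are not shown")
    if value(tree, EXPLORER_ADV, "ShowSuperHidden") == ("dword", 0):
        findings.append("ShowSuperHidden=0: protected operating system files are hidden")
    if value(tree, SHOWALL, "CheckedValue") == ("dword", 0):
        findings.append("SHOWALL CheckedValue=0: the 'Show hidden files' option no longer takes effect")
    autorun = value(tree, POLICIES, "NoDriveTypeAutoRun")
    if autorun and autorun[0] == "dword" and not autorun[1] & 0x04:
        # bit 0x04 = removable drives; 0x91 (the Windows XP default) leaves autorun.inf
        # on a USB stick active, which is what the X:\autorun.inf droppers rely on
        findings.append(f"NoDriveTypeAutoRun=0x{autorun[1]:02X}: autorun still enabled for removable drives (0xFF disables all)")
    for key in RUN_KEYS:
        for name, (kind, data) in tree.get(key.lower(), {}).items():
            if kind == "string" and TEMP_RE.search(str(data)):
                findings.append(f"Run entry '{name}' launches from a temp directory: {data}")
    for name, (_, data) in tree.get(SEH.lower(), {}).items():
        findings.append(f"ShellExecuteHooks entry to review: {name} = {data!r}")
    for key in tree:
        dbg = value(tree, key, "Debugger") if key.startswith(IFEO.lower()) else None
        if dbg:
            image = key.rsplit("\\", 1)[-1]
            findings.append(f"IFEO Debugger hijack on {image}: {dbg[1]}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("-", finding)
```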
= Virus name =
hps.bat
i9bwjpqc.exe
ngp8l.exe
ohdv.exe
qv9qc9f.exe
1048101621.exe


Saturday

How to remove gvljsysguard.exe

gvljsysguard.exe (Trojan.Win32.FraudPack.zcq, detected by Kaspersky Lab)
File size 261,120 bytes
MD5: 6C3FBB123876E29DA7F47DDA34239B41
SHA-1: 5DA1537714A019B34BF5BE6924C35A227F6223E5
=================================================
File created
%ProgramFiles%\sytnko\gvljsysguard.exe


Registry Modifications
Keys Added:
HKLM\SOFTWARE\AvScan
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
HKLM\Software\Microsoft\Windows Script
HKLM\Software\Microsoft\Windows Script\Settings


Values Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
system tool = "%ProgramFiles%\sytnko\gvljsysguard.exe"


HKLM\SOFTWARE\AvScan\knkd = 0x00000001
HKCU\Software\Microsoft\Internet Explorer\Download\
RunInvalidSignatures = 0x00000001


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
LowRiskFileTypes = ".exe"


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
SaveZoneInformation = 0x00000001


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
system tool = "%ProgramFiles%\sytnko\gvljsysguard.exe"


HKCU\Software\Microsoft\Windows Script\Settings
JITDebug = 0x00000001


Value deleted
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs = ""


Value modified
HKCU\Software\Microsoft\Internet Explorer\Download\
CheckExeSignatures =


Remote Host
91.212.127.226 port 80


Data identified
http://91.212.127.226/check
http://winguard-2009.com/loads2.php?r=59.5


Hosts modified
127.0.0.1 localhost
::1 localhost
91.212.127.226 winguard2009.microsoft.com
91.212.127.226 winguard-2009.com
91.212.127.226 www.winguard-2009.com


=======================================================
How to remove/fix the virus: gvljsysguard.exe
=======================================================


Download Fix Tool : PeeTechFix-Win32.FraudPack.zcq 1.0
HijackThis


1. Run PeeTechFix-Win32.FraudPack.zcq 1.0
2. Use HijackThis and fix the checked lines as follows:


O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winguard2009.microsoft.com
O1 - Hosts: 91.212.127.226 winguard-2009.com
O1 - Hosts: 91.212.127.226 www.winguard-2009.com
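The two hosts fixes on this page (the O1 - Hosts lines for the Advanced Virus Remover fake AV and for gvljsysguard.exe) undo the same thing: search-engine and update domains pointed at an attacker address instead of loopback. The script below is an added example, not code from PeeTechFix or the post; it parses a hosts file, reports every routable mapping and flags those for a watched domain in HijackThis O1 form, and produces a cleaned copy. The watch-list and the sample hosts content are constructed assumptions.

```python
"""Hosts-file hijack audit (added example; not code from PeeTechFix or the post).

A hosts entry whose address is neither loopback nor 0.0.0.0 is 'routable'; a
routable entry for a watched domain is the hijack pattern the fix steps remove.
The watch-list and the sample hosts content are constructed for this example.
"""
import ipaddress
from typing import List, Tuple

# Domains a client hosts file has no legitimate reason to send to a routable
# address (assumption: our own list; extend it for your environment).
WATCHED_SUFFIXES = (
    "google.com", "google.de", "google.co.uk", "search.yahoo.com",
    "microsoft.com", "windowsupdate.com",
)

# Constructed hosts content mirroring the entries the two reports list.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
89.149.210.61   www.google.com
89.149.210.61   www.google.de
89.149.210.61   search.yahoo.com    # redirected search engine
91.212.127.226  winguard2009.microsoft.com
91.212.127.226  winguard-2009.com
0.0.0.0         ad.doubleclick.net
127.0.0.1       www.winguard-2009.com
"""

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """One (line, ip, host) per hostname; comments and blank lines are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()          # one address may carry several names
        entries.extend((lineno, ip, name.lower()) for name in names)
    return entries


def is_sinkhole(ip: str) -> bool:
    """Loopback or 0.0.0.0 is how blocking hosts files such as the MVPS list
    neutralise a domain; any other address sends traffic to a real host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                       # malformed address: treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def routable_entries(text: str) -> List[Entry]:
    """Every mapping that sends a name to a real address (all worth a look)."""
    return [e for e in parse_hosts(text) if not is_sinkhole(e[1])]


def find_hijacks(text: str) -> List[Entry]:
    """Routable mappings of watched domains: the pattern in both reports."""
    return [e for e in routable_entries(text) if is_watched(e[2])]


def hijackthis_lines(text: str) -> List[str]:
    """Render hijacks in HijackThis 'O1 - Hosts:' form for comparison with the fix list."""
    return [f"O1 - Hosts: {ip} {host}" for _, ip, host in find_hijacks(text)]


def clean_hosts(text: str) -> str:
    """Hosts text with hijacked lines dropped (a whole line goes if any name on it
    is hijacked); every other line is left exactly as it was."""
    bad = {lineno for lineno, _, _ in find_hijacks(text)}
    kept = [line for i, line in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line in hijackthis_lines(SAMPLE_HOSTS):
        print(line)
    print(f"{len(routable_entries(SAMPLE_HOSTS))} routable entries to review")
```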

How to remove ld08.exe

ld08.exe (Net-Worm.Win32.Koobface.he, detected by Kaspersky Lab)
File size 36,864 bytes
MD5: 7301917268A05DCB0D3D4BB159950B15
SHA-1: BE635003AE29D94B554BA39DEBF2C2534CE9CC93
===============================================
File created

C:\WINDOWS\system32\ld08.exe

Registry Modifications
Keys deleted
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default

Value Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
sysldtray = "%Windir%\ld08.exe"


Values deleted
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default\
(Default) = "%SystemRoot%\media\Windows XP Start.wav"
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current\
(Default) = "%SystemRoot%\media\Windows XP Start.wav"
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\
(Default) = ""

Remote Hosts
216.240.187.103 port 80
74.125.95.105 port 80

Data identified
http://lastshanse26032009.com/achcheck.php
http://www.google.com/

=======================================================
How to remove/fix the virus: ld08.exe
=======================================================



How to remove uxnrt.exe

uxnrt.exe , cyban.exe
File size 185,556 bytes
MD5: 4CE43F3CABFD32CAE672A120E1B6286D
SHA-1: CC7B82A0EC60591B4F18DBC8C1BCBCB2E3DFB7C7
================================================
Files Created
C:\WINDOWS\system32\cyban.exe
C:\WINDOWS\system32\cyban0.dll (0-9)
C:\WINDOWS\system32\ieban0.dll (0-9)
X:\uxnrt.exe
X:\autorun.inf
(X:\ = C:\ - Z:\)

Registry Modifications

Keys Added
HKLM\SOFTWARE\Classes\CLSID\MNDOWN
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\Programmable
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}

Values Added
HKLM\SOFTWARE\Classes\CLSID\MNDOWN\urlinfo = "maver1.0"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID\
(Default) = "IEHlprObj.IEHlprObj"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32\
(Default) = "%System%\ieban0.dll"
ThreadingModel = "Apartment"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib\
(Default) = "{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}"
Version = "1.0"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IIEHlprObj"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32\
(Default) = "%System%\ieban0.dll"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR\
(Default) = "%System%\"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS\
(Default) = "0"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\
(Default) = "IEHelper 1.0 Type Library"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\
(Default) = "{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\
(Default) = "IEHlprObj Class"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cybansos = "%System%\cyban.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

Remote Host
218.59.144.138 port 80

URL to be downloaded/data identified
http://dfsd6.com/1hg/ah1.rar
http://dfsd6.com/1hg/ah.rar


=======================================================
How to remove/fix the virus: uxnrt.exe, cyban.exe
=======================================================


Thursday

How to remove xmnm2.cmd

xmnm2.cmd , amvo.exe
File size 114,611 bytes
MD5: 2AF89CD07ED12C9CE68AAB3B05382970
SHA-1: 8940C4408FC39B242518C2B656ECCDD9BDFA59DB
===============================================
Files created
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\yv.dll
X:\xmnm2.cmd
X:\autorun.inf
(X:\ = C:\ - Z:\)

Registry Modifications

Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
amva = "%System%\amvo.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded/data identified
http://www.gdgft76.com/fm4/help.rar %Temp%\help.rar

=======================================================
How to remove/fix the virus: xmnm2.cmd, amvo.exe
=======================================================


How to remove yh.cmd

yh.cmd , olhrwef.exe
File size 111,734 bytes
MD5: 06DC0B836AE7279F0823DF6105B61E2C
SHA-1: D7EA3D8208BDF962EFE8546CDD4737FDE74DFE14
==============================================
Files created
C:\WINDOWS\system32\olhrwef.exe
C:\WINDOWS\system32\nmdfgds0.dll (0-9)
X:\yh.cmd
X:\autorun.inf
(X:\ = C:\ - Z:\)

Registry Modifications
Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%System%\olhrwef.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded/data identified
http://qwdghu.com/xmfx/help1.rar > %Temp%\help1.rar >help1.exe

=======================================================
How to remove/fix the virus: yh.cmd, olhrwef.exe
=======================================================


Wednesday

How to remove 9g86.exe

9g86.exe , herss.exe
File size 114,987 bytes
MD5: 9EF56415BA48A3EC8569B97AFEEA1536
SHA-1: B3E18DD8611C0846E58877E4CCD9D847A87ED3C4
===============================================
Files created
c:\9g86.exe
c:\autorun.inf
C:\Documents and Settings\[UserName]\Local Settings\Temp\herss.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\cvasds0.dll(0-9)
X:\9g86.exe
X:\autorun.inf
(X:\ = C:\ - Z:\)

Registry Modifications
Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded/data identified
http://www.yahoo803.com/1mg/am1.rar >%Temp%\am1.rar >am1.exe
=======================================================
How to remove/fix the virus: 9g86.exe, herss.exe
=======================================================


Tuesday

AVDB-015 Update

17/11/2009 New update!
PeeTechFix-win32/PSW.OnlineGame 2.0.5 AVDB-015
=============================================
opdux.exe
xmnm2.cmd
9g86.exe
=============
.dll
=============
yv.dll

How to remove 8dtyjjf.exe

8dtyjjf.exe
File size 109,631 bytes
MD5: 06E6BBA8C843B3738BD5CB603D4AB1C0
SHA-1: 42FF1B2CFC5667647319E87AE7B37D60D2D76E37
===============================================
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\nmdfgds0.dll (0-9)
C:\Documents and Settings\[UserName]\Local Settings\Temp\olhrwef.exe
X:\8dtyjjf.exe
X:\autorun.inf
(X:\ = C:\ - Z:\)

File deleted
C:\WINDOWS\system32\drivers\cdaudio.sys

Registry Modifications
Keys Added
HKLM\SYSTEM\ControlSet001\Services\AVPsys
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum

Values Added
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\ControlSet001\Services\AVPsys\
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\olhrwef.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded/data identified
http://sdsdkj.net/1mg/am1.rar > %Temp%\am1.rar >am1.exe

=======================================================
How to remove/fix the virus: 8dtyjjf.exe
=======================================================



How to remove i3nd.exe

i3nd.exe , cyban.exe
File size 178,554 bytes
MD5: 83A6C8A865B9871CE0ECC779FB02C385
SHA-1: DB3420048276785B9328A0263DBDE1D9DDA64A3C
=================================================
Files Created
C:\WINDOWS\system32\cyban.exe
C:\WINDOWS\system32\cyban0.dll (0-9)
C:\WINDOWS\system32\ieban0.dll (0-9)
X:\i3nd.exe
X:\autorun.inf
(X:\ = C:\ - Z:\)

Registry Modifications
Keys Added
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\Programmable
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}

Values Added
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID\
(Default) = "IEHlprObj.IEHlprObj"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32\
(Default) = "%System%\ieban0.dll"
ThreadingModel = "Apartment"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib\
(Default) = "{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}"
Version = "1.0"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid\
(Default) = "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IIEHlprObj"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32\
(Default) = "%System%\ieban0.dll"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR\
(Default) = "%System%\"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS\
(Default) = "0"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\
(Default) = "IEHelper 1.0 Type Library"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\
(Default) = "{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\
(Default) = "IEHlprObj Class"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cybansos = "%System%\cyban.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded/data identified
http://dfsd6.com/1hg/ah1.rar > %Temp%\ah1.rar > ah1.exe
=======================================================
How to remove/fix virus: i3nd.exe , cyban.exe
=======================================================

How to remove opdux.exe

opdux.exe , herss.exe
File size 116,017 bytes
MD5: FB023F287D2EE2207F466DBF8BA5145E
SHA-1: 2E174AFB45C7A07F7B57B44FC6CF296758A81B42
==================================================
a-squared 4.5.0.41 2009.11.15 Packed.Win32.Krap!IK
AhnLab-V3 5.0.0.2 2009.11.13 -
AntiVir 7.9.1.65 2009.11.13 TR/Crypt.XPACK.Gen
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.14 -
Avast 4.8.1351.0 2009.11.14 -
AVG 8.5.0.425 2009.11.14 -
BitDefender 7.2 2009.11.15 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.15 -
Comodo 2957 2009.11.15 -
DrWeb 5.0.0.12182 2009.11.15 -
eSafe 7.0.17.0 2009.11.12 Suspicious File
eTrust-Vet 35.1.7121 2009.11.14 -
F-Prot 4.5.1.85 2009.11.14 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.15 -
GData 19 2009.11.15 -
Ikarus T3.1.1.74.0 2009.11.15 Packed.Win32.Krap
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 -
Kaspersky 7.0.0.125 2009.11.15 -
McAfee 5802 2009.11.14 -
McAfee+Artemis 5802 2009.11.14 Artemis!FB023F287D2E
McAfee-GW-Edition 6.8.5 2009.11.14 Heuristic.LooksLike.Win32.SuspiciousPE.B
Microsoft 1.5202 2009.11.14 -
NOD32 4608 2009.11.14 -
Norman 6.03.02 2009.11.15 OnLineGames.KGCC
nProtect 2009.1.8.0 2009.11.15 -
Panda 10.0.2.2 2009.11.15 Suspicious file
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.15 High Risk Cloaked Malware
Rising 22.21.06.05 2009.11.15 -
Sophos 4.47.0 2009.11.15 Mal/Taterf-A
Sunbelt 3.2.1858.2 2009.11.12 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.11.15 -
TheHacker 6.5.0.2.070 2009.11.14 -
TrendMicro 9.0.0.1003 2009.11.15 -
VBA32 3.12.10.11 2009.11.15 Trojan-PSW.Win32.OnlineGames.3
ViRobot 2009.11.14.2037 2009.11.14 -
VirusBuster 4.6.5.0 2009.11.14 -
------------------------------------------------------------------------
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\herss.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\cvasds0.dll (0-9)
X:\opdux.exe
X:\autorun.inf

Registry Modifications

Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded/data identified
http://www.yahoofv0.com/1mg/am1.rar > %Temp%\am1.rar >am1.exe

=======================================================
How to remove/fix virus: opdux.exe , herss.exe
=======================================================



How to remove pbudsara.exe

pbudsara.exe , herss.exe , vlvtdflx.exe
File size 113,817 bytes
MD5: 373CCBA241EBCFB811769AF921EC5F0A
SHA-1: 9CA53569553BC8835CF121460E074991D3B4B190
=====================================================
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\herss.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\cvasds0.dll (0-9)
X:\pbudsara.exe
X:\vlvtdflx.exe
X:\autorun.inf
(X:\ = C:\ - Z:\)

Registry Modifications (Update 17/11/2009)
Key Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN

Value Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo = "dsa2whj.j"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

Remote Host
218.59.144.136 port 80
218.59.144.137 port 80

URL to be downloaded/data identified
http://www.yahooxd9.com/1mg/am.rar
http://www.yahoogf2.com/1mg/am1.rar

=======================================================
How to remove/fix virus: pbudsara.exe , herss.exe
=======================================================


How to remove l61yyp.exe

l61yyp.exe ,herss.exe
File size 114,311 bytes
MD5: 0CED4D5F9D073ED733ED1F76A955CED0
SHA-1: 1E6D31A0640B5235EE9AF142E71F5BC9767737F3
==================================================
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\herss.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\cvasds0.dll (0-9)
X:\l61yyp.exe
X:\autorun.inf
(X:\ = C:\ - Z:\)

Registry Modifications
Value Added

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded/data identified
http://www.yahooxd9.com/1mg/am1.rar > %Temp%\am1.rar >am1.exe

=======================================================
How to remove/fix virus: l61yyp.exe , herss.exe
=======================================================



How to remove d1vmq.exe

d1vmq.exe , urretnd.exe
File size 108,840 bytes
MD5: AF5E5D4AF3655E16AF64D77188F275EA
SHA-1: BC0710CE807B3DFB2D166B94987AD60FD9B0B0AF
==================================================
Files Created
C:\Documents and Settings\[UserName]\Local Settings\Temp\ker1.tmp
C:\WINDOWS\system32\urretnd.exe
C:\WINDOWS\system32\optyhww0.dll (0-9)
X:\autorun.inf
X:\d1vmq.exe
(X:\ = C:\ - Z:\)

Registry Modifications
Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cbvcs = "%System%\urretnd.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded/data identified
http://vfgtyp.com/fm4/help.rar > %Temp%\help.rar >help.exe

=======================================================
How to remove/fix virus: d1vmq.exe , urretnd.exe
=======================================================



AVDB-014 Update

17/11/2009
PeeTechFix-win32/PSW.OnlineGame 2.0.5 AVDB-014
=============================================
063h1.exe
2pm8.bat
2tq.exe
2w2.com
81j.bat
arquivo1.exe
arquivo2.exe
g12g.exe
jdwwl.exe
kl.exe
l61yyp.exe
pbudsara.exe
q8ot.com
vk0w.exe

=============
.dll
=============
kb61604621.dll

=============
.inf
=============
t9hdtMrwMeQcvYV3CMvhtNZpC.inf
hv29afbje3zxaak.inf
jmq7bper4xa8ev5ftcb.inf
nwsdwj9kszcnsatktnsuwv8p7vu.inf
pecfwpj48y6dadf87r.inf
ces5wqx3apqmpmmbyzuxpyh.inf
zuzgu8wwpyntt6nfuwt.inf

Monday

How to remove vk0w.exe

vk0w.exe ,herss.exe
File size 114,778 bytes
MD5: 0FC4144A2BC7728EFBEC83FFB8FDAE70
SHA-1: A9510BA1DE23E6B8B32208A13FD24412E000178C
==================================================
a-squared 4.5.0.41 2009.11.15 Worm.Win32.Taterf!IK
AhnLab-V3 5.0.0.2 2009.11.13 Win32/Autorun.worm.114778
AntiVir 7.9.1.65 2009.11.13 TR/Crypt.ZPACK.Gen
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.14 W32/Magania.UP
Avast 4.8.1351.0 2009.11.14 Win32:Soolo
AVG 8.5.0.425 2009.11.14 PSW.OnlineGames3.UPP
BitDefender 7.2 2009.11.15 -
CAT-QuickHeal 10.00 2009.11.13 TrojanGameThief.Magania.cmjp
ClamAV 0.94.1 2009.11.15 -
Comodo 2957 2009.11.15 -
DrWeb 5.0.0.12182 2009.11.15 Trojan.PWS.Wsgame.12661
eSafe 7.0.17.0 2009.11.12 Suspicious File
eTrust-Vet 35.1.7121 2009.11.14 -
F-Prot 4.5.1.85 2009.11.14 W32/Magania.UP
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.15 W32/LdPinch.WPO!tr
GData 19 2009.11.15 Win32:Soolo
Ikarus T3.1.1.74.0 2009.11.15 Worm.Win32.Taterf
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.11.15 Trojan-GameThief.Win32.Magania.cmjp
McAfee 5802 2009.11.14 PWS-Gamania.gen.p
McAfee+Artemis 5802 2009.11.14 PWS-Gamania.gen.p
McAfee-GW-Edition 6.8.5 2009.11.14 Heuristic.LooksLike.Win32.SuspiciousPE.B
Microsoft 1.5202 2009.11.14 Worm:Win32/Taterf.B
NOD32 4608 2009.11.14 Win32/PSW.OnLineGames.NNU
Norman 6.03.02 2009.11.15 OnLineGames.KGCC
nProtect 2009.1.8.0 2009.11.15 Trojan-PWS/W32.WebGame.114778
Panda 10.0.2.2 2009.11.15 Generic Malware
PCTools 7.0.3.5 2009.11.13 Malware.Gammima
Prevx 3.0 2009.11.15 High Risk Cloaked Malware
Rising 22.21.06.05 2009.11.15 Trojan.Win32.Generic.51F0DE72
Sophos 4.47.0 2009.11.15 Mal/Taterf-A
Sunbelt 3.2.1858.2 2009.11.12 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.11.15 W32.Gammima
TheHacker 6.5.0.2.070 2009.11.14 -
TrendMicro 9.0.0.1003 2009.11.15 WORM_GAMETHI.DDE
VBA32 3.12.10.11 2009.11.15 Trojan-PSW.Win32.OnlineGames.3
ViRobot 2009.11.14.2037 2009.11.14 -
VirusBuster 4.6.5.0 2009.11.14 Trojan.PWS.Magania.XUN
---------------------------------------------------------------------
C:\Documents and Settings\[UserName]\Local Settings\Temp\herss.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\cvasds0.dll (0-9)
X:\vk0w.exe
X:\autorun.inf
(X:\ = C:\ - Z:\)

Registry Modifications
Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded
http://www.yahooxd9.com/1mg/am1.rar > %Temp%\am1.rar

=======================================================
How to remove/fix virus: vk0w.exe , herss.exe
=======================================================



How to remove jdwwl.exe

I don't have much information on this virus.
Someone emailed me asking for a fix for WORM_TATERF.CX.
I'm not sure whether it is the same one the sender meant, because each vendor names them differently.
I only got the information from Trend Micro, but it is definitely in the PSW.OnlineGame family.
=======================================================
jdwwl.exe (WORM_TATERF.CX : detected by Trend Micro)
==============================================================
%System Root%\jdwwl.exe
%System%\4tddfwq0.dll
%System%\dllcache\cdaudio.sys
%System%\xvassdf.exe

Value Added
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
54dfsger = "%System%\xvassdf.exe"

URL to be downloaded
http://{BLOCKED}.com/xrbv/uu1.rar

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

Reference / Credit: Trend Micro
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_TATERF.CX&VSect=Sn
=======================================================
How to remove/fix virus: jdwwl.exe , xvassdf.exe
=======================================================
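Every report in this section lists the same four Explorer values under "Values modified" and a Run entry under "Value Added". Rather than checking them by eye, a defender can verify them from a `reg export` of an affected machine. The script below is an added example (my code, not the blog's PeeTechFix tool): it parses a constructed .reg export, flags the SHOWALL\CheckedValue trick, reports when NoDriveTypeAutoRun still permits AutoRun on removable or fixed drives, flags Run entries that use the value names from the reports above (cdoosoft, cybansos, cbvcs, 54dfsger) or start from a temp directory, and writes a .reg fragment that restores the defaults and deletes the flagged Run values. The sample export, the severity labels and the helper names are assumptions; the key paths and value names come from the reports.

```python
"""Check a Windows registry export (.reg text) for the Explorer and Run-key
changes listed in the OnlineGames/Taterf reports.  Added example, not the
blog's PeeTechFix tool.  SAMPLE_REG is constructed for the demo; the key
paths and Run value names are the ones the reports name."""
import re

# Constructed sample in the format `reg export` writes (backslashes escaped).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="%Temp%\\herss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is suppressed:
# 0x04 = removable, 0x08 = fixed, 0xFF = every type.  0x91 is the stock XP value.
DRIVE_REMOVABLE, DRIVE_FIXED = 0x04, 0x08
# Run value names the reports above attribute to this family.
KNOWN_RUN_NAMES = {"cdoosoft", "cybansos", "cbvcs", "54dfsger"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"(.+?)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}: dword -> int, string -> unescaped
    str; other types (hex:, binary) are kept as their raw text."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, raw = m.group(1) or "(Default)", m.group(2)
            if raw.startswith("dword:"):
                data = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
            else:
                data = raw
            reg[current][name] = data
    return reg


def get_key(reg, key):
    """Registry paths are case-insensitive, so match keys that way."""
    for path, values in reg.items():
        if path.lower() == key.lower():
            return values
    return {}


def lookup(reg, key, name):
    return get_key(reg, key).get(name)


def check_explorer(reg):
    """Findings as (severity, message) for the Explorer values the reports list."""
    findings = []
    cv = lookup(reg, SHOWALL, "CheckedValue")
    if cv is not None and cv != 1:
        # With CheckedValue=0, choosing "Show hidden files" writes Hidden=0 rather
        # than 1, so the dropped files stay invisible; this is the trick to look for.
        findings.append(("high", "SHOWALL\\CheckedValue=%d (expected 1)" % cv))
    if lookup(reg, ADVANCED, "ShowSuperHidden") == 0:
        findings.append(("info", "ShowSuperHidden=0: protected OS files hidden (Windows default)"))
    ndta = lookup(reg, POLICIES, "NoDriveTypeAutoRun")
    if ndta is None:
        ndta = 0x91  # stock value when no policy is set
    if not (ndta & DRIVE_REMOVABLE) or not (ndta & DRIVE_FIXED):
        findings.append(("medium", "NoDriveTypeAutoRun=0x%02X: AutoRun still allowed on removable/fixed drives" % ndta))
    return findings


def check_run(reg):
    """Flag Run entries using the reports' value names or a temp-directory path."""
    findings = []
    for name, cmd in get_key(reg, RUN).items():
        if not isinstance(cmd, str):
            continue
        if name.lower() in KNOWN_RUN_NAMES:
            findings.append(("high", "Run\\%s = %s: value name from the OnlineGames reports" % (name, cmd)))
        elif "%temp%" in cmd.lower() or "\\local settings\\temp\\" in cmd.lower():
            findings.append(("medium", "Run\\%s = %s: autostart from a temp directory" % (name, cmd)))
    return findings


def remediation_reg(run_names):
    """A .reg fragment restoring CheckedValue=1, disabling AutoRun on all drive
    types and deleting the given Run values ("name"=- deletes a value)."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[%s]" % SHOWALL, '"CheckedValue"=dword:00000001', "",
             "[%s]" % POLICIES, '"NoDriveTypeAutoRun"=dword:000000ff', "",
             "[%s]" % RUN] + ['"%s"=-' % n for n in run_names]
    return "\r\n".join(lines) + "\r\n"


def scan(text):
    reg = parse_reg_export(text)
    return check_explorer(reg) + check_run(reg)


if __name__ == "__main__":
    for sev, msg in scan(SAMPLE_REG):
        print("[%s] %s" % (sev.upper(), msg))
    print(remediation_reg(["cdoosoft"]))
```

Run it against a real export with `scan(open("export.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default. Deleting the Run value only stops the autostart, so the dropped files in %Temp% and %System% and the autorun.inf plus .exe pair on every drive root still have to be removed, as the reports describe.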



*Apologies for any mistakes.
