"Malware Fix: a collection of fixes for computer virus problems, a project to do good for society" "Because of work commitments I must apologise to all visitors who come here and find no updates for new viruses."

Information

http://malwarefighting.blogspot.com


Alert! Crypt0L0cker (ransomware)
encrypts the data on the computer; it is spreading in Thailand
and spreading heavily in Korea.
ThaiCERT , Crypto Prevention Tool

*Never pay: you will lose the money and still not get the data back.
Please share this with anyone who reads it.
http://hotzone-it.blogspot.com/2015/07/how-to-remove-crypt0l0cker-not.html
==============================================
PeeTechFix >> JupiterFix
==============================================

How to use : JupiterFix-Win32.PSW.OnlineGames
You can check the list of viruses the program can clean in VirusList.txt
-------------------------------------------------------------------------------------
If you have downloaded the PeeTechFix tool and run into a problem, or it cannot remove something, please report it by email to MalwareHunter.info@gmail.com, or send the virus file; I would be very grateful.
-------------------------------------------------------------------------------------
Safemode Recovery (.reg): fixes the case where a virus has deleted the SafeBoot key so Safe Mode can no longer be started
------------------------------------------------------------------------------------
Fix for the error message (cannot run .exe files from a USB drive)
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
See this link for the fix
-------------------------------------------------------------------------------------
Fix for MSN / Windows Live Messenger disconnecting (caused by the OnlineGames virus)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode


Wednesday

Fake : GreatDefender

-----------------------------------------------------------------------
Fake Alert : GreatDefender

Scan results, 2009.12.30 (engine, engine version, signature date, detection name; "-" = not detected). Only McAfee and Norman flagged the sample at the time.
a-squared 4.5.0.43 2009.12.30 -
AhnLab-V3 5.0.0.2 2009.12.29 -
AntiVir 7.9.1.122 2009.12.30 -
Antiy-AVL 2.0.3.7 2009.12.30 -
Authentium 5.2.0.5 2009.12.30 -
Avast 4.8.1351.0 2009.12.30 -
AVG 8.5.0.430 2009.12.30 -
BitDefender 7.2 2009.12.30 -
CAT-QuickHeal 10.00 2009.12.30 -
ClamAV 0.94.1 2009.12.30 -
Comodo 3414 2009.12.30 -
DrWeb 5.0.1.12222 2009.12.30 -
eSafe 7.0.17.0 2009.12.29 -
eTrust-Vet 35.1.7206 2009.12.30 -
F-Prot 4.5.1.85 2009.12.30 -
F-Secure 9.0.15370.0 2009.12.30 -
Fortinet 4.0.14.0 2009.12.30 -
GData 19 2009.12.30 -
Ikarus T3.1.1.79.0 2009.12.30 -
Jiangmin 13.0.900 2009.12.30 -
K7AntiVirus 7.10.932 2009.12.28 -
Kaspersky 7.0.0.125 2009.12.30 -
McAfee 5846 2009.12.29 FakeAlert-JM
McAfee+Artemis 5846 2009.12.29 FakeAlert-JM
McAfee-GW-Edition 6.8.5 2009.12.30 -
Microsoft 1.5302 2009.12.30 -
NOD32 4728 2009.12.30 -
Norman 6.04.03 2009.12.30 W32/FakeAV.JFW
nProtect 2009.1.8.0 2009.12.30 -
Panda 10.0.2.2 2009.12.30 -
PCTools 7.0.3.5 2009.12.30 -
Prevx 3.0 2009.12.30 -
Rising 22.28.02.04 2009.12.30 -
Sophos 4.49.0 2009.12.30 -
Sunbelt 3.2.1858.2 2009.12.30 -
Symantec 1.4.4.12 2009.12.30 -
TheHacker 6.5.0.3.121 2009.12.30 -
TrendMicro 9.120.0.1004 2009.12.30 -
VBA32 3.12.12.1 2009.12.30 -
ViRobot 2009.12.30.2116 2009.12.30 -
VirusBuster 5.0.21.0 2009.12.29 -
==================================================
Files Created
%CommonDesktopDir%\GreatDefender.lnk
%CommonPrograms%\GreatDefender\1 GreatDefender.lnk
%CommonPrograms%\GreatDefender\2 Homepage.lnk
%CommonPrograms%\GreatDefender\3 Uninstall.lnk
%Temp%\nsa3.tmp\nsProcess.dll
%ProgramFiles%\GreatDefender Software\GreatDefender\GreatDefender.exe
%ProgramFiles%\GreatDefender Software\GreatDefender\uninstall.exe
%Windir%\10501sp5mbot2z19.dll
%Windir%\10550zor53ad9.exe
%Windir%\110z0s9y3d5.ocx
%Windir%\11153troj5z89.ocx
%Windir%\114859orm5e4z.exe
%Windir%\115fspzwar92928.ocx
%Windir%\115tzief9853.ocx
%Windir%\1165stealz629.exe
%Windir%\11sza95ot111.bin
%Windir%\122689r5j5zb.ocx
%Windir%\12558ha9ktool4z05.bin
%Windir%\126z1wo5m98f.ocx
%Windir%\130595zef3243.exe
%Windir%\13827tr9jza5.exe
%Windir%\13936sp5zbo9755.ocx
%Windir%\1494not-a-59rzs3c.exe
%Windir%\1503a5dwa9e195z.ocx
%Windir%\15080not5a-vzru969f.dll
%Windir%\15429ir10z.exe
%Windir%\15459z5rus18f.exe
%Windir%\15615vi9uz6aa5.dll
%Windir%\15728z9oj559.bin
%Windir%\15739ir83z.cpl
%Windir%\1594zhackt9ol6655.bin
%Windir%\159z9worm49.exe
%Windir%\15ddsparse2z97.bin
%Windir%\15z065ro95e9.bin
%Windir%\15z48sp9601.exe
%Windir%\15z49virus399.cpl
%Windir%\16982zor595c.ocx
%Windir%\16z64sp95245.bin
%Windir%\174515py917z.dll
%Windir%\17614trojzc95.ocx
%Windir%\17752troj99z.exe
%Windir%\1795vizu5628.ocx
%Windir%\17fzspyware29375.exe
%Windir%\18964spam5ot5az.bin
%Windir%\18ea95zrse2651.ocx
%Windir%\1950not5z-vi9us670.exe
%Windir%\196z1t9oj559.cpl
%Windir%\19865sp5mbot5az.exe
%Windir%\1991059rzs50b.dll
%Windir%\19950tz9j18d.dll
%Windir%\19z53s5am9ot335.bin
%Windir%\19z95h9ck5ool73.bin
%Windir%\1b9thiez1533.cpl
%Windir%\1cb3sparsez295.bin
%Windir%\1d25tzreat29018.bin
%Windir%\1d93addwzr52565.exe
%Windir%\1ez9do5nl9ader2545.exe
%Windir%\20959oz-a-virus1535.exe
%Windir%\20b3baczdo5r14649.dll
%Windir%\21139zp5mbot648.cpl
%Windir%\21815not-9-virus57z.bin
%Windir%\21f5th9eat29945z.dll
%Windir%\21z905ir9s163.cpl
%Windir%\222not-a-z5rus794.ocx
%Windir%\22714hackt9ol5z5.exe
%Windir%\2295ad9war538z.exe
%Windir%\230159py79z.cpl
%Windir%\23199sp5mzot2a2.exe
%Windir%\239105izu93a4.exe
%Windir%\23952spy585z.dll
%Windir%\24291not-a-v5zus2c5.cpl
%Windir%\249765orm5z4.dll
%Windir%\253625pzmbo929e.ocx
%Windir%\25514h5cktool49bz.exe
%Windir%\25531szambot199.ocx
%Windir%\25532spy96z.dll
%Windir%\255faddwz9e31715.ocx
%Windir%\255z0wor931b.dll
%Windir%\25713wo9z5c6.ocx
%Windir%\2594steaz5279.exe
%Windir%\25999no9-a-virusz35.dll
%Windir%\259bdowz9oader1051.cpl
%Windir%\25b9th9eatz9391.exe
%Windir%\25c2do9nloaderz054.bin
%Windir%\25d69hizf1155.exe
%Windir%\25s9yzfa5.cpl
%Windir%\2604addz9re5193.bin
%Windir%\26566h9ck5ool199z.bin
%Windir%\265zpambot109.ocx
%Windir%\269095zrus573.cpl
%Windir%\275679pambotz15.exe
%Windir%\277359pz540.ocx
%Windir%\28235zpy5b9.exe
%Windir%\28522tro975z.cpl
%Windir%\286dzt9al1615.ocx
%Windir%\288865ot-a-vizus2c9.ocx
%Windir%\29154haczt5ol2bd.exe

%CommonDesktopDir% = C:\Documents and Settings\All Users\Desktop
%CommonPrograms% = C:\Documents and Settings\All Users\Start Menu\Programs
%Windir% = C:\Windows

Registry Modifications
Keys Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GreatDefender
HKLM\SOFTWARE\GreatDefender

Values Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
cf = ""
tr = ""

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GreatDefender\
DisplayName = "GreatDefender"
UninstallString = ""%ProgramFiles%\GreatDefender Software\GreatDefender\uninstall.exe""
NoModify = 0x00000001
NoRepair = 0x00000001

HKLM\SOFTWARE\GreatDefender\
Lang = "English"
Install_Dir = "%ProgramFiles%\GreatDefender Software\GreatDefender"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
GreatDefender = %ProgramFiles%\GreatDefender Software\GreatDefender\GreatDefender.exe

==================================================
How to remove / fix : Fake Alert : GreatDefender
==================================================
Download Fix Tool :
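Scripted removal of the artefacts listed above, added here as an example; it is not code from the original post or from the PeeTechFix/JupiterFix tool. The paths, registry keys and the Run value are the ones in the analysis. The time-window heuristic for the decoy files in %Windir%, the use of .NET's GetFolderPath for the All Users folders and the $DryRun switch are this example's own assumptions. Run it from an elevated PowerShell; it only reports until $DryRun is set to $false.

```powershell
# Added example (not the page's fix tool): remove the GreatDefender rogue AV
# using the artefacts listed in the analysis above. Elevated PowerShell.
# With $DryRun = $true the script only reports what it would change.
$DryRun = $true

$installDir = Join-Path $env:ProgramFiles 'GreatDefender Software\GreatDefender'
$mainExe    = Join-Path $installDir 'GreatDefender.exe'
# Creation time of the main binary, captured before anything is deleted;
# used below to pick out the decoy files dropped at the same moment.
$ref = if (Test-Path -LiteralPath $mainExe) { (Get-Item -LiteralPath $mainExe).CreationTime } else { $null }

# 1. Stop the rogue's process. Match on the full path rather than the name so
#    an unrelated binary that happens to be called GreatDefender.exe survives.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $mainExe) } |
    ForEach-Object {
        Write-Host "Stopping PID $($_.Id): $($_.Path)"
        if (-not $DryRun) { Stop-Process -Id $_.Id -Force }
    }

# 2. Persistence and bookkeeping keys from the "Registry Modifications" list.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if ((Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties['GreatDefender']) {
    Write-Host 'Removing HKCU Run value GreatDefender'
    if (-not $DryRun) { Remove-ItemProperty -Path $runKey -Name 'GreatDefender' }
}
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GreatDefender',
                 'HKLM:\SOFTWARE\GreatDefender') {
    if (Test-Path $key) {
        Write-Host "Removing key $key"
        if (-not $DryRun) { Remove-Item -Path $key -Recurse -Force }
    }
}
# The empty 'cf' and 'tr' values under CurrentVersion are installer markers;
# only remove them while they are still empty strings.
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($name in 'cf', 'tr') {
    $v = (Get-ItemProperty -Path $cv -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -ne $null -and $v -eq '') {
        Write-Host "Removing marker value $cv\$name"
        if (-not $DryRun) { Remove-ItemProperty -Path $cv -Name $name }
    }
}

# 3. Program directory and the All Users shortcuts (GetFolderPath names need .NET 4+).
$commonDesktop  = [Environment]::GetFolderPath('CommonDesktopDirectory')
$commonPrograms = [Environment]::GetFolderPath('CommonPrograms')
foreach ($path in (Join-Path $env:ProgramFiles 'GreatDefender Software'),
                  (Join-Path $commonDesktop 'GreatDefender.lnk'),
                  (Join-Path $commonPrograms 'GreatDefender')) {
    if (Test-Path -LiteralPath $path) {
        Write-Host "Removing $path"
        if (-not $DryRun) { Remove-Item -LiteralPath $path -Recurse -Force }
    }
}

# 4. Decoy files. The %Windir% names above (10501sp5mbot2z19.dll,
#    15z49virus399.cpl, 1594zhackt9ol6655.bin ...) are random digits with
#    words like virus, troj, worm, spambot, hacktool and not-a-virus woven in:
#    a rogue AV plants these so its "scan" has something to find. Heuristic
#    (assumption): files directly in %Windir%, name starting with a digit,
#    created within ten minutes of GreatDefender.exe. Review before deleting.
if ($ref) {
    Get-ChildItem -Path $env:WINDIR -Force |
        Where-Object { -not $_.PSIsContainer -and
                       $_.Name -match '^\d[a-z0-9-]+\.(exe|dll|ocx|bin|cpl)$' -and
                       [Math]::Abs(($_.CreationTime - $ref).TotalMinutes) -le 10 } |
        ForEach-Object {
            Write-Host "Decoy candidate: $($_.FullName)"
            if (-not $DryRun) { Remove-Item -LiteralPath $_.FullName -Force }
        }
}
```

Keep the first run in dry-run mode and read the "Decoy candidate" lines before switching $DryRun off: the heuristic is deliberately narrow, but nothing in C:\Windows should be deleted unreviewed.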

How to remove vscie.exe

vscie.exe , bigdoor.exe
Files Size 176,000 bytes
MD5: F97BE1AA4571D641686DE0E321B5BF0C
SHA-1: BE9BE037AC4AA4EC54040684E985480E728E0FB1
=================================================
r2p81t.exe , zoorfat.exe
Files Size 177,300 bytes
MD5: 6EEEF9DF72B8F3A99895E9851F8361E6
SHA-1: D75BA37660E5BED5D53D4A04F885D469C6303995
=================================================
Files Created
%System%\bigdoor.exe
%System%\zoorfat.exe
%System%\bigie0.dll (0-9)
%System%\bigmn0.dll (0-9)
%System%\zorie0.dll (0-9)
%System%\zormn0.dll (0-9)
X:\vscie.exe
X:\r2p81t.exe
X:\autorun.inf

%System% = C:\Windows\System32\
X:\ = C:\-Z:\

Registry Modifications
Key Added
HKLM\SOFTWARE\Classes\CLSID\MNDOWN
HKLM\SOFTWARE\Classes\CLSID\
{238C32AB-955D-4707-AAB9-C9B3AB8D4225}
HKLM\SOFTWARE\Classes\CLSID\
{238C32AB-955D-4707-AAB9-C9B3AB8D4225}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\
{238C32AB-955D-4707-AAB9-C9B3AB8D4225}\ProgID
HKLM\SOFTWARE\Classes\CLSID\
{238C32AB-955D-4707-AAB9-C9B3AB8D4225}\Programmable
HKLM\SOFTWARE\Classes\CLSID\
{238C32AB-955D-4707-AAB9-C9B3AB8D4225}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\Programmable
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\
{238C32AC-955D-4707-AAB9-C9B3AB8D4225}
HKLM\SOFTWARE\Classes\Interface\
{238C32AC-955D-4707-AAB9-C9B3AB8D4225}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\
{238C32AC-955D-4707-AAB9-C9B3AB8D4225}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\
{238C32AC-955D-4707-AAB9-C9B3AB8D4225}\TypeLib
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}
HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}\1.0
HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{238C32AB-955D-4707-AAB9-C9B3AB8D4225}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}

Values Added
HKLM\SOFTWARE\Classes\CLSID\MNDOWN\urlinfo = "csacdf.r"

HKLM\SOFTWARE\Classes\CLSID\
{238C32AB-955D-4707-AAB9-C9B3AB8D4225}\VersionIndependentProgID\
(Default) = "IEHlprObj.IEHlprObj"

HKLM\SOFTWARE\Classes\CLSID\
{238C32AB-955D-4707-AAB9-C9B3AB8D4225}\ProgID\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\CLSID\
{238C32AB-955D-4707-AAB9-C9B3AB8D4225}\InprocServer32\
(Default) = "%System%\bigmn1.dll"
ThreadingModel = "Apartment"

HKLM\SOFTWARE\Classes\CLSID\
{238C32AB-955D-4707-AAB9-C9B3AB8D4225}\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID\
(Default) = "IEHlprObj.IEHlprObj"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32\
(Default) = "%System%\zormn0.dll"
ThreadingModel = "Apartment"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\Interface\
{238C32AC-955D-4707-AAB9-C9B3AB8D4225}\TypeLib\
(Default) = "{238C32A2-955D-4707-AAB9-C9B3AB8D4225}"
Version = "1.0"

HKLM\SOFTWARE\Classes\Interface\
{238C32AC-955D-4707-AAB9-C9B3AB8D4225}\ProxyStubClsid32\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{238C32AC-955D-4707-AAB9-C9B3AB8D4225}\ProxyStubClsid\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{238C32AC-955D-4707-AAB9-C9B3AB8D4225}\
(Default) = "IIEHlprObj"
HKLM\SOFTWARE\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib\
(Default) = "{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}"
Version = "1.0"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IIEHlprObj"

HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}\1.0\0\win32\
(Default) = "%System%\bigmn1.dll"
HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}\1.0\HELPDIR\
(Default) = "%System%\"
HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}\1.0\FLAGS\
(Default) = "0"
HKLM\SOFTWARE\Classes\TypeLib\
{238C32A2-955D-4707-AAB9-C9B3AB8D4225}\1.0\
(Default) = "IEHelper 1.0 Type Library"
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32\
(Default) = "%System%\zormn0.dll"
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR\
(Default) = "%System%\"
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS\
(Default) = "0"
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\
(Default) = "IEHelper 1.0 Type Library"
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\
(Default) = "IEHlprObj.IEHlprObj.1"
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\
(Default) = "IEHlprObj Class"
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\
(Default) = "{238C32AB-955D-4707-AAB9-C9B3AB8D4225}"
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\
(Default) = "IEHlprObj Class"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
bigsoft = "%System%\bigdoor.exe"
zoorfat = "%System%\zoorfat.exe"


Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

Remote Host
218.59.144.138 port 80

URLs downloaded / data identified
http://dfsd6.com/1hg/ah1.rar
http://dfsd6.com/1hg/ah.rar

==================================================
How to remove / fix virus : vscie.exe , bigdoor.exe
==================================================
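The two IEHlprObj entries above are Browser Helper Objects: Internet Explorer loads every DLL registered under the Browser Helper Objects key, so the CLSID, Interface and TypeLib keys must go as well as the Run values and files. The script below audits what is registered and removes the two BHOs; it is an added example, not code from the original post or the PeeTechFix tool. The GUIDs, ProgIDs, DLL names and Run values are the ones in the analysis; the Authenticode check and the $DryRun switch are this example's own.

```powershell
# Added example (not the page's fix tool): audit Internet Explorer Browser
# Helper Objects and unregister the two IEHlprObj BHOs that bigdoor.exe and
# zoorfat.exe install. Elevated PowerShell; close IE and Explorer first,
# because a DLL that is still loaded cannot be deleted.
$DryRun  = $true
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# On 64-bit Windows the 32-bit IE reads the same paths under Wow6432Node
# (HKLM\SOFTWARE\Wow6432Node\... and HKLM\SOFTWARE\Classes\Wow6432Node\CLSID).

function Get-Bho {
    # Resolve every registered BHO CLSID to the DLL IE would load, and check
    # whether that DLL carries a valid Authenticode signature.
    Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $status = 'FileMissing'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $status = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        New-Object PSObject -Property @{ CLSID = $clsid; Dll = $dll; Signature = $status }
    }
}

function Remove-RegKeys([string[]]$keys) {
    foreach ($k in $keys) {
        if (Test-Path $k) {
            Write-Host "Removing key $k"
            if (-not $DryRun) { Remove-Item -Path $k -Recurse -Force }
        }
    }
}

# 1. Report what is registered; unsigned DLLs in System32 stand out.
Get-Bho | Format-Table CLSID, Signature, Dll -AutoSize

# 2. Unregister both BHOs: BHO list entry, CLSID, Interface and TypeLib keys.
$bhos = @(
    @{ Clsid   = '{238C32AB-955D-4707-AAB9-C9B3AB8D4225}'
       Iface   = '{238C32AC-955D-4707-AAB9-C9B3AB8D4225}'
       TypeLib = '{238C32A2-955D-4707-AAB9-C9B3AB8D4225}' },
    @{ Clsid   = '{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}'
       Iface   = '{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}'
       TypeLib = '{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}' }
)
foreach ($b in $bhos) {
    Remove-RegKeys @(
        "$bhoRoot\$($b.Clsid)",
        "HKLM:\SOFTWARE\Classes\CLSID\$($b.Clsid)",
        "HKLM:\SOFTWARE\Classes\Interface\$($b.Iface)",
        "HKLM:\SOFTWARE\Classes\TypeLib\$($b.TypeLib)"
    )
}
# Shared ProgIDs and the MNDOWN key that holds the 'urlinfo' download marker.
Remove-RegKeys @('HKLM:\SOFTWARE\Classes\IEHlprObj.IEHlprObj',
                 'HKLM:\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1',
                 'HKLM:\SOFTWARE\Classes\CLSID\MNDOWN')

# 3. Run values, running payloads, and the dropped files (the "(0-9)" DLLs via wildcard).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'bigsoft', 'zoorfat') {
    if ((Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue) -ne $null) {
        Write-Host "Removing Run value $name"
        if (-not $DryRun) { Remove-ItemProperty -Path $runKey -Name $name }
    }
}
Get-Process -Name bigdoor, zoorfat -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Stopping $($_.Name) (PID $($_.Id))"
    if (-not $DryRun) { Stop-Process -Id $_.Id -Force }
}
$sys = Join-Path $env:SystemRoot 'System32'
foreach ($pattern in 'bigdoor.exe', 'zoorfat.exe', 'bigie?.dll', 'bigmn?.dll', 'zorie?.dll', 'zormn?.dll') {
    Get-ChildItem -Path (Join-Path $sys $pattern) -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Removing file $($_.FullName)"
        if (-not $DryRun) { Remove-Item -LiteralPath $_.FullName -Force }
    }
}
```

The Get-Bho table is worth running on its own: a BHO whose DLL lives in System32 under a name like bigmn1.dll with Signature NotSigned is exactly the pattern in this report, and the same check finds variants whose GUIDs differ.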


How to remove r2p81t.exe

r2p81t.exe , zoorfat.exe
Files size 178,319 bytes
MD5: FB63BE88DB061911A447BA031432B1E1
SHA-1: BC5826FE1BF83C6539F2B53353790BA999A4EC38
=================================================
Files Created

%System%\zoorfat.exe
%System%\zorie0.dll (0-9)
%System%\zormn0.dll (0-9)
X:\r2p81t.exe
X:\autorun.inf

%System% = C:\Windows\System32\
X:\ = C:\-Z:\

Registry Modifications
Keys Added
HKLM\SOFTWARE\Classes\CLSID\MNDOWN
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\Programmable
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}

Values Added
HKLM\SOFTWARE\Classes\CLSID\MNDOWN\urlinfo = "csacdf.s"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID\
(Default) = "IEHlprObj.IEHlprObj"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32\
(Default) = "%System%\zormn0.dll"
ThreadingModel = "Apartment"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib\
(Default) = "{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}"
Version = "1.0"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IIEHlprObj"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32\
(Default) = "%System%\zormn0.dll"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR\
(Default) = "%System%\"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS\
(Default) = "0"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\
(Default) = "IEHelper 1.0 Type Library"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\
(Default) = "{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\
(Default) = "IEHlprObj Class"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
zoorfat = "%System%\zoorfat.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

Remote Host
218.59.144.138 port 80

URLs downloaded / data identified
http://dfsd6.com/1hg/ah1.rar
http://dfsd6.com/1hg/ah.rar
==================================================
How to remove / fix virus : r2p81t.exe , zoorfat.exe
==================================================


How to remove 0qw6vege.exe

0qw6vege.exe , herss.exe
Files size 114,071 bytes
MD5: 012E574DDFADDD5478DD59BBF58112E5
SHA-1: DE81CD67BB8160A3409F5E857D382EDD1A0C5C9B
================================================
Files Created

%Temp%\herss.exe
%Temp%\cvasds0.dll (0-9)
X:\0qw6vege.exe
X:\autorun.inf

%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp\
X:\ = C:\-Z:\

Registry Modifications
Value added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

URL downloaded / data identified
http://www.yahoo803.com/1mg/am1.rar > %Temp%\am1.rar > am1.exe

==================================================
How to remove / fix virus : 0qw6vege.exe , herss.exe
==================================================


How to remove kpvqk.exe

kpvqk.exe , uret463.exe
Files Size 100,274 bytes
MD5: C472648D9D0FE10D58516F4132A8F7B8
SHA-1: 36E55A7F6768B91E4B61BC8C3AADC4EF393D452B
=================================================
Files Created
%System%\uret463.exe
%System%\lhgjyit0.dll (0-9)
X:\kpvqk.exe
X:\autorun.inf

File deleted
%System%\drivers\cdaudio.sys (the AVPsys service registered below still points its ImagePath at this file; Type 0x1 = kernel driver, Start 0x3 = demand start, and INITSTARTFAILED shows the load did not succeed)

%System% = C:\Windows\System32\
X:\ = C:\-Z:\

Registry Modifications
Keys Added
HKLM\SYSTEM\ControlSet001\Services\AVPsys
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum

Values Added
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\ControlSet001\Services\AVPsys\
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
dorfgwe = "%System%\uret463.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

URLs downloaded / data identified
http://cdju9.com/xjj/cc31.rar > %Temp%\cc31.rar
http://sderfg.com/m/c.rar > %System%\c.exe

==================================================
How to remove / fix virus : kpvqk.exe , uret463.exe
==================================================


How to remove emmsc2tf.exe

emmsc2tf.exe , xvassdf.exe
Files size 111,137 bytes
MD5: 201E4E78EAED156B504422A20E5559AF
SHA-1: 4361A699E6173803C00EACCA0DE5FE0672D8A1E0
================================================
Files Created
%Temp%\xvassdf.exe
%Temp%\4tddfwq0.dll (0-9)
X:\emmsc2tf.exe
X:\autorun.inf

%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp\
X:\ = C:\-Z:\

Registry Modifications
Value added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
54dfsger = "%Temp%\xvassdf.exe"


Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

URL downloaded / data identified
http://www.googler3g.com/1rb/ar1.rar > %Temp%\ar1.rar

==================================================
How to remove / fix virus : emmsc2tf.exe , xvassdf.exe
==================================================


Tuesday

AVDB-025 Update

29/12/2009
==========
PeeTechFix-Win32.PSW.OnlineGames 2.0.6
AVDB-025 (Virus signature database update)
- New OnlineGames samples added
=======================================================
0qw6vege.exe
9ffp.exe
9ql.exe
9y.exe
ar.exe
fx063d.exe
h.exe
hedqlwdq.bat
isr3b.exe
jxahjo.exe
kv2.exe
l61w.exe
oagb.exe
p0crvg.exe
q.cmd
r2p81t.exe
t8g.exe
tbecdala.exe
u16sqrqn.exe
uu.exe
w8lsj26.bat
wglb9q.exe
xuagegp.com
yu3.exe

Monday

AVDB-024 Update

28/12/2009
==========
PeeTechFix-Win32.PSW.OnlineGames 2.0.6
AVDB-024 (Virus signature database update)
- New OnlineGames samples added
=================================================
del.bat
del1a0af.bat
imghyva6.exe
intitdll.exe
iyhsdh.exe
kqcsq.exe
lbsaiw.exe
lirtd.exe
pipogqwt.exe
plxqw.exe
pnrfx.exe
wldevna.exe
ydxl.exe
kb182352955.dll
kb82352615.dll
mesggedjt.dll
mzxedad.dll
t320045.dll
t3rpcss.dll
bmtpws31.dat
vga1.dat

How to remove imghyva6.exe

imghyva6.exe , herss.exe
Files size 106496 bytes
MD5: 9383CF94210BBDF523CD2343CAC04437
SHA-1: 4819E7FA2F66B5C960AE219178FD9824714B4C6D
================================================
Scan results (engine, signature date, detection name; "-" = not detected). Note that the hits are packer and heuristic detections (ASPack, Heur.Packed, Suspicious), not a family signature.
a-squared 2009.12.27 -
AhnLab-V3 2009.12.26 -
AntiVir 2009.12.26 -
Antiy-AVL 2009.12.25 -
Authentium 2009.12.26 -
Avast 2009.12.27 -
AVG 2009.12.27 -
BitDefender 2009.12.27 -
CAT-QuickHeal 2009.12.26 -
ClamAV 2009.12.27 PUA.Packed.ASPack212
Comodo 2009.12.27 Heur.Packed.Unknown
DrWeb 2009.12.27 -
eSafe 2009.12.24 -
eTrust-Vet 2009.12.25 -
F-Prot 2009.12.26 -
F-Secure 2009.12.27 Suspicious:W32/Malware!Gemini
Fortinet 2009.12.27 -
GData 2009.12.26 -
Ikarus 2009.12.27 -
Jiangmin 2009.12.27 -
K7AntiVirus 2009.12.26 -
Kaspersky 2009.12.27 -
McAfee 2009.12.26 -
McAfee+Artemis 2009.12.26 -
McAfee-GW-Edition 2009.12.27 Heuristic.LooksLike.Win32.Suspicious.H
Microsoft 2009.12.26 -
NOD32 2009.12.27 -
Norman 2009.12.27 -
nProtect 2009.12.27 -
Panda 2009.12.15 -
PCTools 2009.12.27 -
Rising 2009.12.27 -
Sophos 2009.12.27 -
Sunbelt 2009.12.26 Worm.Win32.AutoRun
Symantec 2009.12.27 -
TheHacker 2009.12.26 -
TrendMicro 2009.12.27 PAK_Generic.001
VBA32 2009.12.26 -
ViRobot 2009.12.26 -
VirusBuster 2009.12.26 -
================================================
Files Created
%Temp%\cvasds0.dll (0-9)
%Temp%\herss.exe
X:\imghyva6.exe
X:\autorun.inf

%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp\
X:\ = C:\-Z:\

Registry Modifications
Value Added

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

==================================================
How to remove / fix virus : imghyva6.exe , herss.exe
==================================================
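All five OnlineGames droppers analysed above (r2p81t/zoorfat, 0qw6vege/herss, kpvqk/uret463, emmsc2tf/xvassdf and imghyva6/herss) make the same four changes: an HKCU Run value pointing at a copy in %Temp% or %System%, the Explorer hidden-file settings flipped so that copy stays invisible, NoDriveTypeAutoRun rewritten, and autorun.inf plus the dropper on every drive letter. The script below undoes all four in one pass. It is an added example and not code from the original post or the PeeTechFix tool: the Run-value names, file names and registry values are taken from the analyses; the autorun.inf parsing, the choice of 0xFF for NoDriveTypeAutoRun, the AVPsys service removal and the $DryRun switch are this example's own.

```powershell
# Added example (not the page's fix tool): one-pass cleanup for the autorun
# worms analysed above. Elevated PowerShell; with $DryRun = $true it only reports.
$DryRun = $true
$sys    = Join-Path $env:SystemRoot 'System32'

# 0. Stop the running payloads first, or the file deletions below will fail.
Get-Process -Name herss, uret463, xvassdf, zoorfat -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "Stopping $($_.Name) (PID $($_.Id)) $($_.Path)"
        if (-not $DryRun) { Stop-Process -Id $_.Id -Force }
    }

# 1. HKCU Run values from the analyses, plus anything else that starts from Temp.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'zoorfat', 'cdoosoft', 'dorfgwe', '54dfsger') {
    if ($run.PSObject.Properties[$name]) {
        Write-Host "Removing Run value $name = $($run.$name)"
        if (-not $DryRun) { Remove-ItemProperty -Path $runKey -Name $name }
    }
}
$run.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '\\Temp\\' } |
    ForEach-Object { Write-Warning "Run value $($_.Name) starts from Temp: $($_.Value)" }

# 2. Explorer values the worms flip. Hidden=1 and ShowSuperHidden=1 show hidden
#    and system files again; CheckedValue=1 makes the "Show hidden files" radio
#    button work at all. 0x91 is the Windows XP default and still permits
#    AutoRun on removable and fixed drives; 0xFF turns it off for every drive type.
$fixes = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden'; Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
)
foreach ($f in $fixes) {
    $cur = (Get-ItemProperty -Path $f.Path -Name $f.Name -ErrorAction SilentlyContinue).($f.Name)
    if ($cur -ne $f.Value) {
        Write-Host ("{0}\{1}: {2} -> {3}" -f $f.Path, $f.Name, $cur, $f.Value)
        if (-not $DryRun) {
            if (-not (Test-Path $f.Path)) { New-Item -Path $f.Path -Force | Out-Null }
            Set-ItemProperty -Path $f.Path -Name $f.Name -Value $f.Value -Type DWord
        }
    }
}

# 3. Every drive letter (the analyses write X:\ for C:\ through Z:\): show what
#    autorun.inf would launch, then remove it and the dropper beside it.
$droppers = 'r2p81t.exe', '0qw6vege.exe', 'kpvqk.exe', 'emmsc2tf.exe', 'imghyva6.exe'
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $launch = Get-Content -LiteralPath $inf -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
        Write-Warning "${root}autorun.inf launches: $($launch -join '; ')"
        if (-not $DryRun) { Remove-Item -LiteralPath $inf -Force }
    }
    foreach ($name in $droppers) {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) {
            Write-Warning "dropper $p"
            if (-not $DryRun) { Remove-Item -LiteralPath $p -Force }
        }
    }
}

# 4. Payload copies and the numbered helper DLLs (the "(0-9)" in the file lists).
$payloads = "$env:TEMP\herss.exe", "$env:TEMP\cvasds?.dll",
            "$env:TEMP\xvassdf.exe", "$env:TEMP\4tddfwq?.dll",
            "$sys\uret463.exe", "$sys\lhgjyit?.dll",
            "$sys\zoorfat.exe", "$sys\zorie?.dll", "$sys\zormn?.dll"
foreach ($pattern in $payloads) {
    Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Removing payload $($_.FullName)"
        if (-not $DryRun) { Remove-Item -LiteralPath $_.FullName -Force }
    }
}

# 5. kpvqk/uret463 also registers a kernel-driver service (AVPsys) whose
#    ImagePath is a file it deleted; the orphaned service entry can go.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\AVPsys'
if (Test-Path $svc) {
    Write-Host "Removing service key $svc"
    if (-not $DryRun) { Remove-Item -Path $svc -Recurse -Force }
}
```

Two points worth noting from the report itself: the worms do not disable AutoRun, they set NoDriveTypeAutoRun to 0x91, which is the XP default and keeps autorun.inf working on USB sticks, so hardening means 0xFF rather than restoring the "original" value; and $env:TEMP is the Temp folder of whoever runs the script, so run step 4 as the user whose profile was infected or point it at that user's Local Settings\Temp.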

Thursday

How to remove Win32.Kates, Win32/Daonol

Trojan-PSW.Win32.Kates , Win32/Daonol
Aliases : Trojan-PSW.Win32.Kates (Kaspersky) , Win32/Daonol (ESET NOD32 , Microsoft)
==================================================
This virus seems to be spreading quite widely at the moment.
Many people know it as the "black screen" virus, because it blanks the screen.
I wrote an article about it once before.

Kaspersky has released a tool for removing this virus family, called KatesKiller.
You can download KatesKiller from this link.


Example of the program

How to remove RootKit Win32.PMax

Sample report from ThreatExpert
http://www.threatexpert.com/report.aspx?md5=6cd7f13b1f144218b0cbf0fbc8acc564

==================================================
How to remove RootKit Win32.PMax (detected by Kaspersky)
==================================================
Download PMaxKiller from this link.


Example of the program

How to Remove Win32.Virut (family)

I have written about this virus once before,
using tools from AVG and Symantec.
This time there is a tool from Kaspersky for removing the Win32.Virut family.
Anyone with a Virut-family infection can download it and try it.

How to remove Win32.Virut.ce (Virut family)

Download VirutKiller from this link.


1. Turn off System Restore first: right-click My Computer > Properties > System Restore
and tick "Turn off System Restore on all drives". (Virut is a file infector; restore points hold copies of infected executables that would otherwise be put back after cleaning.)
2. Run VirutKiller

Example

How to remove sdra64.exe (Win32.Zbot)

How to remove sdra64.exe
(Trojan-Spy.Win32.Zbot family : detected by Kaspersky)

How to remove
Trojan-Spy.Win32.Zbot family
=========================
I was about to build a Fix Tool project for Win32.Zbot,
but then came across Kaspersky's removal tool, which I think will work better.
Machines infected with Win32.Zbot usually have these files and folders:

%System%\sdra64.exe
%System%\lowsec\local.ds
%System%\lowsec\user.ds
%System%\lowsec\user.ds.lll

Download Kaspersky's ZbotKiller from this link.


Example

How to remove Rootkit.Win32.TDSS

How to remove the Win32.TDSS rootkit family
===========================
Download Kaspersky's TDSSKiller from this link.


Example

Update: latest version

Symptoms of a Rootkit (TDL1, TDL2) infection as seen in GMER

Rootkit (TDL3)

Credit : Kaspersky

Wednesday

AVDB-023 Update

23/12/2009
==========
AVDB-023 (Virus signature database update)
- New OnlineGames samples added
===========================================================
emmsc2tf.exe
kpvqk.exe
nx.exe
sop.exe
u3iwl3.exe

How to remove Storm2.exe

Storm2.exe, Origin.exe, Browsers.exe, Player.exe
Files size 628,736 bytes
MD5: 23CAFA5DBF348DA43B710B8874181D14
SHA-1: 5A132B5A9FAFCC23B6D3A93F331B9060501C4628
==================================================
Aliases (scan results: engine, signature date, detection name; "-" = not detected) :
a-squared 2009.12.21 Trojan-Spy.Win32.Banker.bbh!IK
AhnLab-V3 2009.12.21 -
AntiVir 2009.12.21 TR/Spy.628736.1
Antiy-AVL 2009.12.18 Trojan/Win32.Scar.gen
Authentium 2009.12.02 W32/SysVenFak.A.gen!Eldorado
Avast 2009.12.20 Win32:Spyware-gen
AVG 2009.12.20 Generic15.BQNB
BitDefender 2009.12.21 Gen:Trojan.Heur.MG0@rOs5Makb
CAT-QuickHeal 2009.12.21 Trojan.Scar.asap
ClamAV 2009.12.21 -
Comodo 2009.12.21 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 2009.12.21 Trojan.DownLoad.61707
eSafe 2009.12.20 -
eTrust-Vet 2009.12.21 -
F-Prot 2009.12.20 W32/SysVenFak.A.gen!Eldorado
F-Secure 2009.12.21 Gen:Trojan.Heur.MG0@rOs5Makb
Fortinet 2009.12.20 W32/Scar.ASAP!tr
GData 2009.12.21 Gen:Trojan.Heur.MG0@rOs5Makb
Ikarus 2009.12.21 Trojan-Spy.Win32.Banker.bbh
Jiangmin 2009.12.21 Trojan/Scar.esx
K7AntiVirus 2009.12.17 Trojan.Win32.Malware.1
Kaspersky 2009.12.21 Trojan.Win32.Scar.asap
McAfee 2009.12.20 Generic.dx!ior
McAfee+Artemis 2009.12.20 Generic.dx!ior
McAfee-GW-Edition 2009.12.21 Heuristic.BehavesLike.Win32.Spyware.J
Microsoft 2009.12.21 -
NOD32 2009.12.21 -
Norman 2009.12.21 -
nProtect 2009.12.21 Trojan/W32.Scar.628736
Panda 2009.12.15 Trj/Downloader.MDW
PCTools 2009.12.21 Spyware.007Spy
Prevx 2009.12.21 High Risk Spyware
Rising 2009.12.21 -
Sophos 2009.12.21 Mal/Behav-056
Sunbelt 2009.12.20 Trojan.Win32.Generic!SB.0
Symantec 2009.12.21 Spyware.007Spy
TheHacker 2009.12.21 -
TrendMicro 2009.12.21 -
VBA32 2009.12.19 Trojan.Win32.Scar.asap
ViRobot 2009.12.21 -
VirusBuster 2009.12.20 -

Files Created
%System%\Storm2.exe
%System%\Origin.exe
D:\Browsers.exe

%System% = C:\Windows\System32\

Registry Modifications
Values Added
HKLM\SOFTWARE\Classes\txtfile\shell\open\command\
(Default) = "d:\Browsers.exe %1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
WBOpen = "%System%\Storm2.exe"
Verdana = "%System%\Origin.exe"

Value deleted
HKLM\SOFTWARE\Classes\txtfile\shell\open\command\
(Default) = "%System%\NOTEPAD.EXE %1"

Remote Host
d.laiyiba.com port 1034

HTTP URLs requested
(list of adware / download URLs on d.laiyiba.com and related sites omitted)

A pop-up asking you to set the default home page may also appear.

====================================================
How to remove/fix virus : Storm2.exe, Origin.exe, Browsers.exe, Player.exe
====================================================
---------------------------------------------------------------------------
When infected with this virus, a rapid repeating noise plays through the speakers constantly. The fix is:
1. Run Process Explorer and
Kill process on the files Strom2.exe, Origin.exe, Browsers.exe

2. Run NOD32RecoveryTool and choose Fix now to show hidden files and reset winlogon

3. Delete the following files

%System%\Storm2.exe
%System%\Origin.exe
D:\Browsers.exe

4. Run HijackThis > Fix checked on the following lines

O4 - HKCU\..\Run: [WBOpen] C:\WINDOWS\System32\Storm2.exe
O4 - HKCU\..\Run: [Verdana] c:\windows\system32\Origin.exe
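As an added example (not part of the original post), a Python check that scans a registry export (.reg text) for the changes listed in these write-ups: the Run-key value names (WBOpen, Verdana, and the ahnsoft, cdoosoft, cybansos names from the later samples), the txtfile handler hijack that makes Browsers.exe run instead of NOTEPAD.EXE, and the Explorer hidden-file and NoDriveTypeAutoRun settings that all four samples tamper with. The .reg sample inside the block is constructed for the example; only the value names and targets come from this page.

```python
import re

# Run-key value names used by the samples on this page (Storm2, j8dfa, cs6phv6d, 32bbi0).
KNOWN_RUN_NAMES = {"wbopen", "verdana", "ahnsoft", "cdoosoft", "cybansos"}
# Explorer settings the samples change to hide files and keep autorun on ("key suffix|value": bad value).
TAMPERED = {
    r"advanced\folder\hidden\showall|checkedvalue": 0,
    r"explorer\advanced|hidden": 2,
    r"explorer\advanced|showsuperhidden": 0,
    r"policies\explorer|nodrivetypeautorun": 0x91,
}
def parse_reg(text):
    """Map (key, value name), both lower-cased, to the raw .reg value text."""
    entries, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            entries[(key, "(default)" if name == "@" else name.strip('"').lower())] = raw
    return entries
def reg_int(raw):  # decode dword:XXXXXXXX; None for string values
    m = re.fullmatch(r"dword:([0-9a-f]{8})", raw, re.I)
    return int(m.group(1), 16) if m else None
def findings(text):
    """One line per indicator from the write-ups found in the .reg text."""
    out = []
    for (key, name), raw in parse_reg(text).items():
        if key.endswith(r"currentversion\run") and name in KNOWN_RUN_NAMES:
            out.append(f"run-key persistence: {name} = {raw}")
        # Storm2 repoints the .txt handler from NOTEPAD.EXE %1 to Browsers.exe
        if key.endswith(r"txtfile\shell\open\command") and name == "(default)" and "notepad.exe" not in raw.lower():
            out.append(f"txtfile handler hijack: {raw}")
        for rule, bad in TAMPERED.items():
            ksuf, vname = rule.split("|")
            if key.endswith(ksuf) and name == vname and reg_int(raw) == bad:
                out.append(f"explorer setting tampered: {vname} = {raw}")
    return out

# Constructed sample export (not from a real machine) showing the Storm2 modifications.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WBOpen"="C:\\WINDOWS\\System32\\Storm2.exe"
"Verdana"="c:\\windows\\system32\\Origin.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="d:\\Browsers.exe %1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""
```

Feed it the output of `reg export` for the HKCU Run, Explorer and Policies keys and the HKLM txtfile handler; a clean machine yields no lines.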

How to remove j8dfa.exe

j8dfa.exe , ahnsbsb.exe
MD5: CE295C940F5D7681733EB2E0C21E68B5
SHA-1: 7B38540A639A7E2C9BEF214F7656A15145F016E7
=================================================
Files Created
%System%\ahnsbsb.exe
%System%\ahnfgss0.dll (0-9)
%System%\ahnxsds0.dll (0-9)
X:\j8dfa.exe
X:\autorun.inf

%System% = C:\Windows\System32\
X:\ = any drive letter C:\ to Z:\

File deleted
%System%\drivers\cdaudio.sys

Registry Modifications
Keys Added
HKLM\SOFTWARE\Classes\CLSID\
{AF4DA69B-E1D6-469A-855B-6445294857D4}
HKLM\SOFTWARE\Classes\CLSID\
{AF4DA69B-E1D6-469A-855B-6445294857D4}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\
{AF4DA69B-E1D6-469A-855B-6445294857D4}\ProgID
HKLM\SOFTWARE\Classes\CLSID\
{AF4DA69B-E1D6-469A-855B-6445294857D4}\Programmable
HKLM\SOFTWARE\Classes\CLSID\
{AF4DA69B-E1D6-469A-855B-6445294857D4}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\
{AF4DA69C-E1D6-469A-855B-6445294857D4}
HKLM\SOFTWARE\Classes\Interface\
{AF4DA69C-E1D6-469A-855B-6445294857D4}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\
{AF4DA69C-E1D6-469A-855B-6445294857D4}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\
{AF4DA69C-E1D6-469A-855B-6445294857D4}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}
HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}\1.0
HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{AF4DA69B-E1D6-469A-855B-6445294857D4}
HKLM\SYSTEM\ControlSet001\Services\AVPsys
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum

Values Added
HKLM\SOFTWARE\Classes\CLSID\
{AF4DA69B-E1D6-469A-855B-6445294857D4}\VersionIndependentProgID\
(Default) = "IEHlprObj.IEHlprObj"

HKLM\SOFTWARE\Classes\CLSID\
{AF4DA69B-E1D6-469A-855B-6445294857D4}\ProgID\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\CLSID\
{AF4DA69B-E1D6-469A-855B-6445294857D4}\InprocServer32\
(Default) = "%System%\ahnxsds0.dll"
ThreadingModel = "Apartment"

HKLM\SOFTWARE\Classes\CLSID\
{AF4DA69B-E1D6-469A-855B-6445294857D4}\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\Interface\
{AF4DA69C-E1D6-469A-855B-6445294857D4}\TypeLib\
(Default) = "{AF4DA692-E1D6-469A-855B-6445294857D4}"
Version = "1.0"

HKLM\SOFTWARE\Classes\Interface\
{AF4DA69C-E1D6-469A-855B-6445294857D4}\ProxyStubClsid32\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{AF4DA69C-E1D6-469A-855B-6445294857D4}\ProxyStubClsid\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{AF4DA69C-E1D6-469A-855B-6445294857D4}\
(Default) = "IIEHlprObj"

HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}\1.0\0\win32\
(Default) = "%System%\ahnxsds0.dll"

HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}\1.0\HELPDIR\
(Default) = "%System%\"

HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}\1.0\FLAGS\
(Default) = "0"

HKLM\SOFTWARE\Classes\TypeLib\
{AF4DA692-E1D6-469A-855B-6445294857D4}\1.0\
(Default) = "IEHelper 1.0 Type Library"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\
(Default) = "{AF4DA69B-E1D6-469A-855B-6445294857D4}"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\
(Default) = "IEHlprObj Class"

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\ControlSet001\Services\AVPsys\
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
ahnsoft = "%System%\ahnsbsb.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

=======================================================
How to remove/fix virus : j8dfa.exe, ahnsbsb.exe
=======================================================



How to remove cs6phv6d.exe

cs6phv6d.exe
File size 114,928 bytes
MD5: 4A6F61520764CC1DE3F7EC8B3B87445F
SHA-1: 4E8AC3F0771167DEA8A28CD70F3B5F9AA778F547
================================================
Files Created
%Temp%\cvasds0.dll (0-9)
%Temp%\herss.exe
X:\cs6phv6d.exe
X:\autorun.inf

%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp\
X:\ = any drive letter C:\ to Z:\

Registry Modifications
Value Added

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

URL downloaded / data identified
http://www.googlem7k.com/1mg/am1.rar -> %Temp%\am1.rar

==================================================
How to remove/fix virus : cs6phv6d.exe
==================================================
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames

How to remove 32bbi0.exe , pwbnd.exe

32bbi0.exe , pwbnd.exe ,cyban.exe
Files size 182,309 bytes
MD5: AE246C8151A08E8603E333194558231E
SHA-1: D8A292BE16CFD8EAD09980897199756F2F3560A7
================================================
Files Created
%System%\cyban.exe
%System%\cyban0.dll (0-9)
%System%\ieban0.dll (0-9)
X:\32bbi0.exe
X:\pwbnd.exe
X:\autorun.inf

%System% = C:\Windows\System32
X:\ = any drive letter C:\ to Z:\

Registry Modifications
Keys Added
HKLM\SOFTWARE\Classes\CLSID\MNDOWN
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\Programmable
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}

Values Added
HKLM\SOFTWARE\Classes\CLSID\MNDOWN\urlinfo = "chtovj.x"
HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID\
(Default) = "IEHlprObj.IEHlprObj"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32\
(Default) = "%System%\ieban0.dll"
ThreadingModel = "Apartment"

HKLM\SOFTWARE\Classes\CLSID\
{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib\
(Default) = "{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}"
Version = "1.0"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid\
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKLM\SOFTWARE\Classes\Interface\
{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\
(Default) = "IIEHlprObj"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32\
(Default) = "%System%\ieban0.dll"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR\
(Default) = "%System%\"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS\
(Default) = "0"

HKLM\SOFTWARE\Classes\TypeLib\
{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\
(Default) = "IEHelper 1.0 Type Library"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\
(Default) = "IEHlprObj.IEHlprObj.1"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\
(Default) = "IEHlprObj Class"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\
(Default) = "{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}"

HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\
(Default) = "IEHlprObj Class"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cybansos = "%System%\cyban.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden = 0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden = 0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun = 0x00000091

Remote Host
218.59.144.142 port 80

URLs downloaded / data identified
http://www.googled3m.com/1hg/ah1.rar
http://www.googled3m.com/1hg/ah.rar

=======================================================
How to remove/fix virus : 32bbi0.exe, pwbnd.exe, cyban.exe
=======================================================

