"Malware Fix รวมวิธีแก้ปัญหา virus computer โครงการทำดีเพื่อสังคม" "เนื่องจากภาระหน้าที่ทางการงาน ต้องขออภัยผู้เยี่ยมชมทุกท่านนะครับ ที่เ้ข้ามาแล้ว ไม่มีการ update virus ตัวใหม่ นะครับ"

Information

http://malwarefighting.blogspot.com


Alert! Crypt0L0cker (Ransomware)
encrypts the data on the computer; it is spreading in Thailand
and spreading heavily in Korea.
ThaiCERT, Crypto Prevention Tool

*Do not pay the ransom under any circumstances: you will lose the money and still not recover the data.
Please share this with others who read it.
http://hotzone-it.blogspot.com/2015/07/how-to-remove-crypt0l0cker-not.html
==============================================
PeeTechFix >> JupiterFix
==============================================

How to use: JupiterFix-Win32.PSW.OnlineGames
You can check the list of viruses the program can clean in VirusList.txt.
-------------------------------------------------------------------------------------
If you have downloaded the PeeTechFix tool and run into problems or it cannot remove the virus, please report the problem to email: MalwareHunter.info@gmail.com, or send the virus file as well; I would be very grateful.
-------------------------------------------------------------------------------------
Safemode Recovery (.reg): fixes the case where a virus has deleted the Safeboot key and Safe Mode can no longer be entered
------------------------------------------------------------------------------------
How to fix the error message (fixes being unable to open .exe files on a USB drive)
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
For the fix, see this link.
-------------------------------------------------------------------------------------
How to fix MSN / Windows Live Messenger disconnects (caused by the OnlineGames virus)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode


Friday

How to remove n89f1d1w.exe

n89f1d1w.exe ,aqoeerw.exe
Files size 126,656 bytes
MD5: 0x59410CCC9572CE2851827C23336A174C
SHA-1: 0x3E23464479F3BB7F48980214D6976540F54B273A
===================================================
Files Created
C:\WINDOWS\system32\aqoeerw.exe
C:\WINDOWS\system32\bnmkue0.dll (0-9)
X:\n89f1d1w.exe
X:\autorun.inf

Registry Modifications
Key Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN

Value Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\
urlinfo : awscjm.r
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
coolsos : %System%\aqoeerw.exe

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091

URL to be downloaded
http://www.765hdc.com/1tw/at1.rar > %Temp%\at1.rar
-----------------------------------------------------------------------
How to remove n89f1d1w.exe, aqoeerw.exe
-----------------------------------------------------------------------
Download Fix Tool: PeeTechFix-PSW.OnlineGame 2.05 AVDB-009

http://hotzone-it.blogspot.com/2009/08/virus-remove-tool.html

How to remove zhido.exe

zhido.exe
File size 276,480 bytes
MD5: 0x29F85A0C52411773AA2BB948ECDC4D76
SHA-1: 0x5CA7344508EC2EEF0A84E35150AC6FD25FC02C1C
==================================================
Files Created
C:\WINDOWS\system32\cao110.dll (0-9)
Files size 55,296 bytes
MD5: 0x34E9FE75D59053FCDDC92B88AB1CC012
SHA-1: 0x8B40882B88CBDB446CCBA0FDF38D86899A68AB73

C:\WINDOWS\system32\cao220.txt
C:\WINDOWS\system32\zhido.exe

Registry Modifications
Value Added

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
zhido : C:\WINDOWS\system32\zhido.exe

-------------------------------------------------------------------------
How to remove virus: zhido.exe
-------------------------------------------------------------------------
Download Fix Tool: PeeTechFix-PSW.OnlineGame 2.05 AVDB-009

http://hotzone-it.blogspot.com/2009/08/virus-remove-tool.html

Thursday

How to remove b00ijwpu.exe

b00ijwpu.exe ,herss.exe, hjvjte.exe
Files size 115,072 bytes
MD5: FEF524E5DC57D4665415E3116DD33911
SHA-1: D6B92F4ED982D9D4223CC5C1DA569DD8C0702138
===================================================
Files Created
C:\autorun.inf
C:\b00ijwpu.exe
C:\hjvjte.exe > see the additional link
http://hotzone-it.blogspot.com/2009/10/how-to-remove-hjvjteexe.html

C:\Documents and Settings\[UserName ]\Local Settings\Temp\cvasds0.dll
C:\Documents and Settings\[UserName]\Administrator\Local Settings\Temp\herss.exe

Remote Host
218.59.144.136 Port 80
218.59.144.139 Port 80

URLs to be downloaded / data identified
http://www.googlei9p.com/1mg/am1.rar >%temp%\am1.exe
http://www.sina96l.com/1mg/am.rar > %temp%\am1.exe

Registry Modifications
Key Added

HKLM\SOFTWARE\Classes\CLSID\MADOWN

Values added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo = "dsa2xsa.r"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft = "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091
-----------------------------------------------------------------------
How to remove virus: b00ijwpu.exe, herss.exe, hjvjte.exe
-----------------------------------------------------------------------
Download : PeeTechFix-Win32/PSW.OnlineGame 2.0.5_ AVDB-008

-----------------------------------------------------------------------

AVDB-008 Update

29/10/2009
PeeTechFix-win32/PSW.OnlineGame 2.0.5 AVDB-008 New !
==============================================

Tuesday

Black Screen with mouse virus

Win32/Daonal.L (Detect by NOD32)
Trojan-PSW.Win32.Kates.j (Detect by Kaspersky Lab)
==============================================
cwcsi.old
File size18,432 bytes
MD5: 89F34BE523093E7AF4FD0C4D4FF10B6E

SHA-1: 6FDCBA3C13899D43A205DDF058D1CF4C526DDE4F
==============================================
ffxtt.bak
File size 74,240 bytes
MD5: 1B8A09C403DB8C09CA85A4A3014103E3
SHA-1: 1D8739ECD27D5FF664ECCE13E1BB71FB23CF6136
==============================================
akplbxj.old
MD5: 5BD6DF42DF6F43745F98CFEAF76C1ABD
SHA-1: 9B0E5163ECB1B3F8F3061B029CB0E74F9328D67B
========================================================
exjb.bak
MD5: 60142096DE91560CF0BA7D5096CAC70E
SHA-1: CD92B24B0597321DDB5403154635DB05B883572F
========================================================
~.exe
File size: 16384 bytes
MD5 : 91cd1690546857dbadec1353dd9baf99
SHA1 : f926e07272a8bcfe070eb7044a3e238de49c74a3
==============================================
hmlfayb.dat
MD5: 8D149D4E2098D39AF2320AB9BC4C8749
SHA-1: A4EE1F4DD2CEA2FF34B613ECEDD48811B2D7DB0F
========================================================

Files created
C:\WINDOWS\xxxxx.old
C:\WINDOWS\xxxxx.bak
C:\WINDOWS\xxxxx.dat
C:\Windows\system32\~.exe
C:\Windows\system32\xxxxx.bak
%temp%\xxxxx.tmp
Registry Modifications
Values Added
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
midi9 = "%System%\..\exjb.bak 0yAAAAAAAA"
midi9 = "%System%\..\ffxtt.bak 0yAAAAAAAA"
midi9 = "%System%\..\cwcsi.old 0yAAAAAAAA"
midi9 = "%System%\..\hmlfayb.dat 0yAAAAAAAA"
The path and file name may be changed to other names
(random path and file name)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs = 0x00000001

------------------------------------------------------------------------
* The path may be in other locations or under other names, for example:
C:\Documents and Settings\[UserName]\Local Settings\Temp\[Random]\bibcfbk.tmp
C:\Windows\rocfnx.bak
C:\Windows\WRPOP.OLD
C:\Windows\ectsyil.bak
C:\Windows\qkpf.old
C:\Windows\fmnvk.old
C:\Windows\ffxtt.bak
C:\Windows\akplbxj.old
C:\Windows\exjb.bak
C:\Windows\system32\~.exe
C:\Windows\system32\emqmu.bak

------------------------------------------------------------------------
Symptoms observed
The screen is black and only the mouse pointer is visible (Black Screen with mouse).
No Windows windows can be displayed.
Booting into Safe Mode shows the same symptom: the Windows desktop cannot be reached.
-----------------------------------------------------------------------
Antivirus products that detect it
a-squared 4.5.0.41 2009.10.23 Trojan.Win32.Daonol!IK
AhnLab-V3 5.0.0.2 2009.10.23 -
AntiVir 7.9.1.44 2009.10.23 TR/PSW.Kates.K.2
Antiy-AVL 2.0.3.7 2009.10.23 -
Authentium 5.1.2.4 2009.10.24 -
Avast 4.8.1351.0 2009.10.24 -
AVG 8.5.0.423 2009.10.23 -
BitDefender 7.2 2009.10.24 Trojan.PWS.Kates.F
CAT-QuickHeal 10.00 2009.10.23 -
ClamAV 0.94.1 2009.10.24 -
Comodo 2710 2009.10.24 Heur.Packed.Unknown
DrWeb 5.0.0.12182 2009.10.24 Trojan.MulDrop.39218
eSafe 7.0.17.0 2009.10.22 Win32.Infostealer.Da
eTrust-Vet 35.1.7082 2009.10.23 -
F-Prot 4.5.1.85 2009.10.23 -
F-Secure 9.0.15370.0 2009.10.22 -
Fortinet 3.120.0.0 2009.10.24 -
GData 19 2009.10.24 Trojan.PWS.Kates.F
Ikarus T3.1.1.72.0 2009.10.23 Trojan.Win32.Daonol
Jiangmin None 2009.10.23 -
K7AntiVirus 7.10.878 2009.10.23 -
Kaspersky 7.0.0.125 2009.10.24 Trojan-PSW.Win32.Kates.k
McAfee 5780 2009.10.23 -
McAfee+Artemis 5780 2009.10.23 Artemis!91CD16905468
McAfee-GW-Edition 6.8.5 2009.10.24 Trojan.PSW.Kates.K.2
Microsoft 1.5202 2009.10.23 Trojan:Win32/Daonol.H
NOD32 4537 2009.10.23 a variant of Win32/Daonol.L
Norman 6.03.02 2009.10.23 -
nProtect 2009.1.8.0 2009.10.24 -
Panda 10.0.2.2 2009.10.23 Trj/CI.A
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.24 High Risk System Back Door
Rising 21.52.50.00 2009.10.24 -
Sophos 4.46.0 2009.10.24 -
Sunbelt 3.2.1858.2 2009.10.24 -
Symantec 1.4.4.12 2009.10.24 Infostealer.Daonol
TheHacker 6.5.0.2.051 2009.10.22 -
TrendMicro 8.950.0.1094 2009.10.24 PAK_Generic.001
VBA32 3.12.10.11 2009.10.23 -
ViRobot 2009.10.23.2003 2009.10.23 -
VirusBuster 4.6.5.0 2009.10.23 -
-----------------------------------------------------------------------
How to remove virus: Win32/Daonal.L
-----------------------------------------------------------------------
Method 1:
1. Remove the infected hard disk and scan it on a machine with an up-to-date antivirus.
Since the virus keeps using random names and locations rather than fixed ones, any of NOD32, Kaspersky or Avira can be used.
2. Once you can get into Windows, also check the registry to see whether the Drivers32 key still contains midi9;
if it does, delete it:
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\midi9"
##################################################
Method 2:
1. Get a Hiren's BootCD and boot from it, choosing Mini PE or Mini XP,
or download it from this website:
http://www.hirensbootcd.net/ (185.80 MB)
http://d2.hirensbootcd.net/Hirens.BootCD.10.0.zip

2. Go to Start > Run, type regedit, and go to HKEY_LOCAL_MACHINE (HKLM).
3. From the File menu choose Load Hive.
4. Browse to c:\windows\system32\config, select the file named software, and give it any name, e.g. Fix.
5. Then go to HKLM\Fix\Microsoft\Windows NT\CurrentVersion\Drivers32,
find the value named midi9, and delete that value.
Example: "C:\DOCUME~1\user\LOCALS~1\Temp\..\bibcfbk.tmp 0yAAAAAAAA"

6. Restart the machine once and check whether Windows starts.
7. Use ATF Cleaner to delete the various temp files, update the antivirus, and scan the whole system.
###################################################
Method 3: (I used this method; it is free, and the download is only about 58 MB)
1. Download
Avira AntiVir Rescue System Date: 26 Oct 2009 - Version: 20091026191731
http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.exe
or
Avira AntiVir Rescue System Date: 26 Oct 2009 - Version: 20091026191731
http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.iso

2. I used the exe version: insert a blank CD, double-click rescue_system-common-en.exe,
then click the Burn CD button.


3. When the CD has been burned, restart and boot from the CD; the window shown in the picture appears.
Choose Boot: 1 (1 Boot Avira AntiVir Rescue System).

4. The window shown in the picture appears; choose Virus Scanner and click the Start Scanner button.


5. When the scan has finished, press Restart to reboot the machine.

*Once Windows starts, update the antivirus to the current definitions.

##################################################
Method 4:
1. Download the Dr.Web Live CD (69.8 MB); it is not very large, about the same as Avira, and also free.
ftp://ftp.drweb.com/pub/drweb/livecd/20091028042001/minDrWebLiveCD-5.0.0.iso

2. Burn it to a CD and boot from it.



3. Click Start on the green button at the bottom left, choose Dr.Web Scanner, select the drive, and run the scan.


4. When the scan has finished, restart the machine; once Windows starts, update the virus database to the current version as well.

###################################################

Method 5: this method is similar to the one used with Hiren's BootCD.
Download Active@ Boot Disk (Win Edition) Demo 4.1.8 (126 MB)
http://software.lsoft.net/BootDiskDemo-Setup.exe
http://download2.lsoft.net/BootDiskDemo-Setup.exe

1. Once the program has been downloaded and set up, register it with the name below:
Registered Name:
PeeTech thailand
Registration Key:
0NBBBJ-DWZ1DM-VUNRCJ-UZPUJZ-JMY6TX
Or register through the website by choosing Get key for free.

2. When the Active@ Boot Disk Creator window opens, choose the menu
Boot Disk Win Edition.


3. Choose Win CD/DVD Boot Disk, insert a CD/DVD, and choose Create!


The window shown in the picture appears; then click the Burn ISO button.

4. Once you have the Active@ Boot Disk, restart the machine and boot from the CD/DVD. A "Windows is loading files" message appears;
wait a moment until the window shown in the picture appears, then click OK (or adjust the settings if you wish).

After clicking OK you reach the Windows desktop of Active@ Boot Disk.

5. Open the Start (@) menu at the bottom left and choose Utilities > Registry Editor; the window shown below appears. Click
HKEY_LOCAL_MACHINE, then choose the File menu and select Load Hive.

Browse to C:\windows\system32\config, select the file named software, and name it Fix_BlackScreen_Virus.
5. Then go to HKLM\Fix_BlackScreen_Virus\Microsoft\Windows NT\CurrentVersion\Drivers32
and delete the value named midi9.

* Update 05/11/2009
In addition, also check the aux value to see whether it has been changed from wdmaud.drv, for example:
aux = "%System%\..\vauhrg.gfp"
aux = "%System%\..\nbshlbv.exb"
aux = "%System%\..\rvpd.bha"
aux = "%System%\..\sysxxxx.sys"
Change it back to wdmaud.drv (the original value): aux = wdmaud.drv


6. Restart; once Windows starts, update the antivirus and scan again.

Method 6 (update 19/11/2009)
This is Microsoft's method,
at this link:
http://www.microsoft.com/Security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FDaonol.I


Fix Tool from Kaspersky
KatesKiller
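The registry checks from Methods 1, 2 and 5 (Drivers32\midi9 and aux), together with the Explorer, NoDriveTypeAutoRun, Run-key and MADOWN values listed in every record on this page, as an added audit script. This is example code, not part of the blog or of PeeTechFix: it parses a regedit .reg export (for instance of a hive loaded from a rescue CD) and flags the documented patterns; the sample export is constructed, and the Run-value names are the ones recorded on this page.

```python
import re
from collections import defaultdict

# Registry paths (lower-cased for comparison) named in the records on this page.
DRIVERS32 = r"hkey_local_machine\software\microsoft\windows nt\currentversion\drivers32"
SHOWALL = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\advanced\folder\hidden\showall")
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
RUN_HKCU = r"hkey_current_user\software\microsoft\windows\currentversion\run"
MADOWN = r"hkey_local_machine\software\classes\clsid\madown"
# Run-value names used by the OnlineGames droppers documented on this page.
KNOWN_RUN_NAMES = {"cdoosoft", "coolsos", "dorfgwe", "nhkletd", "rwasds", "zhido"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def decode_data(data):
    """Decode the right-hand side of a .reg value line (dword and string only)."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data  # hex(...) blobs and other types are kept raw

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: value}} from a regedit export."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line[0] in " \t":  # continuation line of a multi-line hex blob
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current]  # record the key even when it has no values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = decode_data(m.group(2))
    return keys

def audit(keys):
    """Return human-readable findings for the tampering patterns on this page."""
    findings = []
    # Daonol persistence: Drivers32\midi9 / aux pointing at a renamed payload
    # (.bak/.old/.dat/.tmp reached via "%System%\..\") instead of a .drv file.
    for name in ("midi9", "aux"):
        val = keys.get(DRIVERS32, {}).get(name)
        if isinstance(val, str):
            target = val.split(" ", 1)[0]
            if "\\..\\" in target or not target.lower().endswith(".drv"):
                findings.append(f"Drivers32\\{name} loads a non-driver file: {val}")
    # Explorer settings forced so the dropped files stay invisible.
    if keys.get(SHOWALL, {}).get("checkedvalue") == 0:
        findings.append("SHOWALL\\CheckedValue=0: 'Show hidden files' option disabled")
    adv = keys.get(ADVANCED, {})
    if adv.get("hidden") == 2:
        findings.append("Explorer\\Advanced\\Hidden=2: hidden files are not shown")
    if adv.get("showsuperhidden") == 0:
        findings.append("Explorer\\Advanced\\ShowSuperHidden=0: protected OS files hidden")
    # Bit 0x04 of NoDriveTypeAutoRun covers removable drives; when it is clear,
    # autorun.inf on a USB stick is honoured. 0xFF disables autorun everywhere.
    ndt = keys.get(POLICIES, {}).get("nodrivetypeautorun")
    if isinstance(ndt, int) and not ndt & 0x04:
        findings.append(f"NoDriveTypeAutoRun=0x{ndt:02X}: autorun still enabled for removable drives")
    # HKCU Run entries launching from a Temp directory, or with a name seen here.
    for name, cmd in keys.get(RUN_HKCU, {}).items():
        if name in KNOWN_RUN_NAMES or (isinstance(cmd, str) and re.search(r"%temp%|\\temp\\", cmd, re.I)):
            findings.append(f"Run\\{name} = {cmd}")
    if MADOWN in keys:
        findings.append(f"Classes\\CLSID\\MADOWN present, urlinfo={keys[MADOWN].get('urlinfo')!r}")
    return findings

# Constructed sample export: an infected XP profile as described in these records.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"midi9"="C:\\WINDOWS\\system32\\..\\exjb.bak 0yAAAAAAAA"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"cdoosoft"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\herss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
"urlinfo"="dsa2xsa.r"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live machine the same export is produced with `reg export HKLM\SOFTWARE hklm-software.reg` (or regedit's File > Export), and a loaded hive can be exported under the name it was given in Load Hive.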

How to remove hjvjte.exe

hjvjte.exe , wcgswa.exe , herss.exe , se12ydam.exe
Files size 115,054 bytes
MD5: 67E7F6CD5C200F0E921C9439941D04E4

SHA-1: 0A01B541005A57F195DE20CF8EE94EBCD31C8A86
==================================================
Files created
C:\Documents and Settings\[UserName]\Local Settings\temp\herss.exe
C:\Documents and Settings\[UserName]\Local Settings\temp\cvasds0.dll (0-9)
X:\hjvjte.exe
X:\wcgswa.exe
X:\autorun.inf
X:\se12ydam.exe (update 30/10/2009)

Remote Host
218.59.144.136 port 80
218.59.144.139 port 80
218.59.144.131 port 80

Registry Modifications
Key Added

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN

Values Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\ urlinfo : "dsa2xsa.q"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft : "%Temp%\herss.exe"

URL to be downloaded (update 30/10/2009)
http://www.googlei9p.com/1mg/am1.rar > %temp%/am1.exe
http://www.sina96l.com/1mg/am.rar > %temp%/am.exe
http://www.googlec45.com/1mg/am1.rar > %temp%/am1.exe
http://www.sina96l.com/1mg/am.rar %temp%/am.exe

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091
-------------------------------------------------------------------------
How to remove virus: hjvjte.exe, wcgswa.exe, se12ydam.exe
-------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGame AVDB-008

Monday

How to remove eexyv.exe ,9jyhdim8.exe (2)

9jyhdim8.exe , herss.exe , eexyv.exe (2) New
Files size : 114,244 bytes
File MD5: C017ADBB0390B20C21B4DB272B3E83E5
File SHA-1: 85001FD655245819AD438A80A8B9203AEFC92E8D

===================================================
The report posted earlier is at the link below:
9jyhdim8.exe , herss.exe , w3.exe * (1) Old
Filesize: 116,840 bytes *
File MD5: FBDD72C49D0C92FA3C6F25ABCAF9A687 *

File SHA-1: 7916C3B3F00E20F1700AF83866DBE26B1F38028D *
http://hotzone-it.blogspot.com/2009/10/how-to-remove-9jyhdim8exe.html
===================================================
Created files
C:\Documents and Settings\[User]\Local Settings\temp\herss.exe
C:\Documents and Settings\[User]\Local Settings\temp\cvasds0.dll (0-9)
X:\9jyhdim8.exe
X:\autorun.inf
X:\eexyv.exe


URL to be downloaded
http://www.googlecai.com/1mg/am1.rar > %temp%\am1.rar > am1.exe
http://www.googlei9p.com/1mg/am.rar > %temp%\am.rar > am.exe

Keys added
HKLM\SOFTWARE\Classes\CLSID\MADOWN

Values added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo: "dsa2xsa.p"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft: "%Temp%\herss.exe"


Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091
-------------------------------------------------------------------------
How to remove virus: 9jyhdim8.exe, eexyv.exe
-------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGame AVDB-008

-------------------------------------------------------------------------

How to remove jj2.com

jj2.com , uret463.exe
File sizes 102,218 bytes
MD5: F39863543C2E4909C08A0896E37783B3
SHA-1: 999CDC3DE17775784A369CC70170385D464CE289

==================================================
Files created
C:\WINDOWS\system32\uret463.exe
C:\WINDOWS\system32\lhgjyit0.dll (0-9)
X:\autorun.inf
X:\jj2.com

File deleted
C:\WINDOWS\system32\drivers\cdaudio.sys

URLs to be downloaded
http://xsderfgbn.com/xjj/cc1.rar
http://iytgfvcxs.com/xjj/cc.rar


Registry Modifications
Keys Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN
HKLM\SYSTEM\ControlSet001\Services\AVPsys
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum

Values Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN
urlinfo = "eftsdr.h"

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\ControlSet001\Services\AVPsys
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum\
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security\
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
dorfgwe = "%System%\uret463.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091
-------------------------------------------------------------------------
How to remove virus: jj2.com
-------------------------------------------------------------------------
Download: PeeTechFix-Win32/PSW.OnlineGames 2.0.5

1. Run PeeTechFix-Win32/PSW.OnlineGames 2.0.5
2. Restart the machine once

Sunday

how to remove s3ek.exe

s3ek.exe , herss.exe
File sizes 115,522 bytes
MD5: 914E9BEBA66C22CA99B4CE2CD7B86BFE

SHA-1: 9767E147BEFFC87C3009D85A9439A19AC068961F
====================================================
Files Created
C:\Documents and Settings\[Username]\Local Settings\temp\herss.exe
C:\Documents and Settings\[Username]\Local Settings\temp\cvasds0.dll (0-9)
X:\s3ek.exe
X:\autorun.inf

URL to be downloaded
http://www.ckios0.com/1mg/am1.rar > %Temp%\am1.rar > am1.exe

Registry Modifications

Values added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft: "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091
-------------------------------------------------------------------------
How to remove virus: s3ek.exe
-------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames 2.0.5

How to remove ctu8r.exe

ctu8r.exe , herss.exe
File sizes 118,651 bytes

MD5: 16FF127359A9F608ABDE1B54AC746010
SHA-1: 666C871B952C90FCE99B6FD7297E182D6B21D46F

====================================================
Files Created
C:\Documents and Settings\[Username]\Local Settings\temp\herss.exe
C:\Documents and Settings\[Username]\Local Settings\temp\cvasds0.dll (0-9)
X:\ctu8r.exe
X:\autorun.inf

URL to be downloaded
http://www.yahoosdw.com/1mg/am1.rar > %Temp%\am1.rar > am1.exe

Registry Modifications

Values added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft: "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091
-------------------------------------------------------------------------
How to remove virus: ctu8r.exe
-------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames 2.0.5

Saturday

How to remove vlvtdflx.exe

vlvtdflx.exe , herss.exe
Files size 114,819 bytes
MD5: F87EA91860680A40FE4F481DED44A4DA
SHA-1: D9A7913B2614D8A7574A7ABCE5D13358DB7D5BF5

===================================================
Files created
C:\Documents and Settings\[User]\Local Settings\temp\herss.exe
C:\Documents and Settings\[User]\Local Settings\temp\cvasds0.dll (0-9)
X:\vlvtdflx.exe
X:\autorun.inf

URL to be downloaded
http://www.yahoogf2.com/1mg/am1.rar > %Temp%\am1.rar > am1.exe

Registry Modifications
Value Added:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft : "%Temp%\herss.exe"

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091
-------------------------------------------------------------------------
How to remove virus: vlvtdflx.exe
-------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGame

1. Run PeeTechFix-Win32/PSW.OnlineGame

Thursday

AVDB-007 Update

22/10/2009
PeeTechFix-Win32/PSW.OnlineGames 2.0.5 AVDB-007 New !
===================================================

how to remove yphgx8.cmd

yphgx8.cmd
File size 107,860 bytes
MD5: 0x4FEAEC5E868AC773A1F08970CEEFC8E5

SHA-1: 0x575741BE76AE8688518FFF3B7B5B91537B103316
===================================================
Files created
C:\WINDOWS\system32\weidfsg.exe
C:\WINDOWS\system32\dsewtds0.dll
X:\yphgx8.cmd
X:\autorun.inf

Registry Modifications
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
nhkletd = "%System%\weidfsg.exe"

URL to be downloaded
http://mjvd9.com/rbv/uu.rar > %Temp%\uu.rar > uu.exe

Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDriveTypeAutoRun: 0x00000091
------------------------------------------------------------------------
How to remove virus: yphgx8.cmd
------------------------------------------------------------------------
Download Fix Tool :
PeeTechFix-Win32/PSW.OnlineGame AVDB-007

*If you have downloaded the program and have problems with it, or it cannot remove the virus,
please report it to analysis.malware@gmail.com so it can be fixed and improved, or send the
virus file as well; I would be very grateful.
See how to send it here:
http://hotzone-it.blogspot.com/2009/07/virus_14.html

Tuesday

How to remove huwesa.exe

huwesa.exe
File size 104,084 bytes
MD5: 487404BD9902B8C44E6F8C751719F681

SHA-1: CFFCDD8B67F6CECEAB5E043520D51F22ED8F02FB
==================================================
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\843wee0.dll (0-9)
C:\Documents and Settings\[UserName]\Local Settings\Temp\huwesa.exe

File deleted
C:\WINDOWS\system32\drivers\cdaudio.sys

Registry Modifications
Keys Added:
HKLM\SYSTEM\ControlSet001\Services\AVPsys
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum

Values Added
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\ControlSet001\Services\AVPsys
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum
Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\cdaudio.sys"
DisplayName = "AVPsys"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
rwasds = "%Temp%\huwesa.exe"


URL to be downloaded
http://cdfgge.net/1tw/a11.rar > %Temp%\a11.rar

---------------------------------------------------------------------
How to remove virus: huwesa.exe
---------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames

AVDB-006 Update

-------------------------------------------------------------------------
PeeTechFix-Win32/PSW.OnlineGames 2.0.5
AVDB-006 (update 20/10/2009)
-------------------------------------------------------------------------

Friday

How to remove AT9Jg05.exe

AT9Jg05.exe , svchost.exe
File size : 200,704 bytes
MD5: 25BD230AE46B86F485F8FBA49126A168

SHA-1: DF1BF1E0039BAE4D9B17B7C5567A9C41D04A3C3C
===================================================
Files created
C:\Documents and Settings\[UserName]\Application Data\microsoft\svchost.exe
C:\AT9Jg05.exe

Registry Modifications
Value Added:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
svchost.exe : "%AppData%\Microsoft\svchost.exe"

Remote Host
epikpanda.info port 3085

Open port
1034 , 1035 , 1038 , 1039
(TCP)

------------------------------------------------------------------------
Removal procedure : AT9Jg05.exe
------------------------------------------------------------------------
1. Open Security Task Manager and end the svchost.exe process that runs from this path:
C:\Documents and Settings\[UserName]\Application Data\microsoft\svchost.exe

2. Delete these files:
C:\Documents and Settings\[UserName]\Application Data\microsoft\svchost.exe
C:\AT9Jg05.exe

3. Open HijackThis, select the "Open the misc tool section" menu, and fix the entry on this line:
O4 - HKCU\..\Run: [svchost.exe] %AppData%\Microsoft\svchost.exe

How to remove ek.com

ek.com
File size : 116,664 bytes
MD5: 092DDC2BFB9E81138CD9A23E4DE85418

SHA-1: 2F757A2BFAAF85C3FFF45021EEAC2E5B50799E96
==================================================
Files created
X:\ek.com
X:\autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll (0-9)
C:\Documents and Settings\Administrator\Local Settings\Temp\ra2m5a.dll

Kernel-mode driver installed :
C:\WINDOWS\system32\wincab.sys

Kernel-mode system service functions hooked:
NtEnumerateKey
NtEnumerateValueKey
NtOpenProcess

Registry Modifications
Keys Added:

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SDRTYX
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SDRTYX\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SDRTYX\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRTYX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRTYX\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRTYX\0000\Control

Values Added:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SDRTYX\0000\Control\
*NewlyCreated* : 0x00000000
ActiveService : "sdrtyx"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SDRTYX\0000\
Service : "sdrtyx"
Legacy : 0x00000001
ConfigFlags : 0x00000000
Class : "LegacyDriver"
ClassGUID : "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc : "sdrtyx"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SDRTYX\
NextInstance : 0x00000001

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRTYX\0000\Control\
*NewlyCreated* : 0x00000000
ActiveService : "sdrtyx"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRTYX\0000\
Service : "sdrtyx"
Legacy : 0x00000001
ConfigFlags : 0x00000000
Class : "LegacyDriver"
ClassGUID : "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc : "sdrtyx"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRTYX\
NextInstance : 0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
kava : "%System%\kavo.exe"

Values Modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
-----------------------------------------------------------------------
Removal procedure : ek.com
-----------------------------------------------------------------------
1. Restart into Safe Mode, then run PeeTechFix-win32/PSW.OnlineGame 2.05 AVDB-005
2. Delete the following files:
X:\ek.com
C:\WINDOWS\system32\wincab.sys

3. Click Start > Run, type regedit, then delete these keys:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SDRTYX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRTYX
------------------------------------------------------------------------
Automatic removal
Download Fix Tool : PeeTechFix-win32/PSW.OnlineGame 2.05 AVDB-006

This entry is still being written; please be patient. Update coming soon.

Thursday

How to remove ljnhwt.bat

ljnhwt.bat , yudald.bat
File size : 116,812 bytes
MD5: F1BAE35D296930D2076B9D84BA0C95EA

SHA-1: 9BC4F0C1CBCA3718342BBCAAE2E7BEA759BBFFEE
==================================================
Files created
C:\WINDOWS\system32\olhrwef.exe
C:\WINDOWS\system32\nmdfgds0.dll (0-9)
X:\ljnhwt.bat
X:\yudald.bat
X:\autorun.inf

Remote Host
221.1.204.243 port 80

URL identified
http://ghterwa.com/xmfx/help1.rar
http://ghterwa.com/xmfx/help.rar

Registry Modifications
Keys Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN
HKLM\SYSTEM\ControlSet001\Services\AVPsys
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum

Values Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\
urlinfo : "mcjhjk.v"

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum\
Count : 0x00000000
NextInstance : 0x00000000
INITSTARTFAILED : 0x00000001

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security\
Security : 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\ControlSet001\Services\AVPsys\
Type : 0x00000001
Start : 0x00000003
ErrorControl : 0x00000001
ImagePath : "%System%\drivers\cdaudio.sys"
DisplayName : "AVPsys"

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum\
Count : 0x00000000
NextInstance : 0x00000000
INITSTARTFAILED : 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security\
Security : 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\
Type : 0x00000001
Start : 0x00000003
ErrorControl : 0x00000001
ImagePath : "%System%\drivers\cdaudio.sys"
DisplayName : "AVPsys"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
cdoosoft : "%System%\olhrwef.exe"

Values Modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

------------------------------------------------------------------------
Removal procedure : ljnhwt.bat
------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames 2.0.5

1. Run PeeTechFix-Win32/PSW.OnlineGames 2.0.5
2. Delete the files ljnhwt.bat and yudald.bat from every root drive (C:\ - Z:\)

Tuesday

How to remove k2d8j3wa.bat

k2d8j3wa.bat
File size : 321,024 bytes
MD5: 64D35A19ABB5796C2643F4B3A28AA89A

SHA-1: E13A51D550D5BF273D7907D0DA8F713E9ED576C8
===================================================
Files created
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll (0-9)
X:\k2d8j3wa.bat
X:\autorun.inf

URL to be downloaded
http://www.vjccc.com/hp/zz.rar > %Temp%\zz.rar

Registry Modifications
Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
kava : "%System%\kavo.exe"

Values Modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
------------------------------------------------------------------------
Removal procedure : k2d8j3wa.bat
------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames 2.0.5

1. Run PeeTechFix-Win32/PSW.OnlineGames 2.0.5
2. Delete the file k2d8j3wa.bat from every root drive (C:\ - Z:\)

How to remove dsad11.exe

dsad11.exe
File size : 33,800 bytes
MD5: 0x80FD86FF4C432D56DDB1B40F658FA235

SHA-1: 0xED5D5EC1D1BC3D4DA38B89266B4B1E2926AC55B6
===================================================
Files created
C:\WINDOWS\system32\afxmgdvr.dll
C:\WINDOWS\system32\vyrkkwkp.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\
3.tmp
dsad11.exe
***********************jfh.exe
***********************.txt

Registry Modifications
Keys Added
HKLM\SOFTWARE\Classes\CLSID\{A51CEFB0-39D2-40f4-81D6-6ADE3EF4C633}
HKLM\SOFTWARE\Classes\CLSID\{A51CEFB0-39D2-40f4-81D6-6ADE3EF4C633}\InProcServer32

Values Added
HKLM\SOFTWARE\Classes\CLSID\{A51CEFB0-39D2-40f4-81D6-6ADE3EF4C633}\InProcServer32\
(Default) : "%System%\afxmgdvr.dll"
ThreadingModel : "Apartment"
(Default) : "%System%\vyrkkwkp.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
ShellExecuteHooks\{A51CEFB0-39D2-40f4-81D6-6ADE3EF4C633} = ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
vyrkkwkp.dll : "{A51CEFB0-39D2-40f4-81D6-6ADE3EF4C633}"
afxmgdvr.dll : "{A51CEFB0-39D2-40f4-81D6-6ADE3EF4C633}"

-------------------------------------------------------------------------
Removal procedure : dsad11.exe
-------------------------------------------------------------------------
Download Fix Tool : PeeTech-FixDsad11.zip

*If it cannot be cleaned, try running the tool in Safe Mode

How to remove bjj3iccf.com

bjj3iccf.com
File size : 110,982 bytes
MD5: 019754382A500D00DE70F0E242689CCD
SHA-1: 31AB2869863E313383CB59B98E1F81EB14B1B25C
===================================================
Files created
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll (0-9)
X:\bjj3iccf.com
X:\autorun.inf

Remote Host
221.1.222.109 Port 80
URL identified
http://www.fr5th.com/hp/zz.rar

Registry Modifications
Key Added

HKLM\SOFTWARE\Classes\CLSID\MADOWN

Values Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo : "xfcswa.i"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
kava : "%System%\kavo.exe"

Values Modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000

------------------------------------------------------------------------
Removal procedure : bjj3iccf.com
------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames 2.0.5

1. Run PeeTechFix-Win32/PSW.OnlineGames 2.0.5
2. Delete the file bjj3iccf.com from every root drive (C:\ - Z:\)

How to remove lyhwcea.exe

lyhwcea.exe , uret463.exe
File size : 124,868 bytes
MD5: 0F570FF4EDEAED820E4DED5E458001D0
SHA-1: EE8EEB6364E13C30626DC036CA1DA63B4447C9F4

===================================================
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\uret463.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\lhgjyit0.dll (0-9)
C:\lyhwcea.exe
C:\autorun.inf

URL to be downloaded
http://vfgr4.com/1tw/at1.rar > %Temp%\at1.rar

Registry Modifications
Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
dorfgwe = "%Temp%\uret463.exe"

Values Modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000000

------------------------------------------------------------------------
Removal procedure : lyhwcea.exe , uret463.exe
------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames 2.0.5

1. Run PeeTechFix-Win32/PSW.OnlineGames 2.0.5

2. Use HijackThis to check and fix this line:
O4 - HKCU\..\Run: [dorfgwe] %Temp%\uret463.exe

3. Delete the file lyhwcea.exe from every root drive (C:\ - Z:\)

Note: this will be added in the Fix-NVDB-006 update.

How to remove il0byu3h.com

il0byu3h.com , rttrwq.exe
File size : 105,003 bytes
MD5: 36E7D4735C888CD24E1732C1A499910D

SHA-1: A6E8B3017CAFD22BCF2BE34A91326B65BB696F68
===================================================
Files created
C:\WINDOWS\system32\rttrwq.exe
C:\WINDOWS\system32\mkfght0.dll (0-9)
X:\il0byu3h.com
X:\autorun.inf

Registry Modifications
Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
ertyuop = %System%\rttrwq.exe

Values Modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000000

URL to be downloaded
http://mgaazz.com/xxc/ddr.rar > %System%\ddr.exe
http://www.cfdr5.com/hp/zz.rar > %Temp%\zz.rar

------------------------------------------------------------------------
Removal procedure : il0byu3h.com , rttrwq.exe
------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames 2.0.5

1. Run PeeTechFix-Win32/PSW.OnlineGames 2.0.5

Manual delete
2. Use HijackThis to check and fix this line:
O4 - HKCU\..\Run: [ertyuop] %System%\rttrwq.exe

3. Delete the file il0byu3h.com from every root drive (C:\ - Z:\)

Note: this will be added in the Fix-NVDB-006 update (I have been fairly busy with work lately).

How to remove u3uvew6.bat

u3uvew6.bat ,ierdfgh.exe
File size : 105,098 bytes
MD5: 16B3D5192BFD9077EF60B17D0CB12589

SHA-1: A64D3E01C4EFE17535383C0621BD6CC65A6BCF71
==================================================
Files created
C:\WINDOWS\system32\ierdfgh.exe
C:\WINDOWS\system32\pytdfse1.dll
C:\Documents and Settings\[UserName]\Local Settings\Temp\xvassdf.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\4tddfwq0.dll (0-9)
C:\u3uvew6.bat
C:\autorun.inf

File deleted
C:\WINDOWS\system32\drivers\cdaudio.sys

Remote Host
221.1.204.245 port 80

URL identified
http://fgtrtyuo.com/xrbv/uu1.rar
http://sfdght.com/xrbv/uu.rar

Registry Modifications
Keys Added

HKLM\SOFTWARE\Classes\CLSID\MADOWN
HKLM\SYSTEM\ControlSet001\Services\AVPsys
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security
HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum

Values Added
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo : "qaswee.e"
HKLM\SYSTEM\ControlSet001\Services\AVPsys\Enum\
Count : 0x00000000
NextInstance : 0x00000000
INITSTARTFAILED : 0x00000001

HKLM\SYSTEM\ControlSet001\Services\AVPsys\Security\
Security : 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\ControlSet001\Services\AVPsys\
Type : 0x00000001
Start : 0x00000003
ErrorControl : 0x00000001
ImagePath : "%System%\drivers\cdaudio.sys"
DisplayName : "AVPsys"

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Enum\
Count : 0x00000000
NextInstance : 0x00000000
INITSTARTFAILED : 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\Security\
Security : 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKLM\SYSTEM\CurrentControlSet\Services\AVPsys\
Type : 0x00000001
Start : 0x00000003
ErrorControl : 0x00000001
ImagePath : "%System%\drivers\cdaudio.sys"
DisplayName : "AVPsys"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
kxswsoft : "%System%\ierdfgh.exe"
54dfsger : "%Temp%\xvassdf.exe"

Values Modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
------------------------------------------------------------------------
Removal procedure : u3uvew6.bat , ierdfgh.exe
------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames 2.0.5

1. Run PeeTechFix-Win32/PSW.OnlineGames 2.0.5

2. Use HijackThis to check and fix these lines:
O4 - HKCU\..\Run: [kxswsoft] "%System%\ierdfgh.exe"
O4 - HKCU\..\Run: [54dfsger] "%Temp%\xvassdf.exe"

3. Delete the file u3uvew6.bat from every root drive (C:\ - Z:\)
4. Restart once

Note: the fix will be added in the Fix-NVDB-006 update.

How to remove obg.exe

obg.exe , uret463.exe

File size : 118,352 bytes
MD5: 98529588AED40D2B0324A1D5302332C6

SHA-1: 7065A171886C82371CA01AFF6066772B2B6DD68A
===================================================
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\uret463.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\lhgjyit0.dll (0-9)
X:\obg.exe
X:\autorun.inf

URL to be downloaded
http://swer1.com/1tw/at1.rar > %Temp%\at1.rar > at1.exe

Registry Modifications
Value Added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dorfgwe = "%Temp%\uret463.exe"

Values Modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000000
------------------------------------------------------------------------
Removal procedure : obg.exe , uret463.exe
------------------------------------------------------------------------
Download Fix Tool : PeeTechFix-Win32/PSW.OnlineGames 2.0.5

1. Run PeeTechFix-Win32/PSW.OnlineGames 2.0.5

Manual delete
2. Use HijackThis to check and fix this line:
O4 - HKCU\..\Run: [dorfgwe] %Temp%\uret463.exe

3. Delete the file obg.exe from every root drive (C:\ - Z:\)
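All the reports on this page describe the same changes: an HKCU Run value for persistence, three Explorer values flipped to hide the dropped files, a driver, service or shell-hook key in some samples, and a dropper beside autorun.inf on every drive root. The PowerShell audit below is an added example, not the blog's PeeTechFix tool or any code from this page; it checks a machine for exactly the value names, paths and CLSID quoted in the reports above and, when run with -Remediate, restores the three Explorer values and removes the flagged Run values (it assumes PowerShell 2.0 or later in an elevated session).

```powershell
# Added audit script (not the blog's PeeTechFix tool). Read-only unless run with -Remediate.
# Value names, paths and the CLSID below are quoted from the reports on this page.
param(
    [switch]$Remediate,
    # Run value names the reports attribute to the samples
    [string[]]$SuspectRunNames = @('svchost.exe','kava','cdoosoft','dorfgwe','ertyuop','kxswsoft','54dfsger'),
    # Dropper names the reports place on every root drive, plus autorun.inf
    [string[]]$SuspectRootFiles = @('autorun.inf','ek.com','ljnhwt.bat','yudald.bat','k2d8j3wa.bat',
        'bjj3iccf.com','lyhwcea.exe','il0byu3h.com','u3uvew6.bat','obg.exe','AT9Jg05.exe')
)
$findings = @()
# 1. Every sample flips the three Explorer values that control hidden-file display.
#    A value of 1 shows hidden and system files; the samples set them to 0, 2 and 0.
$explorer = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden' }
)
foreach ($e in $explorer) {
    $cur = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($cur -ne 1) {
        $findings += "Explorer hidden-file setting not 1: $($e.Key)\$($e.Name) = $cur"
        if ($Remediate) { Set-ItemProperty -Path $e.Key -Name $e.Name -Value 1 -Type DWord }
    }
}
# 2. HKCU Run persistence: the value names from the reports, anything launched from
#    %Temp%, and an "svchost.exe" that is not the real one under System32.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider noise
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        $bad = ($SuspectRunNames -contains $p.Name) -or
               ($cmd -match '(?i)%temp%|\\Local Settings\\Temp\\') -or
               ($cmd -match '(?i)svchost\.exe' -and $cmd -notmatch '(?i)\\system32\\')
        if ($bad) {
            $findings += "Suspicious Run value: $($p.Name) = $cmd"
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}
# 3. Driver, service and shell-hook keys from the ek.com, ljnhwt.bat, u3uvew6.bat and
#    dsad11.exe reports. Reported only: the page removes these by hand in Safe Mode.
$clsid = '{A51CEFB0-39D2-40f4-81D6-6ADE3EF4C633}'
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRTYX',
        'HKLM:\SYSTEM\CurrentControlSet\Services\AVPsys',
        'HKLM:\SOFTWARE\Classes\CLSID\MADOWN',
        "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
foreach ($k in $keys) {
    if (Test-Path -Path $k) { $findings += "Malicious registry key present: $k" }
}
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
foreach ($k in $hooks) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -eq $clsid -or [string]$p.Value -eq $clsid) {
            $findings += "dsad11.exe CLSID registered under $k (value $($p.Name))"
        }
    }
}
# 4. Droppers and autorun.inf on the root of every drive (the reports say C:\ to Z:\).
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($f in $SuspectRootFiles) {
        $path = Join-Path -Path $d.Root -ChildPath $f
        if (Test-Path -LiteralPath $path) { $findings += "Dropper on drive root: $path" }
    }
}
if ($findings.Count -eq 0) { 'No indicators from these reports were found.' } else { $findings }
```

Run it once without -Remediate to review the findings, then again with -Remediate; the driver, service and CLSID keys it reports are still removed by hand as the procedures above describe.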
