"Malware Fix: a collection of fixes for computer virus problems, a project to do good for society" "Because of work obligations, I must apologise to every visitor who comes here and finds no update for new viruses."

Information

http://malwarefighting.blogspot.com


Warning! Crypt0L0cker (Ransomware)
encrypts the data on the computer; it is spreading in Thailand
and spreading heavily in Korea
ThaiCERT, Crypto Prevention Tool

*Do not pay under any circumstances: you will lose the money and still not get the data back.
Please share this with anyone who reads it.
http://hotzone-it.blogspot.com/2015/07/how-to-remove-crypt0l0cker-not.html
==============================================
PeeTechFix >> JupiterFix
==============================================

How to use: JupiterFix-Win32.PSW.OnlineGames
You can check the list of viruses the program can clean in VirusList.txt
-------------------------------------------------------------------------------------
If you have downloaded a PeeTechFix tool and run into a problem, or it cannot remove the virus, please report it by email to MalwareHunter.info@gmail.com, or send the virus file as well; I would be very grateful.
-------------------------------------------------------------------------------------
Safemode Recovery (.reg): fixes the problem where a virus deletes the SafeBoot key so that Safe Mode can no longer be entered
------------------------------------------------------------------------------------
How to fix the error message (fixes being unable to open .exe files on a USB drive)
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
See this link for the fix.
-------------------------------------------------------------------------------------
How to fix MSN / Windows Live Messenger disconnects (caused by the OnlineGames virus)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode


Thursday

How to remove Swucua.exe

File used for testing: Crack_Play.2.Emulator.45059.exe
http://peetech-malwareupdate.blogspot.com/2010/03/48d6344df7358095a2b18f73edccf898.html
------------------------------------------------------------------------------------------------------
Swucua.exe
File size: 172544 bytes
MD5: d6a3a079149ecec7eab9873db6a5441a
SHA1: 80186c1d8951a9bb47cb4be041942c5fc2e598a0
===================================================

Antivirus | Version | Last Update | Result
a-squared | 4.5.0.50 | 2010.03.18 | -
AhnLab-V3 | 5.0.0.2 | 2010.03.18 | -
AntiVir | 8.2.1.194 | 2010.03.18 | -
Antiy-AVL | 2.0.3.7 | 2010.03.18 | -
Authentium | 5.2.0.5 | 2010.03.18 | W32/FraudPack.E!Generic
Avast | 4.8.1351.0 | 2010.03.18 | -
Avast5 | 5.0.332.0 | 2010.03.18 | -
AVG | 9.0.0.787 | 2010.03.18 | -
BitDefender | 7.2 | 2010.03.18 | -
CAT-QuickHeal | 10.00 | 2010.03.18 | -
ClamAV | 0.96.0.0-git | 2010.03.18 | -
Comodo | 4304 | 2010.03.18 | -
DrWeb | 5.0.1.12222 | 2010.03.18 | -
eSafe | 7.0.17.0 | 2010.03.17 | -
eTrust-Vet | 35.2.7372 | 2010.03.18 | Win32/FakeAlert.C!generic
F-Prot | 4.5.1.85 | 2010.03.17 | W32/FraudPack.E!Generic
F-Secure | 9.0.15370.0 | 2010.03.18 | Suspicious:W32/Malware!Gemini
Fortinet | 4.0.14.0 | 2010.03.18 | -
GData | 19 | 2010.03.18 | -
Ikarus | T3.1.1.80.0 | 2010.03.18 | -
Jiangmin | 13.0.900 | 2010.03.18 | -
K7AntiVirus | 7.10.1000 | 2010.03.17 | -
Kaspersky | 7.0.0.125 | 2010.03.18 | -
McAfee | 5923 | 2010.03.17 | -
McAfee+Artemis | 5923 | 2010.03.17 | -
McAfee-GW-Edition | 6.8.5 | 2010.03.18 | Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft | 1.5605 | 2010.03.17 | -
NOD32 | 4954 | 2010.03.18 | -
Norman | 6.04.09 | 2010.03.18 | -
nProtect | 2009.1.8.0 | 2010.03.18 | -
Panda | 10.0.2.2 | 2010.03.17 | -
PCTools | 7.0.3.5 | 2010.03.18 | -
Prevx | 3.0 | 2010.03.18 | High Risk Cloaked Malware
Rising | 22.39.03.04 | 2010.03.18 | -
Sophos | 4.51.0 | 2010.03.18 | Sus/UnkPack-C
Sunbelt | 5949 | 2010.03.18 | -
Symantec | 20091.2.0.41 | 2010.03.18 | Suspicious.Insight
TheHacker | 6.5.2.0.236 | 2010.03.18 | -
TrendMicro | 9.120.0.1004 | 2010.03.18 | TROJ_RENOS.SMPE
VBA32 | 3.12.12.2 | 2010.03.17 | -
ViRobot | 2010.3.18.2234 | 2010.03.18 | -
VirusBuster | 5.0.27.0 | 2010.03.17 | -

-----------------------------------------------------------------------------------
Files Added
%Temp%\Sfb.exe
%Temp%\Sfc.exe
%Temp%\Sfd.exe
%system%\sshnas21.dll
%WinDir%\Swucua.exe

%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp
%system% = C:\Windows\System32
%WinDir% = C:\Windows

Keys added
HKLM\SYSTEM\ControlSet001\Services\SSHNAS
HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters
HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Security
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Security
HKCU\Software\Microsoft\Handle
HKCU\Software\TOY5KNQ8OC
HKCU\Software\WEK9EMDHI9
HKCU\Software\XML

Values added
HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters\
ServiceDll: "C:\WINDOWS\system32\sshnas21.dll"

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Type: 0x00000020
HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\SSHNAS\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SSHNAS\
ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\DisplayName: "SSHNAS"
HKLM\SYSTEM\ControlSet001\Services\SSHNAS\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters\
ServiceDll: "C:\WINDOWS\system32\sshnas21.dll"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Type: 0x00000020
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\
ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\DisplayName: "SSHNAS"
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\ObjectName: "LocalSystem"
HKCU\Software\Microsoft\Handle\3: "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"

HKCU\Software\Microsoft\Handle\7: "z/Taa/pl0NCrJEynBu9+nW4cKDQAzbpLN370kRnSdoRFI/y8FssFAJj92Jmt0pfo3KLxtSZcIZmLSNG0S6N4CYZchE6WAra3DBKT5K1Rw1kVdcK0AC36/6h11zmVZ48Xvk0dxXMHB+RXj6A4DSaMzq9T/FJYybxc7K+T7PCxw0Fd+UtjyqwoD34SzQye9W6i8cdZ5R0prC0V28U="

HKCU\Software\Microsoft\Handle\5: "z/DcO5EGvtLTXCm7FPhmgDwcNWID0/R+VgSJ5APKWrFlEp37Tc8HVcO7z5H2w5/qh/jwvmUDJoTHA5yBZsAZGM8BnQL3NrKBcFyKtqYUxwtEbpG0UX/5hIhD7x2gAcUMpB8Z1n0oLMV5rpNNBj2VkeEetw9HyKAN7OG9n63igRtA+AZAsM1kJ1FA0USO8z++k6NH6h00uzsIgdmNQ2SiXY0tIatZmZJpcZz4LIwH+nghDQEFlDVvvfe2rV6zhOvfsn69s0qlNNl3vY8IEDEQa/3yh02hWbzLiPIWk1WQf9dWFOAG+r7ZNcl0jj4PG2d5gBCBUM8aGfQUD2VptsuI7CmDyrNjGQDi7eVt4c2mwbBA2524zCJOEQOmrvI0wQ5OkOwzpj7qKzmXTMoC1URSbRM="

HKCU\Software\Microsoft\Handle\8: 0xFFFFFFFF
HKCU\Software\Microsoft\Handle\6: 0xFFFFFFFF
HKCU\Software\Microsoft\Handle\4: 0x00000005
HKCU\Software\Microsoft\Handle\12: 0x01B2AAB8
HKCU\Software\TOY5KNQ8OC\Sk2: "xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Ek/n4gL8s8xs9LeD5KQVh3/j+XFbG3/8Bu5aiMqJVRVcQF7oop6V/nqCjgd83M9F4qOfs643eYxlxdOozwYgVD/95cSbnPGmAgVyQBmtbRWERa5lEWedN4LRl+dUrJAIwPZUYH14pK+/NJlrNxLjI/AC20YeKmx9tVrtKj7YuOVesbvrfIg/JPmwh4/6oQ0njTnXpebMGbAyfR4ujr9LAWcay4J"

HKCU\Software\TOY5KNQ8OC\Sk0: "tSLPLpWL7R22spR48AI743bz2Kge8sEexVqvoCq8k0lsy8Vz6cQms8nYW7WrGAah1q7ZF2rk+EDaFAUifhYCbyBhsJUQGaLvRXFPvj4fPb3FE+GFkPttwkoU/35e3wSx96k/Sm+qoShZxCNckrgXVkqv2QHTPJEWSn62JKxrGyWJWIDvosXgvpQ+9NJnhYSGGm0nfrOhwdNqtOPofvzbe4Kz8vcNucmvyBI0wIQlxQ=="

HKCU\Software\TOY5KNQ8OC\Sk1: "tSbFNJuL/h22spR48AI743bz2Kge8sEFw0u7rzv7hAhii8oz6cUwrtaDX7S0SgekzLLbNRWfqAulcjJ2fxAea2c6poBMROjnSmxS/T4cP/HMUvCOmKZsiUkT4zcFwxmz59RdM2/wpjYVmVwv6/BfBknhmE3COJFbUj73dfd3HTSeC9y0vsH7pY85uZ9rh8bLB3owdK2nm8ptqvG3Y/6LavrLouZn1oHowglk"

HKCU\Software\TOY5KNQ8OC\Sb4: 0x00015180
HKCU\Software\TOY5KNQ8OC\Sb5: 0x00000002
HKCU\Software\TOY5KNQ8OC\Sb2: 0x01CAC75E
HKCU\Software\TOY5KNQ8OC\Sb3: 0x2DB880C0
HKCU\Software\TOY5KNQ8OC\Sb6: 0x00000001
HKCU\Software\TOY5KNQ8OC\Sb0: 0x01CAC697
HKCU\Software\TOY5KNQ8OC\Sb1: 0x8A214D00
HKCU\Software\WEK9EMDHI9\Sna6: "FOqnXdjKQBDY8w=="
HKCU\Software\WEK9EMDHI9\Sna5: "Gbv+C4eSExjnyIpWf4+pYXAo/2QGxA/X94OiMMEM3fg21K7ozkNG88wcCBRfcPq52epvdMeg//Fz+p6csSavmjbegPbMh4ax7rfcfKkoeMvrtfbyG0YYP8SU34vNicpGWhCnbfz9wbF/NBlImT+BVbBlcLPqQ1Jh/wFaVRhb7O8w3FzUzhw0JYsmCyMRI9W9ePgnXGNJ2d+bNtva2R8Wr0zGuC4/9Y0AhF0GRGl2xYDgIk5EV2+LYI34Qv74AMzp3Q=="

HKCU\Software\WEK9EMDHI9\SkoQ: 0x0000000C
HKCU\Software\WEK9EMDHI9\SkoM: 0x000151E4
HKCU\Software\WEK9EMDHI9\Sko6: 0x000151E4
HKCU\Software\WEK9EMDHI9\Sko9: 0x000151E4
HKCU\Software\WEK9EMDHI9\SkoK: 0x00000000
HKCU\Software\WEK9EMDHI9\SkoV9: 0x00000000
HKCU\Software\WEK9EMDHI9\Sko5: 0x01CAC75E
HKCU\Software\WEK9EMDHI9\SkoV: 0x1D603CE0

Values modified
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs: '6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN SSHNAS'
-------------------------------------------------------------------------------
How to remove / fix: Swucua.exe, sfd.exe, sfb.exe, sfc.exe
-------------------------------------------------------------------------------
Method 1: Download the fix tool: PeeTechFix-SSHNAS21 version 1.3.00

-------------------------------------------------------------------------------
Method 2: Manual deletion

1. Press Ctrl+Alt+Del and End Process for sfd.exe, Swucua.exe and rundll32.exe
2. Click Start > Run, type %temp% and press Enter,
then delete the files sfd.exe, sfb.exe and sfc.exe

3. Delete the file Swucua.exe in C:\WINDOWS
4. Delete the file sshnas21.dll in C:\WINDOWS\system32
(This DLL is loaded inside svchost.exe as the SSHNAS service, as the ImagePath and ServiceDll values above show, so ending the processes in step 1 does not release it. If Windows reports the file is in use, stop the service first with "sc stop SSHNAS" or delete the file from Safe Mode.)

5. Use HijackThis and "Fix Checked" on this line:
O4 - HKCU\..\Run: [TOY5KNQ8OC] %Temp%\Sfd.exe

6. Click Start > Run, type regedit.exe and press Enter, then delete these keys:

HKLM\SYSTEM\ControlSet001\Services\SSHNAS
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS
HKCU\Software\Microsoft\Handle
HKCU\Software\TOY5KNQ8OC
HKCU\Software\WEK9EMDHI9
HKCU\Software\XML

7. Edit the netsvcs value in the key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\
by deleting the word SSHNAS
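The seven manual steps above, scripted as an added example that is not part of the original post and not the PeeTechFix tool. It assumes an elevated PowerShell 2.0 or later on the infected machine and uses only the indicators listed in this post (the file paths, the SSHNAS service keys, the TOY5KNQ8OC Run value and the netsvcs entry). The function names (Test-SshnasInfection, Get-NetsvcsServiceDll, Remove-SshnasInfection) are the example's own. It goes slightly beyond the post in one place: Get-NetsvcsServiceDll lists every service in the netsvcs group with its ServiceDll and Authenticode status, which is the general check for this persistence technique rather than the one SSHNAS instance.

```powershell
# Added example (not from the original post or PeeTechFix). Run elevated.
# Indicators below are the ones listed in the post; the helper names are assumptions.

$Files = @(
    (Join-Path $env:TEMP   'Sfb.exe'),
    (Join-Path $env:TEMP   'Sfc.exe'),
    (Join-Path $env:TEMP   'Sfd.exe'),
    (Join-Path $env:WINDIR 'Swucua.exe'),
    (Join-Path $env:WINDIR 'system32\sshnas21.dll')
)
$Keys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\SSHNAS',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SSHNAS',
    'HKCU:\Software\Microsoft\Handle',
    'HKCU:\Software\TOY5KNQ8OC',
    'HKCU:\Software\WEK9EMDHI9',
    'HKCU:\Software\XML'
)
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'TOY5KNQ8OC'
$SvcHost  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

function Test-SshnasInfection {
    # Read-only check: returns the indicators that are present on this machine.
    $found = @()
    foreach ($f in $Files) { if (Test-Path -LiteralPath $f) { $found += "file: $f" } }
    foreach ($k in $Keys)  { if (Test-Path -LiteralPath $k) { $found += "key: $k" } }
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$RunValue]) {
        $found += "run value: $RunValue = $($run.$RunValue)"
    }
    $netsvcs = (Get-ItemProperty -Path $SvcHost -Name netsvcs -ErrorAction SilentlyContinue).netsvcs
    if ($netsvcs -contains 'SSHNAS') { $found += 'netsvcs group contains SSHNAS' }
    return $found
}

function Get-NetsvcsServiceDll {
    # General check: every netsvcs member with its ServiceDll and signature status.
    # A service whose DLL is unsigned or missing (like sshnas21.dll) stands out here.
    $netsvcs = (Get-ItemProperty -Path $SvcHost -Name netsvcs -ErrorAction SilentlyContinue).netsvcs
    foreach ($name in $netsvcs) {
        $p = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters" -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.ServiceDll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
        $status = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'Missing' }
        New-Object PSObject -Property @{ Service = $name; ServiceDll = $dll; Signature = $status }
    }
}

function Remove-SshnasInfection {
    # Steps 1-7 of the manual procedure. The post also ends rundll32.exe; that is left
    # to the operator here because it kills every rundll32 instance on the desktop.
    Stop-Process -Name sfd, sfb, sfc, Swucua -Force -ErrorAction SilentlyContinue        # step 1
    # sshnas21.dll lives inside svchost.exe -k netsvcs, so stop and delete the service
    # before touching the file or the delete will fail with "file in use".
    & sc.exe stop SSHNAS   | Out-Null
    & sc.exe delete SSHNAS | Out-Null
    foreach ($f in $Files) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }        # steps 2-4
    Remove-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue                    # step 5
    foreach ($k in $Keys) { Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction SilentlyContinue } # step 6
    $netsvcs = (Get-ItemProperty -Path $SvcHost -Name netsvcs).netsvcs                                 # step 7
    $clean   = [string[]]($netsvcs | Where-Object { $_ -ne 'SSHNAS' })
    Set-ItemProperty -Path $SvcHost -Name netsvcs -Value $clean -Type MultiString
}

$before = Test-SshnasInfection
if ($before.Count -eq 0) { 'No SSHNAS indicators found.'; return }
'Indicators present:'; $before
Remove-SshnasInfection
$after = Test-SshnasInfection
if ($after.Count -eq 0) {
    'Clean. Reboot and run Test-SshnasInfection again to confirm nothing respawned.'
} else {
    'Still present (try again from Safe Mode):'; $after
}
'netsvcs members and their DLL signatures:'
Get-NetsvcsServiceDll | Format-Table Service, Signature, ServiceDll -AutoSize
```

Run Test-SshnasInfection alone first if you only want to confirm the infection; the removal function is destructive and should be run from an elevated prompt with the user's own profile loaded, since four of the six keys are under HKCU.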

