"Malware Fix รวมวิธีแก้ปัญหา virus computer โครงการทำดีเพื่อสังคม" "เนื่องจากภาระหน้าที่ทางการงาน ต้องขออภัยผู้เยี่ยมชมทุกท่านนะครับ ที่เ้ข้ามาแล้ว ไม่มีการ update virus ตัวใหม่ นะครับ"

Information

http://malwarefighting.blogspot.com


Alert! Crypt0L0cker (Ransomware)
encrypts the data on the computer; it is spreading in Thailand
and spreading heavily in Korea.
ThaiCERT , Crypto Prevention Tool

*Do not pay, under any circumstances: you lose the money and still do not get the data back.
Please share this with anyone who comes here to read it.
http://hotzone-it.blogspot.com/2015/07/how-to-remove-crypt0l0cker-not.html
==============================================
PeeTechFix >> JupiterFix
==============================================

How to use: JupiterFix-Win32.PSW.OnlineGames
The list of viruses the program can clean is in VirusList.txt
-------------------------------------------------------------------------------------
If you have downloaded the PeeTechFix tool and run into a problem, or it cannot remove the infection, please report it by email to MalwareHunter.info@gmail.com, or send the virus file; it would be much appreciated.
-------------------------------------------------------------------------------------
Safemode Recovery (.reg): fixes the case where a virus has deleted the SafeBoot key so that Safe Mode can no longer be entered
------------------------------------------------------------------------------------
How to fix the error message (when .exe files on a USB drive will not open):
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
See this link for the fix.
-------------------------------------------------------------------------------------
How to fix MSN / Windows Live Messenger disconnecting (caused by the OnlineGames virus)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode


Thursday

Trojan Anti AV

*I do not have a sample of this Trojan Anti AV file.
I would like one too; I found a link to download this trojan, but the download did not work.*

Once it has infected a machine, this trojan uninstalls the antivirus product that is already installed,
then installs itself in its place, imitating the icons of many well-known antivirus brands, such as
KAV, ESET, Outpost, Comodo, Agava, Avast, McAfee, Avira, Norton, DrWeb, MSE, MSD, AVG, Panda
-----------------------------------------------------------------------

Flash-Player.exe
MD5 : 38acffb9479dbfe7869fa46b9f8c40a8
SHA1 : faabde662b668c6c82c347a75cc439b771919773

MD5 : bfe737620506583c7cddd18a71479b1c
SHA1 : 81e5a20461980bc70523812aca5a05edd873f81e
...
Antivirus            | Version        | Last update | Result
---------------------+----------------+-------------+-----------------------------
AhnLab-V3            | 2011.07.30.00  | 2011.07.29  | Win-Trojan/Vkont.1201664
AntiVir              | 7.11.12.167    | 2011.07.29  | BDS/Bafruz.B
Antiy-AVL            | 2.0.3.7        | 2011.07.29  | Trojan/win32.agent.gen
Avast                | 4.8.1351.0     | 2011.07.29  | Win32:Malware-gen
Avast5               | 5.0.677.0      | 2011.07.29  | Win32:Malware-gen
AVG                  | 10.0.0.1190    | 2011.07.29  | SHeur3.CLIY
BitDefender          | 7.2            | 2011.07.29  | Trojan.Agent.ASAI
CAT-QuickHeal        | 11.00          | 2011.07.29  | -
ClamAV               | 0.97.0.0       | 2011.07.29  | -
Commtouch            | 5.3.2.6        | 2011.07.29  | -
Comodo               | 9557           | 2011.07.29  | Heur.Suspicious
DrWeb                | 5.0.2.03300    | 2011.07.29  | Trojan.VkBase.73
Emsisoft             | 5.1.0.8        | 2011.07.29  | Backdoor.Win32.Bafruz!IK
eSafe                | 7.0.17.0       | 2011.07.27  | -
eTrust-Vet           | 36.1.8472      | 2011.07.29  | -
F-Prot               | 4.6.2.117      | 2011.07.29  | -
F-Secure             | 9.0.16440.0    | 2011.07.29  | Trojan.Agent.ASAI
Fortinet             | 4.2.257.0      | 2011.07.29  | -
GData                | 22             | 2011.07.29  | Trojan.Agent.ASAI
Ikarus               | T3.1.1.104.0   | 2011.07.29  | Backdoor.Win32.Bafruz
Jiangmin             | 13.0.900       | 2011.07.29  | Trojan/AntiAV.btb
K7AntiVirus          | 9.109.4961     | 2011.07.29  | Trojan
Kaspersky            | 9.0.0.837      | 2011.07.29  | Trojan.Win32.AntiAV.oax
McAfee               | 5.400.0.1158   | 2011.07.29  | FakeAlert-SecurityAntivirus
McAfee-GW-Edition    | 2010.1D        | 2011.07.29  | FakeAlert-SecurityAntivirus
Microsoft            | 1.7104         | 2011.07.29  | Backdoor:Win32/Bafruz.B
NOD32                | 6335           | 2011.07.29  | Win32/Delf.QCZ
Norman               | 6.07.10        | 2011.07.29  | Delf.FHUF
nProtect             | 2011-07-29.02  | 2011.07.29  | Trojan/W32.AntiAV.1201664
Panda                | 10.0.3.5       | 2011.07.29  | Trj/CI.A
PCTools              | 8.0.0.5        | 2011.07.29  | Trojan.Generic
Prevx                | 3.0            | 2011.07.29  | -
Rising               | 23.68.04.03    | 2011.07.29  | Suspicious
Sophos               | 4.67.0         | 2011.07.29  | Mal/Generic-L
SUPERAntiSpyware     | 4.40.0.1006    | 2011.07.29  | -
Symantec             | 20111.1.0.186  | 2011.07.29  | Trojan Horse
TheHacker            | 6.7.0.1.264    | 2011.07.28  | -
TrendMicro           | 9.200.0.1012   | 2011.07.29  | -
TrendMicro-HouseCall | 9.200.0.1012   | 2011.07.29  | TROJ_ANTIAV.CW
VBA32                | 3.12.16.4      | 2011.07.29  | -
VIPRE                | 9999           | 2011.07.29  | Trojan.Win32.Generic!BT
ViRobot              | 2011.7.29.4595 | 2011.07.29  | Dropper.Agent.1201664
VirusBuster          | 14.0.145.2     | 2011.07.29  | Trojan.AntiAV!/9aazmSPFg0

...

File Added
%Windir%\sysdriver32.exe
%Windir%\sysdriver32_.exe
%Windir%\Temp\2105191.exe
%Windir%\loader2.exe_ok
%Windir%\services32.exe
%Windir%\update.1\svchost.exe

%Temp%\141329.exe
%Temp%\4621672.exe
%Temp%\1962094.bat
%Temp%\40296133.bat
([number].exe or .bat)

%Profiles%\LocalService\Start Menu
%Profiles%\LocalService\Start Menu\Programs
%Windir%\update.1

%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp
%Profiles% = C:\Documents and Settings
%Windir% = C:\Windows or C:\Winnt

Registry Modifications
Keys added
HKLM\SOFTWARE\services32.exe
HKLM\SOFTWARE\sysdriver32.exe
HKLM\SOFTWARE\systeminfog
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wxpdrivers
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\wxpdrivers
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000\Control
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32\Security
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32\Enum
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers\Security
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers\Enum
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\wxpdrivers
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\wxpdrivers
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32\Security
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers\Security
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers\Enum
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Policies
HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

Values added
HKLM\SOFTWARE\Microsoft\Security Center
DisableThumbnailCache = 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA = 0x00000000
EnableSecureUIAPaths = 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wxpdrv = "%Windir%\update.1\svchost.exe"
4621672.exe = ""%Temp%\4621672.exe""
sysdriver32.exe = ""%Windir%\sysdriver32.exe" rezerv"
sysdriver32_.exe = ""%Windir%\sysdriver32_.exe" rezerv"
141329.exe = ""%Temp%\141329.exe""
2105191.exe = ""%Windir%\TEMP\2105191.exe""

HKLM\SOFTWARE\services32.exe
close = "0"
ver = "3.14"
HKLM\SOFTWARE\sysdriver32.exe
time = "3520950973"
ver = "1.37"
path = "%Windir%\"
HKLM\SOFTWARE\systeminfog
ip_list = "188.231.226.178
[78.153.109.112]
95.158.189.4 = 46.118.28.239
[24.50.254.65]
77.122.73.101 = 82.208.135.110
[31.63.210.89]
79.116.55.111 = 217.129.77.109
[46.0.33.186]
190.213.221.57 = 94.112.230.65
[79.121.115.162]
84.201.207.27 = 109.160.118.175
[46.16]
HKLM\SOFTWARE\systeminfog = ip_list_time
["3520950927"]
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wxpdrivers = (Default)
["Service"]
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\wxpdrivers = (Default)
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000\Control = *NewlyCreated*
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\wxpdrivers = (Default)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers = (Default)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers = (Default)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000\Control = *NewlyCreated*
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = Service
[0x00000000]
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000\Control = ActiveService
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = Class
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000\Control = ActiveService
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000 = Class
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers = ImagePath
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000\Control = ActiveService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000\Control = ActiveService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000 = Class
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers = ImagePath
["srvsysdriver32"]
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = Service
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = Legacy
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32 = NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32 = NextInstance
[0x00000001]
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = ConfigFlags
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000\Control = *NewlyCreated*
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000 = ConfigFlags
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32\Enum = 0
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32\Enum = NextInstance
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32\Security = Security
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32 = ImagePath
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers\Enum = NextInstance
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers\Security = Security
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000\Control = *NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000 = ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32\Enum = 0
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32\Enum = NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32\Security = Security
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32 = ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers\Enum = NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers\Security = Security
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000 = Service
["LegacyDriver"]
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = ClassGUID
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000 = ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000 = ClassGUID
["{8ECC055D-047F-11D1-A537-0000F8753ED1}"]
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = DeviceDesc
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000 = DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32\0000 = DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000 = DeviceDesc
["wxpdrivers"]
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000 = Service
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS\0000 = Legacy
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WXPDRIVERS = NextInstance
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers = ObjectName
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000 = Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS\0000 = Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WXPDRIVERS = NextInstance
["Root\LEGACY_SRVSYSDRIVER32\0000"]
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32\Enum = Count
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32\Enum = Count
[01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0]
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32 = Type
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers = Type
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32 = Type
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers = Type
[0x00000010]
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32 = Start
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers = Start
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32 = Start
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers = Start
[0x00000002]
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32 = ErrorControl
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers = ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32 = ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers = ErrorControl
["%Windir%\sysdriver32.exe srv"]
HKLM\SYSTEM\ControlSet001\Services\srvsysdriver32 = ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\srvsysdriver32 = ObjectName
["LocalSystem"]
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers\Enum = 0
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\wxpdrivers = (Default)
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers\Enum = 0
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers\Security = Security
["Root\LEGACY_WXPDRIVERS\0000"]
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers\Enum = Count
HKLM\SYSTEM\CurrentControlSet\Services\wxpdrivers\Enum = Count
["%Windir%\update.1\svchost.exe srv"]
HKLM\SYSTEM\ControlSet001\Services\wxpdrivers = DisplayName

Values modified
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride =
HKLM\SYSTEM\ControlSet001\Control\SafeBoot
AlternateShell =
HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent
(Default) =
HKLM\SYSTEM\ControlSet002\Control\SafeBoot
AlternateShell =
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell =
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
(Default) =
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Programs =
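The registry indicators above are easier to check against a text dump than by hand. The following is an added example, not code from this blog or from any of the tools it links: a small Python parser for a `reg export` (REGEDIT 5.00) dump that applies the post's own indicators, namely Run entries launched from a Temp directory or from %Windir%\update.1, EnableLUA / EnableSecureUIAPaths forced to 0 (these only take effect on Vista and later, but the trojan sets them anyway), services whose ImagePath points at the dropped files, and SafeBoot entries registered for those services. The export text is a constructed sample and the user profile path is assumed. A real `reg export` file is UTF-16LE, so open it with `encoding="utf-16"` before passing it to `parse_reg`.

```python
import re

# Constructed sample of a "reg export" dump (REGEDIT 5.00 text format) from a hypothetical XP box.
# Value names and paths follow the indicators listed in the post; the user profile path is assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wxpdrv"="C:\\WINDOWS\\update.1\\svchost.exe"
"4621672.exe"="\"C:\\Documents and Settings\\User\\Local Settings\\Temp\\4621672.exe\""
"sysdriver32.exe"="\"C:\\WINDOWS\\sysdriver32.exe\" rezerv"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpdrivers]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\update.1\\svchost.exe srv"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Paths the post associates with the dropper: anything run from a Temp directory or from
# %Windir%\update.1, plus the sysdriver32 / services32 file names.
SUSPICIOUS_IMAGE = re.compile(r"\\temp\\|\\update\.1\\|sysdriver32|services32", re.I)


def parse_reg(text):
    """Parse a REGEDIT 5.00 export into {key: {value_name: data}}; '@' becomes '(Default)'.
    Strings are unescaped, dwords become ints, other value types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo the \\ and \" escaping
        keys[current][name] = data
    return keys


def is_suspicious_command(cmd):
    return bool(SUSPICIOUS_IMAGE.search(cmd))


def analyze(keys):
    """Apply the post's indicators to a parsed export; returns (category, name, detail) tuples."""
    findings, bad_services = [], set()
    for key, values in keys.items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if k.endswith("\\currentversion\\run"):
            for name, cmd in values.items():
                if is_suspicious_command(str(cmd)):
                    findings.append(("run", name, cmd))
        elif k.endswith("\\currentversion\\policies\\system"):
            # 0 disables UAC / the secure desktop (effective on Vista and later)
            for name in ("EnableLUA", "EnableSecureUIAPaths"):
                if values.get(name) == 0:
                    findings.append(("policy", name, "0"))
        elif "\\services\\" in k and is_suspicious_command(str(values.get("ImagePath", ""))):
            bad_services.add(leaf.lower())
            findings.append(("service", leaf, values["ImagePath"]))
    # A SafeBoot\Minimal or SafeBoot\Network entry lets the service start in Safe Mode as well,
    # so booting into Safe Mode does not stop it.
    for key in keys:
        leaf = key.rsplit("\\", 1)[-1]
        if "\\control\\safeboot\\" in key.lower() and leaf.lower() in bad_services:
            findings.append(("safeboot", leaf, key))
    return findings


if __name__ == "__main__":
    for category, name, detail in analyze(parse_reg(SAMPLE_REG)):
        print(f"{category:9} {name:22} {detail}")
```

On the sample it reports the three dropper Run entries (and not ctfmon.exe), both policy values, the wxpdrivers service (and not Dhcp, whose svchost.exe lives in System32) and the SafeBoot\Minimal\wxpdrivers entry that keeps the service alive in Safe Mode.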
...
Symptoms after infection with Trojan Anti AV

Example of the files the trojan creates

Example: Avast before the fake one is installed

Icons after the trojan is installed

Clicking the icon shows the message in the picture:

avast

Microsoft Security Essentials

Inspecting the program shortcut shows that it does not point at the antivirus but at an svchost.exe
that is not the Windows system file (the genuine one lives in %Windir%\System32)

Icons the trojan uses for its imitation

Opening Process Explorer shows the trojan's process running

The trojan modifies entries in the hosts file

........................................................................................................................
How to fix / remove: Trojan Anti AV (Fake AV)
........................................................................................................................
Download: Rkill.com , TDSSKiller ,
For details of the hosts file see this link: http://winhelp2002.mvps.org/hosts.htm

1. Run Rkill.com
2. Run TDSSKiller
3. Install Kaspersky Virus Removal Tool (2010 or 2011) and scan;
   Malwarebytes' Anti-Malware can be used instead.
4. Fix the hosts file by running MVP.bat, or edit it with HostsXpert.
5. Open HijackThis and look for these lines (if present);
   the numbers in [number].exe will not necessarily match, so go by the path under %Temp% instead.
   Tick the entries and choose "Fix checked".

O4 - HKLM\..\Run: [wxpdrv] "%Windir%\update.1\svchost.exe"
O4 - HKLM\..\Run: [4621672.exe] "%Temp%\4621672.exe"
O4 - HKLM\..\Run: [sysdriver32.exe] "%Windir%\sysdriver32.exe" rezerv
O4 - HKLM\..\Run: [sysdriver32_.exe] "%Windir%\sysdriver32_.exe" rezerv
O4 - HKLM\..\Run: [141329.exe] "%Temp%\141329.exe"
O4 - HKLM\..\Run: [2105191.exe] "%Windir%\Temp\2105191.exe"

   Also check that the wxpdrivers and srvsysdriver32 services and the SafeBoot\Minimal\wxpdrivers
   and SafeBoot\Network\wxpdrivers keys listed above are gone; they are what lets the trojan start
   even in Safe Mode.

6. Restart
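Steps 4 and 5 above, plus the svchost.exe check from the screenshots, come down to three pattern matches. The following is an added example, not code from this blog or from HijackThis: a Python triage of a HijackThis O4 listing, a hosts file and a process list, using the post's indicators ([number].exe names, commands run from %Temp% or %Windir%\update.1, the sysdriver32 dropper, hosts entries that name a security vendor, and an svchost.exe outside System32). The log lines, hosts file and process list are constructed samples; the expanded %Temp% path, the redirect address in the hosts sample and the vendor domain list are assumptions.

```python
import re

# Constructed HijackThis O4 lines from a hypothetical log. The names and paths follow the post's
# indicators; %Temp% is shown expanded under an assumed XP profile path.
HJT_LOG = r"""
O4 - HKLM\..\Run: [wxpdrv] "C:\WINDOWS\update.1\svchost.exe"
O4 - HKLM\..\Run: [4621672.exe] "C:\Documents and Settings\User\Local Settings\Temp\4621672.exe"
O4 - HKLM\..\Run: [sysdriver32.exe] "C:\WINDOWS\sysdriver32.exe" rezerv
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed hosts file: the loopback default, one vendor site pinned to loopback (blocked),
# one redirected to an arbitrary address (assumed, not an address from the post), one ad block.
HOSTS = """
127.0.0.1       localhost
127.0.0.1       www.avast.com
1.2.3.4         update.microsoft.com        # assumed redirect target
0.0.0.0         ads.example.net             # MVPS-style ad block, legitimate
"""

# Constructed (name, image path) pairs as you would read them off Process Explorer.
PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\update.1\svchost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
TEMP_OR_UPDATE_DIR = re.compile(r"\\temp\\|\\update\.1\\", re.I)
NUMERIC_NAME = re.compile(r"^\d+\.(?:exe|bat)$", re.I)
# Assumed vendor list: a clean hosts file has no reason to name any of these.
VENDOR_DOMAINS = ("avast.com", "microsoft.com", "kaspersky.com", "eset.com", "avg.com",
                  "mcafee.com", "symantec.com", "avira.com", "drweb.com", "comodo.com",
                  "pandasecurity.com", "malwarebytes.org")


def triage_o4(log):
    """Return (name, command) for O4 entries matching the post's indicators: a [number].exe
    name, a command run from a Temp directory or %Windir%\\update.1, or the sysdriver32 dropper."""
    hits = []
    for line in log.strip().splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        if NUMERIC_NAME.match(name) or TEMP_OR_UPDATE_DIR.search(cmd) or "sysdriver32" in cmd.lower():
            hits.append((name, cmd))
    return hits


def hosts_hijacks(hosts):
    """Return (hostname, address) for hosts entries naming a security vendor, whether they
    block it (127.0.0.1 / 0.0.0.0) or redirect it somewhere else."""
    hits = []
    for line in hosts.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        address, *names = line.split()
        for host in names:
            if any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
                hits.append((host, address))
    return hits


def rogue_svchost(processes):
    """The genuine svchost.exe lives in %SystemRoot%\\System32 (SysWOW64 on 64-bit); any other
    location, such as the %Windir%\\update.1 copy the post describes, is a look-alike."""
    return [path for name, path in processes
            if name.lower() == "svchost.exe"
            and not re.search(r"\\(?:system32|syswow64)\\svchost\.exe$", path, re.I)]


if __name__ == "__main__":
    for name, cmd in triage_o4(HJT_LOG):
        print(f"O4 suspicious : [{name}] {cmd}")
    for host, address in hosts_hijacks(HOSTS):
        print(f"hosts hijack  : {host} -> {address}")
    for path in rogue_svchost(PROCESSES):
        print(f"rogue svchost : {path}")
```

The hosts check deliberately flags loopback entries as well as redirects: a hosts line that sends an antivirus update domain to 127.0.0.1 is just as much a hijack as one that sends it to a remote address, and the MVPS hosts file the post recommends never names vendor sites, so a true positive here is a line to delete, not a block list entry.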

Thanks to the reference sources
