sovhst.exe, MZ.PIF
File size: 25,252 bytes
MD5: CE8FB133F066E1DD99D0BA4CB7BB45CB
SHA-1: 3CC8B2DC3488C355413C47CB7E590E2B1BEFF7DD
=======================================================
Files Created
%ProgramFiles%\sovhst.exe
%ProgramFiles%\Common Files\PushWare\Uninst.exe
%FontsDir%\iexplo.exe
C:\MZ.PIF
C:\AUTORUN.INF
%Temp%\abb14.tmp
%Temp%\abb9.tmp
%Temp%\abbF.tmp
%Temp%\dll1.tmp
%FontsDir%\tbh.ini
%FontsDir%\uuc.ini
%FontsDir%\syttem.exe
%Windir%\MICROSOFT\winsys.dll
%Windir%\Tasks\connie.exe
%Windir%\Tasks\SRA.PIF
%Windir%\system\VGA13.dat
%System%\dllcache\linkinfo.dll
%Windir%\Tasks\dEAXUPxQWEyAvpH4Pd3brcyYSHV.inf
%Windir%\Tasks\NSk5AtYYEPKtaSgzknZvW.ico
%ProgramFiles% = C:\Program Files\
%FontsDir% = C:\Windows\Fonts
%Windir% = C:\Windows\
%System% = C:\Windows\System32\
%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp\
Registry Modifications
Keys Added
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safeup.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arpfw.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KpfwSvc.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravservice.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVTRAY.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwstub.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.EXE
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HAOT
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HAOT\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HAOT\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JAOND
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JAOND\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JAOND\0000\Control
HKLM\SYSTEM\ControlSet001\Services\haot
HKLM\SYSTEM\ControlSet001\Services\haot\Security
HKLM\SYSTEM\ControlSet001\Services\haot\Enum
HKLM\SYSTEM\ControlSet001\Services\jaond
HKLM\SYSTEM\ControlSet001\Services\jaond\Security
HKLM\SYSTEM\ControlSet001\Services\jaond\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAOT
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAOT\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAOT\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JAOND
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JAOND\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JAOND\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\haot
HKLM\SYSTEM\CurrentControlSet\Services\haot\Security
HKLM\SYSTEM\CurrentControlSet\Services\haot\Enum
HKLM\SYSTEM\CurrentControlSet\Services\jaond
HKLM\SYSTEM\CurrentControlSet\Services\jaond\Security
HKLM\SYSTEM\CurrentControlSet\Services\jaond\Enum
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
Values Added
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safeup.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arpfw.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KpfwSvc.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravservice.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVTRAY.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwstub.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE
debugger = "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.EXE
debugger = "ntsd -d"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HAOT\0000\Control
*NewlyCreated* = 0x00000000
ActiveService = "haot"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HAOT\0000
Service = "haot"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "haot"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HAOT
NextInstance = 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JAOND\0000\Control
*NewlyCreated* = 0x00000000
ActiveService = "jaond"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JAOND\0000
Service = "jaond"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "jaond"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JAOND
NextInstance = 0x00000001
HKLM\SYSTEM\ControlSet001\Services\haot\Enum
0 = "Root\LEGACY_HAOT\0000"
Count = 0x00000001
NextInstance = 0x00000001
HKLM\SYSTEM\ControlSet001\Services\haot\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
HKLM\SYSTEM\ControlSet001\Services\haot
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "\??\%FontsDir%\haot.sys"
DisplayName = "haot"
HKLM\SYSTEM\ControlSet001\Services\jaond\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
HKLM\SYSTEM\ControlSet001\Services\jaond
Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "\??\%FontsDir%\jaond.sys"
DisplayName = "jaond"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
360safe = "C:\WINDOWS\Fonts\iexplo.exe"
Values Modified
HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\(Default): ""C:\Program Files\Internet Explorer\iexplore.exe" http://www.07129.com/"
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.07129.com/"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 0x00000091
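The Image File Execution Options entries above are how the sample disables the listed security tools: when any of those image names is launched, Windows starts the registered Debugger and hands it the original command line, and ntsd with -d (input/output redirected to a kernel debugger) leaves the target suspended waiting for a debugger that is not there; on Vista and later ntsd.exe is not shipped at all, so the launch simply fails. Together with the policies\Explorer\run autostart and CheckedValue = 0 under SHOWALL (which keeps "Show hidden files and folders" from taking effect, so the dropped files stay invisible), these are the first things to check on an infected machine. What follows is an added example, not code from the original post: an offline triage script that parses a Regedit 5.00 export (reg export writes UTF-16, so open the file with encoding="utf-16") and emits the reg.exe command that reverts each finding. The key names and values come from the report; the sample export, the notepad.exe/WinDbg entry (a hypothetical benign Debugger registration, listed for review rather than as a hijack) and the reg.exe fixes are constructed here.

```python
"""Offline triage of a .reg export for the registry artefacts listed above.

Added example, not part of the original report. Parses a Regedit 5.00 export
and flags Image File Execution Options debugger hijacks, policy autostarts and
the hidden-file policy tamper, with the reg.exe command that reverts each.
SAMPLE_REG is constructed from the report's values plus one hypothetical,
benign WinDbg registration that should be listed for review, not as a hijack.
"""
import re
from dataclasses import dataclass

IFEO_KEY = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
            r"\image file execution options")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
SHOWALL_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
               r"\explorer\advanced\folder\hidden\showall")
KILL_DEBUGGERS = {"ntsd -d", "ntsd.exe -d"}  # only ever used to stop a program starting

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
"debugger"="ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE]
"debugger"="ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"360safe"="C:\\WINDOWS\\Fonts\\iexplo.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

@dataclass(frozen=True)
class Finding:
    severity: str  # "high": known tamper pattern; "review": needs an analyst
    key: str
    detail: str
    fix: str       # reg.exe command that reverts the change

def _logical_lines(text):
    """Join hex(...) continuation lines (trailing backslash) into one line."""
    buf = None
    for line in text.splitlines():
        buf = line.rstrip() if buf is None else buf + line.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = None

def _decode(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # REG_SZ: undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                     # REG_DWORD
    if raw.startswith("hex"):                       # hex:, hex(2):, hex(7): ...
        return bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
    return raw

def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))
            keys[current][name] = _decode(m.group(3))
    return keys

def _get(values, name):  # value names are case-insensitive ("debugger" above)
    return next((v for k, v in values.items() if k.lower() == name.lower()), None)

def triage(keys):
    found = []
    for key, values in keys.items():
        low = key.lower()
        if low.startswith(IFEO_KEY + "\\"):
            dbg = _get(values, "Debugger")
            if isinstance(dbg, str):
                image = key.rsplit("\\", 1)[1]
                sev = "high" if dbg.strip().lower() in KILL_DEBUGGERS else "review"
                found.append(Finding(sev, key, f"{image} is started under: {dbg}",
                                     f'reg delete "{key}" /v Debugger /f'))
        elif low == RUN_KEY:
            for name, target in values.items():
                found.append(Finding("high", key, f"policy autostart {name!r} -> {target}",
                                     f'reg delete "{key}" /v "{name}" /f'))
        elif low == SHOWALL_KEY and _get(values, "CheckedValue") != 1:
            found.append(Finding("high", key,
                                 f"CheckedValue={_get(values, 'CheckedValue')!r}: "
                                 "'Show hidden files and folders' can no longer be enabled",
                                 f'reg add "{key}" /v CheckedValue /t REG_DWORD /d 1 /f'))
    return found
```

Run `triage(parse_reg(open("out.reg", encoding="utf-16").read()))` against a real export and print each finding's `fix`; a Debugger value that is a real, installed debugger (the WinDbg entry in the sample) comes back as "review" rather than "high", so only the ntsd -d entries are deleted blindly. The same parser handles the hex Security descriptors of the haot/jaond service keys, since continuation lines are joined before decoding.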
Remote Host
76.73.72.69 port 80
76.73.86.26 port 80
Hosts modified
127.0.0.1 rsup10.rising.com.cn
127.0.0.1 cloudinfo.rising.com.cn
127.0.0.1 go.rising.com.cn
127.0.0.1 f.360.cn
127.0.0.1 www.114baines.com
127.0.0.1 qup.f.360.cn
127.0.0.1 down.langlangdoor.com
127.0.0.1 1232355.8866.org
127.0.0.1 www.8788se.cn
127.0.0.1 www.889sese.cn
127.0.0.1 ddd.ds22aa.cn
127.0.0.1 img.downbt.com
127.0.0.1 www.dy2004.com
127.0.0.1 ok3.114graph.com
127.0.0.1 ok1.114oldest.com
127.0.0.1 down.114graph.com
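The hosts entries above point the update and cloud-lookup names of Rising and 360 at 127.0.0.1, so those products cannot update or reach their backends even where the IFEO hijack did not stop them; the other names are sinkholed the same way. As an added example (not from the original post), the script below parses a hosts file (on Windows, %System%\drivers\etc\hosts), reports every public name mapped to a loopback or 0.0.0.0 address, tags the ones under security vendors' domains, and returns a cleaned copy. SECURITY_DOMAINS holds only the two vendor domains taken from the report and is an assumption to extend for the products in use; SAMPLE_HOSTS is constructed from the report's entries plus the stock localhost line and an invented legitimate entry that must survive the cleanup.

```python
"""Hosts-file triage for the update-server sinkholing listed above.

Added example, not part of the original report. It finds hosts entries that map
a public hostname to a loopback or unspecified address, tags those under
security vendors' domains (the report's rising.com.cn and 360.cn entries), and
returns a cleaned copy. SAMPLE_HOSTS is constructed: the report's entries plus
the stock localhost line and an invented legitimate entry that must survive.
"""
import ipaddress
from dataclasses import dataclass

SECURITY_DOMAINS = ("rising.com.cn", "360.cn")  # assumption: extend with the vendors in use
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        build-server.corp.example   # constructed legitimate entry
127.0.0.1 rsup10.rising.com.cn
127.0.0.1 cloudinfo.rising.com.cn
127.0.0.1 f.360.cn qup.f.360.cn
127.0.0.1 down.langlangdoor.com
0.0.0.0 www.dy2004.com
"""

@dataclass(frozen=True)
class Sinkhole:
    lineno: int
    host: str
    address: str
    category: str  # "security-vendor" or "other"

def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping, comments stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in fields[1:]:
            yield lineno, addr, host.lower().rstrip(".")

def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def find_sinkholes(text, security_domains=SECURITY_DOMAINS):
    """Public names pointed at 127.0.0.0/8, ::1 or 0.0.0.0 are sinkholed."""
    found = []
    for lineno, addr, host in parse_hosts(text):
        if host in LOCAL_NAMES or "." not in host:
            continue  # loopback aliases and single-label LAN names are normal
        if addr.is_loopback or addr.is_unspecified:
            cat = "security-vendor" if _in_domains(host, security_domains) else "other"
            found.append(Sinkhole(lineno, host, str(addr), cat))
    return found

def clean_hosts(text, sinkholes):
    """Return the file with every line that carried a sinkhole entry dropped."""
    bad = {s.lineno for s in sinkholes}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    hits = find_sinkholes(SAMPLE_HOSTS)
    for s in hits:
        print(f"line {s.lineno}: {s.host} -> {s.address} [{s.category}]")
    print(clean_hosts(SAMPLE_HOSTS, hits))
```

A line that lists several names (the f.360.cn / qup.f.360.cn form) yields one finding per name but is removed once; the cleaned text is meant to be written back only after the IFEO and service entries are dealt with, since the dropper re-creates the hosts entries while it is still running.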
URLs contacted / data downloaded
hxxp://y.moneyinfom.com/v.txt
hxxp://76.73.86.26/d/ee.exe > %FontsDir%\iexplo.exe
(not detected by NOD32 4677 as of 10/12/2009)
ee.exe: scanned with www.VirusTotal.com
Aliases (engine, version, signature date, detection name; "-" = not detected):
a-squared 4.5.0.43 2009.12.11 Trojan.Win32.StartPage!IK
AhnLab-V3 5.0.0.2 2009.12.10 -
AntiVir 7.9.1.108 2009.12.10 TR/Crypt.XDR.Gen
Antiy-AVL 2.0.3.7 2009.12.10 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.10 Win32:Trojan-gen
AVG 8.5.0.426 2009.12.10 -
BitDefender 7.2 2009.12.11 Gen:Trojan.Heur.bmKfIPnH8Kjb
CAT-QuickHeal 10.00 2009.12.11 Backdoor.Wuca.gv
ClamAV 0.94.1 2009.12.11 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.11 STPAGE.Trojan
eSafe 7.0.17.0 2009.12.10 Suspicious File
eTrust-Vet 35.1.7170 2009.12.11 -
F-Prot 4.5.1.85 2009.12.10 -
F-Secure 9.0.15370.0 2009.12.10 Gen:Trojan.Heur.bmKfIPnH8Kjb
Fortinet 4.0.14.0 2009.12.11 -
GData 19 2009.12.11 Gen:Trojan.Heur.bmKfIPnH8Kjb
Ikarus T3.1.1.74.0 2009.12.11 Trojan.Win32.StartPage
Jiangmin 13.0.900 2009.12.11 -
K7AntiVirus 7.10.917 2009.12.10 -
Kaspersky 7.0.0.125 2009.12.11 Backdoor.Win32.Wuca.hh
McAfee 5828 2009.12.10 New Malware.ab
McAfee+Artemis 5828 2009.12.10 Artemis!EF19E8FCE928
McAfee-GW-Edition 6.8.5 2009.12.11 Trojan.Crypt.XDR.Gen
Microsoft 1.5302 2009.12.10 TrojanDropper:Win32/Kufgal.A
NOD32 4677 2009.12.10 -
Norman 6.04.03 2009.12.10 -
nProtect 2009.1.8.0 2009.12.11 -
Panda 10.0.2.2 2009.12.10 Trj/CI.A
PCTools 7.0.3.5 2009.12.11 Trojan.Generic
Prevx 3.0 2009.12.11 -
Rising 22.25.04.03 2009.12.11 Trojan.Win32.Generic.51F37414
Sophos 4.48.0 2009.12.11 Troj/PWS-AXY
Sunbelt 3.2.1858.2 2009.12.11 Trojan.Win32.Generic!BT
Symantec 1.4.4.12 2009.12.11 Trojan Horse
TheHacker 6.5.0.2.090 2009.12.10 -
TrendMicro 9.100.0.1001 2009.12.11 -
VBA32 3.12.12.0 2009.12.10 -
ViRobot 2009.12.11.2082 2009.12.11 -
VirusBuster 5.0.21.0 2009.12.10 -
=========================================================
How to remove / fix the virus: sovhst.exe, MZ.PIF
=========================================================
Download Fix Tool: Coming soon