Malware Fighting: How to remove Swucua.exe

"Malware Fix รวมวิธีแก้ปัญหา virus computer โครงการทำดีเพื่อสังคม" "เนื่องจากภาระหน้าที่ทางการงาน ต้องขออภัยผู้เยี่ยมชมทุกท่านนะครับ ที่เ้ข้ามาแล้ว ไม่มีการ update virus ตัวใหม่ นะครับ"

Information

http://malwarefighting.blogspot.com

Click here for more gifs and graphics

แจ้งเตือนภัย ! Crypt0L0cker (Ransomware)
เข้ารหัสข้อมูลใน คอมพิวเตอร์ กำลังระบาดในไทย
และกำลังระบาดหนักในเกาหลี
ThaiCERT , Crytpo Prevention Tool

*ห้ามจ่ายเงินโดยเด็ดขาด เพราะจะเสียทั่้งเงินและกู้ข้อมูลไม่ได้
รบกวนคนที่เข้ามาอ่านช่วยแชร์ด้วยนะครับ
http://hotzone-it.blogspot.com/2015/07/how-to-remove-crypt0l0cker-not.html
==============================================

PeeTechFix >> JupiterFix

==============================================

Download : JupiterFix-Win32.PSW.OnlineGames 2011
(

AVDB-147

)

วิธีใช้งาน : JupiterFix-Win32.PSW.OnlineGames

ท่านสามารถตรวจสอบรายชื่อ Virus ที่โปรแกรม สามารถ Clean ได้ ใน VirusList.txt

-------------------------------------------------------------------------------------
ท่านใดที่ Download PeeTechFix tool ไปใช้แล้วมีปัญหาหรือลบไม่ออก โปรดแจ้งปัญหา ที่ email : MalwareHunter.info@gmail.com ด้วยครับ หรือส่งไฟล์ virus ให้ด้วย จะขอบพระคุณอย่างยิ่ง

-------------------------------------------------------------------------------------

Safemode Recovery (.reg) แก้ปัญหา Virus ลบ Key Safeboot แล้วเข้า safemode ไม่ได้

------------------------------------------------------------------------------------

วิธีแก้ Error message (แก้อาการเปิดไฟล์ .exe ใน USB Drive ไม่ได้)

"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"

วิธีแก้ ดูที่ link นี้ครับ

http://hotzone-it.blogspot.com/2010/01/fix-error-peetechfix.html

-------------------------------------------------------------------------------------

วิธีแก้ MSN /Windows Live Messenger Disconnect (จาก virus OnlineGames)

http://hotzone-it.blogspot.com/2010/06/msn-disconect.html

-------------------------------------------------------------------------------------

How to start Windows in Safe Mode

Link1 or Link 2 or Link3

Thursday

How to remove Swucua.exe

ไฟล์ที่ใช้ทดสอบ : Crack_Play.2.Emulator.45059.exe
http://peetech-malwareupdate.blogspot.com/2010/03/48d6344df7358095a2b18f73edccf898.html
------------------------------------------------------------------------------------------------------
Swucua.exe

File size: 172544 bytes

MD5: d6a3a079149ecec7eab9873db6a5441a

SHA1: 80186c1d8951a9bb47cb4be041942c5fc2e598a0

===================================================

Antivirus	Version	Last Update	Result
a-squared	4.5.0.50	2010.03.18	-
AhnLab-V3	5.0.0.2	2010.03.18	-
AntiVir	8.2.1.194	2010.03.18	-
Antiy-AVL	2.0.3.7	2010.03.18	-
Authentium	5.2.0.5	2010.03.18	W32/FraudPack.E!Generic
Avast	4.8.1351.0	2010.03.18	-
Avast5	5.0.332.0	2010.03.18	-
AVG	9.0.0.787	2010.03.18	-
BitDefender	7.2	2010.03.18	-
CAT-QuickHeal	10.00	2010.03.18	-
ClamAV	0.96.0.0-git	2010.03.18	-
Comodo	4304	2010.03.18	-
DrWeb	5.0.1.12222	2010.03.18	-
eSafe	7.0.17.0	2010.03.17	-
eTrust-Vet	35.2.7372	2010.03.18	Win32/FakeAlert.C!generic
F-Prot	4.5.1.85	2010.03.17	W32/FraudPack.E!Generic
F-Secure	9.0.15370.0	2010.03.18	Suspicious:W32/Malware!Gemini
Fortinet	4.0.14.0	2010.03.18	-
GData	19	2010.03.18	-
Ikarus	T3.1.1.80.0	2010.03.18	-
Jiangmin	13.0.900	2010.03.18	-
K7AntiVirus	7.10.1000	2010.03.17	-
Kaspersky	7.0.0.125	2010.03.18	-
McAfee	5923	2010.03.17	-
McAfee+Artemis	5923	2010.03.17	-
McAfee-GW-Edition	6.8.5	2010.03.18	Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft	1.5605	2010.03.17	-
NOD32	4954	2010.03.18	-
Norman	6.04.09	2010.03.18	-
nProtect	2009.1.8.0	2010.03.18	-
Panda	10.0.2.2	2010.03.17	-
PCTools	7.0.3.5	2010.03.18	-
Prevx	3.0	2010.03.18	High Risk Cloaked Malware
Rising	22.39.03.04	2010.03.18	-
Sophos	4.51.0	2010.03.18	Sus/UnkPack-C
Sunbelt	5949	2010.03.18	-
Symantec	20091.2.0.41	2010.03.18	Suspicious.Insight
TheHacker	6.5.2.0.236	2010.03.18	-
TrendMicro	9.120.0.1004	2010.03.18	TROJ_RENOS.SMPE
VBA32	3.12.12.2	2010.03.17	-
ViRobot	2010.3.18.2234	2010.03.18	-
VirusBuster	5.0.27.0	2010.03.17	-

-----------------------------------------------------------------------------------

Files Added

%Temp%\Sfb.exe

%Temp%\Sfc.exe

%Temp%\Sfd.exe

%system%\sshnas21.dll

%WinDir%\Swucua.exe

%Temp% =C:\Documents and Settings\[UserName]\Local Settings\Temp

%system% = C:\Windows\System32

%winDir% = C:\Windows

Keys added

HKLM\SYSTEM\ControlSet001\Services\SSHNAS

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Security

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Security

HKCU\Software\Microsoft\Handle

HKCU\Software\TOY5KNQ8OC

HKCU\Software\WEK9EMDHI9

HKCU\Software\XML

Values added

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters\

ServiceDll: "C:\WINDOWS\system32\sshnas21.dll"

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Type: 0x00000020

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Start: 0x00000002

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\ErrorControl: 0x00000000

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\

ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\DisplayName: "SSHNAS"

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\ObjectName: "LocalSystem"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters\

ServiceDll: "C:\WINDOWS\system32\sshnas21.dll"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Type: 0x00000020

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Start: 0x00000002

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\ErrorControl: 0x00000000

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\

ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\DisplayName: "SSHNAS"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\ObjectName: "LocalSystem"

HKCU\Software\Microsoft\Handle\3: "z+XaaugyuuSvEib0Hft72iB+UUk006BXeWC43zHlD+d+DIXqXp4uefOT9beDyITz2La99TIcO4afCdXyWJFIGNUeghKKVMvgWBDaubQD3whrC/afUzaqs+t3wTqVZ48Xvk0DmiAlNNQr+Y4NR2zEn84/l2Bj4Yta/aiQ+Lzx3QFb+FYoybd2MUxB3kyG9CzslL04l0B67T4O0MXvJ0+gTs8ZDIlxqu0/E+GwO98W2BRHdlwcijUmvPfs8xOxxb2D6nGWmH7bBaVxiMVAT35NKLON4jD0RL6Emf4TzESAf5hfQvlX+b+rG5Ip0ygVBzwG7njxUrdifOgQBng3/9eWq2XbipEeNC/QkJFm+dC1kOwfyoe5wi4CMmrA/60h1hkF3rF/tiu2AxfMTuh9mwcLCSf+joCRSGkrYgK0fc5n2AZ+sEcOQt6rrpH7bWlcE/J04lRYa/39MJjPm+c28pHCHogSVChdgo3los3qf3GoFrMEY7FHdVsyJGUv8LRDhhWLXwZRqs06zVi/ossHbzpnEx76+bE8sHNa1HgG9BnQSGbw5itnmSkYuCnMccVc5f5LBRRN3ZQPualpg/5YKu7LkuRCh3hSppQQ8ZZFRYo5dpbLnDO33o4KE0GGP8ZUo09vRRFs9wGU7979Lc0="

HKCU\Software\Microsoft\Handle\7: "z/Taa/pl0NCrJEynBu9+nW4cKDQAzbpLN370kRnSdoRFI/y8FssFAJj92Jmt0pfo3KLxtSZcIZmLSNG0S6N4CYZchE6WAra3DBKT5K1Rw1kVdcK0AC36/6h11zmVZ48Xvk0dxXMHB+RXj6A4DSaMzq9T/FJYybxc7K+T7PCxw0Fd+UtjyqwoD34SzQye9W6i8cdZ5R0prC0V28U="

HKCU\Software\Microsoft\Handle\5: "z/DcO5EGvtLTXCm7FPhmgDwcNWID0/R+VgSJ5APKWrFlEp37Tc8HVcO7z5H2w5/qh/jwvmUDJoTHA5yBZsAZGM8BnQL3NrKBcFyKtqYUxwtEbpG0UX/5hIhD7x2gAcUMpB8Z1n0oLMV5rpNNBj2VkeEetw9HyKAN7OG9n63igRtA+AZAsM1kJ1FA0USO8z++k6NH6h00uzsIgdmNQ2SiXY0tIatZmZJpcZz4LIwH+nghDQEFlDVvvfe2rV6zhOvfsn69s0qlNNl3vY8IEDEQa/3yh02hWbzLiPIWk1WQf9dWFOAG+r7ZNcl0jj4PG2d5gBCBUM8aGfQUD2VptsuI7CmDyrNjGQDi7eVt4c2mwbBA2524zCJOEQOmrvI0wQ5OkOwzpj7qKzmXTMoC1URSbRM="

HKCU\Software\Microsoft\Handle\8: 0xFFFFFFFF

HKCU\Software\Microsoft\Handle\6: 0xFFFFFFFF

HKCU\Software\Microsoft\Handle\4: 0x00000005

HKCU\Software\Microsoft\Handle\12: 0x01B2AAB8

HKCU\Software\TOY5KNQ8OC\Sk2: "xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Ek/n4gL8s8xs9LeD5KQVh3/j+XFbG3/8Bu5aiMqJVRVcQF7oop6V/nqCjgd83M9F4qOfs643eYxlxdOozwYgVD/95cSbnPGmAgVyQBmtbRWERa5lEWedN4LRl+dUrJAIwPZUYH14pK+/NJlrNxLjI/AC20YeKmx9tVrtKj7YuOVesbvrfIg/JPmwh4/6oQ0njTnXpebMGbAyfR4ujr9LAWcay4J"

HKCU\Software\TOY5KNQ8OC\Sk0: "tSLPLpWL7R22spR48AI743bz2Kge8sEexVqvoCq8k0lsy8Vz6cQms8nYW7WrGAah1q7ZF2rk+EDaFAUifhYCbyBhsJUQGaLvRXFPvj4fPb3FE+GFkPttwkoU/35e3wSx96k/Sm+qoShZxCNckrgXVkqv2QHTPJEWSn62JKxrGyWJWIDvosXgvpQ+9NJnhYSGGm0nfrOhwdNqtOPofvzbe4Kz8vcNucmvyBI0wIQlxQ=="

HKCU\Software\TOY5KNQ8OC\Sk1: "tSbFNJuL/h22spR48AI743bz2Kge8sEFw0u7rzv7hAhii8oz6cUwrtaDX7S0SgekzLLbNRWfqAulcjJ2fxAea2c6poBMROjnSmxS/T4cP/HMUvCOmKZsiUkT4zcFwxmz59RdM2/wpjYVmVwv6/BfBknhmE3COJFbUj73dfd3HTSeC9y0vsH7pY85uZ9rh8bLB3owdK2nm8ptqvG3Y/6LavrLouZn1oHowglk"

HKCU\Software\TOY5KNQ8OC\Sb4: 0x00015180

HKCU\Software\TOY5KNQ8OC\Sb5: 0x00000002

HKCU\Software\TOY5KNQ8OC\Sb2: 0x01CAC75E

HKCU\Software\TOY5KNQ8OC\Sb3: 0x2DB880C0

HKCU\Software\TOY5KNQ8OC\Sb6: 0x00000001

HKCU\Software\TOY5KNQ8OC\Sb0: 0x01CAC697

HKCU\Software\TOY5KNQ8OC\Sb1: 0x8A214D00

HKCU\Software\WEK9EMDHI9\Sna6: "FOqnXdjKQBDY8w=="

HKCU\Software\WEK9EMDHI9\Sna5: "Gbv+C4eSExjnyIpWf4+pYXAo/2QGxA/X94OiMMEM3fg21K7ozkNG88wcCBRfcPq52epvdMeg//Fz+p6csSavmjbegPbMh4ax7rfcfKkoeMvrtfbyG0YYP8SU34vNicpGWhCnbfz9wbF/NBlImT+BVbBlcLPqQ1Jh/wFaVRhb7O8w3FzUzhw0JYsmCyMRI9W9ePgnXGNJ2d+bNtva2R8Wr0zGuC4/9Y0AhF0GRGl2xYDgIk5EV2+LYI34Qv74AMzp3Q=="

HKCU\Software\WEK9EMDHI9\SkoQ: 0x0000000C

HKCU\Software\WEK9EMDHI9\SkoM: 0x000151E4

HHKCU\Software\WEK9EMDHI9\Sko6: 0x000151E4

HKCU\Software\WEK9EMDHI9\Sko9: 0x000151E4

HKCU\Software\WEK9EMDHI9\SkoK: 0x00000000

HKCU\Software\WEK9EMDHI9\SkoV9: 0x00000000

HKCU\Software\WEK9EMDHI9\Sko5: 0x01CAC75E

HKCU\Software\WEK9EMDHI9\SkoV: 0x1D603CE0

Values modified

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs: '6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN SSHNAS'

-------------------------------------------------------------------------------

วิธีกำจัด/แก้ : Swucua.exe, sfd.exe , sfb.exe , sfc.exe

-------------------------------------------------------------------------------

วิธีที่ 1 Download Fix Tool : PeeTechFix-SSHNAS21 version 1.3.00

http://www.mediafire.com/?zuwmmmnjmky

-------------------------------------------------------------------------------

วิธีที่ 2 Manual delete

1. กด Ctrl+Alt+Del แล้ว เลือก End Process ไฟล์ sfd.exe , Swucua.exe , rundll32.exe

2. Click ที่ Start > Run พิมพ์ %temp% แล้ว Enter

แล้ว Delete ไฟล์ sfd.exe , sfb.exe , sfc.exe

3. Delete ไฟล์ Swucua.exe ใน C:\WINDOWS

4. Delete ไฟล์ sshnas21.dll ใน C:\WINDOWS\system32

5. ใช้ Hijack This แล้ว Fix Checked ที่บรรทัดนี้

O4 - HKCU\..\Run: [TOY5KNQ8OC] %Temp%\Sfd.exe

6. Click ที่ Start > Run พิมพ์ regedit.exe แล้ว Enter แล้ว Delete Key ตามนี้

HKLM\SYSTEM\ControlSet001\Services\SSHNAS

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS

HKCU\Software\Microsoft\Handle

HKCU\Software\TOY5KNQ8OC

HKCU\Software\WEK9EMDHI9

HKCU\Software\XML

7. แก้ไข Value ของ netsvcs ใน Key

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\

โดย delete คำว่า SSHNAS

Malware Fighting

Menu

Information

Thursday

How to remove Swucua.exe

No comments:

Post a Comment

Exploit-DB updates

Exploits Database by Offensive Security

Metasploit

Metasploit Framework: Activity

iDefense Labs Software Releases

Popular Posts

Online Scan

Multi AV Scan malware