Fake Alert : Antivirus Plus
-------------------------------------------------------------------------------
Antivirus | Version | Last Update | Result |
---|---|---|---|
a-squared | 4.5.0.50 | 2010.04.15 | Trojan.SuspectCRC!IK |
AhnLab-V3 | 5.0.0.2 | 2010.04.14 | - |
AntiVir | 7.10.6.77 | 2010.04.14 | TR/Crypt.ZPACK.Gen |
Antiy-AVL | 2.0.3.7 | 2010.04.14 | - |
Authentium | 5.2.0.5 | 2010.04.15 | W32/Genome.B.gen!Eldorado |
Avast | 4.8.1351.0 | 2010.04.14 | Win32:Trojan-gen |
Avast5 | 5.0.332.0 | 2010.04.14 | Win32:Trojan-gen |
AVG | 9.0.0.787 | 2010.04.14 | Generic17.AYNV |
BitDefender | 7.2 | 2010.04.15 | Trojan.Generic.KD.6291 |
CAT-QuickHeal | 10.00 | 2010.04.14 | - |
ClamAV | 0.96.0.3-git | 2010.04.14 | - |
Comodo | 4600 | 2010.04.15 | Heur.Suspicious |
DrWeb | 5.0.2.03300 | 2010.04.15 | - |
eSafe | 7.0.17.0 | 2010.04.14 | Win32.TRCrypt.ZPACK |
eTrust-Vet | 35.2.7426 | 2010.04.14 | - |
F-Prot | 4.5.1.85 | 2010.04.14 | W32/Genome.B.gen!Eldorado |
F-Secure | 9.0.15370.0 | 2010.04.15 | Trojan.Generic.KD.6291 |
Fortinet | 4.0.14.0 | 2010.04.12 | - |
GData | 19 | 2010.04.15 | Trojan.Generic.KD.6291 |
Ikarus | T3.1.1.80.0 | 2010.04.15 | Trojan.SuspectCRC |
Jiangmin | 13.0.900 | 2010.04.13 | - |
Kaspersky | 7.0.0.125 | 2010.04.15 | Trojan-Downloader.Win32.FraudLoad.xaht |
McAfee | 5.400.0.1158 | 2010.04.15 | - |
McAfee-GW-Edition | 6.8.5 | 2010.04.15 | Trojan.Crypt.ZPACK.Gen |
Microsoft | 1.5605 | 2010.04.14 | Trojan:Win32/FakePlus |
NOD32 | 5029 | 2010.04.14 | a variant of Win32/Kryptik.COO |
Norman | 6.04.11 | 2010.04.14 | - |
nProtect | 2010-04-14.01 | 2010.04.14 | - |
Panda | 10.0.2.7 | 2010.04.14 | Trj/CI.A |
PCTools | 7.0.3.5 | 2010.04.15 | - |
Prevx | 3.0 | 2010.04.15 | High Risk Cloaked Malware |
Rising | 22.43.02.04 | 2010.04.14 | - |
Sophos | 4.52.0 | 2010.04.15 | Mal/FakeAV-CQ |
Sunbelt | 6177 | 2010.04.15 | Trojan.Win32.Generic!BT |
Symantec | 20091.2.0.41 | 2010.04.15 | Trojan.FakeAV |
TheHacker | 6.5.2.0.261 | 2010.04.14 | - |
TrendMicro | 9.120.0.1004 | 2010.04.14 | - |
VBA32 | 3.12.12.4 | 2010.04.14 | - |
ViRobot | 2010.4.14.2276 | 2010.04.14 | - |
VirusBuster | 5.0.27.0 | 2010.04.14 | Trojan.FakePlus.IC |
-------------------------------------------------------------------------------
File size: 223232 bytes
MD5 : 4ab2cb0dd839df64ec8d682f904827ef
SHA1 : 6446a7980e27582a8c3f44903a38fa5d79be910d
-------------------------------------------------------------------------------
Files Added
C:\Documents and Settings\[User name]\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll
C:\Documents and Settings\[User name]\Application Data\avp.ico
C:\Documents and Settings\[User name]\Start Menu\Programs\Startup\AntiVirus Plus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
C:\Documents and Settings\[User name]\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
C:\Documents and Settings\[User name]\Start Menu\Programs\AntiVirus Plus\EULA.url
C:\Documents and Settings\[User name]\Start Menu\Programs\AntiVirus Plus\Uninstall.lnk
C:\Documents and Settings\[User name]\Desktop\AntiVirus Plus.lnk
C:\Documents and Settings\[User name]\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk
C:\Documents and Settings\[User name]\Desktop\~res.htm
C:\Documents and Settings\[User name]\Recent\Antivirus plus.log.lnk
Keys Added
HKLM\SOFTWARE\Classes\CLSID\{C2B5AAB8-2183-4be7-81A6-F11493C45872}
HKLM\SOFTWARE\Classes\CLSID\{C2B5AAB8-2183-4be7-81A6-F11493C45872}\InProcServer32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2B5AAB8-2183-4be7-81A6-F11493C45872}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus
Values Added
HKLM\SOFTWARE\Classes\CLSID\{C2B5AAB8-2183-4be7-81A6-F11493C45872}\InProcServer32\: "%userProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll"
HKLM\SOFTWARE\Classes\CLSID\{C2B5AAB8-2183-4be7-81A6-F11493C45872}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{C2B5AAB8-2183-4be7-81A6-F11493C45872}\: 41 6E 74 69 76 69 72 75 73 20 50 6C 75 73 20 42 48 4F 00 00 43 4C 53 49
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2B5AAB8-2183-4be7-81A6-F11493C45872}\NoExplorer: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Plus: ""%system32%\rundll32.exe" "%userProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll", start 1"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus\DisplayName: "AntiVirus Plus"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus\UninstallString: ""%system%\rundll32.exe" "%userProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll", start 1 uninstall"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus\NoRepair: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Plus\DisplayIcon: "%userProfile%\Application Data\avp.ico,0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Plus: ""%system%\rundll32.exe" "%userProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll", start 1"
Values Modified
HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000004
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004
Hosts Modified (the redirected entries are the O1 lines listed under step 2 of the removal procedure below)
-------------------------------------------------------------------------
How to remove / fix : Fake Alert : Antivirus Plus
-------------------------------------------------------------------------
1. Run rkill.com
2. Use HijackThis to "Fix checked" the following lines:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system\rundll32.exe
O1 - Hosts: 78.159.125.56 www.google.co.jp
O1 - Hosts: 78.159.125.56 www.google.co.uk
O1 - Hosts: 78.159.125.56 search.yahoo.com
O1 - Hosts: 78.159.125.56 us.search.yahoo.com
O1 - Hosts: 78.159.125.56 www.google.ch
O1 - Hosts: 78.159.125.56 www.google.gr
O1 - Hosts: 78.159.125.56 www.google.fr
O1 - Hosts: 78.159.125.56 www.google.com.br
O1 - Hosts: 78.159.125.56 www.google.co.za
O1 - Hosts: 78.159.125.56 www.google.be
O1 - Hosts: 78.159.125.56 uk.search.yahoo.com
O1 - Hosts: 78.159.125.56 www.google.at
O1 - Hosts: 78.159.125.56 www.google.com.au
O1 - Hosts: 78.159.125.56 www.google.dk
O1 - Hosts: 78.159.125.56 www.google.nl
O1 - Hosts: 78.159.125.56 www.google.pt
O1 - Hosts: 78.159.125.56 www.google.ie
O1 - Hosts: 78.159.125.56 www.google.com
O1 - Hosts: 78.159.125.56 www.google.de
O1 - Hosts: 78.159.125.56 www.google.no
O1 - Hosts: 78.159.125.56 www.google.fi
O1 - Hosts: 78.159.125.56 www.google.es
O1 - Hosts: 78.159.125.56 www.google.com.mx
O1 - Hosts: 78.159.125.56 www.google.ca
O1 - Hosts: 78.159.125.56 www.google.se
O1 - Hosts: 78.159.125.56 www.google.it
O2 - BHO: Antivirus Plus BHO - {C2B5AAB8-2183-4be7-81A6-F11493C45872} - %UserProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll
O4 - HKLM\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "%UserProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll", start 1
O4 - HKCU\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "%UserProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll", start 1
O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
3. Scan with Malwarebytes' Anti-Malware once more.
...