Malware Fighting: Win32/Kryptik.DLW (NOD32)

"Malware Fix รวมวิธีแก้ปัญหา virus computer โครงการทำดีเพื่อสังคม" "เนื่องจากภาระหน้าที่ทางการงาน ต้องขออภัยผู้เยี่ยมชมทุกท่านนะครับ ที่เ้ข้ามาแล้ว ไม่มีการ update virus ตัวใหม่ นะครับ"

Information

http://malwarefighting.blogspot.com

Click here for more gifs and graphics

แจ้งเตือนภัย ! Crypt0L0cker (Ransomware)
เข้ารหัสข้อมูลใน คอมพิวเตอร์ กำลังระบาดในไทย
และกำลังระบาดหนักในเกาหลี
ThaiCERT , Crytpo Prevention Tool

*ห้ามจ่ายเงินโดยเด็ดขาด เพราะจะเสียทั่้งเงินและกู้ข้อมูลไม่ได้
รบกวนคนที่เข้ามาอ่านช่วยแชร์ด้วยนะครับ
http://hotzone-it.blogspot.com/2015/07/how-to-remove-crypt0l0cker-not.html
==============================================

PeeTechFix >> JupiterFix

==============================================

Download : JupiterFix-Win32.PSW.OnlineGames 2011
(

AVDB-147

)

วิธีใช้งาน : JupiterFix-Win32.PSW.OnlineGames

ท่านสามารถตรวจสอบรายชื่อ Virus ที่โปรแกรม สามารถ Clean ได้ ใน VirusList.txt

-------------------------------------------------------------------------------------
ท่านใดที่ Download PeeTechFix tool ไปใช้แล้วมีปัญหาหรือลบไม่ออก โปรดแจ้งปัญหา ที่ email : MalwareHunter.info@gmail.com ด้วยครับ หรือส่งไฟล์ virus ให้ด้วย จะขอบพระคุณอย่างยิ่ง

-------------------------------------------------------------------------------------

Safemode Recovery (.reg) แก้ปัญหา Virus ลบ Key Safeboot แล้วเข้า safemode ไม่ได้

------------------------------------------------------------------------------------

วิธีแก้ Error message (แก้อาการเปิดไฟล์ .exe ใน USB Drive ไม่ได้)

"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"

วิธีแก้ ดูที่ link นี้ครับ

http://hotzone-it.blogspot.com/2010/01/fix-error-peetechfix.html

-------------------------------------------------------------------------------------

วิธีแก้ MSN /Windows Live Messenger Disconnect (จาก virus OnlineGames)

http://hotzone-it.blogspot.com/2010/06/msn-disconect.html

-------------------------------------------------------------------------------------

How to start Windows in Safe Mode

Link1 or Link 2 or Link3

Wednesday

Win32/Kryptik.DLW (NOD32)

File size: 108032 bytes

MD5 : 93ea7967d3f0d4c609ce021764d350ac

SHA1 : 669c36523b22872f708a02b4ff8aea585f538ba5

-------------------------------------------------------------------------------

Antivirus	Version	Last Update	Result
a-squared	4.5.0.50	2010.04.07	Trojan.Win32.FakeAV!IK
AhnLab-V3	5.0.0.2	2010.04.06	Dropper/Malware.108032.AL
AntiVir	7.10.6.31	2010.04.06	TR/Renos.PCH
Antiy-AVL	2.0.3.7	2010.04.07	Trojan/Win32.FraudPack
Authentium	5.2.0.5	2010.04.07	W32/FraudPack.E!Generic
Avast	4.8.1351.0	2010.04.06	Win32:Trojan-gen
Avast5	5.0.332.0	2010.04.06	Win32:Trojan-gen
AVG	9.0.0.787	2010.04.07	Downloader.Generic9.BNBF
BitDefender	7.2	2010.04.07	Trojan.Renos.PCH
CAT-QuickHeal	10.00	2010.04.07	Trojan.FraudPack.apqd
ClamAV	0.96.0.3-git	2010.04.07	-
Comodo	4525	2010.04.07	TrojWare.Win32.Trojan.Agent.Gen
DrWeb	5.0.2.03300	2010.04.07	Trojan.DownLoader1.4438
eSafe	7.0.17.0	2010.04.06	-
eTrust-Vet	35.2.7412	2010.04.07	-
F-Prot	4.5.1.85	2010.04.06	W32/FraudPack.E!Generic
F-Secure	9.0.15370.0	2010.04.07	Trojan.Renos.PCH
Fortinet	4.0.14.0	2010.04.06	-
GData	19	2010.04.07	Trojan.Renos.PCH
Ikarus	T3.1.1.80.0	2010.04.07	Trojan.Win32.FakeAV
Jiangmin	13.0.900	2010.04.07	-
Kaspersky	7.0.0.125	2010.04.07	Trojan.Win32.FraudPack.apqd
McAfee-GW-Edition	6.8.5	2010.04.06	Trojan.Renos.PCH
Microsoft	1.5605	2010.04.07	TrojanDownloader:Win32/Renos.KX
NOD32	5005	2010.04.06	a variant of Win32/Kryptik.DLW
Norman	6.04.11	2010.04.06	W32/FakeAV.LWI
nProtect	2009.1.8.0	2010.04.06	Trojan.Renos.PCH
Panda	10.0.2.2	2010.04.06	Generic Trojan
PCTools	7.0.3.5	2010.04.07	-
Prevx	3.0	2010.04.07	Medium Risk Malware Dropper
Rising	22.42.02.02	2010.04.07	Trojan.Win32.Generic.51FD2F1A
Sophos	4.52.0	2010.04.07	Mal/FakeAV-CX
Sunbelt	6146	2010.04.07	Win32.Malware!Drop
Symantec	20091.2.0.41	2010.04.07	SpywareStrike
TheHacker	6.5.2.0.256	2010.04.07	Trojan/FraudPack.apqd
TrendMicro	9.120.0.1004	2010.04.07	-
VBA32	3.12.12.4	2010.04.05	-
ViRobot	2010.4.7.2264	2010.04.07	-
VirusBuster	5.0.27.0	2010.04.06	Trojan.Codecpack.Gen.4

------------------------------------------------------------------------------

Files Added

%Temp%\Sfb.exe

%Temp%\Sfc.exe

%Temp%\Sfd.exe

%system%\sshnas21.dll

%WinDir%\Swucua.exe

%Temp% =C:\Documents and Settings\[UserName]\Local Settings\Temp

%system% = C:\Windows\System32

%winDir% = C:\Windows

Keys added

HKLM\SYSTEM\ControlSet001\Services\SSHNAS

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Security

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Security

HKCU\Software\Microsoft\Handle

HKCU\Software\WEK9EMDHI9

HKCU\Software\XML

HKCU\Software\YVIBBBHA8C

Values added

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters\ServiceDll: "C:\WINDOWS\system32\sshnas21.dll"

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Type: 0x00000020

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Start: 0x00000002

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\ErrorControl: 0x00000000

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\DisplayName: "SSHNAS"

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\ObjectName: "LocalSystem"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters\ServiceDll: "C:\WINDOWS\system32\sshnas21.dll"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Type: 0x00000020

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Start: 0x00000002

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\ErrorControl: 0x00000000

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\DisplayName: "SSHNAS"

HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\ObjectName: "LocalSystem"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

YVIBBBHA8C : "%Temp%\Sfd.exe"

HKCU\Software\Microsoft\Handle\3:"z+XaaugyuuSvEib0Hft72iB+UUk006BXeWC43zHlD+d+DIXqXp4uefOT9beDyITz2La99TIcO4afCdXyWJFIGNUeghKKVMvgWBDaubQD3whrC/afUzaqs+t3wTqVZ48Xvk0DmiAlNNQr+Y4NR2zEn84/l2Bj4Yta/aiQ+Lzx3QFb+FYoybd2MUxB3kyG9CzslL04l0B67T4O0MXvJ0+gTs8ZDIlxqu0/E+GwO98W2BRHdlwcijUmvPfs8xOxxb2D6nGWmH7bBaVxiMVAT35NKLON4jD0RL6Emf4TzESAf5hfQvlX+b+rG5Ip0ygVBzwG7njxUrdifOgQBng3/9eWq2XbipEeNC/QkJFm+dC1kOwfyoe5wi4CMmrA/60h1hkF3rF/tiu2AxfMTuh9mwcLCSf+joCRSGkrYgK0fc5n2AZ+sEcOQt6rrpH7bWlcE/J04lRYa/39MJjPm+c28pHCHogSVChdgo3los3qf3GoFrMEY7FHdVsyJGUv8LRDhhWLXwZRqs06zVi/ossHbzpnEx76+bE8sHNa1HgG9BnQSGbw5itnmSkYuCnMccVc5f5LBRRN3ZQPualpg/5YKu7LkuRCh3hSppQQ8ZZFRYo5dpbLnDO33o4KE0GGP8ZUo09vRRFs9wGU7979Lc0="

HKCU\Software\Microsoft\Handle\7:"z/Taa/pl0NCrJEynBu9+nW4cKDQAzbpLN370kRnSdoRFI/y8FssFAJj92Jmt0pfo3KLxtSZcIZmLSNG0S6N4CYZchE6WAra3DBKT5K1Rw1kVdcK0AC36/6h11zmVZ48Xvk0dxXMHB+RXj6A4DSaMzq9T/FJYybxc7K+T7PCxw0Fd+UtjyqwoD34SzQye9W6i8cdZ5R0prC0V28U="

HKCU\Software\Microsoft\Handle\5:"z/DcO5EGvtLTXCm7FPhmgDwcNWID0/R+VgSJ5APKWrFlEp37Tc8HVcO7z5H2w5/qh/jwvmUDJoTHA5yBZsAZGM8BnQL3NrKBcFyKtqYUxwtEbpG0UX/5hIhD7x2gAcUMpB8Z1n0oLMV5rpNNBj2VkeEetw9HyKAN7OG9n63igRtA+AZAsM1kJ1FA0USO8z++k6NH6h00uzsIgdmNQ2SiXY0tIatZmZJpcZz4LIwH+nghDQEFlDVvvfe2rV6zhOvfsn69s0qlNNl3vY8IEDEQa/3yh02hWbzLiPIWk1WQf9dWFOAG+r7ZNcl0jj4PG2d5gBCBUM8aGfQUD2VptsuI7CmDyrNjGQDi7eVt4c2mwbBA2524zCJOEQOmrvI0wQ5OkOwzpj7qKzmXTMoC1URSbRM="

HKCU\Software\Microsoft\Handle\8: 0xFFFFFFFF

HKCU\Software\Microsoft\Handle\6: 0xFFFFFFFF

HKCU\Software\Microsoft\Handle\4: 0x00000005

HKCU\Software\Microsoft\Handle\12: 0x01CCD32A

HKCU\Software\WEK9EMDHI9\SnaR: "FOqmVdfJTB7S8g=="

HKCU\Software\WEK9EMDHI9\Sna6:"Gbv+C4eSExjnyIpWf4+pYXAo/2QGxA/X94OiMMEM3fg2wLXvzVZF8MwcCBRfcPq52epvdMeg//Fz+p6csSavmjbegPbMh4ax7rfcfKkoeMvrtfbyG0YYP8id3oLexcxbGVypZIzo3J5uYxlFx3PGUP4mO8yMdGMehFEPRAYC/+l0jkeHzlMqaNgiWXIKcNXsfq5tRC0ShofRatvT0BICrAPCsm1z+4RwkUApVT52yN6sZUsKFCT0Bo/aK5iqE9fiw/U009Tswc2Ty+RZGt+NWqbLdocrmMXQdtLgHKzQBEwyDY2v3hz4PxzYDE3kba5xa6yJ2dmmL0ahlTEIOr8Zme53xg=="

HKCU\Software\WEK9EMDHI9\SkoW: 0x0000000C

HKCU\Software\WEK9EMDHI9\SkoA: 0x000151E4

HKCU\Software\WEK9EMDHI9\SkoR: 0x000151E4

HKCU\Software\WEK9EMDHI9\Sko4: 0x000151E4

HKCU\Software\WEK9EMDHI9\SkoQ: 0x00000000

HKCU\Software\WEK9EMDHI9\SkoH4: 0x00000000

HKCU\Software\WEK9EMDHI9\Sko6: 0x01CAD6F5

HKCU\Software\WEK9EMDHI9\SkoH: 0x843A1110

HKCU\Software\YVIBBBHA8C\Sk6:"xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Ek/n4gL8s8xs9LeD5KQVh3/j+XFbG3/8Bu5aiMqJVRVcQF7oop6V/nqCjgd83M9F4qOfs643eYxlxdOozwYgVD/95cSbnPGmAgVyQBmtbRWERa5lEWedN4LRl+dUrJAIwPZUYH14pK+/NJlrNxLjI/AC20YeKmx9tVrtKj7YuOVesbvrfIg/JPmwh4/6oQ0njTnXpebMGbAyfR4ujr9LAWcay4J"

HKCU\Software\YVIBBBHA8C\Sk1:"tSLPLpWL7R22spR48AI743bz2Kge8sERw0ysuyb7hAhii9o56M45qdHEQLLqBkChgvGQSnOomXTeInlsZ1oGJTxl/soFQuXnVGpOtjNdMbHDEvCPjrtz0k0S/GUExgOv5fYiSD+72VA8xlsk96QBVl//zk6II4sJVnmscuI5QH6eDcCkp9mhr486uI5hmYbFHXw9frH6xdJ15uLtZODZWf39sapv3ZPpzEM="

HKCU\Software\YVIBBBHA8C\SkI:"tSbFNJuL/h22spR48AI743bz2Kge8sEd3kq5oXy2iAogxscu/8Qnr4vdR6z4WV2j0uDoMhaq4Qy7IGRqfxRUfmdxooxGWqPhS2QJsTIBNrvcTqyalaQjiEwJ/zUnvGLjrKs7BDvxoCoP1QE4/vMFV0/7313JI4gECn6qYvdxHH+JCt/849X9oN5anfU4n5vFVmAgZa/umpVuu6D3ePiPepSu8+Zi3Ifkzg8piJ0qi1ipX4afIFvk8PMtiSW2GzXQNW8dbhb/8FeGIAZl8cmIH6+M1ZwAYSUg0OZDcVEm7HVr3E9t4kOJq3kE5aAQkWHLqyZ9/xt6"

HKCU\Software\YVIBBBHA8C\SbZ: 0x00015180

HKCU\Software\YVIBBBHA8C\SbM: 0x00000002

HKCU\Software\YVIBBBHA8C\Sb6: 0x01CAD6F5

HKCU\Software\YVIBBBHA8C\SbD: 0x878F7DA0

HKCU\Software\YVIBBBHA8C\Sb5: 0x00000001

HKCU\Software\YVIBBBHA8C\Sb1: 0x01CAD62E

HKCU\Software\YVIBBBHA8C\SbI: 0xD03033A0

Values modified

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs: '6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN SSHNAS'

------------------------------------------------------------------------------

วิธีกำจัด / แก้ไข : Win32/Kryptik.DLW (NOD32)

sfd.exe , sfb.exe , sfc.exe , Swucua.exe

------------------------------------------------------------------------------

Download Fix Tool : PeeTechFix-SSHNAS21 Ver 1.3.00 (new 28/05/2010)

ของเดิมคือ PeeTechFix-FakeAlert.ATQ

Link ที่เคย post ไว้ ซึ่งการทำงานเหมือนกันครับ

http://hotzone-it.blogspot.com/2010/03/how-to-remove-swucuaexe.html

http://hotzone-it.blogspot.com/2010/02/trojandownloaderfakealertatq.html

-------------------------------------------------------------------------------

Manual Delete

1. กด Ctrl+Alt+Del แล้ว เลือก End Process ไฟล์ sfd.exe , Swucua.exe , rundll32.exe
2. Click ที่ Start > Run พิมพ์ %temp% แล้ว Enter
แล้ว Delete ไฟล์ sfd.exe , sfb.exe , sfc.exe

3. Delete ไฟล์ Swucua.exe ใน C:\WINDOWS
4. Delete ไฟล์ sshnas21.dll ใน C:\WINDOWS\system32

5. ใช้ Hijack This แล้ว Fix Checked ที่บรรทัดนี้
O4 - HKCU\..\Run: [YVIBBBHA8C] %Temp%\Sfd.exe

6. Click ที่ Start > Run พิมพ์ regedit.exe แล้ว Enter แล้ว Delete Key ตามนี้

HKLM\SYSTEM\ControlSet001\Services\SSHNAS
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS
HKCU\Software\Microsoft\Handle
HKCU\Software\TOY5KNQ8OC
HKCU\Software\WEK9EMDHI9
HKCU\Software\XML

7. แก้ไข Value ของ netsvcs ใน Key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\
โดย delete คำว่า SSHNAS

...

Malware Fighting

Menu

Information

Wednesday

Win32/Kryptik.DLW (NOD32)

No comments:

Post a Comment

Exploit-DB updates

Exploits Database by Offensive Security

Metasploit

Metasploit Framework: Activity

iDefense Labs Software Releases

Popular Posts

Online Scan

Multi AV Scan malware