Files Created
C:\Program Files\AdvancedVirusRemover\PAVRM.exe
C:\Program Files\AdvancedVirusRemover\AVR.exe
C:\Program Files\AdvancedVirusRemover\Viruses.bdt
C:\Program Files\AdvancedVirusRemover\AdvancedVirusRemover.exe
C:\Windows\system32\AVR10.exe
C:\Windows\system32\41.exe
C:\Windows\system32\winupdate86.exe
C:\Windows\system32\winhelper86.dll
C:\Windows\system32\critical_warning.html
C:\s
%UserProfile%\Desktop\Viruses.bdt
%UserProfile%\Desktop\Advanced Virus Remover.lnk
%UserProfile%\Start Menu\Advanced Virus Remover.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AdvancedVirusRemover.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\s1jqw0bz.default\cookies.sqlite
Registry Modifications
Keys Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\AVR
Values Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\
NoChangingWallpaper = 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
NoSetActiveDesktop = 0x00000001
NoActiveDesktopChanges = 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
winupdate86.exe = C:\Windows\System32\winupdate86.exe
Advanced Virus Remover = C:\Program Files\AdvancedVirusRemover\AVR.exe
AdvancedVirusRemover = C:\Program Files\AdvancedVirusRemover\AVR.exe
PAVRM.exe = C:\Program Files\AdvancedVirusRemover\PAVRM.exe
PAVRM = C:\Program Files\AdvancedVirusRemover\PAVRM.exe
AVR = C:\Program Files\AdvancedVirusRemover\PAVRM.exe
HKCU\Software\
8636065b-fef0-4255-b14f-54639f7900a4 =
"8636065b-fef0-4255-b14f-54639f7900a4"
5222009A-DD62-49c7-A735-7BD18ECC7350 =
"5222009A-DD62-49c7-A735-7BD18ECC7350"
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
Wallpaper = "%System%\critical_warning.html"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoSetActiveDesktop = 0x00000001
NoActiveDesktopChanges = 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
NoChangingWallpaper = 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableTaskMgr = 0x00000001
HKCU\Software\Microsoft\Internet Explorer\Main\
NotifyDownloadComplete = "yes"
HKCU\Software\AVR\
LastVFC = "25"
VirList = "71255354154320429142454491823411617202092515"
LastD = "18"
LastVFC = "25"
VirList = "504115033127181484212398385028451851153126451537"
LastD = "20"
LastScan = "20.11.2009 08:16"
Values deleted
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
Wallpaper = ""
Values modified
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
WallpaperLocalFileTime =
Hosts modified
89.149.210.61 www.google.com
89.149.210.61 www.google.de
89.149.210.61 www.google.fr
89.149.210.61 www.google.co.uk
89.149.210.61 www.google.com.br
89.149.210.61 www.google.it
89.149.210.61 www.google.es
89.149.210.61 www.google.co.jp
89.149.210.61 www.google.com.mx
89.149.210.61 www.google.ca
89.149.210.61 www.google.com.au
89.149.210.61 www.google.nl
89.149.210.61 www.google.co.za
89.149.210.61 www.google.be
89.149.210.61 www.google.gr
89.149.210.61 www.google.at
89.149.210.61 www.google.se
89.149.210.61 www.google.ch
89.149.210.61 www.google.pt
89.149.210.61 www.google.dk
89.149.210.61 www.google.fi
89.149.210.61 www.google.ie
89.149.210.61 www.google.no
89.149.210.61 search.yahoo.com
89.149.210.61 us.search.yahoo.com
89.149.210.61 uk.search.yahoo.com
URLs contacted / downloaded from, data identified
http://advanced-virusremover2010.com/buy/?code=00000920
http://advanced-virusremover2010.com/buy/jq.js
http://downloadavr10.com/loads.php?code=0001001
http://downloadavr10.com/dfghfghgfj.dll
http://testavrdown.com/cgi-bin/get.pl?l=0001001
http://downloadavr10.com/cgi-bin/download.pl?code=0001001
http://advanced-virusremover2010.com/buy/?code=0000112
http://downloadavr11.com/loads.php?code=0001122
http://downloadavr11.com/dfghfghgfj.dll
http://testavrdown.com/cgi-bin/get.pl?l=0001122
http://downloadavr11.com/cgi-bin/download.pl?code=0001122
http://downloadavr10.com/loads.php?code=0000070
http://downloadavr10.com/dfghfghgfj.dll
http://downloadavr10.com/cgi-bin/download.pl?code=0000070
http://testavrdown.com/cgi-bin/get.pl?l=0000070
http://advanced-virusremover2010.com/buy/?code=00000000
===================================================
How to remove the fake antivirus: Advanced Virus Remover (2009-2010)
===================================================
1. Run PeeTechFix-Advanced Virus Remover 1.0
2. Use HijackThis to fix the O1 - Hosts lines:
O1 - Hosts: 89.149.210.61 www.google.com
O1 - Hosts: 89.149.210.61 www.google.de
O1 - Hosts: 89.149.210.61 www.google.fr
O1 - Hosts: 89.149.210.61 www.google.co.uk
O1 - Hosts: 89.149.210.61 www.google.com.br
O1 - Hosts: 89.149.210.61 www.google.it
O1 - Hosts: 89.149.210.61 www.google.es
O1 - Hosts: 89.149.210.61 www.google.co.jp
O1 - Hosts: 89.149.210.61 www.google.com.mx
O1 - Hosts: 89.149.210.61 www.google.ca
O1 - Hosts: 89.149.210.61 www.google.com.au
O1 - Hosts: 89.149.210.61 www.google.nl
O1 - Hosts: 89.149.210.61 www.google.co.za
O1 - Hosts: 89.149.210.61 www.google.be
O1 - Hosts: 89.149.210.61 www.google.gr
O1 - Hosts: 89.149.210.61 www.google.at
O1 - Hosts: 89.149.210.61 www.google.se
O1 - Hosts: 89.149.210.61 www.google.ch
O1 - Hosts: 89.149.210.61 www.google.pt
O1 - Hosts: 89.149.210.61 www.google.dk
O1 - Hosts: 89.149.210.61 www.google.fi
O1 - Hosts: 89.149.210.61 www.google.ie
O1 - Hosts: 89.149.210.61 www.google.no
O1 - Hosts: 89.149.210.61 search.yahoo.com
O1 - Hosts: 89.149.210.61 us.search.yahoo.com
O1 - Hosts: 89.149.210.61 uk.search.yahoo.com
-----------------------------------------------------------------------
Alternatively, download the hosts file from mvps.org.
Extract it and run MVPS.bat, or copy the Hosts file into
C:\WINDOWS\system32\drivers\etc
to block the websites the fake antivirus downloads from.
Windows Vista users should read this link for further details:
Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm
I also recommend installing McAfee SiteAdvisor to check websites before you visit them.
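The indicator listing above and the removal steps in this section, as an added example that is not part of the original post: a PowerShell script that audits a machine for the dropped files, Run-key persistence, policy lockouts (DisableTaskMgr, NoChangingWallpaper and friends) and hosts-file redirects listed above and, with -Remediate, removes the hosts lines, resets the policy values and deletes the Run entries. The paths, value names and the 89.149.210.61 address come from the listing; the script, function and parameter names (Get-HijackedHostsLines, -Remediate) are this example's own. Run it from an elevated prompt and try -WhatIf first.

```powershell
# Added example (not from the original post): audit a Windows host for the
# Advanced Virus Remover indicators listed above and, with -Remediate, undo the
# hosts-file hijack, the policy lockouts and the Run-key persistence.
# Paths, value names and the 89.149.210.61 address come from the listing above;
# the function and parameter names are this example's own (assumptions).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$HijackIp  = '89.149.210.61'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Files dropped by the rogue (from the "Files Created" list). Reported only:
# they are usually still running and must be killed before deletion.
$DroppedFiles = @(
    "$env:ProgramFiles\AdvancedVirusRemover\PAVRM.exe",
    "$env:ProgramFiles\AdvancedVirusRemover\AVR.exe",
    "$env:ProgramFiles\AdvancedVirusRemover\AdvancedVirusRemover.exe",
    "$env:ProgramFiles\AdvancedVirusRemover\Viruses.bdt",
    "$env:SystemRoot\System32\AVR10.exe",
    "$env:SystemRoot\System32\41.exe",
    "$env:SystemRoot\System32\winupdate86.exe",
    "$env:SystemRoot\System32\winhelper86.dll",
    "$env:SystemRoot\System32\critical_warning.html"
)

# Run-key value names used for persistence (both HKLM and HKCU were populated).
$RunValueNames = @('winupdate86.exe', 'Advanced Virus Remover', 'AdvancedVirusRemover',
                   'PAVRM.exe', 'PAVRM', 'AVR')
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Policy values the rogue sets to 1 to lock the user out of Task Manager and the wallpaper.
$PolicyValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoSetActiveDesktop' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoSetActiveDesktop' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges' }
)

function Get-HijackedHostsLines {
    # Returns every non-comment hosts line that maps a name to the rogue's IP.
    # Any non-loopback address for a Google/Yahoo search name is flagged as well,
    # so a variant that uses a different redirect IP is still caught.
    if (-not (Test-Path $HostsPath)) { return @() }
    Get-Content $HostsPath | Where-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return $false }
        $parts = $line -split '\s+'
        $ip = $parts[0]; $name = $parts[1]
        ($ip -eq $HijackIp) -or
        ($name -match '^(www\.google\.|([a-z]+\.)?search\.yahoo\.com$)' -and
         @('127.0.0.1', '::1') -notcontains $ip)
    }
}

$findings = @()

foreach ($f in $DroppedFiles) {
    if (Test-Path $f) { $findings += "file: $f" }
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $RunValueNames) {
        if ($null -ne $props.PSObject.Properties[$name]) {
            $findings += "run value: $key\$name = $($props.$name)"
            if ($Remediate -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }
}

foreach ($p in $PolicyValues) {
    if (-not (Test-Path $p.Key)) { continue }
    $v = (Get-ItemProperty -Path $p.Key -ErrorAction SilentlyContinue).($p.Name)
    if ($v -eq 1) {
        $findings += "policy: $($p.Key)\$($p.Name) = 1"
        if ($Remediate -and $PSCmdlet.ShouldProcess("$($p.Key)\$($p.Name)", 'Reset to 0')) {
            Set-ItemProperty -Path $p.Key -Name $p.Name -Value 0 -Type DWord
        }
    }
}

$hijacked = @(Get-HijackedHostsLines)
if ($hijacked.Count -gt 0) {
    $findings += ($hijacked | ForEach-Object { "hosts: $_" })
    if ($Remediate -and $PSCmdlet.ShouldProcess($HostsPath, 'Remove hijack lines')) {
        Copy-Item $HostsPath "$HostsPath.bak" -Force   # keep a copy of the tampered file as evidence
        Get-Content $HostsPath | Where-Object { $hijacked -notcontains $_ } |
            Set-Content $HostsPath -Encoding ASCII
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No Advanced Virus Remover indicators found.' }
```

The script deliberately only reports the dropped files instead of deleting them: AVR.exe, PAVRM.exe and winupdate86.exe are normally still running while the audit runs, so terminate them (or reboot into Safe Mode) before removing the executables and the Desktop, Start Menu and Quick Launch shortcuts. It also leaves the HKCU\Software\AVR key and the Internet Explorer Wallpaper value that points at critical_warning.html for manual cleanup, and the hosts backup it writes is the tampered copy, which is worth keeping for the incident record.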