ไฟล์ที่่ใช้่ทดสอบ : exe.exe
81.5 KB (83,456 bytes)
MD5: 71599A02190D5DBF428C52F07347E9D4
SHA-1: 076449BCCDF20E37890D63DD676A564D4D2C02C1
=======================================================
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.5.0.50 | 2010.02.25 | - |
| AhnLab-V3 | 5.0.0.2 | 2010.02.24 | - |
| AntiVir | 8.2.1.172 | 2010.02.24 | - |
| Antiy-AVL | 2.0.3.7 | 2010.02.24 | - |
| Authentium | 5.2.0.5 | 2010.02.25 | - |
| Avast | 4.8.1351.0 | 2010.02.24 | - |
| AVG | 9.0.0.730 | 2010.02.24 | - |
| BitDefender | 7.2 | 2010.02.25 | - |
| CAT-QuickHeal | 10.00 | 2010.02.24 | - |
| ClamAV | 0.96.0.0-git | 2010.02.25 | - |
| Comodo | 4053 | 2010.02.25 | Heur.Packed.Unknown |
| DrWeb | 5.0.1.12222 | 2010.02.25 | - |
| eSafe | 7.0.17.0 | 2010.02.24 | - |
| eTrust-Vet | 35.2.7327 | 2010.02.24 | - |
| F-Prot | 4.5.1.85 | 2010.02.24 | - |
| F-Secure | 9.0.15370.0 | 2010.02.25 | - |
| Fortinet | 4.0.14.0 | 2010.02.21 | - |
| GData | 19 | 2010.02.25 | - |
| Ikarus | T3.1.1.80.0 | 2010.02.25 | - |
| Jiangmin | 13.0.900 | 2010.02.24 | - |
| K7AntiVirus | 7.10.981 | 2010.02.23 | - |
| Kaspersky | 7.0.0.125 | 2010.02.25 | - |
| McAfee | 5902 | 2010.02.24 | - |
| McAfee+Artemis | 5902 | 2010.02.24 | - |
| McAfee-GW-Edition | 6.8.5 | 2010.02.24 | - |
| Microsoft | 1.5502 | 2010.02.25 | - |
| NOD32 | 4893 | 2010.02.24 | - |
| Norman | 6.04.08 | 2010.02.24 | - |
| nProtect | 2009.1.8.0 | 2010.02.24 | - |
| Panda | 10.0.2.2 | 2010.02.24 | Suspicious file |
| PCTools | 7.0.3.5 | 2010.02.24 | - |
| Rising | 22.34.01.03 | 2010.02.11 | - |
| Sophos | 4.50.0 | 2010.02.25 | - |
| Sunbelt | 5698 | 2010.02.25 | - |
| Symantec | 20091.2.0.41 | 2010.02.25 | Suspicious.Insight |
| TheHacker | 6.5.1.6.209 | 2010.02.25 | - |
| TrendMicro | 9.120.0.1004 | 2010.02.24 | TROJ_QAKBOT.SMG |
| VBA32 | 3.12.12.2 | 2010.02.24 | - |
| ViRobot | 2010.2.24.2200 | 2010.02.24 | - |
| VirusBuster | 5.0.27.0 | 2010.02.24 | - |
-------------------------------------------------------------------------------
ijfuptb.exe ( Win32.Spy.Bebloh.A : NOD32 Last update 25/02/2010)
57.5 KB (58,880 bytes)
MD5: CDA0DBF7EB74CB8638C3022332744034
SHA-1: 53B9F8F8D8B76A691A6BA33D7FA67E47B2B63543
=======================================================
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.5.0.50 | 2010.02.25 | - |
| AhnLab-V3 | 5.0.0.2 | 2010.02.25 | - |
| AntiVir | 8.2.1.172 | 2010.02.24 | - |
| Antiy-AVL | 2.0.3.7 | 2010.02.24 | - |
| Authentium | 5.2.0.5 | 2010.02.25 | - |
| Avast | 4.8.1351.0 | 2010.02.24 | - |
| AVG | 9.0.0.730 | 2010.02.24 | - |
| BitDefender | 7.2 | 2010.02.25 | - |
| CAT-QuickHeal | 10.00 | 2010.02.25 | - |
| ClamAV | 0.96.0.0-git | 2010.02.25 | - |
| Comodo | 4056 | 2010.02.25 | - |
| DrWeb | 5.0.1.12222 | 2010.02.25 | - |
| eSafe | 7.0.17.0 | 2010.02.24 | - |
| eTrust-Vet | 35.2.7327 | 2010.02.24 | - |
| F-Prot | 4.5.1.85 | 2010.02.24 | - |
| F-Secure | 9.0.15370.0 | 2010.02.25 | - |
| Fortinet | 4.0.14.0 | 2010.02.21 | - |
| GData | 19 | 2010.02.25 | - |
| Ikarus | T3.1.1.80.0 | 2010.02.25 | - |
| Jiangmin | 13.0.900 | 2010.02.25 | - |
| K7AntiVirus | 7.10.981 | 2010.02.23 | - |
| Kaspersky | 7.0.0.125 | 2010.02.25 | - |
| McAfee | 5902 | 2010.02.24 | - |
| McAfee+Artemis | 5902 | 2010.02.24 | - |
| McAfee-GW-Edition | 6.8.5 | 2010.02.24 | - |
| Microsoft | 1.5502 | 2010.02.25 | - |
| NOD32 | 4893 | 2010.02.24 | - |
| Norman | 6.04.08 | 2010.02.24 | - |
| nProtect | 2009.1.8.0 | 2010.02.25 | - |
| Panda | 10.0.2.2 | 2010.02.24 | - |
| PCTools | 7.0.3.5 | 2010.02.25 | - |
| Prevx | 3.0 | 2010.02.25 | - |
| Rising | 22.34.01.03 | 2010.02.11 | - |
| Sophos | 4.50.0 | 2010.02.25 | Mal/FakeAV-CH |
| Sunbelt | 5698 | 2010.02.25 | - |
| Symantec | 20091.2.0.41 | 2010.02.25 | Suspicious.Insight |
| TheHacker | 6.5.1.6.210 | 2010.02.25 | - |
| TrendMicro | 9.120.0.1004 | 2010.02.25 | - |
| VBA32 | 3.12.12.2 | 2010.02.24 | - |
| ViRobot | 2010.2.25.2201 | 2010.02.25 | - |
| VirusBuster | 5.0.27.0 | 2010.02.24 | - |
-------------------------------------------------------------------------------
Files Created
C:\WINDOWS\system32\hnrgm.exe
C:\WINDOWS\system32\ijfuptb.exe
Keys added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\B41431AD
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\Z
Values Added
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger: "C:\Program Files\Internet Explorer\iexplore.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe\Debugger: "C:\Program Files\Internet Explorer\iexplore.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger: "C:\Program Files\Internet Explorer\iexplore.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe\Debugger: "C:\Program Files\Internet Explorer\iexplore.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\Debugger: "ijfuptb.exe"
Values modified
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: "C:\WINDOWS\system32\config\systemprofile\Cookies"
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache: "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files"
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History: "C:\WINDOWS\system32\config\systemprofile\Local Settings\History"
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: "C:\WINDOWS\system32\config\systemprofile\Cookies"
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache: "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files"
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History: "C:\WINDOWS\system32\config\systemprofile\Local Settings\History"
-------------------------------------------------------------------------
วิธีกำจัด/แก้ไข : ijfuptb.exe
-------------------------------------------------------------------------
1. เข้าไปที่ C:\Windows\System32 แล้ว click ขวาที่ไฟล์ ijfuptb.exe เลือก Unlocker
เมื่อขึ้นหน้าต่าง Unlocker ให้ click ที่บรรทัดของ ijfuptb.exe แ้ล้วกดปุ่ม unlock
แล้ว delete ไฟล์ทิ้งไป
2.เปิดโปรแกรม Autoruns แล้ว click ไปที่ Tab ของ Image Hijack แล้ว delete Registry
Image File Execution ดังนี้
chrome.exe
navigator.exe
opera.exe
safari.exe
userinit.exe
3. Click Start > Run พิมพ์ Regedit.exe แล้วไป delete key นี้
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\B41431AD
ไม่มีความคิดเห็น:
แสดงความคิดเห็น