Lesson: Removing Malware Hidden in the Registry

How to remove malware by hand by deleting its entries in the Registry
Highly effective programs for removing malware:
1. Removing malware that hides Folder Options (folder_option)
2. Removing malware that hides the Registry
3. Removing Autorun malware
4. Protecting against USB viruses
5. Malware in the process list
6. The HijackThis tool
7. Removing Macro 4 malware
8. The Symantec removal tool
9. Remote software
10. Hiren's boot CD 9.0
11. Logmein
12. Deleting files that cannot be deleted
1. How to remove Trojan.Wincod
I. Description
First seen: 7 March 2009, 9:37:02 AM
Malware name: W32.Downadup.C
Type: Trojan; it makes applications hang and stop working
Risk level: medium
Size: 57,344 bytes
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000.
II. Removal steps
- Click Start → Run
- Type Regedit
- Click OK
- Find the following values in the Registry and delete them:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WmpTray" = "[PATH TO TROJAN]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\"Debugger" = "http://wincodecpro.com/purchase.php?id=2"
HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia\WinCoDecPRO\"countr" = "[NUMBER OF TIMES TROJAN HAS EXECUTED]"
HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia
HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia\WinCoDecPRO
- Close the Registry Editor and exit Windows
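The procedure above (Start → Run, regedit, find each value, delete it, close) is repeated by hand for every threat in this lesson. The PowerShell script below is an added example and is not part of the original lesson: it takes the lesson's own `KEY\"Name" = "data"` lines, reports whether each key or value is present on the machine, and removes an entry only when explicitly asked, after exporting a backup of the key with reg.exe. The function names and the backup directory are my own choices; placeholders such as [PATH TO TROJAN] or [RANDOM CHARACTERS] in the lesson's lines must be replaced with the actual names seen on the host before the lines are fed in.

```powershell
# Added example, not part of the original lesson. Reads registry indicators in the
# notation used on this page, e.g.
#   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WmpTray" = "[PATH TO TROJAN]"
# reports which ones exist, and removes them only on request, after a reg.exe backup.
# Assumptions: elevated PowerShell 5.1 or later; function names and $BackupDir are my own choices.

function Convert-IocLine {
    param([Parameter(Mandatory)][string]$Line)
    # Normalise the curly quotes that web copies of these write-ups tend to carry
    $clean = ($Line -replace '[\u201C\u201D\u2033]', '"').Trim()
    # KEY\"Name" = "data"  ->  key path plus value name; the data part is not needed for lookup
    if ($clean -match '^(?<key>HKEY_[A-Z_]+\\.*?)\\"(?<name>[^"]+)"\s*=') {
        return [pscustomobject]@{ Key = $Matches.key; Name = $Matches.name }
    }
    # A bare key path means the whole subkey is to be inspected or removed
    return [pscustomobject]@{ Key = $clean; Name = $null }
}

function Test-IocPresence {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $ioc  = Convert-IocLine -Line $line
        $path = "Registry::$($ioc.Key)"      # the Registry:: provider accepts every hive by its full name
        $present = $false; $data = $null
        if (Test-Path -LiteralPath $path) {
            if ($ioc.Name) {
                $item = Get-ItemProperty -LiteralPath $path -Name $ioc.Name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $present = $true; $data = $item.($ioc.Name) }
            } else {
                $present = $true
            }
        }
        [pscustomobject]@{ Key = $ioc.Key; Name = $ioc.Name; Present = $present; Data = $data }
    }
}

function Remove-IocEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Key,
        [string]$Name,
        [string]$BackupDir = "$env:SystemDrive\RegBackup"
    )
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $backup = Join-Path $BackupDir (($Key -replace '[\\: ]', '_') + '.reg')
    # reg.exe export gives a file that 'reg import' can restore if the removal breaks something
    & reg.exe export $Key $backup /y | Out-Null
    $path = "Registry::$Key"
    if ($Name) {
        if ($PSCmdlet.ShouldProcess("$Key -> $Name", 'Remove value')) {
            Remove-ItemProperty -LiteralPath $path -Name $Name
        }
    } elseif ($PSCmdlet.ShouldProcess($Key, 'Remove subkey')) {
        Remove-Item -LiteralPath $path -Recurse
    }
}

# Usage with the Trojan.Wincod entries from section 1 (replace the placeholder with the real path first)
$iocs = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WmpTray" = "[PATH TO TROJAN]"',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\"Debugger" = "http://wincodecpro.com/purchase.php?id=2"',
    'HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia'
)
$report = Test-IocPresence -Lines $iocs
$report | Format-Table -AutoSize
# Dry run first; drop -WhatIf only after the report has been reviewed
$report | Where-Object Present | ForEach-Object { Remove-IocEntry -Key $_.Key -Name $_.Name -WhatIf }
```

The report step is deliberately separate from the removal step: on a live machine the value names in a write-up are often placeholders, and the data column of the report is what tells you which Run entry or Debugger value is actually the malicious one before anything is deleted.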
2. How to remove W32.Downadup.C
I. Description
First seen: 6 March 2009, 4:12:59 PM
Malware name: W32.Downadup.C
Type: Trojan worm
Risk level: medium
Size: 88,576 bytes
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000.
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000. Guidance for using the Symantec program (a Norton product) to catch the malware:
- Disable System Restore (Windows Me/XP)
- Get the latest version of the program and its update files
- Scan every drive in the computer
- Delete the values left behind in the Registry
II. Removal steps
- Click Start → Run
- Type Regedit
- Click OK
- Find the following values in the Registry and delete them:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "rundll32.exe "[RANDOM DLL FILE NAME]", [RANDOM PARAMETER STRING]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ImagePath" = "%System%\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\Parameters\"ServiceDll" = "[PATH TO THE THREAT]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
Add the following entries to the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Defender"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
- Close the Registry Editor and exit Windows
3. How to remove W32.SillyFDC.BAZ
I. Description
First seen: 4 March 2009, 8:31:32 AM
Malware name: W32.SillyFDC.BAZ
Type: Worm
Risk level: medium
Size: 27,072 bytes
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000.
Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP. Guidance for using the Symantec program (a Norton product) to catch the malware:
- Disable System Restore (Windows Me/XP)
- Get the latest version of the program and its update files
- Scan every drive in the computer
- Delete the values left behind in the Registry
II. Removal steps
- Click Start → Run
- Type Regedit
- Click OK
- Find the following values in the Registry and delete them:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"DefaultConnectionSettings" = "[BINARY DATA]"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"SavedLegacySettings" = "[BINARY DATA]"
- Close the Registry Editor and exit Windows
4. How to remove W32.SillyFDC.BBAY
I. Description
First seen: 4 March 2009, 8:31:32 AM
Malware name: W32.SillyFDC.BBAY
Type: Worm
Risk level: medium
Size: 40,960 bytes
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000.
Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP. Guidance for using the Symantec program (a Norton product) to catch the malware:
- Disable System Restore (Windows Me/XP)
- Get the latest version of the program and its update files
- Scan every drive in the computer
- Delete the values left behind in the Registry
II. Removal steps
- Click Start → Run
- Type Regedit
- Click OK
- Find the following value in the Registry and delete it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}\"StubPath" = "%SystemDrive%\SYSTEM\[SID]\Perfume.exe"
- Close the Registry Editor and exit Windows
5. How to remove W32.SillyFDC.BAY
I. Description
First seen: 4 March 2009, 6:36:09 AM
Malware name: W32.SillyFDC.BAY
Type: Worm
Risk level: medium
Size: 49,023 bytes
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000.
Systems affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000. Guidance for using the Symantec program (a Norton product) to catch the malware:
- Disable System Restore (Windows Me/XP)
- Get the latest version of the program and its update files
- Scan every drive in the computer
- Delete the values left behind in the Registry
II. Removal steps
- Click Start → Run
- Type Regedit
- Click OK
- Find the following values in the Registry and delete them:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoGuarder.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IsHelp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavCopy.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStore.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Syscheck2.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ToolsUp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arvmon.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findt2005.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killhidepid.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvfw.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravt08.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwolusr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safebank.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartassistant.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syscheck.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\????????.exe\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"xSafe" = "%ProgramFiles%\Common Files\xSafe.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DOGKILLER\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DOGKILLER\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DOGKILLER\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DOGKILLER\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DOGKILLER\0000\"DeviceDesc" = "DogKiller"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DOGKILLER\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DOGKILLER\0000\"Service" = "DogKiller"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRSKL\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRSKL\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRSKL\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRSKL\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRSKL\0000\"DeviceDesc" = "srskl"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRSKL\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SRSKL\0000\"Service" = "srskl"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DogKiller\"DisplayName" = "DogKiller"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DogKiller\"ErrorControl" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DogKiller\"ImagePath" = "\??\%UserProfile%\LOCALS~1\Temp\~dwphx.tmp"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DogKiller\"Start" = "3"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DogKiller\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DogKiller\Security\"Security" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"DisplayName" = "srskl"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"ErrorControl" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"ImagePath" = "\??\%Windir%\Fonts\srskl.fon"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"Start" = "3"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\Security\"Security" = "[BINARY DATA]"
Re-enter the following values in the Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\"PastIconsStream" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"ARPAccess" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"ExecAccess" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"IEProtAccess" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"LeakShowed" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"MonAccess" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"SiteAccess" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"UDiskAccess" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"weeken" = "0"
- Close the Registry Editor and exit Windows
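The W32.SillyFDC.BAY list above is built from two persistence tricks that recur throughout this lesson: an Image File Execution Options "Debugger" value for every security tool the worm knows (Windows then launches "ntsd -d" instead of the tool, so the tool starts under a debugger or not at all), and two services, DogKiller and srskl, whose binaries sit in the user's Temp directory and in %Windir%\Fonts. The PowerShell audit below is an added example and not part of the original lesson; it enumerates both conditions on the local machine without changing anything. The function names and the list of "safe" directories are my own choices; the IFEO key, the Services key and the Parameters\ServiceDll convention (used by the Downadup.C entry in section 2) are standard Windows locations.

```powershell
# Added example, not part of the original lesson. Read-only audit of IFEO "Debugger" hijacks
# and of services whose code lives outside the normal system directories.
# Assumptions: elevated PowerShell; function names and the $roots list are my own choices.

function Get-IfeoDebuggerHijack {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -LiteralPath $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { return }
        # First token of the Debugger command line is what Windows starts instead of the program
        $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
        $onDisk = [bool](Get-Command $exe -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Image      = $_.PSChildName
            Debugger   = $dbg
            # "ntsd -d" or a debugger that is not installed means the program never runs normally
            Suspicious = ($dbg -match '^\s*"?ntsd' -or -not $onDisk)
        }
    }
}

function Get-ServiceOutsideSystemRoot {
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        # svchost-hosted services keep their real code in Parameters\ServiceDll, not in ImagePath
        $dll = (Get-ItemProperty -LiteralPath "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        $target = if ($dll) { [string]$dll } else { [string]$svc.ImagePath }
        if (-not $target) { return }   # drivers without ImagePath default to system32\drivers; skip them
        # Strip the \??\ NT prefix and the \SystemRoot\ alias, then expand %Windir%-style variables
        $target = $target -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $full = [Environment]::ExpandEnvironmentVariables($target).TrimStart('"')
        if ($full -notmatch '^[A-Za-z]:\\') { $full = Join-Path $env:SystemRoot $full }
        $inside = $false
        foreach ($r in $roots) {
            if ($full.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { $inside = $true }
        }
        $reasons = @()
        if (-not $inside) { $reasons += 'outside Windows and Program Files' }
        if ($full -match '\\(Temp|Fonts)\\') { $reasons += 'Temp or Fonts directory' }      # ~dwphx.tmp, srskl.fon
        if ($full -notmatch '\.(exe|sys|dll)(\s|"|$)') { $reasons += 'unusual extension' }
        if ($reasons) {
            [pscustomobject]@{ Service = $_.PSChildName; Start = $svc.Start; Target = $full; Reason = ($reasons -join '; ') }
        }
    }
}

# Usage
Get-IfeoDebuggerHijack | Where-Object Suspicious | Format-Table -AutoSize
Get-ServiceOutsideSystemRoot | Format-Table -AutoSize
```

The IFEO check flags only entries whose debugger is "ntsd" or cannot be found on disk, so a legitimately installed debugger registered for one program is listed but not marked suspicious. The service check reports a reason column rather than a verdict: a vendor service installed under a non-standard directory will show up as "outside Windows and Program Files" and has to be judged by hand, while a service whose image ends in .fon or .tmp, as in the list above, is almost never legitimate.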
6. How to remove Win32/Botgor.B
I. Description
First seen: 4 March 2009, 6:36:09 AM
Malware name: Win32/Botgor.B
Type: Worm
Size: variable
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000.
Systems affected: Windows XP, Windows Me, Windows Vista, Windows Server 2003, Windows 2008. The malware copies itself to %windir%\system\bot1.exe so that it runs on the system, and it stays attached through the Registry; it spreads through web sites on the Internet.
II. Removal steps
- Click Start → Run
- Type Regedit
- Click OK
- Find the following values in the Registry and delete them:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"Userinit" = "%system%\userinit.exe,%windir%\system\bot1.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\BN1]
"G" = "%variable1%"
"AN" = "%variable2%"
"UA" = "%variable3%"
"UA_" = "%variable4%"
The malware gets into files and creates them with the *.exe extension; the files it creates are stored in %program files% under the following names:
%windir%\system32\cleanmgr.exe
%windir%\system32\dxdiag.exe
%windir%\system32\msconfig.exe
%windir%\system32\regedit.exe
%windir%\system32\sol.exe
%windir%\system32\spider.exe
%windir%\system32\taskmgr.exe
%windir%\system32\sndrec32.exe
%windir%\system32\mspaint.exe
%windir%\system32\write.exe
%windir%\system32\notepad.exe
%windir%\system32\calc.exe
Afterwards it displays information such as the following.
The malware downloads from the Internet into %Windir%, creating bot1_Update.exe; it is stored at:
%windir%\bot1_update.exe, %windir%\system\bot1.exe
7. How to remove Win32/Agent.OLJ
I. Description
First seen: 4 March 2009, 6:36:09 AM
Malware name: Win32/Agent.OLJ
Type: Trojan
Size: 4286 bytes
Systems affected: Microsoft Windows
II. How it installs itself on the system
When run, the Trojan creates the following files: %temp%\bt%variable%.bat, %windir%\Command\Command.bat (4286 bytes),
%userprofile%\startm~1\Programme\Autostart\%variable%.bat (4286 bytes), C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Command.bat (4286 bytes) and C:\Programm Files\bt%variable%.bat (4286 bytes),
where %variable% changes from run to run. The Trojan then registers itself in the Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"Winlogon" = "%windir%\Command\Command.bat"
The following Registry entries are set:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Mouclass]
"Start" = 4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kbdclass]
"Start" = 4
- avgnt.exe
- avguard.exe
- taskmgr.exe
- explorer.exe
- lsass.exe
To see the details, double-click the image above; it shows that the following files are deleted:
C:\*.sys
C:\*.bin
C:\*.bat
%system%\bootvid.dll
%system%\explorer.exe
%system%\logon.scr
%system%\logonui.exe
%system%\logonui.exe.manifest
%system%\lsass.exe
%system%\seclogon.dll
%system%\taskmgr.exe
%system%\usrlogon.cmd
%system%\WindowsLogon.manifest
%system%\winlogon.exe
%system%\dllcache\logon.scr
%system%\dllcache\logonui.exe
%system%\dllcache\winlogon.exe
%windir%\bootstat.dat
%windir%\explorer.exe
%windir%\Cursors\*.*
%windir%\Prefetch\NTOSBOOT-B00DFAAD.pf
%userprofile%\NTUSER.dat
Other information about the malware
After it has attacked the machine, the Trojan runs the following processes:
iexplore.exe www.batch-rockz.dl.am
net.exe user "-Sph1nX-" "0wn3d" /add"
net.exe localgroup Administratoren "-Sph1nX-" /add
net.exe user "Sph1nX – %random%" "%random%" /add
net.exe localgroup Administratoren "Sph1nX – %random%" /add
shutdown.exe -s -t 30 -c "%username% g0t 0wn3d bY -Sph1nX-"
Services created by the malware:
AntiVirService
cryptsvc
Designs
Anmeldedienst
avgnt.exe
avguard.exe
taskmgr.exe
explorer.exe
lsass.exe
The Trojan then displays the image below.
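Three of the entries in the sections above are logon-time changes rather than plain Run keys: Botgor.B appends its bot1.exe to the Winlogon "Userinit" list (section 6), Agent.OLJ sets the Start value of the Mouclass and Kbdclass drivers to 4 (section 7), and SillyFDC.BBAY registers an Active Setup "StubPath" (section 4). The PowerShell checks below are an added example, not part of the original lesson; they read those three locations on the local machine and report what does not match the normal state. Function names are my own; the Winlogon, Services and Active Setup keys are standard Windows locations.

```powershell
# Added example, not part of the original lesson. Read-only checks for three logon-time
# persistence and sabotage points: Winlogon Userinit, keyboard/mouse class driver Start values,
# and Active Setup StubPath commands. Assumes an elevated PowerShell; function names are my own.

function Test-WinlogonUserinit {
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = [string](Get-ItemProperty -LiteralPath $wl -Name Userinit).Userinit
    # Userinit is a comma-separated list and winlogon starts every entry in it;
    # a clean machine has only userinit.exe (usually with a trailing comma)
    $entries  = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $expected = "$env:SystemRoot\system32\userinit.exe"
    $extra    = @($entries | Where-Object { $_ -ine $expected })
    [pscustomobject]@{ Raw = $raw; Extra = $extra; Clean = ($extra.Count -eq 0 -and $entries.Count -eq 1) }
}

function Test-InputClassDriver {
    foreach ($svc in 'Kbdclass', 'Mouclass') {
        $start = (Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start).Start
        # 1 (SYSTEM_START) is normal for these class drivers; 4 (DISABLED) is what Agent.OLJ writes,
        # which leaves the user without keyboard and mouse after the next boot
        [pscustomobject]@{ Service = $svc; Start = $start; Disabled = ($start -eq 4) }
    }
}

function Get-ActiveSetupStub {
    $as = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    Get-ChildItem -LiteralPath $as | ForEach-Object {
        $stub = (Get-ItemProperty -LiteralPath $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        if (-not $stub) { return }
        # StubPath runs once per user at logon; the BBAY entry points it at %SystemDrive%\SYSTEM\[SID]\Perfume.exe
        $exe = if ($stub -match '^"([^"]+)"') { $Matches[1] } else { ($stub -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $absolute = $exe -match '^[A-Za-z]:\\'
        $inside = $exe.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase) -or
                  $exe.StartsWith($env:ProgramFiles, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Component  = $_.PSChildName
            StubPath   = $stub
            # an absolute path outside Windows and Program Files is the pattern seen in section 4
            Suspicious = ($absolute -and -not $inside)
        }
    }
}

# Usage
Test-WinlogonUserinit
Test-InputClassDriver | Format-Table -AutoSize
Get-ActiveSetupStub | Where-Object Suspicious | Format-Table -AutoSize
```

Stub commands that start with a bare program name such as rundll32.exe are reported but not marked suspicious, since the check only judges absolute paths; on 64-bit Windows the same three functions can be pointed at the Wow6432Node copies of the Active Setup key to cover 32-bit components as well.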
8. How to remove W32.SillyFDC.BAW
I. Description
First seen: 2 March 2009, 8:30:09 AM
Malware name: W32.SillyFDC.BAW
Type: Worm
Size: 530,944 bytes
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000.
II. Removal steps
- Click Start → Run
- Type Regedit
- Click OK
- Find the following values in the Registry and delete them:
Systems affected: Windows XP, Windows Me, Windows Vista, Windows Server 2003, Server 2008.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMISYS\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMISYS\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMISYS\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMISYS\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMISYS\0000\"DeviceDesc" = "WMI System App"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMISYS\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMISYS\0000\"Service" = "WMISYS"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\wmisys.exe" = "%System%\wmisys.exe:*:Microsoft Enabled"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMISYS\"Description" = "Spools WMI applications."
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMISYS\"DisplayName" = "WMI System App"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMISYS\"ErrorControl" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMISYS\"FailureActions" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMISYS\"ImagePath" = "%System%\wmisys.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMISYS\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMISYS\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMISYS\"Type" = "272"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMISYS\Security\"Security" = "[BINARY DATA]"
It also creates the following additional values in the Registry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\"WaitToKillServiceTimeout" = "7000"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"SavedLegacySettings" = "[BINARY DATA]"
- Close the Registry Editor and exit Windows
9. How to remove ThreatNuker
I. Description
First seen: 26 February 2009, 8:53:33 AM
Malware name: ThreatNuker
Type: Worm
Size: 1,398,480 bytes
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000.
II. Removal steps
- Click Start → Run
- Type Regedit
- Click OK
- Locate and delete the following entries in the Registry
HKEY_CURRENT_USER\Software\ThreatNuker
HKEY_CLASSES_ROOT\CLSID\{1334158E-0314-405F-84E2-504815415812}
HKEY_CLASSES_ROOT\CLSID\{9A1D3451-03D2-AADD-034E-35D42B5B1B27}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ThreatNuker
HKEY_LOCAL_MACHINE\SOFTWARE\ThreatNuker
- Close the Registry Editor in Windows
10. How to remove W32.Ackantta.B@mm
I. Description
First seen: 25 February 2009, 1:14:25 AM
Malware name: W32.Ackantta.B@mm
Type: Worm
Size: 266,240 bytes
Risk level: Medium
Systems affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SunJava Updater v7" = "%System%\javale.exe"
Additional values written in the Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\javale.exe" = "%System%\javale.exe:*:Enabled:Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"javastation1.1" = "02"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"ultrasparc1.1" = "25"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "0x1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = ".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"
- Close the Registry Editor in Windows
11. How to remove Win32/Virut.NBK
Malware name: Virus.Win32.Virut.ce (name used by Kaspersky), W32.Virut.CF (name used by Symantec), W32/Virut.n (name used by McAfee)
Size: variable (the virus changes its size)
Affects only Microsoft Windows
I. Description
Once it infects a machine, the malware connects to IRC and can spread to other computers through chat.
II. Removal
The malware creates a new program that runs as the following file:
Winlogon.exe
It creates a new value in the Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"\??\%system%\winlogon.exe" = "\??\%system%\winlogon.exe:*:enabled:@shell32.dll,-1"
When it infects a machine it creates files with the .exe and .scr extensions.
It constantly interferes with our work and creates strings with the following names:
WINC
WCUN
WC32
OTSP
It threatens and damages the following files:
*.htm
*.php
*.asp
*.html
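The removal steps in sections 8 to 11 all amount to the same action: find the listed keys and values and delete them. As an added example, not part of the original tutorial, the PowerShell script below audits a host for those indicators and deletes them only when run with -Remove. It assumes the tutorial's %System% placeholder stands for the System32 folder, and it checks CurrentControlSet alongside the ControlSet001 paths the tutorial prints, because CurrentControlSet is the control set actually in use.

```powershell
# Added example, not part of the original tutorial: audit a host for the registry
# indicators from sections 8 to 11; delete them only when -Remove is given.
# Run from an elevated PowerShell prompt.
param([switch]$Remove)

# Assumption: "%System%" in the tutorial means the System32 folder.
$sys    = Join-Path $env:SystemRoot 'System32'
$fwList = 'Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

# Name = $null means the whole key is the indicator (delete the key, not one value).
$indicators = @(
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\WMISYS';         Name = $null;                  Why = 'service installed by W32.SillyFDC.BAW' }
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMISYS'; Name = $null;                  Why = 'legacy driver entry for WMISYS' }
    @{ Path = "HKLM:\SYSTEM\ControlSet001\$fwList";                  Name = "$sys\wmisys.exe";       Why = 'firewall exception for wmisys.exe' }
    @{ Path = 'HKCU:\Software\ThreatNuker';                          Name = $null;                  Why = 'ThreatNuker key' }
    @{ Path = 'HKLM:\SOFTWARE\ThreatNuker';                          Name = $null;                  Why = 'ThreatNuker key' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\CLSID\{1334158E-0314-405F-84E2-504815415812}'; Name = $null; Why = 'ThreatNuker COM class' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\CLSID\{9A1D3451-03D2-AADD-034E-35D42B5B1B27}'; Name = $null; Why = 'ThreatNuker COM class' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SunJava Updater v7';   Why = 'autorun for javale.exe (W32.Ackantta.B@mm)' }
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\$fwList";              Name = "$sys\javale.exe";       Why = 'firewall exception for javale.exe' }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'CheckExeSignatures';   Why = 'IE download signature check turned off' }
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\$fwList";              Name = "\??\$sys\winlogon.exe"; Why = 'firewall exception for winlogon.exe (Win32/Virut)' }
)

# The tutorial names ControlSet001; CurrentControlSet is a link to whichever control
# set is active, so check both spellings rather than trusting one.
$expanded = foreach ($i in $indicators) {
    $i
    if ($i.Path -match 'ControlSet001') {
        $alt = $i.Clone()
        $alt.Path = $i.Path -replace 'ControlSet001', 'CurrentControlSet'
        $alt
    }
}

foreach ($i in $expanded) {
    if (-not (Test-Path -LiteralPath $i.Path)) { continue }

    if ($null -eq $i.Name) {
        Write-Host "[FOUND] key   $($i.Path)  <- $($i.Why)"
        if ($Remove) {
            # A running service keeps its binary locked; stop it before deleting the key.
            if ($i.Path -like '*\Services\WMISYS') {
                Stop-Service -Name WMISYS -Force -ErrorAction SilentlyContinue
            }
            Remove-Item -LiteralPath $i.Path -Recurse -Force
        }
        continue
    }

    # Value names here contain backslashes and "?" characters; read them through the
    # property bag rather than -Name so no wildcard matching is involved.
    $props = Get-ItemProperty -LiteralPath $i.Path -ErrorAction SilentlyContinue
    $prop  = if ($props) { $props.PSObject.Properties[$i.Name] } else { $null }
    if ($prop) {
        Write-Host "[FOUND] value $($i.Path)\$($i.Name) = $($prop.Value)  <- $($i.Why)"
        if ($Remove) {
            # -Name accepts wildcards, so escape "?" and "*" before deleting.
            $literal = [System.Management.Automation.WildcardPattern]::Escape($i.Name)
            Remove-ItemProperty -LiteralPath $i.Path -Name $literal
        }
    }
}
```

Run it once without -Remove and review the [FOUND] lines; the firewall AuthorizedApplications entries and the Run key value are the ones that let the malware survive a reboot and reach the network, so they are worth confirming on a clean machine as absent before treating any hit as benign.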



Source: itcambo
© 2011 អាយធីក្លាស់៤០១
Designed by MUON RATANA
Made On 25/06/2013