Fix for Patty.exe


	Patchs for virus
	Tutorials
	Tips
	Forum
	Windows Optimum
	USB FireWall
	Boost Google Search

Information

A virus that await orders (Trojans) from its server once started in your system.

Capable of capturing all keys typed (KeyHooker) on the keyboard of the infected computer, as well, passwords, credit card numbers can be sent by the virus to its server.

Can also modify, alternate or infect certain files.

File

The virus puts files in the System folder.

<System>\S0UNDMANS.EXE
<System>1sasrv.dll
<System>\adsldps.dll
<System>\twain.dll
<System>\realsched.exe

Registry

Creates the keys

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\patfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\patfile\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\patfile\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\patfile\shell\open\command

Les clés suivantes sont crées dans
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

360rpt.exe 
360Safe.exe 
360tray.exe 
adam.exe 
AgentSvr.exe 
AppSvc32.exe 
ArSwp.exe 
ashAvast.exe 
ashDisp.exe 
ashMaiSv.exe 
ashServ.exe 
ashWebSv.exe 
aswUpdSv.exe 
autoruns.exe 
avcenter.exe 
avgamsvr.exe 
avgas.exe 
avgcc.exe 
avgemc.exe 
avgnt.exe 
avguard.exe 
avgupsvc.exe 
avgw.exe 
AvMonitor.exe 
bdmcon.exe 
bdnagent.exe 
bdoesrv.exe 
bdss.exe 
bdswitch.exe 
ccApp.exe 
ccEvtMgr.exe 
ccSetMgr.exe 
ccSvcHst.exe 
cureit.exe 
DefWatch.exe 
ewido.exe 
fch32.exe 
FileDsty.exe 
fsbwsys.exe 
FSGK32.EXE 
fsgk32st.exe 
FSM32.EXE 
FTCleanerShell.exe 
guard.exe 
HijackThis.exe 
IceSword.exe 
iparmo.exe 
isPwdSvc.exe 
KaScrScn.SCR 
KASMain.exe 
KASTask.exe 
KAV32.exe 
KAVDX.exe 
KAVPFW.exe 
KAVSetup.exe 
KAVStart.exe 
KAVsvc.exe 
KAVsvcUI.exe 
KISLnchr.exe 
KMailMon.exe 
KMFilter.exe 
KPFW32.exe 
KPFW32X.exe 
KPFWSvc.exe 
KRegEx.exe 
KRepair.COM 
KsLoader.exe 
KVCenter.kxp 
KvDetect.exe 
KvfwMcl.exe 
KVMonXP.kxp 
KVMonXP_1.kxp 
kvol.exe 
kvolself.exe 
KvReport.kxp 
KVScan.kxp 
KVSrvXP.exe 
KVStub.kxp 
kvupload.exe 
kvwsc.exe 
KvXP.kxp 
KvXP_1.kxp 
KWatch.exe 
KWatch9x.exe 
KWatchX.exe 
loaddll.exe 
mcconsol.exe 
Mcshield.exe 
mmqczj.exe 
mmsk.exe 
MPStart.exe 
NAVSetup.exe 
nod32.exe 
nod32krn.exe

Who have each value
Debugger = "%System%\S0UNDMANS.EXE

This is causing the display of the dialog box each time you run one of these programs, of course, the program can not get started.

"Windows can not find 'cmd'. Make sure that you have entered the name correctly and then try again. To find a file, click the Start button, then click Search."

The virus change the value

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
CheckedValue = 0x00000000

That force option files "show all files" to false.

ATTENTION

This virus may steal the number of your credit card information, your login and password.

	Link

Latest fixs:

cftmonn.exe (ksven, Autorun.dhl)
sbsm.exe, softhomepage.com (sbsm.dll,sbmdl.dll)
Virtual Made (Virtual Maid.dll, http://www.searchmaid.com)
VirusHeat (VirusHeat 4.3.exe, VirusHeat.exe)
MonaRonaDona (srvspool.exe, registrycleaner2008.exe)
Noooh (Sys.exe, ComSys.dll)
NetSky (FVProtect.exe,FirewallSvr.exe,netstats.exe) and all its variants
Tavo.exe (tavo0.dll, tavo1.dll) and all its variants
Patty.exe (S0UNDMANS.EXE,1sasrv.dll,adsldps.dll,twain.dll,realsched.exe)
Kxvo.exe and all its variants
Kavo.exe and all its variants
VirtuMonde (VirtuMondo, Vundo, TROJ_VUNDO, TROJ_MEREDROP,DL.Small.ADIB)
Sohanad fix (SCVVHSOT.exe, svchost.exe) (W32.Imaut.A, TROJ_AUTORUN.AH, Worm.Sohanad)
SdBot fix (ctfmonn.exe) (Backdoor.SdBot, Sdbot.worm.gen.a)
Amvo.exe (3o.exe, y82td3td.com, i.cmd, fppg1.exe, ekugb3.bat...) and its variants other than already proposed here