Written by Administrator |
Thursday, 17 September 2009 18:18
What distinguishes this virus is that it disables all services and networking, so you cannot connect to other networks.
Some variants of this malware also block the launch of any application. So how can this patch run at all? Simply by renaming the file to rundll32.exe. The advantage of this patch is that it removes all the restrictions placed on your system and restores your system's settings. Other tools or antivirus products only remove the virus without restoring your system.
- Mal/EncPk-CZ [Sophos]
- Rootkit.Win32.TDSS [Ikarus]
- SpywareGuard2008 [Symantec]
- Program:Win32/FakeSpyguard [Microsoft]
- <CommonAppData>\svhost.exe
- <DesktopDir>\Spyware Guard 2008.lnk
- <Windir>\reged.exe
- <Windir>\spoolsystem.exe
- <Windir>\sys.com
- <Windir>\syscert.exe
- <Windir>\sysexplorer.exe
- <Windir>\vmreg.dll
- <System>\winscenter.exe
- <Programs>\Spyware Guard 2008\Spyware Guard 2008.lnk
- <Programs>\Spyware Guard 2008\Uninstall.lnk
- <ProgramFiles>\Spyware Guard 2008\conf.cfg
- <ProgramFiles>\Spyware Guard 2008\mbase.vdb
- <ProgramFiles>\Spyware Guard 2008\quarantine.vdb
- <ProgramFiles>\Spyware Guard 2008\queue.vdb
- <ProgramFiles>\Spyware Guard 2008\spywareguard.exe
- <ProgramFiles>\Spyware Guard 2008\uninstall.exe
- <ProgramFiles>\Spyware Guard 2008\vbase.vdb
- <ProgramFiles>\spyware guard 2008\spywareguard.exe
- HKEY_CURRENT_USER\Software\Spyware Guard
- HKEY_CURRENT_USER\Software\Spyware Guard 2008
- HKEY_CURRENT_USER\Software\Spyware Guard 2008\Info
- HKEY_CURRENT_USER\Software\Spyware Guard 2008\Lic
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1F38E8-7785-430C-958D-B9E219BB8E9D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1F38E8-7785-430C-958D-B9E219BB8E9D}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- CTEMON.EXE = ""%CommonAppData%\svhost.exe" /h" /* Variant */
- spywareguard = "%ProgramFiles%\Spyware Guard 2008\spywareguard.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}\InprocServer32]
- (Default) = "%CommonAppData%\Microsoft\Internet Explorer\DLLs\pgiobxtrjv.dll"
- ThreadingModel = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A5261D-ED19-44E2-9CBD-B3CD262311BF}]
- (Default) = "InternetConnection"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
- ieModule = "{9E1F38E8-7785-430C-958D-B9E219BB8E9D}"
- InternetConnection = "{09A5261D-ED19-44E2-9CBD-B3CD262311BF}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1F38E8-7785-430C-958D-B9E219BB8E9D}\InprocServer32]
- (Default) = "%CommonAppData%\Microsoft\Internet Explorer\DLLs\ieModule.dll"
- ThreadingModel = "Apartment"
- And all the restrictions in
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
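A read-only check for the artefacts listed above, written here as an added example and not taken from the patch itself: it reports which of the listed files, autostart values, CLSID registrations and policy keys are present on a machine, and removes nothing. The folder mappings (CommonAppData, Windir, System, ProgramFiles) and the output format are this example's own assumptions.

```powershell
# Added example, not part of the original patch. Audits a machine for the
# Spyware Guard 2008 artefacts listed on this page and prints findings only.
$clsids      = @('{09A5261D-ED19-44E2-9CBD-B3CD262311BF}', '{9E1F38E8-7785-430C-958D-B9E219BB8E9D}')
$runValues   = @('CTEMON.EXE', 'spywareguard')          # HKLM ...\CurrentVersion\Run
$ssodlValues = @('ieModule', 'InternetConnection')      # ShellServiceObjectDelayLoad

# Assumed mapping of the page's placeholders to real folders on this machine.
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')   # <CommonAppData>
$programFiles  = [Environment]::GetFolderPath('ProgramFiles')            # <ProgramFiles>
$files = @(
    (Join-Path $commonAppData 'svhost.exe'),
    (Join-Path $env:windir 'reged.exe'),
    (Join-Path $env:windir 'sysexplorer.exe'),
    (Join-Path $env:windir 'vmreg.dll'),
    (Join-Path ([Environment]::SystemDirectory) 'winscenter.exe'),
    (Join-Path $programFiles 'Spyware Guard 2008\spywareguard.exe')
)

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# Autostart entries: Run values and the two SSODL CLSIDs, plus the DLL each CLSID loads.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in $runValues) {
    $v = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run value ${name}: $($v.$name)" }
}
$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
foreach ($name in $ssodlValues) {
    $v = Get-ItemProperty -Path $ssodlKey -Name $name -ErrorAction SilentlyContinue
    if ($v) { $findings += "SSODL value ${name}: $($v.$name)" }
}
foreach ($c in $clsids) {
    $k   = "HKLM:\SOFTWARE\Classes\CLSID\$c\InprocServer32"
    $dll = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $findings += "CLSID $c loads $dll" }
}

# Policy restrictions: any value under these keys is worth reviewing, since a clean
# home machine normally has none of them set.
foreach ($pol in 'Explorer', 'System') {
    $k = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\$pol"
    if (Test-Path $k) {
        foreach ($name in (Get-Item -Path $k).GetValueNames()) { $findings += "policy ${pol}\${name}" }
    }
}

if ($findings.Count -eq 0) { 'no Spyware Guard 2008 artefacts found' } else { $findings }
```

Run it from an elevated PowerShell prompt so the HKLM keys can be read; the Run and SSODL values are the ones the patch removes, and the policy entries are the restrictions it lifts.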
Download this patch on another machine and run it on the infected machine. Do not rename the patch (rundll32.exe). It is better to launch the patch in safe mode, but it is still effective in normal mode.