As I mentioned before, malware is becoming smart and hard to detect. I have had a few experiences submitting a sample to totalvirus.com where the result was that not all antivirus vendors detected it. I do not know why, but I assume they have a problem identifying it as malware because it does not cause a lot of problems on the computer, and usually this kind of malware does not start/execute/run its payload as a normal startup service.
It is strange that this kind of malware modifies the registry in unusual places, unlike normal malware. For example, see below the registry modifications made by the malware.
HKLM\ControlSet001\Services\AVPsys\
Type : 0x00000001
Start : 0x00000003
ErrorControl : 0x00000001
ImagePath : "%System%\drivers\cdaudio.sys"
DisplayName : "AVPsys"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
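Below is an added triage script, not the post's own code and not the PeeTechFix tool mentioned later, that parses a listing in the layout above and decodes what each entry means for a defender: the service's Type/Start DWORDs (1 = kernel driver, 3 = demand start, which is why the payload is not seen among the normal startup services), whether the driver file name matches the service name, and the three Explorer hidden-file values (SHOWALL\CheckedValue is 1 on a clean system; Hidden=2 and ShowSuperHidden=0 are the Windows defaults, so they are only informational on their own). The listing it runs on is re-typed here from the post as a constructed sample; the name-mismatch flag is a heuristic for analyst review, not proof of infection.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the registry changes reported in the post, re-typed in
# the same "Key\ then Name : value" layout (built here, not exported from a
# real machine).
SAMPLE_LISTING = """
HKLM\\ControlSet001\\Services\\AVPsys\\
Type : 0x00000001
Start : 0x00000003
ErrorControl : 0x00000001
ImagePath : "%System%\\drivers\\cdaudio.sys"
DisplayName : "AVPsys"
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\CheckedValue: 0x00000000
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden: 0x00000002
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden: 0x00000000
"""

HIVE_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU)\\", re.IGNORECASE)

# Standard Windows service constants (Type and Start DWORDs).
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}

ADVANCED_HKLM = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
ADVANCED_HKCU = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"


def parse_value(raw: str):
    """Turn the textual value into an int (hex DWORD) or a bare string."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw.lower().startswith("0x"):
        return int(raw, 16)
    return raw


def parse_listing(text: str) -> dict:
    """Map 'Key\\ValueName' -> value. A hive-rooted line ending in '\\' opens a
    key whose values follow on the next lines; a hive-rooted line containing
    ':' is a single value written inline."""
    values, current_key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if HIVE_RE.match(line):
            if line.endswith("\\"):
                current_key = line.rstrip("\\")
                continue
            path, _, raw = line.partition(":")
            values[path.strip()] = parse_value(raw)
            current_key = None
        elif current_key is not None:
            name, _, raw = line.partition(":")
            values[current_key + "\\" + name.strip()] = parse_value(raw)
    return values


def check_explorer_hiding(values: dict) -> list:
    """(severity, message) pairs for the hidden-file settings. CheckedValue=0
    breaks the 'Show hidden files' radio button so the user cannot re-enable
    it; the two HKCU values are defaults and therefore only informational."""
    findings = []
    if values.get(ADVANCED_HKLM + "\\Folder\\Hidden\\SHOWALL\\CheckedValue") == 0:
        findings.append(("high", "SHOWALL\\CheckedValue=0: 'Show hidden files' option tampered"))
    if values.get(ADVANCED_HKCU + "\\Hidden") == 2:
        findings.append(("info", "Hidden=2: hidden files are not shown for this user"))
    if values.get(ADVANCED_HKCU + "\\ShowSuperHidden") == 0:
        findings.append(("info", "ShowSuperHidden=0: protected OS files are not shown"))
    return findings


def service_keys(values: dict) -> list:
    """Distinct service key paths present in the listing."""
    keys = set()
    for path in values:
        m = re.match(r"^(HKLM\\ControlSet\d+\\Services\\[^\\]+)\\", path, re.IGNORECASE)
        if m:
            keys.add(m.group(1))
    return sorted(keys)


def describe_service(values: dict, key: str) -> dict:
    """Decode one service entry and flag a driver file whose name does not
    match the service name (a triage hint for the analyst, not a verdict)."""
    name = key.rsplit("\\", 1)[1]
    image = values.get(key + "\\ImagePath", "")
    start = values.get(key + "\\Start")
    return {
        "service": name,
        "type": SERVICE_TYPES.get(values.get(key + "\\Type"), "unknown"),
        "start": START_TYPES.get(start, "unknown"),
        "image_path": image,
        "name_mismatch": PureWindowsPath(image).stem.lower() != name.lower(),
        "runs_at_boot": start in (0, 1, 2),  # demand-start (3) is not in the startup chain
    }


def triage(text: str) -> dict:
    values = parse_listing(text)
    return {"explorer": check_explorer_hiding(values),
            "services": [describe_service(values, k) for k in service_keys(values)]}


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    for severity, message in report["explorer"]:
        print(f"[{severity}] {message}")
    for svc in report["services"]:
        print(svc)
```

Run it as-is to see the decoded report for the post's sample; to use it on a real host, paste a listing in the same layout into SAMPLE_LISTING (or read it from a file) and review any service flagged with name_mismatch together with the high-severity Explorer finding.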
Actually, I have not studied this yet and am too inexperienced to teach myself to understand the registry entries above. But I think this is huge, and I need a new method to identify this new kind of malware manually and beat it without antivirus.
For the time being, we have to depend on Google to look up info on some of the samples we find on the computer.
Luckily, I found a website (a blog, actually) that explains how malware makes modifications to the registry in places other than the normal startup registry keys. I found it interesting because not only did he explain what the malware did, but he also created a tool to remove it. He named his tool PeeTechFix-Win32/PSW.OnlineGames 2.0.5. Maybe the tool only covers malware from game applications.
I cannot review much about this site and how he did it because I do not have a clue and need time to understand. I am an amateur, you know. Whatever it is, this site can help us immediately understand and troubleshoot some samples and the behavior of infected PCs. I have already put it in my Advisories. Ok. Maybe the owner is from Thailand because there are so many Thai characters on the site. Good job to the owner.
Oh! I need some time to understand the registry.