TR/PSW.OnlineGames.KBNO.2
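This is the virus that has left my computer unable to get online.
Pinging works, the pings go through~~
But I just can't connect.
I wonder whether anyone on the board has experience fighting this virus,
or knows a way to remove it.
Please save me~~ I don't want to reinstall Windows....
Thanks~~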
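
It's resolved now~~ phew~~ that took quite a bit of effort.
Google really is very effective~~
Thanks as well to everyone on the board for the help~~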

See for yourself whether this is useful or not~~~~~
http://www.avira.com/en/threats/section/fulldetails/id_vir/4191/tr_onlinegames.b.html
Virus: TR/Onlinegames.B
Date discovered: 19/05/2008
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: No
File size: ~100.000 Bytes
IVDF version: 7.00.04.63 - Tue, 20 May 2008 08:38 (GMT+1)
General Method of propagation:
• Mapped network drives
Aliases:
• Mcafee: PWS-LegMir.gen.k
• Kaspersky: Trojan-PSW.Win32.OnLineGames.ngm
• F-Secure: Trojan-PSW.Win32.OnLineGames.ngm
• Grisoft: Worm/AutoRun.Y
• Eset: Win32/PSW.OnLineGames.NLI
• Bitdefender: Trojan.PWS.OnlineGames.WME
Similar detection:
• TR/Onlinegames.B.%number%
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops malicious files
• Registry modification
• Steals information
Files
It copies itself to the following location:
• %SYSDIR%\amvo.exe
It drops a copy of itself using a filename from a list:
– To: %drive%\ Using one of the following names:
• %random character string%.exe
• %random character string%.bat
• %random character string%.cmd
• %random character string%.com
The following files are created:
– Temporary files that might be deleted afterwards:
• %TEMPDIR%\%random character string%.sys
• %TEMPDIR%\%random character string%.dll
– %drive%\autorun.inf This is a non malicious text file with the following content:
• %code that runs malware%
– %TEMPDIR%\%random character string%.sys Further investigation pointed out that this file is malware, too. Detected as: RKIT/Vanti
– %TEMPDIR%\%random character string%.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.NSPM.Gen
– %SYSDIR%\amvo0.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.NSPM.Gen
Registry
The following registry key is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• amva = %SYSDIR%\amvo.exe
The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• Hidden = %user defined settings%
• ShowSuperHidden = %user defined settings%
New value:
• Hidden = 2
• ShowSuperHidden = 0
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
Old value:
• CheckedValue = %user defined settings%
New value:
• CheckedValue = 0
Stealing
It tries to steal the following information:
– Passwords from the following programs:
• Maple Story
• Lineage
Injection
– It injects the following file into a process: %SYSDIR%\amvo0.dll
Process name:
• explorer.exe
If successful, the malware process terminates while the injected part remains active.
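
As an added example (not part of the posts above or of Avira's write-up), the registry indicators listed in the description can be checked against the text of a regedit export. The function names, the strong/weak labels and the sample export are assumptions made for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Indicators from the description above; regedit exports spell out HKCU/HKLM.
CV = r"\Software\Microsoft\Windows\CurrentVersion"
RUN = ("HKEY_CURRENT_USER" + CV + r"\Run").upper()
ADVANCED = ("HKEY_CURRENT_USER" + CV + r"\Explorer\Advanced").upper()
SHOWALL = ("HKEY_LOCAL_MACHINE" + CV + r"\Explorer\Advanced\Folder\Hidden\SHOWALL").upper()
# (key, value name, listed data, strength). Hidden=2 and ShowSuperHidden=0 are
# also Explorer's defaults, so on their own they are only weak evidence.
DWORDS = [(SHOWALL, "checkedvalue", 0, "strong"),
          (ADVANCED, "hidden", 2, "weak"),
          (ADVANCED, "showsuperhidden", 0, "weak")]

def parse_reg(text):
    """Parse regedit export text into {(KEY_UPPER, name_lower): str | int}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            continue
        m = re.match(r'"([^"]*)"=(.*)$', line)
        if key is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            values[key, name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[key, name] = raw[1:-1].replace("\\\\", "\\")  # undo .reg escaping
    return values

def find_indicators(text):
    """Return [(strength, description)] for indicators present in the export."""
    values, hits = parse_reg(text), []
    run = values.get((RUN, "amva"))
    if isinstance(run, str) and run.lower().endswith("\\amvo.exe"):
        hits.append(("strong", "Run value amva -> " + run))
    for key, name, listed, strength in DWORDS:
        if values.get((key, name)) == listed:
            hits.append((strength, f"{name} = {listed}"))
    return hits

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"amva"="C:\\WINDOWS\\system32\\amvo.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''
```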