TSPY LINEAGE.GEN virus

I've been infected with this virus, but I can't find the infected file.

My antivirus software can't quarantine or delete it either.

The infected file is C:\WINDOWS\_msvc.dll

Can anyone help me figure this out..... please, please.

6 Answers

  • Anonymous
    2 decades ago
    Favorite Answer

    http://www.trendmicro.com/vinfo/zh-tw/virusencyclo...

    Description:

    OVERVIEW

    Type: Spyware

    In the wild: No

    Destructive: No

    Language: English

    Systems affected: Windows 95, 98, ME, NT, 2000, XP

    Encrypted: No

    Reported detections: Low

    This Trojan attempts to steal user passwords and account information of the game application Lineage and send the gathered information via SMTP to a potentially malicious user.

    This Trojan also modifies the HOSTS file to prevent a user from accessing antivirus-related Web sites. It may also terminate certain applications actively running in a system.

    SOLUTION

    Minimum scan engine version needed: 6.810

    Virus pattern version needed: 2.591.05

    Identifying the Malware Program

    To remove this malware, first identify the malware program.

    Scan your system with your Trend Micro antivirus product.

    NOTE all files detected as TSPY_LINEAGE.GEN.

    Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro's online virus scanner.

    Terminating the Malware Program

    This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

    Open Windows Task Manager.

    On Windows 95, 98, and ME, press CTRL+ALT+DELETE.

    On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.

    In the list of running programs*, locate the malware file(s) detected earlier.

    Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.

    Do the same for all detected malware files in the list of running processes.

    To check if the malware process has been terminated, close Task Manager, and then open it again.

    Close Task Manager.

    --------------------------------------------------------------------------------

    *NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing at startup. In this procedure, you will need the name(s) of the file(s) detected earlier.

    Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.

    In the left panel, double-click the following:

    HKEY_LOCAL_MACHINE>Software>Microsoft>

    Windows>CurrentVersion>Run

    In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.

    Close Registry Editor.

    Deleting malware entries from the HOSTS file removes all malware-made changes on host name association.

    Open the following file using a text editor (such as NOTEPAD):

    %System%\drivers\etc\HOSTS

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

    Delete the following entries:

    127.0.0.1 avp.com

    127.0.0.1 ca.com

    127.0.0.1 customer.symantec.com

    127.0.0.1 dispatch.mcafee.com

    127.0.0.1 download.mcafee.com

    127.0.0.1 downloads1.kaspersky-labs.com

    127.0.0.1 downloads2.kaspersky-labs.com

    127.0.0.1 downloads3.kaspersky-labs.com

    127.0.0.1 downloads4.kaspersky-labs.com

    127.0.0.1 downloads5.kaspersky-labs.com

    127.0.0.1 downloads-eu1.kaspersky-labs.com

    127.0.0.1 downloads-eu2l.kaspersky-labs.com

    127.0.0.1 downloads-us1.kaspersky-labs.com

    127.0.0.1 downloads-us1.kaspersky-labs.com

    127.0.0.1 downloads-us22.kaspersky-labs.com

    127.0.0.1 downloads-us2l.kaspersky-labs.com

    127.0.0.1 f-secure.com

    127.0.0.1 ftp.avp.ru

    127.0.0.1 ftp.kaspersky.com

    127.0.0.1 kaspersky.com

    127.0.0.1 kaspersky-labs.com

    127.0.0.1 liveupdate.symantec.com

    127.0.0.1 liveupdate.symantecliveupdate.com

    127.0.0.1 mast.mcafee.com

    127.0.0.1 mcafee.com

    127.0.0.1 my-etrust.com

    127.0.0.1 nai.com

    127.0.0.1 networkassociates.com

    127.0.0.1 rads.mcafee.com

    127.0.0.1 secure.nai.com

    127.0.0.1 securityresponse.symantec.com

    127.0.0.1 sophos.com

    127.0.0.1 symantec.com

    127.0.0.1 trendmicro.com

    127.0.0.1 update.symantec.com

    127.0.0.1 updates.symantec.com

    127.0.0.1 updates1.kaspersky-labs.com

    127.0.0.1 updates2.kaspersky-labs.com

    127.0.0.1 updates3.kaspersky-labs.com

    127.0.0.1 us.mcafee.com

    127.0.0.1 v4.windowsupdate.microsoft.com

    127.0.0.1 v5.windowsupdate.microsoft.com

    127.0.0.1 viruslist.com

    127.0.0.1 windowsupdate.microsoft.com

    127.0.0.1 www.avp.com

    127.0.0.1 www.ca.com

    127.0.0.1 www.f-secure.com

    127.0.0.1 www.kasperksy-labs.com

    127.0.0.1 www.kaspersky.com

    127.0.0.1 www.mcafee.com

    127.0.0.1 www.my-etrust.com

    127.0.0.1 www.symantec.com

    127.0.0.1 www.viruslist.com

    Save the file and close the text editor.

    Additional Windows ME/XP Cleaning Instructions

    Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

    Users running other Windows versions can proceed with the succeeding procedure set(s).

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and delete files detected as TSPY_LINEAGE.GEN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

    TECHNICAL DETAILS

    Memory Resident: Yes

    Installation and Autostart

    Upon execution, this Trojan drops a .DLL file in the Windows system folder. It also drops a copy of itself in the Windows folder and the Windows program files folder.

    Its filename may vary from one variant to another. Most variants have the following filenames:

    Internat.exe

    rundll32.exe

    svchost.exe

    winlogin.exe

    It adds a registry entry in the following registry path to ensure its automatic execution at every Windows startup:

    HKEY_LOCAL_MACHINE>Software>Microsoft>

    Windows>CurrentVersion>Run

    Information Theft

    This Trojan attempts to steal user passwords and account information of the game application Lineage and send the gathered information via SMTP to a potentially malicious user.

    (Note: The downloadable files from the said URL may change at any given time.)

    Process Termination

    This Trojan attempts to terminate the following processes, if they are actively running in a system:

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

    EGHOST.EXE

    IPARMOR.EXE

    KAVPFW.EXE

    MAILMON.EXE

    RavMon.exe

    Modifying HOSTS File

    This Trojan modifies the HOSTS file to prevent a user from accessing the following antivirus-related Web sites:

    avp.com

    ca.com

    customer.symantec.com

    dispatch.mcafee.com

    download.mcafee.com

    downloads1.kaspersky-labs.com

    downloads2.kaspersky-labs.com

    downloads3.kaspersky-labs.com

    downloads4.kaspersky-labs.com

    downloads5.kaspersky-labs.com

    downloads-eu1.kaspersky-labs.com

    downloads-eu2l.kaspersky-labs.com

    downloads-us1.kaspersky-labs.com

    downloads-us1.kaspersky-labs.com

    downloads-us22.kaspersky-labs.com

    downloads-us2l.kaspersky-labs.com

    f-secure.com

    ftp.avp.ru

    ftp.kaspersky.com

    kaspersky.com

    kaspersky-labs.com

    liveupdate.symantec.com

    liveupdate.symantecliveupdate.com

    mast.mcafee.com

    mcafee.com

    my-etrust.com

    nai.com

    networkassociates.com

    rads.mcafee.com

    secure.nai.com

    securityresponse.symantec.com

    sophos.com

    symantec.com

    trendmicro.com

    update.symantec.com

    updates.symantec.com

    updates1.kaspersky-labs.com

    updates2.kaspersky-labs.com

    updates3.kaspersky-labs.com

    us.mcafee.com

    v4.windowsupdate.microsoft.com

    v5.windowsupdate.microsoft.com

    viruslist.com

    windowsupdate.microsoft.com

    www.avp.com

    www.ca.com

    www.f-secure.com

    www.kasperksy-labs.com

    www.kaspersky.com

    www.mcafee.com

    www.my-etrust.com

    www.symantec.com

    www.viruslist.com

    Analysis By: Jhoevine Cago Capicio

    Solution:

    Trend Micro customers

    Always keep your virus pattern file and scan engine up to date. Trend Micro antivirus software can clean and remove most types of viruses. Specific types of viruses that are hard to clean, such as Trojan horses and JavaScript/VBScript viruses, can also be detected and deleted with ease.

    All Internet users

    To quickly check whether your PC still contains viruses, use HouseCall, Trend Micro's online virus scanner. This tool can detect viruses hidden on your PC.

    To stop viruses before they infect your PC or network and keep your PC healthy, adopt a suitable antivirus solution right away. Trend Micro provides virus protection and content security solutions for home users, enterprises, and ISPs.

    That page explains it in quite a lot of detail.

    I'd also suggest searching the existing questions on 知識+ before posting.

    You'll find quite a few people have asked the same question as you~

    In future, search first and only post if you find nothing; that way you lose fewer points~

    Source(s): myself
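
The HOSTS-file step quoted in the answer above (remove every 127.0.0.1 line that points an antivirus or Windows Update hostname at loopback) can be turned into a check that runs over any HOSTS file and reports what was tampered with before anything is edited. The Python below is an added example; it is not part of the answer or of Trend Micro's write-up. It takes the hostnames listed above, reduced to their registrable domains so that subdomains such as v4.windowsupdate.microsoft.com match too (the misspelt www.kasperksy-labs.com is kept exactly as the write-up lists it), flags any HOSTS entry that overrides one of them, labels loopback and 0.0.0.0 targets as sinkholes and any other address as a redirect, and returns a cleaned copy with only the offending names removed. The sample HOSTS content is constructed for the example, not taken from a real machine.

```python
"""Audit a Windows HOSTS file for entries that override security-vendor or
Windows Update hostnames, the tampering described in the Trend Micro
write-up above, and produce a cleaned copy with only those names removed."""
import ipaddress
import re

# Registrable domains of the hostnames listed in the Trend Micro description.
# Subdomains of these are matched as well (e.g. liveupdate.symantec.com).
# "kasperksy-labs.com" is spelt the way the write-up lists it.
PROTECTED_DOMAINS = {
    "avp.com", "avp.ru", "ca.com", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "kasperksy-labs.com", "mcafee.com", "my-etrust.com",
    "nai.com", "networkassociates.com", "sophos.com", "symantec.com",
    "symantecliveupdate.com", "trendmicro.com", "viruslist.com",
    "windowsupdate.microsoft.com",
}

# address, whitespace, one or more hostnames (trailing whitespace tolerated)
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def classify_ip(token):
    """'sinkhole' for loopback or 0.0.0.0 (the host becomes unreachable),
    'redirect' for any other valid address (traffic goes to a live host the
    attacker may control), None if the token is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return None
    return "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"


def is_protected_host(hostname):
    """True if hostname equals, or is a subdomain of, a protected domain."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Return (findings, cleaned).

    findings: list of (line_no, ip, hostname, kind) for every protected
              hostname that the file overrides.
    cleaned:  the HOSTS content with only those hostnames removed; comments,
              blank lines, malformed lines and legitimate entries (localhost,
              internal names) are preserved verbatim."""
    findings, kept = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0]            # ignore trailing comments
        m = HOSTS_LINE.match(entry)
        kind = classify_ip(m.group(1)) if m else None
        if kind is None:                        # blank, comment or malformed
            kept.append(raw)
            continue
        ip, names = m.group(1), m.group(2).split()
        bad = [n for n in names if is_protected_host(n)]
        if not bad:
            kept.append(raw)
            continue
        findings.extend((line_no, ip, n, kind) for n in bad)
        survivors = [n for n in names if n not in bad]
        if survivors:                           # keep legitimate names sharing the line
            kept.append(f"{ip} {' '.join(survivors)}")
    cleaned = "\n".join(kept)
    if text.endswith("\n"):
        cleaned += "\n"
    return findings, cleaned


# Constructed sample HOSTS content for the example; not from a real system.
SAMPLE_HOSTS = """# constructed sample, not from a real machine
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kasperksy-labs.com
::1 windowsupdate.microsoft.com   # IPv6 loopback variant
0.0.0.0 download.mcafee.com
10.0.0.5 updates.symantec.com
192.168.1.10 intranet.example   # legitimate, unrelated
127.0.0.1 trendmicro.com www.trendmicro.com
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE_HOSTS)
    for line_no, ip, host, kind in found:
        print(f"line {line_no}: {host} -> {ip} ({kind})")
    print("--- cleaned HOSTS ---")
    print(cleaned, end="")
```

Run it against a copy of %System%\drivers\etc\HOSTS and review the findings before writing the cleaned text back; the script deliberately never touches the file itself, and a 10.x or public address in the findings matters as much as a 127.0.0.1 line, since it means update traffic for that vendor is being sent somewhere else rather than simply blocked.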
  • 1 decade ago

    I've successfully deleted the virus; you can try this too. It really works!! Simple and fast!

    Forwarded: How to fix TSPY LINEAGE.GH?

    This one's main file is called svhost.exe or svhost32.exe

    (The legitimate Windows file is called svchost; don't mix them up)

    Before you start, delete your infected file (the filenames are usually something like *dll.dll)

    1. First press ctrl+alt+del and look at the processes

    If you see svhost, force-end it (don't click the legitimate ones)

    2. Search for the file svhost and delete every copy

    3. Next, go to Start menu => Run and type regedit

    Search for all registry keys containing svhost and delete them (don't delete the svchost ones)

    Reboot and you're done

  • 1 decade ago

    You can try this removal tool,

    Filseclab's 費爾木馬強力清除助手 (Trojan power-removal assistant) http://dl.filseclab.com/down/powerrmv.zip

    I just used it to clean the infection successfully; it works pretty well

    1. How to thoroughly remove the PWSteal.Lemir.Gen Trojan manually

    http://www.filseclab.com/cht/tech/pwsteal.lemir.ge...

    2. How to thoroughly remove the PWSteal.Lemir.Gen Trojan manually (2nd edition)

    http://www.filseclab.com/cht/tech/PWSteal.Lemir.Ge...

    Be sure to read both of the above!

  • 1 decade ago

    It's managed to cripple my computer, so how could it be a false positive? Talking as if this virus doesn't exist at all; that claim is questionable.

  • Anonymous
    2 decades ago

    To nicole

    After reading your answer, I still don't understand what to do.

    Do you actually intend to help us solve the problem?

    If so, could you translate the English removal steps for us?

  • 2 decades ago

    This is a false positive from Trend Micro's antivirus software

    It's nothing to worry about!!

    Source(s): a colleague who administers ServerProtect and OfficeScan