» 游客:  注册 | 登录 | 帮助  微点交流论坛 » 主动防御 » 发现未知木马，正在发邮件    13   2/2   <   1   2  作者: 标题: 发现未知木马，正在发邮件 newduba 高级用户 积分 607 发帖 605 注册 2007-5-18 #11   MSPMSNSV.DLL 这个我也在几台机器看到了进程，感觉可疑； 后来留下文件去测试了发现居然没有问题， 而且通过了微软数字签名的认证。 最后只能够判断是MSPMSNSV.DLL被劫持了， 用超级巡警扫描解决了问题， MSPMSNSV.DLL本身是无辜的：） ※ ※ ※ 本文纯属【newduba】个人意见，与【 微点交流论坛 】立场无关※ ※ ※ 微点主动防御2.0+MSE4.0 2008-11-6 14:55 ccfish 中级用户 积分 424 发帖 423 注册 2006-8-21 来自 中关村 #12   关键是我系统防得好，只发现这两个文件．．． system32目录下： dts3211.exe（不知道怎么回事，隔离区没有） taskmagr.exe wmdmpmsvc.dll 可疑程序加载的注册表项：   Quote: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN] "Type"=dword:00000010 "Start"=dword:00000004 "ErrorControl"=dword:00000001 "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\   74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\   00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\   6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00 "DisplayName"="Portable Media Serial Number Service" "ObjectName"="LocalSystem" "Description"=hex(2):52,00,65,00,74,00,72,00,69,00,65,00,76,00,65,00,73,00,20,\   00,74,00,68,00,65,00,20,00,73,00,65,00,72,00,69,00,61,00,6c,00,20,00,6e,00,\   75,00,6d,00,62,00,65,00,72,00,20,00,6f,00,66,00,20,00,61,00,6e,00,79,00,20,\   00,70,00,6f,00,72,00,74,00,61,00,62,00,6c,00,65,00,20,00,6d,00,65,00,64,00,\   69,00,61,00,20,00,70,00,6c,00,61,00,79,00,65,00,72,00,20,00,63,00,6f,00,6e,\   00,6e,00,65,00,63,00,74,00,65,00,64,00,20,00,74,00,6f,00,20,00,74,00,68,00,\   69,00,73,00,20,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,2e,00,20,\   00,49,00,66,00,20,00,74,00,68,00,69,00,73,00,20,00,73,00,65,00,72,00,76,00,\   69,00,63,00,65,00,20,00,69,00,73,00,20,00,73,00,74,00,6f,00,70,00,70,00,65,\   00,64,00,2c,00,20,00,70,00,72,00,6f,00,74,00,65,00,63,00,74,00,65,00,64,00,\   20,00,63,00,6f,00,6e,00,74,00,65,00,6e,00,74,00,20,00,6d,00,69,00,67,00,68,\   00,74,00,20,00,6e,00,6f,00,74,00,20,00,62,00,65,00,20,00,64,00,6f,00,77,00,\   6e,00,20,00,6c,00,6f,00,61,00,64,00,65,00,64,00,20,00,74,00,6f,00,20,00,74,\   00,68,00,65,00,20,00,64,00,65,00,76,00,69,00,63,00,65,00,2e,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Parameters] "ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\   00,54,00,25,00,5c,00,53,00,59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,\   4d,00,53,00,50,00,4d,00,53,00,4e,00,53,00,56,00,2e,00,44,00,4c,00,4c,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Security] "Security"=hex:01,00,14,80,b8,00,00,00,c4,00,00,00,14,00,00,00,30,00,00,00,02,\   00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\   00,00,02,00,88,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\   05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\   20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\   00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\   00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,\   00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,\   01,01,00,00,00,00,00,05,12,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Enum] "0"="Root\\LEGACY_WMDMPMSN\\0000" "Count"=dword:00000001 "NextInstance"=dword:00000001 ※ ※ ※ 本文纯属【ccfish】个人意见，与【 微点交流论坛 】立场无关※ ※ ※ 抓到黑客,直接打死~ 2008-11-6 20:51 feya 新手上路 积分 2 发帖 2 注册 2008-11-6 #13   刚从装完系统，这丫又开始来烦了，又开始改我的dmserver.dll文件名取而代之，感觉Flashget196安装文件夹下的updates.exe很有嫌疑 ※ ※ ※ 本文纯属【feya】个人意见，与【 微点交流论坛 】立场无关※ ※ ※ 2008-11-9 20:57  13   2/2   <   1   2  论坛跳转: 微点软件公测区 安全快报  > 病毒快报  > 漏洞快报 微点产品在线技术支持  > 微点主动防御软件  > 预升级反馈专区  > 微点杀毒软件 微点用户交流区  > 微点新闻  > 微点软件使用交流  > 微点茶室 安全技术交流区  > 主动防御  > 反病毒  > 防火墙 综合区  > 电脑&数码  > 体育&娱乐&休闲  > 灌水区 版务管理 内部使用专区  可打印版本 | 推荐 | 订阅 | 收藏 [ 联系我们 - 东方微点 ] 北京东方微点信息技术有限责任公司 福建东方微点信息安全有限责任公司 闽ICP备05030815号