Original poster: zarric.leung

[Virus sample] A strange but fairly nasty virus; also asking for a way to fix it

qzmxy2006
Posted on 2011-8-21 13:53:56
evilbat123 posted on 2011-8-21 13:51
Same here, same here, it's just a bit scary when shopping online

I don't shop online much, only occasionally. I don't accept unknown files and I check the URL carefully, so there shouldn't be a problem.
evilbat123
Posted on 2011-8-21 13:55:53
qzmxy2006 posted on 2011-8-21 13:53
I don't shop online much, only occasionally. I don't accept unknown files and I check the URL carefully, so there shouldn't be a problem.

I'll add 小山卫士 later then~~~
Off to bed~~~~
XMonster
Posted on 2011-8-21 14:28:23
SEP-Bloodhound.Sonar.9
zuo
Posted on 2011-8-21 14:48:49
This post was last edited by zuo on 2011-8-21 14:50

14:47:33:892;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\SessionInformation键值: ProgramCount数据: 1;
14:47:34:658;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count键值: HRZR_HVFPHG数据: 09 00 00 00 35 00 00 00 20 6E 27 35 CE 5F CC 01 ;
14:47:34:673;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Internet Explorer\Toolbar键值: Locked数据: 1;
14:47:34:689;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: FolderType数据: Documents;
14:47:34:736;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\DUIBags\ShellFolders\{F3364BA0-65B9-11CE-A9BA-00AA004AE837}键值: ExpandDetailsTasks数据: 0;
14:47:34:783;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\SessionInformation键值: ProgramCount数据: 1;
14:47:35:580;1528;C:\WINDOWS\explorer.exe;创建新进程;"C:\Documents and Settings\Administrator\桌面\yangben\yangben.exe" ;
14:47:35:580;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count键值: HRZR_EHACNGU数据: 09 00 00 00 55 00 00 00 C0 1D B4 35 CE 5F CC 01 ;
14:47:35:580;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count键值: HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\桌面\lnatora\lnatora.rkr数据: 09 00 00 00 07 00 00 00 C0 1D B4 35 CE 5F CC 01 ;
14:47:36:111;816;C:\Documents and Settings\Administrator\桌面\yangben\yangben.exe;创建新进程;00000034*;
14:47:36:127;816;C:\Documents and Settings\Administrator\桌面\yangben\yangben.exe;进程退出;;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count键值: HRZR_PGYFRFFVBA数据: 6E FE 62 0E 0A 00 00 00 ;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: MinPos1162x603(1).x数据: 4294967295;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: MinPos1162x603(1).y数据: 4294967295;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: MaxPos1162x603(1).x数据: 4294967295;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: MaxPos1162x603(1).y数据: 4294967295;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: WinPos1162x603(1).left数据: 22;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: WinPos1162x603(1).top数据: 0;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: WinPos1162x603(1).right数据: 822;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: WinPos1162x603(1).bottom数据: 573;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: Rev数据: 0;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: WFlags数据: 0;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: ShowCmd数据: 1;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: FFlags数据: 1;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: HotKey数据: 0;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: Buttons数据: 4294967295;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: Links数据: 0;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: Address数据: 4294967295;
14:47:36:940;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: Vid数据: {65F125E5-7BE1-4810-BA9D-D271C8432CE3};
14:47:36:955;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: Mode数据: 6;
14:47:36:955;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: ScrollPos1162x603(1).x数据: 0;
14:47:36:955;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: ScrollPos1162x603(1).y数据: 0;
14:47:36:955;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: Sort数据: 0;
14:47:36:955;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: SortDir数据: 1;
14:47:36:955;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: Col数据: 4294967295;
14:47:36:955;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell键值: ColInfo数据: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 06 00 28 00 10 00 34 00 48 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 B4 00 60 00 78 00 78 00 B4 00 B4 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;
14:47:37:080;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\SessionInformation键值: ProgramCount数据: 1;
14:47:37:362;1516;C:\WINDOWS\explorer.exe;删除文件;C:\Documents and Settings\Administrator\桌面\yangben\yangben.exe;
14:47:37:424;1516;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKLM\SOFTWARE\Classes\Interface\{0d28d94b-db5a-85bc-04a3-3265faa98f1a}键值: u数据: 134;
14:47:37:424;1516;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKLM\SOFTWARE\Classes\Interface\{0d28d94b-db5a-85bc-04a3-3265faa98f1a}键值: cid数据: 2066210782457380426;
14:47:37:612;1516;C:\WINDOWS\explorer.exe;创建注册表键;键: HKLM\SYSTEM\ControlSet001\Services\.mrxsmb;
14:47:37:612;1516;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKLM\SYSTEM\ControlSet001\Services\.mrxsmb键值: Type数据: 1;
14:47:37:612;1516;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKLM\SYSTEM\ControlSet001\Services\.mrxsmb键值: Start数据: 3;
14:47:37:612;1516;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKLM\SYSTEM\ControlSet001\Services\.mrxsmb键值: ImagePath数据: \*;
14:47:37:612;1516;C:\WINDOWS\explorer.exe;创建远程线程(G14);C:\WINDOWS\system32\winlogon.exe;
14:47:37:612;1516;C:\WINDOWS\explorer.exe;创建远程线程;C:\WINDOWS\system32\winlogon.exe;
14:47:37:643;1516;C:\WINDOWS\explorer.exe;加载驱动;C:\*;
14:47:37:705;1516;C:\*;删除注册表键;键: HKLM\SYSTEM\ControlSet001\Services\.mrxsmb\Enum;
14:47:37:705;1516;C:\*;删除注册表键;键: HKLM\SYSTEM\ControlSet001\Services\.mrxsmb;
14:47:37:721;1516;C:\*;删除注册表键;键: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_.MRXSMB\0000\Control;
14:47:37:721;1516;C:\*;删除注册表键;键: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_.MRXSMB\0000;
14:47:37:721;1516;C:\*;删除注册表键;键: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_.MRXSMB;
14:47:37:831;680;C:\WINDOWS\system32\services.exe;创建文件;C:\WINDOWS\1294158683:2763316402.exe;
14:47:37:862;680;C:\WINDOWS\system32\services.exe;修改文件;C:\WINDOWS\1294158683:2763316402.exe;
14:47:37:862;680;C:\WINDOWS\system32\services.exe;创建注册表键;键: HKLM\SYSTEM\ControlSet001\Services\5b4b234d;
14:47:37:877;680;C:\WINDOWS\system32\services.exe;设置注册表键值;键: HKLM\SYSTEM\ControlSet001\Services\5b4b234d键值: Type数据: 1;
14:47:37:877;680;C:\WINDOWS\system32\services.exe;设置注册表键值;键: HKLM\SYSTEM\ControlSet001\Services\5b4b234d键值: Start数据: 3;
14:47:37:877;680;C:\WINDOWS\system32\services.exe;设置注册表键值;键: HKLM\SYSTEM\ControlSet001\Services\5b4b234d键值: ImagePath数据: \systemroot\1294158683:2763316402.exe;
14:47:37:877;680;C:\WINDOWS\system32\services.exe;创建新进程;1294158683:2763316402.exe;
14:47:37:893;1516;C:\WINDOWS\explorer.exe;创建文件;C:\WINDOWS\$NtUninstallKB34809$\1531650893\L\lttnboqd;
14:47:38:065;1516;C:\WINDOWS\explorer.exe;修改文件;C:\WINDOWS\$NtUninstallKB34809$\1531650893\L\lttnboqd;
14:47:38:065;1516;C:\WINDOWS\explorer.exe;创建文件;C:\WINDOWS\$NtUninstallKB34809$\1531650893\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6};
14:47:38:065;1516;C:\WINDOWS\explorer.exe;修改文件;C:\WINDOWS\$NtUninstallKB34809$\1531650893\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6};
14:47:39:331;1516;C:\WINDOWS\explorer.exe;进程退出;;
14:47:40:581;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache键值: C:\WINDOWS\system32\SNDVOL32.EXE数据: Volume Control;
14:47:40:581;1528;C:\WINDOWS\explorer.exe;创建新进程;"C:\WINDOWS\system32\SNDVOL32.EXE" ;
14:47:40:832;584;C:\WINDOWS\system32\sndvol32.exe;创建注册表键;键: HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control;
14:47:40:832;584;C:\WINDOWS\system32\sndvol32.exe;创建注册表键;键: HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Creative Sound Blaster PCI;
14:47:40:832;584;C:\WINDOWS\system32\sndvol32.exe;创建注册表键;键: HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Creative Sound Blaster PCI\音量控制;
14:47:40:832;584;C:\WINDOWS\system32\sndvol32.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Creative Sound Blaster PCI\音量控制键值: LineStates数据: 00 00 00 00 F3 97 CF 91 A7 63 36 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E2 6C 62 5F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6F 8F F6 4E 08 54 10 62 68 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 35 75 DD 8B BF 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 85 8F A9 52 F3 97 CF 91 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 C6 89 91 98 F3 97 CF 91 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 A6 9E 4B 51 CE 98 F3 97 CF 91 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF 7E EF 8D 93 8F 65 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 00 44 00 20 00 F3 97 91 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;
14:47:40:894;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\SessionInformation键值: ProgramCount数据: 2;
14:47:41:019;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\SessionInformation键值: ProgramCount数据: 3;
14:48:05:121;未知;未知;安装内联钩子;源地址:  0x804EF879 目标地址:  0xB1EB70F5;
14:48:09:013;1044;C:\WINDOWS\system32\svchost.exe;创建文件;C:\WINDOWS\system32\wbem\Logs\wmiprov.log;
14:48:09:028;1044;C:\WINDOWS\system32\svchost.exe;修改文件;C:\WINDOWS\system32\wbem\Logs\wmiprov.log;
14:49:57:121;1700;C:\WINDOWS\system32\wuauclt.exe;删除文件;C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb;
14:49:58:168;1700;C:\WINDOWS\system32\wuauclt.exe;进程退出;;
liulangzhecgr
Posted on 2011-8-21 15:01:42
2011-8-21 14:55:53    创建新进程    允许
进程: c:\windows\explorer.exe
目标: e:\downloads\yangben\yangben.exe
命令行: "E:\Downloads\yangben\yangben.exe"
规则: [应用程序]*

2011-8-21 14:55:59    创建新进程    允许
进程: e:\downloads\yangben\yangben.exe
目标: c:\windows\explorer.exe
命令行: 00000034*
规则: [应用程序]*

2011-8-21 14:56:11    修改其他进程的内存    允许
进程: e:\downloads\yangben\yangben.exe
目标: c:\windows\explorer.exe
规则: [应用程序]*

2011-8-21 14:56:15    修改其他进程的线程    允许
进程: e:\downloads\yangben\yangben.exe
目标: c:\windows\explorer.exe
规则: [应用程序]*

2011-8-21 14:56:22    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1181] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:56:31    删除文件    允许
进程: c:\windows\explorer.exe
目标: C:\Documents and Settings\Administrator\wevtapi.dll
规则: [文件组]所有执行文件 -> [文件]*; *.dll

2011-8-21 14:56:37    删除文件    允许
进程: c:\windows\explorer.exe
目标: C:\Documents and Settings\Administrator\taskmgr.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2011-8-21 14:56:40    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1182] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:56:46    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1183] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:56:51    创建文件夹    允许
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\$NtUninstallKB37923$
规则: [文件]*

2011-8-21 14:56:53    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1184] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:56:58    创建文件    允许
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\$NtUninstallKB37923$\4291385429
规则: [文件]*

2011-8-21 14:57:01    创建文件夹    允许
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\$NtUninstallKB37923$\1251746112
规则: [文件]*

2011-8-21 14:57:03    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1185] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:57:13    创建文件    允许
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\$NtUninstallKB37923$\:SummaryInformation
规则: [文件]*

2011-8-21 14:57:18    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1186] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:57:21    修改文件夹权限    允许
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\$NtUninstallKB37923$
规则: [文件]*

2011-8-21 14:57:26    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1187] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:57:34    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\AmdK8.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:36    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\AmdK8.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:40    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\cdrom.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:42    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\cdrom.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:44    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\redbook.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:49    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\redbook.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:51    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\serial.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:53    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\serial.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:55    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\i8042prt.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:57    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\i8042prt.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:57:59    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\ipsec.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:01    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\ipsec.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:02    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\tcpip.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:04    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\tcpip.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:06    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\netbt.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:07    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\netbt.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:11    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\afd.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:13    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\afd.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:16    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\rdbss.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:18    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\rdbss.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:21    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\mrxsmb.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:23    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\mrxsmb.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:25    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\ljjcefmg.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:27    修改文件权限    阻止
进程: c:\windows\explorer.exe
目标: C:\WINDOWS\system32\drivers\ljjcefmg.sys
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.sys

2011-8-21 14:58:29    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1188] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:58:31    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1189] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:58:33    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1190] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:58:37    修改其他进程的内存    允许
进程: c:\windows\explorer.exe
目标: c:\windows\system32\winlogon.exe
规则: [应用程序]c:\windows\explorer.exe

2011-8-21 14:58:40    修改其他进程的内存    允许
进程: c:\windows\explorer.exe
目标: c:\windows\system32\winlogon.exe
规则: [应用程序]c:\windows\explorer.exe

2011-8-21 14:58:43    在其他进程中创建线程    允许
进程: c:\windows\explorer.exe
目标: c:\windows\system32\winlogon.exe
规则: [应用程序]c:\windows\explorer.exe

2011-8-21 14:58:45    挂起其他进程的线程    允许
进程: c:\windows\explorer.exe
目标: c:\windows\system32\winlogon.exe
规则: [应用程序]c:\windows\explorer.exe

2011-8-21 14:58:47    挂起其他进程的线程    允许
进程: c:\windows\explorer.exe
目标: c:\windows\system32\winlogon.exe
规则: [应用程序]c:\windows\explorer.exe

2011-8-21 14:58:50    挂起其他进程的线程    允许
进程: c:\windows\explorer.exe
目标: c:\windows\system32\winlogon.exe
规则: [应用程序]c:\windows\explorer.exe

2011-8-21 14:58:52    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1191] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:58:53    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1192] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2011-8-21 14:58:54    访问网络    允许
进程: c:\windows\explorer.exe
目标: TCP [本机 : 1193] ->  [95.64.46.44 : 80 (http)]
规则: [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

zarric.leung
(OP) Posted on 2011-8-21 15:03:01
zuo posted on 2011-8-21 14:48
14:47:33:892;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\SessionInformation键值: ProgramCou ...

Wow, that's complicated. How do you work out which of those behaviours are dangerous...
PS: you guys have started flooding my thread
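The question above, which of the logged behaviours are the dangerous ones, can be answered mechanically from the log format zuo posted. The script below is an added example by the editor, not code from any poster or from the HIPS product: it parses lines in the semicolon-separated "time;pid;process;action;detail;" layout, applies the editor's own heuristic rules (a remote thread created in another process, a kernel driver load, a service ImagePath that points into an NTFS alternate data stream, the service key being deleted right after the driver loads, files staged under a `$NtUninstallKB...$` folder, an inline hook being installed, and the dropper deleting its own file after launch), and ROT13-decodes the UserAssist value names, which Windows stores ROT13-encoded, to recover the launched path for the timeline. The severity labels are the editor's assumptions; the sample lines are copied from the log above with the hex data shortened.

```python
"""Behavioural triage of a HIPS/sandbox log in "time;pid;process;action;detail;" layout.
Added example: the rules below are the editor's own heuristics, not the product's logic."""
import codecs
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the posted log, hex data shortened, original field layout kept.
SAMPLE_LOG = r"""
14:47:35:580;1528;C:\WINDOWS\explorer.exe;设置注册表键值;键: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count键值: HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\桌面\lnatora\lnatora.rkr数据: 09 00 00 00 07 00 00 00;
14:47:35:580;1528;C:\WINDOWS\explorer.exe;创建新进程;"C:\Documents and Settings\Administrator\桌面\yangben\yangben.exe" ;
14:47:37:362;1516;C:\WINDOWS\explorer.exe;删除文件;C:\Documents and Settings\Administrator\桌面\yangben\yangben.exe;
14:47:37:612;1516;C:\WINDOWS\explorer.exe;创建远程线程;C:\WINDOWS\system32\winlogon.exe;
14:47:37:643;1516;C:\WINDOWS\explorer.exe;加载驱动;C:\*;
14:47:37:705;1516;C:\*;删除注册表键;键: HKLM\SYSTEM\ControlSet001\Services\.mrxsmb;
14:47:37:877;680;C:\WINDOWS\system32\services.exe;设置注册表键值;键: HKLM\SYSTEM\ControlSet001\Services\5b4b234d键值: ImagePath数据: \systemroot\1294158683:2763316402.exe;
14:47:37:893;1516;C:\WINDOWS\explorer.exe;创建文件;C:\WINDOWS\$NtUninstallKB34809$\1531650893\L\lttnboqd;
14:47:40:581;1528;C:\WINDOWS\explorer.exe;创建新进程;"C:\WINDOWS\system32\SNDVOL32.EXE" ;
14:48:05:121;未知;未知;安装内联钩子;源地址:  0x804EF879 目标地址:  0xB1EB70F5;
"""

# Registry details are logged as "键: <key>键值: <value name>数据: <data>" with no separator.
REG_RE = re.compile(r"键: (?P<key>.*?)键值: (?P<name>.*?)数据: (?P<data>.*)$")


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "info" (editor's assumed scale)
    time: str
    process: str
    label: str
    detail: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one log line into (time, pid, process, action, detail); None if malformed."""
    parts = line.split(";", 4)
    if len(parts) < 5:
        return None
    time, pid, proc, action, rest = parts
    return time, pid, proc, action, rest.rstrip(";").strip().strip('"')


def has_ads(path: str) -> bool:
    """True when the last path component names an NTFS alternate data stream (file:stream)."""
    last = path.replace("/", "\\").split("\\")[-1]
    return ":" in last and not re.fullmatch(r"[A-Za-z]:", last)


def decode_userassist(name: str) -> str:
    """UserAssist value names are ROT13-encoded by Windows; decode to the real path."""
    return codecs.decode(name, "rot_13")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    launched = set()   # paths seen in 创建新进程, to spot the dropper deleting itself
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        time, _pid, proc, action, detail = parsed
        if action == "创建新进程":
            launched.add(detail.lower())
        elif action == "删除文件" and detail.lower() in launched:
            findings.append(Finding("medium", time, proc, "dropper self-delete", detail))
        elif action.startswith("创建远程线程"):
            findings.append(Finding("high", time, proc, "remote thread injection", detail))
        elif action == "加载驱动":
            findings.append(Finding("high", time, proc, "kernel driver load", detail))
        elif action == "安装内联钩子":
            findings.append(Finding("high", time, proc, "inline hook installed", detail))
        elif action == "删除注册表键" and "\\Services\\" in detail:
            findings.append(Finding("medium", time, proc, "service key removed after load", detail))
        elif action == "创建文件" and "$NtUninstallKB" in detail:
            findings.append(Finding("medium", time, proc, "payload staged in fake hotfix folder", detail))
        elif action == "设置注册表键值":
            m = REG_RE.match(detail)
            if not m:
                continue
            key, name, data = m.group("key"), m.group("name"), m.group("data").strip()
            if "\\Services\\" in key and name == "ImagePath" and has_ads(data):
                findings.append(Finding("high", time, proc, "service ImagePath in alternate data stream", data))
            elif "\\UserAssist\\" in key and name.startswith("HRZR_"):
                findings.append(Finding("info", time, proc, "UserAssist " + decode_userassist(name), data))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 4, 'medium': 3, 'info': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.time} {f.process} :: {f.label} :: {f.detail}")
    print(summarize(results))
```

The three "high" classes (code running inside another process, a kernel driver, and a service whose image lives in an alternate data stream so it is invisible to a plain directory listing) are the ones that make ordinary user-mode cleanup unreliable; the "medium" ones are anti-forensic cleanup and staging, and the UserAssist entry is forensic context only. Run over the full log instead of the sample, the same rules pick out the same lines zuo's capture shows.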
hj5abc
Posted on 2011-8-21 19:39:11
Reported it this morning; avast! has added it to its database..

\yangben.exe [L] Win32:Spyware-gen [Spy] (0)
郑伟用户
Posted on 2011-8-21 19:50:44
zarric.leung posted on 2011-8-21 11:04
山山 is really strong, but what if the AV happens to be turned off and this virus has already been run?

Then wait for the tragedy
sanhu35
Posted on 2011-8-21 21:23:00
dm34343667 posted on 2011-8-21 13:18
瑞星 proactive defense

A suggestion: have 瑞星 Trojan Defense show the actions it took
states
Posted on 2011-8-21 21:34:43
zarric.leung posted on 2011-8-21 11:04
山山 is really strong, but what if the AV happens to be turned off and this virus has already been run?

Look at which method the virus uses to stop programs from running. The usual ones are process name, image hijacking, window title, and blocking driver loading. Just modify/restore that and the program will run again; after that it's a matter of repair.
Source: 卡饭论坛 (KaFan forum), KaFan.cn