This post was last edited by darkwolf_99 on 2012-12-18 23:45
hx1997 posted on 2012-12-18 23:27
So rigid. This is an EXE!!
Force of habit; the boss is right to correct me.
Created: 2012/12/18 23:29:48
Summary: Program Guard: wgsdgsdgdsgsd.exe
Description: C:\Windows\explorer.exe -> C:\1\wgsdgsdgdsgsd.exe
Event type: Program Guard(9)
Event action: Allowed(2)
Created: 2012/12/18 23:30:05
Summary: Program Guard: wgsdgsdgdsgsd.exe -> fela.exe
Description: C:\1\wgsdgsdgdsgsd.exe wants to create executable file C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe
Event type: Suspicious file(13)
Event action: Allowed(2)
Created: 2012/12/18 23:30:27
Summary: Program Guard: wgsdgsdgdsgsd.exe -> fela.exe
Description: C:\1\wgsdgsdgdsgsd.exe(2712) wants to start C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe(2396)
Event type: Program Guard(9)
Event action: Allowed(2)
Created: 2012/12/18 23:30:35
Summary: Program Guard: fela.exe
Description: C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe -> C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe
Event type: Program Guard(9)
Event action: Allowed(2)
Created: 2012/12/18 23:30:42
Summary: Program Guard: wgsdgsdgdsgsd.exe -> tmp4df0ea02.bat
Description: C:\1\wgsdgsdgdsgsd.exe wants to create executable file C:\Users\Evangeline\AppData\Local\Temp\tmp4df0ea02.bat
Event type: Suspicious file(13)
Event action: Allowed(2)
Created: 2012/12/18 23:30:48
Summary: Program Guard: fela.exe -> dwm.exe
Description: C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe(2252) wants to open C:\Windows\System32\dwm.exe(1184)
Event type: Program Guard(9)
Event action: Blocked(3)
Created: 2012/12/18 23:30:48
Summary: Program Guard: kernel event
Description: OADriver: OB_OPERATION_HANDLE_CREATE, 2252 -> 1184, Mask: 147A - 1410
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 1184 Name: dwm.exe
PID: 2252 Name: fela.exe
Created: 2012/12/18 23:30:55
Summary: Program Guard: wgsdgsdgdsgsd.exe -> tmp4df0ea02.bat
Description: C:\1\wgsdgsdgdsgsd.exe wants to modify executable file C:\Users\Evangeline\AppData\Local\Temp\tmp4df0ea02.bat
Event type: Suspicious file(13)
Event action: Allowed(2)
Created: 2012/12/18 23:30:56
Summary: Program Guard: cmd.exe
Description: C:\Windows\SysWOW64\cmd.exe was trusted automatically.
Event type: Program Guard(22)
Event action: Trusted(6)
Created: 2012/12/18 23:30:58
Summary: Program Guard: fela.exe -> explorer.exe
Description: C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe(2252) wants to open C:\Windows\explorer.exe(1224)
Event type: Program Guard(9)
Event action: Blocked(3)
Created: 2012/12/18 23:30:58
Summary: Program Guard: kernel event
Description: OADriver: OB_OPERATION_HANDLE_CREATE, 2252 -> 1224, Mask: 147A - 1410
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 1224 Name: explorer.exe
PID: 2252 Name: fela.exe
Created: 2012/12/18 23:31:02
Summary: Program Guard: wgsdgsdgdsgsd.exe -> cmd.exe
Description: C:\1\wgsdgsdgdsgsd.exe(2712) wants to start C:\Windows\SysWOW64\cmd.exe(2080)
Event type: Program Guard(9)
Event action: Blocked(3)
Created: 2012/12/18 23:31:08
Summary: Program Guard: fela.exe -> VMwareTray.exe
Description: C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe(2252) wants to open C:\Program Files\VMware\VMware Tools\VMwareTray.exe(1396)
Event type: Program Guard(9)
Event action: Blocked(3)
Created: 2012/12/18 23:31:08
Summary: Program Guard: kernel event
Description: OADriver: OB_OPERATION_HANDLE_CREATE, 2252 -> 1396, Mask: 147A - 1410
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 1396 Name: VMwareTray.exe
PID: 2252 Name: fela.exe
Created: 2012/12/18 23:31:12
Summary: Program Guard: fela.exe -> vmtoolsd.exe
Description: C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe(2252) wants to open C:\Program Files\VMware\VMware Tools\vmtoolsd.exe(1420)
Event type: Program Guard(9)
Event action: Blocked(3)
Created: 2012/12/18 23:31:12
Summary: Program Guard: kernel event
Description: OADriver: OB_OPERATION_HANDLE_CREATE, 2252 -> 1420, Mask: 147A - 1410
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 1420 Name: vmtoolsd.exe
PID: 2252 Name: fela.exe
Created: 2012/12/18 23:31:18
Summary: Program Guard: fela.exe -> SpyShelter.exe
Description: C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe(2252) wants to open C:\Program Files (x86)\SpyShelter Firewall\SpyShelter.exe(1436)
Event type: Program Guard(9)
Event action: Blocked(3)
It probes every process one by one; I blocked all the probing attempts and then continued.
Created: 2012/12/18 23:31:41
Summary: Autorun detected: fela.exe
Description: C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe
Event type: Autorun(10)
Event action: Blocked(3)
Then it tries to connect to the network; blocked all of it.
Finally:
Created: 2012/12/18 23:31:44
Summary: Program Guard: kernel event
Description: OADriver: Registry, PID: 2252, Act: 8, Idn: 0, Mask: \REGISTRY\USER\S-1-5-21-2706782817-1821914486-2580403393-1000\Software\Microsoft\Windows\CurrentVersion\Run\Soevy - Deny (rule)
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 2252 Name: fela.exe
Created: 2012/12/18 23:31:49
Summary: Program Guard: kernel event
Description: OADriver: OB_OPERATION_HANDLE_CREATE, 2252 -> 1184, Mask: 147A - 1410
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 1184 Name: dwm.exe
PID: 2252 Name: fela.exe
The fela.exe process kept retrying the actions above, which spiked the CPU; after a few minutes with no response I killed the process from Task Manager. After a reboot there was nothing abnormal.
An EXE like this should be easier to intercept, right?
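The log above is worth more than a pass/fail: the dropper writes an executable under AppData\Roaming, launches it, the dropped fela.exe then tries to open a handle to every running process (dwm.exe, explorer.exe, the VMware tools, the HIPS itself) and finally tries to write a Run key. The script below is an added example, not part of the original post or of Online Armor, that parses this Program Guard/OADriver record format, decodes the handle access masks and flags exactly those four behaviours. The sample records are copied from the post. The access-right bit values are the documented winnt.h PROCESS_* constants; the reading of "Mask: 147A - 1410" as "rights requested - rights left after filtering" is my assumption from the two values (0x147A includes PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION and PROCESS_VM_WRITE, 0x1410 is read/query only), and the rule names and the threshold of three targets are my own choices.

```python
"""Parse Online Armor (OADriver) Program Guard log records and triage them.
Added example; the sample records below are copied from the post."""
import re
from collections import defaultdict

# Process access rights from winnt.h; OB_OPERATION_HANDLE_CREATE masks are these bits.
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights that let the caller inject into, patch or control the target process.
TAMPER_RIGHTS = 0x0001 | 0x0002 | 0x0008 | 0x0020 | 0x0040 | 0x0080 | 0x0800

# Assumption: "Mask: A - B" is the requested mask and the mask left after the driver filtered it.
HANDLE_RE = re.compile(r"OB_OPERATION_HANDLE_CREATE, (\d+) -> (\d+), Mask: ([0-9A-Fa-f]+) - ([0-9A-Fa-f]+)")
DROP_RE = re.compile(r"^(.+?) wants to create executable file (.+)$")
START_RE = re.compile(r"^(.+?)\(\d+\) wants to start (.+?)\(\d+\)$")
RUNKEY_RE = re.compile(r"Registry, PID: (\d+),.*Mask: (\\REGISTRY\\\S+\\CurrentVersion\\Run\\\S+) - (\w+)")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")  # dropper-favoured locations

def decode_access_mask(mask):
    """Expand a process access mask into the named rights it contains."""
    return [n for bit, n in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]

def parse_log(text):
    """One dict per 'Created:' record; PID lines under 'Processes:' go into ev['pids']."""
    events, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = line.partition(":")
        if key == "Created":
            cur = {"created": value.strip(), "pids": {}}
            events.append(cur)
        elif cur is None:
            continue
        elif key in ("Summary", "Description", "Event type", "Event action"):
            cur[key.lower().replace(" ", "_")] = value.strip()
        elif m := re.match(r"PID:\s*(\d+)\s+Name:\s*(\S+)", line):
            cur["pids"][int(m.group(1))] = m.group(2)
    return events

def triage(events, sweep_threshold=3):
    """Return findings: profile drop, launch of the drop, Run-key write, handle sweep."""
    findings, dropped = [], set()
    handles = defaultdict(dict)  # source pid -> {target pid: (name, requested mask, remaining mask)}
    for ev in events:
        d = ev.get("description", "")
        if (m := DROP_RE.match(d)) and any(w in m.group(2).lower() for w in USER_WRITABLE):
            dropped.add(m.group(2).lower())
            findings.append(("drop_to_user_profile", m.group(2)))
        elif (m := START_RE.match(d)) and m.group(2).lower() in dropped:
            findings.append(("launch_dropped_binary", m.group(2)))
        elif m := HANDLE_RE.search(d):
            src, dst = int(m.group(1)), int(m.group(2))
            handles[src][dst] = (ev["pids"].get(dst, "?"), int(m.group(3), 16), int(m.group(4), 16))
        elif m := RUNKEY_RE.search(d):
            findings.append(("run_key_persistence", ev["pids"].get(int(m.group(1)), m.group(1)), m.group(3)))
    for src, targets in handles.items():
        # One process asking for tamper rights on several unrelated processes in a row is an injection sweep.
        tamper = sorted((name for name, req, _ in targets.values() if req & TAMPER_RIGHTS), key=str.lower)
        if len(tamper) >= sweep_threshold:
            findings.append(("handle_sweep", src, tamper))
    return findings

# Records copied from the post (the drop, its launch, three handle-open attempts, the Run-key write).
SAMPLE_LOG = r"""
Created: 2012/12/18 23:30:05
Summary: Program Guard: wgsdgsdgdsgsd.exe -> fela.exe
Description: C:\1\wgsdgsdgdsgsd.exe wants to create executable file C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe
Event type: Suspicious file(13)
Event action: Allowed(2)
Created: 2012/12/18 23:30:27
Summary: Program Guard: wgsdgsdgdsgsd.exe -> fela.exe
Description: C:\1\wgsdgsdgdsgsd.exe(2712) wants to start C:\Users\Evangeline\AppData\Roaming\Voqail\fela.exe(2396)
Event type: Program Guard(9)
Event action: Allowed(2)
Created: 2012/12/18 23:30:48
Summary: Program Guard: kernel event
Description: OADriver: OB_OPERATION_HANDLE_CREATE, 2252 -> 1184, Mask: 147A - 1410
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 1184 Name: dwm.exe
PID: 2252 Name: fela.exe
Created: 2012/12/18 23:30:58
Summary: Program Guard: kernel event
Description: OADriver: OB_OPERATION_HANDLE_CREATE, 2252 -> 1224, Mask: 147A - 1410
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 1224 Name: explorer.exe
PID: 2252 Name: fela.exe
Created: 2012/12/18 23:31:08
Summary: Program Guard: kernel event
Description: OADriver: OB_OPERATION_HANDLE_CREATE, 2252 -> 1396, Mask: 147A - 1410
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 1396 Name: VMwareTray.exe
PID: 2252 Name: fela.exe
Created: 2012/12/18 23:31:44
Summary: Program Guard: kernel event
Description: OADriver: Registry, PID: 2252, Act: 8, Idn: 0, Mask: \REGISTRY\USER\S-1-5-21-2706782817-1821914486-2580403393-1000\Software\Microsoft\Windows\CurrentVersion\Run\Soevy - Deny (rule)
Event type: Kernel event(26)
Event action: None(1)
Processes:
PID: 2252 Name: fela.exe
"""

if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
    print("0x147A =", decode_access_mask(0x147A))
```

Run on the sample it reports the drop into AppData\Roaming, the launch of that dropped file, the denied Run-key write by fela.exe and a handle sweep by PID 2252 against dwm.exe, explorer.exe and VMwareTray.exe. The mask decode is the part worth keeping at hand: 0x147A asks for PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION and PROCESS_VM_WRITE, the classic CreateRemoteThread injection set, while 0x1410 is only VM_READ plus the two query rights, so the driver stripped every right that could modify the target even before the Program Guard prompt was answered.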