注入类样本

显示全部楼层 · 发表于 2013-9-21 20:36:44

360卫士杀了。
MSE杀了

显示全部楼层 · 发表于 2013-9-21 21:10:39

驭龙发表于 2013-9-21 18:14
当然给力了,基本上秒杀锁屏,就今天有两个过了,之前十几个全部被灭.

没有真正意义上的主动防御,但是有动 ...

改天试试。。。
WIN8上用的MSE。。。
看来还得升级下。。。

显示全部楼层 · 发表于 2013-9-22 07:29:38

Filename: 097db9712dec604a02453f98cb0ba5c7.exe
Threat name: Trojan.Gen
Full Path: 097db9712dec604a02453f98cb0ba5c7.exe

____________________________

Details
Unknown Community Usage, Unknown Age, Risk High

Origin
Downloaded from
http://qd.cache.baidupcs.com/fil ... &to=qc&fm=B,B,U,nc&expires=8h&rt=sh&r=766086614&logid=3255543600&sh=1&fn=097DB9712DEC604A02453F98CB0BA5C7.rar

Activity
Actions performed: Actions performed: 1

____________________________

On computers as of
Not Available

Last Used
2013-9-22 at 7:27:50

Startup Item
No

Launched
No

____________________________

Unknown
It is unknown how many users in the Norton Community have used this file.

Unknown
This file release is currently not known.

High
This file risk is high.

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

____________________________

http://qd.cache.baidupcs.com/fil ... &to=qc&fm=B,B,U,nc&expires=8h&rt=sh&r=766086614&logid=3255543600&sh=1&fn=097DB9712DEC604A02453F98CB0BA5C7.rar

Downloaded File 097db9712dec604a02453f98cb0ba5c7.exe Threat name: Trojan.Gen
from baidupcs.com

Source: External Media

____________________________

File Actions

File: f:\norton样本\诺顿排除\ 097db9712dec604a02453f98cb0ba5c7.rar Removed
____________________________

File Thumbprint - SHA:
8a183ee09397972952f78d493b9fc8874c65a0d660911a559f49c2e423e44a92
File Thumbprint - MD5:
Not available

显示全部楼层 · 发表于 2013-9-23 09:05:12

。。。。。。。。。。。

显示全部楼层 · 发表于 2013-10-21 10:32:17

百度杀毒国际版云杀

显示全部楼层 · 发表于 2013-10-21 11:23:25

支持！！！！！！！！！

显示全部楼层 · 发表于 2013-10-28 23:52:08

我擦这动作逆天...

2013-10-28 23:44:35 创建新进程允许
进程: d:\windows\explorer.exe
目标: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
命令行: "D:\Documents and Settings\killleer\桌面\tested--3\097DB9712DEC604A02453F98CB0BA5C7.exe"
规则: [应用程序]d:\windows\explorer.exe

2013-10-28 23:44:46 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\桌面\tested--3\097DB9712DEC604A02453F98CB0BA5C7.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:44:47 创建新进程允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
命令行: "D:\Documents and Settings\killleer\桌面\tested--3\097DB9712DEC604A02453F98CB0BA5C7.exe"
规则: [应用程序]*

2013-10-28 23:44:49 读文件 (3) 允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\WINDOWS\WindowsShell.Manifest
规则: [文件组]所有执行文件 -> [文件]*; *.manifest

2013-10-28 23:44:51 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\桌面\tested--3\097DB9712DEC604A02453F98CB0BA5C7.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:44:53 创建文件夹允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ucengy
规则: [文件]*

2013-10-28 23:44:55 创建文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:44:56 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:44:57 创建文件夹允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Olvuo
规则: [文件]*

2013-10-28 23:45:01 创建文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Olvuo\fuqio.uxd
规则: [文件组]所有执行文件 -> [文件]*; *.*

2013-10-28 23:45:02 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Olvuo\fuqio.uxd
规则: [文件组]所有执行文件 -> [文件]*; *.*

2013-10-28 23:45:04 创建文件夹允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ihwoap
规则: [文件]*

2013-10-28 23:45:07 创建文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ihwoap\umxe.uqf
规则: [文件组]所有执行文件 -> [文件]*; *.*

2013-10-28 23:45:08 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ihwoap\umxe.uqf
规则: [文件组]所有执行文件 -> [文件]*; *.*

2013-10-28 23:45:10 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\桌面\tested--3\097DB9712DEC604A02453F98CB0BA5C7.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:45:11 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:45:12 修改文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:45:14 读文件 (2) 允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:45:15 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Olvuo\fuqio.uxd
规则: [文件组]所有执行文件 -> [文件]*; *.*

2013-10-28 23:45:16 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ihwoap\umxe.uqf
规则: [文件组]所有执行文件 -> [文件]*; *.*

2013-10-28 23:45:16 读文件允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:45:18 创建新进程允许
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: d:\documents and settings\killleer\application data\ucengy\elwy.exe
命令行: "D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe"
规则: [应用程序]*

2013-10-28 23:45:24 读文件允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:45:26 创建新进程允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\documents and settings\killleer\application data\ucengy\elwy.exe
命令行: "D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe"
规则: [应用程序]*

2013-10-28 23:45:27 读文件允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: D:\WINDOWS\WindowsShell.Manifest
规则: [文件组]所有执行文件 -> [文件]*; *.manifest

2013-10-28 23:45:33 创建文件阻止并结束进程
进程: d:\documents and settings\killleer\桌面\tested--3\097db9712dec604a02453f98cb0ba5c7.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temp\tmp8a5834e0.bat
规则: [文件组]所有执行文件 -> [文件]*; *.bat

2013-10-28 23:45:35 读文件 (2) 允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: D:\WINDOWS\WindowsShell.Manifest
规则: [文件组]所有执行文件 -> [文件]*; *.manifest

2013-10-28 23:45:37 读文件允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: D:\Documents and Settings\killleer\Application Data\Ucengy\elwy.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:45:43 修改其他进程的内存阻止
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\explorer.exe
规则: [应用程序]*

2013-10-28 23:45:49 读文件 (4) 阻止
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: D:\Program Files\VMware\VMware Tools\vmtoolsd.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:45:50 修改其他进程的内存阻止
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\program files\vmware\vmware tools\vmtoolsd.exe
规则: [应用程序]*

2013-10-28 23:46:06 修改其他进程的内存阻止
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\ctfmon.exe
规则: [应用程序]*

2013-10-28 23:46:11 读文件 (4) 阻止
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: D:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:46:14 修改其他进程的内存阻止
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\program files\vmware\vmware tools\tpautoconnect.exe
规则: [应用程序]*

2013-10-28 23:46:18 读文件阻止
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: D:\Program Files\Internet Explorer\IEXPLORE.EXE
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2013-10-28 23:46:26 修改其他进程的内存阻止
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\program files\internet explorer\iexplore.exe
规则: [应用程序]*

2013-10-28 23:46:28 修改其他进程的内存阻止
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\conime.exe
规则: [应用程序]*

2013-10-28 23:46:34 修改其他进程的内存 (3) 允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\notepad.exe
规则: [应用程序]*

2013-10-28 23:46:37 向其他进程复制句柄允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\notepad.exe
句柄: (Mutant) \BaseNamedObjects\{FB80C4C6-94AA-8DAB-7B52-FCC1872EE380}
规则: [应用程序]*

2013-10-28 23:46:42 修改其他进程的内存 (6) 允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\notepad.exe
规则: [应用程序]*

2013-10-28 23:46:43 向其他进程复制句柄允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\notepad.exe
句柄: (Event) 0x00000098
规则: [应用程序]*

2013-10-28 23:46:46 修改其他进程的内存 (3) 允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\notepad.exe
规则: [应用程序]*

2013-10-28 23:46:48 向其他进程复制句柄允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\notepad.exe
句柄: (Process) d:\documents and settings\killleer\application data\ucengy\elwy.exe
规则: [应用程序]*

2013-10-28 23:46:51 修改其他进程的内存 (4) 允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\notepad.exe
规则: [应用程序]*

2013-10-28 23:46:51 在其他进程中创建线程允许
进程: d:\documents and settings\killleer\application data\ucengy\elwy.exe
目标: d:\windows\system32\notepad.exe
规则: [应用程序]*

2013-10-28 23:47:48 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Olvuo\fuqio.uxd
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:49:08 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Olvuo\fuqio.uxd
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:49:11 创建文件夹允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book
规则: [文件]*

2013-10-28 23:49:19 创建文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:49:21 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\WINDOWS\system32\wbem\Logs\wbemprox.log
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:49:23 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:49:24 修改文件阻止
进程: d:\windows\system32\notepad.exe
目标: D:\WINDOWS\system32\wbem\Logs\wbemprox.log
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:49:48 修改文件阻止
进程: d:\windows\system32\notepad.exe
目标: D:\WINDOWS\system32\wbem\Logs\wbemprox.log
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:49:56 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:50:03 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:50:12 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Olvuo\fuqio.uxd
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:50:13 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:50:14 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Olvuo\fuqio.uxd
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:50:16 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:50:24 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:50:25 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:50:26 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:50:57 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:51:31 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temporary Internet Files\Content.IE5\index.dat
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:51:33 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Cookies\index.dat
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:51:35 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\History\History.IE5\index.dat
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:51:55 创建文件夹允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities
规则: [文件]*

2013-10-28 23:51:58 创建文件夹允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}
规则: [文件]*

2013-10-28 23:51:59 创建文件夹允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft
规则: [文件]*

2013-10-28 23:52:00 创建文件夹允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express
规则: [文件]*

2013-10-28 23:52:06 创建文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\Folders.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:07 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\Folders.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:09 修改文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\Folders.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:11 创建文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\收件箱.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:19 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\收件箱.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:26 删除文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\收件箱.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:27 创建文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\收件箱.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:30 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\收件箱.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:33 修改文件 (3) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\收件箱.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:38 读文件 (5) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:49 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:56 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:52:57 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:00 读文件 (3) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:22 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\收件箱.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:23 创建文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\Offline.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:25 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\Offline.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:26 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\Offline.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:27 创建文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\已发送邮件.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:29 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\已发送邮件.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:30 删除文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\已发送邮件.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:31 创建文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\已发送邮件.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:32 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\已发送邮件.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:35 修改文件 (3) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Application Data\Identities\{0D056DF4-CE72-40C6-B352-16E1093C1A10}\Microsoft\Outlook Express\已发送邮件.dbx
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:37 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:38 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:40 创建文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temp\MPS6.tmp
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:41 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temp\MPS6.tmp
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:42 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temp\MPS6.tmp
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:44 读文件 (2) 允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temp\MPS6.tmp
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:45 修改文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temp\MPS6.tmp
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:46 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temp\MPS6.tmp
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:48 创建文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab~
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:49 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Application Data\Microsoft\Address Book\killleer.wab~
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:51 读文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temp\MPS6.tmp
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

2013-10-28 23:53:52 删除文件允许
进程: d:\windows\system32\notepad.exe
目标: D:\Documents and Settings\killleer\Local Settings\Temp\MPS6.tmp
规则: [应用程序]d:\windows\system32\notepad.exe -> [文件]*

[病毒样本] 注入类样本

本帖子中包含更多资源

本帖子中包含更多资源