惡意軟體-iLividSetup-r0-n

fireold

[mw_shl_code=css,true]已刪除 Generic.F55(Argon) 已刪除; C:\Users\lan\Downloads\iLividSetup-r0-n.exe
[/mw_shl_code]

230f4

EAV8收拾

442633310

过360TS，不知道怎么上报

神迹般存在

————————————————————
[mw_shl_code=css,true]24.03.2015 21.03.48;自定义扫描;未检测到威胁;0;0;0;今天, 2015/3/24, 7:45;0 秒;03/24/2015 21:03:48
[/mw_shl_code]
过卡巴，已上报！


————————————————————
[mw_shl_code=css,true]基本信息
文件名称：       
iLividSetup-r0-n.exe
MD5：        26eb52d130f5556b15bc50af8f90a002
文件类型：        Nsis
上传时间：        2015-03-24 21:05:47
出品公司：        Bandoo Media Inc
版本：        5.0.2.4813---5.0.2.4813
壳或编译器信息：        N/A
子文件信息：        详情
关键行为
行为描述：        设置特殊文件夹属性
详情信息：       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述：        隐藏指定窗口
详情信息：       
[Window,Class] = [,Button]
[Window,Class] = [,Static]
[Window,Class] = [ ,Static]
[Window,Class] = [,Internet Explorer_Server]
文件行为
行为描述：        写权限映射文件
详情信息：       
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\!PrivacIE!SharedMem!Counter
Local\UrlZonesSM_Administrator
MSCTF.MarshalInterface.FileMap.IPL..JFFGF
MSCTF.MarshalInterface.FileMap.IPL.B.IGFGF
MSCTF.MarshalInterface.FileMap.IPL.C.IGFGF
MSCTF.MarshalInterface.FileMap.IPL.D.IHFGF
MSCTF.MarshalInterface.FileMap.IPL.E.HIFGF
MSCTF.MarshalInterface.FileMap.IPL.F.GMFGF
MSCTF.MarshalInterface.FileMap.IPL.G.GNFGF
\WINDOWS\system32\zh-cn\jscript.dll.mui
\WINDOWS\system32\zh-cn\mshtml.dll.mui
MSCTF.Shared.SFM.IPL
行为描述：        创建可执行文件
详情信息：       
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\registry.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\UserInfo.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\UAC.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5\apphelp.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5\soffer.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5\Uninstall.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\nsDialogs.dll
行为描述：        修改文件内容
详情信息：       
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\modern-header.bmp---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\init_container[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\dnserrordiagoff_webOC[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[3]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\info_48[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\bullet[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\down[2]---> Offset = 0
行为描述：        设置特殊文件夹属性
详情信息：       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
网络行为
行为描述：        连接指定站点
详情信息：       
InternetConnectA: ServerName = www.secondofferdelivery.com, PORT = 80
行为描述：        建立到一个指定的套接字连接
详情信息：       
127.0.0.1:1032
行为描述：        打开HTTP请求
详情信息：       
HttpOpenRequestA: www.secondofferdelivery.com:80/w ... p;pver=&ptype=n, hConnect = 0x00000394
HttpOpenRequestA: www.secondofferdelivery.com:80/w ... p;pver=&ptype=n, hConnect = 0x0000037c
注册表行为
行为描述：        修改注册表
详情信息：       
\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\sample.exe\IsHostApp
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
行为描述：        删除注册表键值_IE连接设置
详情信息：       
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
其他行为
行为描述：        创建互斥体
详情信息：       
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
oleacc-msaa-loaded
Local\!PrivacIE!SharedMemory!Mutex
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.IPL
行为描述：        隐藏指定窗口
详情信息：       
[Window,Class] = [,Button]
[Window,Class] = [,Static]
[Window,Class] = [ ,Static]
[Window,Class] = [,Internet Explorer_Server]
行为描述：        查找指定窗口
详情信息：       
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
行为描述：        获取系统权限
详情信息：       
SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
行为描述：        窗口信息
详情信息：       
Pid = 3060, Hwnd=0x10362, Text = , ClassName = Static.
Pid = 3060, Hwnd=0x10364, Text = , ClassName = Static.
Pid = 3060, Hwnd=0x10386, Text = Welcome to iLivid!, ClassName = Static.
Pid = 3060, Hwnd=0x10388, Text = Experience faster downloading and immediate viewing, with the best free download manager., ClassName = Static.
Pid = 3060, Hwnd=0x1038a, Text = By clicking "Next" you agree to install iLivid and agree to the, ClassName = Static.
Pid = 3060, Hwnd=0x10392, Text = End User License, ClassName = Button.
Pid = 3060, Hwnd=0x10398, Text = Agreement, ClassName = Button.
Pid = 3060, Hwnd=0x1039a, Text = and, ClassName = Static.
Pid = 3060, Hwnd=0x1039e, Text = Privacy Policy, ClassName = Button.
Pid = 3060, Hwnd=0x203a0, Text = . Requires installation of Movies App by Ask., ClassName = Static.
Pid = 3060, Hwnd=0x103a4, Text = ButtonsLine, ClassName = Static.
Pid = 3060, Hwnd=0x103a6, Text = Cancel, ClassName = Button.
Pid = 3060, Hwnd=0x103a8, Text = Next, ClassName = Button.
Pid = 3060, Hwnd=0x103aa, Text = Distributed by Bandoo Media Inc., ClassName = Static.
Pid = 3060, Hwnd=0x1034e, Text = iLivid Installation, ClassName = #32770.
行为描述：        打开图片文件
详情信息：       
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsl5.tmp\modern-header.bmp[/mw_shl_code]
运行截图

paul_guo

442633310 发表于 2015-3-24 20:45
过360TS，不知道怎么上报

http://www.360totalsecurity.com/en/suspicion/
很难找的

paul_guo

442633310 发表于 2015-3-24 20:45
过360TS，不知道怎么上报

另外360云鉴定杀之

XywCloud

Adware
SUD to BAV

开开心心卖手机

AVG杀！（蛋挞在我这防火墙经常失效已经被我换掉了）

为你心碎

AVAST

欧阳宣

开开心心卖手机 发表于 2015-3-24 21:46
AVG杀！（蛋挞在我这防火墙经常失效已经被我换掉了）

没事，以后我来测gd