【求助】IE劫持、开机弹窗的流氓程序找不出

显示全部楼层 · 发表于 2015-7-23 23:39:20

本帖最后由 hacker22 于 2015-7-23 23:40 编辑

杀软扫扫就好了，没事，老病毒了！
只是屏蔽的关闭键，不高明，在任务管理器结束进程树，定位文件夹，清除就好啦。

显示全部楼层 · 发表于 2015-7-24 00:14:15

hacker22 发表于 2015-7-23 23:39
杀软扫扫就好了，没事，老病毒了！
只是屏蔽的关闭键，不高明，在任务管理器结束进程树，定位文件夹，清除 ...

谢谢 hacker22 回复。

限于水平，自己始终未找出后台控制程序。

至于该程序释放在系统temp内的2个dll文件，可以强删，但不解决根本问题，开机联网后就会发作的。

bdrwei_12位随机名字.dll会调用rundll32.exe访问“hxxp://lv.pp02.com”,貌似运行或者下载什么，在电脑的正常使用中，这个进程会消失；

nbk随机名.dll常驻;

至于劫持IE修改主页地址为 “hxxp://www.72lp.com”（搜了下，似一个导航网址），就不知道是怎么个过程，我真找不到大神居住地去做个分析。

显示全部楼层 · 发表于 2015-7-24 07:42:14

检查可疑驱动

显示全部楼层 · 发表于 2015-7-24 12:26:49

360全盘扫描

显示全部楼层 · 发表于 2015-7-28 17:22:17

本帖最后由 4O4 于 2015-7-28 17:35 编辑

看到本版附有6个在线分析，需要注册的直接跳过，试了试那个胡狼人头像的在线分析，提交2个样本文件后，看着分析真是找不到北～有大神愿意看看么？（详见后帖）

*******************这个是VirSCAN.org的*************************

NBK*.tmp

文件信息

安全评分 :80
基本信息
MD5: d4ceeadd3472785a918a9ad2eb8b39e0
文件类型: DLL
出品公司:
版本: 1.2.5.0---1.2.5
壳或编译器信息: PACKER:UPX 0.80 - 1.24 DLL -> Markus & Laszlo [Overlay]
子文件信息: upx_c_64498f32dumpFile / c3265c380658685da83cde8e4703577b / DLL

关键行为

行为描述: 写权限映射文件
详情信息: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Local\UrlZonesSM_Administrator
\WINDOWS\system32\zh-cn\jscript.dll.mui

行为描述: 设置特殊文件夹属性
详情信息: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies

行为描述: 按名称获取主机地址
详情信息: u.pp02.com
文件行为
行为描述: 写权限映射文件
详情信息: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Local\UrlZonesSM_Administrator
\WINDOWS\system32\zh-cn\jscript.dll.mui

行为描述: 设置特殊文件夹属性
详情信息: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies

网络行为

行为描述: 连接指定站点
详情信息: InternetConnectA: ServerName = 219.133.40.1, PORT = 8000

行为描述: 建立到一个指定的套接字连接
详情信息: 127.0.0.1:1034

行为描述: 读取网络文件
详情信息: hFile = 0x000002b4, BytesToRead =4096, BytesRead = 4096.

行为描述: 打开HTTP请求
详情信息: HttpOpenRequestA: 219.133.40.1:8000/tongji.asp?p=005900500072008300850084007f008a00850088007200920057008b008a00850063008500840069007b0088008c007b00880044007b008e007b0092004c004c004d004c004a004e00920059005000720057008400770082008f0090007b005900850084008a008800

行为描述: 按名称获取主机地址
详情信息: u.pp02.com

注册表行为

行为描述: 修改注册表
详情信息: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

行为描述: 删除注册表键值_IE连接设置
详情信息: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

其他行为

行为描述: 创建互斥体
详情信息: CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
u.pp02.comDllRequest9000
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile

行为描述: 获取系统权限
详情信息: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE

````````````````````````````````````````````````````````````````````````

显示全部楼层 · 发表于 2015-7-28 17:24:32

[#############################################################################]
Analysis Report for NBKC.tmp
               MD5: 9a8657a61daeafd7053017103ab53cd6
[#############################################################################]

[=============================================================================]
Table of Contents
[=============================================================================]

- General information
- dll_analysis.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
- dwwin.exe
   a) Registry Activities
   b) File Activities

[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
      Time needed:       304 s
      Report created:    07/27/15, 01:14:20 UTC
      Termination reason: Timeout
      Program version: 1.76.3886

[=============================================================================]
Popups
[=============================================================================]
      Process:       csrss.exe
      Window Name:    dll_analysis.exe - Bad Image
      Displayed Times: 1
      Window Text:
OK
The application or DLL C:\Program Files\Common Files\d1.tmp.dll is not a valid Windows image. Please check this against your installation diskette.

[#############################################################################]
2. dll_analysis.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
      Analysis Reason: Primary Analysis Subject
      Filename:       dll_analysis.exe
      MD5:          9a8657a61daeafd7053017103ab53cd6
      SHA-1:          fc8b94e5f708f992e88fce3d6071361046250250
      File Size:    303104 Bytes
      Command Line: "C:\\dll_analysis.exe" -d C:\NBKC.tmp.exe
      Process-status
      at analysis end: alive
      Exit Code:    0

[=============================================================================]
Load-time Dlls
[=============================================================================]
      Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
            Base Address: [0x7C900000 ], Size: [0x000AF000 ]
      Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
            Base Address: [0x7C800000 ], Size: [0x000F6000 ]
      Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
            Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
      Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
            Base Address: [0x77E70000 ], Size: [0x00092000 ]
      Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
            Base Address: [0x77FE0000 ], Size: [0x00011000 ]
      Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
            Base Address: [0x77F60000 ], Size: [0x00076000 ]
      Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
            Base Address: [0x77F10000 ], Size: [0x00049000 ]
      Module Name: [ C:\WINDOWS\system32\USER32.dll ],
            Base Address: [0x7E410000 ], Size: [0x00091000 ]
      Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
            Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
      Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
            Base Address: [0x5B860000 ], Size: [0x00055000 ]
      Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
            Base Address: [0x5D090000 ], Size: [0x0009A000 ]
      Module Name: [ C:\WINDOWS\system32\faultrep.dll ],
            Base Address: [0x69450000 ], Size: [0x00016000 ]
      Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
            Base Address: [0x76360000 ], Size: [0x00010000 ]
      Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
            Base Address: [0x769C0000 ], Size: [0x000B4000 ]
      Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
            Base Address: [0x76F50000 ], Size: [0x00008000 ]
      Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
            Base Address: [0x773D0000 ], Size: [0x00103000 ]
      Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
            Base Address: [0x77920000 ], Size: [0x000F3000 ]
      Module Name: [ C:\WINDOWS\system32\apphelp.dll ],
            Base Address: [0x77B40000 ], Size: [0x00022000 ]
      Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
            Base Address: [0x77C00000 ], Size: [0x00008000 ]
      Module Name: [ C:\WINDOWS\system32\shell32.dll ],
            Base Address: [0x7C9C0000 ], Size: [0x00817000 ]

[=============================================================================]
Program output
[=============================================================================]
      Stdout:
Renaming input file to .\d1.tmp.dll

      Stderr:
Failed to load Dll - Error 193:

[=============================================================================]
2.a) dll_analysis.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Key: [ HKLM\SYSTEM\Setup ],
         Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
      Key: [ HKLM\SYSTEM\Setup ],
         Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
      Key: [ HKLM\SYSTEM\Setup ],
         Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
      Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
         Value Name: [ Installed ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
         Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
         Value Name: [ DoReport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
         Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
         Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
         Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ],
         Value Name: [ ShowUI ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
         Value Name: [ Auto ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ],
         Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ],
         Value Name: [ AppInit_DLLs ], Value: [  ], 1 time
      Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
         Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
      Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
         Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
         Value Name: [ LogLevel ], Value: [ 0 ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
         Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
         Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
         Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
         Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
         Value Name: [ ItemSize ], Value: [ 779 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
         Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
         Value Name: [ ItemSize ], Value: [ 517 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
         Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
         Value Name: [ ItemSize ], Value: [ 918 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
         Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
         Value Name: [ ItemSize ], Value: [ 229 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
         Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
         Value Name: [ ItemSize ], Value: [ 370 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
         Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
         Value Name: [ ComputerName ], Value: [ PC ], 2 times
      Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
         Value Name: [ ProductType ], Value: [ WinNT ], 1 time
      Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
         Value Name: [ TSAppCompat ], Value: [ 0 ], 1 time
      Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
         Value Name: [ Domain ], Value: [  ], 1 time
      Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
         Value Name: [ Hostname ], Value: [ pc ], 1 time
      Key: [ HKLM\System\Setup ],
         Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
      Key: [ HKLM\System\WPA\PnP ],
         Value Name: [ seed ], Value: [ 1274198464 ], 1 time
      Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
         Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
      Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
         Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
      Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
         Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time

[=============================================================================]
2.b) dll_analysis.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b385_appcompat.txt ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File Name: [ C:\WINDOWS\system32\winsock.dll ]
      File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b385_appcompat.txt ]
      File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Renamed:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Old File Name: [ C:\NBKC.tmp.exe ], New File Name: [ C:\Program Files\Common Files\d1.tmp.dll ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
      File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File Name: [ C:\Program Files\Common Files\d1.tmp.dll ]
      File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
      File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
      File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
      File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
      File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
      File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
      File Name: [ C:\WINDOWS\system32\advapi32.dll ]
      File Name: [ C:\WINDOWS\system32\apphelp.dll ]
      File Name: [ C:\WINDOWS\system32\comctl32.dll ]
      File Name: [ C:\WINDOWS\system32\dwwin.exe ]
      File Name: [ C:\WINDOWS\system32\faultrep.dll ]
      File Name: [ C:\WINDOWS\system32\gdi32.dll ]
      File Name: [ C:\WINDOWS\system32\kernel32.dll ]
      File Name: [ C:\WINDOWS\system32\ntdll.dll ]
      File Name: [ C:\WINDOWS\system32\ole32.dll ]
      File Name: [ C:\WINDOWS\system32\oleaut32.dll ]
      File Name: [ C:\WINDOWS\system32\shell32.dll ]
      File Name: [ C:\WINDOWS\system32\user32.dll ]
      File Name: [ C:\WINDOWS\system32\wininet.dll ]
      File Name: [ C:\WINDOWS\system32\winsock.dll ]
      File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
2.c) dll_analysis.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Executable: [ C:\WINDOWS\system32\dwwin.exe ], Command Line: [  ]
      Executable: [  ], Command Line: [ C:\WINDOWS\system32\dwwin.exe -x -s 160 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Affected Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=============================================================================]
2.d) dll_analysis.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x408768 ], 1 time

[#############################################################################]
3. dwwin.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
      Analysis Reason: Started by dll_analysis.exe
      Filename:       dwwin.exe
      Process-status
      at analysis end: alive
      Exit Code:    0

[=============================================================================]
Load-time Dlls
[=============================================================================]
      Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
            Base Address: [0x7C900000 ], Size: [0x000AF000 ]
      Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
            Base Address: [0x7C800000 ], Size: [0x000F6000 ]
      Module Name: [ C:\WINDOWS\system32\ADVAPI32.DLL ],
            Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
      Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
            Base Address: [0x77E70000 ], Size: [0x00092000 ]
      Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
            Base Address: [0x77FE0000 ], Size: [0x00011000 ]
      Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ],
            Base Address: [0x5D090000 ], Size: [0x0009A000 ]
      Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
            Base Address: [0x77F10000 ], Size: [0x00049000 ]
      Module Name: [ C:\WINDOWS\system32\USER32.dll ],
            Base Address: [0x7E410000 ], Size: [0x00091000 ]
      Module Name: [ C:\WINDOWS\system32\OLEAUT32.DLL ],
            Base Address: [0x77120000 ], Size: [0x0008B000 ]
      Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
            Base Address: [0x77C10000 ], Size: [0x00058000 ]
      Module Name: [ C:\WINDOWS\system32\ole32.dll ],
            Base Address: [0x774E0000 ], Size: [0x0013D000 ]
      Module Name: [ C:\WINDOWS\system32\SHELL32.DLL ],
            Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
      Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
            Base Address: [0x77F60000 ], Size: [0x00076000 ]
      Module Name: [ C:\WINDOWS\system32\URLMON.DLL ],
            Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
      Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
            Base Address: [0x77C00000 ], Size: [0x00008000 ]
      Module Name: [ C:\WINDOWS\system32\WININET.DLL ],
            Base Address: [0x771B0000 ], Size: [0x000AA000 ]
      Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
            Base Address: [0x77A80000 ], Size: [0x00095000 ]
      Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
            Base Address: [0x77B20000 ], Size: [0x00012000 ]
      Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
            Base Address: [0x5CB70000 ], Size: [0x00026000 ]
      Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
            Base Address: [0x6F880000 ], Size: [0x001CA000 ]
      Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
            Base Address: [0x76B40000 ], Size: [0x0002D000 ]
      Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
            Base Address: [0x77BE0000 ], Size: [0x00015000 ]
      Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
            Base Address: [0x769C0000 ], Size: [0x000B4000 ]
      Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
            Base Address: [0x5AD70000 ], Size: [0x00038000 ]
      Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
            Base Address: [0x773D0000 ], Size: [0x00103000 ]

[=============================================================================]
3.a) dwwin.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
         Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
      Key: [ HKLM\SYSTEM\Setup ],
         Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
      Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
         Value Name: [ Installed ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ],
         Value Name: [ AppInit_DLLs ], Value: [  ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
      Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
         Value Name: [ TSAppCompat ], Value: [ 0 ], 3 times
      Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
         Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time

[=============================================================================]
3.b) dwwin.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File: [ C:\WINDOWS\system32 ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
      File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
      File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
      File Name: [ C:\WINDOWS\system32\COMCTL32.DLL ]
      File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
      File Name: [ C:\WINDOWS\system32\SHELL32.DLL ]
      File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
      File Name: [ C:\WINDOWS\system32\URLMON.DLL ]
      File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
      File Name: [ C:\WINDOWS\system32\WINMM.dll ]
      File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[#############################################################################]
                     International Secure Systems Lab
                        http://www.iseclab.org

Vienna University of Technology    Eurecom France          UC Santa Barbara
http://www.tuwien.ac.at       http://www.eurecom.fr  http://www.cs.ucsb.edu

                        Contact: anubis@iseclab.org

显示全部楼层 · 发表于 2015-7-28 17:25:49

[#############################################################################]
Analysis Report for bdrwei_B8AC6FDDC8AF.dll
               MD5: 9a8657a61daeafd7053017103ab53cd6
[#############################################################################]

[=============================================================================]
Table of Contents
[=============================================================================]

- General information
- dll_analysis.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
- regsvr32.exe
   a) Registry Activities
   b) File Activities

[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
      Time needed:       123 s
      Report created:    07/27/15, 01:31:06 UTC
      Termination reason: All tracked processes have exited
      Program version: 1.76.3886

[#############################################################################]
2. dll_analysis.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
      Analysis Reason: Primary Analysis Subject
      Filename:       dll_analysis.exe
      MD5:          9a8657a61daeafd7053017103ab53cd6
      SHA-1:          fc8b94e5f708f992e88fce3d6071361046250250
      File Size:    303104 Bytes
      Command Line: "C:\\dll_analysis.exe" -d C:\bdrwei_B8A.exe
      Process-status
      at analysis end: dead
      Exit Code:    0

[=============================================================================]
Load-time Dlls
[=============================================================================]
      Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
            Base Address: [0x7C900000 ], Size: [0x000AF000 ]
      Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
            Base Address: [0x7C800000 ], Size: [0x000F6000 ]
      Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
            Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
      Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
            Base Address: [0x77E70000 ], Size: [0x00092000 ]
      Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
            Base Address: [0x77FE0000 ], Size: [0x00011000 ]
      Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
            Base Address: [0x77F60000 ], Size: [0x00076000 ]
      Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
            Base Address: [0x77F10000 ], Size: [0x00049000 ]
      Module Name: [ C:\WINDOWS\system32\USER32.dll ],
            Base Address: [0x7E410000 ], Size: [0x00091000 ]
      Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
            Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
      Module Name: [ C:\Program Files\Common Files\d1.tmp.dll ],
            Base Address: [0x10000000 ], Size: [0x00071000 ]
      Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
            Base Address: [0x5B860000 ], Size: [0x00055000 ]
      Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
            Base Address: [0x5D090000 ], Size: [0x0009A000 ]
      Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
            Base Address: [0x71AA0000 ], Size: [0x00008000 ]
      Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
            Base Address: [0x71AB0000 ], Size: [0x00017000 ]
      Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
            Base Address: [0x77120000 ], Size: [0x0008B000 ]
      Module Name: [ C:\WINDOWS\system32\WININET.dll ],
            Base Address: [0x771B0000 ], Size: [0x000AA000 ]
      Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
            Base Address: [0x773D0000 ], Size: [0x00103000 ]
      Module Name: [ C:\WINDOWS\system32\ole32.dll ],
            Base Address: [0x774E0000 ], Size: [0x0013D000 ]
      Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
            Base Address: [0x77A80000 ], Size: [0x00095000 ]
      Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
            Base Address: [0x77B20000 ], Size: [0x00012000 ]
      Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
            Base Address: [0x77B40000 ], Size: [0x00022000 ]
      Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
            Base Address: [0x77C00000 ], Size: [0x00008000 ]
      Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
            Base Address: [0x7C9C0000 ], Size: [0x00817000 ]

[=============================================================================]
Program output
[=============================================================================]
      Stdout:
Renaming input file to .\d1.tmp.dll
found DllCmd at 0x1004e690
found dll entry point at 0x1006fab0
Dll is not a BHO
Invoking regsvr32
calling DllMain
{

}
done
calling DllCmd at 0x1004e690
{

}
done (return value 0x0)
skip dll entry point at 0x1006fab0
done.

[=============================================================================]
2.a) dll_analysis.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Keys Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION ],
         Value Name: [ rundll32.exe ], New Value: [ 11001 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
         Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
      Key: [ HKLM\SYSTEM\Setup ],
         Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
      Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
         Value Name: [ Installed ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ],
         Value Name: [ AppInit_DLLs ], Value: [  ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
         Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
         Value Name: [ ItemSize ], Value: [ 779 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
         Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
         Value Name: [ ItemSize ], Value: [ 517 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
         Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
         Value Name: [ ItemSize ], Value: [ 918 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
         Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
         Value Name: [ ItemSize ], Value: [ 229 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
         Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
         Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
         Value Name: [ ItemSize ], Value: [ 370 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
         Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
         Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
      Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
         Value Name: [ TSAppCompat ], Value: [ 0 ], 1 time
      Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
         Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time

[=============================================================================]
2.b) dll_analysis.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Renamed:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Old File Name: [ C:\bdrwei_B8A.exe ], New File Name: [ C:\Program Files\Common Files\d1.tmp.dll ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File Name: [ C:\Program Files\Common Files\d1.tmp.dll ]
      File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
      File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
      File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
      File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
      File Name: [ C:\WINDOWS\system32\WININET.dll ]
      File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
      File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
      File Name: [ C:\WINDOWS\system32\comctl32.dll ]
      File Name: [ C:\WINDOWS\system32\regsvr32.exe ]
      File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
2.c) dll_analysis.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Executable: [ C:\WINDOWS\system32\regsvr32.exe ], Command Line: [  ]
      Executable: [  ], Command Line: [ regsvr32.exe /c /s .\d1.tmp.dll ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Affected Process: [ C:\WINDOWS\system32\regsvr32.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Process: [ C:\WINDOWS\system32\regsvr32.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Process: [ C:\WINDOWS\system32\regsvr32.exe ]

[=============================================================================]
2.d) dll_analysis.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Mutex: [ DBWinMutex ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Description: [ Exception 0x40010006 at 0x7c812aeb ], 1 time

[#############################################################################]
3. regsvr32.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
      Analysis Reason: Started by dll_analysis.exe
      Filename:       regsvr32.exe
      MD5:          fbdb9d0935b9907b809b381fddf1627f
      SHA-1:          14d7e5daa80a19fe18a8098e2fc56fe3aac52bd9
      File Size:    11776 Bytes
      Command Line: regsvr32.exe /c /s .\d1.tmp.dll
      Process-status
      at analysis end: dead
      Exit Code:    4

[=============================================================================]
Load-time Dlls
[=============================================================================]
      Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
            Base Address: [0x7C900000 ], Size: [0x000AF000 ]
      Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
            Base Address: [0x7C800000 ], Size: [0x000F6000 ]
      Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
            Base Address: [0x77C10000 ], Size: [0x00058000 ]
      Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
            Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
      Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
            Base Address: [0x77E70000 ], Size: [0x00092000 ]
      Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
            Base Address: [0x77FE0000 ], Size: [0x00011000 ]
      Module Name: [ C:\WINDOWS\system32\USER32.dll ],
            Base Address: [0x7E410000 ], Size: [0x00091000 ]
      Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
            Base Address: [0x77F10000 ], Size: [0x00049000 ]
      Module Name: [ C:\WINDOWS\system32\ole32.dll ],
            Base Address: [0x774E0000 ], Size: [0x0013D000 ]
      Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
            Base Address: [0x5CB70000 ], Size: [0x00026000 ]
      Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
            Base Address: [0x6F880000 ], Size: [0x001CA000 ]
      Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
            Base Address: [0x76B40000 ], Size: [0x0002D000 ]
      Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
            Base Address: [0x77120000 ], Size: [0x0008B000 ]
      Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
            Base Address: [0x77BE0000 ], Size: [0x00015000 ]
      Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
            Base Address: [0x77C00000 ], Size: [0x00008000 ]
      Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
            Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
      Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
            Base Address: [0x77F60000 ], Size: [0x00076000 ]
      Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
            Base Address: [0x769C0000 ], Size: [0x000B4000 ]
      Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
            Base Address: [0x5AD70000 ], Size: [0x00038000 ]
      Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
            Base Address: [0x773D0000 ], Size: [0x00103000 ]
      Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
            Base Address: [0x5D090000 ], Size: [0x0009A000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
      Module Name: [ C:\Program Files\Common Files\d1.tmp.dll ],
            Base Address: [0x10000000 ], Size: [0x00071000 ]
      Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
            Base Address: [0x5B860000 ], Size: [0x00055000 ]
      Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
            Base Address: [0x71AA0000 ], Size: [0x00008000 ]
      Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
            Base Address: [0x71AB0000 ], Size: [0x00017000 ]
      Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
            Base Address: [0x74720000 ], Size: [0x0004C000 ]
      Module Name: [ C:\WINDOWS\system32\WININET.dll ],
            Base Address: [0x771B0000 ], Size: [0x000AA000 ]
      Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
            Base Address: [0x77A80000 ], Size: [0x00095000 ]
      Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
            Base Address: [0x77B20000 ], Size: [0x00012000 ]

[=============================================================================]
3.a) regsvr32.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      Key: [ HKLM\SOFTWARE\CLASSES\.DLL ],
         Value Name: [  ], Value: [ dllfile ], 1 time
      Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
         Value Name: [ CUAS ], Value: [ 0 ], 1 time
      Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
         Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
      Key: [ HKLM\SYSTEM\Setup ],
         Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
      Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
         Value Name: [ Installed ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
         Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
         Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
         Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
         Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
         Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
         Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
         Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
         Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
         Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
         Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
         Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
         Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
         Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
         Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
         Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
         Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
         Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
         Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
         Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
         Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
         Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
      Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
         Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ midimapper ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.iac2 ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.imaadpcm ], Value: [ imaadp32.acm ], 3 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.l3acm ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.msadpcm ], Value: [ msadp32.acm ], 3 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.msaudio1 ], Value: [ msaud32.acm ], 3 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.msg711 ], Value: [  ], 3 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.msg723 ], Value: [  ], 3 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.msgsm610 ], Value: [  ], 3 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.sl_anet ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ msacm.trspch ], Value: [  ], 3 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.I420 ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.M261 ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.M263 ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.cvid ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.iv31 ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.iv32 ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.iv41 ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.iv50 ], Value: [  ], 1 time
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.iyuv ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.mrle ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.msvc ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.uyvy ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.yuy2 ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.yvu9 ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ vidc.yvyu ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
         Value Name: [ wavemapper ], Value: [  ], 2 times
      Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ],
         Value Name: [ AppInit_DLLs ], Value: [  ], 1 time
      Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
         Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
      Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
         Value Name: [ wheel ], Value: [ 1 ], 1 time
      Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
         Value Name: [ ProductType ], Value: [ WinNT ], 1 time
      Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
         Value Name: [ TSAppCompat ], Value: [ 0 ], 1 time
      Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
         Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
      Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
         Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
      Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ],
         Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
      Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
         Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
      Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
         Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time

[=============================================================================]
3.b) regsvr32.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
      File Name: [ C:\Program Files\Common Files\d1.tmp.dll ]
      File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
      File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
      File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
      File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
      File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
      File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
      File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
      File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
      File Name: [ C:\WINDOWS\system32\WININET.dll ]
      File Name: [ C:\WINDOWS\system32\WINMM.dll ]
      File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
      File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
      File Name: [ C:\WINDOWS\system32\comctl32.dll ]
      File Name: [ C:\WINDOWS\system32\imm32.dll ]
      File Name: [ C:\WINDOWS\system32\rpcss.dll ]
      File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[#############################################################################]
                     International Secure Systems Lab
                        http://www.iseclab.org

Vienna University of Technology    Eurecom France          UC Santa Barbara
http://www.tuwien.ac.at       http://www.eurecom.fr  http://www.cs.ucsb.edu

                        Contact: anubis@iseclab.org

显示全部楼层 · 发表于 2015-7-28 18:01:56

假如自己手杀的话，按图索骥就可以了。

现在唯一需要确定的是，哪个家伙释放或调用这2个文件（都是开机就出现在系统temp文件夹内）？

朋友的电脑说白了也是个全家桶，平时帮忙维护时，没少摘机主说不清怎么来的各国内各著名厂家产品，记忆中比较隐蔽的是某山的防火墙，无卸载、无托盘图标、无后台进程，仅以数个模块插在某些系统进程中。

另外比较反感国内各行的插件，各搞各的，弄一堆后台进程及IE插件随机启动，每年大赚特赚，就不能统一开发成一个？

感觉就是跟IE起来的，因为各行插件的原因，后台有2个IE进程（且是父子进程），可是我查遍了IE插件，没发现可疑的。要是自己的机器倒也好说，直接卸掉各行插件再查，可惜人家电脑办公都忙不迭，哪有时间给我细玩？

-----------------------------------------------------------------------------------------

题外话：
其实不是自己闲着无聊追着不放，只是想揪出流氓程序，至于怎么提交再说。

借用湖北荆州商场自动扶梯事件，暂为管事的点个赞，因为这两天在商场，看到有人在检查扶梯。“每一条安全规则都是用血写成的”，这句话给自己印象太过深刻，以至于莫名其妙有点软件洁癖，只是自己水平太差，有心而无力～

显示全部楼层 · 发表于 2015-7-28 21:40:20

据vm001说，是鬼影，可以试试检查mbr,vbr

显示全部楼层 · 发表于 2015-7-28 22:27:20

KIS missed all
上报KIS

简单地分析了一下，NBK5.tmp的行为基本属于流氓软件，他会在运行后先保护上自己的文件，然后连上一个一个名为u.pp02.com的网站（未测试该网站）。对于修改注册表，确实是有的，而且就是修改IE键值，它会删除注册表键值_IE连接设置：\REGISTRY\USER\S-1-5-21-148247650-11645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Intern...这就实现了替换主页的目的，最后它会强制获得管理员权限，以此实现流氓行为。

第二个： bdrwei_B8AC6FDDC8AF.dll，这个可能是前面那个文件的辅助体，协助获取管理员权限，然后创建一个钩子（HOOK）文件。

建议用各大国内杀软的急救箱杀下毒，或者进安全模式杀毒，前提是这个钩子不会自动运行（开机启动）。

[可疑文件] 【求助】IE劫持、开机弹窗的流氓程序找不出