流氓系列 fulfejlajfdg.exe

显示全部楼层 · 发表于 2015-9-26 13:48:32

蓝天二号发表于 2015-9-26 13:19
瑞星报高危病毒，，还真少见。。。。

这东西会安装瑞星,还会被瑞星报毒?

显示全部楼层 · 发表于 2015-9-26 14:19:41

狐狸糊涂发表于 2015-9-26 13:48
这东西会安装瑞星,还会被瑞星报毒?

推广百度的，百度不也照样报毒吗

显示全部楼层 · 发表于 2015-9-26 15:29:27

paul_guo 发表于 2015-9-26 13:16
文件名: fulfejlajfdg.exe
威胁名称: SONAR.Heuristic.120完整路径: d:\fulfejlajfdg.exe

什么系统呀？

显示全部楼层 · 发表于 2015-9-26 15:38:36

275751198 发表于 2015-9-26 14:19
推广百度的，百度不也照样报毒吗

没有用国产杀毒,还真不清楚,还以为不会杀呢.
现在用360安全卫士是防流氓和杀木马,
话说360优化,开机必需1分钟以上.这是不是神优化?

显示全部楼层 · 发表于 2015-9-26 16:19:02

自从用咖啡豆后没法测试了，月神只会报一部分，其余全都被阻止了...

显示全部楼层 · 发表于 2015-9-26 16:46:31

paul_guo 发表于 2015-9-26 13:15
ViRobot Trojan.Win32.R.Agent.2217070[h] 2014.3.20.0 20150925
DrWeb Trojan.DownLoader16.43536 7.0.1 ...

瑞星的查杀有时候还是可以的，报的名字是静默安装

显示全部楼层 · 发表于 2015-9-26 16:47:31

蓝天二号发表于 2015-9-26 13:07
蜘蛛的查杀是很震惊的。。

我感到很高兴，至少买了一年的蜘蛛

显示全部楼层 · 发表于 2015-9-26 17:41:29

2015-9-26 17:35:53 c:\windows\explorer.exe 创建新进程 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 允许 [应用程序]c:\windows\explorer.exe 命令行: "C:\Documents and Settings\Administrator\桌面\fulfejlajfdg.exe"
2015-9-26 17:35:54 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 修改文件 C:\WINDOWS\Debug\UserMode\userenv.log 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:35:55 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2241] ->  [220.181.11.98 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:36:00 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2242] ->  [180.149.135.224 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:36:01 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2243] ->  [42.81.12.126 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:36:22 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建新进程 (4) c:\windows\system32\cmd.exe 阻止 [应用程序]* -> [子应用程序]『禁运』黑名单命令行: C:\WINDOWS\system32\cmd.exe /C copy /b "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\WINDOWS\Fonts\verdana.ttf" "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2015-9-26 17:36:25 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建新进程 c:\documents and settings\administrator\local settings\temp\sohuva_4.5.77.0-c204900003-nti-ng-tp-s.exe 允许 [应用程序]* 命令行: SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
2015-9-26 17:36:28 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2254] ->  [180.149.135.224 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:36:28 c:\documents and settings\administrator\local settings\temp\sohuva_4.5.77.0-c204900003-nti-ng-tp-s.exe 修改文件 (2) C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:28 c:\documents and settings\administrator\local settings\temp\sohuva_4.5.77.0-c204900003-nti-ng-tp-s.exe 创建文件 C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:28 c:\documents and settings\administrator\local settings\temp\sohuva_4.5.77.0-c204900003-nti-ng-tp-s.exe 创建文件夹 C:\Documents and Settings\Administrator\Local Settings\Temp尰阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:28 c:\documents and settings\administrator\local settings\temp\sohuva_4.5.77.0-c204900003-nti-ng-tp-s.exe 修改文件 C:\WINDOWS\system32\wbem\Logs\wbemprox.log 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:28 c:\documents and settings\administrator\local settings\temp\sohuva_4.5.77.0-c204900003-nti-ng-tp-s.exe 创建文件夹 C:\Program Files\搜狐影音阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:28 c:\documents and settings\administrator\local settings\temp\sohuva_4.5.77.0-c204900003-nti-ng-tp-s.exe 修改文件 C:\WINDOWS\Debug\UserMode\userenv.log 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:38 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建新进程 c:\documents and settings\administrator\local settings\temp\v8._85416_20150820204011.exe 允许 [应用程序]* 命令行: V8._85416_20150820204011.exe
2015-9-26 17:36:38 c:\documents and settings\administrator\local settings\temp\v8._85416_20150820204011.exe 从其他进程复制句柄 c:\windows\explorer.exe 阻止 [应用程序]* 句柄: (Mutant) 0x0000006C
2015-9-26 17:36:38 c:\documents and settings\administrator\local settings\temp\v8._85416_20150820204011.exe 从其他进程复制句柄 c:\windows\explorer.exe 阻止 [应用程序]* 句柄: (Key) \REGISTRY\USER\S-1-5-21-1343024091-1383384898-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
2015-9-26 17:36:40 c:\documents and settings\administrator\local settings\temp\v8._85416_20150820204011.exe 创建文件夹 C:\Documents and Settings\Administrator\Application Data\Tencent\QQBrowser 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:40 c:\documents and settings\administrator\local settings\temp\v8._85416_20150820204011.exe 创建文件夹 C:\Program Files\Tencent\QQBrowser 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:43 c:\documents and settings\administrator\local settings\temp\v8._85416_20150820204011.exe 创建新进程 c:\documents and settings\administrator\local settings\temp\12aue0655\bin\qqbrowser.exe 允许 [应用程序]* 命令行: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12aue0655\bin\QQBrowser.exe" -module=Assistant.dll -installreport -name=QQBrowser_Setup_Hk_85416_3638.exe -parent=fulfejlajfdg.exe -occupy= -occupyparent= -method=3 -result=9 -type=1 -changedir=0 -fstartup=1 -deskicon=1 -de
2015-9-26 17:36:43 c:\documents and settings\administrator\local settings\temp\12aue0655\bin\qqbrowser.exe 创建文件夹 C:\Documents and Settings\Administrator\Application Data\Tencent\QQBrowser 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:43 c:\documents and settings\administrator\local settings\temp\12aue0655\bin\qqbrowser.exe 修改文件 C:\WINDOWS\Debug\UserMode\userenv.log 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:45 c:\documents and settings\administrator\local settings\temp\12aue0655\bin\qqbrowser.exe 访问网络 TCP [本机 : 2260] ->  [180.153.218.12 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:36:50 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2283] ->  [219.238.235.122 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:36:55 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建新进程 c:\documents and settings\administrator\local settings\temp\uni1248517c.exe 允许 [应用程序]* 命令行: uni1248517c.exe
2015-9-26 17:36:57 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2286] ->  [180.149.135.224 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:36:57 c:\documents and settings\administrator\local settings\temp\uni1248517c.exe 修改文件 C:\WINDOWS\Debug\UserMode\userenv.log 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:36:58 c:\documents and settings\administrator\local settings\temp\uni1248517c.exe 访问网络 TCP [本机 : 2287] ->  [211.103.159.73 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:36:59 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2288] ->  [42.81.12.126 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:01 c:\documents and settings\administrator\local settings\temp\uni1248517c.exe 底层磁盘写操作 \Device\Ide\IdePort0 阻止并结束进程 [应用程序]*
2015-9-26 17:37:15 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建新进程 (4) c:\windows\system32\cmd.exe 阻止 [应用程序]* -> [子应用程序]『禁运』黑名单命令行: C:\WINDOWS\system32\cmd.exe /C copy /b "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe" + "C:\WINDOWS\Fonts\verdana.ttf" "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KeLe2014Beta3.6.2Promote0714_20090195130.exe"
2015-9-26 17:37:17 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建新进程 c:\documents and settings\administrator\local settings\temp\kele2014beta3.6.2promote0714_20090195130.exe 允许 [应用程序]* 命令行: KeLe2014Beta3.6.2Promote0714_20090195130.exe
2015-9-26 17:37:18 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建文件 C:\Documents and Settings\Administrator\桌面\Intenret Explorer.lnk 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:37:20 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2293] ->  [180.149.135.224 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:21 c:\documents and settings\administrator\local settings\temp\kele2014beta3.6.2promote0714_20090195130.exe 创建新进程 c:\documents and settings\administrator\local settings\temp\nsg5b.tmp\ggexit.exe 允许 [应用程序]* 命令行: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5B.tmp\GGExit.exe" 5
2015-9-26 17:37:22 c:\documents and settings\administrator\local settings\temp\kele2014beta3.6.2promote0714_20090195130.exe 创建文件夹 C:\Program Files\Kele55 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:37:24 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建新进程 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 允许 [应用程序]* 命令行: kinst_1_451.exe /S
2015-9-26 17:37:24 c:\documents and settings\administrator\local settings\temp\kele2014beta3.6.2promote0714_20090195130.exe 创建文件夹 C:\Documents and Settings\Administrator\Application Data\Kele55 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:37:24 c:\documents and settings\administrator\local settings\temp\kele2014beta3.6.2promote0714_20090195130.exe 创建文件夹 C:\Documents and Settings\Administrator\「开始」菜单\程序\可乐视频社区阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:37:24 c:\documents and settings\administrator\local settings\temp\kele2014beta3.6.2promote0714_20090195130.exe 创建文件 C:\Documents and Settings\Administrator\桌面\可乐视频社区.lnk 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:37:24 c:\documents and settings\administrator\local settings\temp\kele2014beta3.6.2promote0714_20090195130.exe 创建文件夹 C:\Program Files\Kele55 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:37:24 c:\documents and settings\administrator\local settings\temp\kele2014beta3.6.2promote0714_20090195130.exe 从其他进程复制句柄 c:\windows\explorer.exe 阻止 [应用程序]* 句柄: (Key) \REGISTRY\USER\S-1-5-21-1343024091-1383384898-1801674531-500_CLASSES
2015-9-26 17:37:24 c:\documents and settings\administrator\local settings\temp\kele2014beta3.6.2promote0714_20090195130.exe 从其他进程复制句柄 c:\windows\explorer.exe 阻止 [应用程序]* 句柄: (Semaphore) \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
2015-9-26 17:37:27 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2364] ->  [42.81.12.126 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:27 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 创建注册表项 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E} 阻止 [注册表组]重要设置 -> [注册表]*\Software\Classes\CLSID\*
2015-9-26 17:37:27 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 创建注册表项 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278} 阻止 [注册表组]重要设置 -> [注册表]*\Software\Classes\CLSID\*
2015-9-26 17:37:27 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 修改文件 C:\WINDOWS\system32\wbem\Logs\wbemprox.log 阻止 [文件组]只读磁盘 -> [文件]c:\*
2015-9-26 17:37:27 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 创建注册表项 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E} 阻止 [注册表组]重要设置 -> [注册表]*\Software\Classes\CLSID\*
2015-9-26 17:37:27 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 创建注册表项 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278} 阻止 [注册表组]重要设置 -> [注册表]*\Software\Classes\CLSID\*
2015-9-26 17:37:28 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 访问网络 TCP [本机 : 2365] ->  [221.228.204.20 : 80 (http)] 允许 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:34 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 访问网络 TCP [本机 : 2371] ->  [119.147.146.84 : 80 (http)] 阻止 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:35 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建新进程 c:\documents and settings\administrator\local settings\temp\b5t_cl15242.exe 阻止 [应用程序]* 命令行: b5t_cl15242.exe
2015-9-26 17:37:36 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 访问网络 TCP [本机 : 2390] ->  [116.211.85.76 : 80 (http)] 阻止 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:37 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2391] ->  [180.149.135.224 : 80 (http)] 阻止 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:38 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 访问网络 TCP [本机 : 2392] ->  [116.211.83.31 : 80 (http)] 阻止 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:38 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 创建新进程 (5) c:\windows\system32\cmd.exe 阻止 [应用程序]* -> [子应用程序]『禁运』黑名单命令行: C:\WINDOWS\system32\cmd.exe /C copy /b "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tribute.exe" + "C:\WINDOWS\Fonts\verdana.ttf" "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tribute.exe"
2015-9-26 17:37:38 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2393] ->  [101.227.143.40 : 80 (http)] 阻止 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:39 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 访问网络 TCP [本机 : 2395] ->  [221.228.204.20 : 80 (http)] 阻止 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:39 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2401] ->  [101.227.143.33 : 80 (http)] 阻止 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:41 c:\documents and settings\administrator\local settings\temp\kinst_1_451.exe 访问网络 TCP [本机 : 2402] ->  [119.147.146.84 : 80 (http)] 阻止并结束进程 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]
2015-9-26 17:37:43 c:\documents and settings\administrator\桌面\fulfejlajfdg.exe 访问网络 TCP [本机 : 2408] ->  [101.227.143.47 : 80 (http)] 阻止并结束进程 [网络]TCP [本机 : 任意端口] -> [任意地址 : 80]

下了一点大BD才拦截

显示全部楼层 · 发表于 2015-9-26 20:35:48

3801187 发表于 2015-9-26 17:41
2015-9-26 17:35:53 c:\windows\explorer.exe 创建新进程 c:\documents and settings\administrator\桌面\f ...

请问，上面的日志内容是怎么调出来的呢？

显示全部楼层 · 发表于 2015-9-26 21:15:33

ericdj 发表于 2015-9-26 20:35
请问，上面的日志内容是怎么调出来的呢？

知道MD么

[可疑文件] 流氓系列 fulfejlajfdg.exe

本帖子中包含更多资源