Factuu.exe（又一勒索）

显示全部楼层 · 发表于 2016-9-2 21:25:06

本帖最后由 ELOHIM 于 2016-9-2 21:30 编辑

SEP：扫描双不报。
WD：双Trojan: Win32/Zulsuhal.E!cl

显示全部楼层 · 发表于 2016-9-2 21:41:48

Avira
The pattern of 'TR/AD.AutoRun.doh [trojan]'
detected in file 'C:\Users\User\Downloads\scvhost.exe.
The pattern of 'TR/AD.AutoRun.doh [trojan]'
detected in file 'C:\Users\User\Downloads\Factuu.exe.

显示全部楼层 · 发表于 2016-9-2 22:47:37

gdata 扫描miss,用sandboxie打开主防拦截
AVA 25.8116
GD 25.7633

*** Process ***

Process: 10088
File name: rundll32.exe
Path: c:\windows\syswow64\rundll32.exe

Publisher: Microsoft Windows
Creation date: 05/14/16 13:26:58
Modification date: 10/29/14 01:40:50

Started by: xappllv.dll
Publisher: ShenZhen Thunder Networking Technologies Ltd.

*** Actions ***

The program has executed actions in the name of another program.
The program establishes a network connection.
An unknown process was accessed.
The program can be used to execute any program code.
The program can be used to execute any program code.

*** Quarantine ***

The following files were moved into quarantine:
c:\sandbox\琪\virus\user\all\thunder network\downloadlib\pub_store.dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\counters.dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\anu93dhm\index_v2.1[1].dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\anu93dhm\smartindex_v1.1[1].dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\nnfn3mh1\gcollecttask_v1.2[1].dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\s8d8frp9\tasklist_v2.1[1].dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\zcjh0z4e\preresindex_v1.1[1].dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\2039\dcp6abf.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\2277\dcp6ad0.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\dcp6aae.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\dcp6abe.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\dcp6ae1.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\temp\index_v2.1.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\temp\tasklist_v2.1.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappcloud\cloudhistory_v1.1.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappcloud\cloudinfo.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappcloud\smartindex_v1.1.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappdc\gcollecttask.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappod\b1de1668_0f4d_47b2_8b18_3a32a1d69c6d_v1.2.od
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappres\preresindex_v1.1.dat

The following registry entries were deleted:

\registry\user\sandbox_琪_virus\user\current\software\microsoft\internet explorer\toolbar || locked
\registry\user\sandbox_琪_virus\user\current\software\microsoft\internet explorer\toolbar\shellbrowser || itbar7layout
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\explorer\ribbon || qatitems
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\ext\stats\004b0726-a010-4abf-8556-fcdb7f1fca1e\iexplore || count
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\ext\stats\004b0726-a010-4abf-8556-fcdb7f1fca1e\iexplore || time
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\ext\stats\004b0726-a010-4abf-8556-fcdb7f1fca1e\iexplore || type
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\ext\stats\d0498e0a-45b7-42ae-a9aa-aba463dbd3bf\iexplore || count
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\ext\stats\d0498e0a-45b7-42ae-a9aa-aba463dbd3bf\iexplore || time
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\ext\stats\d0498e0a-45b7-42ae-a9aa-aba463dbd3bf\iexplore || type
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\internet settings\connections || savedlegacysettings
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\internet settings || proxyserver
\registry\user\sandbox_琪_virus\user\current_classes\local settings\software\microsoft\windows\shell\bagmru || mrulistex
\registry\user\sandbox_琪_virus\user\current_classes\local settings\software\microsoft\windows\shell\bagmru || nodeslots
\registry\user\sandbox_琪_virus\user\current_classes\local settings\software\microsoft\windows\shell\bags\1305\shell || sniffedfoldertype

YGLRvuILKycnJiYnBywnKCcoJgYuJycnJyYGp0InJ3RyYmJwKycnJycmBqhycnJyYmKAKycnJycmBvhycgu5YtG+wgjpcvJycnLioCknJycnJgaqcqKgLCctJycnDNpywnLCYmLAKif4cnIsJ5fQKCcqJycnCb1ygmJicoLQLicnJiYnB49ygi4n6GJicKdycnDYcnJycmJicNlycnJyYmJwurJxWGOmcrJxWGOmcmJicNpykmJicpJw6nJyCbctJycnJyYGty8nh3LCcsJw7HJyYmJycnD8cnIoJyonDucoJ2dw7nKigJZy8gAA
Rules version: 5.0.118
OS: Windows 6.3 Service Pack 0.0 Build: 9600 - Workstation 64bit OS
dll version: 63860

RunDll32.exe "C:\Users\Public\Thunder Network\KanKan\Pusher\xappdisp.2.0.0.90.dll",NewTipsMain /src:explorer64
MD5: 8BFE805555CDAF6387912A34D7978DAA
"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Public\Thunder Network\KanKan\Pusher\xappllv.dll",RunDllWithFix xappdisp.dll,NewTipsMain /src:explorer64
MD5:

显示全部楼层 · 发表于 2016-9-2 22:49:33

zq19861019 发表于 2016-9-2 22:47
gdata 扫描miss,用sandboxie打开主防拦截
AVA 25.8116
GD 25.7633

你现在用的是英文版还是中文的？

显示全部楼层 · 发表于 2016-9-2 22:50:45

杀软神马发表于 2016-9-2 22:49
你现在用的是英文版还是中文的？

英文啊

显示全部楼层 · 发表于 2016-9-2 22:53:58

zq19861019 发表于 2016-9-2 22:50
英文啊

中文还停留在 25.09吗？

显示全部楼层 · 发表于 2016-9-2 23:30:20

杀软神马发表于 2016-9-2 22:53
中文还停留在 25.09吗？

是的，我这里是25.2.0.2

显示全部楼层 · 发表于 2016-9-3 00:22:52

3801187 发表于 2016-9-2 18:45

请问中文版本何处能得到？

显示全部楼层 · 发表于 2016-9-3 02:59:34

BD扫描不报，实机作死双击ATC拦截

显示全部楼层 · 发表于 2016-9-3 03:02:03

linzh 发表于 2016-9-3 02:59
BD扫描不报，实机作死双击ATC拦截

万物杀怎会放过区区勒索小流氓

[病毒样本] Factuu.exe（又一勒索）

本帖子中包含更多资源

浏览过的版块