alisafe.exe大家看看是误报么？

显示全部楼层 · 发表于 2009-10-22 11:31:34

VirSCAN.org Scanned Report :
Scanned time : 2009/10/22 11:10:41 (CST)
Scanner results: 5%的杀软(2/37)报告发现病毒
File Name    : AliSafe.exe
File Size    : 1168728 byte
File Type    : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5          : aa629f628d126666bc1e0f00dce71f3a
SHA1          : ee330d06bdc955c22225de9f096147950d1f55fa
Online report  : http://virscan.org/report/4fa0b9ed9fadc2e310955053182759b6.html

Scanner       Engine Ver    Sig Ver          Sig Date Time Scan result
a-squared    4.5.0.8       20091022000136 2009-10-22  8.54 -
安博士V3    2009.10.21.00 2009.10.21       2009-10-21  0.93 -
AntiVir       8.2.1.42       7.1.6.134       2009-10-21  0.24 HEUR/Crypted
安天          2.0.18       20091021.3035331  2009-10-21  0.12 -
Arcavir       2009          200910201017    2009-10-20  0.09 -
Authentium    5.1.1          200910211735    2009-10-21  2.09 -
AVAST!       4.7.4          091021-0       2009-10-21  0.13 -
AVG          8.5.288       270.14.25/2450 2009-10-22  1.78 -
BitDefender 7.81008.4438635 7.28480          2009-10-22  3.92 -
CA (VET)    9.0.0.143    35.1.7077       2009-10-22  7.56 -
ClamAV       0.95.2       9920             2009-10-21  0.00 -
Comodo       3.12          2685             2009-10-22  5.73 -
CP Secure    1.3.0.5       2009.10.21       2009-10-21  0.37 -
Dr.Web       4.44.0.9170    2009.10.21       2009-10-21  5.93 -
F-Prot       4.4.4.56       20091021       2009-10-21  1.87 -
F-Secure    7.02.73807    2009.10.22.02    2009-10-22  13.01  -
飞塔          2.81-3.120    10.972          2009-10-21  0.26 -
GData       19.8520/19.518  20091022       2009-10-22  5.55 -
ViRobot       20091021       2009.10.21       2009-10-21  0.41 -
Ikarus       T3.1.01.72    2009.10.22.74224  2009-10-22  4.21 Backdoor.Win32.Hupigon
江民杀毒    11.0.800       2009.10.20       2009-10-20  3.79 -
卡巴斯基    5.5.10       2009.10.22       2009-10-22  0.17 -
金山毒霸    2009.2.5.15    2009.10.21.16    2009-10-21  0.52 -
迈克菲       5.3.00       5778             2009-10-21  11.71  -
Microsoft    1.5101       2009.10.21       2009-10-21  8.50 -
Norman       6.01.09       6.01.00          2009-10-21  4.00 -
熊猫卫士    9.05.01       2009.10.20       2009-10-20  0.62 -
趋势科技    8.700-1004    6.568.01       2009-10-21  0.07 -
Quick Heal    10.00          2009.10.21       2009-10-21  1.81 -
瑞星          20.0          21.52.30.00    2009-10-22  0.96 -
Sophos       3.00.1       4.46             2009-10-22  2.69 -
Sunbelt       5462          5462             2009-10-21  2.10 -
赛门铁克    1.3.0.24       20091021.002    2009-10-21  0.21 -
nProtect    20091021.02    5952698          2009-10-21  7.97 -
The Hacker    6.5.0.2       v00050          2009-10-21  0.88 -
VBA32       3.12.10.11    20091021.1834    2009-10-21  2.20 -
VirusBuster 4.5.11.10    10.112.75/2012369 2009-10-21  2.86 -

virus total

File AliSafe.exe received on 2009.10.22 03:21:28 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 3/41 (7.32%)

Loading server information...
Your file is queued in position: 4.
Estimated start time is between 70 and 100 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.

Compact
Print results

Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position:
) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus	Version	Last Update	Result
a-squared	4.5.0.41	2009.10.22	-
AhnLab-V3	5.0.0.2	2009.10.21	-
AntiVir	7.9.1.42	2009.10.21	HEUR/Crypted
Antiy-AVL	2.0.3.7	2009.10.21	-
Authentium	5.1.2.4	2009.10.21	-
Avast	4.8.1351.0	2009.10.21	-
AVG	8.5.0.420	2009.10.21	-
BitDefender	7.2	2009.10.22	-
CAT-QuickHeal	10.00	2009.10.21	-
ClamAV	0.94.1	2009.10.22	-
Comodo	2685	2009.10.22	-
DrWeb	5.0.0.12182	2009.10.22	-
eSafe	7.0.17.0	2009.10.21	-
eTrust-Vet	35.1.7078	2009.10.21	-
F-Prot	4.5.1.85	2009.10.21	-
F-Secure	9.0.15300.0	2009.10.20	-
Fortinet	3.120.0.0	2009.10.22	-
GData	19	2009.10.22	-
Ikarus	T3.1.1.72.0	2009.10.22	Backdoor.Win32.Hupigon
Jiangmin	11.0.800	2009.10.21	-
K7AntiVirus	7.10.876	2009.10.21	-
Kaspersky	7.0.0.125	2009.10.22	-
McAfee	5778	2009.10.21	-
McAfee+Artemis	5778	2009.10.21	-
McAfee-GW-Edition	6.8.5	2009.10.22	Heuristic.Crypted
Microsoft	1.5101	2009.10.21	-
NOD32	4530	2009.10.21	-
Norman	6.03.02	2009.10.21	-
nProtect	2009.1.8.0	2009.10.21	-
Panda	10.0.2.2	2009.10.21	-
PCTools	4.4.2.0	2009.10.19	-
Prevx	3.0	2009.10.22	-
Rising	21.52.30.00	2009.10.22	-
Sophos	4.46.0	2009.10.22	-
Sunbelt	3.2.1858.2	2009.10.22	-
Symantec	1.4.4.12	2009.10.22	-
TheHacker	6.5.0.2.050	2009.10.22	-
TrendMicro	8.950.0.1094	2009.10.21	-
VBA32	3.12.10.11	2009.10.22	-
ViRobot	2009.10.21.1999	2009.10.21	-
VirusBuster	4.6.5.0	2009.10.21	-

Additional information

File size: 1168728 bytes

MD5...: aa629f628d126666bc1e0f00dce71f3a

SHA1..: ee330d06bdc955c22225de9f096147950d1f55fa

SHA256: d8b69b2e0fe59f5007dd6608be9c518008f36ecdeafea3509ecf42a3f5324843

ssdeep: 12288:mX0CBw45i6YZ46cLOy+EFVfXZ7c7iivbNyGeA:mkCBN5i6YZHcLBDFVy7d
vbNyGeA

PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xee243
timedatestamp.....: 0x4aaf515f (Tue Sep 15 08:33:35 2009)
machinetype.......: 0x14c (I386)

( 11 sections )
name       viradd virsiz rawdsiz  ntrpy  md5
.text    0x1000 0x29460    0x0 0.00  d41d8cd98f00b204e9800998ecf8427e
.rdata    0x2b000 0x80a2    0x0 0.00  d41d8cd98f00b204e9800998ecf8427e
.data    0x34000 0x73ca4    0x0 0.00  d41d8cd98f00b204e9800998ecf8427e
.vmp0    0xa8000 0x8fa5    0x0 0.00  d41d8cd98f00b204e9800998ecf8427e
.reloc    0xb1000    0x210    0x0 0.00  d41d8cd98f00b204e9800998ecf8427e
.text1    0xb2000 0x50000 0x42000 6.38  9528e5c7bc9d2255669255ebe1b99644
.adata 0x102000 0x10000 0xd000 0.00  938d6d97628275a512e07c66be5ccecf
.data1 0x112000 0x10000 0xa000 3.04  e6a5f51ec2f3637f359d606e3b00dbf1
.reloc1 0x122000 0x10000 0x4000 6.22  1fb327fe0414d43a618d2a3aa3057ea5
.pdata 0x132000 0x50000 0x4e000 8.00  bc06e9c7836d1f248a2e483179f5be04
.rsrc    0x182000 0x70000 0x70000 5.14  01553a7780d3f7b15210eb2243a4bbdf

( 3 imports )
>KERNEL32.dll: GlobalUnlock, GlobalLock, GlobalAlloc, GetTickCount,WideCharToMultiByte, IsBadReadPtr, GlobalAddAtomA, GlobalAddAtomW,GetModuleHandleA, GlobalFree, GlobalGetAtomNameA, GlobalDeleteAtom,GlobalGetAtomNameW, FreeConsole, GetEnvironmentVariableA,VirtualProtect, VirtualAlloc, GetProcAddress, GetLastError,LoadLibraryA, SetLastError, SetThreadPriority, GetCurrentThread,CreateProcessA, GetCommandLineA, GetStartupInfoA,SetEnvironmentVariableA, ReleaseMutex, WaitForSingleObject,CreateMutexA, OpenMutexA, GetCurrentThreadId, CloseHandle, ReadFile,GetFileSize, CreateFileA, FindClose, FindFirstFileA, FindFirstFileW,VirtualQueryEx, GetExitCodeProcess, ReadProcessMemory,ContinueDebugEvent, SetThreadContext, GetThreadContext,WaitForDebugEvent, SuspendThread, CreateThread, ResumeThread,CreateProcessW, GetCommandLineW, GetStartupInfoW, MapViewOfFile,DuplicateHandle, GetCurrentProcess, CreateFileMappingA,VirtualProtectEx, WriteProcessMemory, ExitProcess, CompareStringA,FlushFileBuffers, LCMapStringW, LCMapStringA, SetStdHandle, GetOEMCP,GetACP, GetCPInfo, GetStringTypeW, GetStringTypeA, CompareStringW,MultiByteToWideChar, SetFilePointer, HeapReAlloc, WriteFile,VirtualFree, HeapCreate, HeapDestroy, GetFileType, GetStdHandle,SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings,FreeEnvironmentStringsW, FreeEnvironmentStringsA,UnhandledExceptionFilter, HeapFree, HeapAlloc, GetVersion,GetLocalTime, GetSystemTime, GetTimeZoneInformation, RtlUnwind,TerminateProcess, Sleep, EnterCriticalSection, LeaveCriticalSection,GetVersionExA, InitializeCriticalSection, GetCurrentProcessId,GetModuleFileNameW, GetShortPathNameW, GetModuleFileNameA,DebugActiveProcess, GetShortPathNameA
> USER32.dll:GetDesktopWindow, MoveWindow, SetPropA, EnumThreadWindows, GetPropA,GetMessageA, BeginPaint, EndPaint, KillTimer, GetAsyncKeyState,GetSystemMetrics, SetTimer, SetWindowTextA, GetDlgItem,CreateDialogIndirectParamA, ShowWindow, UpdateWindow, LoadStringA,LoadStringW, FindWindowA, WaitForInputIdle, DestroyWindow, MessageBoxA,InSendMessage, UnpackDDElParam, FreeDDElParam, DefWindowProcA,LoadCursorA, RegisterClassW, CreateWindowExW, RegisterClassA,CreateWindowExA, GetWindowThreadProcessId, SendMessageA, PeekMessageA,TranslateMessage, DispatchMessageA, EnumWindows, IsWindowUnicode,PackDDElParam, PostMessageW, PostMessageA, IsWindow, SendMessageW
>GDI32.dll: DeleteDC, RealizePalette, SelectPalette, CreateDCA,CreatePalette, DeleteObject, BitBlt, SelectObject, CreateCompatibleDC,CreateDIBitmap

( 0 exports )

RDS...: NSRL Reference Data Set
-

trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

pdfid.: -

packers (Kaspersky): Armadillo

sigcheck:
publisher....: n/a
copyright....: Copyright 2009
product......: HostsCheck Module
description..: HostsCheck Module
original name: HostsCheck.exe
internal name: HostsCheck
file version.: 1, 0, 0, 1
comments.....: n/a
signers......: Alisoft(Shanghai) Co., Ltd.
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 6:32 AM 9/22/2009
verified.....: -

显示全部楼层 · 发表于 2009-10-22 11:49:50

注册表写入
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\Implemented Categories
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\Implemented Categories\{C501EDBE-9E70-11D1-9053-00C04FD9189D}
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\InprocServer32
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\ProgID
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\Programmable
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\ToolBoxBitmap32
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\VersionIndependentProgID
LM\Software\Microsoft\RFC1156Agent
LM\Software\Microsoft\RFC1156Agent\CurrentVersion
LM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters
注册表键值更改
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\ REG_SZ 22 "RandomBars"
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\InprocServer32\ REG_SZ 64 "C:\WINDOWS\system32\dxtmsft.dll"
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\InprocServer32\ThreadingModel REG_SZ 10 "Both"
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\ProgID\ REG_SZ 80 "DXImageTransform.Microsoft.RandomBars.1"
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\ToolBoxBitmap32\ REG_SZ 72 "C:\WINDOWS\system32\dxtmsft.dll,235"
LM\Software\Classes\ClsId\{04EF64E2-CFC2-86A5-0B76-4503AE5EEE94}\VersionIndependentProgID\ REG_SZ 76 "DXImageTransform.Microsoft.RandomBars"
LM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs REG_DWORD 4 0x3a98
开启线程
0x348 svchost.exe 0xf8 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
创建事件
0x67c C:\TEST\sample.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
评定:可疑程序,更像一个工具条.

[ 本帖最后由 coldwinter 于 2009-10-22 11:51 编辑 ]

显示全部楼层 · 发表于 2009-10-22 12:51:58

Avira AntiVir
AliSafe.rar
  [0] Archive type: RAR
--> AliSafe.exe
   [DETECTION] Contains HEUR/Crypted suspicious code
[NOTE]    A backup was created as '4b006dd4.qua'  ( QUARANTINE )
[NOTE]    The file was deleted!

显示全部楼层 · 发表于 2009-10-22 22:11:52

McAfee 报了可疑月神。。

显示全部楼层 · 发表于 2009-10-22 22:45:44

To KL

显示全部楼层 · 发表于 2009-10-23 23:38:18

AliSafe.exe_

以上文件不包含恶意代码。

显示全部楼层 · 发表于 2009-10-24 00:48:31

用图说话

[误报文件] alisafe.exe大家看看是误报么？

本帖子中包含更多资源

本帖子中包含更多资源