强势回归：nsf63tmp.exe[MD5: E57DB6]--(6/42)

显示全部楼层 · 发表于 2010-8-8 11:31:33

deepguard拦截.

显示全部楼层 · 发表于 2010-8-8 11:40:01

2010-8-8 11:35:15 创建新进程允许
进程: c:\windows\explorer.exe
目标: c:\documents and settings\owner\my documents\nsf63tmp.exe
命令行: "C:\Documents and Settings\Owner\My Documents\nsf63tmp.exe"
规则: [应用程序]c:\windows\explorer.exe

2010-8-8 11:35:18 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nsn17.tmp
规则: [文件]*

2010-8-8 11:35:20 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nsw18.tmp
规则: [文件]*

2010-8-8 11:35:21 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nsd19.tmp
规则: [文件]*

2010-8-8 11:35:22 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nsu1A.tmp
规则: [文件]*

2010-8-8 11:35:24 创建文件夹允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\WINDOWS\system32\nsu1Atmp
规则: [文件]*

2010-8-8 11:35:26 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nse1B.tmp
规则: [文件]*

2010-8-8 11:35:27 创建文件夹允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nse1B.tmp
规则: [文件]*

2010-8-8 11:35:28 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nse1B.tmp\System.dll
规则: [文件组]所有执行文件 -> [文件]*; *.dll

2010-8-8 11:35:30 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\WINDOWS\system32\nsu1Atmp\nsw18tmp.exe
规则: [文件组]系统执行文件 -> [文件]c:\windows\*; *.exe

2010-8-8 11:35:34 修改注册表值阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
值: \??\C:\WINDOWS\system32\nsu1Atmp !\??\C:\WINDOWS\system32\nsd19tmp
规则: [注册表组]自动运行程序所在位置 -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; PendingFileRenameOperations

2010-8-8 11:35:36 创建文件夹允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp
规则: [文件]*

2010-8-8 11:35:37 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\tb.gif
规则: [文件]*

2010-8-8 11:35:39 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\xyx.pat
规则: [文件]*

2010-8-8 11:35:41 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\ie.pat
规则: [文件]*

2010-8-8 11:35:42 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\tt.pat
规则: [文件]*

2010-8-8 11:35:44 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\ff.pat
规则: [文件]*

2010-8-8 11:35:45 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\360se.pat
规则: [文件]*

2010-8-8 11:35:47 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\sg.pat
规则: [文件]*

2010-8-8 11:35:50 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\jia.reg
规则: [文件]*

2010-8-8 11:35:52 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\safeme.js
规则: [文件组]所有执行文件 -> [文件]*; *.js

2010-8-8 11:35:53 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\rang.vbs
规则: [文件组]所有执行文件 -> [文件]*; *.vbs

2010-8-8 11:35:55 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nse1B.tmp\VPatch.dll
规则: [文件组]所有执行文件 -> [文件]*; *.dll

2010-8-8 11:35:57 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\xyx.gif
规则: [文件]*

2010-8-8 11:35:59 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\ie.gif
规则: [文件]*

2010-8-8 11:36:01 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\tt.gif
规则: [文件]*

2010-8-8 11:36:03 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\ff.gif
规则: [文件]*

2010-8-8 11:36:04 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\360se.gif
规则: [文件]*

2010-8-8 11:36:06 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\sg.gif
规则: [文件]*

2010-8-8 11:36:08 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\safelog.js
规则: [文件]?:\

2010-8-8 11:36:11 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\链接\88yy在线小游戏.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:14 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\链接\艾迪深度搜索.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:16 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\链接\十一街单机游戏.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:17 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\链接\淘宝特卖.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:18 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\链接\团购_秒杀网.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:19 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\链接\在线言情小说阅读.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:20 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\88yy在线小游戏.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:21 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\艾迪深度搜索.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:22 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\十一街单机游戏.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:23 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\淘宝特卖.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:24 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\团购_秒杀网.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:25 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Favorites\在线言情小说阅读.url
规则: [文件组]临时目录 -> [文件]*; *.url

2010-8-8 11:36:27 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nse1B.tmp\ShellLink.dll
规则: [文件组]所有执行文件 -> [文件]*; *.dll

2010-8-8 11:36:34 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\All Users\桌面\Mozilla Firefox.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2010-8-8 11:36:38 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2010-8-8 11:36:40 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2010-8-8 11:36:48 修改注册表值阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
值: 0x00000001(1)
规则: [注册表组]系统设置 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\*

2010-8-8 11:36:54 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\All Users\桌面\网上淘宝.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2010-8-8 11:36:57 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\All Users\桌面\在线小游戏.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2010-8-8 11:37:00 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nse1B.tmp\nsExec.dll
规则: [文件组]所有执行文件 -> [文件]*; *.dll

2010-8-8 11:37:02 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nse1B.tmp\ns1C.tmp
规则: [文件]*

2010-8-8 11:37:07 创建新进程阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: c:\documents and settings\owner\local settings\temp\nse1b.tmp\ns1c.tmp
命令行: "C:\DOCUME~1\Owner\LOCALS~1\Temp\nse1B.tmp\ns1C.tmp" cmd.exe /c taskkill.exe /f /im zhudongfangyu.exe
规则: [应用程序]*

2010-8-8 11:37:11 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\All Users\桌面\IESafe.lnk
规则: [文件组]临时目录 -> [文件]*; *.lnk

2010-8-8 11:37:15 创建文件允许
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nse1B.tmp\ns1D.tmp
规则: [文件]*

2010-8-8 11:37:19 创建新进程阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: c:\documents and settings\owner\local settings\temp\nse1b.tmp\ns1d.tmp
命令行: "C:\DOCUME~1\Owner\LOCALS~1\Temp\nse1B.tmp\ns1D.tmp" cmd.exe /c wscript.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\Temp\safeme.js"
规则: [应用程序]*

2010-8-8 11:37:24 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\All Users\桌面\Internet Explorer.exe
规则: [文件组]所有执行文件 -> [文件]*; *.exe

2010-8-8 11:37:26 创建文件阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: C:\Documents and Settings\Owner\Local Settings\Temp\nse1B.tmp\ns1E.tmp
规则: [文件]*

2010-8-8 11:37:43 向其他进程发送消息阻止
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: c:\program files\mozilla firefox\firefox.exe
消息: WM_DDE_EXECUTE
规则: [应用程序]*

2010-8-8 11:37:58 创建新进程阻止并结束进程
进程: c:\documents and settings\owner\my documents\nsf63tmp.exe
目标: c:\windows\system32\cmd.exe
命令行: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 6 & del "C:\Documents and Settings\Owner\My Documents\nsf63tmp.exe"
规则: [应用程序]*

显示全部楼层 · 发表于 2010-8-8 11:40:35

to eset

显示全部楼层 · 发表于 2010-8-8 12:06:35

to mp

显示全部楼层 · 发表于 2010-8-8 12:16:25

回复 1楼 O(∩_∩)O哈哈~ 的帖子

上报赛门铁克

[病毒样本] 强势回归：nsf63tmp.exe[MD5: E57DB6]--(6/42)

浏览过的版块