感染系统文件的小马（流氓桌面图标病毒）

显示全部楼层 · 发表于 2011-3-25 19:47:19

本帖最后由小飞侠.net 于 2011-3-27 16:15 编辑

数字又被kill啦，进程被强行结束，如下图：

样本来源：
ht ~~~//www.suopao.org/read-htm-tid-553193.html
下载：
ht~~~//x5.suopao.org/sp/%B1%E4%C ... E2%B9%D2134151@.rar

文件名: D:\Beta\V2011BetaDoc0325\betadoc\003\变态超强外-挂134151@.rar
文件大小: 196502 字节 (191.90 KB)--占用CPU高，替换系统文件，Kill数字卫士7.7正式版的进程。时间机器旧版本又被穿了~~还原后无效，如图1！
修改日期: 2011-03-25 16:05
MD5: 54076a844218e30d2b5d9603c64ecd68
SHA1: 5049f68563e7f73c6d1eb3fe278936d52a0efad5
SHA256: 3f6d0f79884136dfe649d338ec2d89efca21105041c4534b388b16eaaef22ed0
CRC32: 54651f9b

还原后。。。

自我保护部分文件被删除。。。

显示全部楼层 · 发表于 2011-3-25 19:48:06

360wd safe
rising kill

显示全部楼层 · 发表于 2011-3-25 19:49:54

金山本地KILL

显示全部楼层 · 发表于 2011-3-25 19:57:59

2011-3-25 19:51:37 创建新进程允许
进程: c:\windows\explorer.exe
目标: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
命令行: "d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe"
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [子应用程序]d:\我的文档\*

2011-3-25 19:51:39 创建文件允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\p19.exe
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.exe

2011-3-25 19:51:39 修改文件阻止
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: \Device\NamedPipe\wkssvc
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [文件]\device\namedpipe\*

2011-3-25 19:51:40 修改注册表值阻止
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
值: d:\我的文档
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:51:41 修改注册表值阻止
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
值: C:\Documents and Settings\All Users\Documents
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:51:41 修改注册表值阻止
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
值: C:\Documents and Settings\Administrator\桌面
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:51:42 修改注册表值阻止
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
值: C:\Documents and Settings\All Users\桌面
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:51:43 修改注册表值阻止
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:51:43 修改注册表值阻止
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
值: C:\Documents and Settings\Administrator\Cookies
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:51:45 创建新进程允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: c:\documents and settings\administrator\local settings\temp\p19.exe
命令行: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p19.exe"
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [子应用程序]?:\documents and settings\*\local settings\temp\*

2011-3-25 19:51:46 创建文件允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\1300.exe
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.exe

2011-3-25 19:51:48 创建新进程允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: c:\documents and settings\administrator\local settings\temp\1300.exe
命令行: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1300.exe"
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [子应用程序]?:\documents and settings\*\local settings\temp\*

2011-3-25 19:51:49 创建文件允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\07.exe
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.exe

2011-3-25 19:51:50 创建文件允许
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\M8eUqQrQxFRDeit.exe
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.exe

2011-3-25 19:51:51 创建新进程允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: c:\documents and settings\administrator\local settings\temp\07.exe
命令行: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\07.exe"
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [子应用程序]?:\documents and settings\*\local settings\temp\*

2011-3-25 19:51:54 创建文件允许
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\M8eUqQrQxFRDeit.exe.bat
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.bat

2011-3-25 19:51:55 创建文件允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\0.15.exe
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.exe

2011-3-25 19:51:57 创建新进程允许
进程: c:\documents and settings\administrator\local settings\temp\07.exe
目标: c:\documents and settings\administrator\local settings\temp\07.exe
命令行: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\07.exe
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [子应用程序]?:\documents and settings\*\local settings\temp\*

2011-3-25 19:51:57 修改文件阻止
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: \Device\NamedPipe\wkssvc
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [文件]\device\namedpipe\*

2011-3-25 19:52:02 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:03 创建新进程允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: c:\documents and settings\administrator\local settings\temp\0.15.exe
命令行: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.15.exe"
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [子应用程序]?:\documents and settings\*\local settings\temp\*

2011-3-25 19:52:03 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\07.exe
目标: C:\277.txt
规则: [文件组]文件阻止及保护 -> [文件]?:\

2011-3-25 19:52:04 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
值: C:\Documents and Settings\Administrator\Cookies
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:06 创建文件允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\Loader_forqiqi_9179.exe
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.exe

2011-3-25 19:52:07 创建新进程阻止
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: c:\windows\system32\cmd.exe
命令行: cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\M8eUqQrQxFRDeit.exe.bat" "
规则: [应用程序组]系统程序 -> [应用程序]* -> [子应用程序]c:\windows\system32\cmd.exe

2011-3-25 19:52:08 创建新进程允许
进程: d:\我的文档\viurs test\变态超强外-挂134151@\变态超强外-挂1343.exe
目标: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
命令行: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Loader_forqiqi_9179.exe"
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [子应用程序]?:\documents and settings\*\local settings\temp\*

2011-3-25 19:52:09 创建文件允许
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\1300.exe.bat
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.bat

2011-3-25 19:52:10 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:11 创建文件允许
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\4336484.dll
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.dll

2011-3-25 19:52:12 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
值: d:\我的文档
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:14 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
值: C:\Documents and Settings\Administrator\Cookies
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:15 创建新进程阻止
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: c:\windows\system32\rundll32.exe
命令行: rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4336484.dll testall
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [子应用程序]c:\windows\*

2011-3-25 19:52:16 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
值: C:\Documents and Settings\All Users\Documents
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:17 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
值: C:\Documents and Settings\Administrator\Local Settings\History
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:18 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
值: C:\Documents and Settings\Administrator\桌面
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:19 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: C:\WINDOWS\system32\4343312.exe
规则: [文件组]系统核心目录Ⅰ -> [文件]c:\windows\*; *.exe

2011-3-25 19:52:19 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
值: C:\Documents and Settings\All Users\Application Data
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:19 修改文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: \Device\NamedPipe\ROUTER
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [文件]\device\namedpipe\*

2011-3-25 19:52:20 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
值: C:\Documents and Settings\All Users\桌面
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:20 修改文件阻止
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: \Device\NamedPipe\wkssvc
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [文件]\device\namedpipe\*

2011-3-25 19:52:20 修改文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: \Device\NamedPipe\ROUTER
规则: [应用程序组]威胁提示Ⅰ -> [应用程序]* -> [文件]\device\namedpipe\*

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: C:\WINDOWS\system32\drivers\pcidump.sys
规则: [文件组]系统核心目录Ⅰ -> [文件]c:\windows\system32\drivers\*

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[1].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[2].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[3].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[4].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[5].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[6].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[7].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[8].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[9].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[10].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179[11].exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MO.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3Y.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPE.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DA.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZN.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53V.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQ.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQ.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UD.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7W.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\PPTV(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28T.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\V(pplive)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESE.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\)_forqiqi_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\i_9179CAFUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TF.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\FUNEL5CAIBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWK.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\IBM0MOCAQU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\QU5W3YCARQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZP.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\RQWEZ8CAH95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\H95KPECAOUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOK.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\OUI9DACAMX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAM.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\MX2IZNCARLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLB.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\RLOMR0CAVDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3ML.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\VDA53VCADRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQ.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\DRIPTQCA2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7F.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\2CH5BQCADVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\DVD6UDCAMXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SY.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\MXCD7WCACXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SYCAP9R36G.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\CXEGE9CAK0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SYCAP9R36GCAH60U05.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\K0N28TCAM7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SYCAP9R36GCAH60U05CA1N8XT6.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\M7DESECACZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SYCAP9R36GCAH60U05CA1N8XT6CA6OA492.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\CZG4P0CAC3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SYCAP9R36GCAH60U05CA1N8XT6CA6OA492CAG8ZYDA.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\C3B7TFCAEK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SYCAP9R36GCAH60U05CA1N8XT6CA6OA492CAG8ZYDACA8K1WUN.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\EK0CWKCAP75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SYCAP9R36GCAH60U05CA1N8XT6CA6OA492CAG8ZYDACA8K1WUNCAPL87X8.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\P75HE7CA9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SYCAP9R36GCAH60U05CA1N8XT6CA6OA492CAG8ZYDACA8K1WUNCAPL87X8CAB2LV5K.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:21 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\loader_forqiqi_9179.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C22CKD2B\9MY6ZPCA7RVZC5CA881SOKCAB06QAMCAMT8ZLBCAXTJ3MLCA62PVDQCAO91E7FCADY9794CA8LH5SYCAP9R36GCAH60U05CA1N8XT6CA6OA492CAG8ZYDACA8K1WUNCAPL87X8CAB2LV5KCA5BFAT2.exe
规则: [文件组]IE Cache -> [文件]*\temporary internet files\*; *.exe

2011-3-25 19:52:22 创建新进程阻止
进程: c:\documents and settings\administrator\local settings\temp\1300.exe
目标: c:\windows\system32\cmd.exe
命令行: cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1300.exe.bat" "
规则: [应用程序组]系统程序 -> [应用程序]* -> [子应用程序]c:\windows\system32\cmd.exe

2011-3-25 19:52:22 修改注册表值阻止
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIDump\ImagePath
值: \??\C:\WINDOWS\system32\drivers\pcidump.sys
规则: [注册表组]系统服务 -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services\*; imagepath

2011-3-25 19:52:22 删除注册表项阻止
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIDump
规则: [注册表组]系统服务 -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services

2011-3-25 19:52:22 修改注册表值阻止
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIDump\ImagePath
值: \??\C:\WINDOWS\system32\drivers\pcidump.sys
规则: [注册表组]系统服务 -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services\*; imagepath

2011-3-25 19:52:22 删除注册表项阻止
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIDump
规则: [注册表组]系统服务 -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services

2011-3-25 19:52:33 修改文件允许
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\0.15.exe
规则: [文件组]Documents and Settings_阻止 -> [文件]?:\documents and settings\*; *.exe

2011-3-25 19:52:34 创建文件阻止
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: C:\WINDOWS\system32\scvhost.exe
规则: [文件组]系统核心目录Ⅰ -> [文件]c:\windows\*; *.exe

2011-3-25 19:52:37 创建文件允许
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: D:\我的文档\viurs test\变态超强外-挂134151@\kl78a.bat
规则: [文件组]Documents and Settings_阻止 -> [文件]d:\我的文档\*; *.bat

2011-3-25 19:52:38 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:39 修改注册表值阻止
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
值: C:\Documents and Settings\Administrator\Cookies
规则: [注册表组]资源管理器相关设置 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2011-3-25 19:52:40 创建新进程阻止
进程: c:\documents and settings\administrator\local settings\temp\0.15.exe
目标: c:\windows\system32\cmd.exe
命令行: cmd /c ""d:\我的文档\viurs test\变态超强外-挂134151@\kl78a.bat" "
规则: [应用程序组]系统程序 -> [应用程序]* -> [子应用程序]c:\windows\system32\cmd.exe

动作真多
..

显示全部楼层 · 发表于 2011-3-25 19:59:40

http://bbs.kafan.cn/forum-attach ... Q1fDUwMTI0OA==.html Win32/TrojanDropper.Agent.OJT 特洛伊木马连接中断 - 已隔离通过应用程序访问 web 时检测到威胁: C:\Program Files\Common Files\Thunder Network\tp\Ver1\1.1.2.58_1111\ThunderPlatform.exe.
http://bbs.kafan.cn/forum-attach ... Q1fDUwMTI0OA==.html > RAR > 变态超强外-挂1343.exe Win32/TrojanDropper.Agent.OJT 特洛伊木马

显示全部楼层 · 发表于 2011-3-25 20:02:21

ppy0606 发表于 2011-3-25 19:57
2011-3-25 19:51:37 创建新进程允许
进程: c:\windows\explorer.exe
目标: d:\我的文档\viurs tes ...

恩，一和外+挂有关的就有可能是盗号的。

显示全部楼层 · 发表于 2011-3-25 20:04:23

回复 6楼小飞侠.net 的帖子

很是DT啊...

还配个文档说关闭杀软

显示全部楼层 · 发表于 2011-3-25 20:11:56

微点报

显示全部楼层 · 发表于 2011-3-25 20:17:45

eset kill
C:\Users\微亿毫\Desktop\变态超强外-挂134151@.rar > RAR > 变态超强外-挂1343.exe - Win32/TrojanDropper.Agent.OJT 特洛伊木马

显示全部楼层 · 发表于 2011-3-25 20:26:40

2011-03-25 20:03:46 运行应用程序    操作:允许
进程路径:F:\virus\__134151@\变态超强外-挂1343.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\p19.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*

2011-03-25 20:03:47 运行应用程序    操作:允许
进程路径:F:\virus\__134151@\变态超强外-挂1343.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\1300.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*

2011-03-25 20:03:47 运行应用程序    操作:允许
进程路径:F:\virus\__134151@\变态超强外-挂1343.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\07.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*

2011-03-25 20:03:48 运行应用程序    操作:允许
进程路径:F:\virus\__134151@\变态超强外-挂1343.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\0.15.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*

2011-03-25 20:03:48 运行应用程序    操作:允许
进程路径:F:\virus\__134151@\变态超强外-挂1343.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\Loader_forqiqi_9179.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*

2011-03-25 20:03:49 创建注册表值    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\p19.exe
注册表路径:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
注册表名称:RunmeAtStartup
触发规则:所有程序规则->自动运行->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

2011-03-25 20:03:50 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\p19.exe
文件路径:C:\WINDOWS\system32\xvhost.sb
触发规则:应用程序规则->TEMP临时目录->*\Temp\*->%WinDir%\system32\*

2011-03-25 20:03:51 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\1300.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kkm5JM22PYbeH22.exe.bat" "
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe

2011-03-25 20:03:51 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*

2011-03-25 20:03:52 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\07.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\07.exe
触发规则:应用程序规则->TEMP临时目录->*\Temp\*->*\Temp\*.exe

2011-03-25 20:03:53 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\1300.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1300.exe.bat" "
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325
触发规则:应用程序规则->TEMP临时目录->*\Temp\*->%windir%\*

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\script.exe
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\script.vbs
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\reg.bat
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\regBHO.reg
触发规则:所有程序规则->白名单与黑名单->*\*.reg

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\XlKankan.dll
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\tao.ico
触发规则:应用程序规则->TEMP临时目录->*\Temp\*->%windir%\*

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\255TAuUST2KbF25q
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:03:53 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\255TAuUST2KbF25q\smss.exe
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:03:56 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\07.exe
文件路径:C:\WINDOWS\Medie\
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*\

2011-03-25 20:03:56 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\07.exe
文件路径:C:\WINDOWS\Medie\csrcs.exe
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:04:02 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\p19.exe
文件路径:C:\WINDOWS\system32\bhoajessc.exe
触发规则:应用程序规则->TEMP临时目录->*\Temp\*->%WinDir%\system32\*

2011-03-25 20:04:02 创建文件    操作:允许
进程路径:C:\WINDOWS\system32\bhoajessc.exe
文件路径:C:\WINDOWS\system32\killdll.dll
触发规则:所有程序规则->WINDOWS文件设置->%windir%\system32\*.dll

2011-03-25 20:04:02 运行应用程序    操作:阻止
进程路径:C:\WINDOWS\system32\bhoajessc.exe
文件路径:C:\WINDOWS\system32\rundll32.exe
命令行:C:\WINDOWS\system32\\killdll.dll killall
触发规则:所有程序规则->Rundll32设置->*\rundll32.exe

2011-03-25 20:04:09 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\script.exe.bat
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:04:10 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c ""C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\script.exe.bat" "
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe

2011-03-25 20:04:11 删除文件    操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\script.exe.bat
触发规则:应用程序规则->WINDOWS文件设置->%windir%\system32\cmd.exe->*\*.bat

2011-03-25 20:04:12 创建文件    操作:允许
进程路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\script.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\Script.vbs.bat
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:04:12 运行应用程序    操作:允许
进程路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\script.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c ""C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\Script.vbs.bat" "
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe

2011-03-25 20:04:13 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\bhoajessc.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temp\~Frm.exe
触发规则:所有程序规则->其它程序设置->*\Temp\*

2011-03-25 20:04:13 运行应用程序    操作:允许
进程路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\script.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c ""C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\reg.bat" "
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe

2011-03-25 20:04:15 创建注册表值    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\~Frm.exe
注册表路径:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
注册表名称:updater
触发规则:所有程序规则->自动运行->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

2011-03-25 20:04:16 删除文件    操作:阻止
进程路径:C:\WINDOWS\system32\bhoajessc.exe
文件路径:C:\WINDOWS\system32\killdll.dll
触发规则:所有程序规则->WINDOWS文件设置->%windir%\system32\*.dll

2011-03-25 20:04:16 创建文件    操作:允许
进程路径:C:\WINDOWS\system32\bhoajessc.exe
文件路径:C:\WINDOWS\system32\updater.exe
触发规则:所有程序规则->WINDOWS文件设置->%windir%\system32\*.exe

2011-03-25 20:04:17 创建文件    操作:允许
进程路径:C:\WINDOWS\system32\bhoajessc.exe
文件路径:C:\WINDOWS\system32\updater.exe
触发规则:所有程序规则->WINDOWS文件设置->%windir%\system32\*.exe

2011-03-25 20:04:17 创建文件    操作:允许
进程路径:C:\WINDOWS\system32\bhoajessc.exe
文件路径:C:\WINDOWS\system32\drivers\pcidump.sys
触发规则:所有程序规则->驱动文件保护设置->%WinDir%\system32\drivers\*.sys

2011-03-25 20:04:17 创建文件    操作:允许
进程路径:C:\WINDOWS\system32\xcopy.exe
文件路径:C:\WINDOWS\system32\XlKankan.dll
触发规则:所有程序规则->WINDOWS文件设置->%windir%\system32\*.dll

2011-03-25 20:04:17 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\WINDOWS\system32\wscript.exe
命令行:"C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\script.vbs"
触发规则:所有程序规则->系统程序设置->%windir%\system32\*script.exe

2011-03-25 20:04:17 删除文件    操作:阻止并结束进程
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\XlKankan.dll
触发规则:应用程序规则->WINDOWS文件设置->%windir%\system32\cmd.exe->%windir%\*

2011-03-25 20:04:17 删除文件    操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\WINDOWS\20110325\BJ8I58ov8CL58kgR\script\Script.vbs.bat
触发规则:应用程序规则->WINDOWS文件设置->%windir%\system32\cmd.exe->*\*.bat

2011-03-25 20:04:19 创建文件    操作:允许
进程路径:C:\WINDOWS\Medie\csrcs.exe
文件路径:C:\WINDOWS\Medir\
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*\

2011-03-25 20:04:20 创建文件    操作:阻止
进程路径:C:\WINDOWS\Medie\csrcs.exe
文件路径:C:\WINDOWS\Medir\13553238.pif
触发规则:所有程序规则->WINDOWS文件设置->%windir%\*.pif

2011-03-25 20:04:20 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\20110325\255TAuUST2KbF25q\smss.exe.bat
触发规则:所有程序规则->WINDOWS全局设置->%windir%\*

2011-03-25 20:04:21 创建文件    操作:阻止
进程路径:C:\WINDOWS\Medie\csrcs.exe
文件路径:C:\WINDOWS\Medir\13553909.pif
触发规则:所有程序规则->WINDOWS文件设置->%windir%\*.pif

2011-03-25 20:04:21 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c ""C:\WINDOWS\20110325\255TAuUST2KbF25q\smss.exe.bat" "
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe

2011-03-25 20:04:21 删除文件    操作:允许
进程路径:C:\WINDOWS\system32\cmd.exe
文件路径:C:\WINDOWS\20110325\255TAuUST2KbF25q\smss.exe.bat
触发规则:应用程序规则->WINDOWS文件设置->%windir%\system32\cmd.exe->*\*.bat

2011-03-25 20:04:25 访问服务管理器    操作:阻止
进程路径:C:\WINDOWS\system32\bhoajessc.exe
触发规则:应用程序规则->访问服务管理器->%windir%\*

2011-03-25 20:04:28 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\bhoajessc.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_undelme.bat
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe

2011-03-25 20:04:29 创建文件    操作:使用任务隔离区操作
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\Documents and Settings\All Users\桌面\Internet Explorer.tt
触发规则:所有程序规则->Documents and Settings设置（二）->*\Int*Exp*

2011-03-25 20:04:29 运行应用程序    操作:阻止
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\attrib.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" +r +s
触发规则:所有程序规则->系统程序设置->*\attrib.exe

2011-03-25 20:04:30 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" /e /c /r Administrators
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:30 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" /e /c Administrators:CI
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:31 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" /e /c /r Administrator
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:31 修改注册表内容    操作:阻止
进程路径:C:\WINDOWS\system32\wbem\wmiprvse.exe
注册表路径:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{748AF493-3CDF-43B5-BB7C-3C0015CB8258}
注册表名称:NameServer
更改后:119.84.84.11,61.128.128.68
触发规则:所有程序规则->网络保护->HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services\Tcpip\Parameters\Interfaces*

2011-03-25 20:04:31 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" /e /c /r users
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:32 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" /e /c /r system
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:33 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" /e /c /r everyone
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:33 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\kkm5JM22PYbeH22.exe
文件路径:C:\WINDOWS\system32\cmd.exe
命令行:/c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kkm5JM22PYbeH22.exe.bat" "
触发规则:所有程序规则->系统程序设置->%windir%\system32\cmd.exe

2011-03-25 20:04:34 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" /e /c /r user
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:35 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" /e /c /r "Power Users"
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:35 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\桌面\Internet Explorer.tt" /e /c /r "Administrator"
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:36 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\p19.exe
文件路径:C:\WINDOWS\system32\effbhblpc.exe
触发规则:应用程序规则->TEMP临时目录->*\Temp\*->%WinDir%\system32\*

2011-03-25 20:04:38 创建文件    操作:使用任务隔离区操作
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css
触发规则:所有程序规则->Documents and Settings设置（二）->*\Int*Exp*

2011-03-25 20:04:38 运行应用程序    操作:阻止
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\attrib.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" +r +s
触发规则:所有程序规则->系统程序设置->*\attrib.exe

2011-03-25 20:04:39 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" /e /c /r Administrators
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:39 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" /e /c Administrators:CI
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:40 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" /e /c /r Administrator
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:41 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" /e /c /r users
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:41 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" /e /c /r system
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:42 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" /e /c /r everyone
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:42 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" /e /c /r user
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:43 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" /e /c /r "Power Users"
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:44 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\All Users\「开始」菜单\程序\Internet Explorer.css" /e /c /r "Administrator"
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:44 创建文件    操作:阻止
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css
触发规则:所有程序规则->Documents and Settings设置（一）->?:\Documents and Settings\*\Application Data\Microsoft\Internet Explorer\Quick Launch\*Internet*Explorer*

2011-03-25 20:04:45 运行应用程序    操作:阻止
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\attrib.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" +r +s
触发规则:所有程序规则->系统程序设置->*\attrib.exe

2011-03-25 20:04:45 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r Administrators
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:46 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c Administrators:CI
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:46 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r Administrator
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:47 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r users
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:47 创建文件    操作:阻止
进程路径:C:\WINDOWS\20110325\255TAuUST2KbF25q\smss.exe
文件路径:C:\Documents and Settings\All Users\「开始」菜单\程序\启动\ .jse
触发规则:所有程序规则->Documents and Settings设置（二）->?:\Documents and Settings\*\*菜单\程序\启动\*

2011-03-25 20:04:48 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r system
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:48 运行应用程序    操作:阻止
进程路径:C:\WINDOWS\20110325\255TAuUST2KbF25q\smss.exe
文件路径:C:\WINDOWS\system32\reg.exe
命令行:add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "flashget" /d "c:\windows\20110325\255tauust2kbf25q\smss.exe " /f
触发规则:所有程序规则->系统程序设置->*\reg.exe

2011-03-25 20:04:48 创建文件    操作:阻止
进程路径:C:\WINDOWS\20110325\255TAuUST2KbF25q\smss.exe
文件路径:C:\Documents and Settings\All Users\「开始」菜单\程序\启动\ .jse
触发规则:所有程序规则->Documents and Settings设置（二）->?:\Documents and Settings\*\*菜单\程序\启动\*

2011-03-25 20:04:48 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r everyone
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:49 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r user
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:50 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r "Power Users"
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:50 运行应用程序    操作:阻止
进程路径:C:\Documents and Settings\Administrator\Local Settings\Temp\0.15.exe
文件路径:C:\WINDOWS\system32\rundll32.exe
命令行:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\13527932.dll testall
触发规则:所有程序规则->Rundll32设置->*\rundll32.exe

2011-03-25 20:04:50 运行应用程序    操作:允许
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\WINDOWS\system32\cacls.exe
命令行:"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r "Administrator"
触发规则:所有程序规则->系统程序设置->*\cacls.exe

2011-03-25 20:04:50 创建文件    操作:使用任务隔离区操作
进程路径:C:\WINDOWS\system32\wscript.exe
文件路径:C:\Documents and Settings\All Users\桌面\购物淘宝.bt
触发规则:所有程序规则->Documents and Settings设置（二）->?:\Documents and Settings\*\桌面\*

[病毒样本] 感染系统文件的小马（流氓桌面图标病毒）

本帖子中包含更多资源

浏览过的版块