‹‹ 上一主題 | 下一主題 ››
發新話題
打印

[測試] 修改"圖示"的惡作劇程式,測試你的RD

Roger

Analyst Expert

Rank: 8Rank: 8

帖子
2376 
精華
1 
威望
5383  
黃金
9635  
註冊時間
2007-3-14 
1# 發表於 2007-10-1 10:52  只看該作者

修改"圖示"的惡作劇程式,測試你的RD

我的EQ,RD的規則,防不住他修改圖示!






以下是ubuntu版主的測試,看起來,動到很多登錄檔!
引用:
WinRAR.exe ISOLATE on access to F:\virus\感染.rar (File)
感染.exe ISOLATE on start from explorer.exe
感染.exe DENY C0B5 message to explorer.exe (Process)
感染.exe DENY C0B6 message to explorer.exe (Process)
感染.exe DENY C0B6 message to ctfmon.exe (Process)
感染.exe DENY access to C:\WINDOWS\system32\0401032.ico (File)
感染.exe DENY access to C:\WINDOWS\system32\0401128.ico (File)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\1 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\2 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\5 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\6 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\7 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\8 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\9 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\10 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\11 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\12 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\13 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\14 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\15 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\16 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\17 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\18 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\19 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\20 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\21 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\22 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\23 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\24 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\25 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\26 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\27 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\28 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\30 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\31 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\32 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\33 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\34 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\35 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\36 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\37 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\38 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\39 (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\40 (Registry)
感染.exe READONLY access to HKU\S-1-5-21-73586283-2111687655-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} (Registry)
感染.exe REDIRECT access to HKU\S-1-5-21-73586283-2111687655-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon\ (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Classes\inifile\DefaultIcon\ (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Classes\txtfile\DefaultIcon\ (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Classes\giffile\DefaultIcon\ (Registry)
感染.exe REDIRECT access to HKLM\SOFTWARE\Classes\jpegfile\DefaultIcon\ (Registry)
感染.exe REDIRECT access to HKU\S-1-5-21-73586283-2111687655-1957994488-1003\Control Panel\Desktop\WindowMetrics\Shell Icon Size (Registry)
感染.exe DENY 1A message to csrss.exe (Process)
感染.exe REDIRECT access to HKLM\SOFTWARE\Classes\htmlfile\DefaultIcon\ (Registry)
感染.exe DENY C0B5 message to explorer.exe (Process)
附件: 您所在的用戶組無法下載或查看附件

TOP

peter_yu

AV Expert

Rank: 8Rank: 8

帖子
641 
精華
0 
威望
1029  
黃金
1756  
註冊時間
2007-2-17 
2# 發表於 2007-10-1 13:13  只看該作者
擋住了沒事  ICO 完全沒事    除了滑鼠游標被限制 ...............................................................................................

[ 本帖最後由 peter_yu 於 2007-10-1 13:15 編輯 ]

TOP

peter_yu

AV Expert

Rank: 8Rank: 8

帖子
641 
精華
0 
威望
1029  
黃金
1756  
註冊時間
2007-2-17 
3# 發表於 2007-10-1 13:35  只看該作者
會生成  .FNE .FNR .ICO

Blocked termination of taskmgr.exe performed by 感染.exe--->  還會不許用 taskmgr.exe


13:23:59 01 Oct 2007 |  Allowed process execution of 感染.exe | c:\14\vvv\感染.exe | "c:\14\vvv\感染.exe"  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked create key by 感染.exe | HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell icons |  |
13:24:20 01 Oct 2007 |  Blocked set value by 感染.exe | HKLM\Software\Classes\Jpegfile\Defaulticon |  |
13:24:21 01 Oct 2007 |  Blocked set value by 感染.exe | HKLM\Software\Classes\Htmlfile\Defaulticon |  |
13:24:29 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:29 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:29 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:29 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:30 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:30 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:30 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:30 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:30 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:30 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:30 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:30 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:30 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:31 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:31 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:31 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:31 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:31 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:31 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:31 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:31 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:31 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:32 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:32 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:32 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:32 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:32 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:32 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:32 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:32 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:32 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:33 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:33 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:33 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:33 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:33 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:33 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:33 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:33 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:33 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:34 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:35 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:35 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:35 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:35 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:35 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:35 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:35 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:35 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:35 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:36 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:36 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:36 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:36 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:36 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:36 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:36 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:36 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:36 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:37 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:37 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:37 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:37 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:37 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:37 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:37 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:37 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:37 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:38 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:38 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:38 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:38 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:38 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:38 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:38 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:38 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:38 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:39 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:39 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:39 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:39 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:39 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:39 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:39 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:39 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:39 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:40 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:40 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:40 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:40 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |
13:24:40 01 Oct 2007 |  Blocked termination of taskmgr.exe performed by 感染.exe | c:\14\vvv\感染.exe | c:\windows\system32\taskmgr.exe |

TOP

peter_yu

AV Expert

Rank: 8Rank: 8

帖子
641 
精華
0 
威望
1029  
黃金
1756  
註冊時間
2007-2-17 
4# 發表於 2007-10-1 13:50  只看該作者
限制滑鼠移動的解法  不需重新開機

1. 結束 ---> 感染.exe
2. 結束 ---> explorer.exe  再次執行  explorer.exe  滑鼠自由的移動

TOP

asusp4b533

LieroX - NewBie

Moderator

Rank: 7Rank: 7Rank: 7

帖子
1146 
精華
1 
威望
4561  
黃金
5976  
註冊時間
2007-8-13 
5# 發表於 2007-10-1 21:46  只看該作者
我的 eq成功攔截,在第一步攔截,程式根本無法執行

TOP

peter_yu

AV Expert

Rank: 8Rank: 8

帖子
641 
精華
0 
威望
1029  
黃金
1756  
註冊時間
2007-2-17 
6# 發表於 2007-10-1 23:10  只看該作者
引用:
原帖由 asusp4b533 於 2007-10-1 21:46 發表
我的 eq成功攔截,在第一步攔截,程式根本無法執行
不運行哪還測什麼攔截呢???  不能以一個動態程序庫判定是惡意吧???

這動態程序庫是用這語言寫後執行必須的    就似 DELPHI   C++   RTL 一樣

TOP

baerzake

Analyst Expert

Rank: 8Rank: 8

帖子
18 
精華
0 
威望
38  
黃金
38  
註冊時間
2007-7-15 
7# 發表於 2007-10-2 13:10  只看該作者
可以防的,楼主防不住是EQ的规则不够严

TOP

Roger

Analyst Expert

Rank: 8Rank: 8

帖子
2376 
精華
1 
威望
5383  
黃金
9635  
註冊時間
2007-3-14 
8# 發表於 2007-10-3 08:54  只看該作者














看上圖,只剩下"滑鼠游標被鎖住"無法攔截,

RD攔截成功

可以導入附件的規則!

以下是EQ的RD防禦規則:

引用:
組名稱:修改圖示

1.登錄檔路徑:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
   
   登錄檔名稱:*

詢問並且阻止 "建立","修改"登錄檔

2.登錄檔路徑:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
                     CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon

   登錄檔名稱:*

詢問並且阻止 "建立","修改"登錄檔

3.登錄檔路徑:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
                     CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon

   登錄檔名稱:*

詢問並且阻止 "建立","修改"登錄檔

4.登錄檔路徑:HKEY_CLASSES_ROOT\*file\DefaultIcon

   登錄檔名稱:*

詢問並且阻止 "建立","修改"登錄檔

5.登錄檔路徑:HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics

   登錄檔名稱:Shell Icon Size

詢問並且阻止 "建立","修改"登錄檔
[ 本帖最後由 Roger 於 2007-10-3 09:00 編輯 ]
附件: 您所在的用戶組無法下載或查看附件

TOP

baerzake

Analyst Expert

Rank: 8Rank: 8

帖子
18 
精華
0 
威望
38  
黃金
38  
註冊時間
2007-7-15 
9# 發表於 2007-10-3 08:59  只看該作者
不错,恭喜楼主

TOP

Roger

Analyst Expert

Rank: 8Rank: 8

帖子
2376 
精華
1 
威望
5383  
黃金
9635  
註冊時間
2007-3-14 
10# 發表於 2007-10-3 20:45  只看該作者
再給一隻類似的,EQ攔截成功!

我發現,只要4和5,就可以防住這種修改圖示的了
引用:
4.登錄檔路徑:HKEY_CLASSES_ROOT\*file\DefaultIcon

   登錄檔名稱:*

詢問並且阻止 "建立","修改"登錄檔

5.登錄檔路徑:HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics

   登錄檔名稱:Shell Icon Size

詢問並且阻止 "建立","修改"登錄檔













附件: 您所在的用戶組無法下載或查看附件

TOP

peter_yu

AV Expert

Rank: 8Rank: 8

帖子
641 
精華
0 
威望
1029  
黃金
1756  
註冊時間
2007-2-17 
11# 發表於 2007-10-3 21:10  只看該作者
規則太死板  善用通配符
我建議如此改法 Shell 很重要

不論
Shell 前後如何配 下面多少子鍵值 全部都可以攔截無誤

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\*Shell**

TOP

asusp4b533

LieroX - NewBie

Moderator

Rank: 7Rank: 7Rank: 7

帖子
1146 
精華
1 
威望
4561  
黃金
5976  
註冊時間
2007-8-13 
12# 發表於 2007-10-4 09:09  只看該作者

回復 #11 peter_yu 的帖子

感謝指導

TOP

man1221995

金牌會員

Rank: 6Rank: 6

帖子
369 
精華
0 
威望
2358  
黃金
617  
註冊時間
2007-11-14 
13# 發表於 2007-11-15 22:18  只看該作者
avast  :  Win32:Getos [Trj]=木馬

TOP

man1221995

金牌會員

Rank: 6Rank: 6

帖子
369 
精華
0 
威望
2358  
黃金
617  
註冊時間
2007-11-14 
14# 發表於 2007-11-17 14:51  只看該作者
熊??香.part1.rar
  熊??香.part2.rar 都唔得

TOP

luap

中級會員

Rank: 3Rank: 3

帖子
46 
精華
0 
威望
94  
黃金
50  
註冊時間
2007-11-14 
15# 發表於 2007-11-23 22:25  只看該作者
第一次碰HIPS軟體
各位大大要多多指教
下載下來....
用用看!...

TOP

fanks

ㄚ光

病毒研究室成員

Rank: 7Rank: 7Rank: 7

帖子
174 
精華
0 
威望
1914  
黃金
493  
註冊時間
2007-12-4 
16# 發表於 2008-1-2 10:31  只看該作者
中了這種惡作劇程式,要處理也是挺麻煩的

TOP

fanks

ㄚ光

病毒研究室成員

Rank: 7Rank: 7Rank: 7

帖子
174 
精華
0 
威望
1914  
黃金
493  
註冊時間
2007-12-4 
17# 發表於 2008-1-4 08:48  只看該作者
下載回來測試發現諾頓居然被過~真是糟糕

TOP

domino

~Domino~

金牌會員

Rank: 6Rank: 6

帖子
343 
精華
0 
威望
2062  
黃金
5050  
註冊時間
2007-12-30 
18# 發表於 2008-1-4 19:46  只看該作者
這不算是修改EXE ~ 只是把ICO 圖示重心導向而已.
針對注冊表修改而已

[ 本帖最後由 domino 於 2008-1-4 19:47 編輯 ]
對於我轉貼的文章有意見的網友~建議您閱讀此文章.

TOP

charles1394

高級會員

Rank: 4

帖子
172 
精華
0 
威望
926  
黃金
987  
來自
台灣 
註冊時間
2007-12-17 
19# 發表於 2008-1-17 08:55  只看該作者
下載來試試看,感謝分享!!!

看來要完全測試必須冒著系統被入侵的危險啊。
測試軟體粉好玩

TOP

‹‹ 上一主題 | 下一主題 ››
發新話題