UDady

Bypass OA's autoruns protection


OA autoruns can't block it

 

VT:https://www.virustotal.com/file/5f76a7cb629c366001e4cddd53c68bb2a4c38bbe756f9a6cf7b04817ff946626/analysis/1355570309/

 

Whenever I start XP I will see this

 

Created:      2012-12-16 17:57:56
Summary:      Program Guard: 999.dll -> IEXPLORE.EXE
Description:  C:\Documents and Settings\Administrator\桌面\999.dll(0) wants to start C:\Program Files\Internet Explorer\IEXPLORE.EXE(0)
Event type:   Program Guard(9)
Event action: Blocked(3)

 

System Repair Engineer 2.8.4.1331
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 3 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
  


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Process Hacker 2><"C:\Program Files\Process Hacker 2\ProcessHacker.exe" -hide>  [wj32]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Component Publisher]
    <PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Component Publisher]
    <PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Component Publisher]
    <VMware User Process><"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr>  [(Verified)VMware, Inc.]
    <@OnlineArmor GUI><"C:\Program Files\Online Armor\OAui.exe">  [(Verified)Emsisoft GmbH]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{4F07DA45-8170-4859-9B5F-037EF2970034}><C:\PROGRA~1\ONLINE~2\oaevent.dll>  [(Verified)Emsisoft GmbH]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Component Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    <WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TPSvc]
    <WinlogonNotify: TPSvc><TPSvc.dll>  [(Verified)Cortado AG]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\VMUpgradeAtShutdown]
    <WinlogonNotify: VMUpgradeAtShutdown><VMUpgradeAtShutdownWXP.dll>  [(Verified)VMware, Inc.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINDOWS\System32\logon.scr>  [(Verified)Microsoft Windows Component Publisher]

==================================
启动文件夹
[runctf]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\runctf.lnk --> C:\WINDOWS\system32\rundll32.exe [Microsoft Corporation]><N>


==================================
服务
[Human Interface Device Access / HidServ][stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Online Armor Helper Service / OAcat][Running/Auto Start]
  <"C:\Program Files\Online Armor\OAcat.exe"><Emsisoft GmbH>
[Online Armor / SvcOnlineArmor][Running/Auto Start]
  <C:\Program Files\Online Armor\oasrv.exe><Emsisoft GmbH>
[TP AutoConnect Service / TPAutoConnSvc][Running/Manual Start]
  <"C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"><Cortado AG>
[TP VC Gateway Service / TPVCGateway][stopped/Manual Start]
  <"C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"><Cortado AG>
[VMware Tools / VMTools][Running/Auto Start]
  <"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"><VMware, Inc.>
[VMware 物理磁盘助手服务 / VMware Physical Disk Helper Service][Running/Auto Start]
  <"C:\Program Files\VMware\VMware Tools\vmacthlp.exe"><VMware, Inc.>

==================================
驱动程序
[Creative AudioPCI (ES1371,ES1373) (WDM) / es1371][Running/Manual Start]
  <system32\drivers\es1371mp.sys><Creative Technology Ltd.>
[OADriver / OADevice][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\OADriver.sys><N/A>
[Online Armor helper driver / oahlpXX][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\oahlp32.sys><N/A>
[OAmon / OAmon][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\OAmon.sys><Emsisoft>
[OAnet / OAnet][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\OAnet.sys><Emsisoft>
[AMD PCNET Compatable Adapter Driver / PCnet][stopped/Manual Start]
  <system32\DRIVERS\pcntpci5.sys><AMD Inc.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[secdrv / Secdrv][stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[VMware VMCI Bus Driver / vmci][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\vmci.sys><VMware, Inc.>
[VMware Host Guest Client 重新定向器 / vmhgfs][Running/System Start]
  <system32\drivers\vmhgfs.sys><VMware, Inc.>
[内存控制驱动程序 / VMMEMCTL][Running/Auto Start]
  <\??\C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys><VMware, Inc.>
[VMware Pointing Device / vmmouse][Running/Manual Start]
  <system32\DRIVERS\vmmouse.sys><VMware, Inc.>
[VMware Storage Controller Driver / vmscsi][Running/Boot Start]
  <\SystemRoot\system32\drivers\vmscsi.sys><VMware, Inc.>
[VMware USB Pointing Device / vmusbmouse][Running/Manual Start]
  <system32\DRIVERS\vmusbmouse.sys><VMware, Inc.>
[VMware Ethernet Adapter Driver / vmxnet][Running/Manual Start]
  <system32\DRIVERS\vmxnet.sys><VMware, Inc.>
[vmx_svga / vmx_svga][Running/Manual Start]
  <system32\DRIVERS\vmx_svga.sys><VMware, Inc.>
[vSockets Driver / vsock][Running/Boot Start]
  <\SystemRoot\system32\drivers\vsock.sys><VMware, Inc.>
[KProcessHacker2 / KProcessHacker2][Running/Disabled]
  <\??\C:\Program Files\Process Hacker 2\kprocesshacker.sys><wj32>

 

 


I have removed the malware file from your post as posting malware or links to malware in the public forums is strictly prohibited. I suggest you have another look at our forum rules here:

 

http://support.emsisoft.com/index.php?app=forums&module=extras&section=boardrules

 

Consider this your first and only warning. 

 

Regarding the bypass:

 

The Autorun feature in Online Armor only covers registry entries. The autorun entry that was added in your example though was added to the Startup folder of your Start menu that isn't watched by Online Armor in its default settings. If you want Online Armor to watch for these kinds of autoruns you can create appropriate File Guard rules yourself.

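As an added defender-side example (not code from the thread, from SREng or from Emsisoft), the following Python parses a report in the layout SREng printed above and flags the two things the reply points at: Startup-folder shortcuts, which a registry-only autorun monitor never sees, whose target is a host binary such as rundll32.exe, and Run entries SREng could not verify. The sample report, the section-name mapping and the HOST_BINARIES list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the layout of the SREng 2.8 report quoted in the thread.
SAMPLE_REPORT = r"""启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Process Hacker 2><"C:\Program Files\Process Hacker 2\ProcessHacker.exe" -hide>  [wj32]
==================================
启动文件夹
[runctf]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\runctf.lnk --> C:\WINDOWS\system32\rundll32.exe [Microsoft Corporation]><N>
"""
# Section headings exactly as SREng prints them (the report is in Chinese).
SECTIONS = {"注册表": "registry", "启动文件夹": "startup_folder",
            "服务": "services", "驱动程序": "drivers"}
# Host binaries that run whatever DLL or script their command line names, so a
# signed Microsoft shortcut target says nothing about the code that really runs.
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
REG_ENTRY = re.compile(r"^\s+<(?P<name>[^>]*)><(?P<cmd>.*)>\s+\[(?P<signer>[^\]]*)\]$")
LNK_ENTRY = re.compile(r"^\s+<(?P<lnk>.+?) --> (?P<target>.+?) \[(?P<vendor>[^\]]*)\]><")

def parse_sections(report):
    """Split an SREng report into {section: [entry lines]} on its headings."""
    sections, current = {}, None
    for line in report.splitlines():
        key = SECTIONS.get(line.strip())
        if key:
            current = sections.setdefault(key, [])
        elif current is not None and line.strip() and not line.startswith("="):
            current.append(line)
    return sections

def triage(report):
    """Return (startup_folder_hits, unverified_registry_hits): shortcuts that
    sit outside a registry-only autorun monitor, and Run entries SREng could
    not verify (benign tools such as Process Hacker land here too: triage them)."""
    sections = parse_sections(report)
    startup, unverified = [], []
    for line in sections.get("startup_folder", []):
        m = LNK_ENTRY.match(line)
        if m and PureWindowsPath(m["target"]).name.lower() in HOST_BINARIES:
            startup.append((PureWindowsPath(m["lnk"]).name, m["target"]))
    for line in sections.get("registry", []):
        m = REG_ENTRY.match(line)
        if m and m["cmd"] and not m["signer"].startswith("(Verified)"):
            unverified.append((m["name"], m["cmd"]))
    return startup, unverified
```

Run it over a full SREng export to get the Startup-folder hits that a Run-key-only review misses; a hit on a host binary still needs the shortcut's arguments inspected to see which DLL or script it actually loads.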