Micropoint Forum
Author: pioneer (Super Moderator)
Title: Worm Worm.Win32.AutoRun.vku




#1 Worm Worm.Win32.AutoRun.vku

Worm

Worm.Win32.AutoRun.vku

Capture date

2011-04-14

Threat level



Symptoms

This sample is a worm written in VC++ and was captured automatically by Micropoint Active Defense. It is packed with UPX in an attempt to evade signature scanning; the packed file is 83,210 bytes long, its icon is "" (icon image not preserved), and it uses the exe extension. It spreads through file bundling, web pages seeded with malicious code (drive-by downloads) and downloaders. The main purpose of the virus is to steal user information and to plant rogue advertising icons that generate web traffic when clicked.

Affected systems

Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7

Propagation

File bundling, web pages seeded with malicious code (drive-by downloads), downloaders

Countermeasures

Users who already have Micropoint Active Defense installed need no additional configuration: Micropoint Active Defense automatically protects the system against intrusion and damage by this virus. Whether or not you have upgraded to the latest version, Micropoint Active Defense can remove the virus. If you have not upgraded Micropoint Active Defense to the latest version, it will raise an alert reporting "unknown spyware" when it finds the virus; simply choose Delete (see Figure 1).



Figure 1: Micropoint Active Defense automatically capturing the unknown virus (before update)



If you have upgraded Micropoint Active Defense to the latest version, Micropoint will raise an alert reporting the trojan "Worm.Win32.AutoRun.vku"; simply choose Delete (see Figure 2).



Figure 2: Micropoint Active Defense intercepting the known virus after update



Manual removal for users who do not have Micropoint Active Defense installed:

1. Manually delete the files
Delete %SystemRoot%\system32\jnirelupeq\explorer.exe
Delete %SystemRoot%\system32\xecpibaiia\smss.exe
Delete %SystemDriver%\gwyivodjab.txt (random name)
Delete %SystemDriver%\hccguiacas.jpg (random name)
Delete %SystemDriver%\tvaaixmniw.gif (random name)
Delete %SystemDriver%\fyisyelrhy.doc (random name)
Delete %SystemDriver%\qrkgwteuwg.bmp (random name)
Delete %SystemDriver%\Program Files\Common Files\BOSC.dll
Delete %SystemDriver%\q9q.dll
Delete %SystemRoot%\System32\drivers\kpscc.sys
Delete X:\My Documamts.exe (root of each drive)

2. Manually delete the registry entries

Delete HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Dmusic
Name: ImagePath
Data: \??\C:\WINDOWS\System32\drivers\kpscc.sys

Delete HKEY_LOCAL_MACHINE\SOFTWARE\Thunder Network\ThunderOem\thunder_backwnd
Name: Path
Data: C:\q9q.dll

Delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\EXPLORER\run
Name: xecpibaiia
Data: C:\WINDOWS\System32\xecpibaiia\smss.exe

Delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\EXPLORER\run
Name: jnirelupeq
Data: C:\WINDOWS\System32\jnirelupeq\explorer.exe

Delete the large number of hijack entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Delete HKEY_CLASSES_ROOT\exefile
Name: NeverShowExt
Data: 1

Delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Name: ModRiskFileTypes
Data: .exe

Find and delete the entries associated with CLSID {F986CC17-37C0-4585-B7D9-15F2161F0584}.

3. Manually import the correct registry entries

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SD360
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\SD360
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SD360
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RisingRavExt
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\RisingRavExt
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\RisingRavExt

4. Download the Micropoint rogue-desktop removal tool and the Micropoint folder-virus removal tool and run them to clean the system.

Variable definitions:

%SystemDriver%            the system partition, usually "C:\"
%SystemRoot%              the Windows directory, usually "C:\Windows"
%Documents and Settings%  the user profile directory, usually "C:\Documents and Settings"
%Temp%                    the temporary folder, usually "C:\Documents and Settings\<current user>\Local Settings\Temp"
%ProgramFiles%            the default program installation directory, usually "C:\Program Files"

※ This article is jointly owned by [pioneer] and the [Dongfang Micropoint Forum]; please credit the source when reposting! ※
2011-4-14 14:55
pioneer
#2

Virus analysis:

1. It takes a process snapshot and looks for antivirus processes such as avp.exe. If one is found, it first checks whether the folders "C:\RECYCLER", "C:\Recovery" and "C:\System Volume Information" carry the system and read-only attributes; if they do, it continues with the rest of the program.

2. If none is found, it enumerates the root directories of the user's drives. It then creates a thread whose job is to terminate processes such as "cmd.exe", "netsh.exe", "conime.exe", "regedit.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe", "wmiprvse.exe" and "ipconfig.exe".

3. If the named mutex objects "ca6f06b7575bf3a0b24462db96e36efe1" and "ca6f06b7575bf3a0b24462db96e36efe2" already exist, it opens new handles to them; the purpose is to prevent the program from running more than once. If the named mutexes do not exist, it continues.

4. It creates the directories "C:\WINDOWS\system32\xecpibaiia" and "C:\WINDOWS\system32\jnirelupeq", sleeps for 1 s, then searches for "C:\WINDOWS\system32\jnirelupeq\explorer.exe". If found, it converts the file's timestamp to local time and DOS date/time, sets "C:\WINDOWS\system32\jnirelupeq\explorer.exe" to normal attributes, and deletes it. If not found, it searches for "C:\WINDOWS\system32\xecpibaiia\smss.exe"; if found, it converts the file's timestamp to local time and DOS time, sets "C:\WINDOWS\system32\xecpibaiia\smss.exe" to normal attributes, and deletes it.

5. It sleeps for a period, then copies itself (overwriting any existing file) to "C:\WINDOWS\system32\xecpibaiia\smss.exe" and "C:\WINDOWS\system32\jnirelupeq\explorer.exe", and immediately starts both as processes.

6. It creates the mutex "ca6f06b7575bf3a0b24462db96e36efe1" to prevent the program from running more than once. It then enables "SeDebugPrivilege" for the current process and creates a thread. The thread sleeps for 3 s and searches for "C:\Program Files\Internet Explorer\iexplore.exe"; if found, it converts that file's timestamp to local time and DOS date/time, then creates the files "C:\gwyivodjab.txt", "C:\hccguiacas.jpg", "C:\tvaaixmniw.gif", "C:\fyisyelrhy.doc" and "C:\qrkgwteuwg.bmp" with normal file attributes; all five names are random. If iexplore.exe is not found, it creates the five randomly named files on another drive such as D:. It creates the folder "C:\VSPS", copies itself (overwriting) to "C:\VSPS\VSPS.exe", and sets the system and hidden attributes on both the file and the folder. It then takes a process snapshot and looks for the processes "RsTray.exe" and "360tray.exe"; if either is found, the main program exits. If neither is found, it deletes "C:\Program Files\Common Files\BOSC.dll", creates a new "C:\Program Files\Common Files\BOSC.dll" in the same directory, and loads it. Called with the "InstallHook" parameter, the DLL installs global keyboard and mouse hooks; called with the "HideProcess" parameter, it hides the corresponding process. The DLL is then given the system and hidden attributes.

7. It creates the mutex "ca6f06b7575bf3a0b24462db96e36efe2" to prevent the program from running more than once. It then enables "SeDebugPrivilege" for the current process and creates a thread whose job is to terminate processes such as "cmd.exe", "netsh.exe", "conime.exe", "regedit.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe", "wmiprvse.exe" and "ipconfig.exe". It sets the system and hidden attributes on its own file, sleeps for 3 s, and searches for "C:\WINDOWS\System32\reg.exe", "C:\WINDOWS\System32\wscript.exe" and "C:\WINDOWS\regedit.exe". If they are found, it converts their timestamps to local time and DOS date/time, then opens and reads the three files without releasing the handles, so that the user can no longer use these three tools. If they are not found, the program exits. It sets the registry value Install under HKEY_LOCAL_MACHINE\SOFTWARE\TENCENT\QQ2009 and searches for "C:\Program Files\Tencent\QQ\Bin\Shareds.dll". If found, it converts that file's timestamp to local time and DOS date/time. If not found, it sets the system and hidden attributes on "C:\q9q.dll" and deletes it, sleeps 300 ms, creates "C:\q9q.dll", sleeps 300 ms, and searches for "C:\q9q.dll". If found, it converts the file's timestamp to local time and DOS date/time, moves "C:\Program Files\Tencent\QQ\Bin\TaskTray.dll" to "C:\Program Files\Tencent\QQ\Bin\Shareds.dll", sleeps 300 ms, then moves the newly created "C:\q9q.dll" to "C:\Program Files\Tencent\QQ\Bin\TaskTray.dll". It sleeps 2 s and searches for "C:\q9q.dll" again; if found, it converts the file's timestamp to local time and DOS date/time. If not found, it sets the registry value Install under HKEY_LOCAL_MACHINE\SOFTWARE\TENCENT\QQ, sets HKEY_LOCAL_MACHINE\SOFTWARE\Thunder Network\ThunderOem\thunder_backwnd, name: path, data: "C:\q9q.dll", and sets the system and hidden attributes on the "C:\Program Files\" folder. It also sets the system and hidden attributes on "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\xinabini.exe" and on "C:\Documents and Settings\<current user>\「开始」菜单\程序\启动\pbkxjkmeqm.exe".

8. It retrieves information about the "C:\WINDOWS\system32\drivers" directory and searches for "C:\WINDOWS\System32\drivers\kpscc.sys". If the file is absent, it creates the driver file and the corresponding service registry entry:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Dmusic
Name: ImagePath
Data: \??\C:\WINDOWS\System32\drivers\kpscc.sys

9. It then creates the pipe "\\.\MYFL" to communicate with the driver and terminate the relevant security-software processes. Under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options it creates a large number of new entries that hijack many security products so that they cannot run. It then starts the processes "C:\WINDOWS\system32\xecpibaiia\smss.exe" and "C:\WINDOWS\system32\jnirelupeq\explorer.exe" once more, each as an external command.

10. The virus moves the files "C:\WINDOWS\system32\drivers\etc\hosts", "C:\recycler\winlogon.exe", "C:\WINDOWS\System32\RavExt.dll" and "C:\WINDOWS\System32\bsmain.exe" and arranges for them to be deleted at the next reboot.
It deletes the registry keys for the context-menu entries of 360 and Rising antivirus:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SD360
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\SD360
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SD360
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RisingRavExt
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\RisingRavExt
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\RisingRavExt

11. It modifies a registry value so that hidden files and folders are not shown:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Name: ShowSuperHidden
Data: 0
It modifies a registry value so that the Internet Explorer desktop icon is unavailable:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
Name: {871C5380-42A0-1069-A2EA-08002B30309D}
Data: 1
It creates a registry entry so that the user cannot use the Windows classic desktop theme:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
Name: {871C5380-42A0-1069-A2EA-08002B30309D}
Data: 1

12. It deletes the following shortcuts:
C:\Documents and Settings\<current user>\桌面\360杀毒.lnk
C:\Documents and Settings\<current user>\桌面\360保险箱.lnk
C:\Documents and Settings\<current user>\桌面\360安全卫士.lnk
C:\Documents and Settings\<current user>\桌面\360软件管家.lnk
C:\Documents and Settings\<current user>\桌面\QQ浏览器 5.lnk
C:\Documents and Settings\All Users\「开始」菜单\QQ浏览器5.lnk
C:\Documents and Settings\All Users\「开始」菜单\360安全浏览器 3.lnk
C:\Documents and Settings\<current user>\桌面\修复360安全卫士.url
C:\Documents and Settings\All Users\桌面\修复瑞星软件.lnk
C:\Documents and Settings\All Users\桌面\瑞星杀毒软件.lnk
C:\Documents and Settings\All Users\桌面\瑞星个人防火墙.lnk
C:\Documents and Settings\All Users\桌面\360安全浏览器 3.lnk

13. It sets the system and hidden attributes on the following files, folders and shortcuts:
C:\Documents and Settings\All Users\「开始」菜单\程序\360杀毒
C:\Documents and Settings\<current user>\「开始」菜单\程序\360保险箱
C:\Documents and Settings\<current user>\「开始」菜单\程序\360安全卫士
C:\Program Files\Kaspersky Lab
C:\Documents and Settings\All Users\「开始」菜单\程序\瑞星个人防火墙
C:\Documents and Settings\All Users\「开始」菜单\程序\瑞星杀毒软件
C:\Documents and Settings\<current user>\「开始」菜单\程序\腾讯软件\QQ浏览器 5
C:\Documents and Settings\All Users\「开始」菜单\程序\360安全浏览器 3
C:\Documents and Settings\<current user>\「开始」菜单\程序\卡巴斯基反病毒软件 7.0
C:\Documents and Settings\<current user>\「开始」菜单\程序\卡巴斯基反病毒软件 2010
C:\Documents and Settings\<current user>\「开始」菜单\程序\卡巴斯基反病毒软件 2009
C:\Documents and Settings\All Users\「开始」菜单\程序\卡巴斯基反病毒软件 2010
C:\Documents and Settings\All Users\「开始」菜单\程序\卡巴斯基反病毒软件 7.0
C:\Documents and Settings\All Users\「开始」菜单\程序\卡巴斯基反病毒软件 2009
C:\Documents and Settings\<current user>\桌面\卡巴斯基反病毒软件 2009.lnk
C:\Documents and Settings\<current user>\桌面\卡巴斯基反病毒软件 2010.lnk
C:\Documents and Settings\All Users\桌面\卡巴斯基反病毒软件 2009.lnk
C:\Documents and Settings\All Users\桌面\卡巴斯基反病毒软件 2010.lnk

14. It creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}
Name: InfoTip    Data: @shdoclc.dll,-881
Name: LocalizedString  Data: @shdoclc.dll,-880

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage\Command
Name: (Default)
Data: iexplore.exe http://www.sfc006.com/?Activex

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\属性(&R)\Command
Name: (Default)
Data: rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage
Name: (Default)     Data: 打开主页
Name: MUIVerb  Data: @shdoclc.dll,-10241

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\Shellex\ContextMenuHandlers\ieframe
Name: (Default)
Data: {871C5380-42A0-1069-A2EA-08002B30309D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\ShellFolder
Name: Attributes
Data: 0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell
Name: OpenHomePage
Data: (Default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\InProcServer32
Name: (Default)        Data: %SystemRoot%\system32\shdocvw.dll
Name: ThreadingModel        Data: Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\DefaultIcon
Name: (Default)
Data: shdoclc.dll,-190

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\InfoTip
Name: (Default)
Data: @shdoclc.dll,-881

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\LocalizedString
Name: (Default)
Data: @shdoclc.dll,-880

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F986CC17-37C0-4585-B7D9-15F2161F0584}\InProcServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
Name: {871C5380-42A0-1069-A2EA-08002B30309D}
Data: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
Name: {871C5380-42A0-1069-A2EA-08002B30309D}.default
Data: 0

15. It searches for shortcuts such as "C:\Documents and Settings\<current user>\桌面\Internet Explorer.lnk", "C:\Documents and Settings\<current user>\桌面\改变你的一生.url", "C:\Documents and Settings\<current user>\桌面\淘宝购物A.url" and "C:\Documents and Settings\All Users\桌面\免费电影C.url", changes their creation time, and sets the system and hidden attributes on them.

16. It enumerates the root directory of every drive and copies itself there as "My Documamts.exe", disguised as a folder to lure the user into opening the virus file.

17. It deletes the following registry keys so that the user cannot boot into Safe Mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

Files created by the virus:

%SystemRoot%\system32\jnirelupeq\explorer.exe
%SystemRoot%\system32\xecpibaiia\smss.exe
%SystemDriver%\gwyivodjab.txt (random name)
%SystemDriver%\hccguiacas.jpg (random name)
%SystemDriver%\tvaaixmniw.gif (random name)
%SystemDriver%\fyisyelrhy.doc (random name)
%SystemDriver%\qrkgwteuwg.bmp (random name)
%SystemDriver%\Program Files\Common Files\BOSC.dll
%SystemDriver%\q9q.dll
%SystemRoot%\System32\drivers\kpscc.sys
X:\My Documamts.exe (root of each drive)
%ProgramFiles%\Tencent\QQ\Bin\Shareds.dll
%ProgramFiles%\Tencent\QQ\Bin\TaskTray.dll
%SystemRoot%\system32\drivers\etc\hosts
%SystemDriver%\recycler\winlogon.exe
%SystemRoot%\System32\RavExt.dll
%SystemRoot%\System32\bsmain.exe

Registry entries created by the virus:

HKEY_LOCAL_MACHINE\SOFTWARE\Thunder Network\ThunderOem\thunder_backwnd
Name: path
Data: C:\q9q.dll

HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Dmusic
Name: ImagePath
Data: \??\C:\WINDOWS\System32\drivers\kpscc.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\EXPLORER\run
Name: xecpibaiia
Data: C:\WINDOWS\System32\xecpibaiia\smss.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\EXPLORER\run
Name: jnirelupeq
Data: C:\WINDOWS\System32\jnirelupeq\explorer.exe

HKEY_CLASSES_ROOT\exefile
Name: NeverShowExt
Data: 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Name: ModRiskFileTypes
Data: .exe

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StorageDevicePolicies
Name: WriteProtect
Data: 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
Name: {871C5380-42A0-1069-A2EA-08002B30309D}
Data: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray..exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravcopy.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastU3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanU3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvU3Launcher.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCMgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SelfUpdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCRTP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zjb.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorMain.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atpup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWSMain.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DSMain.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwstray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knsd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiU.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knsdave.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\irsetup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWSUpd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sdrun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ghost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XDelBox.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knsdtray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appdllman.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TxoMoU.Exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AoYun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Discovery.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guangd.ex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernelwind32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logogo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.ex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arswp2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arswp3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\799d.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stormii.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jisu.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ filmst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ qheart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ qsetup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ sxgame.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ wbapp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ pfserver.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ QQPCSmashFile.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ avp.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ avp.exe

Registry keys deleted by the virus:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SD360

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\SD360

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SD360

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RisingRavExt

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\RisingRavExt

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\RisingRavExt


Registry keys modified by the virus:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Name: ShowSuperHidden
Data: 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
Name: {871C5380-42A0-1069-A2EA-08002B30309D}
Data: 0

Network access by the virus:

URL=http://www.vo***77.com

[ Last edited by pioneer on 2011-4-14 at 15:13 ]

※ Ownership of this article is shared by [pioneer] and the [Dongfang Micropoint Forum]; please credit the source when reposting! ※
2011-4-14 15:07
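As an added defender-side example (not from the original post or from Micropoint), a read-only PowerShell audit of the registry locations this writeup lists: IFEO subkeys carrying a Debugger value, the SafeBoot disk-driver class key the worm deletes, and the Explorer settings it modifies. The function names are my own; it assumes an elevated session on the suspect host and changes nothing.

```powershell
# Added audit example, not part of the original post. Read-only: reports
# findings and changes nothing. Run from an elevated PowerShell session.

# 1. Image File Execution Options (IFEO): the worm creates subkeys named after
#    security tools so that launching them runs something else. The redirect
#    lives in a "Debugger" value; on a clean workstation almost no subkey has one.
function Get-IfeoDebuggerEntries {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ HijackedName = $_.PSChildName; Debugger = $dbg } }
    }
}

# 2. SafeBoot: {4D36E967-...} is the DiskDrive device class. Deleting it from
#    Minimal/Network makes Safe Mode unbootable, so a missing key is a strong
#    tampering sign. Both control sets the sample touches are checked.
function Test-SafeBootDiskClass {
    $guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
    foreach ($set in 'CurrentControlSet', 'ControlSet001') {
        foreach ($mode in 'Minimal', 'Network') {
            $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\$guid"
            [pscustomobject]@{ Key = $key; Present = (Test-Path -Path $key) }
        }
    }
}

# 3. Explorer settings the worm writes. ShowSuperHidden=0 keeps protected OS
#    files hidden (also the Windows default, so corroborating evidence only).
#    The HideDesktopIcons GUID is the Internet Explorer desktop icon; 0 forces
#    it visible, 1 would hide it.
function Get-ExplorerHidingSettings {
    $adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hide   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
    $ieIcon = '{871C5380-42A0-1069-A2EA-08002B30309D}'
    [pscustomobject]@{
        ShowSuperHidden = (Get-ItemProperty -Path $adv  -ErrorAction SilentlyContinue).ShowSuperHidden
        IeIconHidden    = (Get-ItemProperty -Path $hide -ErrorAction SilentlyContinue).$ieIcon
    }
}

Get-IfeoDebuggerEntries    | Format-Table -AutoSize
Test-SafeBootDiskClass     | Format-Table -AutoSize
Get-ExplorerHidingSettings | Format-List
```

Any IFEO hit whose Debugger points into a random-named folder under System32, or a SafeBoot row with Present = False, should be treated as confirmation before following the manual cleanup steps above.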