autorun病毒(PegeFile.pif/Trojan.PSW.Win32.Agent.mk)

autorun病毒(PegeFile.pif/Trojan.PSW.Win32.Agent.mk)
2007-06-19 18:06
病毒名字: Trojan.PSW.Win32.Agent.mk(Rising)
样本名: PegeFile.pif
加壳:UPX ( 原帖地址) 请保留,因为此页内容可能会修改
文件大小:16,945 字节
MD5:A3AEB72FCDEEB46C04936564419C7275
SHA1:0F1719C33EA1E8E0B492A00BD3049BC20FB49A26
简单写了,这个病毒其实是一个 Download 病毒,运行后会继续下载其他的病毒!( Rising命名错误
病毒运行后首先释放自己和库文件到:
C:\Program Files\Internet Explorer\PLUGINS\ NewTemp.bak
C:\Program Files\Internet Explorer\PLUGINS\ NewTemp.dll
向所有分区释放:
X:\ PegeFile.pif
X:\ autorun.inf

病毒将库文件注入到 explorer.exe 进程,伺机作案。
若是可以链接网络,它会下载以下病毒到用户的机器上,(很多。。。)

C:\DOCUME~1\TestUser\LOCALS~1\Temp\2.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\1.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\3.exe
C:\WINDOWS\system32\ztinetzt.exe
C:\WINDOWS\system32\ztinetzt.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\4.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\5.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\6.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso0.dll
C:\WINDOWS\system32\Ravasktao.exe
C:\WINDOWS\system32\Ravasktao.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\9.exe
C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp
C:\Program Files\Internet Explorer\PLUGINS\System64.Sys
C:\DOCUME~1\TestUser\LOCALS~1\Temp\10.exe
C:\WINDOWS\system32\Drivers\usbinte.sys
C:\WINDOWS\system32\visin.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\11.exe
C:\WINDOWS\system32\mydata.exe
C:\WINDOWS\system32\moyu103.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\13.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\14.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\15.exe
C:\WINDOWS\system32\wuclmi.exe
C:\WINDOWS\system32\wincfg.exe
C:\WINDOWS\system32\mvdbc.exe
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\npf_mgm.exe
C:\WINDOWS\system32\daemon_mgm.exe
C:\WINDOWS\system32\NetMonInstaller.exe
C:\WINDOWS\system32\rpcapd.exe
C:\WINDOWS\system32\capinstall.exe

修改注册表:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
" wosa" = %TEMP%WOSO.EXE
" mhsa" = %TEMP%MHSO.EXE
" Microsoft Autorun14" = %SYSTEM%\ZTINETZT.EXE
" rxsa" = %TEMP%RXSO.EXE
" qjsa" = %TEMP%QJSO.EXE
" Microsoft Autorun9" = %SYSTEM%\RAVASKTAO.EXE
" tlsa" = %TEMP%TLSO.EXE
" dasa" = %TEMP%DASO.EXE
" wlsa" = %TEMP%WLSO.EXE
" wgsa" = %TEMP%WGSO.EXE
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
" visin" = %SYSTEM%\VISIN.EXE
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
"{ 0EA66AD2-CF26-2E23-532B-B292E22F3266}" =
"{ 754FB7D8-B8FE-4810-B363-A788CD060F1F}" =
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ nm
(Display Name)Network Monitor Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NMNT.SYS
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
(Display Name)NetGroup Packet Filter Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NPF.SYS
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd
(Display Name)Remote Packet Capture Protocol v.0 (experimental) = (IMAGEPATH)"%PROGRAMFILES%\WINPCAP\RPCAPD.EXE" -D -F "%PROGRAMFILES%\WINPCAP\RPCAPD.INI"
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys
     HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 0EA66AD2-CF26-2E23-532B-B292E22F3266}
     HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 425882B0-B0BF-11CE-B59F-00AA006CB37D}
     HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 754FB7D8-B8FE-4810-B363-A788CD060F1F}
     HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 944AD531-B09D-11CE-B59C-00AA006CB37D}
     HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ D413C502-3FAA-11D0-B254-444553540000}


2007-06-24 22:56
安装信得过的杀毒软件,
首先断开网络
然后全盘杀毒或者 逐一删除上文中 橙色 标记的文件和注册表键值
 
 
 
 
 
 
 
 
 
 
病毒名字:Trojan.PSW.Win32.Agent.mk(瑞星报毒名称)
  样本名: PegeFile.pif
  以下解决步骤参考网友ixigua的分析:
  一:1.到down.45it.com下载费尔木马强制删除器工具.zip,解压缩打开PowerRmv.exe,在文件名处依次输入
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bak
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll
以及所有分区下的PegeFile.pifautorun.inf文件
,并勾选"抑制文件再次生成"最后点击清除来删除该文件。
  二:ctrl+alt+del打开任务管理器,结束explorer.exe 进程然后删除以下文件(参考步骤一)
C:\DOCUME~1\TestUser\LOCALS~1\Temp\2.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\1.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\3.exe
C:\WINDOWS\system32\ztinetzt.exe
C:\WINDOWS\system32\ztinetzt.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\4.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\5.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\6.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso0.dll
C:\WINDOWS\system32\Ravasktao.exe
C:\WINDOWS\system32\Ravasktao.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\9.exe
C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp
C:\Program Files\Internet Explorer\PLUGINS\System64.Sys
C:\DOCUME~1\TestUser\LOCALS~1\Temp\10.exe
C:\WINDOWS\system32\Drivers\usbinte.sys
C:\WINDOWS\system32\visin.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\11.exe
C:\WINDOWS\system32\mydata.exe
C:\WINDOWS\system32\moyu103.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\13.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\14.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\15.exe
C:\WINDOWS\system32\wuclmi.exe
C:\WINDOWS\system32\wincfg.exe
C:\WINDOWS\system32\mvdbc.exe
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\npf_mgm.exe
C:\WINDOWS\system32\daemon_mgm.exe
C:\WINDOWS\system32\NetMonInstaller.exe
C:\WINDOWS\system32\rpcapd.exe
C:\WINDOWS\system32\capinstall.exe
  三:开始菜单-运行-输入“regedit”打开注册表删除以下标橙色的项
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
"wosa" = %TEMP%WOSO.EXE
"mhsa" = %TEMP%MHSO.EXE
"Microsoft Autorun14" = %SYSTEM%\ZTINETZT.EXE
"rxsa" = %TEMP%RXSO.EXE
"qjsa" = %TEMP%QJSO.EXE
"Microsoft Autorun9" = %SYSTEM%\RAVASKTAO.EXE
"tlsa" = %TEMP%TLSO.EXE
"dasa" = %TEMP%DASO.EXE
"wlsa" = %TEMP%WLSO.EXE
"wgsa" = %TEMP%WGSO.EXE
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
" visin" = %SYSTEM%\VISIN.EXE
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
"{ 0EA66AD2-CF26-2E23-532B-B292E22F3266}" =
"{ 754FB7D8-B8FE-4810-B363-A788CD060F1F}" =
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ nm
(Display Name)Network Monitor Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NMNT.SYS
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
(Display Name)NetGroup Packet Filter Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NPF.SYS
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd
(Display Name)Remote Packet Capture Protocol v.0 (experimental) = (IMAGEPATH)"%PROGRAMFILES%\WINPCAP\RPCAPD.EXE" -D -F "%PROGRAMFILES%\WINPCAP\RPCAPD.INI"
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys
       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 0EA66AD2-CF26-2E23-532B-B292E22F3266}
       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 425882B0-B0BF-11CE-B59F-00AA006CB37D}
       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 754FB7D8-B8FE-4810-B363-A788CD060F1F}
       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 944AD531-B09D-11CE-B59C-00AA006CB37D}
       HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ D413C502-3FAA-11D0-B254-444553540000}
 
007-07-30 17:43
显然是病毒,这个你就不用怀疑了!
我机器不能中了这个毒,不过现在已经解决了。
大概的过程是这样的:
查看的时候我发现每一个盘都有这样的文件,我想都没有想,就用瑞星杀了下,OO??情况和你的完全一样,它都没有什么反应!
没有办法了,就只好用手来来了。
用了个bat,先用记事本编辑,在保存为以.bat结尾的文件即可。
再双击运行它。
==============开始,不要复制===================================
@echo off
title kill autorun.inf
rem Made By numax %date%
::    个人主页: [url]http://hi.baidu.com/numax[/url]
::    欢迎光临!!!!
FOR %%a IN ( C: D: E: F: G: H: I: J: K: L:    ) DO (
cls
if exist %%a (
del /f/q/a %%a\autorun.inf
del /f/q/a %%a\ pegefile.pif
md %%a\autorun.inf
md %%a\autorun.inf
md %%a\autorun.inf\JAYVEN..\
md %%a\autorun.inf\SOPHIA..\
echo [.ShellClassInfo]>%%a\autorun.inf\desktop.ini
echo CLSID={20D04FE0-3AEA-1069-A2D8-08002B30309D}>>%% a\autorun.inf\desktop.ini
echo InfoTip=用于防治一些病毒,请不要删除它>>%% a\autorun.inf\desktop.ini
attrib +s +h +r %%a\autorun.inf\desktop.ini
attrib +s +h +r %%a\autorun.inf
)
)
cls
========================结束,不要复制==================
同时,也可以用autorun,processexplorer,syscheck,xdelbox等工具辅助查杀。
最后清理注册表,工作就算完成了。
对于类似的病毒,可应在:
运行中:“gpedit.msc”
关闭硬件自动运行。
#####################
#####################
病毒名字: Trojan.PSW.Win32.Agent.mk(Rising)
样本名: PegeFile.pif
加壳:UPX ( 原帖地址) 请保留,因为此页内容可能会修改
文件大小:16,945 字节
MD5:A3AEB72FCDEEB46C04936564419C7275
SHA1:0F1719C33EA1E8E0B492A00BD3049BC20FB49A26
简单写了,这个病毒其实是一个 Download 病毒,运行后会继续下载其他的病毒!( Rising命名错误
病毒运行后首先释放自己和库文件到:
C:\Program Files\Internet Explorer\PLUGINS\ NewTemp.bak
C:\Program Files\Internet Explorer\PLUGINS\ NewTemp.dll
向所有分区释放:
X:\ PegeFile.pif
X:\ autorun.inf

病毒将库文件注入到 explorer.exe 进程,伺机作案。
若是可以链接网络,它会下载以下病毒到用户的机器上,(很多。。。)

C:\DOCUME~1\TestUser\LOCALS~1\Temp\2.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\1.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\3.exe
C:\WINDOWS\system32\ztinetzt.exe
C:\WINDOWS\system32\ztinetzt.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\4.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\5.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\6.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso0.dll
C:\WINDOWS\system32\Ravasktao.exe
C:\WINDOWS\system32\Ravasktao.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\9.exe
C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp
C:\Program Files\Internet Explorer\PLUGINS\System64.Sys
C:\DOCUME~1\TestUser\LOCALS~1\Temp\10.exe
C:\WINDOWS\system32\Drivers\usbinte.sys
C:\WINDOWS\system32\visin.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\11.exe
C:\WINDOWS\system32\mydata.exe
C:\WINDOWS\system32\moyu103.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\13.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\14.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\15.exe
C:\WINDOWS\system32\wuclmi.exe
C:\WINDOWS\system32\wincfg.exe
C:\WINDOWS\system32\mvdbc.exe
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\npf_mgm.exe
C:\WINDOWS\system32\daemon_mgm.exe
C:\WINDOWS\system32\NetMonInstaller.exe
C:\WINDOWS\system32\rpcapd.exe
C:\WINDOWS\system32\capinstall.exe

修改注册表:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
" wosa" = %TEMP%WOSO.EXE
" mhsa" = %TEMP%MHSO.EXE
" Microsoft Autorun14" = %SYSTEM%\ZTINETZT.EXE
" rxsa" = %TEMP%RXSO.EXE
" qjsa" = %TEMP%QJSO.EXE
" Microsoft Autorun9" = %SYSTEM%\RAVASKTAO.EXE
" tlsa" = %TEMP%TLSO.EXE
" dasa" = %TEMP%DASO.EXE
" wlsa" = %TEMP%WLSO.EXE
" wgsa" = %TEMP%WGSO.EXE
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
" visin" = %SYSTEM%\VISIN.EXE
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
"{ 0EA66AD2-CF26-2E23-532B-B292E22F3266}" =
"{ 754FB7D8-B8FE-4810-B363-A788CD060F1F}" =
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ nm
(Display Name)Network Monitor Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NMNT.SYS
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
(Display Name)NetGroup Packet Filter Driver = (IMAGEPATH)SYSTEM32\DRIVERS\NPF.SYS
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd
(Display Name)Remote Packet Capture Protocol v.0 (experimental) = (IMAGEPATH)"%PROGRAMFILES%\WINPCAP\RPCAPD.EXE" -D -F "%PROGRAMFILES%\WINPCAP\RPCAPD.INI"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys
      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 0EA66AD2-CF26-2E23-532B-B292E22F3266}
      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 425882B0-B0BF-11CE-B59F-00AA006CB37D}
      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 754FB7D8-B8FE-4810-B363-A788CD060F1F}
      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ 944AD531-B09D-11CE-B59C-00AA006CB37D}
      HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ D413C502-3FAA-11D0-B254-444553540000}
 

你可能感兴趣的:(职场,病毒,休闲,autorun)