Stumbled on this by accident; I tried it, and it sails straight past 360 Safeguard (not 360 Antivirus) with no prompt whatsoever. Since it is not an autostart item, I have not verified whether there would be a prompt at startup.
On to the main topic:
This afternoon I was watching porn in a virtual machine, and one of the videos was stored on a file-hosting site, www.gogobox.com.tw, which requires its own download tool. Since it was a VM, I didn't care whether it got infected, so I installed gogobox.
We know that even for security software, such as antivirus, HIPS, and common utilities, 360 still shows a small green prompt window even when the file is safe.
If it cannot tell whether a file is a problem, it shows a yellow prompt window.
If 360's signature database has a trojan signature for it, it shows a red window and refuses to let it run.
But right up to the end of the gogobox installation, 360 never said a word. This accidental discovery immediately got me excited.
After uninstalling it, I ran regsnap to snapshot the registry, set it to watch files on the C: drive, and installed gogobox to completion. Then I took another registry snapshot and compared it with the first.
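The snapshot-and-compare step above, as an added example that is not regsnap's code and not part of the original post: a small Python diff over two regedit-style exports that buckets keys and values into added, removed and modified, the same three lists a regsnap report is built from. It assumes .reg export syntax; the BEFORE and AFTER snapshots are constructed text modelled on keys the post lists, not taken from a real machine.

```python
# Regsnap-style registry diff: added example, not regsnap's own code or the post's.
# BEFORE/AFTER are constructed .reg-export text modelled on keys the post lists.
import re
from typing import Dict, Optional, Tuple
Snapshot = Dict[str, Dict[str, Tuple[str, str]]]  # key path -> {name: (type, data)}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _decode(literal: str) -> Tuple[str, str]:
    """Map a .reg value literal to the (REG_* type, data) pair regsnap prints."""
    if literal.startswith("dword:"):
        return "REG_DWORD", str(int(literal[6:], 16))
    if literal.startswith("hex:"):
        return "REG_BINARY", literal[4:].replace(",", " ").upper()
    if len(literal) >= 2 and literal[0] == literal[-1] == '"':
        return "REG_SZ", re.sub(r"\\(.)", r"\1", literal[1:-1])  # undo \\ and \" escapes
    return "UNKNOWN", literal


def parse_reg(text: str) -> Snapshot:
    """Parse regedit export text; keys without values are kept so new keys show up."""
    snap: Snapshot = {}
    current: Optional[str] = None
    for raw in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # rejoin wrapped hex lines
        line = raw.strip()  # header, blank and unrecognised lines match neither regex
        if (m := _KEY_RE.match(line)):
            current = m.group(1)
            snap.setdefault(current, {})
        elif (m := _VAL_RE.match(line)) and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            snap[current][name] = _decode(m.group(2))
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, list]:
    """Bucket changes as (key, name, old, new) into added/removed/modified; name is None for a whole key."""
    out: Dict[str, list] = {"added": [], "removed": [], "modified": []}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old is None:
            out["added"].append((key, None, None, None))
            out["added"].extend((key, n, None, v) for n, v in new.items())
        elif new is None:
            out["removed"].append((key, None, None, None))
        else:
            for name in sorted(set(old) | set(new)):
                o, n = old.get(name), new.get(name)
                if o != n:
                    kind = "added" if o is None else "removed" if n is None else "modified"
                    out[kind].append((key, name, o, n))
    return out


BEFORE = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum]
"Count"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl1]
"InData"=hex:de,29,de,02,\
  00,00,00,00
'''
AFTER = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum]
"Count"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl1]
"InData"=hex:0a,2b,de,02,\
  00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58722EA6-FC55-44DB-A9A8-B42DA149D816}\InprocServer32]
@="C:\\PROGRA~1\\NextLink\\GOGOBOX\\GMULTI~1.OCX"
'''
```

Calling `diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER))` yields two modified values (the kl1 InData bytes and the kmixer Count DWORD 0 to 1) and one added key with its default value.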
18 keys were modified and 126 keys were added:
Modified keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\Discardable\PostSetup\ShellNew\~reserved~
New: type: REG_BINARY, length: 24 (0x18) bytes
  18 00 00 00 01 00 01 00 D9 07 0B 00 05 00 14 00
  0F 00 2F 00 26 00 22 02
Old: type: REG_BINARY, length: 24 (0x18) bytes
  18 00 00 00 01 00 01 00 D9 07 0B 00 05 00 14 00
  0E 00 1F 00 28 00 E4 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\MenuOrder\Start Menu2\Programs\Order
New: type: REG_BINARY, length: 3258 (0xcba) bytes
  000000: 08 00 00 00 02 00 00 00 B2 0C 00 00 01 00 00 00
  000010: 17 00 00 00 9C 00 00 00 00 00 00 00 8E 00 00 00
  000020: 41 75 67 4D 02 00 00 00 01 00 00 00 7C 00 32 00
  000030: 8E 01 00 00 B3 3A ED 48 20 00 57 49 4E 44 4F 57
  ...more...
Old: type: REG_BINARY, length: 3152 (0xc50) bytes
  000000: 08 00 00 00 02 00 00 00 48 0C 00 00 01 00 00 00
  000010: 16 00 00 00 9C 00 00 00 00 00 00 00 8E 00 00 00
  000020: 41 75 67 4D 02 00 00 00 01 00 00 00 7C 00 32 00
  000030: 8E 01 00 00 B3 3A ED 48 20 00 57 49 4E 44 4F 57
  ...more...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\StartPage\StartMenu_Balloon_Time
New: type: REG_BINARY, length: 8 (0x8) bytes
  46 E4 8D B1 B5 69 CA 01
Old: type: REG_BINARY, length: 8 (0x8) bytes
  12 01 43 5F AB 69 CA 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU
New: type: REG_BINARY, length: 16 (0x10) bytes
  07 00 00 00 AE 00 00 00 10 CB ED 9B B5 69 CA 01
Old: type: REG_BINARY, length: 16 (0x10) bytes
  07 00 00 00 AD 00 00 00 40 9F 1A 57 B5 69 CA 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG
New: type: REG_BINARY, length: 16 (0x10) bytes
  07 00 00 00 61 00 00 00 60 33 9B 9A B5 69 CA 01
Old: type: REG_BINARY, length: 16 (0x10) bytes
  07 00 00 00 60 00 00 00 B0 34 89 56 B5 69 CA 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ColInfo
New: type: REG_BINARY, length: 112 (0x70) bytes
  000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  000010: FD DF DF FD 0F 00 04 00 20 00 10 00 28 00 3C 00
  000020: 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00
  000030: B4 00 60 00 78 00 78 00 00 00 00 00 01 00 00 00
  ...more...
Old: type: REG_BINARY, length: 92 (0x5c) bytes
  000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  000010: FD DF DF FD 0F 00 04 00 20 00 10 00 00 00 28 00
  000020: 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00
  000030: B4 00 60 00 78 00 78 00 00 00 00 00 00 00 00 00
  ...more...
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1440x900(1)
New: type: REG_BINARY, length: 1968 (0x7b0) bytes
  000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  000010: 15 00 00 00 02 00 00 00 14 00 1F 50 E0 4F D0 20
  000020: EA 3A 69 10 A2 D8 08 00 2B 30 30 9D 15 00 00 00
  000030: 51 00 00 00 14 00 1F 58 60 2C 8D 20 EA 3A 69 10
  ...more...
Old: type: REG_BINARY, length: 1968 (0x7b0) bytes
  000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  000010: 15 00 00 00 02 00 00 00 14 00 1F 50 E0 4F D0 20
  000020: EA 3A 69 10 A2 D8 08 00 2B 30 30 9D 15 00 00 00
  000030: 51 00 00 00 14 00 1F 58 60 2C 8D 20 EA 3A 69 10
  ...more...
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\409
New: string: "Controls that are safely scriptable"
Old: string: "Controls safely scriptable!"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\409
New: string: "Controls safely initializable from persistent data"
Old: string: "Controls safely initializable from persistent data!"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
New: type: REG_BINARY, length: 80 (0x50) bytes
  000000: C3 2E 2C 78 E2 40 54 D5 51 0D 82 80 4E 0E 6A 7A
  000010: 2E 4A D2 CA AC 7E 9D 51 A3 33 28 93 25 DC 4F F8
  000020: 56 36 7A 81 8B C7 C7 03 93 92 27 F3 94 86 EF 47
  000030: E0 C2 0B 80 E4 12 96 BF 18 C4 7E 7A FA 12 89 22
  000040: 03 A7 8E 08 84 72 20 F7 88 8F 60 89 73 F5 1D CD
Old: type: REG_BINARY, length: 80 (0x50) bytes
  000000: DE E6 33 1A C1 57 5A B9 46 11 99 21 38 10 2F 37
  000010: 63 3A 31 5D 67 C1 C1 58 70 B6 51 DC 8D 19 B7 9E
  000020: D0 41 AE BC 55 A1 39 68 70 2D 43 75 EA 8B C6 FA
  000030: 93 27 51 6D 83 FF 77 AC 2E E6 A6 04 83 6B 1E 90
  000040: E5 57 75 57 5F 6A 2F E9 BE E4 FA 75 A5 3D FE 69
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kl1\InData
New: type: REG_BINARY, length: 8 (0x8) bytes
  0A 2B DE 02 00 00 00 00
Old: type: REG_BINARY, length: 8 (0x8) bytes
  DE 29 DE 02 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kl1\OutData
New: type: REG_BINARY, length: 8 (0x8) bytes
  FB 58 36 00 00 00 00 00
Old: type: REG_BINARY, length: 8 (0x8) bytes
  09 55 36 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer\Enum\Count
New: DWORD: 1 (0x1)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance
New: DWORD: 1 (0x1)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl1\InData
New: type: REG_BINARY, length: 8 (0x8) bytes
  0A 2B DE 02 00 00 00 00
Old: type: REG_BINARY, length: 8 (0x8) bytes
  DE 29 DE 02 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl1\OutData
New: type: REG_BINARY, length: 8 (0x8) bytes
  FB 58 36 00 00 00 00 00
Old: type: REG_BINARY, length: 8 (0x8) bytes
  09 55 36 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count
New: DWORD: 1 (0x1)
Old: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance
New: DWORD: 1 (0x1)
Old: DWORD: 0 (0)
————–
Total: 18
New keys
————–
Total: 126
The new keys aren't much to look at; the ones that matter are these two:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Order
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Balloon_Time
360, the idiot, apparently doesn't watch this key.
So now I have an idea for getting past 360: just add one statement to the trojan so that it drops itself into this directory and then autostarts; that should get past 360 cleanly.
This idea is still unverified; I'll try it tonight when I have time.
I never use 360.
Speaking of which, why is it that every time I visit your blog my details don't get saved?
Heh, even the blogger's porn watching is this professional.
Did you try it? Did it work?
So much admiration.
Even watching porn is done this meticulously.