都是高手我来学习 - 2007-4-18 14:58:00
Please take a look. Kaspersky found a lot of viruses, and the system is very unstable now. Thank you all!
都是高手我来学习 - 2007-4-18 14:59:00
[CODE]
2007-04-18,14:43:05
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<EXPLORER><C:\Program Files\Common Files\System\wab32res.exe> []
<yu341ur><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\iexpl0re.exe> []
<lbt><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\crasos.exe> []
<9ybb3sulz><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\1explore.exe> []
<4srqy87dt><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Servera.exe> []
<q4><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\c0nime.exe> []
<5gd3hu9ufmbxe><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\winlog0n.exe> []
<g04bg><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\rundl132.exe> []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<High Definition Audio Property Page Shortcut><HDAShCut.exe> [(Verified)Microsoft Windows Publisher]
<SoundMAXPnP><C:\Program Files\Analog Devices\Core\smax4pnp.exe> [Analog Devices, Inc.]
<SoundMAX><"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray> [Analog Devices, Inc.]
<PRONoMgrWired><C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe> [Intel(R) Corporation]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><nwiz.exe /install> [NVIDIA Corporation]
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<kav><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll> [Kaspersky Lab]
都是高手我来学习 - 2007-4-18 15:00:00
启动文件夹
N/A
==================================
服务
[卡巴斯基反病毒6.0 / AVP][Stopped/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r><Kaspersky Lab>
[TCP/IP Check / Hello Download][Stopped/Auto Start]
<C:\Program Files\Common Files\System\wab32res.exe><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Intel NCS NetService / NetSvc][Stopped/Manual Start]
<C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe><Intel(R) Corporation>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
==================================
驱动程序
[ADI UAA Function Driver for High Definition Audio Service / ADIHdAudAddService][Running/Manual Start]
<system32\drivers\ADIHdAud.sys><Analog Devices, Inc.>
[AEAudio Service / AEAudioService][Running/Manual Start]
<system32\drivers\AEAudio.sys><Andrea Electronics Corporation>
[Intel(R) PRO/1000 Network Connection Driver / E1000][Running/Manual Start]
<system32\DRIVERS\e1000325.sys><Intel Corporation>
[Microsoft UAA Function Driver for High Definition Audio Service / HdAudAddService][Stopped/Manual Start]
<system32\drivers\HdAudio.sys><Windows (R) Server 2003 DDK provider>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[SenFilt Service / SenFiltService][Running/Manual Start]
<system32\drivers\Senfilt.sys><Sensaura>
[WINIO / WINIO][Stopped/Manual Start]
<\??\G:\winio.sys><N/A>
==================================
浏览器加载项
[Web反病毒保护]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll, Kaspersky Lab>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\flash.ocx, Macromedia, Inc.>
==================================
正在运行的进程
[PID: 668][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 732][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1796][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\nvcpl.dll] [NVIDIA Corporation, 6.14.10.8040]
[C:\WINDOWS\system32\nvshell.dll] [NVIDIA Corporation, 6.14.10.10525]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Msxo0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Kavs0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Rav20.dll] [N/A, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll] [Kaspersky Lab, 6.0.0.299]
[PID: 1884][C:\Program Files\Analog Devices\Core\smax4pnp.exe] [Analog Devices, Inc., 6, 0, 0, 20]
[C:\Program Files\Analog Devices\Core\SMWDMIF.dll] [Analog Devices, Inc., 6, 0, 0, 012]
[PID: 1892][C:\Program Files\Analog Devices\SoundMAX\Smax4.exe] [Analog Devices, Inc., 5, 2, 0, 9]
[PID: 1900][C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe] [Intel(R) Corporation, 7.2.3.2]
[C:\Program Files\Intel\PROSetWired\NCS\PROSet\CHSPGUIR.dll] [Intel(R) Corporation, 7.2.3.2]
[C:\Program Files\Intel\PROSetWired\NCS\PROSet\8023\PNC802_3.dll] [Intel(R) Corporation, 7.2.3.2]
[C:\Program Files\Intel\PROSetWired\NCS\PROSet\8023\CHSPCMRs.dll] [Intel(R) Corporation, 7.2.3.2]
[PID: 1936][C:\WINDOWS\system32\RUNDLL32.EXE] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\NvMcTray.dll] [NVIDIA Corporation, 6.14.10.8040]
[PID: 1952][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2024][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2852][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3368][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3852][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3872][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2612][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2636][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2544][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3668][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1620][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 616][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3832][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 404][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 4084][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 684][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2292][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3836][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2948][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3244][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3208][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3048][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3848][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 4000][C:\WINDOWS\system32\notepad.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3096][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1140][C:\WINDOWS\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 744][E:\病毒专用软件\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Rav20.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Kavs0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Msxo0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
都是高手我来学习 - 2007-4-18 15:00:00
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
127.0.0.1 mmm.caifu18.net
127.0.0.1 www.18dmm.com
127.0.0.1 d.qbbd.com
127.0.0.1 www.5117music.com
127.0.0.1 www.union123.com
127.0.0.1 www.wu7x.cn
127.0.0.1 www.54699.com
127.0.0.1 60.169.0.66
127.0.0.1 60.169.1.29
127.0.0.1 www.97725.com
127.0.0.1 down.97725.com
127.0.0.1 ip.315hack.com
127.0.0.1 ip.54liumang.com
127.0.0.1 www.41ip.com
127.0.0.1 xulao.com
127.0.0.1 www.heixiou.com
127.0.0.1 www.9cyy.com
127.0.0.1 www.hunll.com
127.0.0.1 www.down.hunll.com
127.0.0.1 do.77276.com
127.0.0.1 www.baidulink.com
127.0.0.1 adnx.yygou.cn
127.0.0.1 222.73.220.45
127.0.0.1 www.f5game.com
127.0.0.1 www.guazhan.cn
127.0.0.1 wm,103715.com
127.0.0.1 www.my6688.cn
127.0.0.1 i.96981.com
127.0.0.1 d.77276.com
127.0.0.1 www1.cw988.cn
127.0.0.1 cool.47555.com
127.0.0.1 www.asdwc.com
127.0.0.1 55880.cn
127.0.0.1 61.152.169.234
127.0.0.1 cc.wzxqy.com
127.0.0.1 www.54699.com
127.0.0.1 t.gcuj.com
127.0.0.1 www.puma163.com
127.0.0.1 ceoww.com
==================================
API HOOK
RVA 错误: LoadLibraryA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF4D3AB25)
RVA 错误: LoadLibraryExA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF4D3AD67)
RVA 错误: LoadLibraryExW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF4D3AF0B)
RVA 错误: LoadLibraryW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xF4D3AC49)
RVA 错误: GetProcAddress (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0xF4D3AE8F)
==================================
隐藏进程
N/A
==================================
[/CODE]
都是高手我来学习 - 2007-4-18 15:04:00
Thanks in advance. Please help me fix this. It has been 3 days; I have been trying to repair it for 3 days.
姑苏残月 - 2007-4-18 15:10:00
<EXPLORER><C:\Program Files\Common Files\System\wab32res.exe> []
<yu341ur><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\iexpl0re.exe> []
<lbt><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\crasos.exe> []
<9ybb3sulz><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\1explore.exe> []
<4srqy87dt><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Servera.exe> []
<q4><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\c0nime.exe> []
<5gd3hu9ufmbxe><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\winlog0n.exe> []
<g04bg><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\rundl132.exe> []
<C:\Program Files\Common Files\System\wab32res.exe><N/A>
<\??\G:\winio.sys><N/A>
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Msxo0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Kavs0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Rav20.dll] [N/A, ]
Kill everything listed above.
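The selection made in the reply above can be reproduced mechanically. The following is an added example, not part of the original thread and not SREng's own logic: it reads Run entries in the log's `<value><command> [signer]` form and reports the ones with an empty signer, noting whether the file sits in a Temp directory and whether its name imitates a Windows binary by swapping `0`/`1` for letters. The `KNOWN` list and the reason labels are assumptions made for this example.

```python
import ntpath
import re

# Excerpt of the Run entries from the SREng log posted in this thread.
SAMPLE = r"""
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<EXPLORER><C:\Program Files\Common Files\System\wab32res.exe> []
<yu341ur><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\iexpl0re.exe> []
<9ybb3sulz><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\1explore.exe> []
<g04bg><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\rundl132.exe> []
<kav><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"> [Kaspersky Lab]
"""

# Assumption: a short list of Windows binaries whose names are often imitated.
KNOWN = ["iexplore.exe", "winlogon.exe", "conime.exe", "rundll32.exe", "csrss.exe"]

ENTRY = re.compile(r"^<([^<>]*)><([^<>]*)> \[(.*)\]$")
# Fold characters that look alike so "1explore" and "iexplore" compare equal.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l"})


def skeleton(name):
    return name.lower().translate(FOLD)


def triage(log_text):
    """Return (value_name, file_name, reasons) for every unsigned Run entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        value, command, signer = m.groups()
        # Skip empty values such as <load><> and anything with a signer.
        if not command or signer.strip():
            continue
        exe = ntpath.basename(command.strip('"')).lower()
        reasons = ["unsigned"]
        if "\\temp\\" in command.lower():
            reasons.append("temp-path")
        for real in KNOWN:
            # Same skeleton but a different spelling means an imitation.
            if exe != real and skeleton(exe) == skeleton(real):
                reasons.append("lookalike:" + real)
        findings.append((value, exe, reasons))
    return findings


if __name__ == "__main__":
    for value, exe, reasons in triage(SAMPLE):
        print(value, exe, ",".join(reasons))
```

Entries such as `crasos.exe` and `Servera.exe` from the same log carry no digit substitution, so they would be reported only as `unsigned` and `temp-path`.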
︶ㄣ┇奇迹┇ - 2007-4-18 15:16:00
Open SREng.
Under Startup Items > Registry, delete the following entries:
<EXPLORER><C:\Program Files\Common Files\System\wab32res.exe>
(Check whether the following files exist on your computer; if they do, delete them as well.)
C:\Program Files\Common Files\System\directdb.exe
C:\Program Files\Common Files\System\temp.ini
C:\Program Files\Common Files\System\avp.ini
C:\Program Files\Common Files\System\temp.txt
<yu341ur><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\iexpl0re.exe> []
<lbt><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\crasos.exe> []
<9ybb3sulz><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\1explore.exe> []
<4srqy87dt><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Servera.exe> []
<q4><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\c0nime.exe> []
<5gd3hu9ufmbxe><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\winlog0n.exe> []
<g04bg><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\rundl132.exe> []
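Open SREng and delete the following service.
Under "Startup Items" - "Services" - "Win32 Service Applications", click "Hide verified Microsoft items",
select the following item, click "Delete Service", then click "Set", and click "No" in the dialog that pops up: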
[TCP/IP Check / Hello Download][Stopped/Auto Start]
<C:\Program Files\Common Files\System\wab32res.exe><N/A>
Delete the following driver entry:
[WINIO / WINIO][Stopped/Manual Start]
<\??\G:\winio.sys><N/A>
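Double-click My Computer, then go to Tools, Folder Options, View. Select "Show hidden files and folders" and clear the check mark in front of "Hide protected operating system files (Recommended)". When prompted to confirm the change, click "Yes", then click OK and delete these files: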
C:\Program Files\Common Files\System\wab32res.exe
G:\winio.sys
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\LgSy0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Msxo0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Kavs0.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\LgSy1.dll] [N/A, ]
[C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Rav20.dll] [N/A, ]
Delete all files in the C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\ directory.
Open SRE - System Repair - HOSTS File.
Clear the addresses listed in your log.
天月来了 - 2007-4-18 15:19:00
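There are so many that even 残月 couldn't be bothered to explain.
In Safe Mode, use SREng to delete the registry entries and use IceSword to delete the corresponding files.
I suggest deleting with IceSword wherever you can.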
火影忍者 - 2007-4-18 15:22:00
There really are too many.
Wow... you might as well reinstall... or clean it up slowly...
Clear the hosts file.
lxr123 - 2007-4-18 15:28:00
<yu341ur><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\iexpl0re.exe> []
<lbt><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\crasos.exe> []
<9ybb3sulz><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\1explore.exe> []
<4srqy87dt><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\Servera.exe> []
<q4><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\c0nime.exe> []
<5gd3hu9ufmbxe><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\winlog0n.exe> []
<g04bg><C:\DOCUME~1\ZHANGY~1\LOCALS~1\Temp\rundl132.exe> []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
Even a newbie like me could spot these, haha...