Computer Company Special Edition (电脑公司特别版) 7.0: Rogue Software Test and a Record of Converting It into a Clean Edition

05fefed54a9865aa54f0c782ad048128 GhostXP_SP2电脑公司特别版_7.0.iso
ccdca6faa9eaa61b86c60f57f1b54c3b WINXPSP2.GHO

The following quotes Phexon's analysis report on Donghai's junk Computer Company Edition (电脑公司版) 7.0

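QUOTE:
I. Rogue software is bundled.
1. 3721 Chinese Internet access (3721中文上网)
2. IE search toolbar
II. Hosts hijack of auto.search.msn.com
The hosts file contains this line:
219.153.32.215 auto.search.msn.com
In testing, opening 219.153.32.215 redirects to tomatolei.265.com, and tomatolei.265.com belongs to none other than 大番茄 (Big Tomato). It seems 大番茄 and Donghai are now standing together.
III. System startup entries and similar locations.
1. Two extra BHOs have appeared:
(1) C:\WINDOWS\Downloaded Program Files\CnsHook.dll
(Obviously, this one belongs to 3721.)
(2) C:\WINDOWS\system32\IEBHO.dll
(This is the IE search toolbar's file.)
2. There is one Toolbar entry:
C:\WINDOWS\system32\IETool.dll
3. Startup entries
Location: HKLM\...\RUN
(1) Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
(2) C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
Location: HKLM\...\Runonce
C:\WINDOWS\tasks\task1.exe
This task1.exe is hidden really well. It is hidden in a special system folder. Because this folder is the Scheduled Tasks folder, it shows only scheduled tasks and no other files. So with the file placed here, an ordinary novice cannot find a way to delete it. Analysing this task1.exe: it is a RAR self-extracting file. Look at the self-extraction parameters: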


CODE:
;The comment below contains self-extraction script commands

Path=C:\WINDOWS\system32
SavePath
Silent=1
Overwrite=1
Shortcut=D, "淘宝网.lnk", "", "", "淘宝网"
Shortcut=P, "淘宝网.lnk", "", "", "淘宝网"

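Note: this is the Taobao extraction package; it contains one URL and one icon,
two files in total. It is not malicious software. This package is placed in the tasks
directory so that it is easy to find and modify during production, and for no other
reason. The system's documentation has openly stated that this system includes the Taobao icon.

This note is given specifically to avoid misunderstanding.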



This person is shameless: the icon file and the url file are put into the system32 folder, which is crowded with files. And when this task1.exe runs, it runs in silent mode.
4. IE buttons
(1) Yahoo 3.5G Mail http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail
(2) Brand-name discounts (名品折扣) http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816
(3) Yahoo Assistant (雅虎助手) http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist
(4) Yahoo WIDGET http://cn.widget.yahoo.com/index.htm?source=Cns
(5) Scenario chat (情景聊天) http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg
(6) Repair browser http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair
(7) Clear browsing history http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean
IV. The Favorites folder is full of junk.
V. The IE home page is set to http://dh.ez597.com/. This address also redirects automatically to dh.265.com
Cleaning up 3721 Internet Assistant (上网助手), Yahoo Network Real Name (网络实名), etc.
Delete folders
%programfiles%\3721 (13 files & 1 folder)
%windir%\Downloaded Program Files (30 files & 1 folder)
%windir%\Web\index.htm (1 web page file, hao123)
%windir%\Web\index.files (18 files & 1 folder)
%programfiles%\Common Files\Real\GToolbar
Delete files
%windir%\System32\Drivers\CnsMinKP.sys
%windir%\system32\cns.dll
%windir%\system32\cns.dat
%windir%\system32\cns.exe
%windir%\system32\Dllreg.dll
%windir%\system32\IETool.dll
%windir%\system32\IEBHO.dll
Delete registry entries

CODE:

Windows Registry Editor Version 5.00

;3721
[-HKEY_LOCAL_MACHINE\SOFTWARE\3721]
[-HKEY_CURRENT_USER\software\3721]
[-HKEY_CLASSES_ROOT\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}]
[-HKEY_CLASSES_ROOT\CLSID\{ABEC6103-F6AC-43A3-834F-FB03FBA339A2}]
[-HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}]
[-HKEY_CLASSES_ROOT\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}]
[-HKEY_CLASSES_ROOT\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}]
[-HKEY_CLASSES_ROOT\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}]
[-HKEY_CLASSES_ROOT\TypeLib\{F9AD9D67-EFA8-480E-8291-0163F3960DE7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin]
[-HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\3721]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=-

;Network Real Name (网络实名) cns
[-HKEY_CLASSES_ROOT\CnsHelper.CH]
[-HKEY_CLASSES_ROOT\CnsHelper.CH.1]
[-HKEY_CLASSES_ROOT\CnsMinHK.CnsHook.1]
[-HKEY_CLASSES_ROOT\CnsMinHK.CnsHook]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CnsMinKP]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CnsMinKP]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CNSMINKP]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\CnsMinKP]
[-HKEY_CLASSES_ROOT\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}]
[-HKEY_CLASSES_ROOT\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}]
[-HKEY_CLASSES_ROOT\Interface\{48E688C8-609F-4B08-944E-3C7FAB99CD08}]
[-HKEY_CLASSES_ROOT\AutoLive.Live]
[-HKEY_CLASSES_ROOT\AutoLive.Live.1]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CNSMINKP]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CNSMINKP]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"CNSMenu"=-
"CNSHint"=-
"CNSReset"=-
"CNSEnable"=-
"CNSList"=-
"CNSAutoUpdate"=-

;yahoo Internet Assistant (上网助手)
[-HKEY_CLASSES_ROOT\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_A0]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A0]

;IEBHO
[-HKEY_CLASSES_ROOT\SearchHook.SrchHook]
[-HKEY_CLASSES_ROOT\SearchHook.SrchHook.1]
[-HKEY_CLASSES_ROOT\CLSID\{F08555B0-9CC3-11D2-AA8E-000000000000}]
[-HKEY_CLASSES_ROOT\TypeLib\{F08555A1-9CC3-11D2-AA8E-000000000000}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F08555B0-9CC3-11D2-AA8E-000000000000}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F08555B0-9CC3-11D2-AA8E-000000000000}]
[-HKEY_CLASSES_ROOT\SearchHook.URLSearchHook]
[-HKEY_CLASSES_ROOT\SearchHook.URLSearchHook.1]
[-HKEY_CLASSES_ROOT\CLSID\{C5067F59-9D0D-11D2-AA90-000000000000}]
[-HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{D157330A-9EF3-49F8-9A67-4141AC41ADD4} {00000000-0000-0000-C000-000000000046} 0x401"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D157330A-9EF3-49F8-9A67-4141AC41ADD4}"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{D157330A-9EF3-49F8-9A67-4141AC41ADD4} {00000000-0000-0000-C000-000000000046} 0x401"=-


;IE search toolbar
[-HKEY_CLASSES_ROOT\CLSID\{BE830FD4-E393-417F-9F4B-CC70ABB3384C}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BE830FD4-E393-417F-9F4B-CC70ABB3384C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BE830FD4-E393-417F-9F4B-CC70ABB3384C}"=-
[-HKEY_CLASSES_ROOT\Interface\{F08555AF-9CC3-11D2-AA8E-000000000000}]


;IE add-ons
;Yahoo 3.5G Mail
;taobao brand-name discounts
;Yahoo Assistant
;Yahoo WIDGET
;yahoo scenario chat
;yahoo repair browser
;yahoo clear browsing history
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{507F9113-CD77-4866-BA92-0E86DA3D0B97}"=-
"{59BC54A2-56B3-44a0-93E5-432D58746E26}"=-
"{5D73EE86-05F1-49ed-B850-E423120EC338}"=-
"{6354ABE6-05F1-49ed-B850-E423120EC338}"=-
"{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}"=-
"{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}"=-
"{FD00D911-7529-4084-9946-A29F1BDF4FE5}"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{507F9113-CD77-4866-BA92-0E86DA3D0B97}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59BC54A2-56B3-44A0-93E5-432D58746E26}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D73EE86-05F1-49ED-B850-E423120EC338}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6354ABE6-05F1-49ED-B850-E423120EC338}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ECF2E268-F28C-48D2-9AB7-8F69C11CCB71}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD00D911-7529-4084-9946-A29F1BDF4FE5}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{507F9113-CD77-4866-BA92-0E86DA3D0B97}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{59BC54A2-56B3-44a0-93E5-432D58746E26}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6354ABE6-05F1-49ed-B850-E423120EC338}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}]

[-HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{507F9113-CD77-4866-BA92-0E86DA3D0B97}]
[-HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59BC54A2-56B3-44A0-93E5-432D58746E26}]
[-HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D73EE86-05F1-49ED-B850-E423120EC338}]
[-HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6354ABE6-05F1-49ED-B850-E423120EC338}]
[-HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}]
[-HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ECF2E268-F28C-48D2-9AB7-8F69C11CCB71}]
[-HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD00D911-7529-4084-9946-A29F1BDF4FE5}]

;Startup entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"helper.dll"=-
"CnsMin"=-

;IE repair (search is changed to Google here)
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Default_Search_URL"="http://www.google.com"
"Search Page"="http://www.google.com"


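Remove the hosts hijack by 番茄 (Tomato)
Open %windir%\system32\Drivers\etc\hosts in Notepad
Delete the following line
219.153.32.215 auto.search.msn.com

Remove the Taobao icon extractor from the Scheduled Tasks folder
Delete file
%windir%\tasks\task1.exe
Registry adjustment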
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"task1"=-

IE home page fix
There is one small detail here
The target of the IE shortcut in Quick Launch is
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" c:\windows\web\index.htm
so by default it opens C:\WINDOWS\Web\index.htm, which is hao123
Modify the self-extracting file Ghost\replaced\launch.exe
and change the target of 启动 Internet Explorer 浏览器.lnk inside it to "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
as well as
Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk

Adjust the home page in the registry
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Default_Search_URL"="http://www.google.com"
"Search Page"="http://www.google.com"

For the Google Toolbar, some of the registry values can be cleaned
Delete
%programfiles%\Common Files\Real\GToolbar
Delete from the registry

CODE:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Common Files\\Real\\GToolbar\\BarControl.dll"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\GoogleToolbarInstaller.exe"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\GoogleToolbarInstaller98.exe"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\gdsapi.dll"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\GDSSetup.exe"=-

[-HKEY_CLASSES_ROOT\Software\RealNetworks\Update\6.0\Preferences\Components\gds:1.1]
[-HKEY_CLASSES_ROOT\CLSID\{3338A2DD-8C8E-4AC8-94E8-FD248849D77F}]
[-HKEY_CLASSES_ROOT\CLSID\{5349B405-C992-4A4D-8EB8-5D237C5A0623}]
[-HKEY_CLASSES_ROOT\CLSID\{E876339C-2984-41F8-A49A-F908555CE4C9}]
[-HKEY_CLASSES_ROOT\Software\RealNetworks\Update\6.0\Preferences\Components\gtoolbar:6.3]
[-HKEY_CLASSES_ROOT\TypeLib\{A6A503C7-C7E1-46AA-9E86-C60197E0FB73}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BarControl.DLL]
[-HKEY_CLASSES_ROOT\AppID\{1F7595F7-05C5-489E-BB9F-6BA11ECD0CA0}]



Remove the OEM link from the Start menu (non-classic menu style)
Delete oemlinkicon.ico under windows\system32\


CODE:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\ShowOEMLink]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_ShowOEMLink"=-
[HKEY_USERS\S-1-5-21-2000478354-842925246-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_ShowOEMLink"=-



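Based on the analysis above,
the registry adjustments are split into 2 parts:
HKEY_CLASSES_ROOT
HKEY_LOCAL_MACHINE
After these 2 parts of the registry are modified via WinPE, extract the 2 registry files under \Windows\system32\config\ and replace them
Registry data files
software
system

The remaining parts are handled by importing them later via runonce
Open WINXPSP2.GHO with GHOST镜像浏览器V8.3.EXE (Ghost image explorer V8.3)
1. Delete files and folders
%programfiles%\3721 (13 files & 1 folder)
%programfiles%\Common Files\Real\GToolbar
%windir%\Downloaded Program Files (30 files & 1 folder)
%windir%\Web\index.htm (1 web page file, hao123)
%windir%\Web\index.files (18 files & 1 folder)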
%windir%\System32\Drivers\CnsMinKP.sys
%windir%\system32\cns.dll
%windir%\system32\cns.dat
%windir%\system32\cns.exe
%windir%\system32\Dllreg.dll
%windir%\system32\IETool.dll
%windir%\system32\IEBHO.dll
%windir%\tasks\task1.exe
%windir%\system32\oemlogo.bmp
%windir%\system32\oeminfo.ini
%windir%\system32\oemlinkicon.ico

2. Replace files
%windir%\system32\setup.bmp
%windir%\Temp\dragon21.jpg (note: this must be set to read-only)
Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk


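3. Adjust the registry files
Open the image GhostXP_SP2电脑公司特别版_7.0.iso with the UltraISO tool
Replace WINXPSP2.GHO in it with the image from which the files have been deleted
After replacing it, install (tested in a virtual machine)
Once Ghost has finished, do not boot into the system; boot from a WinPE disc and open drive C to modify the registry
Edit the target Windows registry from within PE
Since only values under HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT can be modified in PE,
the following registry adjustments are given for reference (they should be fairly complete)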

CODE:
Windows Registry Editor Version 5.00

;3721
[-HKEY_LOCAL_MACHINE\SOFTWARE\3721]
[-HKEY_CLASSES_ROOT\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}]
[-HKEY_CLASSES_ROOT\CLSID\{ABEC6103-F6AC-43A3-834F-FB03FBA339A2}]
[-HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}]
[-HKEY_CLASSES_ROOT\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}]
[-HKEY_CLASSES_ROOT\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}]
[-HKEY_CLASSES_ROOT\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}]
[-HKEY_CLASSES_ROOT\TypeLib\{F9AD9D67-EFA8-480E-8291-0163F3960DE7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=-

;Network Real Name (网络实名) cns
[-HKEY_CLASSES_ROOT\CnsHelper.CH]
[-HKEY_CLASSES_ROOT\CnsHelper.CH.1]
[-HKEY_CLASSES_ROOT\CnsMinHK.CnsHook.1]
[-HKEY_CLASSES_ROOT\CnsMinHK.CnsHook]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CnsMinKP]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CnsMinKP]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CNSMINKP]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CnsMinKP]
[-HKEY_CLASSES_ROOT\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}]
[-HKEY_CLASSES_ROOT\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}]
[-HKEY_CLASSES_ROOT\Interface\{48E688C8-609F-4B08-944E-3C7FAB99CD08}]
[-HKEY_CLASSES_ROOT\AutoLive.Live]
[-HKEY_CLASSES_ROOT\AutoLive.Live.1]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CNSMINKP]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CNSMINKP]

;yahoo Internet Assistant (上网助手)
[-HKEY_CLASSES_ROOT\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_A0]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A0]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a0]

;IEBHO
[-HKEY_CLASSES_ROOT\SearchHook.SrchHook]
[-HKEY_CLASSES_ROOT\SearchHook.SrchHook.1]
[-HKEY_CLASSES_ROOT\CLSID\{F08555B0-9CC3-11D2-AA8E-000000000000}]
[-HKEY_CLASSES_ROOT\TypeLib\{F08555A1-9CC3-11D2-AA8E-000000000000}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F08555B0-9CC3-11D2-AA8E-000000000000}]
[-HKEY_CLASSES_ROOT\SearchHook.URLSearchHook]
[-HKEY_CLASSES_ROOT\SearchHook.URLSearchHook.1]
[-HKEY_CLASSES_ROOT\CLSID\{C5067F59-9D0D-11D2-AA90-000000000000}]
[-HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D157330A-9EF3-49F8-9A67-4141AC41ADD4}"=-

;IE search toolbar
[-HKEY_CLASSES_ROOT\CLSID\{BE830FD4-E393-417F-9F4B-CC70ABB3384C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BE830FD4-E393-417F-9F4B-CC70ABB3384C}"=-
[-HKEY_CLASSES_ROOT\Interface\{F08555AF-9CC3-11D2-AA8E-000000000000}]

;IE add-ons
;Yahoo 3.5G Mail
;taobao brand-name discounts
;Yahoo Assistant
;Yahoo WIDGET
;yahoo scenario chat
;yahoo repair browser
;yahoo clear browsing history
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{507F9113-CD77-4866-BA92-0E86DA3D0B97}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{59BC54A2-56B3-44a0-93E5-432D58746E26}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6354ABE6-05F1-49ed-B850-E423120EC338}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}]

;Startup entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"helper.dll"=-
"CnsMin"=-

;IE repair (search is changed to Google here)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Default_Search_URL"="http://www.google.com"
"Search Page"="http://www.google.com"

;googleBarControl
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Common Files\\Real\\GToolbar\\BarControl.dll"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\GoogleToolbarInstaller.exe"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\GoogleToolbarInstaller98.exe"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\gdsapi.dll"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\GDSSetup.exe"=-
[-HKEY_CLASSES_ROOT\Software\RealNetworks\Update\6.0\Preferences\Components\gds:1.1]
[-HKEY_CLASSES_ROOT\CLSID\{3338A2DD-8C8E-4AC8-94E8-FD248849D77F}]
[-HKEY_CLASSES_ROOT\CLSID\{5349B405-C992-4A4D-8EB8-5D237C5A0623}]
[-HKEY_CLASSES_ROOT\CLSID\{E876339C-2984-41F8-A49A-F908555CE4C9}]
[-HKEY_CLASSES_ROOT\Software\RealNetworks\Update\6.0\Preferences\Components\gtoolbar:6.3]
[-HKEY_CLASSES_ROOT\TypeLib\{A6A503C7-C7E1-46AA-9E86-C60197E0FB73}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BarControl.DLL]
[-HKEY_CLASSES_ROOT\AppID\{1F7595F7-05C5-489E-BB9F-6BA11ECD0CA0}]

;OEM information cleanup
[-HKEY_CLASSES_ROOT\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\ShowOEMLink]

After the registry has been modified, extract the 2 registry files in \Windows\system32\config\: SYSTEM, SOFTWARE
Replace SYSTEM and SOFTWARE in the WINXPSP2.GHO image (\Windows\system32\config\)
Likewise, the SYSTEM and SOFTWARE hives can also be loaded and modified with Regworkshop
Also modify Documents and Settings\Administrator\NTUSER.DAT
I won't go into detail here

4. Detail changes
windows\runonce\让WMP10初次使用时不弹出向导.reg
;Remove this entry that is loaded at startup (Taobao icon)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"task1"="c:\\windows\\tasks\\task1.exe"

Open windows\system32\Drivers\etc\hosts in Notepad
Delete the following line
219.153.32.215 auto.search.msn.com

Replace Ghost\replaced\launch.exe
system cleanup

CODE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_A0]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CNSMINKP]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\a0]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CnsMinKP]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_A0]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CNSMINKP]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\a0]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CnsMinKP]


software cleanup


CODE:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\3721]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BarControl.DLL]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F7595F7-05C5-489E-BB9F-6BA11ECD0CA0}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoLive.Live]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoLive.Live.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3338A2DD-8C8E-4AC8-94E8-FD248849D77F}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5349B405-C992-4A4D-8EB8-5D237C5A0623}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABEC6103-F6AC-43A3-834F-FB03FBA339A2}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BE830FD4-E393-417F-9F4B-CC70ABB3384C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5067F59-9D0D-11D2-AA90-000000000000}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E876339C-2984-41F8-A49A-F908555CE4C9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F08555B0-9CC3-11D2-AA8E-000000000000}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsMinHK.CnsHook]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsMinHK.CnsHook.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{48E688C8-609F-4B08-944E-3C7FAB99CD08}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F08555AF-9CC3-11D2-AA8E-000000000000}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchHook.SrchHook]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchHook.SrchHook.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchHook.URLSearchHook]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchHook.URLSearchHook.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\Components\gds:1.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\Components\gtoolbar:6.3]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A6A503C7-C7E1-46AA-9E86-C60197E0FB73}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F08555A1-9CC3-11D2-AA8E-000000000000}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9AD9D67-EFA8-480E-8291-0163F3960DE7}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{507F9113-CD77-4866-BA92-0E86DA3D0B97}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{59BC54A2-56B3-44a0-93E5-432D58746E26}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6354ABE6-05F1-49ed-B850-E423120EC338}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BE830FD4-E393-417F-9F4B-CC70ABB3384C}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F08555B0-9CC3-11D2-AA8E-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D157330A-9EF3-49F8-9A67-4141AC41ADD4}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\ShowOEMLink]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CnsMin"=-
"helper.dll"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Common Files\\Real\\GToolbar\\BarControl.dll"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\gdsapi.dll"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\GDSSetup.exe"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\GoogleToolbarInstaller.exe"=-
"C:\\Program Files\\Common Files\\Real\\GToolbar\\GoogleToolbarInstaller98.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin]


ntuser.dat cleanup


CODE:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\3721]

[HKEY_CURRENT_USER\Software\3721\CnsMin]
"AddControl"=dword:00000001
"ForceHint"=dword:00000001
"KillHint"=dword:00000000
"LastActive"=dword:45405a0e
"LastCheck"=dword:4567e767
"LastCheck_BUP"=dword:19789b70
"LastCheckEx"=dword:4567e768
"LastCheckEx_BUP"=dword:19789b7f
"LastCheckUp"=dword:4567e767
"message"=dword:00000001
"PreCache"="1.0.3.7"
"UpdateHint"=dword:00000001
"UpdateIcon"=dword:0000000b

[HKEY_CURRENT_USER\Software\3721\CnsMin\Variant]
"DEK"="0"
"showfw"="1"

[HKEY_CURRENT_USER\Software\3721\CnsUrl]

[HKEY_CURRENT_USER\Software\3721\InputCns]
"1"="用你的双手点击我的激情|0|0|2"
"10"="百丽新款上市-全场仅6折|0|3|2"
"11"="搞笑贴图笑死活人不偿命|0|0|2"
"12"="美女尺度大胆自拍-搜的爽|0|0|2"
"13"="北京车展车型美女图片盘点|0|0|2"
"14"="男人爱搜女人爱看的电影|0|0|2"
"15"="人体超自然-奥妙大揭秘|0|0|2"
"16"="nike阿迪新款上市-价格超值|0|3|2"
"17"="美女帅哥相聚合租一刻|0|0|2"
"18"="连锁加盟商机特快列车|0|0|2"
"19"="雅虎-全球最新最大免费邮箱|0|0|2"
"2"="男人最爱看的视频每日更新|0|0|2"
"20"="她-记录我生命中的每次激情|0|0|2"
"21"="令人意想不到的美女邂逅|0|0|2"
"22"="打工不如开个小店|0|0|2"
"23"="在线高速听-mp3新热排行榜|0|0|2"
"24"="雅虎搜索质量赶超百度|0|0|2"
"25"="李湘博客-自爆离婚|0|0|2"
"26"="北京车展-聚焦美女车模|0|0|2"
"27"="张钰录像带-曝光演艺圈潜规则|0|0|2"
"3"="诱惑你想入非非的方寸之地|0|0|2"
"4"="要听好听请来一听|0|0|2"
"5"="芙蓉姐姐最新视频隆重发布|0|0|2"
"6"="2006热门网络游戏火爆登场|0|0|2"
"7"="最新大片抢先看|0|0|2"
"8"="阿里巴巴-900万商机免费看|0|4|2"
"9"="在线mp3免费听|0|0|2"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{507F9113-CD77-4866-BA92-0E86DA3D0B97}"=dword:00002001
"{59BC54A2-56B3-44a0-93E5-432D58746E26}"=dword:00002002
"{5D73EE86-05F1-49ed-B850-E423120EC338}"=dword:00002003
"{6354ABE6-05F1-49ed-B850-E423120EC338}"=dword:00002004
"{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}"=dword:00002005
"{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}"=dword:00002006
"{FD00D911-7529-4084-9946-A29F1BDF4FE5}"=dword:00002007

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"CNSAutoUpdate"=dword:00000001
"CNSEnable"=dword:00000001
"CNSHint"=dword:00000001
"CNSList"=dword:00000001
"CNSMenu"=dword:5c1f7c17
"CNSReset"=dword:5c1f7c17
"Search Page"="http://www.yahoo.com.cn"
"Start Page"="http://dh.ez597.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{507F9113-CD77-4866-BA92-0E86DA3D0B97}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{507F9113-CD77-4866-BA92-0E86DA3D0B97}\iexplore]
"Count"=dword:00000005
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,02,00,24,00
"Type"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59BC54A2-56B3-44A0-93E5-432D58746E26}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59BC54A2-56B3-44A0-93E5-432D58746E26}\iexplore]
"Count"=dword:00000005
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,02,00,24,00
"Type"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D73EE86-05F1-49ED-B850-E423120EC338}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D73EE86-05F1-49ED-B850-E423120EC338}\iexplore]
"Count"=dword:00000005
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,02,00,24,00
"Type"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6354ABE6-05F1-49ED-B850-E423120EC338}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6354ABE6-05F1-49ED-B850-E423120EC338}\iexplore]
"Count"=dword:00000005
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,02,00,24,00
"Type"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\iexplore]
"Flags"=dword:00000004
"Type"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BE830FD4-E393-417F-9F4B-CC70ABB3384C}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BE830FD4-E393-417F-9F4B-CC70ABB3384C}\iexplore]
"Count"=dword:00000024
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,01,00,72,02
"Type"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\iexplore]
"Count"=dword:00000040
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,32,00,72,02
"Type"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\iexplore]
"Count"=dword:00000005
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,02,00,2e,00
"Type"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ECF2E268-F28C-48D2-9AB7-8F69C11CCB71}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ECF2E268-F28C-48D2-9AB7-8F69C11CCB71}\iexplore]
"Count"=dword:00000005
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,02,00,2e,00
"Type"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F08555B0-9CC3-11D2-AA8E-000000000000}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F08555B0-9CC3-11D2-AA8E-000000000000}\iexplore]
"Count"=dword:00000049
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,32,00,72,02
"Type"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD00D911-7529-4084-9946-A29F1BDF4FE5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD00D911-7529-4084-9946-A29F1BDF4FE5}\iexplore]
"Count"=dword:00000005
"Time"=hex:d6,07,0b,00,06,00,19,00,09,00,34,00,02,00,2e,00
"Type"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{D157330A-9EF3-49F8-9A67-4141AC41ADD4} {00000000-0000-0000-C000-000000000046} 0x401"=hex:01,\
00,00,00,32,00,30,00,f0,8b,f7,29,5d,0e,c7,01

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"D:\\电脑公司特别版制作资源库\\■自动运行一次\\把runbat这个小程序释放到启动组.exe"="把runbat这个小程序释放到启动组"
"D:\\电脑公司特别版制作资源库\\■零散的文件\\死性不改S&R&S\\用这个boot覆盖C盘的.exe"="用这个boot覆盖C盘的"
"D:\\电脑公司特别版制作资源库\\■零散的文件\\死性不改S&R&S\\S&R&SV9.7.1008(接口有倒计时,显示执行的任务名称,有PE启动菜单).exe"="S&R&SV9.7.1008(接口有倒计时,显示执行的任务名称,有PE启动菜单)"
"D:\\电脑公司特别版制作资源库\\■零散的文件\\金山漏洞扫描后提供的几个Office补丁\\安全更新WindowsXP-KB917537-x86-CHS.exe"="Security Update"
"D:\\GhostXP_cns.exe"="GhostXP_cns"
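
An added example, not part of the original post: a small offline audit in Python of the two kinds of artifact the report lists, the hosts redirect and the registry autostart and IE extension points (Run, RunOnce, Browser Helper Objects, Toolbar, ShellExecuteHooks, Extensions). It reads a .reg text export and a hosts file; the sample inputs are constructed from values quoted in the post, and the function names and the pairing of Run value names with commands are assumptions.

```python
import ipaddress
import re

# Extension points where every VALUE under the key is one registration.
VALUE_POINTS = {
    r"software\microsoft\windows\currentversion\run": "Run",
    r"software\microsoft\windows\currentversion\runonce": "RunOnce",
    r"software\microsoft\internet explorer\toolbar": "IE toolbar",
    r"software\microsoft\windows\currentversion\explorer\shellexecutehooks": "ShellExecuteHook",
}
# Extension points where every SUBKEY named by a CLSID is one registration.
SUBKEY_POINTS = {
    r"software\microsoft\windows\currentversion\explorer\browser helper objects": "BHO",
    r"software\microsoft\internet explorer\extensions": "IE button",
}
KEY_RE = re.compile(r"^\[(?!-)(.+)\]$")              # "[-KEY]" is a delete directive, not data
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escaping."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s


def parse_reg(text):
    """Yield (key, value_name, data); value_name is None for the key line itself."""
    key, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = m.group(1) if m else None
            if key:
                yield key, None, None
            continue
        if line.endswith("\\"):                      # hex data continued on the next line
            pending = line[:-1]
            continue
        m = VAL_RE.match(line)
        if m and key:
            yield key, _unquote(m.group(1)), _unquote(m.group(2))


def audit_reg(text):
    """Return (category, item, detail) for each registration at a watched point."""
    findings = []
    for key, name, data in parse_reg(text):
        low = key.lower()
        if name is None:
            parent, _, child = low.rpartition("\\")
            for point, label in SUBKEY_POINTS.items():
                if parent.endswith("\\" + point) and child.startswith("{"):
                    findings.append((label, key.rpartition("\\")[2], key))
        elif data != "-":                            # '"name"=-' deletes a value
            for point, label in VALUE_POINTS.items():
                if low.endswith("\\" + point):
                    findings.append((label, name, data))
    return findings


def audit_hosts(text):
    """Return (ip, hostname) pairs that pin a name to a non-loopback address."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            hits.extend((str(ip), host.lower()) for host in fields[1:])
    return hits


# Constructed sample inputs, built from values quoted in the post above.
SAMPLE_HOSTS = "127.0.0.1 localhost\n219.153.32.215 auto.search.msn.com\n"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CnsMin"="Rundll32.exe C:\\WINDOWS\\DOWNLO~1\\CnsMin.dll,Rundll32"
"helper.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\PROGRA~1\\3721\\helper.dll,Rundll32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"task1"="c:\\windows\\tasks\\task1.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BE830FD4-E393-417F-9F4B-CC70ABB3384C}"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{507F9113-CD77-4866-BA92-0E86DA3D0B97}"=dword:00002001
'''

if __name__ == "__main__":
    for ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts: {host} -> {ip}")
    for category, item, detail in audit_reg(SAMPLE_REG):
        print(f"{category}: {item} {detail}")
```

Run against an export taken before cleanup and again afterwards, an empty result for both functions shows that none of these registration points is still populated.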
 
#2 Posted: 2007-04-10
Heh heh
I've already dropped 7.0
#1 Posted: 2007-04-10
I use the one released by FLY, heh heh