Help~~ lapyr.exe virus

There is a lapyr.exe file in the Recycle Bin directory of every drive, and every drive root has an autorun.inf:
[AutoRun]
OPEN=RECYCLER\lapyr.exe
shellexecute=RECYCLER\lapyr.exe
shell\Auto\command=RECYCLER\lapyr.exe
[system]
ver=1.5
zid=901
Last edited 2007-05-26 02:23:35.593000000
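The autorun.inf quoted above is the hook that relaunches the worm from every drive: each launch key points at an executable inside the hidden RECYCLER directory. As an added example (not code from the original post), here is a Python triage script that parses an autorun.inf and flags launch keys whose target passes through a recycle-bin or other hidden system directory; both samples are constructed, the first reproducing the file quoted in the post.

```python
import re
# Directories no legitimate autorun.inf launches from but drive worms hide in.
HIDDEN_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}
# Keys that run a program: OPEN/SHELLEXECUTE fire on AutoPlay, and
# SHELL\<verb>\COMMAND adds a drive context-menu verb that runs the payload too.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)

def parse_autorun(text):
    """Parse autorun.inf text into {section (lowercased): [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # junk outside a section, or a key with no value
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections

def suspicious_launches(text):
    """Return [(key, value)] for launch keys whose target passes through a hidden directory."""
    hits = []
    for key, value in parse_autorun(text).get("autorun", []):
        if not LAUNCH_KEY.match(key):
            continue
        parts = [p for p in value.strip('"').replace("/", "\\").lower().split("\\") if p]
        if any(p in HIDDEN_DIRS for p in parts):
            hits.append((key, value))
    return hits

# Constructed samples: WORM_SAMPLE reproduces the autorun.inf quoted in the post;
# BENIGN_SAMPLE is a CD-style autorun.inf that must not be flagged.
WORM_SAMPLE = r"""[AutoRun]
OPEN=RECYCLER\lapyr.exe
shellexecute=RECYCLER\lapyr.exe
shell\Auto\command=RECYCLER\lapyr.exe
[system]
ver=1.5
zid=901
"""
BENIGN_SAMPLE = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Product CD\n"

if __name__ == "__main__":
    print(suspicious_launches(WORM_SAMPLE))  # three hits, all RECYCLER\lapyr.exe
```

Run it against the autorun.inf found in a drive root; a non-empty result means the drive should be cleaned before it is opened from Explorer.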

hijackthis log.......

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:13:00, on 2007-5-26
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Sogou PXP\p2psvr.exe
C:\Program Files\Serv-U\ServUDaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tssdis.exe
c:\addolsrv4\UpServer.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Rising\AntiSpyware\runiep.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Serv-U\ServUTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE
C:\addolsrv4\Addol.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zsdn.exe
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\addolsrv4\AddolNetShow.exe
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Symantec AntiVirus\VPC32.EXE
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Opera\Opera.exe
C:\temp\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: windows 信息管理 - {B1B9CA6E-D469-4501-9ADC-90DC1F1EE841} - C:\WINDOWS\system32\serverhelp.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: 快车(FlashGet) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe
O4 - HKCU\..\Run: [htdhx9bldekrjdv] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexpl0re.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &使用快车(FlashGet)下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: 快车 - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: 快车(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O15 - ESC Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - ESC Trusted Zone: http://oca.microsoft.com
O15 - ESC Trusted Zone: http://windowsupdate.microsoft.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.microsoft.com (HKLM)
O15 - ESC Trusted Zone: http://go.microsoft.com (HKLM)
O15 - ESC Trusted Zone: http://msdn.microsoft.com (HKLM)
O15 - ESC Trusted Zone: http://oca.microsoft.com (HKLM)
O15 - ESC Trusted Zone: http://support.microsoft.com (HKLM)
O15 - ESC Trusted Zone: http://technet.microsoft.com (HKLM)
O15 - ESC Trusted Zone: http://windowsupdate.microsoft.com (HKLM)
O15 - ESC Trusted Zone: http://www.microsoft.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130194842119
O17 - HKLM\System\CCS\Services\Tcpip\..\{3574F112-84F7-4E06-8E8C-D1756E6C04C6}: NameServer = 202.96.128.68,202.96.128.86
O17 - HKLM\System\CCS\Services\Tcpip\..\{74D77FAD-FAB7-446D-9DB1-2B7F1D280A0C}: NameServer = 202.96.128.166
O17 - HKLM\System\CS1\Services\Tcpip\..\{3574F112-84F7-4E06-8E8C-D1756E6C04C6}: NameServer = 202.96.128.68,202.96.128.86
O17 - HKLM\System\CS2\Services\Tcpip\..\{3574F112-84F7-4E06-8E8C-D1756E6C04C6}: NameServer = 202.96.128.68,202.96.128.86
O20 - Winlogon Notify: msv1_1 - C:\WINDOWS\SYSTEM32\msv1_1.dll
O22 - SharedTaskScheduler: Browseui 预加载程序 - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: 组件类别缓存程序 - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: P4P Service - Sohu.com Inc. - C:\Program Files\Common Files\Sogou PXP\p2psvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Cat Soft - C:\Program Files\Serv-U\ServUDaemon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UpService - Unknown owner - c:\addolsrv4\UpServer.exe

--
End of file - 7908 bytes