
Infected with a virus that can't be removed?

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
[C:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[D:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[E:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto
[F:\]
[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell=Auto

==================================
HOSTS 文件
127.0.0.1      localhost

==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 1828, C:\PROGRAM FILES\RISING\RFW\RFWMAIN.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 992, C:\WINDOWS\LHOTKEY.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 712, C:\WINDOWS\VM_STI.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1148, C:\PROGRAM FILES\RISING\RAV\RAVTASK.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2544, C:\PROGRAM FILES\RISING\RAV\RSAGENT.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2168, C:\PROGRAM FILES\RISING\RAV\RAVMOND.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2968, C:\PROGRAM FILES\RISING\RAV\RAVMON.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2968, C:\PROGRAM FILES\RISING\RAV\RAVMON.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3236, C:\PROGRAM FILES\RISING\RAV\RAVSTUB.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 1628, C:\PROGRAM FILES\MAXTHON\MAXTHON.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1628, C:\PROGRAM FILES\MAXTHON\MAXTHON.EXE]

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================


[/CODE]

This time it is definitely complete...... dizzy and hungry...

I did not see the following items listed under Win32 services/applications:
<wosa><C:\DOCUME~1\Owner\LOCALS~1\Temp\woso.exe> [N/A]
<rxsa><C:\DOCUME~1\Owner\LOCALS~1\Temp\rxso.exe> [N/A]
<qjsa><C:\DOCUME~1\Owner\LOCALS~1\Temp\qjso.exe> [N/A]
<tlsa><C:\DOCUME~1\Owner\LOCALS~1\Temp\tlso.exe> [N/A]
<{713AF41A-21B1-131B-1BFC-D2A90DF4A2B7}><C:\WINDOWS\system32\xyfpri.dll> [N/A]
<{B1351752-5628-1547-FFAB-BADC13512AFB}><C:\WINDOWS\system32\ztkpri.dll> []
<{2F12545B-1212-1314-5679-4512ACEF8902}><C:\WINDOWS\system32\wdbpri.dll> [N/A]
<{22311A42-AC1B-158F-FD32-5674345F23A2}><C:\WINDOWS\system32\dhbpri.dll> [N/A]
<{5A65498A-7653-9801-1647-987114AB7F45}><C:\WINDOWS\system32\zxepri.dll> [N/A]
<{1182C1EB-375C-573D-1F5E-234552345211}><C:\WINDOWS\system32\wldpri.dll> [N/A]
<{0EA66AD2-CF26-2E23-532B-B292E22F3266}><C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll> []
<{40117B96-998D-4D80-8F89-5E9DBD9F3460}><C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Sys> []
<{26368135-64FA-BC34-DA32-DCF4FD431C92}><C:\WINDOWS\system32\qhbpri.dll> [N/A]
<{559AFD5B-159F-ACD8-954C-ACD545FA6585}><C:\WINDOWS\system32\jzepri.dll> [N/A]
<{2FFAB213-ABCF-F421-FBA1-3FA352343212}><C:\WINDOWS\system32\wsbpri.dll> []

They are in the registry, though....

Hmm... I've already sent the message... as a private message... guidance welcome... QQ263200065