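On a machine infected with this virus, every time it connects to the network a text file is created in C:/Documents and Settings/<username>/Cookies and in its content.ie5. The file contains a list of URLs; the exact addresses may vary.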
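This happens mainly because C:/WINDOWS/explorer.exe has been maliciously replaced; the most obvious sign is that its icon may change. After removing the virus, remember to replace this file with a copy taken from another machine, and delete the corresponding startup entries. If you really cannot find a copy, check whether the explorer.exe under C:/WINDOWS/system32/dllcache is the original one. Because the C:/WINDOWS/explorer.exe substituted by the virus does no major harm by itself and only connects to websites automatically to download files, antivirus software such as Rising does not detect it.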
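
A triage sketch for the two checks described here, added as an example and not part of the original note: it sweeps a copied profile folder for text files that hold download-list entries, and compares explorer.exe copies against a known-good reference by SHA-256. The entry format (digits, a colon, then an http URL ending in .exe), the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed entry format: "<digits>:<http URL ending in .exe>", one per line.
URL_ENTRY = re.compile(r"^\d+:https?://\S+\.exe\s*$", re.IGNORECASE)

def find_url_list_files(root, min_hits=2):
    """Return {path: hit count} for files under root that hold such entries."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_bytes()[:1_000_000].decode("latin-1")
        except OSError:
            continue  # unreadable file: skip it, keep sweeping
        count = sum(1 for line in text.splitlines() if URL_ENTRY.match(line))
        if count >= min_hits:
            hits[str(path)] = count
    return hits

def sha256_of(path):
    """SHA-256 of a file small enough to read in one go (explorer.exe is)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def compare_to_reference(reference, candidates):
    """Map each candidate to True when it is byte-identical to the reference."""
    good = sha256_of(reference)
    return {str(c): sha256_of(c) == good for c in candidates}

def demo():
    """Run both checks on a constructed tree (fake cookies, fake binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        cookies = base / "Cookies"
        cookies.mkdir()
        (cookies / "list.txt").write_text(
            "143:http://dl.example.invalid/down/1.exe\n"
            "143:http://dl.example.invalid/down/2.exe\n")
        (cookies / "user@site.txt").write_text("id\nabc123\nsite.example/\n")
        names = ("reference.exe", "explorer.exe", "dllcache_explorer.exe")
        for name, body in zip(names, (b"MZ good", b"MZ swapped", b"MZ good")):
            (base / name).write_bytes(body)
        found = find_url_list_files(cookies)
        verdict = compare_to_reference(base / names[0], [base / n for n in names[1:]])
        return ({Path(p).name: n for p, n in found.items()},
                {Path(p).name: ok for p, ok in verdict.items()})
```

The reference must be a copy from a clean machine with the same Windows version and service pack; a mismatch against a different build does not by itself mean the file was replaced.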