China DOS Union Forum (中国DOS联盟论坛) » DOS Batch & Scripting (Batch Room)

Thread: Calling on the masters for help!! Just want a batch file to slay "Luoxue" (落雪) with my own hands!!!!
cnmba (Junior Member), post #1: Calling on the masters for help!! Just want a batch file to slay "Luoxue" (落雪) with my own hands!!!!

Unlucky me!! I've caught an extremely terrifying virus: Luoxue (落雪)!

Nothing I do can kill it!!

I beg the masters to make a BAT that KILLLLLLLLLs it, completely and cleanly!!!!

Aaaaaah!! I'm going crazy!!! All my files have been... by it, sob sob~~~ :mad:

About this virus, everyone can read the introduction here; once you're infected, you'll know how unlucky you are!! Then maybe you'll understand how I feel right now!!

Link to a brief introduction to this virus:
http://cache.baidu.com/c?word=%C ... a=94&user=baidu

2006-7-29 23:23
namejm (Honorary Moderator, "batch fan", from Chengdu), post #2:

  My sympathies for your misfortune.

  Having read the introduction to this virus, I feel it is hard to solve from inside Windows, and just writing a bat file and running it is unlikely to work either. If you have the Shenshan Hongye (深山红叶) system maintenance disc at hand, the cleanup can be more thorough; otherwise, use the method described in that article to delete it; it is rather tedious, but it works.

  Here is the approach using the Shenshan Hongye system maintenance CD:

  1. First, write a bat file under Windows. Its job is to delete the listed files; pay attention to the case of WINLOGON.EXE so you don't delete the system's original program by mistake; after writing it, don't double-click the file to run it;
  2. Boot the machine from the Shenshan Hongye system maintenance CD, then run this bat file.

  This only covers the general approach; there are parts of the actual bat code I don't know how to write either, and the files to delete probably differ from machine to machine, don't they? Hoping an expert will step in.



A foot may be too short, an inch may be too long; learn CMD well, no question about it.
Think through problems in their full complexity, solve them with simplicity.
2006-7-29 23:54
kclmx (Junior Member), post #3:

If you know roughly when you were infected, you can search for files created at that time and delete them all. For processes, you can use the command ntsd -c q -p PID (the process identifier, which you can see in Task Manager) to end them. If a DLL file can't be deleted, try unregistering it with regsvr32 filename.dll /u and then delete it.

Question: if the trojan forcibly closes Task Manager, is there a way to get the PID from the command line?

[ Last edited by kclmx on 2006-8-1 at 11:55 ]

2006-8-1 11:52
dirzxl (Junior Member), post #4:

Rising's "Orange August" can handle it.
I got infected a few days ago.
Three days of manual cleanup got nowhere.
In the end one scan with Orange August in Safe Mode fixed it.

2006-8-30 10:11
namejm (Honorary Moderator, "batch fan", from Chengdu), post #5:

  I searched around the net recently and found a good thing; posting it here to share:
@echo off
cls
echo ***********************************************************
echo   此文件用于清除WINLOGON系列木马并修复其破坏的注册表信息
echo                 警告:只适用于XP操作系统
echo   空指针 制作     感谢 风乱舞 鼎力相助并提供系统优化功能
echo ***********************************************************
echo    名称:WINLOGON系列木马修复程序
echo    功能:
echo        1. 删除木马相关文件
echo        2. 修复被木马修改的系统关联
echo        3. 部分系统优化(ADSL拨号.桌面速度.IE速度.等部分系统优化)
echo.        

pause
cls
@SETLOCAL
@rem Set the active code page to Simplified Chinese (936)
@chcp 936>nul 2>nul
@echo.
@echo ************************************************************
@echo *                                                          *
@echo *    欢迎使用WINLOGON系列木马清除/修复程序              *
@echo *                                                          *
@echo ************************************************************

:chkOS
@echo.
@ver|find "XP"
@if "%ERRORLEVEL%"=="0" goto :XP
@echo.
@echo #您的操作系统不是Windows XP,无法使用。
@goto quit

@rem Insert the commands for other operating systems below
:XP
@set UpdatePolicy=GPUpdate /Force
@goto Selection

:Selection
@rem User Choice
@echo.
@echo    请注意选择您的操作系统安装在哪个分区
@echo    我要进行功能选择:
@echo.
@echo 1: 我的XP系统安装在C盘
@echo 2: 我的XP系统安装在D盘
@echo 3: 我想做部分系统优化(网络.桌面.速度)
@echo 4: 退出
@echo.
@set /p UserSelection=请输入您的选择(1=C盘、2=D盘、3=系统优化、4=退出程序)后按回车:
@if "%UserSelection%"=="1" goto C
@if "%UserSelection%"=="2" goto D
@if "%UserSelection%"=="3" goto good
@if "%UserSelection%"=="4" goto quit
@rem 输入其他字符
@cls
@goto Selection


:C
if exist c:\windows\1.com  attrib -s -r -h c:\windows\1.com
if exist c:\windows\exeroute.exe  attrib -s -r -h c:\windows\exeroute.exe
if exist c:\windows\explorer.com  attrib -s -r -h c:\windows\explorer.com
if exist C:\WINDOWS\EXERT.exe  attrib -s -r -h C:\WINDOWS\EXERT.exe
if exist c:\windows\finder.com attrib -s -r -h c:\windows\finder.com
if exist C:\WINDOWS\IO.SYS.BAK attrib -s -r -h C:\WINDOWS\IO.SYS.BAK
if exist C:\WINDOWS\lsass.exe attrib -s -r -h C:\WINDOWS\lsass.exe
if exist c:\windows\services.exe attrib -s -r -h c:\windows\services.exe
if exist c:\windows\SMSS.EXE attrib -s -r -h c:\windows\SMSS.EXE
if exist c:\windows\WINLOGON.exe attrib -s -r -h c:\windows\WINLOGON.exe
if exist c:\windows\debug\debugprogram.exe attrib -s -r -h c:\windows\debug\debugprogram.exe
if exist c:\progra~1\common~1\iexplore.pif attrib -s -r -h c:\progra~1\common~1\iexplore.pif
if exist c:\progra~1\intern~1\iexplore.com attrib -s -r -h c:\progra~1\intern~1\iexplore.com
if exist c:\windows\system32\command.pif attrib -s -r -h c:\windows\system32\command.pif
if exist c:\windows\system32\dxdiag.com attrib -s -r -h c:\windows\system32\dxdiag.com
if exist c:\windows\system32\finder.com attrib -s -r -h c:\windows\system32\finder.com
if exist c:\windows\system32\i.com attrib -s -r -h c:\windows\system32\i.com
if exist c:\windows\system32\msconfig.com attrib -s -r -h c:\windows\system32\msconfig.com
if exist c:\windows\system32\regedit.com attrib -s -r -h c:\windows\system32\regedit.com
if exist c:\windows\system32\rundll32.com attrib -s -r -h c:\windows\system32\rundll32.com
if exist d:\pagefile.pif attrib -s -r -h d:\pagefile.pif
if exist d:\command.com attrib -s -r -h d:\command.com
if exist d:\autorun.inf attrib -s -r -h d:\autorun.inf

echo ************************************************************
@echo 删除病毒文件

@echo off
if exist c:\windows\1.com  del c:\windows\1.com
if exist c:\windows\exeroute.exe  del c:\windows\exeroute.exe
if exist c:\windows\explorer.com  del c:\windows\explorer.com
if exist C:\WINDOWS\EXERT.exe  del C:\WINDOWS\EXERT.exe
if exist c:\windows\finder.com del c:\windows\finder.com
if exist C:\WINDOWS\IO.SYS.BAK del C:\WINDOWS\IO.SYS.BAK
if exist C:\WINDOWS\lsass.exe del C:\WINDOWS\lsass.exe
if exist c:\windows\services.exe del c:\windows\services.exe
if exist c:\windows\SMSS.EXE del c:\windows\SMSS.EXE
if exist c:\windows\WINLOGON.exe del c:\windows\WINLOGON.exe
if exist c:\windows\debug\debugprogram.exe del c:\windows\debug\debugprogram.exe
if exist c:\progra~1\common~1\iexplore.pif del c:\progra~1\common~1\iexplore.pif
if exist c:\progra~1\intern~1\iexplore.com del c:\progra~1\intern~1\iexplore.com
if exist c:\windows\system32\command.pif del c:\windows\system32\command.pif
if exist c:\windows\system32\dxdiag.com del c:\windows\system32\dxdiag.com
if exist c:\windows\system32\finder.com del c:\windows\system32\finder.com
if exist c:\windows\system32\i.com del c:\windows\system32\i.com
if exist c:\windows\system32\msconfig.com del c:\windows\system32\msconfig.com
if exist c:\windows\system32\regedit.com del c:\windows\system32\regedit.com
if exist c:\windows\system32\rundll32.com del c:\windows\system32\rundll32.com
if exist d:\pagefile.pif del d:\pagefile.pif
if exist d:\command.com del d:\command.com
if exist d:\autorun.inf del d:\autorun.inf

@echo ***********************************************************
@echo *         已删除可能的病毒文件,按任意键修复注册表信息     *
@echo ***********************************************************



@echo Windows Registry Editor Version 5.00>Fix.reg
@echo [HKEY_CLASSES_ROOT\exefile\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2A,00,00,00>>Fix.reg
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]>>Fix.reg
@echo @="exefile">>Fix.reg
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]>>Fix.reg
@echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]>>Fix.reg
@echo @=hex(2):49,00,45,00,58,00,50,00,4C,00,4F,00,52,00,45,00,2E,00,45,00,58,00,45,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\Command]>>Fix.reg
@echo @=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]>>Fix.reg
@echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\print\command]>>Fix.reg
@echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command]>>Fix.reg
@echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,73,00,65,00,74,00,75,00,70,00,61,00,70,00,69,00,2c,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,48,00,69,00,6e,00,66,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,20,00,44,00,65,00,66,00,61,00,75,00,6c,00,74,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,31,00,33,00,32,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]>>Fix.reg
@echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,4f,00,70,00,65,00,6e,00,41,00,73,00,5f,00,52,00,75,00,6e,00,44,00,4c,00,4c,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Command]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,61,00,70,00,70,00,77,00,69,00,7A,00,2E,00,63,00,70,00,6C,00,2C,00,4E,00,65,00,77,00,4C,00,69,00,6E,00,6B,00,48,00,65,00,72,00,65,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\cplopen\command\]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,65,00,6C,00,6C,00,33,00,32,00,2E,00,64,00,6C,00,6C,00,2C,00,43,00,6F,00,6E,00,74,00,72,00,6F,00,6C,00,5F,00,52,00,75,00,6E,00,44,00,4C,00,4C,00,20,00,22,00,25,00,31,00,22,00,2C,00,25,00,2A,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command\]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,64,00,6F,00,63,00,76,00,77,00,2E,00,64,00,6C,00,6C,00,2C,00,4F,00,70,00,65,00,6E,00,55,00,52,00,4C,00,20,00,6C,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command\]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,64,00,65,00,73,00,6B,00,2E,00,63,00,70,00,6C,00,2C,00,49,00,6E,00,73,00,74,00,61,00,6C,00,6C,00,53,00,63,00,72,00,65,00,65,00,6E,00,53,00,61,00,76,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\]>>Fix.reg
@echo @=hex(2):22,00,43,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,52,00,55,00,4E,00,44,00,4C,00,4C,00,33,00,32,00,2E,00,45,00,58,00,45,00,22,00,20,00,43,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,73,00,63,00,72,00,6F,00,62,00,6A,00,2E,00,64,00,6C,00,6C,00,2C,00,47,00,65,00,6E,00,65,00,72,00,61,00,74,00,65,00,54,00,79,00,70,00,65,00,4C,00,69,00,62,00,20,00,22,00,25,00,31,00,22,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command\]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,75,00,72,00,6C,00,2E,00,64,00,6C,00,6C,00,2C,00,54,00,65,00,6C,00,6E,00,65,00,74,00,50,00,72,00,6F,00,74,00,6F,00,63,00,6F,00,6C,00,48,00,61,00,6E,00,64,00,6C,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
@echo "Shell"="Explorer.exe">>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
@echo "Userinit"=hex(2):43,00,3A,00,5C,00,77,00,69,00,6E,00,64,00,6F,00,77,00,73,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,75,00,73,00,65,00,72,00,69,00,6E,00,69,00,74,00,2E,00,65,00,78,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
@echo "ToP"=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
@echo "TProgram"=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
@echo "TProgram"=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
@echo "Torjan Program"=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
@echo "Torjan Program"=->>Fix.reg
echo.

@pause
start /w regedit /s Fix.reg
del Fix.reg
echo.
@echo ***********************************************************
@echo *                修复已知被破坏的文件关联成功               *
@echo ***********************************************************
echo.
@echo 按任意键,返回选择
@pause
@cls
@goto Selection

:D
if exist d:\windows\1.com  attrib -s -r -h d:\windows\1.com
if exist d:\windows\exeroute.exe  attrib -s -r -h d:\windows\exeroute.exe
if exist d:\windows\explorer.com  attrib -s -r -h d:\windows\explorer.com
if exist d:\WINDOWS\EXERT.exe  attrib -s -r -h d:\WINDOWS\EXERT.exe
if exist d:\windows\finder.com attrib -s -r -h d:\windows\finder.com
if exist d:\WINDOWS\IO.SYS.BAK attrib -s -r -h d:\WINDOWS\IO.SYS.BAK
if exist d:\WINDOWS\lsass.exe attrib -s -r -h d:\WINDOWS\lsass.exe
if exist d:\windows\services.exe attrib -s -r -h d:\windows\services.exe
if exist d:\windows\SMSS.EXE attrib -s -r -h d:\windows\SMSS.EXE
if exist d:\windows\WINLOGON.exe attrib -s -r -h d:\windows\WINLOGON.exe
if exist d:\windows\debug\debugprogram.exe attrib -s -r -h d:\windows\debug\debugprogram.exe
if exist d:\progra~1\common~1\iexplore.pif attrib -s -r -h d:\progra~1\common~1\iexplore.pif
if exist d:\progra~1\intern~1\iexplore.com attrib -s -r -h d:\progra~1\intern~1\iexplore.com
if exist d:\windows\system32\command.pif attrib -s -r -h d:\windows\system32\command.pif
if exist d:\windows\system32\dxdiag.com attrib -s -r -h d:\windows\system32\dxdiag.com
if exist d:\windows\system32\finder.com attrib -s -r -h d:\windows\system32\finder.com
if exist d:\windows\system32\i.com attrib -s -r -h d:\windows\system32\i.com
if exist d:\windows\system32\msconfig.com attrib -s -r -h d:\windows\system32\msconfig.com
if exist d:\windows\system32\regedit.com attrib -s -r -h d:\windows\system32\regedit.com
if exist d:\windows\system32\rundll32.com attrib -s -r -h d:\windows\system32\rundll32.com
if exist d:\pagefile.pif attrib -s -r -h d:\pagefile.pif
if exist d:\autorun.inf attrib -s -r -h d:\autorun.inf

echo ************************************************************
@echo 删除病毒文件

@echo off
if exist d:\windows\1.com  del d:\windows\1.com
if exist d:\windows\exeroute.exe  del d:\windows\exeroute.exe
if exist d:\windows\explorer.com  del d:\windows\explorer.com
if exist d:\WINDOWS\EXERT.exe  del d:\WINDOWS\EXERT.exe
if exist d:\windows\finder.com del d:\windows\finder.com
if exist d:\WINDOWS\IO.SYS.BAK del d:\WINDOWS\IO.SYS.BAK
if exist d:\WINDOWS\lsass.exe del d:\WINDOWS\lsass.exe
if exist d:\windows\services.exe del d:\windows\services.exe
if exist d:\windows\SMSS.EXE del d:\windows\SMSS.EXE
if exist d:\windows\WINLOGON.exe del d:\windows\WINLOGON.exe
if exist d:\windows\debug\debugprogram.exe del d:\windows\debug\debugprogram.exe
if exist d:\progra~1\common~1\iexplore.pif del d:\progra~1\common~1\iexplore.pif
if exist d:\progra~1\intern~1\iexplore.com del d:\progra~1\intern~1\iexplore.com
if exist d:\windows\system32\command.pif del d:\windows\system32\command.pif
if exist d:\windows\system32\dxdiag.com del d:\windows\system32\dxdiag.com
if exist d:\windows\system32\finder.com del d:\windows\system32\finder.com
if exist d:\windows\system32\i.com del d:\windows\system32\i.com
if exist d:\windows\system32\msconfig.com del d:\windows\system32\msconfig.com
if exist d:\windows\system32\regedit.com del d:\windows\system32\regedit.com
if exist d:\windows\system32\rundll32.com del d:\windows\system32\rundll32.com
if exist d:\pagefile.pif del d:\pagefile.pif
if exist d:\autorun.inf del d:\autorun.inf

@echo ***********************************************************
@echo *         已删除可能的病毒文件,按任意键修复注册表信息     *
@echo ***********************************************************

@echo Windows Registry Editor Version 5.00>Fix.reg

@echo [HKEY_CLASSES_ROOT\exefile\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2A,00,00,00>>Fix.reg
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]>>Fix.reg
@echo @=hex(2):65,00,78,00,65,00,66,00,69,00,6C,00,65,00,00,00>>Fix.reg
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]>>Fix.reg
@echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command]>>Fix.reg
@echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]>>Fix.reg
@echo @=hex(2):49,00,45,00,58,00,50,00,4C,00,4F,00,52,00,45,00,2E,00,45,00,58,00,45,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\Command]>>Fix.reg
@echo @=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]>>Fix.reg
@echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\print\command]>>Fix.reg
@echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command]>>Fix.reg
@echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,73,00,65,00,74,00,75,00,70,00,61,00,70,00,69,00,2c,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,48,00,69,00,6e,00,66,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,20,00,44,00,65,00,66,00,61,00,75,00,6c,00,74,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,31,00,33,00,32,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]>>Fix.reg
@echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,4f,00,70,00,65,00,6e,00,41,00,73,00,5f,00,52,00,75,00,6e,00,44,00,4c,00,4c,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Command]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,61,00,70,00,70,00,77,00,69,00,7A,00,2E,00,63,00,70,00,6C,00,2C,00,4E,00,65,00,77,00,4C,00,69,00,6E,00,6B,00,48,00,65,00,72,00,65,00,20,00,25,00,31,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\cplopen\command\]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,65,00,6C,00,6C,00,33,00,32,00,2E,00,64,00,6C,00,6C,00,2C,00,43,00,6F,00,6E,00,74,00,72,00,6F,00,6C,00,5F,00,52,00,75,00,6E,00,44,00,4C,00,4C,00,20,00,22,00,25,00,31,00,22,00,2C,00,25,00,2A,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command\]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,64,00,6F,00,63,00,76,00,77,00,2E,00,64,00,6C,00,6C,00,2C,00,4F,00,70,00,65,00,6E,00,55,00,52,00,4C,00,20,00,6C,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command\]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,64,00,65,00,73,00,6B,00,2E,00,63,00,70,00,6C,00,2C,00,49,00,6E,00,73,00,74,00,61,00,6C,00,6C,00,53,00,63,00,72,00,65,00,65,00,6E,00,53,00,61,00,76,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\]>>Fix.reg
@echo @=hex(2):22,00,44,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,52,00,55,00,4E,00,44,00,4C,00,4C,00,33,00,32,00,2E,00,45,00,58,00,45,00,22,00,20,00,44,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,73,00,63,00,72,00,6F,00,62,00,6A,00,2E,00,64,00,6C,00,6C,00,2C,00,47,00,65,00,6E,00,65,00,72,00,61,00,74,00,65,00,54,00,79,00,70,00,65,00,4C,00,69,00,62,00,20,00,22,00,25,00,31,00,22,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command\]>>Fix.reg
@echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,75,00,72,00,6C,00,2E,00,64,00,6C,00,6C,00,2C,00,54,00,65,00,6C,00,6E,00,65,00,74,00,50,00,72,00,6F,00,74,00,6F,00,63,00,6F,00,6C,00,48,00,61,00,6E,00,64,00,6C,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
@echo "Shell"="Explorer.exe">>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
@echo "Userinit"=hex(2):43,00,3A,00,5C,00,77,00,69,00,6E,00,64,00,6F,00,77,00,73,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,75,00,73,00,65,00,72,00,69,00,6E,00,69,00,74,00,2E,00,65,00,78,00,65,00,00,00>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
@echo "ToP"=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
@echo "TProgram"=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
@echo "TProgram"=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
@echo "Torjan Program"=->>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
@echo "Torjan Program"=->>Fix.reg
echo.

@pause
start /w regedit /s Fix.reg
del Fix.reg
echo.
@echo ***********************************************************
@echo *                修复已知被破坏的文件关联成功               *
@echo ***********************************************************
echo.
@echo 按任意键,返回选择
@pause
@cls
@goto Selection

:good
@cls
@echo Windows Registry Editor Version 5.00>Fix.reg

@echo [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>Fix.reg
@echo "MaxConnectionsPerServer"=dword:00000020>>Fix.reg
@echo "MaxConnectionsPer1_0Server"=dword:00000020>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>Fix.reg
@echo "SackOpts"=dword:00000001>>Fix.reg
@echo "TcpWindowSize"=dword:0003ebc0>>Fix.reg
@echo "Tcp1323Opts"=dword:00000001>>Fix.reg
@echo "DefaultTTL"=dword:00000040>>Fix.reg
@echo "EnablePMTUBHDetect"=dword:00000000>>Fix.reg
@echo "EnablePMTUDiscovery"=dword:00000001>>Fix.reg
@echo "GlobalMaxTcpWindowSize"=dword:0003ebc0>>Fix.reg

@echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>Fix.reg
@echo "MaxConnectionsPerServer"=dword:00000020>>Fix.reg
@echo "MaxConnectionsPer1_0Server"=dword:00000020>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vxd\BIOS]>>Fix.reg
@echo "CPUPriority"=dword:00000001>>Fix.reg
@echo "PCIConcur"=dword:00000001>>Fix.reg
@echo "FastDRAM"=dword:00000001>>Fix.reg
@echo "AGPConcur"=dword:00000001>>Fix.reg

@echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>Fix.reg
@echo "MaxConnectionsPer1_0Server"=dword:00000009>>Fix.reg
@echo "MaxConnectionsPerServer"=dword:00000009>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]>>Fix.reg
@echo "ConfigFileAllocSize"=dword:000001f4>>Fix.reg

@echo [HKEY_CURRENT_USER\Control Panel\desktop]>>Fix.reg
@echo "MenuShowDelay"="0">>Fix.reg

@echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]>>Fix.reg
@echo "NoRun"=dword:00000001>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\Tour]>>Fix.reg
@echo "RunCount"=dword:00000000>>Fix.reg

@echo [-HKEY_CLASSES_ROOT\.zip\CompressedFolder]>>Fix.reg
@echo [-HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}]>>Fix.reg
@echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CompressedFolder]>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters]>>Fix.reg
@echo "EnableBigLba"=dword:00000001>>Fix.reg

@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]>>Fix.reg
@echo "Enable"="Y">>Fix.reg
@echo.

echo ******************************
echo    *   正在进行系统优化   *
echo ******************************
pause
start /w regedit /s Fix.reg
del Fix.reg

echo ******************************
echo     *   系统优化完毕   *
echo ******************************
echo.
@echo 按任意键,返回选择
@pause
@cls
@goto Selection


:quit
exit
[ Last edited by namejm on 2006-8-30 at 15:53 ]



2006-8-30 11:47
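As an added example that is not part of the thread or of 空指针's program: a read-only audit batch file that checks, before and after cleanup, for the same artifacts the script above deletes and rewrites (the dropped files, the .exe/exefile association, Winlogon Shell and Userinit, the ToP/TProgram/"Torjan Program" autostart values) and lists the system-named processes with their PID and the image path they really run from, which is also one answer to the PID question in post 3. It generalizes the script by using %SystemRoot% and %ProgramFiles% instead of the C:/D: menu; it assumes reg.exe and wmic.exe are present (XP Professional or later), and the names HITS, LINE, VAL, IMG and :Expect are mine.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
rem Added read-only audit (not part of the thread): it reports the artifacts the
rem cleanup script above deletes or rewrites, but changes nothing, so it can be
rem run before cleanup (to confirm the infection) and after it (to confirm the
rem machine is clean). %SystemRoot% / %ProgramFiles% replace the C:/D: menu.
rem Assumes reg.exe and wmic.exe are available (Windows XP Professional or later).
set /a HITS=0

echo == 1. Dropped files (names and locations from the cleanup script) ==
for %%F in (
    "%SystemRoot%\1.com" "%SystemRoot%\exeroute.exe" "%SystemRoot%\explorer.com"
    "%SystemRoot%\EXERT.exe" "%SystemRoot%\finder.com" "%SystemRoot%\IO.SYS.BAK"
    "%SystemRoot%\lsass.exe" "%SystemRoot%\services.exe" "%SystemRoot%\SMSS.EXE"
    "%SystemRoot%\WINLOGON.exe" "%SystemRoot%\debug\debugprogram.exe"
    "%ProgramFiles%\Common Files\iexplore.pif" "%ProgramFiles%\Internet Explorer\iexplore.com"
    "%SystemRoot%\system32\command.pif" "%SystemRoot%\system32\dxdiag.com"
    "%SystemRoot%\system32\finder.com" "%SystemRoot%\system32\i.com"
    "%SystemRoot%\system32\msconfig.com" "%SystemRoot%\system32\regedit.com"
    "%SystemRoot%\system32\rundll32.com"
) do if exist %%F (echo   FOUND   %%~F & set /a HITS+=1)
rem The script also removes three files from the root of a data drive; check the
rem root of every fixed disk (drivetype 3). The inner FOR strips wmic's trailing CR.
for /f "skip=1" %%L in ('wmic logicaldisk where "drivetype=3" get deviceid') do (
    for /f %%D in ("%%L") do for %%N in (pagefile.pif command.com autorun.inf) do (
        if exist "%%D\%%N" (echo   FOUND   %%D\%%N & set /a HITS+=1)
    )
)

echo == 2. Registry values that the Fix.reg above rewrites ==
set "LINE="
for /f "delims=" %%L in ('reg query "HKCR\exefile\shell\open\command" /ve 2^>nul ^| find "REG_"') do set "LINE=%%L"
if defined LINE (echo   exefile open command is: !LINE:*REG_=!  ^(expected: "%%1" %%*^)) else (echo   MISSING exefile open command & set /a HITS+=1)
call :Expect "HKCR\.exe" "/ve" "exefile"
call :Expect "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "/v Shell" "Explorer.exe"
call :Expect "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "/v Userinit" "%SystemRoot%\system32\userinit.exe"
for %%K in (Run RunServices) do for %%V in ("ToP" "TProgram" "Torjan Program") do (
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\%%K" /v %%V >nul 2>&1 && (
        echo   FOUND   autostart value %%V under CurrentVersion\%%K & set /a HITS+=1
    )
)

echo == 3. System-named processes, their PID and the image they really run from ==
rem Also one answer to post 3: the PID comes from wmic (or tasklist), not Task Manager.
for %%P in (winlogon.exe lsass.exe services.exe smss.exe) do (
    set "IMG="
    for /f "usebackq tokens=1,* delims==" %%A in (`wmic process where "name='%%P'" get ExecutablePath,ProcessId /format:list 2^>nul`) do (
        for /f "delims=" %%V in ("%%B") do (
            if /i "%%A"=="ExecutablePath" set "IMG=%%V"
            if /i "%%A"=="ProcessId" (
                if not defined IMG (
                    echo   UNKNOWN %%P PID %%V: image path not readable, rerun as Administrator
                ) else if /i "!IMG:\system32\=!"=="!IMG!" (
                    echo   SUSPECT %%P PID %%V runs from !IMG! & set /a HITS+=1
                ) else (
                    echo   OK      %%P PID %%V at !IMG!
                )
                set "IMG="
            )
        )
    )
)

echo.
if %HITS%==0 (echo   No known artifacts found.) else (echo   %HITS% finding^(s^): review them before running the cleanup script.)
endlocal & exit /b %HITS%

rem Expect <key> <"/ve" or "/v name"> <expected>: reads one value with reg query,
rem drops the "name  REG_xx" prefix and compares the rest; a trailing comma (as in
rem the stock Userinit value) is ignored.
:Expect
set "LINE="
for /f "delims=" %%L in ('reg query "%~1" %~2 2^>nul ^| find "REG_"') do set "LINE=%%L"
if not defined LINE (echo   MISSING %~1 %~2 & set /a HITS+=1 & goto :eof)
set "VAL=!LINE:*REG_=!"
for /f "tokens=1,*" %%T in ("!VAL!") do set "VAL=%%U"
if "!VAL:~-1!"=="," set "VAL=!VAL:~0,-1!"
if /i "!VAL!"=="%~3" (echo   OK      %~1 %~2) else (echo   CHANGED %~1 %~2 is now: !VAL! & set /a HITS+=1)
goto :eof
```

The exit code equals the number of findings, so the audit can be chained before the cleanup script and run again afterwards to confirm a zero result.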
fastslz (Platinum Member, from Shanghai), post #6:

  Quote:
@ver find "XP"

A bit strange: why is there a full-width space after ver? Can anyone explain?

2006-8-30 12:28
namejm (Honorary Moderator, "batch fan", from Chengdu), post #7:

  Quote:
Originally posted by fastslz at 2006-8-30 12:28:

A bit strange: why is there a full-width space after ver? Can anyone explain?

  After testing, I found that statement was wrong; it has now been corrected.



2006-8-30 15:51
chiwing (Junior Member), post #8:

  Quote:
Originally posted by namejm at 2006-8-30 11:47:
  I searched around the net recently and found a good thing; posting it here to share:
[code]
@echo off
cls
echo ***********************************************************
echo   此文件用 ...

Where on the net did you see this??

2006-8-31 21:46
zfb (Junior Member), post #9:

I'll study this carefully when I have time; this is exactly what learning bat is for.

2006-9-1 08:33
namejm (Honorary Moderator, "batch fan", from Chengdu), post #10:

Re chiwing, post #8:

  A Baidu search for "空指针 清除WINLOGON系列木马" turns up a pile of URLs, but the original sources are the following two:

  1. A batch file against the WINLOGON family of trojans: http://www.kingzoo.com/bbs/viewthread.php?tid=3034
  2. A variant of that same old trojan: http://kongzhizhen.bokee.com/4879003.html



2006-9-1 10:10
