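[Original poster]:
Here's another little thing: detecting, removing and preventing the QQ Turtle virus, the Love Forest virus, etc.
Guess what it does?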
@echo off&mode con cols=80 lines=34
setlocal enabledelayedexpansion
set dLine=────────────────────────────────────────
Title 查杀与预防【 QQ龟病毒,QQ乐病毒,QQ尾巴病毒,QQ缘病毒,QQ女友病毒,爱情森林病毒等 】
:: Process names to terminate
SET qqVirName=rundll32 System32 TIMP1atform hack rundll sysedit32 SVCH0ST b INTERNET systray Explorer NOTEPAD
:: File names to block from running (via Image File Execution Options)
SET qqDisvar=TIMP1atform.exe System32.exe Sendmess.exe wwwo.exe updater.exe sysnot.exe hack.exe rundll.exe sysedit32.exe SVCH0ST.EXE b.exe INTERNET.EXE
:: Files to delete on every drive
SET qqdelAll=TIMP1atform.exe System32.exe Sendmess.exe wwwo.exe admin.bat updater.exe sysnot.exe hack.exe rundll.exe sysedit32.exe SVCH0ST.EXE b.sys
:: Files to delete from the root of the system drive
set varSysDrv=666666.exe MP3.exe update.exe my_photo.exe game.exe pass.exe 123456.exe flash.com hello.exe setup.exe
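:: Banner: lists each virus's symptoms and the cleanup steps
:: (block re-execution > kill processes > delete files > remove autostart entries >
::  restore file associations > restore the show-hidden-files setting > delete the virus's user account)
ECHO 查杀与预防【QQ龟病毒,QQ乐病毒,QQ尾巴病毒,QQ缘病毒,QQ女友病毒,爱情森林病毒等】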
ECHO\&ECHO QQ病毒简介:
ECHO\&ECHO QQ尾巴病毒症状:收到一条消息加网址的广告消息;
ECHO QQ缘病毒症状:将IE默认首页改为HTTP://WWW.**115.COM/,并发送消息;
ECHO QQ乐病毒症状:自动向好友发送一串网址消息;
ECHO QQ龟病毒症状:自动向好友发送病毒文件;
ECHO QQ女友病毒症状:向在线的好友发送诱惑的文字和链接.
ECHO\&ECHO 【对于替换了系统文件的病毒,我就不作专杀了,系统被病毒糟蹋的还不如重做系统算了
ECHO 像QQ狩猎者替换了rundll32.exe,cmd.exe...还有些替换了notepad.exe,systray.exe】
ECHO\&ECHO 编者:AX QQ:420751783 论坛相关下载:http://www.gline.5d6d.com&ECHO %dLine%
ECHO 1.查杀病毒时将临时会关闭以下进程,请事先做好保存:
ECHO NOTEPAD.EXE RUNDLL32.EXE SYSTRAY.EXE
ECHO\&ECHO 2.查杀病毒步骤:防止病毒再次运行 ^> 终止可疑病毒进程 ^> 删除病毒文件 ^>
ECHO 清除病毒启动分支 ^> 恢复文件关联 ^> 修复显示隐藏文件 ^> 踢除病毒建立的用户
ECHO\&ECHO %dLine%&ECHO ^>^>^> 按任意键开始查杀与预防QQ病毒 ^<^<^<
Pause>nul
cls&echo 正在查杀QQ龟病毒、QQ乐病毒...&echo %dLine%
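:: Block the listed executables from launching by giving each one an IFEO Debugger value
:: that is not a real program. Note that this also blocks the genuine notepad.exe.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "全盘禁止运行notepad.exe" /f >nul 2>nul &&echo 禁止病毒再次运行:〖notepad.exe〗 √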
for %%i in (%qqDisvar%) do reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%%i" /v Debugger /t REG_SZ /d "全盘禁止运行%%i" /f >nul 2>nul &&echo 禁止病毒再次运行:〖%%i〗 √
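:: Snapshot tasklist: image names go into listName1..N and PIDs into listNum1..N,
:: then every process whose name matches qqVirName is killed with ntsd.
set vartN=0&for /f "skip=4 tokens=1 delims= " %%i in ('tasklist') do set /a vartN+=1&set listName!vartN!=%%i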
set vartN=0&for /f "skip=4 tokens=2 delims= " %%i in ('tasklist') do set /a vartN+=1&set listNum!vartN!=%%i
for %%a in (%qqVirName%) do for /l %%i in (1,1,!vartN!) do if /i "!listName%%i!"=="%%a.exe" start /b /min ntsd -c q -p !listNum%%i! && echo 进程过滤:〖!listName%%i!〗√
del /a- /q "%systemroot%\qq32.ini" >nul 2>nul
del /a- /q "%windir%\system\Explorer.exe" >nul 2>nul
del /a- /q "%windir%\system32\Explorer.exe" >nul 2>nul
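:: If both notepad.exe and taskmgr.exe exist in the Windows\system directory, treat it as a
:: QQ缘 infection: save a clean notepad.exe from dllcache, delete the others, then restore it.
if exist "%windir%\system\notepad.exe" (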
if exist "%windir%\system\taskmgr.exe" (
echo 不幸中了QQ缘病毒,记事本程序被病毒替换了,现清除...
taskkill /im taskmgr.exe
taskkill /im notepad.exe
copy "%windir%\system32\dllcache\notepad.exe" "%temp%\notepad_exe" >nul 2>nul
del /a- /s /f "%systemdrive%\notepad.exe" >nul 2>nul
copy "%temp%\notepad_exe" "%windir%\notepad.exe" >nul 2>nul))
TASKKILL /im "notepad.exe" >nul 2>nul &&echo 查杀病毒相关进程: 〖notepad.exe〗√
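:: Deletes every notepad.exe under the system drive (/s recurses), which includes
:: a copy restored by the block above.
DEL /a- /s /f "%systemdrive%\notepad.exe" >nul 2>nul &&echo 清除病毒残留:〖notepad.exe〗√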
FOR %%i in (%varSysDrv%) do del /a- /f "%systemdrive%\%%i" >nul 2>nul &&echo 清除病毒残留:〖%%i〗√
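:: Delete Autorun.inf, System32.exe and System32dll.dll from the root of every fixed drive.
:: find "固定" matches the Chinese-locale output of "fsutil fsinfo drivetype" for a fixed drive;
:: on another UI language the search string has to be changed to match.
<nul set/p= 清除根目录病毒: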
for /f "delims=\" %%i in ('fsutil fsinfo drives^|find /v ""') do set var=%%i&set drive=!var:~-2!&fsutil fsinfo drivetype !drive!|find "固定">nul && del /a- /f !drive!\Autorun.inf >nul 2>nul
<nul set/p=〖Autorun.inf〗√
for /f "delims=\" %%i in ('fsutil fsinfo drives^|find /v ""') do set var=%%i&set drive=!var:~-2!&fsutil fsinfo drivetype !drive!|find "固定">nul && del /a- /f !drive!\System32.exe >nul 2>nul
<nul set/p= 〖System32.exe〗√
for /f "delims=\" %%i in ('fsutil fsinfo drives^|find /v ""') do set var=%%i&set drive=!var:~-2!&fsutil fsinfo drivetype !drive!|find "固定">nul && del /a- /f !drive!\System32dll.dll >nul 2>nul
echo 〖System32dll.dll〗√
FOR %%i IN (!qqdelAll!) DO (
for %%j in (c d e f g h i j k l m n o p q r s t u v w x y z) do del /a- /s /f "%%j:\%%i" >nul 2>nul
echo 全盘清除病毒残留:〖%%i〗√)
:: Remove the autostart values and the Msipv class values left by the viruses
reg delete "HKEY_LOCAL_MACHINE\software\Microsoft\windows\CurrentVersion\Run" /f /v Taskmgr >nul 2>nul
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v Explorer >nul 2>nul
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v intarnet >nul 2>nul
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v S0undMan >nul 2>nul
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "Network Associates, Inc." >nul 2>nul
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\Msipv" /f /v MainSetup >nul 2>nul
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\Msipv" /f /v MainUp >nul 2>nul
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\Msipv" /f /v MainVer >nul 2>nul
reg delete "HKEY_CURRENT_USER\Software\Classes\Msipv" /f /v MainSetup >nul 2>nul
reg delete "HKEY_CURRENT_USER\Software\Classes\Msipv" /f /v MainUp >nul 2>nul
reg delete "HKEY_CURRENT_USER\Software\Classes\Msipv" /f /v MainVer >nul 2>nul
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v Sendmess.exe >nul 2>nul
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v wwwo.exe >nul 2>nul
echo 清除病毒启动项 √
:: Restore the default open commands for .exe and .txt files
reg add HKEY_CLASSES_ROOT\exefile\shell\open\command /t REG_SZ /ve /f /d "\"%%1\" %%*" >nul 2>nul
reg add HKEY_CLASSES_ROOT\txtfile\shell\open\command /t REG_SZ /ve /f /d "%systemroot%\notepad.exe %%1" >nul 2>nul &&echo 恢复.txt与.exe文件关联 √
pause
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f >nul 2>nul &&echo 修复显示隐藏文件 √
:: Delete the LSS user account created by the virus
net user /delete LSS >nul 2>nul
echo 踢除病毒用户 √
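echo\&echo %dLine%&Pause&Exit
───────────────── Moderation record ─────────────────
Executed by: HAT
Action: added search keywords to the post title; wrapped the code in code tags
Reason: the original title "再来个东东" ("Here's another little thing") is not helpful for forum search
Penalty: none, because the poster is new to the forum
Note: please visit {7326} Must-read for forum newcomers, the basic code of conduct for everyone [repost]
───────────────── Moderation record ─────────────────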
[ Last edited by HAT on 2008-9-24 at 09:09 PM ]
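A read-only companion to the script in this post, added here as an example and not written by the poster: it reports which of the script's own indicators are present and changes nothing, which is useful because the original hides every result behind `>nul 2>nul`. All value, file and account names are copied from the post; the `hits` counter, the `:chkRun` and `:hit` labels and the output wording are choices made for this example.

```batch
@echo off
setlocal
:: Added example (not part of the original post): audit only, no deletes, no registry writes.
:: The lists below are copied from the script in the post.
set "RunKey=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
set "IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
set qqDisvar=TIMP1atform.exe System32.exe Sendmess.exe wwwo.exe updater.exe sysnot.exe hack.exe rundll.exe sysedit32.exe SVCH0ST.EXE b.exe INTERNET.EXE
set varSysDrv=666666.exe MP3.exe update.exe my_photo.exe game.exe pass.exe 123456.exe flash.com hello.exe setup.exe
set hits=0

echo [Autostart values under Run]
for %%v in (Taskmgr Explorer intarnet S0undMan Sendmess.exe wwwo.exe) do call :chkRun "%%v"
:: This name contains a comma, which FOR would treat as a separator, so it is checked on its own.
call :chkRun "Network Associates, Inc."

:: These entries are written by the cleanup script itself, so they are listed but not counted.
echo [IFEO Debugger blocks already in place]
for %%i in (notepad.exe %qqDisvar%) do reg query "%IFEO%\%%i" /v Debugger >nul 2>nul && echo   SET    %%i

echo [Files in the root of the system drive]
for %%f in (%varSysDrv% Autorun.inf System32.exe System32dll.dll) do if exist "%SystemDrive%\%%f" call :hit "%SystemDrive%\%%f"

:: Printed for manual comparison with the defaults the script restores.
echo [Open commands for exefile and txtfile]
reg query "HKCR\exefile\shell\open\command" /ve 2>nul
reg query "HKCR\txtfile\shell\open\command" /ve 2>nul

echo [Local account]
net user LSS >nul 2>nul && call :hit "account LSS"

echo.
echo Indicators found: %hits%
endlocal
goto :eof

:chkRun
:: %1 keeps its quotes so names with spaces reach reg.exe as a single argument.
reg query "%RunKey%" /v %1 >nul 2>nul && call :hit "Run value %~1"
goto :eof

:hit
set /a hits+=1
echo   FOUND  %~1
goto :eof
```

A non-zero count only means names from the post's lists are present; a file such as setup.exe in the drive root can be legitimate, so each match should be inspected before anything is deleted.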