wert123
中级用户
积分 301
发帖 135
注册 2007-5-15
状态 离线
|
『楼 主』:
(忆林子)u盘病毒之auto(忆林子)
关于下面bat有几个问题啊,谁能告诉我啊
1)reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0x000000FF /f
这条命令我插入前运行了,可是双击U盘还是中标了,插入前少运行了什么reg add命令
2)我看了中标后电脑多了个A0A29414.DLL(这个数字是病毒随机生成的,被explorer调用),真狠,以前我听所插入dl后要重启explorer,它就这阴,什么原理啊
3)记得好像有个checkvalue的值,忘了,改了后文件夹选项的“隐藏文件和文件夹”下的单选按钮可以选择了,小点终于出来了,可是TMD点了一下,老是在“不显示文件和文件夹”上,要该哪两处注册表啊?
这个批处理还能改进吗
================================================================================
================================================================================
@echo off
title 忆林子
color 0a
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 该病毒资料
echo.
echo 该病毒建立的包括的源文件如下:
echo.
echo 病毒文件全路径 大小(字节)
echo c:\WINDOWS\system32\54D427F8.EXE(这个数字是病毒随机生成的) 20,284
echo c:\WINDOWS\system32\A0A29414.DLL(这个数字是病毒随机生成的) 13,812
echo 其它所有分区:\autorun.inf 78
echo 其它所有分区:\auto.exe 20,284 20,284
echo.
echo 其中autorun.inf文件里的内容
echo.
echo [AutoRun]
echo open=auto.exe
echo shellexecute=auto.exe
echo shell\Auto\command=auto.exe
echo.
echo 注意:因为该病毒与系统进程绑定在一起,所以在杀毒时你的计算机将会被强制重启
echo 重启之后,请再运行一次本程序,该病毒方可清除完毕。
echo 请把该程序放在桌面上执行,并且在重启之后马上再次运行该程序。
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
set /p tmp=以上是该病毒的信息,如果要清除该病毒,请回车键开始杀毒...
if not exist c:\tmp1.忆林子 (
reg query HKLM\SYSTEM\CurrentControlSet\Services\CF9EDF4C /v ImagePath >>c:\tmp1.忆林子
)
if not exist c:\tmp2.忆林子 (
reg query HKLM\SYSTEM\CurrentControlSet\Services\CF9EDF4C /v Description >>c:\tmp2.忆林子
)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v isFirstRun>>tmp.忆林子
for /f "tokens=1,2,3 skip=4 delims= " %%j in ('more tmp.忆林子') do set isFirstRun=%%l
if exist tmp.忆林子 del tmp.忆林子 /q
if /i "%isFirstRun%"=="1" goto :secondStep
net stop cf9edf4c>nul
for /L %%c in (1,1,10) do (
sc delete cf9edf4c>nul
)
rem 删除由病毒新建的项
reg delete "HKCU\SYSTEM" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT" /v ReportBootOk /f
reg delete "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CF9EDF4C" /f
reg delete "HKLM\SYSTEM\ControlSet001\Services\CF9EDF4C" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CF9EDF4C" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\CF9EDF4C" /f
reg delete "HKU\.DEFAULT\SYSTEM" /f
reg delete "HKU\S-1-5-18\SYSTEM" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v isFirstRun /d 1 /f
shutdown -r -t 0
exit
:secondStep
for /f "tokens=1,2,3 skip=1 delims= " %%j in ('more c:\tmp1.忆林子') do set test=%%l
set fileName1=%test:~-12%
echo %fileName1%
for /f "tokens=1,2,3 skip=1 delims= " %%j in ('more c:\tmp2.忆林子') do set fileName2=%%l.dll
echo %fileName2%
for %%d in (%fileName1%,%fileName2%) do (
taskkill /im %%d /f>nul
taskkill /fi "modules eq %%d" /f>nul
)
if exist c:\temp1.忆林子 del c:\temp1.忆林子 /q
if exist c:\temp2.忆林子 del c:\temp2.忆林子 /q
for %%d in (%fileName1%,%fileName2%) do (
if exist "%systemroot%\system32\%%d" (
attrib -s -h -r "%systemroot%\system32\%%d"
del "%systemroot%\system32\%%d" /q
)
)
del c:\WINDOWS\Prefetch\*.* /q
rd "%userprofile%\Local Settings\temp" /s /q
rem 添加病毒删除的项
echo Windows Registry Editor Version 5.00>>tmp.忆林子.reg
echo.>>tmp.忆林子.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc]>>tmp.忆林子.reg
echo "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00>>tmp.忆林子.reg
echo "Description"="服务和应用程序在非标准环境下运行时允许错误报告。">>tmp.忆林子.reg
echo "DisplayName"="Error Reporting Service">>tmp.忆林子.reg
echo "ErrorControl"=dword:00000000>>tmp.忆林子.reg
echo "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\>>tmp.忆林子.reg
echo 74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\>>tmp.忆林子.reg
echo 00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\>>tmp.忆林子.reg
echo 6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00>>tmp.忆林子.reg
echo "ObjectName"="LocalSystem">>tmp.忆林子.reg
echo "Start"=dword:00000002>>tmp.忆林子.reg
echo "Type"=dword:00000020>>tmp.忆林子.reg
echo.>>tmp.忆林子.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\Parameters]>>tmp.忆林子.reg
echo "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\>>tmp.忆林子.reg
echo 00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\>>tmp.忆林子.reg
echo 65,00,72,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00>>tmp.忆林子.reg
echo.>>tmp.忆林子.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\Security]>>tmp.忆林子.reg
echo "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\>>tmp.忆林子.reg
echo 00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\>>tmp.忆林子.reg
echo 00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\>>tmp.忆林子.reg
echo 05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\>>tmp.忆林子.reg
echo 20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\>>tmp.忆林子.reg
echo 00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\>>tmp.忆林子.reg
echo 00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00>>tmp.忆林子.reg
echo.>>tmp.忆林子.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\Enum]>>tmp.忆林子.reg
echo "0"="Root\\LEGACY_ERSVC\\0000">>tmp.忆林子.reg
echo "Count"=dword:00000001>>tmp.忆林子.reg
echo "NextInstance"=dword:00000001>>tmp.忆林子.reg
reg import tmp.忆林子.reg
for %%d in (c:\tmp1.忆林子,c:\tmp2.忆林子,tmp.忆林子,tmp.忆林子.reg) do (
if exist %%d del %%d /q
)
rem 改回被病毒修改的注册表项
reg add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v DoReport /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v ShowUI /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /d 1 /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v isFirstRun /f
for %%d in (c:\tmp1.忆林子,c:\tmp2.忆林子,tmp.忆林子,tmp.忆林子.reg) do (
if exist %%d del %%d /q
)
rem 删除病毒在注册表中添加的关联
if exist test.忆林子 del test.忆林子
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options">test.忆林子
for /f "tokens=* delims= skip=4" %%j in (test.忆林子) do (
reg delete "%%j" /v debugger /f
cls
if exist test.忆林子 del test.忆林子
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 正在清除由病毒添加的注册表项,请稍候...
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
)
if exist test.忆林子 del test.忆林子
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft^\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path" /v Debugger /d "ntsd -d" /f
cls
for %%f in (auto.exe,autorun.inf) do (
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do (
if exist %%d:\%%f attrib -s -h -r %%d:\%%f
if exist %%d:\%%f del %%d:\%%f /q
)
)
cls
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 病毒清除完毕,按回车键开始解决分区无法双击打开的问题.
echo 注意:因为删除了第个分区根目录下的autorun.inf文件,所以要
echo 对你的分区进行磁盘检查才能双击打开,或者你也可以重启。
echo 在磁盘检查时你的一些应用程序像QQ可能会被强制退出。如果不想
echo 现在检查的话,请关闭该批处理。下次重启你的分区即可双击打开。
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
set /p test=
for /D %%d in (d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do (
if exist %%d:\ chkdsk %%d: /f /x
)
cls
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
set /p tmp= 操作结束,按回车键退出该程序。
exit
[ Last edited by wert123 on 2007-10-19 at 06:45 PM ]
|
|