自己中的一个病毒,瑞星好像叫它“代理脚本蠕虫变种Q”,duba6 升级到 2008.1.6 的病毒库还是不能判断出它是病毒...
转载自:http://www.oldjun.com/blog/article.asp?id=197
其实修改配置文件就可以自我清除,但我还是多此一举,写了个专杀(专杀只能恢复注册表以及删除病毒副本,对于被感染的文件还需要手动清除):
引用
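@ECHO OFF
rem ---------------------------------------------------------------------------
rem Removal script for the script worm that drops "<username>.vbs" copies.
rem
rem What it does, in order:
rem   1. Stops the Windows Script Host processes so the worm copies are not
rem      held open or re-created while they are being deleted.
rem   2. Deletes <username>.vbs / <username>.ini from %windir% and system32,
rem      and autorun.inf plus <username>.vbs from the root of drives C: to H:.
rem   3. Restores the Explorer settings, the "Load" start-up value and the
rem      file associations this script resets.
rem
rem Limits (stated by the author): files the worm has infected are NOT
rem repaired here and still have to be cleaned by hand.
rem
rem Requirements:
rem   - Run as the account that was infected: the file names are derived from
rem     %username% and the HKCU edits only touch the current user's hive.
rem   - Administrator rights are needed for the HKLM writes and for deleting
rem     from %windir%.
rem
rem NOTE(review): the listing on the page had "/" where cmd.exe and reg.exe
rem need "\" (file paths, registry keys, escaped quotes); "del c:/x" is parsed
rem as a switch and reg.exe rejects "HKLM/...". Backslashes are restored here.
rem The page also carried the whole script twice in a row; it is kept once.
rem ---------------------------------------------------------------------------
setlocal
cls
echo.
echo ***************************************
echo * administrator.vbs专杀工具——oldjun *
echo * Http://www.oldjun.com *
echo ***************************************
echo.
echo 正在关闭Script进程...
rem This ends every WScript/CScript instance, including legitimate scripts.
taskkill /im WScript.exe /f
taskkill /im cscript.exe /f
echo 关闭成功...
echo %username%
echo 正在删除相关文件...
rem Paths are quoted so that a user name containing spaces does not split the
rem argument. /a lets del match hidden/system/read-only files as well.
if exist "%windir%\%username%.vbs" del /f /q /a "%windir%\%username%.vbs"
if exist "%windir%\system32\%username%.vbs" del /f /q /a "%windir%\system32\%username%.vbs"
if exist "%windir%\system32\%username%.ini" del /f /q /a "%windir%\system32\%username%.ini"
rem Same drive letters as the original (C: to H:). Any autorun.inf in a drive
rem root is removed, not only the worm's; check removable media separately.
for %%D in (c d e f g h) do (
    if exist "%%D:\autorun.inf" del /f /q /a "%%D:\autorun.inf"
    if exist "%%D:\%username%.vbs" del /f /q /a "%%D:\%username%.vbs"
)
echo 删除成功...
echo 正在修改注册表...
echo 显示隐藏文件
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f
echo 关闭自动播放
rem NoDriveTypeAutoRun is a bit mask of drive types. The original wrote 1,
rem which only covers the "unknown drive type" bit and leaves removable,
rem fixed, network and CD-ROM drives auto-running. 255 (0xFF) sets every bit,
rem which is what the message above announces.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
echo 删除启动项
rem reg delete reports an error when the value is already absent; harmless.
reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /f
echo 恢复文件关联
rem %% is a literal % inside a batch file, so the registry receives %1, %*
rem and %SystemRoot%. Embedded quotes are escaped as \" for reg.exe.
reg add "HKLM\SOFTWARE\Classes\txtfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "%%SystemRoot%%\system32\NOTEPAD.EXE %%1" /f
reg add "HKLM\SOFTWARE\Classes\regfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "regedit.exe \"%%1\"" /f
reg add "HKLM\SOFTWARE\Classes\chm.file\shell\open\command" /ve /t REG_EXPAND_SZ /d "\"hh.exe\" %%1" /f
reg add "HKLM\SOFTWARE\Classes\hlpfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "winhlp32.exe %%1" /f
reg add "HKLM\SOFTWARE\Classes\exefile\shell\open\command" /ve /t REG_SZ /d "\"%%1\" %%*" /f
echo 修改成功...
rem The success messages are printed unconditionally; scroll back before this
rem cls (or remove it) if any reg/del command above reported an error.
cls
echo.
echo ****************
echo * 清 除 完 毕 ! *
echo ****************
echo.
echo. & pause
endlocal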
后注:发现这篇日志的浏览量巨大啊...有人加我QQ说不知道怎么用...我寒,批处理就是把代码另存为*.bat文件,双击运行就可以了(要在中毒的那个帐户下、用管理员权限运行:脚本是按 %username% 找病毒文件的,而且要改 HKLM 注册表)...