由于有些病毒很恶心地感染了全盘文件,感染exe还不说,还感染网页文件,真的极度变态恶心啊!杀毒软件清除exe文件还好,但是网页文件会被直接删除掉。好吧,自己动手,丰衣足食,于是用vbs写了这个脚本。
使用说明:将以下代码复制保存到一个vbs文件中,然后打开cmd,用cd命令切换到vbs脚本所在的文件夹,执行"cscript 脚本名字"。随后会弹出一个对话框要求输入挂马代码,输入即可(需要与网页中被插入的代码完全一致)。接下来等着脚本自动遍历所有盘符中的网页脚本文件,并自动清除挂马代码。
该脚本主要是遍历所有的文件与文件夹,如果发现文件是网页脚本后缀名,先检查该网页文件中是否有挂马代码;如果发现有,先备份网页文件,然后把挂马代码替换为空。替换后再进行检查,确认是否成功清除,并且给出提示。清除成功后写入日志文件记录。日志文件保存在d:\logs.txt文件中。
效果如下:
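' Entry point: ask the operator for the injected snippet ("ma"), then walk every
' ready drive and strip that snippet from web script files.
'
' Globals shared with the procedures below: ma (the snippet), MyArray (the
' extension list), fso (FileSystemObject). "br" is never assigned anywhere in the
' visible script, so it evaluates to Empty and adds nothing to the echoed text.
'
'On Error Resume Next
' Example of an injected snippet (kept commented out for reference):
'ma="<script type=" & chr(34) & "text/javascript"& chr(34) & " src="& chr(34) &"http://web.nba1001.net:8888/tj/tongji.js"& chr(34) & "></script>"
' In the original listing this assignment was fused onto the commented-out line
' above, so "ma" was never set and stayed Empty.
ma = InputBox("please input string")

' An empty snippet must never reach the scan: InStr() reports a match at position 1
' for an empty search string, so every non-empty web file would be treated as
' infected, backed up and rewritten. InputBox also returns "" when cancelled.
If Trim(ma) = "" Then
    WScript.Echo "未输入挂马代码,脚本退出。"
    WScript.Quit 1
End If
' NOTE(review): the snippet is removed verbatim from every matching file on every
' drive. A very short or generic string (for example a bare tag) would also be
' removed from legitimate markup, so paste the complete injected snippet.

' Extensions treated as web script files (the duplicate ".php" entry was dropped;
' it made every .php file get processed twice).
MyString = ".asp|.html|.htm|.aspx|.php|.jsp"
MyArray = Split(MyString, "|", -1, 1)

WScript.Echo (br) & "恶意代码:" & ma & vbCrLf & vbCrLf

Set fso = CreateObject("Scripting.FileSystemObject")
Set ds = fso.Drives
For Each d In ds
    ' Drives that are not ready (e.g. an empty optical drive) raise an error when
    ' their root folder is opened, which would abort the whole run.
    If d.IsReady Then
        WScript.Echo (br) & " 扫描盘符:" & d.DriveLetter & (br)
        scan(d.DriveLetter & ":\")
    Else
        WScript.Echo (br) & " 跳过未就绪的盘符:" & d.DriveLetter & (br)
    End If
Next

' Alternative kept from the original: scan only the sub-folders of one drive.
'scan("G:\")
'set filesder0=fso.getfolder("G:\")
'set subfolders3=filesder0.subfolders
'for each subfolder0 in subfolders3
' scan(subfolder0)
'next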
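' Scan files.
'
' Recursively walks the folder "filesder". Every file whose name ends in one of the
' extensions in the global MyArray is read, checked for the global snippet "ma" and,
' when the snippet is present, handed to ClearCode.
'
' filesder: path of the folder to scan.
'
' Relies on the script-level globals fso, MyArray and ma, and on the sibling
' procedures GetFileContent, CheckCode and ClearCode.
Sub scan(filesder)
    Dim folder, f, lowerName, inx, isWebFile, content, child

    Set folder = fso.GetFolder(filesder)

    ' Protected system folders raise "Permission denied" when listed. Skip them
    ' instead of letting one folder abort the scan of the whole drive.
    If Not CanListFolder(folder) Then
        WScript.Echo (br) & " 无法访问,已跳过:" & folder.Path & (br)
        Exit Sub
    End If

    For Each f In folder.Files
        WScript.Echo (br) & " 扫描文件:" & f.Path & (br)
        lowerName = LCase(f.Name)

        ' Match on the file-name suffix. Stop at the first hit so that a file is
        ' handled once even if the extension list contains a duplicate entry.
        isWebFile = False
        For Each inx In MyArray
            If Right(lowerName, Len(inx)) = LCase(inx) Then
                isWebFile = True
                Exit For
            End If
        Next

        If isWebFile Then
            content = GetFileContent(f.Path)
            WScript.Echo (br) & " 正在检查 " & f.Path & " 文件中的内容" & (br)
            If CheckCode(f.Path, content, ma) = 1 Then
                Call ClearCode(f.Path, content, ma)
            Else
                WScript.Echo (br) & " 恭喜 " & f.Path & " 文件中没有恶意代码" & (br)
            End If
        End If
    Next

    ' Scan sub-folders.
    For Each child In folder.SubFolders
        scan(child.Path)
    Next
End Sub

' Returns True when both the file list and the sub-folder list of "folder" can be
' read. The error handler is confined to this helper so that errors elsewhere in the
' scan are still reported normally.
Function CanListFolder(folder)
    Dim n
    On Error Resume Next
    n = folder.Files.Count
    n = folder.SubFolders.Count
    ' Err keeps the first failure: a later successful statement does not reset it.
    CanListFolder = (Err.Number = 0)
    Err.Clear
End Function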
' Read file content.
'
' Returns the whole text of "filename", or "" when the file size is 0 (ReadAll is
' only called for non-empty files). Uses the script-level global fso.
'
' NOTE(review): OpenTextFile is called without a format argument, so the file is
' read with FSO's default (ANSI) text format. Pages stored as UTF-16, or containing
' bytes that are not valid in the system code page, may not round-trip unchanged
' when the caller writes the text back - confirm on a sample before a full run.
Function GetFileContent(filename)
    Dim stream, info, text

    Set stream = fso.OpenTextFile(filename)
    Set info = fso.GetFile(filename)

    text = ""
    If info.Size > 0 Then text = stream.ReadAll

    Set info = Nothing
    stream.Close
    Set stream = Nothing

    GetFileContent = text
End Function
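' Check whether the injected snippet is present.
'
' fext:         path of the file being checked (used only in the message).
' file_content: text of the file.
' ma:           the injected snippet to look for.
'
' Returns 1 when "ma" occurs in "file_content", otherwise 0. Echoes a detection
' message on a hit.
'
' The comparison is InStr's default binary (case-sensitive, exact) match, so a
' variant of the snippet that differs in case, quoting or whitespace is not
' detected; a result of 0 means "this exact string is absent", not "file is clean".
Function CheckCode(fext, file_content, ma)
    Dim res
    res = 0

    ' InStr() returns 1 for an empty search string against any non-empty text,
    ' which would flag every file. An empty snippet therefore never matches.
    If ma <> "" Then
        If InStr(file_content, ma) <> 0 Then
            WScript.Echo (br) & " 在 " & fext & " 发现恶意代码" & (br)
            res = 1
        End If
    End If

    CheckCode = res
End Function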
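' Remove the injected snippet from a file.
'
' fext:       path of the file to clean.
' wr_content: text of the file as read before cleaning.
' ma:         the injected snippet to remove (every occurrence is removed).
'
' Steps: copy the file to "<fext>.bak", record it through WriteLogs, overwrite the
' file with the cleaned text, then re-read the file from disk to verify.
' Uses the script-level global fso and the siblings WriteLogs and GetFileContent.
'
' NOTE(review): the .bak copy still contains the injected snippet and sits next to
' the original. For server-side scripts (.asp/.aspx/.php/.jsp) a ".bak" file inside
' a web root may be served as plain text by the web server, exposing source code.
' Move the backups out of the web root, or delete them, once the result is verified.
' CopyFile overwrites an existing .bak of the same name.
Sub ClearCode(fext, wr_content, ma)
    Dim ts, cleaned, onDisk

    ' Nothing to remove: do not back up or rewrite the file.
    If ma = "" Or wr_content = "" Then Exit Sub

    Call fso.CopyFile(fext, fext & ".bak")
    Call WriteLogs(fext)

    cleaned = Replace(wr_content, ma, "")

    WScript.Echo (br) & " 正在清除 " & fext & " 文件中恶意代码" & (br)

    ' Mode 2 = ForWriting (truncates the file). Write exactly the cleaned text:
    ' the original used WriteLine with an extra space, which appended a space and
    ' a line break to every cleaned file.
    Set ts = fso.OpenTextFile(fext, 2)
    ts.Write cleaned
    ts.Close
    Set ts = Nothing

    ' Verify against what is actually on disk. The original called CheckCode with
    ' two arguments here, which is a run-time error for a three-parameter function
    ' and stopped the script after the first cleaned file.
    onDisk = GetFileContent(fext)
    If InStr(onDisk, ma) = 0 Then
        WScript.Echo (br) & " 恭喜 " & fext & " 恶意代码已经清除" & (br)
    Else
        ' The original failure message also began with "恭喜" (congratulations).
        WScript.Echo (br) & " 警告 " & fext & " 恶意代码清除失败" & (br)
    End If

    WScript.Echo (br) & " 清除 " & fext & "文件中的恶意代码完成 " & (br)
End Sub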
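' Write to the log file.
'
' Appends one line naming "fext" as a file in which the injected snippet was found
' to d:\logs.txt, then echoes a confirmation. Does nothing when "fext" is empty.
' Uses the script-level global fso.
'
' NOTE(review): the log path is hard-coded; the call fails on a machine without a
' writable D: drive.
Sub WriteLogs(fext)
    Dim ts

    If fext = "" Then Exit Sub

    ' Mode 8 = ForAppending. The third argument (create) is True so that the first
    ' run does not fail with "File not found" when the log does not exist yet.
    Set ts = fso.OpenTextFile("d:\logs.txt", 8, True)
    ts.WriteLine(fext & " 文件中发现恶意代码")
    ts.Close
    Set ts = Nothing

    ' The original also echoed a "cleaning finished" message here, although this
    ' procedure runs before the file is rewritten; only the log confirmation remains.
    WScript.Echo (br) & fext & " 写入日志成功" & (br)
End Sub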