百度和GOOGLE等搜索引擎乱码病毒的解决和VBS专杀
百度和GOOGLE等搜索引擎乱码病毒的解决和VBS专杀
2007-4-30 9:03:18  文/Greysign   出处:Greysignbolg   

近期出现一种病毒通过ARP攻击劫持用户和正常服务器之间的会话,在其中插入病毒代码。由此造成的后果是,用户正常访问这些网站时,会被引导下载病毒和木马程序,或者被跳转到其它网页。国内已经有部分知名网站受此影响。

傍晚拿到样本,写了个VBS专杀.

把以下(方框中的内容)代码复制进一个新建的记事本,后缀改为VBS,测试过,成功.最好在断网的环境下运行.

拿了ycosxhack的模版写,我真没效率,看来这种专杀没必要的话不做为好....还是去认真学习了.......

PS.修改好了....调试过了..安全模式下运行就杀干净.

4.29:昨天漏了几个.补上,.

4.29晚:最后还是由YY弄了个AUTORUN.INF免疫和HOSTS恢复/我本来想加多个BAT辅助.最后还是放弃了.全都用VBS吧

4.30凌晨更新

 on error resume next
msgbox "本专杀由[G-AVR]Gryesign提供---http://hi.baidu.com/greysign",64,"搜索引擎乱码病毒专杀,请在安全模式下运行"
'-----------------病毒进程结束模块开始-----------------
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='fyso.exe'")
for each i in p
i.terminate
next
on error resume next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='jtso.exe'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='mhso.exe'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='qjso.exe'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='qqso.exe'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='wgso.exe'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='wlso.exe'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='wmso.exe'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='woso.exe'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='ztso.exe'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='nwizAskTao'")
for each i in p
i.terminate
next
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='nwizAskTao'")
for each i in p
i.terminate
next
'-----------------病毒进程结束模块终止-----------------


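'----------------- Malware file deletion module: begin -----------------
' Every path is written with environment variables and expanded at run time, so
' the script does not depend on the system drive letter. The original attrib
' calls used an undefined objShell and a hard-coded c:\progra~1 path, so they
' never ran (the error was swallowed by On Error Resume Next); attributes are
' now cleared through FSO instead.
' The svchost.exe / csrss.exe / conime.exe / IEXPLORE.EXE entries are the copies
' dropped in %temp% only; the genuine system files are not touched.
malFilePaths = Array( _
    "%temp%\fyso.exe", "%temp%\jtso.exe", "%temp%\mhso.exe", "%temp%\qjso.exe", "%temp%\qqso.exe", _
    "%temp%\wgso.exe", "%temp%\wlso.exe", "%temp%\wmso.exe", "%temp%\woso.exe", "%temp%\ztso.exe", _
    "%temp%\fyso0.dll", "%temp%\jtso0.dll", "%temp%\mhso0.dll", "%temp%\qjso0.dll", "%temp%\qqso0.dll", _
    "%temp%\wgso0.dll", "%temp%\wlso0.dll", "%temp%\wmso0.dll", "%temp%\woso0.dll", "%temp%\ztso0.dll", _
    "%programfiles%\Intern~1\PLUGINS\BinNice.bak", _
    "%programfiles%\Intern~1\PLUGINS\BinNice.dll", _
    "%temp%\svchost.exe", "%temp%\IEXPLORE.EXE", _
    "%windir%\system32\nwiztlbb.exe", "%windir%\system32\nwizAskTao.exe", _
    "%windir%\system32\nwiztlbb.dll", "%windir%\system32\nwizAskTao.dll", _
    "%temp%\svchost32.exe", "%temp%\srogm.exe", "%temp%\csrss.exe", "%temp%\conime.exe")

For Each malPath In malFilePaths
    DeleteMalwareFile malPath
Next

' Deletes the file named by rawPath (may contain %var% references, which are
' expanded here). Attributes are reset to 0 and the delete is forced, because
' FSO DeleteFile refuses a read-only file unless the force flag is set.
' Missing files are skipped silently; other errors are suppressed inside the Sub.
Sub DeleteMalwareFile(rawPath)
    On Error Resume Next
    Dim dfso, dshell, fullPath, victim
    Set dfso = CreateObject("Scripting.FileSystemObject")
    Set dshell = CreateObject("WScript.Shell")
    fullPath = dshell.ExpandEnvironmentStrings(rawPath)
    If dfso.FileExists(fullPath) Then
        Set victim = dfso.GetFile(fullPath)
        victim.Attributes = 0
        dfso.DeleteFile fullPath, True
    End If
End Sub
'----------------- Malware file deletion module: end -----------------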
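'----------------- Malware file immunisation module: begin -----------------
' Creates a FOLDER at each path the malware drops a file to, so a file of that
' name can no longer be created there. The first line of the original had a
' fused "CreateFolderCreateObject(...)" token, so %temp%\fyso.exe was never
' immunised; the list below is driven by one loop instead.
' If the deletion module could not remove a file, CreateFolder for that path
' fails (suppressed) and the path stays un-immunised.
blockPaths = Array( _
    "%temp%\fyso.exe", "%temp%\jtso.exe", "%temp%\mhso.exe", "%temp%\qjso.exe", "%temp%\qqso.exe", _
    "%temp%\wgso.exe", "%temp%\wlso.exe", "%temp%\wmso.exe", "%temp%\woso.exe", "%temp%\ztso.exe", _
    "%temp%\fyso0.dll", "%temp%\jtso0.dll", "%temp%\mhso0.dll", "%temp%\qjso0.dll", "%temp%\qqso0.dll", _
    "%temp%\wgso0.dll", "%temp%\wlso0.dll", "%temp%\wmso0.dll", "%temp%\woso0.dll", "%temp%\ztso0.dll", _
    "%programfiles%\Intern~1\PLUGINS\BinNice.bak", _
    "%programfiles%\Intern~1\PLUGINS\BinNice.dll", _
    "%temp%\svchost.exe", "%temp%\IEXPLORE.EXE", _
    "%windir%\system32\nwiztlbb.exe", "%windir%\system32\nwizAskTao.exe", _
    "%windir%\system32\nwiztlbb.dll", "%windir%\system32\nwizAskTao.dll", _
    "%temp%\svchost32.exe", "%temp%\srogm.exe", "%temp%\csrss.exe", "%temp%\conime.exe")

For Each blockPath In blockPaths
    CreateBlockingFolder blockPath
Next

' Creates a folder at rawPath (environment variables expanded) unless a folder
' already exists there. Errors (file still present, access denied) are
' suppressed inside the Sub so the remaining paths are still processed.
Sub CreateBlockingFolder(rawPath)
    On Error Resume Next
    Dim bfso, bshell, fullPath
    Set bfso = CreateObject("Scripting.FileSystemObject")
    Set bshell = CreateObject("WScript.Shell")
    fullPath = bshell.ExpandEnvironmentStrings(rawPath)
    If Not bfso.FolderExists(fullPath) Then
        bfso.CreateFolder fullPath
    End If
End Sub
'----------------- Malware file immunisation module: end -----------------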


'----------------- Delete autorun.inf from every drive root: begin -----------------
' fso is created here and reused by the hosts-file and autorun-immunisation
' modules further down, so it must stay a global name.
Set fso = CreateObject("scripting.filesystemobject")
Set drvs = fso.Drives
For Each drv In drvs
    Select Case drv.DriveType
        Case 1, 2, 3, 4
            ' DriveType 1-4 = removable, fixed, network, CD-ROM.
            ' GetFile raises (and On Error Resume Next skips the rest of this
            ' branch) when the drive has no autorun.inf file.
            Set u = fso.GetFile(drv.DriveLetter & ":\autorun.inf")
            u.Attributes = 0
            u.Delete
    End Select
Next
'----------------- Delete autorun.inf from every drive root: end -----------------

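'----------------- Registry repair module: begin -----------------
Set reg = WScript.CreateObject("wscript.shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Restore Winlogon\Userinit to "<system folder>\userinit.exe," (the trailing
' comma is part of the stock value); GetSpecialFolder(1) is the system folder.
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", objFSO.GetSpecialFolder(1) & "\userinit.exe,", "REG_SZ"

' Stock values for the Folder Options "Hidden files" radio entries, so the
' "show hidden files" choice works again in Explorer.
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue", 1, "REG_DWORD"
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue", 2, "REG_DWORD"
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue", 2, "REG_DWORD"
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\DefaultValue", 2, "REG_DWORD"

' WScript.Shell.RegDelete removes a KEY only when the path ends with "\";
' without it the last component is treated as a VALUE name. The CLSID entry is
' a key (the original omitted the backslash, so it was never removed), while
' the ShellExecuteHooks and Run entries are values.
' NOTE(review): RegDelete cannot remove a key that still has subkeys; if the
' CLSID key has any, they have to be deleted first.
reg.RegDelete "HKEY_CLASSES_ROOT\CLSID\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}\"
reg.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}"
reg.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{A6011F8F-A7F8-49AA-9ADA-49127D43138F}"

' Autostart values written by the malware under HKLM\...\Run.
runValueNames = Array("fysa", "jtsa", "mhsa", "qjsa", "qqsa", "wgsa", "wlsa", "wmsa", "wosa", "ztsa", _
                      "nwizAskTao", "nwiztlbb")
For Each runValueName In runValueNames
    reg.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" & runValueName
Next
'----------------- Registry repair module: end -----------------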
'-----------------系统文件恢复模块开始-----------------
'-----------------系统文件修复模块终止-----------------
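'----------------- Hosts file repair module: begin -----------------
' Rewrites the hosts file with clean entries.
' Fixes relative to the original:
'  - Write (no line break) put all entries on one line, which is not a valid
'    hosts file; WriteLine is used instead.
'  - One entry was a full URL (http://www.beginget.com/GetVer/Ver.txt); a hosts
'    entry is a bare host name, so only the host part is written.
'  - The path comes from the system folder (fso.GetSpecialFolder(1)) rather than
'    a hard-coded C:\WINDOWS, and any read-only/hidden attribute is cleared first.
' NOTE: mode 2 (ForWriting) truncates the file, so any other entries the user
' had are lost; this matches the original behaviour. fso is created earlier in the script.
hostsPath = fso.GetSpecialFolder(1) & "\drivers\etc\hosts"
If fso.FileExists(hostsPath) Then
    fso.GetFile(hostsPath).Attributes = 0
End If
Set re = fso.OpenTextFile(hostsPath, 2, True)
re.WriteLine "127.0.0.1           localhost"
re.WriteLine "127.0.0.1           7y7.us"
re.WriteLine "127.0.0.1           www.beginget.com"
re.Close
Set re = Nothing
'----------------- Hosts file repair module: end -----------------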

'----------------- Autorun immunisation module: begin -----------------
' Creates a read-only, hidden autorun.inf FOLDER in the root of every
' removable/fixed/network/CD-ROM drive (DriveType 1-4) so that an autorun.inf
' file cannot be dropped there. The nested sub-folder whose name ends in ".."
' is kept from the original; presumably it makes the folder harder to delete
' through Explorer. fso is created earlier in the script.
Set drvs = fso.Drives
For Each drv In drvs
    Select Case drv.DriveType
        Case 1, 2, 3, 4
            immRoot = drv.DriveLetter & ":\autorun.inf"
            fso.CreateFolder immRoot
            fso.CreateFolder immRoot & "\免疫文件夹..\"
            Set fl = fso.GetFolder(immRoot)
            fl.Attributes = 3   ' ReadOnly (1) + Hidden (2)
    End Select
Next
'----------------- Autorun immunisation module: end -----------------


' Final notice: ask the user to reboot (vbInformation = 64, the icon used above).
MsgBox "病毒清除成功,请重启电脑!", vbInformation, "搜索引擎乱码病毒专杀"

本站已经把该vbs专杀给大家设置好,可到down.45its.com直接下载使用即可。
