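' Every step in this script is best effort: a missing process, file or registry
' value must not abort the clean-up, so errors are suppressed from here on.
On Error Resume Next

' Start-up banner; the dialog title asks the user to run the tool in Safe Mode.
MsgBox "本专杀由[G-AVR]Gryesign提供---http://hi.baidu.com/greysign", 64, "搜索引擎乱码病毒专杀,请在安全模式下运行"

'----------------- Malware process termination module: start -----------------
' Win32_Process.Name is the image file name including its extension, so every
' entry carries ".exe". The last two are the system32 executables that the
' file-deletion module of this script removes; a query for the bare name
' 'nwizAskTao' can never match a running process.
' Only family-specific image names are listed here. The copies that hide behind
' system names in %temp% (svchost.exe, csrss.exe, conime.exe, IEXPLORE.EXE) are
' deliberately NOT terminated by name, because that would also hit the genuine
' Windows processes.
Set wmi = GetObject("winmgmts:")
For Each imageName In Array("fyso.exe", "jtso.exe", "mhso.exe", "qjso.exe", "qqso.exe", _
                            "wgso.exe", "wlso.exe", "wmso.exe", "woso.exe", "ztso.exe", _
                            "nwizAskTao.exe", "nwiztlbb.exe")
    Set hits = wmi.ExecQuery("select * from win32_process where name='" & imageName & "'")
    For Each proc In hits
        proc.Terminate
    Next
Next
'----------------- Malware process termination module: end -----------------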
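'----------------- Malware file deletion module: start -----------------
' Best effort: a path that is absent or locked must not stop the remaining ones.
On Error Resume Next

Set cleanFso = CreateObject("Scripting.FileSystemObject")
Set cleanShell = CreateObject("WScript.Shell")

' Indicator list shared by the deletion pass and the "immunization" pass below.
' NOTE: %temp% expands to the temp directory of the account running this script,
' so copies dropped under other user profiles are not touched.
malwarePaths = Array( _
    "%temp%\fyso.exe", "%temp%\jtso.exe", "%temp%\mhso.exe", "%temp%\qjso.exe", "%temp%\qqso.exe", _
    "%temp%\wgso.exe", "%temp%\wlso.exe", "%temp%\wmso.exe", "%temp%\woso.exe", "%temp%\ztso.exe", _
    "%temp%\fyso0.dll", "%temp%\jtso0.dll", "%temp%\mhso0.dll", "%temp%\qjso0.dll", "%temp%\qqso0.dll", _
    "%temp%\wgso0.dll", "%temp%\wlso0.dll", "%temp%\wmso0.dll", "%temp%\woso0.dll", "%temp%\ztso0.dll", _
    "%programfiles%\Intern~1\PLUGINS\BinNice.bak", "%programfiles%\Intern~1\PLUGINS\BinNice.dll", _
    "%temp%\svchost.exe", "%temp%\IEXPLORE.EXE", _
    "%windir%\system32\nwiztlbb.exe", "%windir%\system32\nwizAskTao.exe", _
    "%windir%\system32\nwiztlbb.dll", "%windir%\system32\nwizAskTao.dll", _
    "%temp%\svchost32.exe", "%temp%\srogm.exe", "%temp%\csrss.exe", "%temp%\conime.exe")

For Each rawPath In malwarePaths
    fullPath = cleanShell.ExpandEnvironmentStrings(rawPath)
    If cleanFso.FileExists(fullPath) Then
        ' Clear archive/system/hidden/read-only first (what the attrib call on the
        ' BinNice files was meant to do; it referenced an undefined objShell and
        ' never ran), then force the delete so a read-only file does not survive.
        cleanFso.GetFile(fullPath).Attributes = 0
        cleanFso.DeleteFile fullPath, True
    End If
Next
'----------------- Malware file deletion module: end -----------------

'----------------- Malware file immunization module: start -----------------
' Occupy each indicator path with a directory of the same name so that a file
' cannot be re-created at that exact path. This only blocks these literal
' names; it is no protection against a variant that uses different ones.
For Each rawPath In malwarePaths
    fullPath = cleanShell.ExpandEnvironmentStrings(rawPath)
    ' Skip paths where the delete above failed (file still there) or where a
    ' previous run already planted the directory.
    If Not cleanFso.FileExists(fullPath) And Not cleanFso.FolderExists(fullPath) Then
        cleanFso.CreateFolder fullPath
    End If
Next
'----------------- Malware file immunization module: end -----------------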
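'----------------- Drive-root autorun.inf removal module: start -----------------
' Walks every drive and removes an autorun.inf file from its root.
' Caveat: the file is deleted unconditionally, without inspecting its content,
' so a legitimate autorun.inf on a writable volume is removed as well.
On Error Resume Next

' fso and drvs stay script-level names because later modules reuse fso.
Set fso = CreateObject("scripting.filesystemobject")
Set drvs = fso.Drives
For Each drv In drvs
    ' DriveType 1..4 = removable, fixed, network, CD-ROM.
    If drv.DriveType = 1 Or drv.DriveType = 2 Or drv.DriveType = 3 Or drv.DriveType = 4 Then
        ' An empty card reader or optical drive has no file system to query.
        If drv.IsReady Then
            autorunPath = drv.DriveLetter & ":\autorun.inf"
            ' Resolve the file only when it exists; otherwise a failed GetFile
            ' would leave u pointing at the previous drive's object.
            If fso.FileExists(autorunPath) Then
                Set u = fso.GetFile(autorunPath)
                u.Attributes = 0      ' drop hidden/system/read-only before deleting
                u.Delete True
            End If
        End If
    End If
Next
'----------------- Drive-root autorun.inf removal module: end -----------------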
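'----------------- Registry module: start -----------------
' Best effort: RegDelete raises when the value or key is absent.
On Error Resume Next

Set reg = WScript.CreateObject("wscript.shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Point Winlogon\Userinit back at <system folder>\userinit.exe
' (GetSpecialFolder(1) is the system folder).
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", objFSO.GetSpecialFolder(1) & "\userinit.exe,", "REG_SZ"

' Rewrite the values behind Explorer's "show / do not show hidden files" option.
hiddenKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\"
reg.RegWrite hiddenKey & "SHOWALL\CheckedValue", 1, "REG_DWORD"
reg.RegWrite hiddenKey & "SHOWALL\DefaultValue", 2, "REG_DWORD"
reg.RegWrite hiddenKey & "NOHIDDEN\CheckedValue", 2, "REG_DWORD"
reg.RegWrite hiddenKey & "NOHIDDEN\DefaultValue", 2, "REG_DWORD"

' RegDelete treats a name WITHOUT a trailing backslash as a value and a name
' WITH one as a key. The CLSID entry is a key, so it needs the backslash.
' NOTE(review): RegDelete cannot remove a key that still has subkeys on
' NT-based Windows; InprocServer32 is the usual subkey of a COM DLL
' registration and is removed first. Any other subkey is not handled here.
clsidKey = "HKEY_CLASSES_ROOT\CLSID\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}\"
reg.RegDelete clsidKey & "InprocServer32\"
reg.RegDelete clsidKey

' ShellExecuteHooks entries are values named after the hook's CLSID.
hooksKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\"
reg.RegDelete hooksKey & "{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}"
reg.RegDelete hooksKey & "{A6011F8F-A7F8-49AA-9ADA-49127D43138F}"

' Autostart values under HKLM\...\Run.
For Each runValue In Array("fysa", "jtsa", "mhsa", "qjsa", "qqsa", "wgsa", "wlsa", _
                           "wmsa", "wosa", "ztsa", "nwizAskTao", "nwiztlbb")
    reg.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" & runValue
Next
'----------------- Registry module: end -----------------

'----------------- System file recovery module: start -----------------
' (empty)
'----------------- System file recovery module: end -----------------

'----------------- HOSTS file repair module: start -----------------
' The hosts file is OVERWRITTEN, which discards whatever entries it held
' (malicious or legitimate); a copy is kept next to it as hosts.bak.
' The path is derived from the system folder instead of assuming C:\WINDOWS.
hostsPath = objFSO.GetSpecialFolder(1) & "\drivers\etc\hosts"
If objFSO.FileExists(hostsPath) Then
    objFSO.CopyFile hostsPath, hostsPath & ".bak", True
    objFSO.GetFile(hostsPath).Attributes = 0   ' a read-only hosts file cannot be opened for writing
End If

Set re = objFSO.OpenTextFile(hostsPath, 2, True)   ' 2 = ForWriting
' One entry per line: Write (no line break) would fuse all entries into a
' single unparsable line.
re.WriteLine "127.0.0.1 localhost"
re.WriteLine "127.0.0.1 7y7.us"
' A hosts entry maps a host NAME; a full URL with scheme and path never
' matches, so only the host part of the update URL is sinkholed.
re.WriteLine "127.0.0.1 www.beginget.com"
re.Close
Set re = Nothing
'----------------- HOSTS file repair module: end -----------------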
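'----------------- Autorun immunization module: start -----------------
' Plants a directory named autorun.inf in the root of every drive so that a
' file of that name cannot be written there. The nested directory whose name
' ends in ".." is there to make the folder awkward to remove through Explorer.
' This blocks the autorun.inf name only; it does not stop malware from being
' copied to the drive.
On Error Resume Next

Set fso = CreateObject("scripting.filesystemobject")
Set drvs = fso.Drives
For Each drv In drvs
    ' DriveType 1..4 = removable, fixed, network, CD-ROM.
    If drv.DriveType = 1 Or drv.DriveType = 2 Or drv.DriveType = 3 Or drv.DriveType = 4 Then
        ' Skip drives with no medium; there is nothing to write to.
        If drv.IsReady Then
            immuneDir = drv.DriveLetter & ":\autorun.inf"
            fso.CreateFolder immuneDir
            fso.CreateFolder immuneDir & "\免疫文件夹..\"
            ' Only touch attributes when the directory really exists, so a failed
            ' CreateFolder cannot leave fl bound to the previous drive's folder.
            If fso.FolderExists(immuneDir) Then
                Set fl = fso.GetFolder(immuneDir)
                fl.Attributes = 3     ' 1 (read-only) + 2 (hidden)
            End If
        End If
    End If
Next
'----------------- Autorun immunization module: end -----------------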
' Closing dialog. It is shown unconditionally: with errors suppressed throughout
' the script, it does not confirm that any individual step succeeded.
Call MsgBox("病毒清除成功,请重启电脑!", vbInformation, "搜索引擎乱码病毒专杀")