前几天刚中过那个 xxso0 的.
请将下面的脚本保存为 .vbs 文件, 并在安全模式下运行.
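' Removal script for the "search engine garbled text" virus (the xxso.exe /
' xxso0.dll files named below). Save it as a .vbs file and run it from Safe
' Mode, as the title of the first dialog says.
'
' Every step is best-effort: On Error Resume Next stays active for the whole
' run, so a step that fails (file locked, value absent, access denied) is
' skipped silently and the closing dialog reports success regardless. Check the
' listed paths and registry values by hand afterwards if the result matters.
On Error Resume Next

MsgBox "本专杀由[G-AVR]Gryesign提供---http://hi.baidu.com/greysign", 64, "搜索引擎乱码病毒专杀,请在安全模式下运行"

Dim fso, shell, wmi, sysDir
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
Set wmi = GetObject("winmgmts:")
sysDir = fso.GetSpecialFolder(1).Path    ' 1 = SystemFolder (system32)

' ----------------- Shared indicator lists -----------------
' Win32_Process.Name holds the image name including its extension, so the bare
' 'nwizAskTao' from the original post is kept and 'nwizAskTao.exe' (the file
' deleted below) is added next to it.
' NOTE(review): nwiztlbb.exe is deleted below but never terminated here -
' confirm whether it runs as its own process.
' explorer.exe is terminated last; presumably this unloads the hooked DLLs so
' their files can be deleted - the post does not say.
Dim procNames
procNames = Array( _
    "fyso.exe", "jtso.exe", "mhso.exe", "qjso.exe", "qqso.exe", _
    "wgso.exe", "wlso.exe", "wmso.exe", "woso.exe", "ztso.exe", _
    "nwizAskTao", "nwizAskTao.exe", "explorer.exe")

' Files dropped by the virus. svchost.exe, csrss.exe, conime.exe and
' IEXPLORE.EXE are ordinary Windows image names; it is the %temp% location
' that marks these copies as unwanted, so the full paths must not be loosened.
Dim dropPaths
dropPaths = Array( _
    "%temp%\fyso.exe", "%temp%\jtso.exe", "%temp%\mhso.exe", "%temp%\qjso.exe", _
    "%temp%\qqso.exe", "%temp%\wgso.exe", "%temp%\wlso.exe", "%temp%\wmso.exe", _
    "%temp%\woso.exe", "%temp%\ztso.exe", _
    "%temp%\fyso0.dll", "%temp%\jtso0.dll", "%temp%\mhso0.dll", "%temp%\qjso0.dll", _
    "%temp%\qqso0.dll", "%temp%\wgso0.dll", "%temp%\wlso0.dll", "%temp%\wmso0.dll", _
    "%temp%\woso0.dll", "%temp%\ztso0.dll", _
    "%temp%\conime.exe", "%temp%\svchost.exe", "%temp%\IEXPLORE.EXE", _
    "%temp%\svchost32.exe", "%temp%\srogm.exe", "%temp%\csrss.exe", _
    "%programfiles%\Intern~1\PLUGINS\BinNice.bak", _
    "%programfiles%\Intern~1\PLUGINS\BinNice.dll", _
    "%windir%\system32\nwiztlbb.exe", "%windir%\system32\nwizAskTao.exe", _
    "%windir%\system32\nwiztlbb.dll", "%windir%\system32\nwizAskTao.dll")

' Autostart values the virus adds under HKLM\...\Run.
Dim runValues
runValues = Array( _
    "fysa", "jtsa", "mhsa", "qjsa", "qqsa", "wgsa", _
    "wlsa", "wmsa", "wosa", "ztsa", "nwizAskTao", "nwiztlbb")

' ----------------- Terminate virus processes -----------------
' Matching is by image name only; the WQL text is built from the fixed list
' above, never from outside input.
Dim procName, proc
For Each procName In procNames
    For Each proc In wmi.ExecQuery("select * from win32_process where name='" & procName & "'")
        proc.Terminate
    Next
Next

' ----------------- Delete virus files -----------------
Dim rawPath, fullPath, target
For Each rawPath In dropPaths
    fullPath = shell.ExpandEnvironmentStrings(rawPath)
    If fso.FileExists(fullPath) Then
        Set target = fso.GetFile(fullPath)
        target.Attributes = 0    ' clear read-only/hidden/system so Delete is not refused
        target.Delete
    End If
Next

' ----------------- Immunise: occupy each file name with a folder -----------------
' A folder with the same name makes a plain file create at that path fail.
' This is only a speed bump: anything that removes the folder first is not
' stopped. The first line of this module in the post was garbled
' ("CreateFolderCreateObject"), so %temp%\fyso.exe was never covered.
For Each rawPath In dropPaths
    fullPath = shell.ExpandEnvironmentStrings(rawPath)
    If Not fso.FileExists(fullPath) And Not fso.FolderExists(fullPath) Then
        fso.CreateFolder fullPath
    End If
Next

' ----------------- Delete autorun.inf in every drive root -----------------
' DriveType 1 = removable, 2 = fixed, 3 = network, 4 = CD-ROM. Network shares
' are touched too, and every root autorun.inf is removed without looking at
' its content. Drives that are not ready (empty reader) are skipped.
Dim drv, autorunPath
For Each drv In fso.Drives
    If drv.DriveType >= 1 And drv.DriveType <= 4 And drv.IsReady Then
        autorunPath = drv.DriveLetter & ":\autorun.inf"
        If fso.FileExists(autorunPath) Then
            Set target = fso.GetFile(autorunPath)
            target.Attributes = 0
            target.Delete
        End If
    End If
Next

' ----------------- Registry clean-up -----------------
Dim hiddenKey, hooksKey, runKey, clsidKey, valueName
hiddenKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\"
hooksKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\"
runKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
clsidKey = "HKEY_CLASSES_ROOT\CLSID\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}\"

' Point Winlogon's Userinit back at system32\userinit.exe (trailing comma kept
' as in the original post).
shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", sysDir & "\userinit.exe,", "REG_SZ"

' Restore the values behind Explorer's "show hidden files" option.
shell.RegWrite hiddenKey & "SHOWALL\CheckedValue", 1, "REG_DWORD"
shell.RegWrite hiddenKey & "SHOWALL\DefaultValue", 2, "REG_DWORD"
shell.RegWrite hiddenKey & "NOHIDDEN\CheckedValue", 2, "REG_DWORD"
shell.RegWrite hiddenKey & "NOHIDDEN\DefaultValue", 2, "REG_DWORD"

' RegDelete treats a name without a trailing backslash as a VALUE. The post
' passed the CLSID key that way, so the key itself was never removed.
' NOTE(review): RegDelete is not expected to remove a key that still has
' subkeys; InprocServer32 is assumed to be the only one - verify on an
' infected machine.
shell.RegDelete clsidKey & "InprocServer32\"
shell.RegDelete clsidKey

' Under ShellExecuteHooks and Run the entries are values, so no trailing backslash.
shell.RegDelete hooksKey & "{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}"
shell.RegDelete hooksKey & "{A6011F8F-A7F8-49AA-9ADA-49127D43138F}"
For Each valueName In runValues
    shell.RegDelete runKey & valueName
Next

' ----------------- System file repair -----------------
' This module was empty in the posted script.

' ----------------- Rewrite the hosts file -----------------
' The file is opened for writing (2) without creating it (False), so ALL
' existing entries are discarded, including any the user added on purpose.
' Attributes are cleared first in case the file was left read-only.
Dim hostsPath, hostsFile
hostsPath = sysDir & "\drivers\etc\hosts"
If fso.FileExists(hostsPath) Then
    fso.GetFile(hostsPath).Attributes = 0
    Set hostsFile = fso.OpenTextFile(hostsPath, 2, False)
    hostsFile.Write "127.0.0.1 localhost" & vbCrLf
    hostsFile.Write "127.0.0.1 7y7.us" & vbCrLf
    ' The post wrote a full URL (wrapped in forum [url] tags) here. A hosts
    ' entry maps a host name, so only the host part of that URL is used.
    hostsFile.Write "127.0.0.1 www.beginget.com" & vbCrLf
    hostsFile.Close
    Set hostsFile = Nothing
End If

' ----------------- Immunise drive roots against autorun.inf -----------------
' Same drive types as the deletion pass above. Attributes 3 = read-only + hidden.
' NOTE(review): the trailing ".." in the sub-folder name is probably stripped
' by the file API, leaving an ordinary folder - confirm if the intent was an
' undeletable name.
For Each drv In fso.Drives
    If drv.DriveType >= 1 And drv.DriveType <= 4 And drv.IsReady Then
        autorunPath = drv.DriveLetter & ":\autorun.inf"
        If Not fso.FileExists(autorunPath) And Not fso.FolderExists(autorunPath) Then
            fso.CreateFolder autorunPath
        End If
        If fso.FolderExists(autorunPath) Then
            fso.CreateFolder autorunPath & "\免疫文件夹.."
            fso.GetFolder(autorunPath).Attributes = 3
        End If
    End If
Next

' Shown unconditionally: failures above are swallowed by On Error Resume Next.
MsgBox "病毒清除成功,请重启电脑!", 64, "搜索引擎乱码病毒专杀"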