把下面的红色代码复制下来,另存为.bat为后缀的文件也就是批处理文件,然后双击运行保存的批处理就可以了,不过这个病毒有点特殊,要把保存的批处理放在桌面上运行。
@echo off
title 忆林子
color 0a
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 该病毒资料
echo.
echo 该病毒建立的包括的源文件如下:
echo.
echo 病毒文件全路径 大小(字节)
echo C:\Program Files\system32\SysInfo.dll 197,632
echo 其它所有分区:\autorun.inf 169
echo 其它所有分区:\SysInfo.dll 197,632
echo.
echo autorun.inf文件里的内容
echo.
echo [AutoRun]
echo open=RunDll32.exe .\SysInfo2.Dll,MyFun
echo shell\1=打开(^&O)
echo shell\1\Command=RunDll32.exe ^.^\SysInfo2.Dll,MyFun
echo shellexecute=RunDll32.exe ^.^\SysInfo2.Dll,MyFun
echo.
echo 注意:因为该病毒与系统进程绑定在一起,所以在杀毒时你的计算机将会被强制重启
echo 重启之后,请再运行一次本程序,该病毒方可清除完毕。
echo 请把该程序放在桌面上执行,并且在重启之后马上再次运行该程序。
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
set /p tmp=以上是该病毒的信息,如果要清除该病毒,请回车键开始杀毒...
if not exist %systemroot%\system32\sysinfo.dll echo 你的计算机中不存在该病毒,请按任意键退出该程序。 & pause & exit
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v isFirstRun>>tmp.忆林子
for /f "tokens=1,2,3 skip=4 delims= " %%j in ('more tmp.忆林子') do set isFirstRun=%%l
del tmp.忆林子
if /i "%isFirstRun%"=="1" goto :secondStep
taskkill /fi "modules eq SysInfo.dll" /f
rem 删除被病毒新建的注册表项
reg delete "HKLM\SOFTWARE\Classes\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377}" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989D2FEB-5411-4565-8988-1DD2C5263377}" /f
reg delete "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /f
reg delete "HKLM\SOFTWARE\Classes\CLSID\{989D2FEB-5411-4565-8988-1DD2C5263377}" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{989D2FEB-5411-4565-8988-1DD2C5263377}" /f
reg delete "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v isFirstRun /d 1 /f
shutdown -r -t 0
exit
:secondStep
cls
rem 添加被病毒删除的关于显示隐藏文件的注册表项
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v CheckedValue /t reg_dword /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v DefaultValue /t reg_dword /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v HelpID /d "shell.hlp#51103" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v HKeyRoot /t reg_dword /d 2147483649 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden" /ve /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v RegPath /d "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v Text /d "@shell32.dll,-30508" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v Type /d checkbox /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v UncheckedValue /t reg_dword /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v ValueName /d ShowSuperHidden /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v WarningIfNotDefault /d "@shell32.dll,-28964" /f
attrib -s -h -r %SystemRoot%\system32\SysInfo.dll
del %SystemRoot%\system32\SysInfo.dll /q
for %%f in (autorun.inf,SysInfo2.dll) do for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\%%f attrib -s -h -r %%d:\%%f
for %%f in (autorun.inf,SysInfo2.dll) do for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\%%f del %%d:\%%f /q
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v isFirstRun /f
cls
for /d %%i in (d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%i: chkdsk %%i: /f /x
cls
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
set /p tmp= 操作结束,按回车键退出该程序。
exit
