7:23 更新好了.放学回家研究一下卸载正在加载的模块.
10:49 改善了HOSTS修复模块.加环境变量,控制格式.研究卸载模块去了...
12:17 由于卸载模块对卸载EXPLORER进程里的DLL不能够稳定完美地卸载.所以还是决定使用暂时结束进程进行杀毒.以后病毒插入其他进行再加个卸载模块吧,对于其他进程的卸载还比较稳定.
'-----------------病毒文件删除模块开始-----------------
set fso=createobject("scripting.filesystemobject")
set del=wscript.createobject("wscript.shell")
d1=del.ExpandEnvironmentStrings("%temp%\fyso.exe")
d2=del.ExpandEnvironmentStrings("%temp%\jtso.exe")
d3=del.ExpandEnvironmentStrings("%temp%\mhso.exe")
d4=del.ExpandEnvironmentStrings("%temp%\qjso.exe")
d5=del.ExpandEnvironmentStrings("%temp%\qqso.exe")
d6=del.ExpandEnvironmentStrings("%temp%\wgso.exe")
d7=del.ExpandEnvironmentStrings("%temp%\wlso.exe")
d8=del.ExpandEnvironmentStrings("%temp%\wmso.exe")
d9=del.ExpandEnvironmentStrings("%temp%\woso.exe")
d10=del.ExpandEnvironmentStrings("%temp%\ztso.exe")
d11=del.ExpandEnvironmentStrings("%temp%\fyso0.dll")
d12=del.ExpandEnvironmentStrings("%temp%\jtso0.dll")
d13=del.ExpandEnvironmentStrings("%temp%\mhso0.dll")
d14=del.ExpandEnvironmentStrings("%temp%\conime.exe")
d15=del.ExpandEnvironmentStrings("%temp%\qjso0.dll")
d16=del.ExpandEnvironmentStrings("%temp%\qqso0.dll")
d17=del.ExpandEnvironmentStrings("%temp%\wgso0.dll")
d18=del.ExpandEnvironmentStrings("%temp%\wlso0.dll")
d19=del.ExpandEnvironmentStrings("%temp%\wmso0.dll")
d20=del.ExpandEnvironmentStrings("%temp%\woso0.dll")
d21=del.ExpandEnvironmentStrings("%temp%\ztso0.dll")
d22=del.ExpandEnvironmentStrings("%programfiles%\Intern~1\PLUGINS\BinNice.bak")
d23=del.ExpandEnvironmentStrings("%programfiles%\Intern~1\PLUGINS\BinNice.dll")
d24=del.ExpandEnvironmentStrings("%temp%\svchost.exe")
d25=del.ExpandEnvironmentStrings("%temp%\IEXPLORE.EXE")
d26=del.ExpandEnvironmentStrings("%windir%\system32\nwiztlbb.exe")
d27=del.ExpandEnvironmentStrings("%windir%\system32\nwizAskTao.exe")
d28=del.ExpandEnvironmentStrings("%windir%\system32\nwiztlbb.dll")
d29=del.ExpandEnvironmentStrings("%windir%\system32\nwizAskTao.dll")
d30=del.ExpandEnvironmentStrings("%temp%\svchost32.exe")
d31=del.ExpandEnvironmentStrings("%temp%\srogm.exe")
d32=del.ExpandEnvironmentStrings("%temp%\csrss.exe")
set v1=fso.getfile(d1)
set v2=fso.getfile(d2)
set v3=fso.getfile(d3)
set v4=fso.getfile(d4)
set v5=fso.getfile(d5)
set v6=fso.getfile(d6)
set v7=fso.getfile(d7)
set v8=fso.getfile(d8)
set v9=fso.getfile(d9)
set v10=fso.getfile(d10)
set v11=fso.getfile(d11)
set v12=fso.getfile(d12)
set v13=fso.getfile(d13)
set v14=fso.getfile(d14)
set v15=fso.getfile(d15)
set v16=fso.getfile(d16)
set v17=fso.getfile(d17)
set v18=fso.getfile(d18)
set v19=fso.getfile(d19)
set v20=fso.getfile(d20)
set v21=fso.getfile(d21)
set v22=fso.getfile(d22)
set v23=fso.getfile(d23)
set v24=fso.getfile(d24)
set v25=fso.getfile(d25)
set v26=fso.getfile(d26)
set v27=fso.getfile(d27)
set v28=fso.getfile(d28)
set v29=fso.getfile(d29)
set v30=fso.getfile(d30)
set v31=fso.getfile(d31)
set v32=fso.getfile(d32)
v1.attributes=0
v2.attributes=0
v3.attributes=0
v4.attributes=0
v5.attributes=0
v6.attributes=0
v7.attributes=0
v8.attributes=0
v9.attributes=0
v10.attributes=0
v11.attributes=0
v12.attributes=0
v13.attributes=0
v14.attributes=0
v15.attributes=0
v16.attributes=0
v17.attributes=0
v18.attributes=0
v19.attributes=0
v20.attributes=0
v21.attributes=0
v22.attributes=0
v23.attributes=0
v24.attributes=0
v25.attributes=0
v26.attributes=0
v27.attributes=0
v28.attributes=0
v29.attributes=0
v30.attributes=0
v31.attributes=0
v32.attributes=0
v1.delete
v2.delete
v3.delete
v4.delete
v5.delete
v6.delete
v7.delete
v8.delete
v9.delete
v10.delete
v11.delete
v12.delete
v13.delete
v14.delete
v15.delete
v16.delete
v17.delete
v18.delete
v19.delete
v20.delete
v21.delete
v22.delete
v23.delete
v24.delete
v25.delete
v26.delete
v27.delete
v28.delete
v29.delete
v30.delete
v31.delete
v32.delete
'-----------------病毒文件删除模块终止-----------------
'-----------------病毒文件免疫模块开始-----------------
CreateFolderCreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\fyso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\jtso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\mhso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\qjso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\qqso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\wgso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\wlso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\wmso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\woso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\ztso.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\fyso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\jtso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\mhso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\qjso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\qqso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\wgso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\wlso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\wmso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\woso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\ztso0.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%programfiles%\Intern~1\PLUGINS\BinNice.bak")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%programfiles%\Intern~1\PLUGINS\BinNice.dll")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\svchost.exe")
CreateObject("Scripting.FileSystemObject").CreateFolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\IEXPLORE.EXE")
CreateObject("Scripting.FileSystemObject").Createfolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%windir%\system32\nwiztlbb.exe")
CreateObject("Scripting.FileSystemObject").Createfolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%windir%\system32\nwizAskTao.exe")
CreateObject("Scripting.FileSystemObject").Createfolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%windir%\system32\nwiztlbb.dll")
CreateObject("Scripting.FileSystemObject").Createfolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%windir%\system32\nwizAskTao.dll")
CreateObject("Scripting.FileSystemObject").Createfolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\svchost32.exe")
CreateObject("Scripting.FileSystemObject").Createfolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\srogm.exe")
CreateObject("Scripting.FileSystemObject").Createfolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\csrss.exe")
CreateObject("Scripting.FileSystemObject").Createfolder CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%\conime.exe")
'-----------------病毒文件免疫模块终止-----------------
'-----------------遍历删除各盘符根目录下病毒文件模块开始-----------------
set fso=createobject("scripting.filesystemobject")
set drvs=fso.drives
for each drv in drvs
if drv.drivetype=1 or drv.drivetype=2 or drv.drivetype=3 or drv.drivetype=4 then
set u=fso.getfile(drv.driveletter&":\autorun.inf")
u.attributes=0
u.delete
end if
next
'-----------------遍历删除各盘符根目录下病毒文件模块终止-----------------
'-----------------注册表操作模块开始-----------------
set reg=wscript.createobject("wscript.shell")
Set objFSO = CreateObject( "Scripting.FileSystemObject" )
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", objFSO.GetSpecialFolder( 1 ) & "\userinit.exe,","REG_SZ"
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue",1,"REG_DWORD"
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue",2,"REG_DWORD"
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue",2,"REG_DWORD"
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\DefaultValue",2,"REG_DWORD"
reg.regdelete "HKEY_CLASSES_ROOT\CLSID\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{A6011F8F-A7F8-49AA-9ADA-49127D43138F}"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fysa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jtsa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mhsa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjsa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qqsa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgsa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlsa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmsa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ztsa"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwizAskTao"
reg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwiztlbb"
'-----------------注册表操作模块终止-----------------
'-----------------系统文件恢复模块开始-----------------
'-----------------系统文件修复模块终止-----------------
'-----------------HOST文件修复模块开始-----------------
set fso=createobject("scripting.filesystemobject")
Set objFSO = CreateObject( "Scripting.FileSystemObject" )
set re=fso.OpenTextFile(objFSO.GetSpecialFolder( 1 ) &"\drivers\etc\hosts",2,0)
re.Write "127.0.0.1 localhost" & vbCrLf
re.Write "127.0.0.1 7y7.us"& vbCrLf
re.Write "127.0.0.1 http://www.beginget.com/GetVer/Ver.txt"& vbCrLf
re.Close
set re=nothing
'-----------------HOST文件修复模块终止-----------------
'-----------------Autorun免疫模块开始-----------------
set drvs=fso.drives
for each drv in drvs
if drv.drivetype=1 or drv.drivetype=2 or drv.drivetype=3 or drv.drivetype=4 then
fso.createfolder(drv.driveletter&":\autorun.inf")
fso.createfolder(drv.driveletter&":\autorun.inf\免疫文件夹..\")
set fl=fso.getfolder(drv.driveletter&":\autorun.inf")
fl.attributes=3
end if
next
'-----------------Autorun免疫模块终止-----------------
msgbox "病毒清除成功,请重启电脑!",64,"搜索引擎乱码病毒专杀"
