AV Terminator (AV终结者) xywrebh.exe Removal Tool
2007-06-18 20:16

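After two crazy weeks, AV Terminator (AV终结者) has started to go quiet, though its echoes still linger. This is the last time I build a removal tool for a variant of this virus; after this I'm leaving it alone (if it breaks out again, we'll see). Readers with special needs can contact me for a custom one (free - -||).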

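Building it is very easy, because there is already the "perfect" template provided by 余弦 (that is, the VBS source circulating online as some "Autorun removal tool"; I don't know who gave it that name...). You only need to fill in this virus's paths, process names and autostart registry value names... Once VBS scripting gets to this point it's no fun any more - -||. Time to change direction... and go low-level. Save the code below with a .vbs extension and run it to kill this virus! Anyone who can read VBS will know what the code is doing... very boring!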

'-------------------------------------AV Terminator xywrebh.exe removal code begins------------------------------------

on error resume next
msgbox "本专杀由余弦函数提供http://hi.baidu.com/ycosxhack!",64,"xywrebh.exe病毒专杀"
' Terminate the two running virus processes through WMI
set w=getobject("winmgmts:")
set p=w.execquery("select * from win32_process where name='terebmi.exe' or name='nuygtvw.exe'")
for each i in p
i.terminate
next
set fso=createobject("scripting.filesystemobject")
set del=wscript.createobject("wscript.shell")
' Files the virus drops under %ProgramFiles% (indices 0..3, no gap)
dim d(3)
d(0)=del.ExpandEnvironmentStrings("%ProgramFiles%\Common Files\System\terebmi.exe")
d(1)=del.ExpandEnvironmentStrings("%ProgramFiles%\Common Files\Microsoft Shared\nuygtvw.exe")
d(2)=del.ExpandEnvironmentStrings("%ProgramFiles%\meex.exe")
d(3)=del.ExpandEnvironmentStrings("%ProgramFiles%\tgiqbee.inf")
for i=0 to 3
' Only touch files that are actually present
if fso.fileexists(d(i)) then
set f=fso.getfile(d(i))
' Clear the hidden/system/read-only attributes so the delete succeeds
f.attributes=0
f.delete
end if
next
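' Remove the virus copy and its autorun.inf from the root of every drive
set fso=createobject("scripting.filesystemobject")
set drvs=fso.drives
for each drv in drvs
' Drive types: 1 = removable, 2 = fixed, 3 = network, 4 = CD-ROM
if drv.drivetype=1 or drv.drivetype=2 or drv.drivetype=3 or drv.drivetype=4 then
' Skip drives with no media so a stale file object is never reused
if drv.isready then
if fso.fileexists(drv.driveletter&":\xywrebh.exe") then
set f=fso.getfile(drv.driveletter&":\xywrebh.exe")
f.attributes=0
f.delete
end if
' Note: this deletes any autorun.inf in a drive root, not only the virus's
if fso.fileexists(drv.driveletter&":\autorun.inf") then
set f=fso.getfile(drv.driveletter&":\autorun.inf")
f.attributes=0
f.delete
end if
end if
end if
next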
' Set the security-related services back to automatic start (Start=2)
set reg=wscript.createobject("wscript.shell")
reg.regwrite "HKLM\SYSTEM\CurrentControlSet\Services\AVP\Start",2,"REG_DWORD"
reg.regwrite "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start",2,"REG_DWORD"
reg.regwrite "HKLM\SYSTEM\CurrentControlSet\Services\helpsvc\Start",2,"REG_DWORD"
reg.regwrite "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start",2,"REG_DWORD"
reg.regwrite "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start",2,"REG_DWORD"
' Restore the Folder Options settings that control showing hidden and system files
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue",1,"REG_DWORD"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue",2,"REG_DWORD"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue",2,"REG_DWORD"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\DefaultValue",2,"REG_DWORD"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\UncheckedValue",1,"REG_DWORD"
' Remove the policy that hides the Folder Options menu item
reg.regdelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
' Remove the virus's autostart entries from the Run key
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbcyhid"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xywrebh"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kvsc"
' Remove the virus's ShellExecuteHooks registration
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}"
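' Delete the Image File Execution Options (IFEO) subkeys that hijack security tools;
' the trailing backslash makes regdelete remove the whole key
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\"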
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe\"
reg.regdelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe\"
' Immunise: give the virus's known file names a dummy Debugger so Windows cannot launch them
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dmecvcm.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iywdqdf.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\meex.com\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oduxyym.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wojhadp.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rmwaccq.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dtstorp.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ouvjwsc.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wocfiba.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gnkjkrl.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lnmwiid.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\suvtufx.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wojhadp.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rmwaccq.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kocmbcd.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vlskjgs.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\haqeyfy.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udnnnvq.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nqgphqd.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egclmvo.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cyqttve.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmxpbpl.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jgnlkpy.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kplqtjg.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\skrmejg.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\terebmi.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nuygtvw.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xywrebh.exe\Debugger","NoVirus","REG_SZ"
reg.regwrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\meex.exe\Debugger","NoVirus","REG_SZ"
set fso=nothing
msgbox "skrmejg.exe病毒清除成功,请用杀软全盘扫描清理其他病毒。",64,"xywrebh.exe病毒专杀"

'------------------------------------AV Terminator xywrebh.exe removal code ends------------------------------------

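Take a look at yyasong's article: his SREng scan report alone is enough to write this removal tool. That has always been my goal, and 草莽 has already developed SAT, which generates virus-removal instructions from a virus's behaviour. His tool isn't quite what I had in mind, though; it doesn't go far enough... I'll test it when I get the chance. For some reason I still haven't added security-repair instructions to the removal source above... perhaps there are already plenty of repair tools like that...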
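Added example (not part of the original post or of the author's template), generalising the script's hard-coded key list: it audits the text of a `reg export` of the Image File Execution Options key for any `Debugger` value and emits `regdelete` lines in the script's own form. The sample export, the `allowed` list and the function names are constructed for illustration; real `reg export` files are UTF-16 and must be decoded before being passed in.

```python
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
PLACEHOLDER = "NoVirus"  # dummy Debugger the page's script writes as a block

_KEY = re.compile(r"^\[(.+)\]$")
_STR = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # undo .reg backslash escapes

def parse_reg_strings(text):
    """Return {key_path: {value_name_lowercased: value}} for string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
        elif current is not None:
            m = _STR.match(line)
            if m:  # dword/hex values and the file header are skipped
                current[_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys

def audit_ifeo(text, allowed=()):
    """Return (image, debugger, verdict) for each IFEO subkey with a Debugger."""
    prefix = IFEO.lower() + "\\"
    allowed = {a.lower() for a in allowed}
    findings = []
    for key, values in parse_reg_strings(text).items():
        image, dbg = key[len(prefix):], values.get("debugger")
        if dbg is None or not key.lower().startswith(prefix) or "\\" in image:
            continue  # no Debugger, or not a direct child of the IFEO key
        if dbg == PLACEHOLDER:
            verdict = "block"    # immunisation entry: image cannot start
        elif dbg.strip('"').lower() in allowed:
            verdict = "allowed"  # known, intentional redirection
        else:
            verdict = "review"   # dbg is launched instead of image
        findings.append((image, dbg, verdict))
    return findings

def regdelete_lines(findings):
    """VBScript deletes, in the page's form, for subkeys marked 'review'."""
    base = IFEO.replace("HKEY_LOCAL_MACHINE", "HKLM")
    return ['reg.regdelete "%s\\%s\\"' % (base, image)
            for image, _, verdict in findings if verdict == "review"]

# Constructed sample in `reg export` text form (not captured from a real host)
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Program Files\\Common Files\\System\\terebmi.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"debugger"="C:\\Program Files\\Common Files\\System\\terebmi.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xywrebh.exe]
"Debugger"="NoVirus"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp.exe\""
"GlobalFlag"=dword:00000200
'''

if __name__ == "__main__":
    print(*audit_ifeo(SAMPLE, allowed=[r"C:\Tools\procexp.exe"]), sep="\n")
```

Entries marked `review` need a human decision before the generated `regdelete` lines are run, because legitimate tools also register a `Debugger` under this key.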

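Over the past few days I have gone back over C and C++, and I have formally started on Windows core programming. In fact I first touched these back when I mastered VB; I just never expected to end up here... Back then, when I read this material, concepts such as viruses, rootkits, CNNIC (I admire its technology) and IceSword weren't in my head; now they are...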


Category: Virus | Comments (25)
 
 
Reader comments:
1
2007-06-18 21:07
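The author of this virus should come up with something original… I'm tired of reading this kind of removal code… When will I ever master VB… You can't install VB at an internet café, it needs a reboot… I've only used it once… wrote an FTP upload tool… so lame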
 
2
2007-06-18 21:30
Yeah.
Whoever is behind this virus had better brace for trouble.
 
3
2007-06-18 22:00
Could that server itself be innocent? It might just be some free hosting space abroad or something like that…
 
4
2007-06-18 22:10
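It could.
Usually they don't use their own servers to host the malicious pages (that would expose them).
They break into some website, and then…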
 
5
2007-06-19 09:35
Hehe, learning C and C++ is good too. Could you write up some study notes or the like? I really like these two languages~
 
6
2007-06-19 12:44
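OK.
Scripting can be wrapped up for now.
I have new plans. I've already gone deep into Web 2.0.
Now, while I'm at it, I'll take the virus work down to the low level.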
 
7
2007-06-19 16:31
I'll order an atomic bomb o(∩_∩)o...
 
8
2007-06-19 16:37
This article has been picked up by the virus-trends column of 【发掘网】. Thanks, 余弦~
 
9
2007-06-19 17:01
Uh...
What atomic bomb?
YOU ARE WELCOME IEDIT.:)
 
10
2007-06-19 20:03
A VBS script, haha. It's fairly simple, but you still put effort into it, brother.
 
11
2007-06-19 20:45
If I were writing it, I would definitely define a string variable to stand in for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", because that path really is long and ugly…
 
12
2007-06-19 22:31
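Yes, right.
That really is a good approach. - -、、 I can't believe I didn't do that. I guess these days I just dislike VBS, BAT and the like as soon as I see them…
to 小小鸟02: Hehe, it's all right.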
 
13
2007-06-19 23:13
I think I've seen this virus somewhere. Do you have it on hand?
 
14
2007-06-20 11:04
Haha~~ (/≧▽≦)/ 米 dodged a bullet this time~~
余弦~ the opening of the first two paragraphs~~ \ ( > < ) / so cool~~
 
15
2007-06-20 11:07
The latest virus; I hear it's very strong.
I haven't studied the code, though..
 
16
2007-06-20 18:00
A pity 糯米 hasn't seen this virus…
This virus drives people crazy, but it isn't strong.
 
17
2007-06-21 12:41
I know the author of this virus
No idea when he ended up on my QQ list
Damn it, he's still playing silent
Holy crap
 
18
2007-06-21 22:51
So you know him.
The police are looking for him...
 
19
2007-06-23 13:39
Something good happened \( ̄ε(# ̄\)☆
 
20
2007-06-23 18:18
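I know where he's from
But I don't sell out friends
His skills are pretty good
But he and I aren't on the same path
I like intrusion techniques; I'm not much interested in the rest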
 
21
2007-06-24 13:09
Leaving a footprint
 
22
2007-09-08 21:44
How do I use this thing? I'm a complete computer idiot..
 
23
2007-09-08 22:04
Just double-click it to run...
 
24
2007-12-09 11:05
Buddy, aren't you tired? This is all Greek to me.
 
25
2008-04-27 20:51
Your article.
Exactly what I need~
 