解决7y7.us病毒和免疫文件夹问题

    昨天中病毒了。折腾了大半天都没有弄好,今天早上终于搞定了。其实也没有真正搞定,只是阻止病毒,让它无法对我访问网站造成影响。
    昨天早上我发现访问我的网站时,所有页面尾部都会被截掉部分代码,造成页面显示异常。把程序更新后,问题还在;把服务器上的程序拷贝到本地运行,显示正常。这时候,我想可能是服务器中病毒。后来又发现访问包括Google在内的部分网站也会出现这样的问题——和我的服务器毫无关系的网站也出问题,说明毛病出在本机的浏览器端,而不是服务器。

    一次打开Gofficer网站首页的时候,意外地发现状态栏里一个“7y7.us”的地址突然闪了一下。打开自己的网站,浏览器却去连一个不相干的域名,这本身就是页面内容在本机被注入、篡改的迹象。之后我在网上查找关于这个网站的信息。原来果然是这个病毒在作怪。之后在网上找到了一篇删除这个病毒的 VBS程序。但它需要在安全模式下运行,我的系统无法进入安全模式。于是,我按照这段程序的操作,一步一步的手工操作。
    又发现 autorun.inf 目录下面有一个 免疫文件夹 无法删除。在网上好一段查找。找了几个强制删除工具,都无法删除。后来看到一个删除命令 RD /Q /S AUTORUN.INF。试了一下,果然管用。以前一直用del命令删除,还没用过rd,没想到它这么强大!原因其实是:del 只删文件、不删目录;rd /s /q 会把整棵目录树连同子目录一起删掉,而且不经过资源管理器,所以像下面脚本里那种名字以“..\”结尾、资源管理器处理不了的“免疫文件夹”它也能删。
    但是,还没有结束。病毒依旧。我已经在IE的受限制站点中加入 “http://*.7y7.us”,但是似乎不管用。无奈之间,我突然想到,状态栏显示的地址似乎没有http。于是我在受限制站点中加入 “*.7y7.us”。哈哈,果然管用。可以正常访问网站了。原因是 IE 区域站点列表里写了协议前缀就只匹配该协议,不写协议才匹配所有协议。不过要清楚:受限制站点只是禁止该站点在 IE 里运行脚本、ActiveX 等,挡的是症状,本机的病毒并没有因此被清除。
    但是,我机器上的病毒还是没有杀干净,不知道还有哪里有残留。不管怎么样,堵住它不发作、不影响我就行了。以后有时间再做进一步研究吧。要查残留,可以对照下面脚本列出的位置逐一核对:%temp% 下的 *so.exe / *so0.dll、IE 目录 PLUGINS 下的 BinNice.dll、%windir%\system32 下的 nwiz*.exe/.dll,注册表的 Winlogon\Userinit、ShellExecuteHooks、Run 键,以及 hosts 文件。Userinit 这类开机即加载的位置若还有残留,只在 IE 里拦域名是不够的;拿不准的话,重装系统最稳妥。
 
附(网上找到的删除7y7.us的VBS程序)。注意:这是来路不明的脚本,会结束 explorer.exe、改写 hosts、重写 Winlogon\Userinit 并删除注册表项,运行前先通读一遍,确认每一步都是自己想要的;它开头的 On Error Resume Next 会吞掉所有错误,最后的“清除成功”提示并不代表每一步都成功了。
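' 7y7.us / "search-engine garbling" removal script found online (attributed to
' [G-AVR] Greysign).  NOTE(review): it runs with the caller's privileges and
' rewrites Winlogon\Userinit, hosts and registry keys -- read it before running.
' "On Error Resume Next" is global: every failure below is swallowed, so the
' closing "success" message does not mean every step worked.
On Error Resume Next
MsgBox "本专杀由[G-AVR]Gryesign提供---http://hi.baidu.com/greysign", vbInformation, _
       "搜索引擎乱码病毒专杀,请在安全模式下运行"

'----------------- 病毒进程结束模块 (terminate malware processes) -----------------
Set wmi = GetObject("winmgmts:")
' Win32_Process.Name includes the extension, so every entry needs ".exe".
' The original queried 'nwizAskTao' without it, which can never match; it also
' never terminated nwiztlbb.exe although it deletes that file later.  Both are
' listed here so the files are not locked when the delete module runs.
For Each procName In Array("fyso.exe", "jtso.exe", "mhso.exe", "qjso.exe", "qqso.exe", _
                           "wgso.exe", "wlso.exe", "wmso.exe", "woso.exe", "ztso.exe", _
                           "nwizAskTao.exe", "nwiztlbb.exe")
    For Each proc In wmi.ExecQuery("select * from win32_process where name='" & procName & "'")
        proc.Terminate
    Next
Next
' explorer.exe is terminated too, as in the original -- presumably so the BHO
' (BinNice.dll) loaded into the shell is unlocked and can be deleted.  The shell
' is not restarted by this script; reboot afterwards.
For Each proc In wmi.ExecQuery("select * from win32_process where name='explorer.exe'")
    proc.Terminate
Next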

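'----------------- 病毒文件删除模块 + 病毒文件免疫模块 -----------------
' Delete every known dropped file, then "immunize" its path by creating a
' directory of the same name so the dropper's CreateFile fails.
' NOTE(review): the directory trick is a weak control -- a dropper that removes
' the directory first, or that uses new names, is not stopped by it.
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")

' Paths the original script listed.  The %temp% entries named like system
' binaries (svchost.exe, csrss.exe, conime.exe, IEXPLORE.EXE) are the malware's
' copies; the real ones in %windir%\system32 are never touched here.
' "Internet Explorer" is spelled out instead of the 8.3 alias "Intern~1", which
' does not exist when short-name generation is disabled on the volume.
malwarePaths = Array( _
    "%temp%\fyso.exe", "%temp%\jtso.exe", "%temp%\mhso.exe", "%temp%\qjso.exe", _
    "%temp%\qqso.exe", "%temp%\wgso.exe", "%temp%\wlso.exe", "%temp%\wmso.exe", _
    "%temp%\woso.exe", "%temp%\ztso.exe", _
    "%temp%\fyso0.dll", "%temp%\jtso0.dll", "%temp%\mhso0.dll", "%temp%\qjso0.dll", _
    "%temp%\qqso0.dll", "%temp%\wgso0.dll", "%temp%\wlso0.dll", "%temp%\wmso0.dll", _
    "%temp%\woso0.dll", "%temp%\ztso0.dll", _
    "%temp%\conime.exe", "%temp%\svchost.exe", "%temp%\svchost32.exe", _
    "%temp%\IEXPLORE.EXE", "%temp%\srogm.exe", "%temp%\csrss.exe", _
    "%programfiles%\Internet Explorer\PLUGINS\BinNice.bak", _
    "%programfiles%\Internet Explorer\PLUGINS\BinNice.dll", _
    "%windir%\system32\nwiztlbb.exe", "%windir%\system32\nwizAskTao.exe", _
    "%windir%\system32\nwiztlbb.dll", "%windir%\system32\nwizAskTao.dll")

For Each rawPath In malwarePaths
    fullPath = sh.ExpandEnvironmentStrings(rawPath)
    If fso.FileExists(fullPath) Then
        Set f = fso.GetFile(fullPath)
        f.Attributes = 0        ' clear hidden/system/read-only so Delete succeeds
        f.Delete True
    End If
    ' Occupy the file name with a directory (see note above).  FolderExists
    ' guards the re-run case; the original simply errored (silently) here.
    If Not fso.FolderExists(fullPath) Then fso.CreateFolder fullPath
Next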


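'----------------- 遍历删除各盘符根目录下病毒文件模块 -----------------
' Remove autorun.inf from the root of every drive of type 1 (removable),
' 2 (fixed), 3 (network) or 4 (CD-ROM), as in the original.
' NOTE(review): type 3 means mapped network shares are modified too, i.e.
' files on other machines; drop it if that is not intended.  Type 4 media is
' read-only, so that branch can only fail (silently, under Resume Next).
Set fso = CreateObject("Scripting.FileSystemObject")
For Each drv In fso.Drives
    ' IsReady skips empty card readers / drives without media, which would
    ' otherwise raise "device not ready".
    If drv.IsReady Then
        If drv.DriveType = 1 Or drv.DriveType = 2 Or drv.DriveType = 3 Or drv.DriveType = 4 Then
            autorunPath = drv.DriveLetter & ":\autorun.inf"
            ' FileExists is False for a *directory* named autorun.inf, so an
            ' immunization folder already in place is left alone.
            If fso.FileExists(autorunPath) Then
                Set inf = fso.GetFile(autorunPath)
                inf.Attributes = 0
                inf.Delete True
            End If
        End If
    End If
Next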

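'----------------- 注册表操作模块 -----------------
Set reg = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Restore the Winlogon bootstrap value, which the malware is assumed to have
' hijacked.  GetSpecialFolder(1) is the System folder, so this writes the stock
' "<system32>\userinit.exe," (trailing comma included).  A wrong value here
' gives a machine that logs on to an empty desktop -- do not edit casually.
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", _
             objFSO.GetSpecialFolder(1) & "\userinit.exe,", "REG_SZ"

' Reset the Explorer "show hidden files" option to its stock values; the
' original restores these, presumably because the malware tampers with them
' to keep its hidden files out of sight.
explorerHidden = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\"
reg.RegWrite explorerHidden & "SHOWALL\CheckedValue", 1, "REG_DWORD"
reg.RegWrite explorerHidden & "SHOWALL\DefaultValue", 2, "REG_DWORD"
reg.RegWrite explorerHidden & "NOHIDDEN\CheckedValue", 2, "REG_DWORD"
reg.RegWrite explorerHidden & "NOHIDDEN\DefaultValue", 2, "REG_DWORD"

' WshShell.RegDelete removes a VALUE unless the name ends in "\", in which case
' it removes a KEY.  The BHO's CLSID registration is a key, so the original
' call without the trailing backslash addressed a non-existent value and did
' nothing.  The underlying RegDeleteKey refuses a key that still has subkeys,
' so the InprocServer32 subkey an in-process server normally has is removed
' first (harmless if absent).
bhoClsid = "{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}"
reg.RegDelete "HKEY_CLASSES_ROOT\CLSID\" & bhoClsid & "\InprocServer32\"
reg.RegDelete "HKEY_CLASSES_ROOT\CLSID\" & bhoClsid & "\"
' ShellExecuteHooks entries are values named by CLSID -- no trailing backslash.
hooks = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\"
reg.RegDelete hooks & bhoClsid
reg.RegDelete hooks & "{A6011F8F-A7F8-49AA-9ADA-49127D43138F}"

' Autostart values.  The names are copied from the original ("*sa", not the
' "*so" used for the process/file names).  Only HKLM\...\Run is covered;
' HKCU\...\Run and the RunOnce keys are not checked by this script.
runKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
For Each runName In Array("fysa", "jtsa", "mhsa", "qjsa", "qqsa", "wgsa", _
                          "wlsa", "wmsa", "wosa", "ztsa", "nwizAskTao", "nwiztlbb")
    reg.RegDelete runKey & runName
Next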
'----------------- 系统文件恢复模块开始 -----------------
'----------------- 系统文件修复模块终止 (此模块在这份脚本里是空的,不恢复任何文件) -----------------
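'----------------- HOSTS 文件修复模块 -----------------
' Sinkhole the malware's domains via the hosts file.
' The original opened hosts ForWriting (mode 2), which truncates it and throws
' away every existing entry; here the current text is read and only missing
' entries are appended.  Its third entry was a full URL
' ("http://www.beginget.com/GetVer/Ver.txt"); hosts maps host names only, so
' that line could never match -- the host name is used instead.  hosts has no
' wildcards, so subdomains of 7y7.us, if any, are not covered.
' 127.0.0.1 is kept from the original; note that loopback sends the malware's
' requests to any web server running on this machine -- 0.0.0.0 avoids that.
Set fso = CreateObject("Scripting.FileSystemObject")
hostsPath = fso.GetSpecialFolder(1) & "\drivers\etc\hosts"

existing = ""
If fso.FileExists(hostsPath) Then
    fso.GetFile(hostsPath).Attributes = 0       ' malware commonly sets hidden/read-only
    Set rd = fso.OpenTextFile(hostsPath, 1, False)
    If Not rd.AtEndOfStream Then existing = rd.ReadAll
    rd.Close
End If

Set wr = fso.OpenTextFile(hostsPath, 8, True)  ' 8 = ForAppending, create if missing
If Len(existing) > 0 And Right(existing, 2) <> vbCrLf Then wr.Write vbCrLf
' Plain substring check: an entry already present (even in a comment) is not
' duplicated; good enough for these three names.
For Each hostName In Array("localhost", "7y7.us", "www.beginget.com")
    If InStr(1, existing, hostName, vbTextCompare) = 0 Then
        wr.Write "127.0.0.1               " & hostName & vbCrLf
    End If
Next
wr.Close
Set wr = Nothing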
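'----------------- Autorun 免疫模块 -----------------
' Put a directory named autorun.inf in the root of every drive so a dropper
' cannot write a file of that name.  The sub-folder name ending in "..\" is
' meant to yield a name Explorer cannot delete (hence "免疫文件夹"); the user
' cannot delete it through Explorer either -- "RD /S /Q X:\autorun.inf" from
' cmd does remove it.
' NOTE(review): whether FSO preserves the trailing ".." through path
' normalisation is not verified here.  Disabling AutoRun/AutoPlay system-wide
' (NoDriveTypeAutoRun) is the robust control; this trick is a supplement.
' Drive types as in the original: 1 removable, 2 fixed, 3 network, 4 CD-ROM --
' type 3 writes to mapped network shares, type 4 is read-only and can only fail.
Set fso = CreateObject("Scripting.FileSystemObject")
For Each drv In fso.Drives
    If drv.IsReady Then
        If drv.DriveType = 1 Or drv.DriveType = 2 Or drv.DriveType = 3 Or drv.DriveType = 4 Then
            infDir = drv.DriveLetter & ":\autorun.inf"
            If Not fso.FolderExists(infDir) Then fso.CreateFolder infDir
            fso.CreateFolder infDir & "\免疫文件夹..\"
            Set fl = fso.GetFolder(infDir)
            fl.Attributes = 3       ' 1 ReadOnly + 2 Hidden
        End If
    End If
Next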


' Closing notice.  Shown unconditionally: with On Error Resume Next in force it
' does not mean every step above succeeded.
MsgBox "病毒清除成功,请重启电脑!", vbInformation, "搜索引擎乱码病毒专杀"