编程实现清除temp1.exe,temp2.exe木马
编程实现清除temp1.exe, temp2.exe木马.(这个木马没查到叫什么名称...-_-!!!, 看到网上好像都是这样叫, 就用上了那个名字)
今天打开本本的时候, 双击驱动器图标的时候, 总是在新窗口中打开, 立马感觉不对头, 查看一下进程, 发现里面多了一个”temp1.exe”的进程, 在网上一查, 原来是中标了……..-_-!!! 本本上面还好,只有3个驱动器, 挨个删除以后也就没再来了, 可台式机上分了6个区…..所以就有了下面这个小程序…..因本人机器的木马均已手工清除, 未能再测试程序了. 下面代码仅仅是参考用, 希望对中标的兄弟们有帮助….
今天(8/9/2006)不小心又中上了, U盘带来的(我不用杀毒软件的). 这次对代码进行了编译和运行, 程序有问题, 因为copy.exe, host.exe的文件属性问题, 添加下面红色部分的代码后, 可以杀毒了. 不过杀完后, 好像注册表仍不干净, 重启会提示无法找到"c:\windows\svchost.exe", 手动在注册表中找到这个删除后就没问题了.
.Net Framework 2.0 : http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en
经过编译的程序:/Files/XiaoHui/killvirus.rar
PS:见到有人提出运行不了的疑问,特将经过编译的程序放上来。程序需要在.Net Framework 2.0下面运行。当然你完全可以自己复制代码,然后自己编译。
Source Code
1using System;
3using System.Diagnostics;
5using System.IO;
7using System.Management;
9using System.Collections;
11using Microsoft.Win32;
13using System.Security.Permissions;
17[assembly:RegistryPermissionAttribute(SecurityAction.RequestMinimum,
19 ViewAndModify="HKEY_CURRENT_USER")]
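class Program
{
    // Files the dropper leaves behind (see the write-up above this listing):
    // temp1/temp2 in %WINDIR%\System32, a fake xcopy.exe/svchost.exe in %WINDIR% itself,
    // and copy.exe/host.exe/autorun.inf in the root of every drive.
    static readonly string XCopy = "xcopy.exe";
    static readonly string SVCHost = "svchost.exe";
    static readonly string Temp1 = "temp1.exe";
    static readonly string Temp2 = "temp2.exe";
    static readonly string Copy = "copy.exe";
    static readonly string Host = "host.exe";
    static readonly string AutoRun = "autorun.inf";

    // The "load" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is
    // executed at logon, which is how the dropper survives a reboot.  Note that "load" is a
    // *value* under this key, not a subkey.
    static readonly string RegKey = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
    static readonly string LoadKey = "load";

    /// <summary>
    /// Entry point.  Terminates the temp1/temp2 processes, walks the known drop locations and
    /// offers to delete each file that is present, then offers to remove the "load"
    /// persistence value.  Every deletion is confirmed on the console first.
    /// </summary>
    static void Main()
    {
        bool foundVirus = QueryProcess(true);
        bool isRegistryExists = IsRegistryExists();
        // Printed as a bare True/False so the user can see the persistence check result.
        Console.WriteLine(isRegistryExists.ToString());

        // The process may already be gone (e.g. after a reboot into safe mode) while the files
        // and the registry value are still there, so either indicator is enough to continue.
        if (!foundVirus && !isRegistryExists)
        {
            Console.WriteLine("Not found virus.");
            return;
        }

        Console.WriteLine("Starting kill the virus.");

        // The dropper's svchost.exe/xcopy.exe sit in %WINDIR%; the genuine ones live in
        // %WINDIR%\System32 and must never be touched, hence GetWindowPath() here.
        string windowsDir = GetWindowPath();
        Console.WriteLine("Delete the xcopy.exe");
        KillVirus(Path.Combine(windowsDir, XCopy));

        Console.WriteLine("Delete the svchost.exe");
        KillVirus(Path.Combine(windowsDir, SVCHost));

        string systemDir = GetSystemPath();
        Console.WriteLine("Delete the temp1.exe");
        KillVirus(Path.Combine(systemDir, Temp1));

        Console.WriteLine("Delete the temp2.exe");
        KillVirus(Path.Combine(systemDir, Temp2));

        Console.WriteLine("Starting kill virus in each drive");
        ArrayList drives = GetAllLogicalDrives();
        foreach (string driveRoot in drives)
        {
            KillVirus(Path.Combine(driveRoot, Copy));
            // An earlier revision forgot the next two calls, so only copy.exe was deleted and
            // host.exe / autorun.inf were left behind.
            KillVirus(Path.Combine(driveRoot, Host));
            KillVirus(Path.Combine(driveRoot, AutoRun));
        }

        // Without this step the persistence value survives and the next logon complains that
        // c:\windows\svchost.exe (the file just deleted) cannot be found.
        if (isRegistryExists)
        {
            Console.WriteLine("Delete the registry load value");
            DeleteRegisterKey();
        }

        Console.ReadLine();
    }

    /// <summary>
    /// Returns the root path ("C:\", "D:\", ...) of every logical drive, printing each one.
    /// DriveInfo is used instead of a WMI query so no System.Management dependency and no
    /// undisposed COM objects are involved.
    /// </summary>
    static ArrayList GetAllLogicalDrives()
    {
        DriveInfo[] infos = DriveInfo.GetDrives();
        ArrayList drives = new ArrayList(infos.Length);
        foreach (DriveInfo info in infos)
        {
            Console.WriteLine("Drive: " + info.Name);
            drives.Add(info.Name);
        }
        return drives;
    }

    /// <summary>
    /// Looks for running temp1/temp2 processes.  Both names are always checked so that a
    /// second, still-running instance cannot keep its image file locked during the delete step.
    /// </summary>
    /// <param name="killProcess">When true, every matching process is terminated.</param>
    /// <returns>true if at least one matching process was found.</returns>
    static bool QueryProcess(bool killProcess)
    {
        bool found = false;
        string[] names = new string[]
        {
            Path.GetFileNameWithoutExtension(Temp1),
            Path.GetFileNameWithoutExtension(Temp2),
        };

        foreach (string name in names)
        {
            Process[] matches = Process.GetProcessesByName(name);
            if (matches.Length == 0)
            {
                continue;
            }

            found = true;
            if (killProcess)
            {
                KillProcess(matches);
            }
        }

        return found;
    }

    /// <summary>
    /// Terminates every process in <paramref name="processes"/> and waits briefly for each to
    /// exit so its image file is unlocked before the delete step.  A process that has already
    /// gone away is skipped; access failures are reported rather than thrown.
    /// </summary>
    static void KillProcess(Process[] processes)
    {
        foreach (Process p in processes)
        {
            using (p)
            {
                try
                {
                    p.Kill();
                    // Kill() returns before the process is gone; give the image file a
                    // moment to be released so File.Delete does not hit "file in use".
                    p.WaitForExit(5000);
                }
                catch (InvalidOperationException)
                {
                    Console.WriteLine("Process {0} already exited.", p.Id);
                }
                catch (System.ComponentModel.Win32Exception ex)
                {
                    Console.WriteLine("Could not kill process {0}: {1}", p.Id, ex.Message);
                }
            }
        }
    }

    /// <summary>
    /// Deletes <paramref name="filePath"/> after an interactive [y/n] confirmation.
    /// Does nothing when the file does not exist.  A refused or failed delete is reported
    /// and does not abort the rest of the cleanup.
    /// </summary>
    static void KillVirus(string filePath)
    {
        if (!File.Exists(filePath))
        {
            return;
        }

        Console.WriteLine("Are your sure want to delete: {0} [y/n]", filePath);
        string answer = Console.ReadLine();

        // ReadLine() returns null on end-of-input (redirected stdin); treat that as "no".
        if (answer == null || !string.Equals(answer.Trim(), "Y", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        try
        {
            // File.Delete refuses a read-only file, so reset the attributes first.  Normal
            // also clears Hidden/System, which the dropped files may carry.
            if ((File.GetAttributes(filePath) & FileAttributes.ReadOnly) == FileAttributes.ReadOnly)
            {
                File.SetAttributes(filePath, FileAttributes.Normal);
            }
            File.Delete(filePath);
        }
        catch (IOException ex)
        {
            // Typically "file in use": the owning process is still running.
            Console.WriteLine("Could not delete {0}: {1}", filePath, ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("Could not delete {0}: {1}", filePath, ex.Message);
        }
    }

    /// <summary>
    /// Removes the "load" value under HKCU\...\Windows after showing its current content and
    /// asking for an interactive [y/n] confirmation.
    /// </summary>
    static void DeleteRegisterKey()
    {
        if (!IsRegistryExists())
        {
            Console.WriteLine("Not found Registry Key / Value");
            return;
        }

        // The key must be opened writable, and because "load" is a value (not a subkey)
        // DeleteValue is the call that actually removes it.
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(RegKey, true))
        {
            if (key == null)
            {
                Console.WriteLine("Not found Registry Key / Value");
                return;
            }

            // Show what would have run at logon so the user can judge before deleting.
            string current = key.GetValue(LoadKey) as string;
            Console.WriteLine("Are you sure want to delete registry value HKCU\\{0}\\{1} = \"{2}\" [y/n]",
                RegKey, LoadKey, current);
            string answer = Console.ReadLine();
            if (answer == null || !string.Equals(answer.Trim(), "Y", StringComparison.OrdinalIgnoreCase))
            {
                return;
            }

            try
            {
                key.DeleteValue(LoadKey, false);
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine("Could not delete registry value: {0}", ex.Message);
            }
        }
    }

    /// <summary>
    /// Returns true when the "load" value under HKCU\...\Windows exists and is non-empty.
    /// Registry value names are case-insensitive, so a direct GetValue lookup is sufficient.
    /// </summary>
    static bool IsRegistryExists()
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(RegKey))
        {
            // OpenSubKey returns null when the key does not exist.
            if (key == null)
            {
                return false;
            }

            string loadValue = key.GetValue(LoadKey) as string;
            return !string.IsNullOrEmpty(loadValue);
        }
    }

    /// <summary>
    /// Parent of the System32 directory, i.e. %WINDIR% (for example C:\Windows).
    /// </summary>
    static string GetWindowPath()
    {
        string systemPath = GetSystemPath();
        // GetDirectoryName returns null only for a root path, which the system folder never is.
        return Path.GetDirectoryName(systemPath) ?? systemPath;
    }

    /// <summary>
    /// The System32 directory as reported by the OS.
    /// </summary>
    static string GetSystemPath()
    {
        return Environment.GetFolderPath(Environment.SpecialFolder.System);
    }
}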
1using System;
3using System.Diagnostics;
5using System.IO;
7using System.Management;
9using System.Collections;
11using Microsoft.Win32;
13using System.Security.Permissions;
17[assembly:RegistryPermissionAttribute(SecurityAction.RequestMinimum,
19 ViewAndModify="HKEY_CURRENT_USER")]
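class Program
{
    // Files the dropper leaves behind (see the write-up above this listing):
    // temp1/temp2 in %WINDIR%\System32, a fake xcopy.exe/svchost.exe in %WINDIR% itself,
    // and copy.exe/host.exe/autorun.inf in the root of every drive.
    static readonly string XCopy = "xcopy.exe";
    static readonly string SVCHost = "svchost.exe";
    static readonly string Temp1 = "temp1.exe";
    static readonly string Temp2 = "temp2.exe";
    static readonly string Copy = "copy.exe";
    static readonly string Host = "host.exe";
    static readonly string AutoRun = "autorun.inf";

    // The "load" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is
    // executed at logon, which is how the dropper survives a reboot.  Note that "load" is a
    // *value* under this key, not a subkey.
    static readonly string RegKey = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
    static readonly string LoadKey = "load";

    /// <summary>
    /// Entry point.  Terminates the temp1/temp2 processes, walks the known drop locations and
    /// offers to delete each file that is present, then offers to remove the "load"
    /// persistence value.  Every deletion is confirmed on the console first.
    /// </summary>
    static void Main()
    {
        bool foundVirus = QueryProcess(true);
        bool isRegistryExists = IsRegistryExists();
        // Printed as a bare True/False so the user can see the persistence check result.
        Console.WriteLine(isRegistryExists.ToString());

        // The process may already be gone (e.g. after a reboot into safe mode) while the files
        // and the registry value are still there, so either indicator is enough to continue.
        if (!foundVirus && !isRegistryExists)
        {
            Console.WriteLine("Not found virus.");
            return;
        }

        Console.WriteLine("Starting kill the virus.");

        // The dropper's svchost.exe/xcopy.exe sit in %WINDIR%; the genuine ones live in
        // %WINDIR%\System32 and must never be touched, hence GetWindowPath() here.
        string windowsDir = GetWindowPath();
        Console.WriteLine("Delete the xcopy.exe");
        KillVirus(Path.Combine(windowsDir, XCopy));

        Console.WriteLine("Delete the svchost.exe");
        KillVirus(Path.Combine(windowsDir, SVCHost));

        string systemDir = GetSystemPath();
        Console.WriteLine("Delete the temp1.exe");
        KillVirus(Path.Combine(systemDir, Temp1));

        Console.WriteLine("Delete the temp2.exe");
        KillVirus(Path.Combine(systemDir, Temp2));

        Console.WriteLine("Starting kill virus in each drive");
        ArrayList drives = GetAllLogicalDrives();
        foreach (string driveRoot in drives)
        {
            KillVirus(Path.Combine(driveRoot, Copy));
            // An earlier revision forgot the next two calls, so only copy.exe was deleted and
            // host.exe / autorun.inf were left behind.
            KillVirus(Path.Combine(driveRoot, Host));
            KillVirus(Path.Combine(driveRoot, AutoRun));
        }

        // Without this step the persistence value survives and the next logon complains that
        // c:\windows\svchost.exe (the file just deleted) cannot be found.
        if (isRegistryExists)
        {
            Console.WriteLine("Delete the registry load value");
            DeleteRegisterKey();
        }

        Console.ReadLine();
    }

    /// <summary>
    /// Returns the root path ("C:\", "D:\", ...) of every logical drive, printing each one.
    /// DriveInfo is used instead of a WMI query so no System.Management dependency and no
    /// undisposed COM objects are involved.
    /// </summary>
    static ArrayList GetAllLogicalDrives()
    {
        DriveInfo[] infos = DriveInfo.GetDrives();
        ArrayList drives = new ArrayList(infos.Length);
        foreach (DriveInfo info in infos)
        {
            Console.WriteLine("Drive: " + info.Name);
            drives.Add(info.Name);
        }
        return drives;
    }

    /// <summary>
    /// Looks for running temp1/temp2 processes.  Both names are always checked so that a
    /// second, still-running instance cannot keep its image file locked during the delete step.
    /// </summary>
    /// <param name="killProcess">When true, every matching process is terminated.</param>
    /// <returns>true if at least one matching process was found.</returns>
    static bool QueryProcess(bool killProcess)
    {
        bool found = false;
        string[] names = new string[]
        {
            Path.GetFileNameWithoutExtension(Temp1),
            Path.GetFileNameWithoutExtension(Temp2),
        };

        foreach (string name in names)
        {
            Process[] matches = Process.GetProcessesByName(name);
            if (matches.Length == 0)
            {
                continue;
            }

            found = true;
            if (killProcess)
            {
                KillProcess(matches);
            }
        }

        return found;
    }

    /// <summary>
    /// Terminates every process in <paramref name="processes"/> and waits briefly for each to
    /// exit so its image file is unlocked before the delete step.  A process that has already
    /// gone away is skipped; access failures are reported rather than thrown.
    /// </summary>
    static void KillProcess(Process[] processes)
    {
        foreach (Process p in processes)
        {
            using (p)
            {
                try
                {
                    p.Kill();
                    // Kill() returns before the process is gone; give the image file a
                    // moment to be released so File.Delete does not hit "file in use".
                    p.WaitForExit(5000);
                }
                catch (InvalidOperationException)
                {
                    Console.WriteLine("Process {0} already exited.", p.Id);
                }
                catch (System.ComponentModel.Win32Exception ex)
                {
                    Console.WriteLine("Could not kill process {0}: {1}", p.Id, ex.Message);
                }
            }
        }
    }

    /// <summary>
    /// Deletes <paramref name="filePath"/> after an interactive [y/n] confirmation.
    /// Does nothing when the file does not exist.  A refused or failed delete is reported
    /// and does not abort the rest of the cleanup.
    /// </summary>
    static void KillVirus(string filePath)
    {
        if (!File.Exists(filePath))
        {
            return;
        }

        Console.WriteLine("Are your sure want to delete: {0} [y/n]", filePath);
        string answer = Console.ReadLine();

        // ReadLine() returns null on end-of-input (redirected stdin); treat that as "no".
        if (answer == null || !string.Equals(answer.Trim(), "Y", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        try
        {
            // File.Delete refuses a read-only file, so reset the attributes first.  Normal
            // also clears Hidden/System, which the dropped files may carry.
            if ((File.GetAttributes(filePath) & FileAttributes.ReadOnly) == FileAttributes.ReadOnly)
            {
                File.SetAttributes(filePath, FileAttributes.Normal);
            }
            File.Delete(filePath);
        }
        catch (IOException ex)
        {
            // Typically "file in use": the owning process is still running.
            Console.WriteLine("Could not delete {0}: {1}", filePath, ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("Could not delete {0}: {1}", filePath, ex.Message);
        }
    }

    /// <summary>
    /// Removes the "load" value under HKCU\...\Windows after showing its current content and
    /// asking for an interactive [y/n] confirmation.
    /// </summary>
    static void DeleteRegisterKey()
    {
        if (!IsRegistryExists())
        {
            Console.WriteLine("Not found Registry Key / Value");
            return;
        }

        // The key must be opened writable, and because "load" is a value (not a subkey)
        // DeleteValue is the call that actually removes it.
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(RegKey, true))
        {
            if (key == null)
            {
                Console.WriteLine("Not found Registry Key / Value");
                return;
            }

            // Show what would have run at logon so the user can judge before deleting.
            string current = key.GetValue(LoadKey) as string;
            Console.WriteLine("Are you sure want to delete registry value HKCU\\{0}\\{1} = \"{2}\" [y/n]",
                RegKey, LoadKey, current);
            string answer = Console.ReadLine();
            if (answer == null || !string.Equals(answer.Trim(), "Y", StringComparison.OrdinalIgnoreCase))
            {
                return;
            }

            try
            {
                key.DeleteValue(LoadKey, false);
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine("Could not delete registry value: {0}", ex.Message);
            }
        }
    }

    /// <summary>
    /// Returns true when the "load" value under HKCU\...\Windows exists and is non-empty.
    /// Registry value names are case-insensitive, so a direct GetValue lookup is sufficient.
    /// </summary>
    static bool IsRegistryExists()
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(RegKey))
        {
            // OpenSubKey returns null when the key does not exist.
            if (key == null)
            {
                return false;
            }

            string loadValue = key.GetValue(LoadKey) as string;
            return !string.IsNullOrEmpty(loadValue);
        }
    }

    /// <summary>
    /// Parent of the System32 directory, i.e. %WINDIR% (for example C:\Windows).
    /// </summary>
    static string GetWindowPath()
    {
        string systemPath = GetSystemPath();
        // GetDirectoryName returns null only for a root path, which the system folder never is.
        return Path.GetDirectoryName(systemPath) ?? systemPath;
    }

    /// <summary>
    /// The System32 directory as reported by the OS.
    /// </summary>
    static string GetSystemPath()
    {
        return Environment.GetFolderPath(Environment.SpecialFolder.System);
    }
}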