中国DOS联盟论坛 - Powered by Discuz! Board

标题: sxs病毒 U盘专杀脚本请大虾帮助 [打印本页]

作者: kootoo 时间: 2007-1-4 02:17 标题: sxs病毒 U盘专杀脚本请大虾帮助

以下是自己编的不知道有什么问题运行了不奏效

rem 下面是清除SVOHOST.exe和 sxs.exe
for /f "skip=1 tokens=1,2 " %%i in ('tasklist') do if %%i equ conime.exe ntsd -c q -p %%j
for /f "skip=1 tokens=1,2 " %%i in ('tasklist') do if %%i equ SVOHOST.exe ntsd -c q -p %%j
for /f "skip=1 tokens=1,2 " %%i in ('tasklist') do if %%i equ sxs.exe ntsd -c q -p %%j
for /f "skip=1 tokens=1,2 " %%i in ('tasklist') do if %%i equ explore.exe ntsd -c q -p %%j
for /f "skip=1 tokens=1,2 " %%i in ('tasklist') do if %%i equ jvmlts.exe ntsd -c q -p %%j

set w=%windir%\system32\

attrib  -r -h -s %w%SVOHOST.exe
attrib  -r -h -s %w%sxs.exe
attrib  -r -h -s %w%winscok.dll
attrib  -r -h -s %w%noruns.reg
attrib  -r -h -s %w%explore.exe
attrib  -r -h -s %w%jvmlts.exe
attrib  -r -h -s %w%jvmlts.dll
attrib  -r -h -s %w%QQhx.dat

del /s /q %w%sxs.exe
del /s /q %w%SVOHOST.exe
del /s /q %w%winscok.dll
del /s /q %w%noruns.reg
del /s /q %w%explore.exe
del /s /q %w%jvmlts.exe
del /s /q %w%jvmlts.dll
del /s /q %w%QQhx.dat

setlocal enabledelayedexpansion
for /f "skip=1 tokens=1,2 delims=\" %%a in ('fsutil fsinfo drives^|find /v ""') do (
set aa=%%a
set aa=!aa:~-2!
for %%i in (!aa!) do (
      del /q /ah %%i\sxs.exe & del /q /ah %%i\autorun.inf & attrib.exe -r -h -s %%i\RECYCLER && cd %%i\RECYCLER && del . /q /ah /as & cd \))

rem 下面的是清除sxs.exe的残留注册文件
echo Windows Registry Editor Version 5.00 >repair.reg
echo.  >>repair.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] >>repair.reg
echo "SoundMam"=-  >>repair.reg
echo "rose"=-  >>repair.reg

echo [HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL] >>repair.reg

echo "CheckedValue"=- >>repair.reg
echo "CheckedValue"=dword:1 >>repair.reg

echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>repair.reg
echo "Shell"="Explorer.exe" >>repair.reg

echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] >>repair.reg
echo "NoDriveAutoRun"=dword:03FFFFFF >>repair.reg
echo "NoDrivetypeAutoRun"=dword:000000FF >>repair.reg
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44d308f0-1270-11db-bb87-009096256d40}\Shell\AutoRun\command] >>repair.reg
echo @=- >>repair.reg
regedit /s repair.reg
del /s /q repair.reg

[ Last edited by kootoo on 2007-1-4 at 02:19 AM ]