清理autorun及增加免疫 AUTOIT3脚本
Autorun 病毒修复\免疫程序脚本，作者 xunchi。注意：本脚本具有破坏性——它会结束 explorer.exe，仅凭文件名删除文件，把 system32\drivers 下的所有 .exe 都当作病毒删除，并递归删除各分区的 RECYCLER 目录；请先备份，并只在确认要清理的（XP 时代）机器上运行。autorun.inf 目录式免疫只对仍然执行 autorun.inf 的 Windows 版本有效。
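#include <File.au3>
#include <Array.au3>

; Autorun-worm clean-up / immunisation script (Windows XP era).
;
; Flow: strip autostart registry entries that reference a blacklisted name,
; kill the matching processes, delete the worm's dropped files, then visit
; every READY drive, delete autorun.inf together with the executables it
; points at, and create an autorun.inf *directory* in its place so a new
; autorun.inf file cannot be dropped there.
;
; WARNING (review): this tool is destructive. It closes explorer.exe,
; deletes files purely by name, treats every .exe under system32\drivers as
; malware and wipes <drive>\RECYCLER. Run it only on a machine you intend
; to clean, after taking a backup. The autorun.inf-directory immunisation
; only matters where Windows still honours autorun.inf on that drive type.

; Report buffers shown in message boxes at the end.
Dim $del_filelist            ; one deleted path per line
Dim $msg_anti_ok             ; drives that were already immunised
$del_filelist = ""
$msg_anti_ok = ""
$msg_cdrom = ""              ; drives that were not READY (likely optical)
$drivers_exe_FileList_Exist = ""

; Blacklist of process / file names; $avArray[0] holds the element count
; (the AutoIt convention also used by _FileListToArray / _ArrayAdd).
; repair_reg() removes any Run/Load autostart value whose data *contains*
; one of these strings and deletes the referenced file;
; kill_autorun_Process() closes every process with one of these names.
; NOTE(review): "conime.exe" and "rundll32.exe" are also names of legitimate
; Windows binaries, and entry 18 matches any autostart command that lives
; under the user's temp directory, so false positives are possible —
; review the list before wider use.
Dim $avArray[31]
$avArray[0] = 30
; sxs.exe family
$avArray[1] = "rose.exe"
$avArray[2] = "sxs.exe"
$avArray[3] = "tfidma.exe"
$avArray[4] = "severe.exe"
$avArray[5] = "oso.exe"
$avArray[6] = "conime.exe"
$avArray[7] = "teuyen.exe"
$avArray[8] = "mpnxyl.exe"
$avArray[9] = "gfosdg.exe"
$avArray[10] = "hnunkl.exe"
$avArray[11] = "SVOHOST.exe"
; copy.exe / host.exe family
$avArray[12] = "temp1.exe"
$avArray[13] = "temp2.exe"
; memsub.exe / shelltask.exe / msvds.dll family
$avArray[14] = "memsub.exe"
$avArray[15] = "shelltask.exe"
; rose family
$avArray[16] = "vchost.exe"
$avArray[17] = "rundll32.exe"
$avArray[18] = @TempDir      ; a path, not a name: ProcessClose() on it is a no-op
$avArray[19] = "baba.exe"
$avArray[20] = "ndtstat.exe"
$avArray[21] = "msccrt.exe"
$avArray[22] = "wgs3.exe"
$avArray[23] = "wms3.exe"
$avArray[24] = "wsttrs.exe"
$avArray[25] = "mppds.exe"
$avArray[26] = "winform.exe"
$avArray[27] = "mppdys.exe"
$avArray[28] = "htpatch.exe"
$avArray[29] = "cmdbcs.exe"
$avArray[30] = "twunk32.exe"

; Every .exe under system32\drivers is appended to the blacklist: that
; folder normally holds .sys drivers, so an .exe there is treated as a
; dropped worm (del_dri_virfiles() deletes them all).
; NOTE(review): legitimate vendor tools can live there too — check the
; listing on the target machine first.
$drivers_exe_FileList = _FileListToArray(@SystemDir & "\drivers", "*.exe", 1)
If @error = 0 Then
    ; The original only excluded @error 1 (path missing) and 4 (no files);
    ; any other failure also returns a non-array, so test for success instead.
    $drivers_exe_FileList_Exist = 1
    $avArray[0] = $avArray[0] + $drivers_exe_FileList[0]
    For $exe_i = 1 To $drivers_exe_FileList[0]
        _ArrayAdd($avArray, $drivers_exe_FileList[$exe_i])
    Next
Else
    $drivers_exe_FileList_Exist = 0
EndIf

; Registry clean-up is interleaved with process kills and repeated.
; NOTE(review): presumably to catch entries re-created by a still-running
; process (or skipped by the enumerate-while-deleting loop in repair_reg) —
; confirm before simplifying.
repair_reg()
repair_reg()
kill_autorun_Process()
repair_reg()
kill_autorun_Process()
If $drivers_exe_FileList_Exist = 1 Then del_dri_virfiles()
del_sysfiles()
repair_reg()
repair_reg_Image_File_Execution_Options()

; Per-drive pass. $var and $i are globals: del_files(), del_autorun_files()
; and create_autorun_dir() read the current drive as $var[$i].
$var = DriveGetDrive("ALL")
For $i = 1 To $var[0]
    $diskready = DriveStatus($var[$i] & "\")
    If $diskready = "READY" Then
        ; DirGetSize() returns -1 when autorun.inf is not a directory, i.e.
        ; the drive has not been immunised yet.
        If DirGetSize($var[$i] & "\autorun.inf") = -1 Then
            If FileExists($var[$i] & "\autorun.inf") = 1 Then
                ; Delete every executable the worm's autorun.inf points at.
                ; del_autorun_files() reads the global $autorun_file.
                $autorun_file = IniRead($var[$i] & "\autorun.inf", "autorun", "open", "none")
                del_autorun_files()
                $autorun_file = IniRead($var[$i] & "\autorun.inf", "autorun", "ShellExecute", "none")
                del_autorun_files()
                $autorun_file = IniRead($var[$i] & "\autorun.inf", "autorun", "shell\Auto\command", "none")
                del_autorun_files()
                ; "shell=<verb>" names a custom verb; its command line is
                ; stored under shell\<verb>\command.
                $shell_ini = IniRead($var[$i] & "\autorun.inf", "autorun", "shell", "none")
                If $shell_ini <> "none" Then
                    $autorun_file = IniRead($var[$i] & "\autorun.inf", "autorun", "shell\" & $shell_ini & "\command", "none")
                    del_autorun_files()
                EndIf
                ; Worm-dropped autorun.inf files are typically read-only /
                ; hidden / system; per AutoIt's FileDelete() remarks such
                ; attributes can make deletion fail, so clear them first.
                FileSetAttrib($var[$i] & "\autorun.inf", "-RSH")
                FileDelete($var[$i] & "\autorun.inf")
                create_autorun_dir()
            Else
                create_autorun_dir()
            EndIf
        Else
            $msg_anti_ok = $msg_anti_ok & $var[$i] & " 已经免疫了!" & @CR
        EndIf
        del_files()
    Else
        ; Append rather than overwrite, so every non-READY drive is reported
        ; (the original kept only the last one).
        $msg_cdrom = $msg_cdrom & $var[$i] & " 不能读写!可能是光盘,免疫没有成功!" & @CR
    EndIf
Next

MsgBox(4096, "", $msg_anti_ok)
If $del_filelist = "" Then $del_filelist = "没有找到可疑的文件!"
MsgBox(4096, "", $del_filelist)
If $msg_cdrom <> "" Then MsgBox(4096, "免疫没有成功", $msg_cdrom)
; kill_autorun_Process() closed the shell; bring it back.
Run("explorer.exe")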
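Func del_files()
    ; Remove well-known worm droppers from the root of the drive currently
    ; being processed ($var[$i] is set by the drive loop in the main script).
    ; Names are matched literally. Unlike the original, each file actually
    ; removed is appended to the global $del_filelist so it appears in the
    ; final report, and the duplicated "meisub.exe" entry is listed once.
    Local $aDroppers[21] = ["Pagefile.pif", "美女游戏.pif", "重要资料.exe", "成人小说.exe", _
            "个人档案.exe", "oso.exe", "autorun.exe", "autorun.ini", "sxs.exe", "command.exe", _
            "copy.exe", "host.exe", "BootIO.exe", "rose.exe", "_desktop.ini", "meisub.exe", _
            "SocksA.exe", "tel.xls.exe", "SVOHOST.exe", "systemdate.ini", "systemfile.com"]
    Local $n, $sPath
    For $n = 0 To UBound($aDroppers) - 1
        $sPath = $var[$i] & "\" & $aDroppers[$n]
        If FileExists($sPath) Then
            ; Dropped files are typically read-only/hidden/system; per
            ; AutoIt's FileDelete() remarks those attributes can make the
            ; delete fail, so clear them first.
            FileSetAttrib($sPath, "-RSH")
            FileDelete($sPath)
            $del_filelist = $del_filelist & $sPath & @CR
        EndIf
    Next
    ; Recursively remove <drive>\RECYCLER. NOTE(review): on NTFS this is the
    ; drive's Recycle Bin folder, so anything the user had in the bin on
    ; this drive is discarded too (same as the original behaviour).
    DirRemove($var[$i] & "\RECYCLER", 1)
EndFunc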
Func kill_autorun_Process()
    ; Close a fixed set of processes, then every process whose name is in
    ; the global $avArray blacklist ($avArray[0] = element count).
    ; explorer.exe is closed here and restarted by the main script at the
    ; end — presumably so the shell cannot re-launch the worm meanwhile
    ; (confirm). NOTE(review): spoolsv.exe (print spooler) and wscript.exe
    ; are closed unconditionally, whether or not they are malicious.
    Local $aFixed[4] = ["explorer.exe", "iexplore.exe", "spoolsv.exe", "wscript.exe"]
    Local $n
    For $n = 0 To UBound($aFixed) - 1
        ProcessClose($aFixed[$n])
    Next
    For $n = 1 To $avArray[0]
        ProcessClose($avArray[$n])
    Next
EndFunc
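Func del_dri_virfiles()
    ; Delete every .exe that _FileListToArray() found under system32\drivers
    ; (global $drivers_exe_FileList, element 0 = count), closing a process
    ; of the same name first. Each deleted path is appended to the global
    ; $del_filelist for the final report.
    ; Fix: the original's $del_filelist assignment was broken across three
    ; lines without a "_" continuation, which AutoIt rejects.
    ; NOTE(review): this treats *every* .exe in that folder as malware.
    Local $n, $sPath
    For $n = 1 To $drivers_exe_FileList[0]
        $sPath = @SystemDir & "\drivers\" & $drivers_exe_FileList[$n]
        If FileExists($sPath) Then
            ProcessClose($drivers_exe_FileList[$n])
            ; Clear R/S/H attributes first; per AutoIt's FileDelete()
            ; remarks they can make the delete fail.
            FileSetAttrib($sPath, "-RSH")
            FileDelete($sPath)
            $del_filelist = $del_filelist & $sPath & @CR
        EndIf
    Next
EndFunc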
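Func del_sysfiles()
    ; Delete known worm files dropped into the Windows / system32 folders
    ; (plus two hard-coded C: paths from the original). Order and paths are
    ; unchanged; every file actually removed is appended to the global
    ; $del_filelist. Family notes from the original: temp1/temp2.exe belong
    ; to the copy.exe/host.exe worm, SVOHOST.exe/sxs.exe to the sxs.exe
    ; worm; svchost.exe is only deleted from the Windows dir, never from
    ; system32 where the real one lives.
    Local $aPaths[18] = [ _
            @SystemDir & "\SocksA.exe", _
            @SystemDir & "\gfosdg.exe", _
            @SystemDir & "\gfosdg.dll", _
            @SystemDir & "\severe.exe", _
            @SystemDir & "\hx1.bat", _
            @SystemDir & "\noruns.reg", _
            @SystemDir & "\hnunkl.exe", _
            @SystemDir & "\Rose.exe", _
            "c:\system32\rose.exe", _
            @SystemDir & "\run.reg", _
            @SystemDir & "\systemdate.ini", _
            "c:\system.sys", _
            @SystemDir & "\temp1.exe", _
            @SystemDir & "\temp2.exe", _
            @WindowsDir & "\xcopy.exe", _
            @WindowsDir & "\svchost.exe", _
            @SystemDir & "\SVOHOST.exe", _
            @SystemDir & "\sxs.exe"]
    Local $n
    For $n = 0 To UBound($aPaths) - 1
        If FileExists($aPaths[$n]) Then
            ; Clear R/S/H attributes first; per AutoIt's FileDelete()
            ; remarks they can make the delete fail.
            FileSetAttrib($aPaths[$n], "-RSH")
            FileDelete($aPaths[$n])
            $del_filelist = $del_filelist & $aPaths[$n] & @CR
        EndIf
    Next
EndFunc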
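Func del_autorun_files()
    ; Delete the executable named by the global $autorun_file (a value the
    ; main loop read from <drive>\autorun.inf; "none" when the key is
    ; absent). A value containing ":\" is taken as an absolute path;
    ; anything else is resolved relative to the root of the current drive
    ; $var[$i]. Deleted paths are appended to the global $del_filelist.
    ; NOTE(review): a value that carries arguments ("x.exe /s") or is not a
    ; plain path will not match FileExists() and is skipped.
    If $autorun_file = "none" Then Return
    Local $sTarget = ""
    If StringInStr($autorun_file, ":\") <> 0 Then
        If FileExists($autorun_file) Then $sTarget = $autorun_file
    ElseIf FileExists($var[$i] & "\" & $autorun_file) Then
        $sTarget = $var[$i] & "\" & $autorun_file
    EndIf
    If $sTarget = "" Then Return
    ; ProcessClose() takes a process (image) name or PID, so strip any
    ; directory part; the original passed the raw value, which only matched
    ; when the value was a bare file name.
    ProcessClose(StringRegExpReplace($autorun_file, "^.*\\", ""))
    ; Clear R/S/H attributes first; per AutoIt's FileDelete() remarks they
    ; can make the delete fail.
    FileSetAttrib($sTarget, "-RSH")
    FileDelete($sTarget)
    $del_filelist = $del_filelist & $sTarget & @CR
EndFunc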
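Func repair_reg()
    ; Remove autostart entries that reference a blacklisted name (global
    ; $avArray, $avArray[0] = count) from the HKLM and HKCU Run keys and
    ; from the HKCU "...\Windows NT\CurrentVersion\Windows" Load value,
    ; deleting the referenced executable where it can be located. Finally
    ; re-enable Explorer's "show hidden files" option. Deleted paths are
    ; appended to the global $del_filelist.
    Local $aRunKeys[2] = ["HKLM\Software\Microsoft\Windows\CurrentVersion\Run", _
            "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]
    Local $n, $m, $aNames, $sCmd
    For $n = 0 To UBound($aRunKeys) - 1
        ; Value names are collected up front: deleting a value while
        ; RegEnumVal() iterates shifts the remaining indices, so the
        ; original loop skipped the entry after every deletion (which is
        ; presumably why the main script calls repair_reg() repeatedly).
        $aNames = _repair_reg_value_names($aRunKeys[$n])
        For $m = 1 To $aNames[0]
            $sCmd = RegRead($aRunKeys[$n], $aNames[$m])
            If _repair_reg_is_blacklisted($sCmd) Then
                _repair_reg_remove_target($sCmd)
                RegDelete($aRunKeys[$n], $aNames[$m])
            EndIf
        Next
    Next
    ; win.ini-style "Load" autostart value. Fix: the original spelled the
    ; key "Micosoft\Windows NT\Current Version", which does not exist, so
    ; this check silently never fired.
    Local $sLoadKey = "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
    $sCmd = RegRead($sLoadKey, "Load")
    If _repair_reg_is_blacklisted($sCmd) Then
        _repair_reg_remove_target($sCmd)
        RegDelete($sLoadKey, "Load")
    EndIf
    ; Force "Show hidden files and folders" back on (the worms targeted
    ; here are presumably switching it off to hide their droppers).
    RegWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", "REG_DWORD", "1")
EndFunc

; Return the names of all values under registry key $sKey as an array with
; the count at index 0 (empty key -> [0]).
Func _repair_reg_value_names($sKey)
    Local $aNames[1] = [0]
    Local $idx = 1, $sName
    While 1
        $sName = RegEnumVal($sKey, $idx)
        If @error <> 0 Then ExitLoop
        ReDim $aNames[$idx + 1]
        $aNames[$idx] = $sName
        $aNames[0] = $idx
        $idx += 1
    WEnd
    Return $aNames
EndFunc

; True when autostart command line $sCmd contains any name from the global
; $avArray blacklist (substring match, as in the original).
Func _repair_reg_is_blacklisted($sCmd)
    Local $k
    For $k = 1 To $avArray[0]
        If StringInStr($sCmd, $avArray[$k]) <> 0 Then Return True
    Next
    Return False
EndFunc

; Close and delete the executable an autostart value $sCmd points at,
; probing the same locations in the same order as the original: an
; absolute path (contains ":\") as-is; otherwise relative to the Windows
; dir, then system32, then as given. Appends the deleted path to the
; global $del_filelist.
; NOTE(review): a value with arguments ("foo.exe -x") does not match
; FileExists(); the file is left on disk and only the registry entry goes.
Func _repair_reg_remove_target($sCmd)
    Local $sPath = ""
    If StringInStr($sCmd, ":\") <> 0 Then
        If FileExists($sCmd) Then $sPath = $sCmd
    ElseIf FileExists(@WindowsDir & "\" & $sCmd) Then
        $sPath = @WindowsDir & "\" & $sCmd
    ElseIf FileExists(@SystemDir & "\" & $sCmd) Then
        $sPath = @SystemDir & "\" & $sCmd
    ElseIf FileExists($sCmd) Then
        $sPath = $sCmd
    EndIf
    If $sPath = "" Then Return
    ; ProcessClose() takes an image name or PID, so strip any directory part.
    ProcessClose(StringRegExpReplace($sCmd, "^.*\\", ""))
    ; Clear R/S/H attributes first; per AutoIt's FileDelete() remarks they
    ; can make the delete fail.
    FileSetAttrib($sPath, "-RSH")
    FileDelete($sPath)
    $del_filelist = $del_filelist & $sPath & @CR
EndFunc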
Func create_autorun_dir()
    ; "Immunise" the current drive ($var[$i], set by the main loop): create
    ; autorun.inf as a *directory* so a worm cannot drop an autorun.inf
    ; file in its place, then nest a folder with an unusual name and mark
    ; the whole thing system/read-only/hidden.
    ; NOTE(review): the nested name ends in "..\" — presumably chosen
    ; because ordinary file APIs refuse to remove such a folder, which is
    ; what keeps the immunisation in place; cmd.exe is used for that step,
    ; presumably because DirCreate() cannot produce the name — confirm.
    ; This only helps on Windows versions that still honour autorun.inf.
    Local $sDrive = $var[$i]
    DirCreate($sDrive & "\autorun.inf")
    Local $sMkdirCmd = @ComSpec & " /c md " & $sDrive & "\Autorun.inf\病毒免疫目录不要删除!..\>nul 2>nul"
    RunWait($sMkdirCmd, "", @SW_HIDE)
    Local $sAttribCmd = @ComSpec & " /c attrib +S +R +H " & $sDrive & "\Autorun.inf>nul 2>nul"
    RunWait($sAttribCmd, "", @SW_HIDE)
EndFunc
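Func repair_reg_Image_File_Execution_Options()
    ; Undo Image File Execution Options (IFEO) hijacks: a "Debugger" value
    ; under HKLM\...\Image File Execution Options\<exe> makes Windows start
    ; that program in place of <exe>. Every subkey carrying a Debugger
    ; value has it removed; when the value is a bare path to an existing
    ; file, that file's process is closed and the file deleted. Deleted
    ; paths are appended to the global $del_filelist.
    ; Fixes vs. the original: the key-name string literals were split
    ; across lines (a syntax error in AutoIt); subkeys are collected before
    ; deleting, because deleting while RegEnumKey() iterates shifts the
    ; indices and skips the next entry; and only the Debugger value is
    ; removed rather than the whole subkey, so unrelated settings stored
    ; there survive.
    ; NOTE(review): legitimate Debugger entries (e.g. a developer's JIT
    ; debugger) are removed as well — review before use on such a machine.
    Local $sIFEO = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    Local $aSub[1] = [0]
    Local $idx = 1, $sName
    While 1
        $sName = RegEnumKey($sIFEO, $idx)
        If @error <> 0 Then ExitLoop
        ReDim $aSub[$idx + 1]
        $aSub[$idx] = $sName
        $aSub[0] = $idx
        $idx += 1
    WEnd
    Local $n, $sSubKey, $sDebugger
    For $n = 1 To $aSub[0]
        $sSubKey = $sIFEO & "\" & $aSub[$n]
        $sDebugger = RegRead($sSubKey, "Debugger")
        If $sDebugger <> "" Then
            RegDelete($sSubKey, "Debugger")
            ; A value with arguments ("ntsd -d") will not match FileExists()
            ; and is left alone on disk; only the registry hijack is undone.
            If FileExists($sDebugger) Then
                ; ProcessClose() takes an image name or PID, so strip any path.
                ProcessClose(StringRegExpReplace($sDebugger, "^.*\\", ""))
                FileSetAttrib($sDebugger, "-RSH")
                FileDelete($sDebugger)
                $del_filelist = $del_filelist & $sDebugger & @CR
            EndIf
        EndIf
    Next
EndFunc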