

2008-1-3 23:23 zh_star
Many users have recently been infected with the pagefile.pif virus (a new variant of the 磁碟机 virus), so I am providing a dedicated removal batch file; I hope it helps!

Virus information:
  Full name: Win32.Troj.AutoRun.te.v
  Length: 89280
  Threat level: ★★
  Type: Trojan
  Description
  This is an AutoRun virus. Once it runs, it drops AutoRun virus files with the hidden attribute on every drive, and after it modifies the registry, files with the hidden attribute can no longer be viewed. It deletes many startup entries, including those of antivirus software and of the system itself, so that after a reboot the antivirus no longer works and the machine's security is greatly reduced. The virus can also break Safe Mode and download further viruses.
  Behavior
  1. After running, the virus creates the following files:
    %temp%\RarSFX0
    %windows%\system32\Com\LSASS.EXE
    %windows%\system32\Com\netcfg.000
    %windows%\system32\Com\netcfg.dll
    %windows%\system32\Com\SMSS.EXE
    %Local Settings%\Temporary Internet Files\Content.IE5\EC5UKR17\r[1].htm
    %Local Settings%\Temporary Internet Files\Content.IE5\GR8I0NOH\CAYNKA2Y.HTM
  2. Creates AutoRun virus files on every drive, namely the virus file pagefile.pif and its helper file autorun.inf, both with the hidden attribute.
  3. Modifies the registry so that the system's hidden-file display option stops working and cannot be controlled by the user; any file with the hidden attribute can no longer be shown.
  4. Inspecting the startup entries reveals that many system startup entries have been deleted automatically, including the Kingsoft Antivirus (毒霸) entry.
  5. Since the startup entries are gone, a scan with an anti-spyware tool's hidden-software scanner shows two hidden items: "abnormal autorun.inf" and "Broken SafeBoot". Broken SafeBoot clearly means Safe Mode has been sabotaged, so after infection the user can no longer enter Safe Mode.
  6. The virus also triggers ARP spoofing, so every machine on the same LAN may be spoofed; the obvious symptoms are frequent network disconnections, and the virus gets downloaded onto the machines hit by the ARP spoofing.
Solution:
Save the content between the lines below as 1.bat and run it. After it finishes, update your antivirus and run a full scan; if the antivirus has been damaged and will not start, reinstall it and then scan. Preferably scan in Safe Mode, and reboot after cleaning!
===========================================================================
@echo off
title 江海一叶飘工作室---系统之家论坛☆☆☆pagefile.pif(磁碟机新变种)病毒专杀工具☆☆☆
color 37
if exist pagefile.pif echo ☆☆☆pagefile.pif病毒没有清除!☆☆☆
if exist autorun.inf echo ☆☆☆autorun.inf病毒没有清除!☆☆☆
if exist C:\WINDOWS\system32\com\LSASS.EXE echo ☆☆☆LSASS.EXE病毒没有清除!☆☆☆
if exist C:\WINDOWS\system32\com\SMSS.EXE echo ☆☆☆SMSS.EXE病毒没有清除!☆☆☆
if exist C:\WINDOWS\system32\com\netcfg.dll echo ☆☆☆netcfg.dll病毒没有清除!☆☆☆
if exist C:\WINDOWS\system32\drivers\alg.exe echo ☆☆☆alg.exe病毒没有清除!☆☆☆
taskkill /im explorer.exe /f
taskkill /im wscript.exe
taskkill /im LMASS.exe /f
taskkill /im SMASS.exe /f
wmic process where name="LMASS.exe" call terminate
wmic process where name="SMASS.exe" call terminate
attrib C:\WINDOWS\system32\com\LSASS.EXE -s -h -r
del /f /q C:\WINDOWS\system32\com\LSASS.EXE
attrib C:\WINDOWS\system32\com\SMSS.EXE -s -h -r
del /f /q C:\WINDOWS\system32\com\SMSS.EXE
attrib C:\WINDOWS\system32\drivers\alg.exe -s -h -r
del /f /q C:\WINDOWS\system32\drivers\alg.exe
attrib C:\Documents" "and" "Settings\All" "Users\「开始」菜单\程序\启动\~.pif -s -h -r
del /f /q C:\Documents" "and" "Settings\All" "Users\「开始」菜单\程序\启动\~.pif
attrib C:\Documents" "and" "Settings\Administrator\「开始」菜单\程序\启动\~.pif -s -h -r
del /f /q C:\Documents" "and" "Settings\Administrator\「开始」菜单\程序\启动\~.pif
rem %USERPROFILE% itself contains spaces, so the whole path must be quoted
attrib "%USERPROFILE%\「开始」菜单\程序\启动\~.pif" -s -h -r
del /f /q "%USERPROFILE%\「开始」菜单\程序\启动\~.pif"
attrib C:\Documents" "and" "Settings\new\「开始」菜单\程序\启动\~.pif -s -h -r
del /f /q C:\Documents" "and" "Settings\new\「开始」菜单\程序\启动\~.pif
attrib "%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\EC5UKR17\r[1].htm" -s -h -r
del /f /q "%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\EC5UKR17\r[1].htm"
attrib "%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\GR8I0NOH\CAYNKA2Y.HTM" -s -h -r
del /f /q "%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\GR8I0NOH\CAYNKA2Y.HTM"
del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
del /f /s /q "%userprofile%\Local Settings\Temp\*.*"
attrib %temp%\RarSFX0 -s -h -r
del /f /q %temp%\RarSFX0
attrib c:\windows\system32\com\netcfg.000 -s -h -r
del /f /q c:\windows\system32\com\netcfg.000
attrib c:\windows\system32\com\netcfg.dll -s -h -r
del /f /q c:\windows\system32\com\netcfg.dll
attrib c:\windows\system32\000.cfg0 -s -h -r
del /f /q c:\windows\system32\000.cfg0
attrib c:\windows\system32\appand.exe.245625 -s -h -r
del /f /q c:\windows\system32\appand.exe.245625
attrib c:\windows\system32\dnsq.dll -s -h -r
del /f /q c:\windows\system32\dnsq.dll
attrib c:\windows\system32\ntfsus.exe.251890 -s -h -r
del /f /q c:\windows\system32\ntfsus.exe.251890
md C:\WINDOWS\system32\com\LSASS.EXE
cacls C:\WINDOWS\system32\com\LSASS.EXE /e /p everyone:n
md C:\WINDOWS\system32\com\SMSS.EXE
cacls C:\WINDOWS\system32\com\SMSS.EXE /e /p everyone:n
wmic process where name="LMASS.exe" call terminate
wmic process where name="SMASS.exe" call terminate
for /d %%i in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist "%%i:/autorun.inf" (
  cacls %%i:/autorun.inf /c /e /p everyone:f
  attrib -s -h -r "%%i:/autorun.inf"
  del "%%i:/autorun.inf" /q
)
for /d %%i in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist "%%i:/pagefile.pif" (
  cacls %%i:/pagefile.pif /c /e /p everyone:f
  attrib -s -h -r "%%i:/pagefile.pif"
  del "%%i:/pagefile.pif" /q
)
rem redirect first: "5.00>file" would be parsed by cmd as a handle-0 redirect and the header line would be lost
>C:\seesaw.reg echo Windows Registry Editor Version 5.00
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>C:\seesaw.reg
echo "Shell"="Explorer.exe" >>C:\seesaw.reg
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] >>C:\seesaw.reg
echo "DisableTaskMgr"=dword:00000000 >>C:\seesaw.reg
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] >>C:\seesaw.reg
echo "DisableRegistryTools"=dword:00000000 >>C:\seesaw.reg
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] >>C:\seesaw.reg
echo "NoFolderOptions"=dword:00000000 >>C:\seesaw.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] >>C:\seesaw.reg
echo "CheckedValue"=dword:00000001 >>C:\seesaw.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt] >>C:\seesaw.reg
echo "UncheckedValue"=dword:00000000 >>C:\seesaw.reg
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] >>C:\seesaw.reg
echo "NoDriveAutoRun"=hex:ff,ff,ff,03 >>C:\seesaw.reg
echo "NoSetTaskbar"=dword:00000000 >>C:\seesaw.reg
echo "NoDriveTypeAutoRun"=dword:000000ff >>C:\seesaw.reg
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] >>C:\seesaw.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] >>C:\seesaw.reg
echo "NoDriveTypeAutoRun"=dword:000000ff >>C:\seesaw.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] >>C:\seesaw.reg
@reg import C:\seesaw.reg
@del /q C:\seesaw.reg
rem same redirect-first form as above so the "5.00" is not taken as a file handle
>C:\seesaw.reg echo Windows Registry Editor Version 5.00
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQ.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.EXE] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.EXE] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.EXE] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.EXE] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.EXE] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvxp.kxp] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVLSUI.kxp] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVIETools.kxp] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiUtilities.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BeatTrojan.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VnetClient.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\glworld.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TTPlayer.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McAgent.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctskshd.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DefWatch.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetApp.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMaiMon.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UdaterUI.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\licmgr.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmcdlg.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashBug.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashChest.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPck.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswclear.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgas.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanBD.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavCopy.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LangSet.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegGuide.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UlibCfg.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ToolsUp.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\skinset.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InBuild.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsConfig.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realplay.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMain.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPStart.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPUpdate.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Clean.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TTPlayer.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinRAR.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiUtilities.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ghost.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ghostexp.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kuree.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASSetup0524.EXE] >>C:\seesaw.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Download.exe] >>C:\seesaw.reg
regedit /s C:\seesaw.reg
del /q C:\seesaw.reg
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wscript.exe" /v debugger /t reg_sz /d debugfile.exe /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe" /v debugger /t reg_sz /d debugfile.exe /f
taskkill /f /im Wscript.exe /t
reg add "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
wmic process where name="LMASS.exe" call terminate
wmic process where name="SMASS.exe" call terminate
start explorer.exe
net start "Shadow System Service"
net start sharedaccess >nul
net start "Kingsoft Antivirus KWatch Service"
net start "Kingsoft Personal Firewall Service"
net start "Kingsoft Antivirus Service"
net start "Ravservice"
net start KVSrvXP
net start AVP
net start "AVG Anti-Spyware Guard"
net start XCOMM
net start LIVESRV
net start bdss
net start VSSERV
net start KVWSC
net start MPSVCService
net start NOD32krn
net start RfwService
net start RfwProxySrv
net start "avast! Antivirus"
net start "avast! Mail Scanner"
net start "avast! Web Scanner"
net start aswUpdSv
for /f "tokens=1-3 delims=-" %%i in ('date/t') do set date_tmp=%%j-%%k > nul
@echo 2007-%date_tmp%|date > nul
@echo %date% > nul
for /d %%i in (c,d,e,f,g,h,i,j,k,l,m,n) do if not exist "%%i:/autorun.inf" (
  md "%%i:/autorun.inf"
  md "%%i:/autorun.inf/seesaw../"
  attrib +s +h +r "%%i:/autorun.inf"
  cacls %%i:/autorun.inf /c /e /p everyone:f
)
echo.
echo  ******** autorun.inf自动免疫完成!********
echo.
exit
===========================================================================
The method above is only for light infections. For a heavy infection it is better to format and reinstall the system rather than waste time on cleaning, because what you have is a new 磁碟机 variant: manual cleaning is tedious and requires some computer knowledge and antivirus experience, and if it is not cleaned completely, reinfection is likely.
Measures to prevent the new 磁碟机 variant:
  1. AutoRun-type viruses all spread through the AutoPlay function of removable storage media. This batch file has already disabled AutoPlay.
  2. Patch vulnerabilities in the operating system, IE and common media players so the virus cannot get in through them.
  3. Keep your antivirus updated, and turn on the firewall and the antivirus's real-time monitoring.
  4. After infection with the new 磁碟机 variant, the system's Ghost image files are forcibly deleted. Rename the extension of your Ghost image from .gho to .gho1, and change it back when you need to restore the image.
  5. The virus also causes ARP spoofing; use Kingsoft ARP Firewall or 360 ARP Firewall.
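Added example (my own code, not part of zh_star's post or of the batch above): a small Python audit that parses a regedit .reg export and flags the registry tampering the post describes: IFEO "Debugger" redirects on other programs, the SHOWALL CheckedValue hidden-file toggle, NoDriveTypeAutoRun not set to 0xff, and a SafeBoot\Minimal tree missing the DiskDrive class key. The function names and the embedded sample export are constructed for illustration; the registry paths and GUID are the ones used in the batch.

```python
import re
# Registry paths named in the post, lower-cased for case-insensitive matching
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
SHOWALL = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall"
AUTORUN_POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
SAFEBOOT_MINIMAL = r"hkey_local_machine\system\currentcontrolset\control\safeboot\minimal"
DISKDRIVE_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"

# Constructed sample export (not a real capture) reproducing the post's symptoms
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.EXE]
"Debugger"="C:\\WINDOWS\\system32\\Com\\LSASS.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
"""


def parse_reg(text):
    """Parse a regedit 5.00 export into {key: {value_name: data}}; keys and value
    names are lower-cased, REG_SZ data is unquoted, other data is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:  # key header; a leading '-' in a .reg file means "delete this key"
            current = m.group(1).lstrip("-").lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2).lower()
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):  # unescape REG_SZ
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def dword(data):
    """'dword:000000ff' -> 255; None when the value is absent or not a DWORD."""
    return int(data[6:], 16) if data and data.lower().startswith("dword:") else None


def audit(reg_text):
    """Return human-readable findings for the tampering signs the post describes."""
    keys = parse_reg(reg_text)
    findings = []
    # An IFEO "Debugger" value silently runs another binary in place of the program;
    # the batch above deletes dozens of these keys that the virus plants for AV tools.
    for key, values in keys.items():
        if key.startswith(IFEO + "\\") and "debugger" in values:
            exe = key.rsplit("\\", 1)[1]
            findings.append(f"IFEO debugger on {exe} -> {values['debugger']}")
    # SHOWALL CheckedValue must be 1, or "show hidden files" silently stops working
    v = dword(keys.get(SHOWALL, {}).get("checkedvalue"))
    if v is not None and v != 1:
        findings.append(f"hidden-file display tampered: SHOWALL CheckedValue = {v}")
    # NoDriveTypeAutoRun 0xff disables AutoRun on every drive type (the batch's setting)
    v = dword(keys.get(AUTORUN_POLICY, {}).get("nodrivetypeautorun"))
    if v != 0xFF:
        findings.append(f"AutoRun not fully disabled: NoDriveTypeAutoRun = {v}")
    # Safe mode needs the DiskDrive class under SafeBoot\Minimal; only checked when
    # the export actually contains that tree, to avoid a false positive
    if SAFEBOOT_MINIMAL in keys and SAFEBOOT_MINIMAL + "\\" + DISKDRIVE_CLASS not in keys:
        findings.append("SafeBoot\\Minimal lacks the DiskDrive class key (safe mode broken)")
    return findings
```

On a suspect machine, export the relevant keys with reg export (the output is UTF-16, so open it with encoding="utf-16") and pass the text to audit(). Note that after the batch above has run, its own deliberate Wscript.exe and ping.exe debugger entries will also be listed, so treat the findings as a review list rather than verdicts.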
