无忧启动论坛

标题: exe文件运行后,强制删除自身程序,并且程序还要正常运行? [打印本页]
作者: 安情    时间: 2006-8-20 15:02
提示: 作者被禁止或删除 内容自动屏蔽
作者: strongchen    时间: 2006-8-20 18:24
ms lz 真得在研究病毒。。。

不会编程不可能吧
作者: namejm    时间: 2006-8-20 18:40
  安情,你这想法也太离谱了吧。皮之不存,毛将焉附?程序都被你删了,你还能指望它能运行,并且正常运行吗?

[ 本帖最后由 namejm 于 2006-8-20 08:06 PM 编辑 ]
作者: bdfcy    时间: 2006-8-20 19:27
运行时把自身复制到临时目录,再运行临时目录的,删除自身
作者: 安情    时间: 2006-8-20 20:05
提示: 作者被禁止或删除 内容自动屏蔽
作者: strongchen    时间: 2006-8-20 22:01
你的要求根本就是运行病毒,只有病毒可以在进程里面不显示。
作者: cjzzz    时间: 2006-8-20 22:24
fu.exe    隐藏进程   杀毒软件会报

https://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip
作者: 安情    时间: 2006-8-21 00:19
提示: 作者被禁止或删除 内容自动屏蔽
作者: 老毛桃    时间: 2006-8-21 09:14
可以参考一些病毒、木马的做法,运行时在系统文件夹按随机名称生成一个可执行文件,执行完毕再删除它,这样会比较安全些,一般人也不会在运行这个文件的当儿去扫描他的系统文件夹有什么变化。
作者: 安情    时间: 2006-8-21 17:40
提示: 作者被禁止或删除 内容自动屏蔽
作者: wjgyz740526    时间: 2006-8-22 15:15
你可以做成个自解包,自解包解压到临时目录,并且自解包解压后运行cmd,在icmd里再删除那些个文件
作者: 安情    时间: 2006-8-23 08:43
提示: 作者被禁止或删除 内容自动屏蔽
作者: 13987260859    时间: 2006-8-29 09:47
偶现在遇到一个:
1、在注册 表键值中删除了那个恶意代码,它会自动再加上;
2、删除原文件后它会很快再复原;
。。。。。。也就是这个文件不能从我的机器上弄走

。。。晕了晕!

\windows\winlogon.exe
\windows\ExeRoute.exe

注册表中的是:Trojan Program >\windows\winlogon.exe
作者: zts59    时间: 2006-8-29 18:55
让他自己改一下自己程序名
作者: namejm    时间: 2006-8-29 22:48
  呵呵,恭喜你,你中了最近比较流行的木马——落雪。

  在网上找到了一个比较完美的批处理解决方案,张贴如下:

  2. @echo off
  3. cls
  4. echo ***********************************************************
  5. echo   此文件用于清除WINLOGON系列木马并修复其破坏的注册表信息
  6. echo                 警告:只适用于XP操作系统
  7. echo   空指针 制作     感谢 风乱舞 鼎力相助并提供系统优化功能
  8. echo ***********************************************************
  9. echo    名称:WINLOGON系列木马修复程序
  10. echo    功能:
  11. echo        1. 删除木马相关文件
  12. echo        2. 修复被木马修改的系统关联
  13. echo        3. 部分系统优化(ADSL拨号.桌面速度.IE速度.等部分系统优化)
  14. echo.        

  16. pause
  17. cls
  18. @SETLOCAL
  19. @rem 活动代码页设为中文
  20. @chcp 936>nul 2>nul
  21. @echo.
  22. @echo ************************************************************
  23. @echo *                                                          *
  24. @echo *    欢迎使用WINLOGON系列木马清除/修复程序              *
  25. @echo *                                                          *
  26. @echo ************************************************************

  28. :chkOS
  29. @echo.
  30. @ver|find "XP"
  31. @if "%ERRORLEVEL%"=="0" goto :XP
  32. @echo.
  33. @echo #您的操作系统不是Windows XP,无法使用。
  34. @goto quit

  36. @rem 在下面语句插不同系统的不同命令
  37. :XP
  38. @set UpdatePolicy=GPUpdate /Force
  39. @goto Selection

  41. :Selection
  42. @rem User Choice
  43. @echo.
  44. @echo    请注意选择您的操作系统安装在哪个分区
  45. @echo    我要进行功能选择:
  46. @echo.
  47. @echo 1: 我的XP系统安装在C盘
  48. @echo 2: 我的XP系统安装在D盘
  49. @echo 3: 我想做部分系统优化(网络.桌面.速度)
  50. @echo 4: 退出
  51. @echo.
  52. @set /p UserSelection=请输入您的选择(1=C盘、2=D盘、3=系统优化、4=退出程序)后按回车:
  53. @if "%UserSelection%"=="1" goto C
  54. @if "%UserSelection%"=="2" goto D
  55. @if "%UserSelection%"=="3" goto good
  56. @if "%UserSelection%"=="4" goto quit
  57. @rem 输入其他字符
  58. @cls
  59. @goto Selection


  62. :C
  63. if exist c:\windows\1.com  attrib -s -r -h c:\windows\1.com
  64. if exist c:\windows\exeroute.exe  attrib -s -r -h c:\windows\exeroute.exe
  65. if exist c:\windows\explorer.com  attrib -s -r -h c:\windows\explorer.com
  66. if exist C:\WINDOWS\EXERT.exe  attrib -s -r -h C:\WINDOWS\EXERT.exe
  67. if exist c:\windows\finder.com attrib -s -r -h c:\windows\finder.com
  68. if exist C:\WINDOWS\IO.SYS.BAK attrib -s -r -h C:\WINDOWS\IO.SYS.BAK
  69. if exist C:\WINDOWS\lsass.exe attrib -s -r -h C:\WINDOWS\lsass.exe
  70. if exist c:\windows\services.exe attrib -s -r -h c:\windows\services.exe
  71. if exist c:\windows\SMSS.EXE attrib -s -r -h c:\windows\SMSS.EXE
  72. if exist c:\windows\WINLOGON.exe attrib -s -r -h c:\windows\WINLOGON.exe
  73. if exist c:\windows\debug\debugprogram.exe attrib -s -r -h c:\windows\debug\debugprogram.exe
  74. if exist c:\progra~1\common~1\iexplore.pif attrib -s -r -h c:\progra~1\common~1\iexplore.pif
  75. if exist c:\progra~1\intern~1\iexplore.com attrib -s -r -h c:\progra~1\intern~1\iexplore.com
  76. if exist c:\windows\system32\command.pif attrib -s -r -h c:\windows\system32\command.pif
  77. if exist c:\windows\system32\dxdiag.com attrib -s -r -h c:\windows\system32\dxdiag.com
  78. if exist c:\windows\system32\finder.com attrib -s -r -h c:\windows\system32\finder.com
  79. if exist c:\windows\system32\i.com attrib -s -r -h c:\windows\system32\i.com
  80. if exist c:\windows\system32\msconfig.com attrib -s -r -h c:\windows\system32\msconfig.com
  81. if exist c:\windows\system32\regedit.com attrib -s -r -h c:\windows\system32\regedit.com
  82. if exist c:\windows\system32\rundll32.com attrib -s -r -h c:\windows\system32\rundll32.com
  83. if exist d:\pagefile.pif attrib -s -r -h d:\pagefile.pif
  84. if exist d:\command.com attrib -s -r -h d:\command.com
  85. if exist d:\autorun.inf attrib -s -r -h d:\autorun.inf

  87. echo ************************************************************
  88. @echo 删除病毒文件

  90. @echo off
  91. if exist c:\windows\1.com  del c:\windows\1.com
  92. if exist c:\windows\exeroute.exe  del c:\windows\exeroute.exe
  93. if exist c:\windows\explorer.com  del c:\windows\explorer.com
  94. if exist C:\WINDOWS\EXERT.exe  del C:\WINDOWS\EXERT.exe
  95. if exist c:\windows\finder.com del c:\windows\finder.com
  96. if exist C:\WINDOWS\IO.SYS.BAK del C:\WINDOWS\IO.SYS.BAK
  97. if exist C:\WINDOWS\lsass.exe del C:\WINDOWS\lsass.exe
  98. if exist c:\windows\services.exe del c:\windows\services.exe
  99. if exist c:\windows\SMSS.EXE del c:\windows\SMSS.EXE
  100. if exist c:\windows\WINLOGON.exe del c:\windows\WINLOGON.exe
  101. if exist c:\windows\debug\debugprogram.exe del c:\windows\debug\debugprogram.exe
  102. if exist c:\progra~1\common~1\iexplore.pif del c:\progra~1\common~1\iexplore.pif
  103. if exist c:\progra~1\intern~1\iexplore.com del c:\progra~1\intern~1\iexplore.com
  104. if exist c:\windows\system32\command.pif del c:\windows\system32\command.pif
  105. if exist c:\windows\system32\dxdiag.com del c:\windows\system32\dxdiag.com
  106. if exist c:\windows\system32\finder.com del c:\windows\system32\finder.com
  107. if exist c:\windows\system32\i.com del c:\windows\system32\i.com
  108. if exist c:\windows\system32\msconfig.com del c:\windows\system32\msconfig.com
  109. if exist c:\windows\system32\regedit.com del c:\windows\system32\regedit.com
  110. if exist c:\windows\system32\rundll32.com del c:\windows\system32\rundll32.com
  111. if exist d:\pagefile.pif del d:\pagefile.pif
  112. if exist d:\command.com del d:\command.com
  113. if exist d:\autorun.inf del d:\autorun.inf

  115. @echo ***********************************************************
  116. @echo *         已删除可能的病毒文件,按任意键修复注册表信息     *
  117. @echo ***********************************************************



  121. @echo Windows Registry Editor Version 5.00>Fix.reg
  122. @echo [HKEY_CLASSES_ROOT\exefile\shell\open\command]>>Fix.reg
  123. @echo @=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2A,00,00,00>>Fix.reg
  124. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]>>Fix.reg
  125. @echo @="exefile">>Fix.reg
  126. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]>>Fix.reg
  127. @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,00,00>>Fix.reg

  129. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]>>Fix.reg
  130. @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

  132. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]>>Fix.reg
  133. @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

  135. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command]>>Fix.reg
  136. @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

  138. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command]>>Fix.reg
  139. @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

  141. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]>>Fix.reg
  142. @echo @=hex(2):49,00,45,00,58,00,50,00,4C,00,4F,00,52,00,45,00,2E,00,45,00,58,00,45,00,00,00>>Fix.reg

  144. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\Command]>>Fix.reg
  145. @echo @=->>Fix.reg

  147. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]>>Fix.reg
  148. @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

  150. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\print\command]>>Fix.reg
  151. @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

  153. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command]>>Fix.reg
  154. @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,73,00,65,00,74,00,75,00,70,00,61,00,70,00,69,00,2c,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,48,00,69,00,6e,00,66,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,20,00,44,00,65,00,66,00,61,00,75,00,6c,00,74,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,31,00,33,00,32,00,20,00,25,00,31,00,00,00>>Fix.reg

  156. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]>>Fix.reg
  157. @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,4f,00,70,00,65,00,6e,00,41,00,73,00,5f,00,52,00,75,00,6e,00,44,00,4c,00,4c,00,20,00,25,00,31,00,00,00>>Fix.reg

  159. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Command]>>Fix.reg
  160. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,61,00,70,00,70,00,77,00,69,00,7A,00,2E,00,63,00,70,00,6C,00,2C,00,4E,00,65,00,77,00,4C,00,69,00,6E,00,6B,00,48,00,65,00,72,00,65,00,20,00,25,00,31,00,00,00>>Fix.reg

  162. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\cplopen\command\]>>Fix.reg
  163. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,65,00,6C,00,6C,00,33,00,32,00,2E,00,64,00,6C,00,6C,00,2C,00,43,00,6F,00,6E,00,74,00,72,00,6F,00,6C,00,5F,00,52,00,75,00,6E,00,44,00,4C,00,4C,00,20,00,22,00,25,00,31,00,22,00,2C,00,25,00,2A,00,00,00>>Fix.reg

  165. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command\]>>Fix.reg
  166. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,64,00,6F,00,63,00,76,00,77,00,2E,00,64,00,6C,00,6C,00,2C,00,4F,00,70,00,65,00,6E,00,55,00,52,00,4C,00,20,00,6C,00,00,00>>Fix.reg

  168. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command\]>>Fix.reg
  169. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,64,00,65,00,73,00,6B,00,2E,00,63,00,70,00,6C,00,2C,00,49,00,6E,00,73,00,74,00,61,00,6C,00,6C,00,53,00,63,00,72,00,65,00,65,00,6E,00,53,00,61,00,76,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

  171. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\]>>Fix.reg
  172. @echo @=hex(2):22,00,43,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,52,00,55,00,4E,00,44,00,4C,00,4C,00,33,00,32,00,2E,00,45,00,58,00,45,00,22,00,20,00,43,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,73,00,63,00,72,00,6F,00,62,00,6A,00,2E,00,64,00,6C,00,6C,00,2C,00,47,00,65,00,6E,00,65,00,72,00,61,00,74,00,65,00,54,00,79,00,70,00,65,00,4C,00,69,00,62,00,20,00,22,00,25,00,31,00,22,00,00,00>>Fix.reg

  174. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command\]>>Fix.reg
  175. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,75,00,72,00,6C,00,2E,00,64,00,6C,00,6C,00,2C,00,54,00,65,00,6C,00,6E,00,65,00,74,00,50,00,72,00,6F,00,74,00,6F,00,63,00,6F,00,6C,00,48,00,61,00,6E,00,64,00,6C,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

  177. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
  178. @echo "Shell"="Explorer.exe">>Fix.reg

  180. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
  181. @echo "Userinit"=hex(2):43,00,3A,00,5C,00,77,00,69,00,6E,00,64,00,6F,00,77,00,73,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,75,00,73,00,65,00,72,00,69,00,6E,00,69,00,74,00,2E,00,65,00,78,00,65,00,00,00>>Fix.reg>>Fix.reg

  183. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
  184. @echo "ToP"=->>Fix.reg

  186. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
  187. @echo "TProgram"=->>Fix.reg

  189. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
  190. @echo "TProgram"=->>Fix.reg

  192. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
  193. @echo "Torjan Program"=->>Fix.reg

  195. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
  196. @echo "Torjan Program"=->>Fix.reg
  197. echo.

  199. @pause
  200. start /w regedit /s Fix.reg
  201. del Fix.reg
  202. echo.
  203. @echo ***********************************************************
  204. @echo *                修复已知被破坏的文件关联成功               *
  205. @echo ***********************************************************
  206. echo.
  207. @echo 按任意键,返回选择
  208. @pause
  209. @cls
  210. @goto Selection

  212. :D
  213. if exist d:\windows\1.com  attrib -s -r -h d:\windows\1.com
  214. if exist d:\windows\exeroute.exe  attrib -s -r -h d:\windows\exeroute.exe
  215. if exist d:\windows\explorer.com  attrib -s -r -h d:\windows\explorer.com
  216. if exist d:\WINDOWS\EXERT.exe  attrib -s -r -h d:\WINDOWS\EXERT.exe
  217. if exist d:\windows\finder.com attrib -s -r -h d:\windows\finder.com
  218. if exist d:\WINDOWS\IO.SYS.BAK attrib -s -r -h d:\WINDOWS\IO.SYS.BAK
  219. if exist d:\WINDOWS\lsass.exe attrib -s -r -h d:\WINDOWS\lsass.exe
  220. if exist d:\windows\services.exe attrib -s -r -h d:\windows\services.exe
  221. if exist d:\windows\SMSS.EXE attrib -s -r -h d:\windows\SMSS.EXE
  222. if exist d:\windows\WINLOGON.exe attrib -s -r -h d:\windows\WINLOGON.exe
  223. if exist d:\windows\debug\debugprogram.exe attrib -s -r -h d:\windows\debug\debugprogram.exe
  224. if exist d:\progra~1\common~1\iexplore.pif attrib -s -r -h d:\progra~1\common~1\iexplore.pif
  225. if exist d:\progra~1\intern~1\iexplore.com attrib -s -r -h d:\progra~1\intern~1\iexplore.com
  226. if exist d:\windows\system32\command.pif attrib -s -r -h d:\windows\system32\command.pif
  227. if exist d:\windows\system32\dxdiag.com attrib -s -r -h d:\windows\system32\dxdiag.com
  228. if exist d:\windows\system32\finder.com attrib -s -r -h d:\windows\system32\finder.com
  229. if exist d:\windows\system32\i.com attrib -s -r -h d:\windows\system32\i.com
  230. if exist d:\windows\system32\msconfig.com attrib -s -r -h d:\windows\system32\msconfig.com
  231. if exist d:\windows\system32\regedit.com attrib -s -r -h d:\windows\system32\regedit.com
  232. if exist d:\windows\system32\rundll32.com attrib -s -r -h d:\windows\system32\rundll32.com
  233. if exist d:\pagefile.pif attrib -s -r -h d:\pagefile.pif
  234. if exist d:\autorun.inf attrib -s -r -h d:\autorun.inf

  236. echo ************************************************************
  237. @echo 删除病毒文件

  239. @echo off
  240. if exist d:\windows\1.com  del d:\windows\1.com
  241. if exist d:\windows\exeroute.exe  del d:\windows\exeroute.exe
  242. if exist d:\windows\explorer.com  del d:\windows\explorer.com
  243. if exist d:\WINDOWS\EXERT.exe  del d:\WINDOWS\EXERT.exe
  244. if exist d:\windows\finder.com del d:\windows\finder.com
  245. if exist d:\WINDOWS\IO.SYS.BAK del d:\WINDOWS\IO.SYS.BAK
  246. if exist d:\WINDOWS\lsass.exe del d:\WINDOWS\lsass.exe
  247. if exist d:\windows\services.exe del d:\windows\services.exe
  248. if exist d:\windows\SMSS.EXE del d:\windows\SMSS.EXE
  249. if exist d:\windows\WINLOGON.exe del d:\windows\WINLOGON.exe
  250. if exist d:\windows\debug\debugprogram.exe del d:\windows\debug\debugprogram.exe
  251. if exist d:\progra~1\common~1\iexplore.pif del d:\progra~1\common~1\iexplore.pif
  252. if exist d:\progra~1\intern~1\iexplore.com del d:\progra~1\intern~1\iexplore.com
  253. if exist d:\windows\system32\command.pif del d:\windows\system32\command.pif
  254. if exist d:\windows\system32\dxdiag.com del d:\windows\system32\dxdiag.com
  255. if exist d:\windows\system32\finder.com del d:\windows\system32\finder.com
  256. if exist d:\windows\system32\i.com del d:\windows\system32\i.com
  257. if exist d:\windows\system32\msconfig.com del d:\windows\system32\msconfig.com
  258. if exist d:\windows\system32\regedit.com del d:\windows\system32\regedit.com
  259. if exist d:\windows\system32\rundll32.com del d:\windows\system32\rundll32.com
  260. if exist d:\pagefile.pif del d:\pagefile.pif
  261. if exist d:\autorun.inf del d:\autorun.inf

  263. @echo ***********************************************************
  264. @echo *         已删除可能的病毒文件,按任意键修复注册表信息     *
  265. @echo ***********************************************************

  267. @echo Windows Registry Editor Version 5.00>Fix.reg

  269. @echo [HKEY_CLASSES_ROOT\exefile\shell\open\command]>>Fix.reg
  270. @echo @=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2A,00,00,00>>Fix.reg
  271. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]>>Fix.reg
  272. @echo @=hex(2):65,00,78,00,65,00,66,00,69,00,6C,00,65,00,00,00>>Fix.reg
  273. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]>>Fix.reg
  274. @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,00,00>>Fix.reg

  276. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]>>Fix.reg
  277. @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

  279. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]>>Fix.reg
  280. @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

  282. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command]>>Fix.reg
  283. @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

  285. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command]>>Fix.reg
  286. @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

  288. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]>>Fix.reg
  289. @echo @=hex(2):49,00,45,00,58,00,50,00,4C,00,4F,00,52,00,45,00,2E,00,45,00,58,00,45,00,00,00>>Fix.reg

  291. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\Command]>>Fix.reg
  292. @echo @=->>Fix.reg

  294. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]>>Fix.reg
  295. @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

  297. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\print\command]>>Fix.reg
  298. @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

  300. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command]>>Fix.reg
  301. @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,73,00,65,00,74,00,75,00,70,00,61,00,70,00,69,00,2c,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,48,00,69,00,6e,00,66,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,20,00,44,00,65,00,66,00,61,00,75,00,6c,00,74,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,31,00,33,00,32,00,20,00,25,00,31,00,00,00>>Fix.reg

  303. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]>>Fix.reg
  304. @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,4f,00,70,00,65,00,6e,00,41,00,73,00,5f,00,52,00,75,00,6e,00,44,00,4c,00,4c,00,20,00,25,00,31,00,00,00>>Fix.reg

  306. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Command]>>Fix.reg
  307. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,61,00,70,00,70,00,77,00,69,00,7A,00,2E,00,63,00,70,00,6C,00,2C,00,4E,00,65,00,77,00,4C,00,69,00,6E,00,6B,00,48,00,65,00,72,00,65,00,20,00,25,00,31,00,00,00>>Fix.reg

  309. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\cplopen\command\]>>Fix.reg
  310. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,65,00,6C,00,6C,00,33,00,32,00,2E,00,64,00,6C,00,6C,00,2C,00,43,00,6F,00,6E,00,74,00,72,00,6F,00,6C,00,5F,00,52,00,75,00,6E,00,44,00,4C,00,4C,00,20,00,22,00,25,00,31,00,22,00,2C,00,25,00,2A,00,00,00>>Fix.reg

  312. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command\]>>Fix.reg
  313. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,64,00,6F,00,63,00,76,00,77,00,2E,00,64,00,6C,00,6C,00,2C,00,4F,00,70,00,65,00,6E,00,55,00,52,00,4C,00,20,00,6C,00,00,00>>Fix.reg

  315. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command\]>>Fix.reg
  316. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,64,00,65,00,73,00,6B,00,2E,00,63,00,70,00,6C,00,2C,00,49,00,6E,00,73,00,74,00,61,00,6C,00,6C,00,53,00,63,00,72,00,65,00,65,00,6E,00,53,00,61,00,76,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

  318. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\]>>Fix.reg
  319. @echo @=hex(2):22,00,44,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,52,00,55,00,4E,00,44,00,4C,00,4C,00,33,00,32,00,2E,00,45,00,58,00,45,00,22,00,20,00,44,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,73,00,63,00,72,00,6F,00,62,00,6A,00,2E,00,64,00,6C,00,6C,00,2C,00,47,00,65,00,6E,00,65,00,72,00,61,00,74,00,65,00,54,00,79,00,70,00,65,00,4C,00,69,00,62,00,20,00,22,00,25,00,31,00,22,00,00,00>>Fix.reg

  321. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command\]>>Fix.reg
  322. @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,75,00,72,00,6C,00,2E,00,64,00,6C,00,6C,00,2C,00,54,00,65,00,6C,00,6E,00,65,00,74,00,50,00,72,00,6F,00,74,00,6F,00,63,00,6F,00,6C,00,48,00,61,00,6E,00,64,00,6C,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

  324. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
  325. @echo "Shell"="Explorer.exe">>Fix.reg

  327. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
  328. @echo "Userinit"=hex(2):43,00,3A,00,5C,00,77,00,69,00,6E,00,64,00,6F,00,77,00,73,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,75,00,73,00,65,00,72,00,69,00,6E,00,69,00,74,00,2E,00,65,00,78,00,65,00,00,00>>Fix.reg>>Fix.reg

  330. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
  331. @echo "ToP"=->>Fix.reg

  333. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
  334. @echo "TProgram"=->>Fix.reg

  336. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
  337. @echo "TProgram"=->>Fix.reg

  339. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
  340. @echo "Torjan Program"=->>Fix.reg

  342. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
  343. @echo "Torjan Program"=->>Fix.reg
  344. echo.

  346. @pause
  347. start /w regedit /s Fix.reg
  348. del Fix.reg
  349. echo.
  350. @echo ***********************************************************
  351. @echo *                修复已知被破坏的文件关联成功               *
  352. @echo ***********************************************************
  353. echo.
  354. @echo 按任意键,返回选择
  355. @pause
  356. @cls
  357. @goto Selection

  359. :good
  360. @cls
  361. @echo Windows Registry Editor Version 5.00>Fix.reg

  363. @echo [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>Fix.reg
  364. @echo "MaxConnectionsPerServer"=dword:00000020>>Fix.reg
  365. @echo "MaxConnectionsPer1_0Server"=dword:00000020>>Fix.reg

  367. @echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>Fix.reg
  368. @echo "SackOpts"=dword:00000001>>Fix.reg
  369. @echo "TcpWindowSize"=dword:0003ebc0>>Fix.reg
  370. @echo "Tcp1323Opts"=dword:00000001>>Fix.reg
  371. @echo "DefaultTTL"=dword:00000040>>Fix.reg
  372. @echo "EnablePMTUBHDetect"=dword:00000000>>Fix.reg
  373. @echo "EnablePMTUDiscovery"=dword:00000001>>Fix.reg
  374. @echo "GlobalMaxTcpWindowSize"=dword:0003ebc0>>Fix.reg

  376. @echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>Fix.reg
  377. @echo "MaxConnectionsPerServer"=dword:00000020>>Fix.reg
  378. @echo "MaxConnectionsPer1_0Server"=dword:00000020>>Fix.reg

  380. @echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vxd\BIOS]>>Fix.reg
  381. @echo "CPUPriority"=dword:00000001>>Fix.reg
  382. @echo "PCIConcur"=dword:00000001>>Fix.reg
  383. @echo "FastDRAM"=dword:00000001>>Fix.reg
  384. @echo "AGPConcur"=dword:00000001>>Fix.reg

  386. @echo[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>Fix.reg
  387. @echo "MaxConnectionsPer1_0Server"=dword:00000009>>Fix.reg
  388. @echo "MaxConnectionsPerServer"=dword:00000009>>Fix.reg

  390. @echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]>>Fix.reg
  391. @echo "ConfigFileAllocSize"=dword:000001f4>>Fix.reg

  393. @echo [HKEY_CURRENT_USER\Control Panel\desktop]>>Fix.reg
  394. @echo "MenuShowDelay"="0">>Fix.reg

  396. @echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]>>Fix.reg
  397. @echo "NoRun"=dword:00000001>>Fix.reg

  399. @echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\Tour>>Fix.reg
  400. @echo "RunCount"=dword:00000000>>Fix.reg

  402. @echo [-HKEY_CLASSES_ROOT\.zip\CompressedFolder]>>Fix.reg
  403. @echo [-HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}]>>Fix.reg
  404. @echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CompressedFolder]>>Fix.reg

  406. @echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters]>>Fix.reg
  407. @echo "EnableBigLba"=dword:00000001>>Fix.reg

  409. @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]>>Fix.reg
  410. @echo "Enable"="Y">>Fix.reg
  411. @echo.

  413. echo ******************************
  414. echo    *   正在进行系统优化   *
  415. echo ******************************
  416. pause
  417. start /w regedit /s Fix.reg
  418. del Fix.reg

  420. echo ******************************
  421. echo     *   系统优化完毕   *
  422. echo ******************************
  423. echo.
  424. @echo 按任意键,返回选择
  425. @pause
  426. @cls
  427. @goto Selection


  430. :quit
  431. exit
复制代码

[ 本帖最后由 namejm 于 2006-9-3 12:24 AM 编辑 ]
作者: haiou327    时间: 2006-8-29 23:53
好多反弹病毒就是运用这种技术的,用在远程控制软件,首先在服务端生成一个可执行的EXE客户端,选种运行后自己删除自己.也就把目标文件删除了,自己在后台运行.而且主动联接服务端.在后台以EXPLORER或SVCHOST出现,让人真假难辨

[ 本帖最后由 haiou327 于 2006-8-29 11:57 PM 编辑 ]
作者: 安情    时间: 2006-9-2 11:23
提示: 作者被禁止或删除 内容自动屏蔽
作者: 小军军    时间: 2006-9-2 12:49
这一句有问题, 这样用find能真正得到OS的版本吗? errorlevel将永为零
@ver find "XP"
@if "%ERRORLEVEL%"=="0" ...

[ 本帖最后由 小军军 于 2006-9-2 12:51 PM 编辑 ]
作者: greenangel    时间: 2006-9-2 19:03
把内存中运行的代码复制一份注入到某个系统进程中,然后在新的代码中结束原来的进程,再删除文件

哈哈,要有本事不让杀毒、木马查杀软件杀掉才行哦
作者: namejm    时间: 2006-9-3 00:23
原帖由 小军军 于 2006-9-2 12:49 PM 发表
这一句有问题, 这样用find能真正得到OS的版本吗? errorlevel将永为零
@ver find "XP"
@if "%ERRORLEVEL%"=="0" ...

那一句确实有问题,应该改为ver|find /i "XP"
作者: 小军军    时间: 2006-9-3 02:31
还是 ver|find "98" 最稳当,2003会被处理成非 XP



欢迎光临 无忧启动论坛 (http://wuyou.net/) Powered by Discuz! X3.3