转自: http://topic.csdn.net/u/20100904 ... f-135284d6834d.html
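@echo off
title Virus.Win32.Tc专杀
color 2f
::mode con cols=110 lines=40
echo -----------------------------------------------------------------------------
echo 名称:Virus.Win32.Tc.bat 恶意病毒专杀处理方案
echo.
echo 作者:Just4/CSDN
echo.
echo 日期:2010.09.03
echo ----------------------------------------------------------------------------
:: Description: Virus.Win32.Tc, Type_Win32, Virus.Win32.Parite.b and a pile of
:: related names.
::
:: Virus characteristics (as described by the original author):
::
:: 1. Uses DLL replacement to inject itself straight into svchost.exe and quickly
::    breaks many system services; a reboot does not help. Particularly nasty.
::
:: 2. Rapidly infects every exe on all drives and keeps calling rar.exe to infect
::    the files inside archives, causing large losses.
::
:: 3. Keeps loading IE in the background through svchost.exe to download large
::    numbers of trojans, damaging the system further.
::
:: 4. Uses IFEO to disable AV software and deletes Safeboot, so safe mode
::    blue-screens.
::
:: 5. No dedicated removal tool exists yet; AV scanners handle archives poorly and
::    the damaged exe files cannot be repaired.
::
:: Note: this script does NOT clean startup entries, trojans or junk, and does NOT
:: repair infected exe/rar files.
::
:: Only for the Win2k3 platform with SP2 applied manually, otherwise the repair has
:: no effect; the error messages are meant as input for a manual second pass.
::
:: Hope a more skilled reader can provide a proper removal solution, thanks :)
:: ----------------------------------------------------------------------------
:: Reviewer notes (not from the original author):
::  - Step #9 and the service-repair section delete and overwrite files under
::    %systemroot%\system32 and rewrite service registry values. Take a full
::    backup (or disk image) first and run from an elevated prompt.
::  - Every "ServicePackFiles\i386" copy below needs that SP backup folder to
::    exist; when it is missing the original dll is deleted and nothing restores it.
::  - All %systemroot% paths are quoted so the script also works when the Windows
::    directory contains spaces.
echo 按任意键开始查杀病毒......
:: Classic batch "sleep about 1 s": ping localhost twice and discard the output.
ping 127.1 -n 2 >nul 2>&1
pause>nul
cls
echo ## 开始查杀病毒!!!
echo.
echo #1.先杀掉依赖进程svchost.exe
echo # 以lanmanserver/netman/wzcsvc/audiosrv/w32time等为特征
rem tasklist /m srvsvc.dll
:: "tasklist /m srvsvc.dll" lists the processes that have srvsvc.dll loaded.
:: skip=2 drops the two header rows of the tasklist output (assumed layout:
:: header, separator, then data); tokens 1,2 are the image name and the PID.
:: Only svchost.exe hosts are killed; /t also kills their child processes.
for /f "skip=2 tokens=1,2" %%i in ('tasklist /m srvsvc.dll') do if "%%i"=="svchost.exe" taskkill /pid %%j /f /t
echo.
echo #2.再杀掉木马后台下载进程iexplore.exe(实为svchost.exe加载)
echo # 最好及时断网处理
taskkill /im iexplore.exe /f /t
echo.
echo #3.删除IFEO限制
:: Removes the WHOLE Image File Execution Options key, so any legitimate
:: Debugger entries are lost together with the hijacked ones.
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f
echo.
echo #4.修复Safeboot蓝屏,需有Safeboot.reg备份
rem reg import safeboot.reg
echo.
echo #5.删除病毒传播体lsasvc.dll
:: The trailing backslash makes "if not exist" test for a DIRECTORY: once the
:: dll has been replaced by a folder of the same name the block is skipped.
if not exist "%systemroot%\system32\lsasvc.dll\" (
  rem /s also removes same-named copies in subfolders of system32.
  del "%systemroot%\system32\lsasvc.dll" /s /f
  rem "test..\" creates a folder the Win32 shell cannot open or delete normally,
  rem so the virus cannot recreate a file under this name ("immunisation").
  md "%systemroot%\system32\lsasvc.dll\test..\"
  attrib "%systemroot%\system32\lsasvc.dll" +s +h +r
  rem cacls /d everyone: deny all access; "echo y" answers the confirmation prompt.
  echo y|cacls "%systemroot%\system32\lsasvc.dll" /d everyone
)
echo.
echo #6.删除感染程序释放的病毒体backup.exe
if not exist "%temp%\backup.exe\" (
  del "%temp%\backup.exe" /f /a
  md "%temp%\backup.exe\test..\"
  rem Attributes are set on the outer folder, as in steps #5 and #8; the original
  rem targeted the inner "test..\" path, which Win32 cannot address, so attrib failed.
  attrib "%temp%\backup.exe" +s +h +r
  echo y|cacls "%temp%\backup.exe" /d everyone
)
echo.
echo #7.删除回收站隐藏病毒体~df*.exe
:: %systemdrive% is the standard variable; the original used %sysdrive%, which is
:: not defined by Windows and expanded to an empty string.
del "%systemdrive%\recycler\*.exe" /s /f /a
echo.
echo #8.删除rar.exe以避免压缩文档损失
if not exist "%programfiles%\winrar\rar.exe\" (
  del "%programfiles%\winrar\rar.exe" /f
  md "%programfiles%\winrar\rar.exe\test..\"
  attrib "%programfiles%\winrar\rar.exe" +r +s +h
  echo y|cacls "%programfiles%\winrar\rar.exe" /d everyone
)
echo.
echo #9.删除系统目录下的隐藏病毒文件,并不删除其它目录下病毒文件
:: DESTRUCTIVE: /s /ah deletes EVERY hidden exe/dll/sys/fon file under system32
:: and all of its subfolders, legitimate hidden files included. The last line
:: deletes every extension-less file directly in system32. Back up first.
del "%systemroot%\system32\*.exe" /s /ah /f
del "%systemroot%\system32\*.dll" /s /ah /f
del "%systemroot%\system32\*.sys" /s /ah /f
del "%systemroot%\system32\*.fon" /s /ah /f
del "%systemroot%\system32\*."
echo.
echo -----------------------------------------------------------------------------
echo ## 开始修复被替换的系统服务项,需有补丁备份,需重启修复启动类型
ping 127.1 -n 2 >nul 2>&1
echo.
:: Pattern for each service below: delete the (replaced) service dll, copy the
:: clean copy back from the SP backup folder, then set the start type.
:: NB: "sc config" requires the space after "start=".
echo # 修复后台更新服务Bits --^> qmgr.dll
del "%systemroot%\system32\qmgr.dll" /s /f /a
copy "%systemroot%\ServicePackFiles\i386\qmgr.dll" "%systemroot%\system32\qmgr.dll" /y
sc config bits start= disabled
echo.
echo # 修复远程注册表服务Regsvc --^> regsvc.dll
del "%systemroot%\system32\regsvc.dll" /s /f /a
copy "%systemroot%\ServicePackFiles\i386\regsvc.dll" "%systemroot%\system32\regsvc.dll" /y
sc config regsvc start= disabled
echo.
echo # 修复计划任务服务Schedule --^> schedsvc.dll
del "%systemroot%\system32\schedsvc.dll" /s /f /a
copy "%systemroot%\ServicePackFiles\i386\schedsvc.dll" "%systemroot%\system32\" /y
sc config schedule start= disabled
echo.
echo # 修复帮助和支持服务Helpsvc --^> pchsvc.dll
:: pchsvc.dll lives under PCHealth, so nothing is copied here; the ServiceDll
:: value is pointed back at the original location instead.
del "%systemroot%\system32\pchsvc.dll" /s /f /a
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Helpsvc\parameters" /v ServiceDll /t reg_expand_sz /d "%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll" /f
echo.
echo # 修复管理Xml配置文件服务Xmlporv --^> xmlprov.dll
del "%systemroot%\system32\xmlprov.dll" /s /f
copy "%systemroot%\ServicePackFiles\i386\xmlprov.dll" "%systemroot%\system32\" /y
sc config xmlprov start= disabled
echo.
echo # 修复便携的媒体序号服务WmDmPmSn --^> mspmsnsv.dll
del "%systemroot%\system32\mspmsnsv.dll" /s /f
copy "%systemroot%\ServicePackFiles\i386\mspmsnsv.dll" "%systemroot%\system32\" /y
sc config wmdmpmsn start= disabled
echo.
echo # 直接删除可移动存储管理程序Ntmssvc --^> ntmssvc.dll
:: "sc delete" takes only the service name; the original passed a "/f" switch
:: that the command does not accept.
del "%systemroot%\system32\ntmssvc.dll" /s /f
sc delete ntmssvc
echo.
echo # 直接删除Ias服务 --^> ias.dll
del "%systemroot%\system32\ias.dll" /s /f
sc delete ias
echo.
echo # 修复拨号网络服务tapisrv --^> tapisrv.dll
del "%systemroot%\system32\tapisrv.dll" /s /f /a
copy "%systemroot%\ServicePackFiles\i386\tapisrv.dll" "%systemroot%\system32\" /y
sc config tapisrv start= demand
echo.
echo # 修复应用程序管理服务Appmgmt --^> appmgmts.dll
del "%systemroot%\system32\appmgmts.dll" /s /f /a
copy "%systemroot%\ServicePackFiles\i386\appmgmts.dll" "%systemroot%\system32\" /y
:: CurrentControlSet (as in the Helpsvc and CryptSvc entries) instead of the
:: hard-coded ControlSet003 of the original, which is machine specific and may
:: not be the active control set. Start=3 is "manual" (demand).
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt" /v Start /t reg_dword /d 3 /f
echo.
echo # 修复加密服务Cryptsvc --^> cryptsvc.dll
del "%systemroot%\system32\cryptsvc.dll" /s /f /a
copy "%systemroot%\ServicePackFiles\i386\cryptsvc.dll" "%systemroot%\system32\" /y
:: cacls /g without /e REPLACES the whole ACL: afterwards only SYSTEM and
:: Administrators have (read-only) access to the dll.
echo y|cacls "%systemroot%\system32\cryptsvc.dll" /g system:r administrators:r
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc" /v Start /t reg_dword /d 3 /f
echo.
echo # 修复共享服务browser --^> srvsvc.dll/wkssvc.dll/browser.dll
del "%systemroot%\system32\browser.dll"
copy "%systemroot%\ServicePackFiles\i386\browser.dll" "%systemroot%\system32\" /y
sc config browser start= demand
echo.
echo -----------------------------------------------------------------------------
echo # 修复完成,请及时征对各项提示分别进行再处理!!!
echo.
echo # 最好重启系统再运行一遍,直接进安全模式用杀软全盘查杀!!!
echo.
echo # 仅适于系统异常时立即进行查杀,错误信息仅为手工二次查杀做准备!!!
rem Reboot immediately (disabled):
rem shutdown /r /t 0 /f
rem Without rebooting, bring the important system services back up directly.
rem Output is discarded; a service that fails to start is silently skipped.
net start lanmanserver >nul 2>&1
net start lanmanworkstation >nul 2>&1
net start audiosrv >nul 2>&1
net start netman >nul 2>&1
net start wzcsvc >nul 2>&1
net start helpsvc >nul 2>&1
net start winmgmt >nul 2>&1
pause>nul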