御风而行 posted on 2009-5-8 20:02:10

Batch script to remove the Dir2Exe virus and repair system settings

This is a very common USB-drive virus. The features of the latest variant are as follows:
On every drive except C:, all folders in the root directory are hidden and the virus creates an .exe with the same name as each folder, but the extension is not visible.
The "show known file extensions" option disappears from Folder Options.
The "show hidden files" option in Folder Options disappears or has no effect (you select it, but when you open the dialog again it is unselected).
autoruns and processexplorer, the two most commonly used helper tools, cannot be started.
The batch script below removes the virus, unhides the folders, restores the options above, and restarts the system when finished.
Copy the following code into Notepad and save it as .cmd or .bat.
Code:
@echo off
echo.##################################
echo.#Kill Dir2Exe Batch File by PHiSH#
echo.##################################
echo.Killing virus process...
taskkill /f /im "ttry.exe"
echo.
echo.Deleting virus files...
rem The dropped copies carry hidden/system/read-only attributes; clear them first, otherwise del skips or refuses them.
attrib -h -s -r "%windir%\ttry.exe"
del /q "%windir%\ttry.exe"
attrib -h -s -r "%windir%\tsay.exe"
del /q "%windir%\tsay.exe"
echo.
echo.Removing registry entries...
rem The hijacked Open/Explore verbs on drives and folders relaunch the virus on double-click; deleting them restores Explorer's defaults.
reg delete "HKLM\SOFTWARE\Classes\Drive\Shell\Explore" /f
reg delete "HKLM\SOFTWARE\Classes\Drive\Shell\Open" /f
reg delete "HKLM\SOFTWARE\Classes\Directory\Shell\Explore" /f
reg delete "HKLM\SOFTWARE\Classes\Directory\Shell\Open" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v msfsa /f
echo.
echo.Recovering "Show Hidden" registry entries...
rem The virus flips CheckedValue so that "Show hidden files" silently reverts; reset both radio buttons to Windows defaults.
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NoHidden /v CheckedValue /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NoHidden /v DefaultValue /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll /v CheckedValue /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll /v DefaultValue /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll /v CheckedValue /t REG_DWORD /d 1
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NoHidden /v CheckedValue /t REG_DWORD /d 0
echo.
echo.Recovering "Show Known Extension" registry entries...
rem The virus deletes the whole HideFileExt key, which removes the checkbox from Folder Options; recreate it from scratch.
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v Type /d checkbox
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v Text /d "@shell32.dll,-30503"
rem HKeyRoot must be the HKEY_CURRENT_USER handle 0x80000001; reg add reads a bare number as decimal, so the 0x prefix is required.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v HKeyRoot /t REG_DWORD /d 0x80000001
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v RegPath /d "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v ValueName /d HideFileExt
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v CheckedValue /t REG_DWORD /d 1
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v UncheckedValue /t REG_DWORD /d 0
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v DefaultValue /t REG_DWORD /d 0
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v HelpID /d "shell.hlp#51101"
echo.
echo.Now treating all your root drives, please stand by...
rem For every folder in each drive root, unhide it and delete the same-named .exe the virus dropped beside it.
rem Caution: this removes ANY <folder>.exe in a drive root, so check for legitimate files matching that pattern before running.
for %%i in (C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z) do (
for /f "delims=" %%k in ('dir %%i:\ /b /ad 2^>nul') do (
attrib -h -s -r "%%i:\%%k"
attrib -h -s -r "%%i:\%%k.exe"
del /q "%%i:\%%k.exe"
)
)
echo.
echo.Consider it done!
echo.
echo.Restarting your system in 5 seconds...
shutdown -r -t 5 -c "Dir2Exe virus removing program by PHiSH"
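The batch file's final loop deletes every <folder>.exe it finds in a drive root without looking at the file, which is exactly what a dry run should check first. The script below is an added example, not part of the original post or PHiSH's batch file: it lists each <name>.exe sitting beside a directory <name>, records its hidden/system attributes and SHA-256, and clusters the hits by hash. The worm writes the same binary beside every folder, so its copies form one large cluster, while a legitimate Setup.exe next to a Setup folder hashes differently and stands out as a singleton to keep. It assumes the scan is limited to drive roots, that the attribute check only works on Windows (st_file_attributes does not exist elsewhere), and it deletes nothing; the sample layout in demo() is constructed for illustration.

```python
"""Dry-run detector for the Dir2Exe pattern: a hidden <Name>.exe dropped beside
every folder <Name> in a drive root. Added example, not the post's own code.
Nothing is deleted; review the report before running the batch file's del step."""
import hashlib
import os
import tempfile
from collections import defaultdict

FILE_ATTRIBUTE_HIDDEN = 0x2   # what attrib +h sets
FILE_ATTRIBUTE_SYSTEM = 0x4   # what attrib +s sets


def _hidden_or_system(st):
    # st_file_attributes is only populated on Windows; elsewhere treat as not hidden.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def _sha256(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_dir2exe_pairs(root):
    """List every <name>.exe that sits beside a directory <name> in root.
    Returns dicts with path, folder, hidden flag, size and sha256, sorted by path."""
    with os.scandir(root) as it:
        entries = list(it)
    dirs = {e.name.lower() for e in entries if e.is_dir(follow_symlinks=False)}
    suspects = []
    for e in entries:
        if e.is_dir(follow_symlinks=False):
            continue
        stem, ext = os.path.splitext(e.name)
        if ext.lower() != ".exe" or stem.lower() not in dirs:
            continue
        st = e.stat(follow_symlinks=False)
        suspects.append({
            "path": e.path,
            "folder": stem,
            "hidden": _hidden_or_system(st),
            "size": st.st_size,
            "sha256": _sha256(e.path),
        })
    return sorted(suspects, key=lambda s: s["path"])


def cluster_by_hash(suspects):
    """Group suspects by content hash: identical copies of the dropper collapse into
    one cluster, a legitimate same-named installer stays a singleton."""
    groups = defaultdict(list)
    for s in suspects:
        groups[s["sha256"]].append(s["path"])
    return dict(groups)


def scan_drive_roots(roots=None):
    """Scan the given roots (default: every existing drive C: to Z:, matching the
    batch file's loop) and return {root: suspects}."""
    if roots is None:
        roots = [f"{c}:\\" for c in "CDEFGHIJKLMNOPQRSTUVWXYZ" if os.path.isdir(f"{c}:\\")]
    return {r: find_dir2exe_pairs(r) for r in roots}


def demo():
    """Build a constructed sample root in a temp dir and run the detector on it.
    Returns (folders flagged, sorted cluster sizes)."""
    with tempfile.TemporaryDirectory() as root:
        payload = b"MZ" + b"\x90" * 200             # constructed stand-in for the dropper
        for name in ("Photos", "Work", "Setup"):
            os.mkdir(os.path.join(root, name))
        for name in ("Photos.exe", "Work.exe"):     # worm copies: byte-identical
            with open(os.path.join(root, name), "wb") as f:
                f.write(payload)
        with open(os.path.join(root, "Setup.exe"), "wb") as f:   # legitimate installer
            f.write(b"MZ" + b"real installer")
        with open(os.path.join(root, "readme.exe"), "wb") as f:  # no matching folder
            f.write(payload)
        suspects = find_dir2exe_pairs(root)
        clusters = cluster_by_hash(suspects)
        return [s["folder"] for s in suspects], sorted(len(v) for v in clusters.values())


if __name__ == "__main__":
    for root, found in scan_drive_roots().items():
        for s in found:
            print(f"{s['path']}  hidden={s['hidden']}  size={s['size']}  sha256={s['sha256'][:16]}")
```

Run it on the infected machine before the batch file: a cluster of many identical hidden .exe files across the roots is the worm, and any singleton in the output is a file to exclude from the delete loop.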