批处理删除Dir2Exe病毒，并修复系统设置

御风而行

这是一个非常常见的u盘病毒，最新变种的特征如下
除C盘外的驱动器根目录所有文件夹被隐藏，病毒生成同名的exe文件，但是扩展名不可见
文件夹选项中的“显示已知的文件扩展名”选项消失
文件夹选项中的“显示隐藏的文件”选项消失或无效（就是你选了，但再次打开发现还是没选）
不能启动autoruns和processexplorer这两个最常用的辅助工具
以下批处理删除病毒，并恢复文件夹，恢复以上选项，并在完成后重新启动系统
将一下代码复制到记事本病保存为.cmd或.bat
复制内容到剪贴板
代码:

1. @echo off
   
2. echo.##################################
   
3. echo.#Kill Dir2Exe Batch File by PHiSH#
   
4. echo.##################################
   
5. echo.Killing virus process...
   
6. taskkill /f /im "ttry.exe"
   
7. echo.
   
8. echo.Deleting virus files...
   
9. attrib -h -s -r "%indir%\ttry.exe"
   
10. del/q "%windir%\ttry.exe"
    
11. attrib -h -s -r "%windir%\tsay.exe"
    
12. del/q "%windir%\tsay.exe"
    
13. echo.
    
14. echo.Removing registry entries...
    
15. reg delete "HKLM\SOFTWARE\Classes\Drive\Shell\Explore" /f
    
16. reg delete "HKLM\SOFTWARE\Classes\Drive\Shell\Open" /f
    
17. reg delete "HKLM\SOFTWARE\Classes\Directory\Shell\Explore" /f
    
18. reg delete "HKLM\SOFTWARE\Classes\Directory\Shell\Open" /f
    
19. reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v msfsa /f
    
20. echo.
    
21. echo.Recovering "Show Hidden" registry entries...
    
22. reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NoHidden /v CheckedValue /f
    
23. reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NoHidden /v DefaultValue /f
    
24. reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll /v CheckedValue /f
    
25. reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll /v DefaultValue /f
    
26. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll /v CheckedValue /t REG_DWORD /d 1
    
27. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NoHidden /v CheckedValue /t REG_DWORD /d 0
    
28. echo.
    
29. echo.Recovering "Show Known Extension" registry entries...
    
30. reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /f
    
31. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v Type /d checkbox
    
32. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v Text /d "@shell32.dll,-30503"
    
33. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v HKeyRoot /t REG_DWORD /d "80000001"
    
34. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v RegPath /d "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
    
35. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v ValueName /d HideFileExt
    
36. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v CheckedValue /t REG_DWORD /d 1
    
37. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v UncheckedValue /t REG_DWORD /d 0
    
38. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v DefaultValue /t REG_DWORD /d 0
    
39. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v HelpID /d "shell.hlp#51101"
    
40. echo.
    
41. echo.Now treating all your root drivers, please stand by...
    
42. for %%i in (C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z) do (
    
43. for /f "delims=" %%k in ('dir %%i:\/b/ad') do (
    
44. attrib -h -s -r "%%i:\%%k"
    
45. attrib -h -s -r "%%i:\%%k.exe"
    
46. del/q "%%i:\%%k.exe"
    
47. )
    
48. )
    
49. echo.
    
50. echo.Consider it done!
    
51. echo.
    
52. echo.Restarting your system in 5 seconds...
    
53. shutdown -r -t 5 -c "Dir2Eex virus removing program by PHiSH"

复制代码