VBS module template for a dedicated virus removal tool

Source: Internet
Author: User
You can run the file "Virus specifically kill VBS module.vbs" directly; it will not cause any damage ^ ^.

It provides a template: based on your own analysis of a virus's behavior, you can use it to write your own dedicated removal tool.

Very convenient and very efficient!

Anyone doing anti-virus work should be able not only to analyze virus logs well, but also to analyze virus behavior!

And then come up with your own solution!

That solution does not have to rely on the small, well-known utilities found on the internet, such as IceSword.

You can also write your own removal tool, as long as you have learned VBS!

VBS code is very simple, and it is the same as VB and VBScript ...

Naturally, a removal tool can also be written as a BAT batch file (DOS commands); most programming languages can be used to write one easily.

What you need to understand this time is how to write a removal tool in VBS. I have given the template; if something is unclear and you are really interested, you can visit my blog http://hi.baidu.com/ycosxhack to talk with me.

Good luck to you :). Writing a dedicated removal tool is definitely a happy thing, because you can help a lot of friends.

Finally, thanks to my buddies Little G (http://hi.baidu.com/greysign) and Umu (http://hi.baidu.com/umu618).

The code is as follows:

' For more information about this removal tool template, see: http://hi.baidu.com/ycosxhack/modify/blog/36569f51dbd0cc8e8c5430d8

'-----------------Virus removal VBS template source code: start-----------------
On Error Resume Next
MsgBox "This removal tool is provided by ycosxhack http://hi.baidu.com/ycosxhack!", , "XXX virus removal tool"
' This removal tool template was made by ycosxhack (cosine function). My blog: http://hi.baidu.com/ycosxhack. You are welcome to discuss.

'-----------------Virus process termination module: start-----------------
' Query WMI for every process with the virus's image name and terminate it
Set w = GetObject("winmgmts:")
Set p = w.ExecQuery("select * from Win32_Process where Name='rundll.exe'")
For Each i In p
    i.Terminate
Next
'-----------------Virus process termination module: end-----------------

'-----------------Injected DLL virus unloading module: start-----------------
' Please put the third-party program ps.exe in the same directory as this removal tool
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "ps /e * hook.dll", 0, True
'-----------------Injected DLL virus unloading module: end-----------------

'-----------------Virus file deletion module: start-----------------
Set fso = CreateObject("Scripting.FileSystemObject")
Set del = WScript.CreateObject("WScript.Shell")
' Expand the environment variables into full paths
d1 = del.ExpandEnvironmentStrings("%temp%\rundll.exe")
d2 = del.ExpandEnvironmentStrings("%systemroot%\rundll86.exe")
d3 = del.ExpandEnvironmentStrings("%systemroot%\system32\rundll86.exe")
Set v1 = fso.GetFile(d1)
Set v2 = fso.GetFile(d2)
Set v3 = fso.GetFile(d3)
Set v4 = fso.GetFile("D:\virus\virus.exe") ' paths that do not involve environment variables can be written directly
' Clear the read-only/hidden/system attributes so the files can be deleted
v1.Attributes = 0
v2.Attributes = 0
v3.Attributes = 0
v4.Attributes = 0
v1.Delete
v2.Delete
v3.Delete
v4.Delete
'-----------------Virus file deletion module: end-----------------

'-----------------Module that walks every drive and deletes the virus files in its root directory: start-----------------
Set fso = CreateObject("Scripting.FileSystemObject")
Set drvs = fso.Drives
For Each drv In drvs
    ' Drive types: 1 = removable, 2 = fixed, 3 = network, 4 = CD-ROM
    If drv.DriveType = 1 Or drv.DriveType = 2 Or drv.DriveType = 3 Or drv.DriveType = 4 Then
        Set w = fso.GetFile(drv.DriveLetter & ":\rundll.exe")
        w.Attributes = 0
        w.Delete
        Set u = fso.GetFile(drv.DriveLetter & ":\autorun.inf")
        u.Attributes = 0
        u.Delete
    End If
Next
'-----------------Module that walks every drive and deletes the virus files in its root directory: end-----------------

'-----------------Registry operation module: start-----------------
Set reg = WScript.CreateObject("WScript.Shell")
' Point Userinit back at userinit.exe in the system folder (GetSpecialFolder(1))
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", fso.GetSpecialFolder(1) & "\userinit.exe,", "REG_SZ"
' Re-enable the registry editing tools
reg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
' Remove the policy value that hides Folder Options
reg.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
'-----------------Registry operation module: end-----------------

'-----------------System file recovery module: start-----------------
' The source path is relative: a copy of rundll32.exe must be in the script's working directory
Set fso = CreateObject("Scripting.FileSystemObject")
fso.GetFile("rundll32.exe").Copy "C:\windows\system32\rundll32.exe"
fso.GetFile("rundll32.exe").Copy "C:\WINDOWS\system32\dllcache\rundll32.exe"
'-----------------System file recovery module: end-----------------

'-----------------Hosts file repair module: start-----------------
Set fso = CreateObject("Scripting.FileSystemObject")
' 2 = ForWriting: the existing content of the hosts file is overwritten
Set re = fso.OpenTextFile("C:\WINDOWS\system32\drivers\etc\hosts", 2, 0)
re.WriteLine "127.0.0.1 localhost"
re.WriteLine "127.0.0.1 www.malicious-url-or-ip-you-want-to-block.com"
re.Close
Set re = Nothing
'-----------------Hosts file repair module: end-----------------

'-----------------Autorun immunization module: start-----------------
Set fso = CreateObject("Scripting.FileSystemObject")
Set drvs = fso.Drives
For Each drv In drvs
    If drv.DriveType = 1 Or drv.DriveType = 2 Or drv.DriveType = 3 Or drv.DriveType = 4 Then
        ' A folder named autorun.inf keeps a file of the same name from being created
        fso.CreateFolder drv.DriveLetter & ":\autorun.inf"
        fso.CreateFolder drv.DriveLetter & ":\autorun.inf\Immunization folder.\"
        Set fl = fso.GetFolder(drv.DriveLetter & ":\autorun.inf")
        fl.Attributes = 3 ' read-only + hidden
    End If
Next
'-----------------Autorun immunization module: end-----------------

'-----------------ARP spoofing virus, client immunization module: start-----------------
Set WshShell = WScript.CreateObject("WScript.Shell")
' Clear the ARP cache, then bind the IP address to its MAC address as a static entry
WshShell.Run "arp -d", 0
WshShell.Run "arp -s 202.4.139.1 00-07-ec-23-f8-0a", 0, True
'-----------------ARP spoofing virus, client immunization module: end-----------------

Set fso = Nothing
MsgBox "Virus removal successful, please reboot the computer!", , "XXX virus removal tool"
'-----------------Virus removal VBS template source code: end-----------------
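
An added example, not part of the original template or the author's code: the template runs under a global On Error Resume Next, so a deletion that fails is silently skipped and the closing message still reports success. The script below checks each deletion and reports the outcome per file; the helper name RemoveFile and the two %TEMP% file names are constructed for illustration.

```vbscript
' Added example: per-file deletion with checked results (not part of the template).
Option Explicit
Dim fso, sh, sample, targets, t, result, failures, report

Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")

' Hypothetical helper: returns "deleted", "not found" or "failed: <reason>".
Function RemoveFile(path)
    Dim f
    If Not fso.FileExists(path) Then
        RemoveFile = "not found"
        Exit Function
    End If
    On Error Resume Next              ' trap errors inside this function only
    Set f = fso.GetFile(path)
    f.Attributes = 0                  ' clear read-only / hidden / system
    f.Delete True                     ' True = force deletion
    If Not fso.FileExists(path) Then  ' verify the result instead of assuming it
        RemoveFile = "deleted"
    ElseIf Err.Number <> 0 Then
        RemoveFile = "failed: " & Err.Description
    Else
        RemoveFile = "failed: file still present"
    End If
    On Error GoTo 0
End Function

' Constructed sample: a read-only, hidden dummy file standing in for a virus file.
sample = sh.ExpandEnvironmentStrings("%TEMP%\removal-demo-sample.tmp")
fso.CreateTextFile(sample, True).Close
fso.GetFile(sample).Attributes = 3

targets = Array(sample, sh.ExpandEnvironmentStrings("%TEMP%\removal-demo-missing.tmp"))
failures = 0
report = ""
For Each t In targets
    result = RemoveFile(t)
    If Left(result, 6) = "failed" Then failures = failures + 1
    report = report & t & ": " & result & vbCrLf
Next

' Report success only when nothing failed.
If failures = 0 Then
    WScript.Echo report & "All targets handled."
Else
    WScript.Echo report & failures & " target(s) could not be removed."
End If
```

Run it with cscript.exe so the report prints to the console instead of a message box.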
