Since the release of the "write a WORM.WIN32.VB.FW virus kill" and " virus Rundll.exe Release and source sharing " two articles in the virus specifically killed, my virus specifically kill VBS template also began to consider perfect. This time, the "Hosts file restore function module " and "Autorun immune Function Module " were added. The control module for the local service is still being tested ... The source is still completely open, such benefits are interested friends can continue to improve, thanks to small G, umu, disillusioned!
The 07.4.30 day update is as follows:
1, "Virus file deletion module" to support the environment variables, so that this special kill template to enhance the universality!
2, "Hosts File Recovery module" to support line break write to screen the URL function, in line with the Hosts file format standards.
The 07.5.04 day update is as follows:
1, add "ARP Virus spoofing--Client Immune module", this is to deal with Lan ARP spoofing a temporary method.
2, add "Insert DLL virus release module", called the Third party cmd program Ps.exe. This program can go to my network disk download http://ycosxhack.ys168.com/, "Virus Kill" directory, file name "Ps.rar", with instructions.
3, this time each function module optimization, each function module can be used alone.
4, taking into account the high efficiency and simplicity of the code, in some places invoke the CMD program, and because of the addition of the environment variable to make the code more versatile!
The 07.5.13 update is as follows:
Solve the backslash \ problem, please see here: Virus kill VBS Template UPDATE: Solve the backslash \ problem. The template Writing center of gravity begins to turn to WMI.
The 07.5.15 update is as follows:
in the writing trojan-psw.win32.onlinegames.kw virus specially kills the code to optimize, adds the array and so on element. Please see:trojan-psw.win32.onlinegames.kw Special kill in the description.
Reproduced below virus kill template Please keep the template information integrity, thank you ~ ~ ~
attached: To learn the style of the VBS kill can refer to my previous article " VBS program to create your own virus killing tools ", a" ... Thanks to small G, this set of templates to be able to improve in time, the inadequacies of natural still many. I also hope that you will join us. Sching.
'-----------------virus to kill the VBS template source code start-----------------
On Error Resume Next
MsgBox "This special kill has Ycosxhack provided http://hi.baidu.com/ycosxhack! ",", "XXX virus specifically killed"
' This special kill template has Ycosxhack (cosine function) production, my blog: http://hi.baidu.com/ycosxhack, Welcome to discuss.
'-----------------virus process End Module started-----------------
Set W=getobject ("winmgmts:")
Set P=w.execquery ("SELECT * from Win32_Process where name= ' Rundll.exe '")
For all I in P
I.terminate
Next
'-----------------virus process End Module terminated-----------------
'-----------------the Insert DLL virus release module starts-----------------
Set Wshshell=wscript.createobject ("Wscript.Shell")
Wshshell.run ("ps/e * hook.dll"), 0,true
' Please put the third party program Ps.exe and this special kill in the same directory
'-----------------the Insert DLL virus release module terminates-----------------
"-----------------virus file deletion module started-----------------
Set Fso=createobject (" Scripting.FileSystemObject ")
Set Del=wscript.createobject (" Wscript.Shell ")
D1=del. ExpandEnvironmentStrings ("%temp%\rundll.exe")
D2=del. ExpandEnvironmentStrings ("%systemroot%\rundll86.exe")
D3=del. ExpandEnvironmentStrings ("%systemroot%\system32\rundll86.exe")
Set V1=fso.getfile (D1)
Set V2=fso.getfile ( D2)
Set V3=fso.getfile (D3)
Set V4=fso.getfile ("D:\virus\virus.exe") '
v1.attributes=0
v2.attributes=0
v3.attributes=0
v4.attributes=0
V1.delete
V2.delete
V3.delete
V4.delete
"-----------------virus file deletion module terminated-----------------
-----------------traversal deletes the virus file module from each disk Fugen directory-----------------
Set Fso=createobject ( "Scripting.FileSystemObject")
Set drvs=fso.drives
for each DRV in DRVs
if drv.drivetype=1 or drv.drivetype=2 or drv.drivetype=3 or drv.drivetype=4 then
set W=fso.getfile (drv.driveletter& ": \rundll.exe")
W.attributes =0
W.delete
Set U=fso.getfile (drv.driveletter& ": \autorun.inf")
u.attributes=0
U.delete
End If
Next
-----------------traversal deletes the Fugen directory virus file module termination-----------------
"-----------------Registry operation module-----------------
set CreateObject ("Scripting.FileSystemObject")
Set Reg=wscript.createobject ("Wscript.Shell")
Reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Nt\currentversion\winlogon\userinit", FSO. GetSpecialFolder (1) & "\userinit.exe,", "REG_SZ"
Reg.regwrite HKEY_CURRENT_USER\Software\Microsoft\Windows \currentversion\policies\system\disableregistrytools ", 0," REG_DWORD "
Reg.regdelete" Hkey_current_user\ Software\microsoft\windows\currentversion\policies\explorer\nofolderoptions "
"------- ----------the Registry Action module terminates-----------------
'-----------------System File Recovery module starts-----------------
Set Fso=createobject ("Scripting.FileSystemObject")
Fso.getfile ("Rundll32.exe"). Copy ("C:\windows\system32\rundll32.exe")
Fso.getfile ("Rundll32.exe"). Copy ("C:\WINDOWS\system32\dllcache\rundll32.exe")
'-----------------System File repair module terminated-----------------
'-----------------the Host File repair module starts-----------------
Set Fso=createobject ("Scripting.FileSystemObject")
Set RE=FSO. OpenTextFile ("C:\WINDOWS\system32\drivers\etc\hosts", 2,0)
Re. Writeline "127.0.0.1 localhost"
Re. Writeline "127.0.0.1 www. You want to block the malicious URL or ip.com"
Re. Close
Set re=nothing
'-----------------Host File repair module terminated-----------------
'-----------------Autorun immune module starts-----------------
Set Fso=createobject ("Scripting.FileSystemObject")
Set Drvs=fso.drives
For each DRV in DRVs
If drv.drivetype=1 or drv.drivetype=2 or drv.drivetype=3 or drv.drivetype=4 then
Fso.createfolder (drv.driveletter& ": \autorun.inf")
Fso.createfolder (drv.driveletter& ": \autorun.inf\ Immunization folder. \")
Set Fl=fso.getfolder (drv.driveletter& ": \autorun.inf")
Fl.attributes=3
End If
Next
'-----------------Autorun Immune module terminated-----------------
'-----------------ARP virus spoofing--The client immune module starts-----------------
Set Wshshell=wscript.createobject ("Wscript.Shell")
Wshshell.run "Arp-d", 0
Wshshell.run "Arp-s 202.4.139.1 00-07-ec-23-f8-0a", 0,true
'-----------------ARP virus spoofing--client immune module terminated-----------------
Set fso=nothing
MsgBox "Virus removal successful, please reboot the computer!" ",", "XXX virus specifically killed"
'-----------------virus specifically kill VBS template source code termination-----------------
Finally attach the Autorun immune folder to the bat, the following red section for the letter, you can continue to add ...
@echo off
echo relieves autorun immunity ... Ycosxhack Production
Pause
For%%a in (C D E F) do rd%%a:\autorun.inf\ immunization folder. \ & Attrib-h-r-s-a%%a:\autorun.inf & Rd%%a:\autorun.inf
@echo Immunity Complete! Http://hi.baidu.com/ycosxhack
Pause
Complete virus kill VBS template can go to my network disk download: http://ycosxhack.ys168.com/, "Virus Kill" directory, file name is "Virus kill vbs template. rar", there are defects also hope that: