After I wrote the Worm.Win32.VB.fw virus killer and the article "rundll.exe virus killer release and source code sharing", I also began improving my VBS virus-removal template. This update adds a "hosts file recovery module" and an "autorun immunization module". The local service control module is still being tested. The source code is completely open, so interested readers can continue to improve it. Thanks to G, Umu, and others!
Update of 07.4.30:
1. The "virus file deletion module" now supports environment variables, which makes the removal template more general.
2. The "hosts file recovery module" now takes the URLs to be blocked one per line, in line with the hosts file format.
Update of 07.5.04:
1. Added the "ARP spoofing virus: client immunization module", a temporary measure against LAN ARP spoofing.
2. Added the "injected DLL virus release module", which calls the third-party command-line program ps.exe. This program can be downloaded from my online storage, http://ycosxhack.ys168.com/, under the file name "ps.rar", with instructions for use.
3. Each function module can be used independently.
4. To keep the code efficient and concise, CMD programs are called in some places, and environment variables are used to make the code more general.
Update of 07.5.13:
For the backslash \ problem, see "Virus-removal VBS template update: solving the backslash \ problem". The focus of template writing has begun to shift to WMI.
Update of 07.5.15:
While writing the Trojan-PSW.Win32.OnlineGames.kw removal tool, I optimized the code and added arrays and other elements. For details, see: Trojan-PSW.Win32.OnlineGames.kw removal tool.
If you reprint the following virus-removal template, please keep the template information intact. Thank you!
Appendix: to learn how to write a VBS removal tool, refer to my earlier article "VBS programming: build your own virus-removal tool", which was meant as a starting point for others. Thanks to Xiao G, this template could be improved in a timely manner. It still has many shortcomings, and I hope you will join in: many hands make light work.
'--------------- Virus-removal VBS template source code: start -----------------
On Error Resume Next
MsgBox "This removal tool is provided by ycosxhack http://hi.baidu.com/ycosxhack!", 64, "XXX virus removal tool"
'This removal template was made by ycosxhack (cosine function). My blog is http://hi.baidu.com/ycosxhack, welcome to the discussion.
'--------------- Virus process termination module: start -----------------
Set w = GetObject("winmgmts:")
'Find every running process with the virus's image name through WMI
Set p = w.ExecQuery("select * from win32_process where name='rundll.exe'")
For Each i In p
i.Terminate
Next
'--------------- Virus process termination module: end -----------------
'--------------- Injected DLL virus release module: start -----------------
Set wshshell = WScript.CreateObject("WScript.Shell")
wshshell.Run "ps /e * hook.dll", 0, True
'Put the third-party program ps.exe in the same directory as this removal script.
'--------------- Injected DLL virus release module: end -----------------
'--------------- Virus file deletion module: start -----------------
Set fso = CreateObject("Scripting.FileSystemObject")
Set del = WScript.CreateObject("WScript.Shell")
'Expand environment variables so the paths work on any installation
d1 = del.ExpandEnvironmentStrings("%Temp%\rundll.exe")
d2 = del.ExpandEnvironmentStrings("%SystemRoot%\rundll86.exe")
d3 = del.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll86.exe")
Set v1 = fso.GetFile(d1)
Set v2 = fso.GetFile(d2)
Set v3 = fso.GetFile(d3)
Set v4 = fso.GetFile("D:\virus\virus.exe") 'can be written directly if no environment variable is involved
'Clear the read-only/hidden/system attributes before deleting
v1.Attributes = 0
v2.Attributes = 0
v3.Attributes = 0
v4.Attributes = 0
v1.Delete
v2.Delete
v3.Delete
v4.Delete
'--------------- Virus file deletion module: end -----------------
'--------------- Module that walks every drive root and deletes the virus files: start -----------------
Set fso = CreateObject("Scripting.FileSystemObject")
Set drvs = fso.Drives
For Each drv In drvs
'DriveType: 1 = removable, 2 = fixed, 3 = network, 4 = CD-ROM
If drv.DriveType = 1 Or drv.DriveType = 2 Or drv.DriveType = 3 Or drv.DriveType = 4 Then
Set w = fso.GetFile(drv.DriveLetter & ":\rundll.exe")
w.Attributes = 0
w.Delete
Set u = fso.GetFile(drv.DriveLetter & ":\autorun.inf")
u.Attributes = 0
u.Delete
End If
Next
'--------------- Module that walks every drive root and deletes the virus files: end -----------------
'--------------- Registry operation module: start -----------------
Set fso = CreateObject("Scripting.FileSystemObject")
Set reg = WScript.CreateObject("WScript.Shell")
'Point Winlogon's Userinit back at userinit.exe in the system folder (GetSpecialFolder(1))
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", fso.GetSpecialFolder(1) & "\userinit.exe,", "REG_SZ"
'Re-enable the registry editing tools
reg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
'Remove the policy that hides Folder Options
reg.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
'--------------- Registry operation module: end -----------------
'--------------- System file recovery module: start -----------------
Set fso = CreateObject("Scripting.FileSystemObject")
'Copies the rundll32.exe found in the current directory over the system copies
fso.GetFile("rundll32.exe").Copy("C:\windows\system32\rundll32.exe")
fso.GetFile("rundll32.exe").Copy("C:\windows\system32\dllcache\rundll32.exe")
'--------------- System file recovery module: end -----------------
'--------------- Hosts file recovery module: start -----------------
Set fso = CreateObject("Scripting.FileSystemObject")
'Mode 2 = ForWriting: the existing hosts file content is overwritten
Set re = fso.OpenTextFile("C:\windows\system32\drivers\etc\hosts", 2, 0)
re.WriteLine "127.0.0.1 localhost"
re.WriteLine "127.0.0.1 www.<malicious website or IP you want to block>.com"
re.Close
Set re = Nothing
'--------------- Hosts file recovery module: end -----------------
'--------------- Autorun immunization module: start -----------------
Set fso = CreateObject("Scripting.FileSystemObject")
Set drvs = fso.Drives
For Each drv In drvs
If drv.DriveType = 1 Or drv.DriveType = 2 Or drv.DriveType = 3 Or drv.DriveType = 4 Then
'A folder named autorun.inf occupies the name at the drive root
fso.CreateFolder(drv.DriveLetter & ":\autorun.inf")
fso.CreateFolder(drv.DriveLetter & ":\autorun.inf\immune folder..\")
Set fl = fso.GetFolder(drv.DriveLetter & ":\autorun.inf")
fl.Attributes = 3 '1 (read-only) + 2 (hidden)
End If
Next
'--------------- Autorun immunization module: end -----------------
'--------------- ARP spoofing virus, client immunization module: start -----------------
Set wshshell = WScript.CreateObject("WScript.Shell")
'Clear the ARP cache, then bind the gateway IP to its MAC address with a static entry
wshshell.Run "arp -d", 0
wshshell.Run "arp -s 202.4.139.1 00-07-ec-23-f8-0a", 0, True
'--------------- ARP spoofing virus, client immunization module: end -----------------
Set fso = Nothing
MsgBox "Virus cleared successfully. Please restart your computer!", 64, "XXX virus removal tool"
'--------------- Virus-removal VBS template source code: end -----------------
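An added example, not part of the author's template: because the template runs under On Error Resume Next, a missing or locked file is skipped silently and the closing message box still reports success. This array-driven variant of the file deletion module reuses the template's three environment-variable paths and reports the outcome for each file; the helper name RemoveFile is hypothetical.

```vbscript
Option Explicit
' Added example, not the author's code: array-driven variant of the
' "virus file deletion module" that reports what happened to each target.
Dim fso, sh, targets, t, path, report
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")

' Same paths as the template; add further entries to the array as needed.
targets = Array( _
    "%Temp%\rundll.exe", _
    "%SystemRoot%\rundll86.exe", _
    "%SystemRoot%\system32\rundll86.exe")

report = ""
For Each t In targets
    path = sh.ExpandEnvironmentStrings(t)
    report = report & path & ": " & RemoveFile(path) & vbCrLf
Next
WScript.Echo report

' RemoveFile (hypothetical helper): returns "not present", "deleted",
' "still present" or the error text for a single file.
Function RemoveFile(p)
    Dim f
    If Not fso.FileExists(p) Then
        RemoveFile = "not present"
        Exit Function
    End If
    On Error Resume Next
    Set f = fso.GetFile(p)
    f.Attributes = 0        ' clear read-only/hidden/system first
    f.Delete True           ' True = force deletion
    If Err.Number <> 0 Then
        RemoveFile = "failed (" & Err.Description & ")"
        Err.Clear
    ElseIf fso.FileExists(p) Then
        RemoveFile = "still present"
    Else
        RemoveFile = "deleted"
    End If
    On Error GoTo 0
End Function
```

Run it with cscript.exe to get the report on the console instead of in a dialog box.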
Finally, here is the batch file that removes the autorun immunization folder. The red part below is the list of drive letters (c d e f in the for loop); you can add more.
@echo off
echo Removing autorun immunity ...... ycosxhack
pause
for %%a in (c d e f) do rd "%%a:\autorun.inf\immune folder..\" & attrib -h -r -s -a %%a:\autorun.inf & rd %%a:\autorun.inf
@echo Immunity removed! http://hi.baidu.com/ycosxhack
pause
The complete virus-removal VBS template can be downloaded from my network disk: Workshop :)
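An added example, not part of the author's template: a read-only audit of the settings that the registry operation module and the autorun modules above repair, useful for checking a machine before or after running the template. The helper name ReadValue and the message texts are hypothetical; the registry paths are the ones the template writes.

```vbscript
Option Explicit
' Added example, not the author's code. Read-only: nothing is modified.
Dim fso, sh, drv, p, v, expected
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")

' The template writes <system folder>\userinit.exe, (note the trailing comma).
expected = fso.GetSpecialFolder(1) & "\userinit.exe,"
v = ReadValue("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit")
If LCase(v) <> LCase(expected) Then
    WScript.Echo "Userinit is '" & v & "', expected '" & expected & "'"
End If

' Policy values the template resets or deletes; any non-zero value
' means the restriction is switched on.
For Each p In Array( _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
    v = ReadValue(p)
    If v <> "" And v <> "0" Then WScript.Echo "Restriction active: " & p
Next

' autorun.inf as a file at a drive root needs inspection; as a folder it
' is the marker left by the template's autorun immunization module.
For Each drv In fso.Drives
    If drv.IsReady Then
        p = drv.DriveLetter & ":\autorun.inf"
        If fso.FileExists(p) Then
            WScript.Echo p & " is a file: inspect its contents"
        ElseIf fso.FolderExists(p) Then
            WScript.Echo p & " is a folder (immunized)"
        End If
    End If
Next

' ReadValue (hypothetical helper): returns the value as a string,
' or "" if the value is missing or cannot be read.
Function ReadValue(key)
    ReadValue = ""
    On Error Resume Next
    ReadValue = CStr(sh.RegRead(key))
    On Error GoTo 0
End Function
```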