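@echo off
rem Removal script for one specific AutoRun-spreading malware sample.
rem Stage 1 (this banner): print the indicators the script acts on - the
rem dropped file locations with approximate sizes and the autorun.inf the
rem malware writes to drive roots - then wait for Enter before changing
rem anything on the system.
title 憶林子
color 0a
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 該病毒資料
echo.
rem Dropped files. 4E8F8D4C is only this sample's name; the text below says
rem the name is generated randomly and that only the sizes stay the same.
echo 該病毒建立的包括的源文件如下:(4E8F8D4C這個文件名是這個病毒隨機生成的,
echo 但是不管它的名字是怎樣,大小都壹樣)
echo.
echo 病毒文件全路徑 大小(字節)
echo c:\windows\4E8F8D4C.hlp 44(左右)
echo c:\WINDOWS\Help\4E8F8D4C.chm 36,659(左右)
echo c:\Documents and Settings\Admin\Local Settings\Temp\4E8F8D4C.exe 36,659(左右)
echo c:\Program Files\Common Files\Microsoft Shared\MSInfo\4E8F8D4C.dll 47,923(左右)
echo c:\Program Files\Common Files\Microsoft Shared\MSInfo\4E8F8D4C.dat 36,659(左右)
echo 其它所有分區:\autorun.inf 172(左右)
echo 其它所有分區:\4E8F8D4C.exe 36,659(左右)
echo.
rem Contents of the malicious autorun.inf, shown for reference only: both
rem the "open" and "explore" shell verbs are pointed at the dropped .exe.
echo autorun.inf文件裏的內容
echo.
echo [AutoRun]
echo open=4e8f8d4c.exe
echo shell\open=打開(^&O)
echo shell\open\Command=4e8f8d4c.exe
echo shell\open\Default=1
echo shell\explore=資源管理器(^&X)
echo shell\explore\Command=4e8f8d4c.exe
echo.
rem Observed symptoms: security tools will not start, and windows whose
rem title or search text contains security-related words are closed.
echo 該病毒的後果:
echo 妳的殺毒軟件會無法打開,另外只要妳的文件名中如果是"病毒","殺毒","瑞星"等和病毒.
echo 有關的字眼時,妳這個文件打開之後會馬上被關閉.網頁中壹搜索這些字眼也會馬上關閉.
echo 可能還有其它的情況,我這裏就不詳細說明了.
echo.
rem Warning to the operator: the desktop may disappear while the cleanup
rem runs; the script restarts explorer.exe at the end.
echo 註意:因為該病毒與exeplorer.exe關聯,所以在殺毒時,妳的桌面
echo 會出現暫時只剩背景圖片,那時請不要結束該程序,讓它繼續運行。
echo 到該程序運行結束之後,會自然顯示出桌面的。
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
rem Wait for Enter. The answer goes into a scratch variable: the original
rem used "tmp", which is the TMP environment variable, so anything typed
rem here would have replaced TMP for this script and for every program it
rem starts afterwards (including the explorer.exe launched at the end).
set /p anyKey=以上是該病毒的信息,如果要清除該病毒,請回車鍵開始殺毒...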
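rem Discover the random base name of the sample from the hidden files in
rem the MSInfo directory. The DIR output is read directly instead of being
rem appended to a fixed-name scratch file in the current directory: a stale
rem or pre-existing file of that name would otherwise decide which processes
rem are killed and which files are deleted below.
rem   /a:h-d  hidden files only, hidden directories are skipped
rem   2^>nul  no error text when the directory is missing or has no match
rem NOTE(review): any hidden file in this directory is assumed to belong to
rem the malware; an unrelated hidden file would be picked up as well.
rem fileName is cleared first so a value inherited from the environment is
rem never used when nothing is found.
set "fileName="
for /f "tokens=1" %%j in ('dir "%CommonProgramFiles%\Microsoft Shared\MSInfo" /b /a:h-d 2^>nul') do call :getFileName %%j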
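:killSpy
rem Stage 2: stop the malware and remove its files.
rem Reached by falling through from the discovery step or by the GOTO in
rem :getFileName; %fileName% holds the discovered 8-character base name.
rem Remove the scratch listing only if the discovery step created one.
if exist "tmp.憶林子" del /q "tmp.憶林子"
rem Nothing was discovered: skip the file-specific steps instead of running
rem taskkill/attrib/del against names such as ".dll" and ".hlp".
if not defined fileName goto :filesDone
rem Terminate every process that has the malware DLL loaded. The banner
rem warns that the desktop may vanish during cleanup, which suggests that
rem explorer.exe is among them.
taskkill /fi "modules eq %fileName%.dll" /f
rem Clear the System/Hidden/Read-only attributes (DEL skips such files) and
rem delete each known copy. %SystemRoot% and %CommonProgramFiles% replace
rem the hard-coded C: paths and resolve to them on a default installation.
rem The last entry is the Temp copy the banner lists but the original never
rem removed; it is assumed to live in the current user's %TEMP% - confirm.
for %%f in (
  "%SystemRoot%\%fileName%.hlp"
  "%SystemRoot%\%fileName%.chm"
  "%SystemRoot%\help\%fileName%.chm"
  "%CommonProgramFiles%\Microsoft Shared\MSInfo\%fileName%.dat"
  "%CommonProgramFiles%\Microsoft Shared\MSInfo\%fileName%.dll"
  "%CommonProgramFiles%\Microsoft Shared\MSInfo\%fileName%.exe"
  "%TEMP%\%fileName%.exe"
) do if exist %%f (
  attrib -s -h -r %%f
  del /f /q %%f
)
:filesDone
cls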
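rem Stage 3: undo Image File Execution Options (IFEO) hijacks.
rem A "Debugger" value under IFEO\<image name> makes Windows start the named
rem debugger command instead of that program; the banner reports that
rem security tools will not start, which matches this mechanism. Only the
rem Debugger value is removed, the keys themselves are left in place.
rem NOTE(review): the value is removed whatever it points to, so a Debugger
rem entry an administrator configured on purpose for one of these names is
rem removed as well.
rem The original kept a whole command prefix with an unbalanced quote in a
rem variable and repeated it once per name; the key path is now a normally
rem quoted variable and the same names are processed in the same order.
set "IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
for %%n in (
  360rpt.exe 360Safe.exe 360tray.exe adam.exe AgentSvr.exe AppSvc32.exe
  autoruns.exe avgrssvc.exe AvMonitor.exe avp.com avp.exe CCenter.exe
  ccSvcHst.exe FileDsty.exe FTCleanerShell.exe HijackThis.exe IceSword.exe
  iparmo.exe Iparmor.exe isPwdSvc.exe kabaload.exe KaScrScn.SCR KASMain.exe
  KASTask.exe KAV32.exe KAVDX.exe KAVPFW.exe KAVSetup.exe KAVStart.exe
  KISLnchr.exe KMailMon.exe KMFilter.exe KPFW32.exe KPFW32X.exe KPFWSvc.exe
  KRegEx.exe KRepair.COM KsLoader.exe KVCenter.kxp KvDetect.exe KvfwMcl.exe
  KVMonXP.kxp KVMonXP_1.kxp kvol.exe kvolself.exe KvReport.kxp KVScan.kxp
  KVSrvXP.exe KVStub.kxp kvupload.exe kvwsc.exe KvXP.kxp KvXP_1.kxp
  KWatch.exe KWatch9x.exe KWatchX.exe loaddll.exe MagicSet.exe mcconsol.exe
  mmqczj.exe mmsk.exe NAVSetup.exe nod32krn.exe nod32kui.exe PFW.exe
  PFWLiveUpdate.exe QHSET.exe Ras.exe Rav.exe RavMon.exe RavMonD.exe
  RavStub.exe RavTask.exe RegClean.exe rfwcfg.exe RfwMain.exe rfwProxy.exe
  rfwsrv.exe RsAgent.exe Rsaupd.exe runiep.exe safelive.exe scan32.exe
  shcfg32.exe SmartUp.exe SREng.exe symlcsvc.exe SysSafe.exe
  TrojanDetector.exe Trojanwall.exe TrojDie.kxp UIHost.exe UmxAgent.exe
  UmxAttachment.exe UmxCfg.exe UmxFwHlp.exe UmxPol.exe UpLive.EXE.exe
  WoptiClean.exe zxsweep.exe
) do reg delete "%IFEO%\%%n" /v Debugger /f
rem "value not found" errors are expected for names that were not hijacked;
rem as in the original, the screen is cleared afterwards.
cls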
rem Stage 4: registry repairs.
rem Remove the ShellExecuteHooks value registered under this CLSID.
rem NOTE(review): the CLSID is hard-coded and reuses the hex groups of the
rem sample name 4E8F8D4C; if the name is random per infection, the CLSID may
rem differ as well - confirm against the infected machine.
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" /v {F8D44E8F-4E8F-8D4C-8F8D-E8FD03884CB9} /f
rem Drop the machine-wide NoDriveTypeAutoRun policy value, which returns
rem AutoRun handling to the operating-system default.
rem NOTE(review): the banner shows this malware spreading through
rem autorun.inf, so setting a restrictive value here may be preferable to
rem deleting it.
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /f
cls
rem Re-create the Safe Mode entries for the DiskDrive device class (Minimal
rem and Network) in ControlSet001 and in CurrentControlSet, in that order.
for %%s in (ControlSet001 CurrentControlSet) do for %%m in (Minimal Network) do reg add "HKLM\SYSTEM\%%s\Control\SafeBoot\%%m\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
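rem Stage 5: clean the root of every drive letter from C: to Z:.
rem One pass per drive replaces the four separate loops; FOR /D only matters
rem for wildcard sets, so a plain FOR over the letters is equivalent.
rem NOTE(review): every autorun.inf found in a drive root is deleted, not
rem only one that references the malware.
for %%d in (c d e f g h i j k l m n o p q r s t u v w x y z) do (
  if exist "%%d:\autorun.inf" (
    attrib -s -h -r "%%d:\autorun.inf"
    del /q "%%d:\autorun.inf"
  )
  rem The dropped copy is only looked for when a name was discovered;
  rem with an empty name the original tested and deleted "<drive>:\.exe".
  if defined fileName if exist "%%d:\%fileName%.exe" (
    attrib -s -h -r "%%d:\%fileName%.exe"
    del /q "%%d:\%fileName%.exe"
  )
)
cls
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo 病毒清除完畢,按回車鍵開始解決分區無法雙擊打開的問題.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
rem Wait for Enter before the drive-repair stage starts.
set /p test=
cls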
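@echo off
rem Stage 6: repair drives that no longer open on double-click.
rem The operator enters one drive letter or a comma-separated list.
title 憶林子--解決分區無法打開
color 0a
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 例如:D盤無法打開則輸入 d,妳也可以
echo 輸入d,e,f這樣來同時對d,e,f等多個分區操作.
echo.
echo 註意:在這裏先不要輸入C盤,如果輸入C盤,請重啟之後再運行壹次
echo 本程序才能解決妳其它分區無法雙擊打開的錯誤.
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
set "input="
set /p input=[請輸入無法打開的分區的盤符]
rem The typed text is never expanded into a command line. The original put
rem %input% unquoted into IF/FOR/CACLS/DEL/CHKDSK, so quotes or characters
rem such as ^& in the answer changed what was executed. Here the answer is
rem only compared, using delayed expansion, against the fixed letters c..z;
rem %drives% is built from those fixed letters and is therefore safe to
rem expand. An entry must be a single letter between commas to match.
set "drives="
set "onlyC="
setlocal EnableDelayedExpansion
if defined input (
  if /i "!input!"=="c" set "onlyC=1"
  set "list=,!input: =!,"
  for %%i in (c d e f g h i j k l m n o p q r s t u v w x y z) do (
    if not "!list:,%%i,=!"=="!list!" set "drives=!drives! %%i"
  )
)
endlocal & set "drives=%drives%" & set "onlyC=%onlyC%"
rem Exactly "c" is handled by the special branch, which asks for a reboot.
if defined onlyC goto :特殊
rem Per drive: grant Everyone full control of autorun.inf, clear its
rem System/Hidden/Read-only attributes, then delete it.
for %%i in (%drives%) do (
  cacls "%%i:\autorun.inf" /c /e /p everyone:f
  attrib -s -h -r "%%i:\autorun.inf"
  del /q "%%i:\autorun.inf"
)
rem Remove the autostart value named SVOHOST from the machine-wide Run key.
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SVOHOST /f
cls
rem Restore the "show hidden files" switch: CheckedValue is deleted and then
rem re-created as a DWORD of 1 (deleted first, presumably so that a value of
rem the wrong type is replaced as well).
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t reg_dword /d 1 /f
cls
rem Check each selected volume; /x forces a dismount first, so files open
rem on that volume are closed.
for %%i in (%drives%) do chkdsk %%i: /f /x
cls
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 恭喜妳,妳的這個病毒已經被清除,按回車鍵顯示桌面,
echo 然後請關閉該程序就可以了。
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
rem Scratch variable instead of "tmp": typing anything here must not replace
rem the TMP environment variable that the restarted shell would inherit.
set /p anyKey=
rem Bring the desktop back. START returns immediately, so the script goes on
rem to EXIT instead of waiting for explorer.exe to end.
start "" "%SystemRoot%\explorer.exe"
:exit
exit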
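:特殊
rem Special branch, taken only when the operator entered exactly "c": the
rem system drive's autorun.inf is removed and a reboot is requested; no
rem cacls, registry or chkdsk step runs on this path.
rem The paths are quoted; %input% is known to be the single letter c here.
ATTRIB -S -H -R "%input%:\autorun.inf"
del /q "%input%:\autorun.inf"
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 操作成功結束,請重啟,然後就可以雙擊就可以打開了。
echo 如果重啟之後,還是無法雙擊打開的話,說明妳的電腦
echo 裏還有病毒,請先殺毒。然後再運行該程序。
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
rem Scratch variable instead of "tmp": typing anything here must not replace
rem the TMP environment variable that the restarted shell would inherit.
set /p anyKey=操作結束,按回車鍵顯示桌面,然後請關閉該程序就可以了。
rem START returns immediately, so the script reaches EXIT instead of waiting
rem for explorer.exe to end.
start "" "%SystemRoot%\explorer.exe"
exit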
:getFileName
rem Subroutine used by the discovery loop: derive the malware's base name
rem from one directory entry.
rem   %1  first whitespace-delimited token of a hidden file name found in
rem       the MSInfo directory
rem Sets fileName to the first 8 characters of that token (the sample name
rem shown in the banner, 4E8F8D4C, is 8 characters long).
rem Control flow: this GOTO jumps back into the main script while still
rem inside the CALL. Every path from :killSpy ends in EXIT, so control never
rem returns to the FOR loop and only the first listed file is ever used.
set var=%1
set fileName=%var:~0,8%
goto :killSpy