Shulou(Shulou.com)06/03 Report--

Editor to share with you how to use VBS to achieve virus-specific killing function, I believe that most people do not know much about it, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to know it!

The code is as follows:

'check out more information about this virus kill template: http://hi.baidu.com/ycosxhack/modify/blog/36569f51dbd0cc8e8c5430d8

'- the source code of the virus specific kill VBS template starts-

On error resume next

Msgbox "this special kill has ycosxhack to provide http://hi.baidu.com/ycosxhack!" , 64, "xxx virus kill"

This special template is made by ycosxhack (CoSine function). My blog: http://hi.baidu.com/ycosxhack, welcome to discuss.

'- start of the virus process end module-

Set w=getobject ("winmgmts:")

Set p=w.execquery ("select * from win32_process where name='rundll.exe'")

For each i in p

I.terminate

Next

'- the virus process termination module terminates-

'- plug-in dll virus release module starts-

Set WSHShell=wscript.createobject ("wscript.shell")

WSHShell.run ("ps / e * hook.dll"), 0Jing true

'Please put the third-party program ps.exe in the same directory as this special kill

'- plug-in dll virus release module terminated-

'- start of virus file deletion module-

Set fso=createobject ("scripting.filesystemobject")

Set del=wscript.createobject ("wscript.shell")

D1=del.ExpandEnvironmentStrings ("% temp%\ rundll.exe")

D2=del.ExpandEnvironmentStrings ("% SystemRoot%\ rundll86.exe")

D3=del.ExpandEnvironmentStrings ("% SystemRoot%\ system32\ rundll86.exe")

Set v1=fso.getfile (D1)

Set v2=fso.getfile (D2)

Set v3=fso.getfile (d3)

Set v4=fso.getfile ("d:\ virus\ virus.exe") 'can be written directly if it does not involve environment variables.

V1.attributes=0

V2.attributes=0

V3.attributes=0

V4.attributes=0

V1.delete

V2.delete

V3.delete

V4.delete

'- virus file deletion module terminates-

'- start traversing and deleting the virus file module under the root directory of each drive-

Set fso=createobject ("scripting.filesystemobject")

Set drvs=fso.drives

For each drv in drvs

If drv.drivetype=1 or drv.drivetype=2 or drv.drivetype=3 or drv.drivetype=4 then

Set w=fso.getfile (drv.driveletter& ":\ rundll.exe")

W.attributes=0

W.delete

Set u=fso.getfile (drv.driveletter& ":\ autorun.inf")

U.attributes=0

U.delete

End if

Next

'- traversing and deleting the virus file module under the root directory of each drive terminates-

'- the registry operation module starts-

Set reg=wscript.createobject ("wscript.shell")

Reg.regwrite "HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon\ Userinit", fso.GetSpecialFolder (1) & "\ userinit.exe,"REG_SZ"

Reg.regwrite "HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System\ DisableRegistryTools", 0, "REG_DWORD"

Reg.regdelete "HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\ NoFolderOptions"

'- Registry operation module terminates-

'- system file recovery module starts-

Set fso=createobject ("scripting.filesystemobject")

Fso.getfile ("rundll32.exe") .copy ("c:\ windows\ system32\ rundll32.exe")

Fso.getfile ("rundll32.exe") .copy ("C:\ WINDOWS\ system32\ dllcache\ rundll32.exe")

'- system file repair module terminates-

'- HOST file repair module starts-

Set fso=createobject ("scripting.filesystemobject")

Set re=fso.OpenTextFile ("C:\ WINDOWS\ system32\ drivers\ etc\ hosts", 2Power0)

Re.Writeline "127.0.0.1 localhost"

Re.Writeline "127.0.0.1 www. Malicious URL or IP.com you want to block"

Re.Close

Set re=nothing

'- HOST file repair module terminates-

'- Autorun immune module begins-

Set fso=createobject ("scripting.filesystemobject")

Set drvs=fso.drives

For each drv in drvs

If drv.drivetype=1 or drv.drivetype=2 or drv.drivetype=3 or drv.drivetype=4 then

Fso.createfolder (drv.driveletter& ":\ autorun.inf")

Fso.createfolder (drv.driveletter& ":\ autorun.inf\ Immunization folder..\")

Set fl=fso.getfolder (drv.driveletter& ":\ autorun.inf")

Fl.attributes=3

End if

Next

'- Autorun immune module terminates-

'- ARP virus spoofing-client immune module starts-

Set WshShell=wscript.createobject ("wscript.shell")

WshShell.run "arp-d", 0

WshShell.run "arp-s 202.4.139.1 00-07-ec-23-f8-0a", 0penny true

'- ARP virus spoofing-client immune module terminates-

Set fso=nothing

Msgbox "virus cleared successfully, please restart your computer!" , 64, "xxx virus kill"

'- the source code of the virus kill VBS template is terminated-

The above is all the contents of this article entitled "how to use VBS to achieve virus specific killing function". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.