
[病毒样本] 卡巴,查杀出来的。。。各位给个专杀。。

天下无我
发表于 2014-8-15 00:34:56 | 显示全部楼层 |阅读模式
本帖最后由 天下无我 于 2014-8-15 01:00 编辑

可能是我下载的文件有木马,当时是退出卡巴查看文件的,后来启动卡巴后,卡巴就报中了木马,我也按了删除,但卡巴好像删不完,都处理了两千多个了,还在删除,删除一个,又提示有木马,就像吃了炫迈一样,根本停不下来,求各位给个专杀。。。下面的是从卡巴隔离区恢复,提取出来的一个木马,各位看看,然后给个专杀。。。谢谢。。。

密码是:123456

MrDeep
发表于 2014-8-15 00:42:44 | 显示全部楼层
密码是多少
天下无我
 楼主| 发表于 2014-8-15 01:00:02 | 显示全部楼层

123456
sunnyjianna
发表于 2014-8-15 02:05:31 | 显示全部楼层
EAV7,金山卫士miss
tony223322
发表于 2014-8-15 02:14:43 | 显示全部楼层
本帖最后由 tony223322 于 2014-8-15 02:30 编辑

閃退
SONAR MISS
360MISS
virtualtotal: https://www.virustotal.com/en/fi ... nalysis/1408038744/

VBS File
[mw_shl_code=javascript,true]
' Review note: this is the script posted as the sample. Judging from its own message boxes
' (天诺时空 / zolsky.com, "授权" = licence) it is a Kaspersky licence-key backup / import helper:
' it enumerates the Kaspersky product keys in HKLM, then reads, deletes and rewrites binary "Blob"
' values under the machine SPC certificate store in the registry, and relaunches avp.com.
' No self-copying or network activity is visible in this script; the behaviours a security product
' would object to are the deletion/rewriting of that certificate store (see the two RegDelete loops
' below) and the hidden "net user Administrator" call near the end.
' There is no Option Explicit: subkey, arrSubKeys, arrValues, arrValues1, Location, bt1, k, b, VAT,
' datd1, objFile, objFile1, h and V are used without appearing in the Dim on the next line.
' Errors are swallowed from here until the Err.Number check after the object creation.
On Error Resume Next
Dim strComputer,GOj,Wsh,fso,oReg,Datad_a,Datad_b,Datad_c,Datad_d,strKeyPath_1,strKeyPath_2,strKey,datd,Itemss,Rt,objFile,ID1,Arrtr,Items_datc,fpcth,fcy,i
' "." = the local machine.
strComputer = "."
' WMI; used at the end to list running avp.exe processes.
Set GOj = GetObject("winmgmts:")
' WScript.Shell: RegRead / RegDelete / Run.
Set Wsh = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
' StdRegProv: EnumKey / GetBinaryValue / CreateKey / SetBinaryValue on HKLM.
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
Const HKLM = &H80000002
' Kaspersky product keys: native view and the WOW64 (32-bit-on-64-bit) view.
strKeyPath_1 = "SOFTWARE\KasperskyLab\protected"
strKeyPath_2 = "SOFTWARE\Wow6432Node\KasperskyLab\protected"
' Machine Software Publisher Certificate store; every subkey holds a binary "Blob" value.
strKey = "SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates"
' Any failure above (object creation, WMI access) is treated as "insufficient rights".
if Err.Number <> 0 then   
msgbox "权限不足。请以管理员身份运行, 或登陆“Administrator”帐户再执行此操作!"  ,48,"警告!(天诺时空www.zolsky.com) "
WScript.Quit
end if
On Error GoTo 0
On Error Resume Next
' Pass 1: WOW64 view. For each subkey starting with AVP or KES read four values; if the
' ProductRoot it names contains avp.exe, remember that key path in Location.
' Datad_a (DataRoot) and Datad_d (EnableSelfProtection) are read but never used afterwards.
' NOTE(review): Err is not reset between iterations in this loop (compare the On Error pair
' inside the second loop), so one failed RegRead may keep Err.Number <> 0 for later subkeys.
oReg.EnumKey HKLM, strKeyPath_2, arrSubKeys
For Each subkey In arrSubKeys
if Mid(subkey,1,3) = "AVP" or Mid(subkey,1,3) = "KES" then
Datad_a = Wsh.RegRead("HKLM"& "\"& strKeyPath_2 &"\"& subkey &"\environment\DataRoot")
Datad_b = Wsh.RegRead("HKLM"& "\"& strKeyPath_2 &"\"& subkey &"\environment\ProductType")
Datad_c = Wsh.RegRead("HKLM"& "\"& strKeyPath_2 &"\"& subkey &"\environment\ProductRoot")
Datad_d = Wsh.RegRead("HKLM"& "\"& strKeyPath_2 &"\"& subkey &"\settings\EnableSelfProtection")
if Err.Number = 0 and fso.FileExists(Datad_c& "\avp.exe") then
Location = strKeyPath_2 &"\"& subkey
end if
end if
Next
On Error GoTo 0
On Error Resume Next
' Pass 2: native view, same logic; a later match overwrites Location.
oReg.EnumKey HKLM, strKeyPath_1, arrSubKeys
For Each subkey In arrSubKeys
if Mid(subkey,1,3) = "AVP" or Mid(subkey,1,3) = "KES" then
' Resets Err for each subkey so the Err.Number = 0 test below is per-iteration.
On Error GoTo 0
On Error Resume Next
Datad_a = Wsh.RegRead("HKLM"& "\"& strKeyPath_1 &"\"& subkey &"\environment\DataRoot")
Datad_b = Wsh.RegRead("HKLM"& "\"& strKeyPath_1 &"\"& subkey &"\environment\ProductType")
Datad_c = Wsh.RegRead("HKLM"& "\"& strKeyPath_1 &"\"& subkey &"\environment\ProductRoot")
Datad_d = Wsh.RegRead("HKLM"& "\"& strKeyPath_1 &"\"& subkey &"\settings\EnableSelfProtection")
if Err.Number = 0 and fso.FileExists(Datad_c& "\avp.exe") then
Location = strKeyPath_1 &"\"& subkey
end if
end if
Next
' Re-read ProductType / ProductRoot from the key finally chosen as Location.
Datad_b = "":Datad_b = Wsh.RegRead("HKLM"& "\"& Location &"\environment\ProductType")
Datad_c = "":Datad_c = Wsh.RegRead("HKLM"& "\"& Location &"\environment\ProductRoot")
' bt1 = ProductType as a UTF-16LE-style hex string (each char's code followed by "00"),
' used below to find the product name inside certificate blobs. hex() is not zero-padded,
' which only matters for code points below &H10.
bt1 = ""
for k=1 to Len(Datad_b)
bt1 = bt1& hex(AscW(Mid(Datad_b,k,1)))& "00"
next

On Error GoTo 0
On Error Resume Next
' First command-line argument: path of a licence file (import mode). Empty = backup mode.
fpcth=wscript.arguments(0)
' Walk every subkey of the SPC certificate store and read its "Blob" value.
oReg.EnumKey HKLM, strKey, arrValues
For i=0 To UBound(arrValues)
oReg.GetBinaryValue HKLM, strKey &"\"& arrValues(i),"Blob",strValue
' Render the blob as upper-case hex, two characters per byte.
datd = ""
for b = 0 to UBound(strValue)
if (strValue(b) < 16) Then
datd = datd & "0" & Hex(strValue(b))
else
datd = datd & Hex(strValue(b))
end if
next
' Classify the blob by the product name it contains, as UTF-16LE hex
' ("6B00690073" = "kis", "6B00610076" = "kav", "77006B0073" = "wks", ...).
' NOTE(review): these compare a number with the string "0"; in VBScript a numeric operand
' orders before a string operand, so these conditions likely never hold — confirm on a host.
VAT = i
if Instr(datd, "6B00690073") > "0" then VAT = "kis_"& i
if Instr(datd, "6B00610076") > "0" then VAT = "kav_"& i
if Instr(datd, "6B00740073") > "0" then VAT = "kts_"& i
if Instr(datd, "77006B0073") > "0" then VAT = "wks_"& i
if Instr(datd, "6B00650073") > "0" then VAT = "kes_"& i
if Instr(datd, "6B0073006F007300660073") > "0" then VAT = "ksosfs_"& i
if Instr(datd, "6B0073006F007300700063") > "0" then VAT = "ksospc_"& i
' If the installed ProductType name occurs twice in the blob, remember this subkey (Itemss)
' and the blob tail from the "2000000001" marker (datd1); both feed the import step below.
if Instr(datd, bt1) > 0 then
if Instr(Mid(datd,Instr(datd, bt1)+Len(bt1)), bt1) > 0 then
datd1 = Mid(datd,Instr(datd,"2000000001"))
Itemss = arrValues(i)
VAT = Datad_b& "_using_"& i
end if
end if
' Backup mode: blob whose hex characters 3..9 are "A700000". After a Yes/No box (7 = No),
' write the slice that follows "10A7000001"+16 chars, up to the first of several marker
' strings, into kaspersky_<VAT>.dat in the current directory (ForWriting, create).
if Right(Left(datd,9),7) = "A700000"  and fpcth = "" then
Select Case msgbox( "天诺时空zolsky.com提示:确定备份「卡巴斯基」的授权吗 ? ",68, "提示 !(天诺时空www.zolsky.com)")
Case 7 WScript.Quit
end Select
Set Rt = fso.OpenTextFile("kaspersky_"& VAT& ".dat",2,true)
Rt.writeline Mid(datd,Instr(datd, "10A7000001")+16,Instr(Replace(Replace(Replace(Replace(Mid(datd,Instr(datd, "10A7000001")), "11A7000001", "t"), "12A7000001", "t"), "2000000001", "t"), "0300000001", "t"), "t")-17)
Rt.Close
end if
' Import mode: same blob type. After confirmation, DELETE this subkey from the SPC store;
' a failure is reported as insufficient rights and the script quits.
if Right(Left(datd,9),7) = "A700000"  and fpcth <> "" then
Select Case msgbox( "天诺时空zolsky.com提示:确定为「卡巴斯基」添加此授权吗 ? ",68, "提示 !(天诺时空www.zolsky.com)")
Case 7 WScript.Quit
end Select
On Error GoTo 0
On Error Resume Next
Wsh.RegDelete "HKLM\"& strKey &"\"& arrValues(i)&"\"
if Err.Number <> 0 then   
msgbox "权限不足。请以管理员身份运行, 或登陆“Administrator”帐户再执行此操作!"  ,48,"警告!(天诺时空www.zolsky.com) "
WScript.Quit
end if
end if
Next
' Import mode, after the loop.
if fpcth <> "" then
' First line of the licence file, taken as hex text.
objFile = fso.OpenTextFile(fpcth).ReadLine
' New blob = fixed header + licence hex + fixed trailer + saved subkey name + saved blob tail.
objFile1 = "10A7000001000000"& Trim(objFile)& "030000000100000014000000"& Itemss& datd1
' Split the hex text into byte pairs, each stored as the string "&Hxx".
' NOTE(review): the array holds strings, not numbers; SetBinaryValue presumably coerces them — confirm.
Redim Items_datc(len(objFile1)/2-1)
fcy = 0
for h=1  to len(objFile1) step 2
Items_datc(fcy) = "&H"& Mid(objFile1, h, 2)
fcy = fcy+1
next
' Recreate the subkey and write the new "Blob" only when all three pieces were found.
if Itemss <> "" and Datad_b <> "" and datd1 <> "" then
oReg.CreateKey HKLM, strKey &"\"& Itemss
oReg.SetBinaryValue HKLM,strKey &"\"& Itemss, "Blob", Items_datc
end if
' Hidden window (style 0): clears the Administrator account's user comment.
' The script gives no reason for this step; it is unrelated to the registry work above.
Wsh.run "cmd /c net user Administrator /Usercomment: ",0
' If any piece was missing: delete EVERY subkey under the SPC certificate store (not only
' Kaspersky-related ones), show a "no data" box and quit. This is the most destructive step.
if Itemss = "" or Datad_b = "" or datd1 = "" then
oReg.EnumKey HKLM, strKey, arrValues1
For V=0 To UBound(arrValues1)
Wsh.RegDelete "HKLM\"& strKey &"\"& arrValues1(V)&"\"
NEXT
msgbox " 未找到数据。 安装“卡巴斯基”或重启一遍“卡巴斯基”后再尝试加载授权。  "  ,64,"警告!(天诺时空www.zolsky.com) "
WScript.Quit
end if
' Collect the PIDs of running avp.exe processes (reuses i as the loop variable).
Arrtr = ""
Set ID1 = GOj.ExecQuery("select * from win32_process where name = 'avp.exe'" )
For Each i In ID1
Arrtr = Arrtr & i.ProcessId
Next
' Product running: ask the user to restart it; otherwise launch avp.com from ProductRoot
' twice, the first call waiting for it to return.
if Len(Arrtr) > 0 then
msgbox "天诺时空zolsky.com提示:授权加载完成; 手动重启“卡巴斯基”生效 。"  ,64,"警告!(天诺时空www.zolsky.com) "
else
Wsh.Run  Chr(34) & Datad_c &"\avp.com"& Chr(34),true,true
Wsh.Run  Chr(34) & Datad_c &"\avp.com"& Chr(34),true
end if
end if
' Release COM objects and exit.
Set GOj = Nothing:Set Wsh = Nothing:Set fso = Nothing:Set oReg = Nothing
WScript.Quit
[/mw_shl_code]

了解大卡巴为何杀它吗?
楼主用360急救试试
64 32

cn86li
发表于 2014-8-15 06:21:01 | 显示全部楼层
本帖最后由 cn86li 于 2014-8-17 07:01 编辑

To Emsisoft

To BD
ticket number is 2014081422240002
The file is infected, detection added.

File ioc198e_tmp declared INFECTED
蓝天二号
发表于 2014-8-15 06:48:50 | 显示全部楼层
TO Q管
流年在消逝
发表于 2014-8-15 08:01:33 | 显示全部楼层
to eset,火绒miss
欧阳宣
发表于 2014-8-15 09:44:01 | 显示全部楼层
看代码似乎就是个导入卡巴key的东西,卡巴肯定杀
天下无我
 楼主| 发表于 2014-8-15 12:16:11 | 显示全部楼层
tony223322 发表于 2014-8-15 02:14
閃退
SONAR MISS
360MISS

用过360急救箱了,无反应;有专杀吗?