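@echo off
REM Clean-up script for the malware that drops zpepc.bat / zpepc.vbs / zpepc.ini.
REM It was produced by mechanically reversing the malware's own batch file and,
REM by the author's own statement, was never tested. It changes services, the
REM registry and the hosts file, so it needs an administrator account; try it
REM on a backed-up or disposable system first.

REM The original line here was "date 2008-01-29", which forces the clock to one
REM fixed day (presumably undoing a date change made by the malware -- not
REM visible here). On any other day that leaves the clock wrong, which breaks
REM certificate validation, update checks and log timestamps. Show the current
REM date instead and let the operator correct it.
echo Current system date:
date /t
echo If this date is wrong, correct it with the DATE command or in Control Panel.

REM Try to start the Windows Firewall/ICS service (sharedaccess) and the
REM services named in the original script, which appear to belong to
REM third-party security products. A service whose start type is still
REM "disabled" cannot be started, and a product that is not installed simply
REM reports an error, so failures here are expected on many machines.
for %%s in (sharedaccess KVWSC KVSRVXP kavsvc rsccenter rsravmon) do net start %%s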
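REM Reset the hosts file to a single localhost entry.
REM The original appended (>>) the entry to a hosts.txt staging file and then
REM copied that file over hosts. Any lines already present in a left-over
REM hosts.txt would have been copied back into hosts, so the file is now
REM written directly with ">" and the staging file is only deleted.
REM Paths are quoted in case %SystemRoot% contains spaces.

REM hosts may have been marked read-only/system/hidden; clear that first.
attrib -r -s -h "%SystemRoot%\system32\drivers\etc\hosts" >nul 2>nul

REM Keep the tampered file for later review. Any legitimate custom entries
REM are also only in this copy, because the reset below discards them.
if exist "%SystemRoot%\system32\drivers\etc\hosts" copy /y "%SystemRoot%\system32\drivers\etc\hosts" "%SystemRoot%\system32\drivers\etc\hosts.bak" >nul

>"%SystemRoot%\system32\drivers\etc\hosts" echo 127.0.0.1 LOCALHOST

if exist "%SystemRoot%\system32\drivers\etc\hosts.txt" del /f /q "%SystemRoot%\system32\drivers\etc\hosts.txt"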
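REM Re-enable the services whose Start value had been set to 4 (disabled).
REM
REM The original lines were "reg DELETE ... /v Start /t reg_dword /d 00000004 /f".
REM "reg delete" accepts only /v, /ve, /va and /f, so every one of them failed
REM with a syntax error. Had they worked, they would have removed the Start
REM value altogether, which leaves a service without a start type instead of
REM restoring the one it had.

REM Windows components: Windows Firewall/ICS, Security Center and Automatic
REM Updates start automatically on a stock Windows XP SP2 installation.
REM "sc config" needs the space after "start=".
for %%s in (SharedAccess wscsvc wuauserv) do sc config %%s start= auto

REM Third-party services and drivers named in the original script. Their
REM correct start types are not known from this file, so they are only
REM reported; run the vendor's repair or reinstall for any that show
REM Start = 0x4. Entries that are not installed print nothing.
echo Start values of the third-party services (0x4 = disabled):
for %%s in (HookUrl mProcRs RfwProxySrv RfwService RsFwDrv PFW avgwlntf) do (
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\%%s" /v Start 2>nul
)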
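REM Restore the Safe Mode entry for the disk-drive device class.
REM {4D36E967-E325-11CE-BFC1-08002BE10318} is the DiskDrive class GUID. Under
REM SafeBoot\Minimal and SafeBoot\Network it is a SUBKEY whose default value
REM is "DiskDrive"; without it Safe Mode cannot load the disk driver.
REM The original lines used "/v {GUID}", which only adds an empty value with
REM that name to the parent key and does not bring the subkey back.
REM NOTE(review): this assumes the malware removed the subkey -- confirm.
REM Re-adding it is harmless when it is already present.
REM
REM Each control set is checked first so that "reg add" does not create a
REM control set that does not exist on this machine.
for %%c in (ControlSet001 ControlSet003 CurrentControlSet) do (
  reg query "HKLM\SYSTEM\%%c\Control\SafeBoot" >nul 2>nul && (
    reg add "HKLM\SYSTEM\%%c\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /t REG_SZ /d DiskDrive /f
    reg add "HKLM\SYSTEM\%%c\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /t REG_SZ /d DiskDrive /f
  )
)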
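REM Remove the registry values the malware set.
REM "reg delete" accepts only /v, /ve, /va and /f. The /t and /d switches on
REM the original lines made each command fail with a syntax error, so nothing
REM was removed. A value that is already absent reports an error, which is
REM harmless.

REM Values literally named "默认" ("default"). With /v this is a named value,
REM not the key's unnamed default (/ve), and the path is "Software\class"
REM rather than "Software\Classes". Both are kept exactly as written so the
REM command targets what the original lines targeted. The name only matches
REM if this file is saved in the code page the console uses.
reg delete "HKEY_LOCAL_MACHINE\Software\class\.reg" /v 默认 /f
reg delete "HKEY_LOCAL_MACHINE\Software\class\.js" /v 默认 /f
reg delete "HKEY_LOCAL_MACHINE\Software\class\.EXE" /v 默认 /f

REM Run-key entry that pointed at %SystemRoot%\zpepc.vbs (start at logon).
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v AutoRun /f

REM Per-user policy values: AutoRun drive-type mask, Run dialog and Windows-key
REM restrictions, Task Manager and registry-editor lockouts. Deleting a value
REM returns the setting to the Windows default. These are under
REM HKEY_CURRENT_USER, so only the account running the script is repaired.
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v Norun /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v Nowinkeys /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /f

REM "Show hidden files and folders": the original line tried to delete
REM CheckedValue, but Explorer needs it to be the DWORD 1 for the option to
REM work, so it is written back instead of removed.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d 1 /f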
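REM Remove the Image File Execution Options (IFEO) "Debugger" hijacks.
REM A Debugger value under IFEO\<program> makes Windows start the named
REM debugger instead of the program; here it pointed at %SystemRoot%\zpepc.vbs,
REM so starting any listed security or admin tool ran the script instead.
REM
REM Changes from the original:
REM  - "reg delete" does not accept /t or /d, so the original loop failed on
REM    every entry and hid the errors with ">nul 2>nul". The Debugger value is
REM    now read first and deleted only when it refers to zpepc.vbs, which keeps
REM    the original intent and leaves any unrelated Debugger entry alone.
REM  - "for /f" split lines at the first space, so "SREngLogA 1.3.exe" and
REM    "VirusKillBox 1.1.exe" were truncated; "delims=" keeps the whole line.
REM  - The list was appended (>>) to zpepc.ini in the current directory and
REM    never removed from there; it is now written to a fresh temporary file
REM    that is deleted afterwards.
REM NOTE(review): if the cmd.exe entry is present, this batch file may not be
REM able to start at all; that entry then has to be removed by other means.
set "route=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
set "ifeo_list=%TEMP%\ifeo_targets_%RANDOM%.txt"

REM Program names exactly as given in the original list. "taskgmr.exe" looks
REM like a misspelling of taskmgr.exe, so taskmgr.exe is checked as well (last
REM line); it is not part of the original list.
>"%ifeo_list%" (
  echo avp.com
  echo avp.exe
  echo runiep.exe
  echo PFW.exe
  echo FYFireWall.exe
  echo rfwmain.exe
  echo rfwsrv.exe
  echo KAVPF.exe
  echo KPFW32.exe
  echo nod32kui.exe
  echo nod32.exe
  echo Navapsvc.exe
  echo Navapw32.exe
  echo avconsol.exe
  echo webscanx.exe
  echo NPFMntor.exe
  echo vsstat.exe
  echo KPfwSvc.exe
  echo RavTask.exe
  echo Rav.exe
  echo RavMon.exe
  echo mmsk.exe
  echo WoptiClean.exe
  echo QQKav.exe
  echo QQDoctor.exe
  echo EGHOST.exe
  echo 360Safe.exe
  echo iparmo.exe
  echo adam.exe
  echo IceSword.exe
  echo 360rpt.exe
  echo 360tray.exe
  echo AgentSvr.exe
  echo AppSvc32.exe
  echo autoruns.exe
  echo avgrssvc.exe
  echo AvMonitor.exe
  echo CCenter.exe
  echo ccSvcHst.exe
  echo FileDsty.exe
  echo FTCleanerShell.exe
  echo HijackThis.exe
  echo Iparmor.exe
  echo isPwdSvc.exe
  echo kabaload.exe
  echo KaScrScn.SCR
  echo KASMain.exe
  echo KASTask.exe
  echo KAV32.exe
  echo KAVDX.exe
  echo KAVPFW.exe
  echo KAVSetup.exe
  echo KAVStart.exe
  echo KISLnchr.exe
  echo KMailMon.exe
  echo KMFilter.exe
  echo KPFW32X.exe
  echo KPFWSvc.exe
  echo KRegEx.exe
  echo KRepair.com
  echo KsLoader.exe
  echo KVCenter.kxp
  echo KvDetect.exe
  echo KvfwMcl.exe
  echo KVMonXP.kxp
  echo KVMonXP_1.kxp
  echo kvol.exe
  echo kvolself.exe
  echo KvReport.kxp
  echo KVScan.kxp
  echo KVSrvXP.exe
  echo KVStub.kxp
  echo kvupload.exe
  echo kvwsc.exe
  echo KvXP.kxp
  echo KvXP_1.kxp
  echo KWatch.exe
  echo KWatch9x.exe
  echo KWatchX.exe
  echo loaddll.exe
  echo MagicSet.exe
  echo mcconsol.exe
  echo mmqczj.exe
  echo nod32krn.exe
  echo PFWLiveUpdate.exe
  echo QHSET.exe
  echo RavMonD.exe
  echo RavStub.exe
  echo RegClean.exe
  echo rfwcfg.exe
  echo RfwMain.exe
  echo RsAgent.exe
  echo Rsaupd.exe
  echo safelive.exe
  echo scan32.exe
  echo shcfg32.exe
  echo SmartUp.exe
  echo SREng.EXE
  echo symlcsvc.exe
  echo SysSafe.exe
  echo TrojanDetector.exe
  echo Trojanwall.exe
  echo TrojDie.kxp
  echo UIHost.exe
  echo UmxAgent.exe
  echo UmxAttachment.exe
  echo UmxCfg.exe
  echo UmxFwHlp.exe
  echo UmxPol.exe
  echo UpLive.exe
  echo upiea.exe
  echo AST.exe
  echo ArSwp.exe
  echo USBCleaner.exe
  echo rstrui.exe
  echo killbox.exe
  echo procexp.exe
  echo unlocker.exe
  echo powerRmv.exe
  echo xdelbox1.5R.exe
  echo xdelbox1.3R.exe
  echo xdelbox.exe
  echo wsyscheck.exe
  echo ollyice.exe
  echo SREngLogA 1.3.exe
  echo VirusKillBox 1.1.exe
  echo USBkiller.exe
  echo ACDsee.exe
  echo winrar.exe
  echo regedit.exe
  echo taskgmr.exe
  echo cmd.exe
  echo taskmgr.exe
)

REM Delete the Debugger value only where it refers to zpepc.vbs, and say so.
for /f "usebackq delims=" %%i in ("%ifeo_list%") do (
  reg query "%route%\%%i" /v Debugger 2>nul | findstr /i /c:"zpepc.vbs" >nul && (
    reg delete "%route%\%%i" /v Debugger /f >nul 2>nul && echo Removed Debugger hijack for %%i
  )
)

del /f /q "%ifeo_list%"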
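REM Delete the files dropped into the Windows directory.
REM The original ran DEL first and ATTRIB afterwards. DEL without /a does not
REM see files marked hidden or system, so the files would have survived and
REM merely become visible. Clear the attributes first, then delete.
REM If a sample is needed for analysis or reporting, copy the files to
REM quarantine storage before running this part.
attrib -s -h -r "%SystemRoot%\zpepc.*"
del /f /q "%SystemRoot%\zpepc.bat"
del /f /q "%SystemRoot%\zpepc.vbs"
del /f /q "%SystemRoot%\zpepc.ini"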
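REM Remove the AutoRun launcher from the root of every drive.
REM
REM The original still contained the lines that WRITE an [AutoRun] section
REM (open=zpepc.vbs and the shell\open / shell\explore commands) into
REM Autorun.inf in the current directory. Those lines were left un-reversed;
REM in a clean-up script they would re-create the launcher file, so they are
REM dropped here.
REM
REM The original loops were also broken: "for /D" matches directories rather
REM than iterating a list, the command after "do" was on the next line, and
REM DEL ran before ATTRIB so hidden/system files were never deleted.
REM
REM autorun.inf is removed only when it mentions zpepc.vbs, so a legitimate
REM autorun.inf (or a protective folder of that name) is left untouched.
REM NOTE(review): zpepc.vbs in the drive root is inferred from "open=zpepc.vbs";
REM confirm that is where the copies are.
for %%d in (c d e f g h i j k l m n o p q r s t u v w x y z) do (
  if exist "%%d:\autorun.inf" (
    findstr /i /c:"zpepc.vbs" <"%%d:\autorun.inf" >nul 2>nul && (
      attrib -s -h -r "%%d:\autorun.inf"
      del /f /q "%%d:\autorun.inf"
      echo Removed %%d:\autorun.inf
    )
  )
  if exist "%%d:\zpepc.vbs" (
    attrib -s -h -r "%%d:\zpepc.vbs"
    del /f /q "%%d:\zpepc.vbs"
    echo Removed %%d:\zpepc.vbs
  )
)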
REM Point each extension back at a file type. The pairs are quoted because "="
REM is a list separator for FOR; %%~a strips the quotes again.
REM .js is mapped to txtfile, as in the original, not to the Windows default
REM JSFile: a double-clicked .js file then opens as text instead of running in
REM Windows Script Host. Use JSFile if the stock behaviour is required.
for %%a in (".exe=exefile" ".txt=txtfile" ".js=txtfile" ".reg=regfile") do assoc %%~a
把所有语句反过来：NET STOP 改成 NET START，REG ADD 改成 REG DELETE，COPY 改成 DEL，就成了修复程序了。
PS. 没有试验过，会不会搞出更大的问题就不知道了……