|
最近我的共享目录里面所有exe文件都被病毒感染,上网一查才知道是“logo1_.exe”这个咚咚搞的鬼。网上对这个病毒的危害性评价得很高,认为只要中了病毒,整台机器都只能“Format”了。其原因大概就是因为所有应用程序都被感染,运行任何程序都回使病毒“重生”。我使用“卡巴司机”杀毒,结果提示无法清除,将我整个exe文件给删了。郁闷中,自己动手写了这个咚咚来清除已感染程序里的的病毒。
中了“logo1_.exe”病毒请上网查找相关清除方法,本工具只是清除被感染文件里面的病毒,因没有太多时间,没做注册表自动恢复功能;)
中毒的现象:会在所有含有exe文件的目录下建立一个隐藏的“_desktop.ini”文件,里面记录了病毒感染的日期。如果删除该文件,病毒会重复感染已感染的应用程序并重新生成“_desktop.ini”文件;很多被病毒感染的应用程序会出现很模糊的ICO图标。
网上传说该病毒每三分钟活动一次哦,还说新装的机器在带毒的网络工作,三分钟之内就会被遭毒手,装新系统的朋友小心了。
为防止不小心的朋友运行病毒文件,我已经将“.exe”后缀去掉了。大家可以添加“.exe”后缀名对比杀毒前和杀毒后的ICO图标变换情况。 再次提醒:未使用本工具清除“病毒样本”里的病毒之前,千万别运行“病毒样本”程序。否则马上中标 :D 保存为:Logo1_Kill.js运行即可 复制代码 代码如下: TaskKill("logo1_.exe"); TaskKill("rundl132.exe"); var window, lstKill, pnlScan, form1 = new Form; form1.Run(); function Form() { var IE = WSH.GetObject("", "InternetExplorer.Application"); IE.ToolBar = 0; IE.StatusBar = 0; IE.Width = 350; IE.Height = 360; IE.Navigate("about:blank"); var document = IE.document; document.body.scroll = "no"; document.body.style.font = "9pt 宋体"; window = document.frames; document.body.charset = "gb2312"; document.bgColor = "menu"; document.body.style.border = 0; document.title = "Logo1_.exe 病毒清除工具"; this.Run = function() { var btnKill = new Button("清除病毒"); var filebox = new FileBox; var grpScan = new Group; var grpKill = new Group("快速清除病毒"); var dirPath = new TextBox; var btnScan = new Button("开始扫描"); pnlScan = new Panel; lstKill = new ListBox; dirPath.value = "D:\\"; grpScan.Text.data = "目录扫描"; pnlScan.Text.data = "准备就绪"; lstKill.style.width = "100%"; lstKill.style.height = "2in"; AddControl(grpKill); grpKill.Add(filebox); grpKill.Add(btnKill); AddControl(grpScan); grpScan.Add(dirPath); grpScan.Add(btnScan); grpScan.Add(pnlScan); grpScan.Add(lstKill); btnKill.onclick = btnKill_Clicked; btnScan.onclick = btnScan_Clicked; IE.Visible = true; try { while(!window.closed) { if(btnScan.disabled) { try { var FSO = new ActiveXObject("Scripting.FileSystemObject"); var Folder = FSO.getFolder(dirPath.value); FolderList(Folder); } catch(err) { window.alert(err.message); } btnScan.disabled = false; window.alert("扫描完成。"); } WSH.Sleep(1000); } } catch(err) {} function btnKill_Clicked() { var FilePath = filebox.value; if(FilePath && Check(FilePath)) { if(window.confirm("发现病毒,是否清除?")) { try { Backup(FilePath); } catch(Err){} while(Check(FilePath)) Clear(FilePath); window.alert("清除了一个病毒。"); } } else { window.alert("未发现病毒。"); } } function btnScan_Clicked() { while(lstKill.options.length) lstKill.options.remove(0); btnScan.disabled = true; } } function AddControl(obj) { document.body.appendChild(obj); } function FileBox() { var obj = document.createElement("input"); obj.type = "file"; return obj; } function Button(text) { var obj = document.createElement("input"); obj.type = "button"; obj.value = text; return obj; } function TextBox() { return document.createElement("input"); } function Panel() { var Div = document.createElement("div"); Div.Add = function(Obj) { this.appendChild(Obj); } Div.Text = document.createTextNode(); Div.Add(Div.Text); Div.style.overflow = "hidden"; return Div; } function Group(Title) { var fieldset = document.createElement("fieldset"); var legend = document.createElement("legend"); fieldset.Text = document.createTextNode(); fieldset.Text.data = Title; legend.appendChild(fieldset.Text); fieldset.Add = function(Obj) { this.appendChild(Obj); } fieldset.Add(legend); fieldset.style.marginBottom = "2mm"; return fieldset; } function ListBox() { var select = document.createElement("select"); select.multiple = true; select.Add = function(text) { var opt = window.Option(text); select.options.add(opt); } return select; } } function TaskKill(Process) { var WinMgmts = GetObject("WinMgmts://127.0.0.1"); var ProcList = WinMgmts.ExecQuery("select * from win32_process"); var ProcList = new Enumerator(ProcList); while(!ProcList.atEnd()) { if(ProcList.item().Name.toLowerCase() == Process.toLowerCase()) ProcList.item().terminate(); ProcList.moveNext(); } } function Check(SourcePath) { var Code = "MZKERNEL32.DLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProcAddress\x00\x00|\x00\x00BKwdwing@"; var Stream = new ActiveXObject("Adodb.Stream"); Stream.Open(); Stream.Charset = "gb2312"; Stream.LoadFromFile(SourcePath); var Body = Stream.ReadText(60); Stream.Close(); Body = Body.replace(/[\s\S]\x00\x00BK/, "|\x00\x00BK"); return Body == Code; } function Clear(SourcePath) { var Stream = new ActiveXObject("Adodb.Stream"); Stream.Open(); Stream.LoadFromFile(SourcePath); var Body = Stream.ReadText(500 * 1024); Stream.Close(); var Match = ""; while(Match.length < 21) Match += "\x00"; Match += "MZ"; var C = 0, Temp = ""; while(C< Body.length && Temp.indexOf(Match) <0) { var Uni = Body.substr(C, 1000); C += 1000; Temp += Decode(Uni); } var Position = Temp.indexOf(Match) + 21; Stream.Type = 1; Stream.Open(); Stream.LoadFromFile(SourcePath); Stream.Position = Position; Body = Stream.Read(); Stream.Position = 0; Stream.SetEOS(); Stream.Write(Body); Stream.SaveToFile(SourcePath, 2); Stream.Close(); } function Backup(SourcePath) { var FSO = new ActiveXObject("Scripting.FileSystemObject"); var File = FSO.GetFile(SourcePath); File.Copy(SourcePath + ".logo1_vir", false); } function Decode(text) { return text.replace(/([\u0000-\uffff])/g, function($1) { var uni = $1.charCodeAt(0).toString(16); while(uni.length < 4) uni = "0" + uni; uni = uni.replace(/(\w{2})(\w{2})/g, "%$2%$1"); return unescape(uni); }); } function ScanFiles(Folder) { var Files = new Enumerator(Folder.Files); while(!Files.atEnd()) { if(Files.item().Name.slice(-4).toLowerCase() == ".exe") { var Path = Files.item().Path; pnlScan.Text.data = Path; if(Check(Path)) { try { Backup(Path); } catch(err){} while(Check(Path)) Clear(Path); lstKill.Add(Path + " (OK)"); } WSH.Sleep(50); } Files.moveNext(); } } function FolderList(Folder) { ScanFiles(Folder); var Folders = new Enumerator(Folder.SubFolders); WSH.Sleep(50); while(!Folders.atEnd()) { if(Folders.item().Path.match(/\\/g).length > 255) continue; pnlScan.Text.data = Folders.item().Path + "\\"; FolderList(Folders.item()); Folders.moveNext(); } }
|
|