批处理删除Dir2Exe病毒，并修复系统设置

御风而行 · 发表于 2009-5-8 20:02:10

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

您需要登录才可以下载或查看，没有账号？立即注册

×

这是一个非常常见的u盘病毒，最新变种的特征如下
除C盘外的驱动器根目录所有文件夹被隐藏，病毒生成同名的exe文件，但是扩展名不可见
文件夹选项中的“显示已知的文件扩展名”选项消失
文件夹选项中的“显示隐藏的文件”选项消失或无效（就是你选了，但再次打开发现还是没选）
不能启动autoruns和processexplorer这两个最常用的辅助工具
以下批处理删除病毒，并恢复文件夹，恢复以上选项，并在完成后重新启动系统
将一下代码复制到记事本病保存为.cmd或.bat
复制内容到剪贴板
代码:

@echo off
echo.##################################
echo.#Kill Dir2Exe Batch File by PHiSH#
echo.##################################
echo.Killing virus process...
taskkill /f /im "ttry.exe"
echo.
echo.Deleting virus files...
attrib -h -s -r "%indir%\ttry.exe"
del/q "%windir%\ttry.exe"
attrib -h -s -r "%windir%\tsay.exe"
del/q "%windir%\tsay.exe"
echo.
echo.Removing registry entries...
reg delete "HKLM\SOFTWARE\Classes\Drive\Shell\Explore" /f
reg delete "HKLM\SOFTWARE\Classes\Drive\Shell\Open" /f
reg delete "HKLM\SOFTWARE\Classes\Directory\Shell\Explore" /f
reg delete "HKLM\SOFTWARE\Classes\Directory\Shell\Open" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v msfsa /f
echo.
echo.Recovering "Show Hidden" registry entries...
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NoHidden /v CheckedValue /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NoHidden /v DefaultValue /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll /v CheckedValue /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll /v DefaultValue /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll /v CheckedValue /t REG_DWORD /d 1
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NoHidden /v CheckedValue /t REG_DWORD /d 0
echo.
echo.Recovering "Show Known Extension" registry entries...
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v Type /d checkbox
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v Text /d "@shell32.dll,-30503"
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v HKeyRoot /t REG_DWORD /d "80000001"
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v RegPath /d "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v ValueName /d HideFileExt
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v CheckedValue /t REG_DWORD /d 1
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v UncheckedValue /t REG_DWORD /d 0
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v DefaultValue /t REG_DWORD /d 0
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /v HelpID /d "shell.hlp#51101"
echo.
echo.Now treating all your root drivers, please stand by...
for %%i in (C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z) do (
for /f "delims=" %%k in ('dir %%i:\/b/ad') do (
attrib -h -s -r "%%i:\%%k"
attrib -h -s -r "%%i:\%%k.exe"
del/q "%%i:\%%k.exe"
)
)
echo.
echo.Consider it done!
echo.
echo.Restarting your system in 5 seconds...
shutdown -r -t 5 -c "Dir2Eex virus removing program by PHiSH"

复制代码

账号		自动登录	找回密码
密码			立即注册

教程经验总索引	TVMW5/小日本5 索引【视频转换】	小日本4/TE4XP 索引【视频转换】	TAW4 / TDA3 索引【DVD打包软件】
Nero 索引	DVD-Lab 索引【DVD打包软件】	编解码器索引	【必读】固顶帖011号！

[教程] 批处理删除Dir2Exe病毒，并修复系统设置

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。