|
論壇說明 |
歡迎您來到『史萊姆論壇』 ^___^ 您目前正以訪客的身份瀏覽本論壇,訪客所擁有的權限將受到限制,您可以瀏覽本論壇大部份的版區與文章,但您將無法參與任何討論或是使用私人訊息與其他會員交流。若您希望擁有完整的使用權限,請註冊成為我們的一份子,註冊的程序十分簡單、快速,而且最重要的是--註冊是完全免費的! 請點擊這裡:『註冊成為我們的一份子!』 |
|
主題工具 | 顯示模式 |
2003-08-15, 09:03 PM | #1 |
註冊會員
|
疾風病毒自動掃瞄移除工具---不止疾風病毒含其他蠕蟲病毒
疾風病毒自動掃瞄移除工具---不止疾風病毒含其他蠕蟲病毒
及變種 此程式FOR所有版本 NT/2000/XP/2003 程式 ftp://ftp.kaspersky.com/utils/clrav.com 用法說明及參數 **************************************************************************** Utility for cleaning infection by: I-Worm.BleBla.b I-Worm.Navidad I-Worm.Sircam I-Worm.Goner I-Worm.Klez.a,e,f,g,h Win32.Elkern.c I-Worm.Lentin.a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p I-Worm.Tanatos.a,b Worm.Win32.Opasoft.a,b,c,d,e,f,g,h I-Worm.Avron.a,b,c,d,e I-Worm.LovGate.a,b,c,d,e,f,g,h,i,j,k,l I-Worm.Fizzer I-Worm.Magold.a,b,c,d,e Worm.Win32.Lovesan Version 10.0.5.2 Copyright (C) Kaspersky Lab 2000-2003. All rights reserved. **************************************************************************** Command line: /s[n] - to force scaning of hard drives. Program will scan hard drive for I-Worm.Klez.a(e,f,g,h) infection in any case. n - include scaning of mapped network drives. /y - end program without pressing any key. /i - show command line info. /nr - do not reboot system automatically in any cases. /Rpt[ao][=<Report file path>] - create report file a - add report file o - report only (do not cure/delete infected files) Return codes: 0 - nothing to clean 1 - virus was deleted and system restored 2 - to finilize removal of virus you shold reboot system 3 - to finilize removal of virus you shold reboot system and start program the second time 4 - programm error. **************************************************************************** I-Worm.BleBla.b --------------- If program find HKEY_CLASSES_ROOT\rnjfile key in registry it: delete registry keys HKEY_CLASSES_ROOT\rnjfile HKEY_CLASSES_ROOT\.lha repair registry key to default value HKEY_CLASSES_ROOT\.jpg to jpegfile HKEY_CLASSES_ROOT\.jpeg to jpegfile HKEY_CLASSES_ROOT\.jpe to jpegfile HKEY_CLASSES_ROOT\.bmp to Paint.Picture HKEY_CLASSES_ROOT\.gif to giffile HKEY_CLASSES_ROOT\.avi to avifile HKEY_CLASSES_ROOT\.mpg to mpegfile HKEY_CLASSES_ROOT\.mpeg to mpegfile HKEY_CLASSES_ROOT\.mp2 to mpegfile HKEY_CLASSES_ROOT\.wmf to empty HKEY_CLASSES_ROOT\.wma to wmafile HKEY_CLASSES_ROOT\.wmv to wmvfile HKEY_CLASSES_ROOT\.mp3 to mp3file HKEY_CLASSES_ROOT\.vqf to empty HKEY_CLASSES_ROOT\.doc to word.document.8 or wordpad.document.1 HKEY_CLASSES_ROOT\.xls to excel.sheet.8 HKEY_CLASSES_ROOT\.zip to winzip HKEY_CLASSES_ROOT\.rar to winrar HKEY_CLASSES_ROOT\.arj to archivefile or winzip HKEY_CLASSES_ROOT\.reg to regfile HKEY_CLASSES_ROOT\.exe to exefile try to delete file c:\windows\sysrnj.exe I-Worm.Navidad -------------- If program find HKEY_CURRENT_USER\Software\Navidad, HKEY_CURRENT_USER\Software\xxxxmas or HKEY_CURRENT_USER\Software\Emanuel key in registry it: delete registry keys HKEY_CURRENT_USER\Software\Navidad HKEY_CURRENT_USER\Software\xxxxmas HKEY_CURRENT_USER\Software\Emanuel SOFTWARE\Microsoft\Windows\CurrentVersion\Run Win32BaseServiceMOD repair registry key to default value HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %* try to delete file winsvrc.vxd winfile.vxd wintask.exe I-Worm.Sircam ------------- If program find HKEY_LOCAL_MACHINE\Software\SirCam key in registry, "@win \recycled\sirc32.exe" in autoexec.bat or \windows\run32.exe and \windows\rundll32.exe was created on Delphi it: delete registry keys HKEY_LOCAL_MACHINE\Software\SirCam Software\Microsoft\Windows\CurrentVersion\RunServices Driver32 repair registry key to default value HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %* try to delete file %Windows drive%:\RECYCLED\SirC32.exe %Windows directory%\ScMx32.exe %Windows system directory%\SCam32.exe %Windows startup directory%\"Microsoft Internet Office.exe" %Windows drive%:\windows\rundll32.exe try to rename files %Windows drive%:\windows\Run32.exe to %Windows drive%:\windows\RunDll32.exe try to repair files autoexec.bat In case program can not delete or rename any files (it may be used at that moment) it set these files to queue to delete or rename during bootup process and offer user to reboot system. I-Worm.Goner ------------ If gone.scr process exist in memory, program will try to stop it. if file %Windows system directory%\gone.scr exist on hard drive, program will try to delete it. If program find %Windows system directory%\gone.scr key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run of system registry, it will delete this key. I-Worm.Klez.a,e-h, Win32.Elkern.c, I-Worm.Lentin.a-p, I-Worm.Tanatos.a-b, ------------------------------------------------------------------------- Worm.Win32.Opasoft.a-h, I-Worm.Avron.a-e, I-Worm.LovGate.a-l, I-Worm.Fizzer, ---------------------------------------------------------------------------- I-Worm.Magold.a-e, Worm.Win32.Lovesan ------------------------------------- If program find next processes in memory: Krn132.exe WQK.exe or any processes, infected by these viruses, it will try to unhook virus hooks and patch needed processes to stop reinfection and then stop them and delete/cure their files on hard drive and delete links to their files from system registry and other startup places. If program find that WQK.DLL library has been loaded by any processes it will rename file of this library and will remove it after system reboot. In case program find such library in memory of your PC you should reboot your PC when program finish and start it the second time after reboot to clean your system registry. If program find any infected processes in memory it will start scan of your hard drive (and all mapped network drives if you specify /netscan in command line). It will check only infection by these viruses. If you specify /s key in command line program will scan your hard drive (and all mapped network drives if you specify /sn) in all cases. If Win32.Elkern.c virus create memory mapping, program will disinfect this memory area. Program can restore next startup links used by viruses: autoexec.bat win %virus file path and name% win.ini section [Windows] run=<virus file> registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows values AppInit_DLLs Run HKEY_CLASSES_ROOT\txtfile\shell\open\command (txt association) restoring to link to notepad.exe program HKEY_CLASSES_ROOT\exefile\shell\open\command (exe association) restoring to "%1" %* HKEY_CLASSES_ROOT\comfile\shell\open\command (com association) restoring to "%1" %* HKEY_CLASSES_ROOT\batfile\shell\open\command (bat association) restoring to "%1" %* HKEY_CLASSES_ROOT\piffile\shell\open\command (pif association) restoring to "%1" %* HKEY_CLASSES_ROOT\scrfile\shell\open\command (scr association) restoring to "%1" %* installed NT services mIRC start scripts <Program Files folder>\Mirc\script.ini <Program Files folder>\Mirc32\script.ini Pirch start scripts <Program Files folder>\Pirch98\events.ini 用法: 1. copy clrav.com 到你的windows\system32目錄下 2. 開始--->執行----->鍵入clrav.com /s----> 確定 |
送花文章: 0,
|
2003-08-16, 04:10 AM | #2 (permalink) |
長老會員
|
感謝大大分享
趕緊來掃描一下 |
__________________ http://tw.search.bid.yahoo.com/searc...D1%A8%CF%AB%CE |
|
送花文章: 480,
|