Beware of the meex.exe USB worm (similar to the "AV Terminator")

Source: 54master   Author: DTMV6   Date: 2007-12-08 10:34:45
Yesterday I was cleaning a classmate's machine. The antivirus would not open, and as soon as a file name contained a virus-related word such as "病毒" (virus), "杀毒" (antivirus) or "瑞星" (Rising), the file was closed right after being opened; searching for those words in a web page closed the page as well. There may be other symptoms, which I will not go into here. Task Manager showed two processes, rcqekta.exe and tefigra.exe, that could not be removed, and ending them by hand did not work either. Searching online showed this to be a meex.exe infection, but it comes with a large number of other dropped files (owpaccb.exe, tytcbtl.exe, tnemumf.exe, tkwdmwe.exe, hxljjqu.exe, dfawrrk.exe, ikcswon.exe, wkhawlu.exe, jytbikec.exe……), and the names of these dropped files change with the whim of the virus author. So dealing with the meex.exe USB worm means starting from those dropped files. The batch code below can be adapted to your own situation by changing the dropped-file names before running the cleanup.

If the batch file will not run, cmd.exe has been hijacked: first rename regedit.exe to something else (for example 1.exe), run 1.exe, and under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options delete the cmd.exe subkey, then double-click the batch file again.
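Before deleting anything, an incident responder usually wants to see which programs the IFEO hijack actually redirects, and to where. The Python below is an added example, not code from the original post: it parses saved `reg query "<IFEO key>" /s` output (the listing here is a constructed sample that reuses the file names from this post) and lists every image whose Debugger value is not the Windows default placeholder, together with the reg.exe command that would remove it.

```python
# Added example (not from the original post): triage IFEO "Debugger" hijacks
# from saved `reg query "<IFEO key>" /s` output instead of deleting blindly.
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Windows itself ships exactly one Debugger value under IFEO: this placeholder key.
DEFAULT_KEY = "Your Image File Name Here without a path"
DEFAULT_DEBUGGER = "ntsd -d"
# Constructed sample of `reg query ... /s` output on a machine infected as in the post.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
    Debugger    REG_SZ    C:\Program Files\meex.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger    REG_SZ    ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    GlobalFlag    REG_DWORD    0x0
"""
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")  # indented "name type data" lines

def parse_reg_query(text):
    """Map each IFEO subkey to its {value_name: data}. reg.exe prints one full
    key path per line, followed by indented value lines belonging to that key."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith(IFEO + "\\"):
            current = line[len(IFEO) + 1:].strip()
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(3).strip()
    return keys

def find_hijacks(text):
    """Return (image, debugger) pairs, skipping the stock placeholder entry.
    Any other Debugger value makes Windows run that file in place of the image."""
    hits = []
    for image, values in parse_reg_query(text).items():
        dbg = next((v for k, v in values.items() if k.lower() == "debugger"), None)
        if dbg is None or (image.lower() == DEFAULT_KEY.lower() and dbg.lower() == DEFAULT_DEBUGGER):
            continue
        hits.append((image, dbg))
    return hits

def cleanup_commands(text):
    """The reg.exe command a cleanup batch would run for each hijack found."""
    return ['reg delete "HKLM%s\\%s" /v Debugger /f' % (IFEO[len("HKEY_LOCAL_MACHINE"):], image)
            for image, _ in find_hijacks(text)]
```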
  
The code follows. The parts shown in red in the original (the dropped-file names) can be changed to match your own case (corrections welcome):
+++++++++++++++++++++++++---separator---+++++++++++++++++++++++++++
@echo off
title meex专杀
color 0a
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo                                    该病毒资料
echo.
echo    瑞星将此病毒报告为:Worm.Win32.AvKiller.az
echo    usbcleaner报告此病毒为worm.pabug.gen
echo.
echo    该病毒建立的包括的源文件如下:
echo.
echo    病毒文件全路径                                              大小(字节)
echo.
echo    C:\Program Files\meex.exe                                    36,219
echo    C:\Program Files\Common Files\Microsoft Shared\uboqsgw.inf   169
echo    C:\Program Files\Common Files\Microsoft Shared\hxljjqu.exe   36,219
echo    C:\Program Files\Common Files\System\uboqsgw.inf             169
echo    C:\Program Files\Common Files\System\tkwdmwe.exe             36,219
echo    其它所有分区:\autorun.inf                                    169
echo    其它所有分区:\ssncpst.exe                                    36,219
echo.
echo     autorun.inf/uboqsgw.inf文件里的内容
echo.
echo      [AutoRun]
echo      open=ssncpst.exe
echo      shell\open=打开(^&O)
echo      shell\open\Command=ssncpst.exe
echo      shell\open\Default=1
echo      shell\explore=资源管理器(^&X)
echo      shell\explore\Command=ssncpst.exe
echo.
echo   该病毒的后果:
echo   你的杀毒软件会无法打开,另外只要你的文件名中如果是"病毒","杀毒","瑞星"等和病毒.
echo   有关的字眼时,你这个文件打开之后会马上被关闭.网页中一搜索这些字眼也会马上关闭.
echo   可能还有其它的情况,这里就不详细说明了.
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
rem set /p tmp=以上是该病毒的信息,如果要清除该病毒,请回车键开始杀毒...
rem Kill the worm's running processes (adapt the list to the names seen on your machine)
for %%d in (hxljjqu.exe,tkwdmwe.exe,ssncpst.exe,meex.exe) do taskkill /im %%d /f
cls
rem Strip the system, hidden and read-only attributes from the dropped files, then delete them
for %%d in (meex.exe) do if exist "C:\Program Files\%%d" (
   attrib -s -h -r "C:\Program Files\%%d"
   del /q "C:\Program Files\%%d"
)
for %%d in (hxljjqu.exe,uboqsgw.inf) do if exist "C:\Program Files\Common Files\Microsoft Shared\%%d" (
   attrib -s -h -r "C:\Program Files\Common Files\Microsoft Shared\%%d"
   del /q "C:\Program Files\Common Files\Microsoft Shared\%%d"
)
for %%d in (tkwdmwe.exe,uboqsgw.inf) do if exist "C:\Program Files\Common Files\System\%%d" (
   attrib -s -h -r "C:\Program Files\Common Files\System\%%d"
   del /q "C:\Program Files\Common Files\System\%%d"
)
rem The copies dropped at the root of every drive (a plain "for" over the drive letters; "for /D" is only for directory wildcards)
for %%f in (autorun.inf,ssncpst.exe,uboqsgw.inf) do (
   for %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist "%%d:\%%f" (
     attrib -s -h -r "%%d:\%%f"
     del /q "%%d:\%%f"
   )
)
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo   病毒文件消除完成,请回车键开始修复注册表...
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
set /p tmp=
rem Restore the registry entries the worm deleted (reg.exe needs backslashes in key paths)
reg add "HKLM\SYSTEM\ControlSet003\Services\kmixer\Enum" /v 0 /d "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}" /f
reg add "HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum" /v 0 /d "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum" /v 0 /d "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}" /f
rem Restore the Safe Mode entries for the disk-drive class so the machine can boot into Safe Mode again
reg add "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
cls

rem Re-enable Task Manager
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f
rem Re-enable Windows Update
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate" /v DisableWindowsUpdateAccess /f
rem Restore the "Show hidden files and folders" option the worm removed from Folder Options
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN" /v Text /d "@shell32.dll,-30501" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t reg_dword /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v DefaultValue /t reg_dword /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v HelpID /d "shell.hlp#51105" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v HKeyRoot /t reg_dword /d 2147483649 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v RegPath /d "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v Text /d "@shell32.dll,-30500" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v Type /d "radio" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v ValueName /d "Hidden" /f
rem Explorer's per-user settings are REG_DWORD; without /t, reg.exe would write REG_SZ strings that Explorer ignores
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t reg_dword /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t reg_dword /d 1 /f
rem Remove the startup entries the worm added
for %%f in (uboqsgw,ssncpst) do reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v %%f /f
rem Remove the Image File Execution Options hijacks (Debugger values) the worm added
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo       正在清除由病毒添加的注册表项,请稍候...
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
if exist test.meex专杀 del test.meex专杀
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | findstr /b /i "HKEY_" >test.meex专杀
rem Each remaining line is a full key path. Skip the parent key itself; errors for subkeys that have no Debugger value are silenced
for /f "tokens=* delims=" %%j in (test.meex专杀) do (
    if /i not "%%~nxj"=="Image File Execution Options" reg delete "%%j" /v Debugger /f >nul 2>&1
)
if exist test.meex专杀 del test.meex专杀
rem Put back the placeholder entry Windows ships with, since the loop above removed its Debugger value too
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path" /v Debugger /d "ntsd -d" /f
cls
color a0
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo       病毒清除完毕,按回车键开始解决分区无法双击打开的问题.
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
set /p test=
cls
title 解决分区无法打开
color a0
rem Delete the autorun.inf that breaks double-clicking the drive (grant Everyone full control first, in case the worm locked its ACL)
for %%i in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist "%%i:\autorun.inf" (
   cacls "%%i:\autorun.inf" /c /e /p everyone:f
   attrib -s -h -r "%%i:\autorun.inf"
   del /q "%%i:\autorun.inf"
)
rem Check every drive except C: to restore double-click opening (/x forces the volume to dismount first, invalidating any open handles to it)
for %%i in (d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%i:\ chkdsk %%i: /f /x
cls
color ec
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo                 操作结束,按回车键退出该程序...
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
set /p temp=
:exit
exit

+++++++++++++++++++++++++---separator---+++++++++++++++++++++++++++
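The autorun.inf quoted in the script's banner is what turns a double-click on the drive into execution of ssncpst.exe. As an added example that is not part of the original post, the Python below parses an autorun.inf and lists every [AutoRun] entry that starts a program; the worm's file is the one quoted above, and the benign icon-only file is constructed for contrast.

```python
# Added example (not from the original post): list what an autorun.inf would
# execute, so a file found at a drive root can be judged before it is run.
import re

# The autorun.inf quoted in the post (the .inf the worm drops on every drive).
WORM_INF = """[AutoRun]
open=ssncpst.exe
shell\\open=打开(&O)
shell\\open\\Command=ssncpst.exe
shell\\open\\Default=1
shell\\explore=资源管理器(&X)
shell\\explore\\Command=ssncpst.exe
"""
# Constructed benign example: only sets a drive icon and label, runs nothing.
ICON_INF = """[autorun]
icon=backup.ico
label=Backup Drive
"""
# [AutoRun] keys that make Explorer/AutoPlay start a program: open=, shellexecute=,
# and the command of any custom right-click verb (shell\<verb>\command=).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}, sections and keys lower-cased.
    Comment (; or #) and blank lines are ignored; the first '=' splits key/value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launched_programs(text):
    """Return [(key, program)] for every [AutoRun] entry that runs something;
    an empty list means the file only customises the icon, label or verb names."""
    auto = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in auto.items() if LAUNCH_KEY.match(k)]

def verbs_bound_to(text, program):
    """Right-click verbs whose command is `program` (the worm binds both Open and Explore)."""
    auto = parse_autorun(text).get("autorun", {})
    return [k.split("\\")[1] for k, v in auto.items()
            if k.startswith("shell\\") and k.endswith("\\command") and v.lower() == program.lower()]
```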