清除全盘挂马代码VBS脚本
有的时候中毒后,所有的网页程序都会被感染,上午花了些时间写了个清除挂马代码的脚本。
主要功能:清除挂马代码,清除前会备份文件。自动遍历整个硬盘的文件,发现为网页文件即查找代码并清除。同时会在E盘下生成日志文件E:\logs.txt。
效果图如下:
使用方法:
将以下代码保存为VBS文件,然后打开命令行,切换到当前VBS路径下,运行cscript VBS文件名即可。
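' Script-level setup and the per-drive scan loop.
'
' Scope of this tool: it removes one known injected tag from web files. It does
' not address how the files were modified in the first place, so the write
' path the attacker used still has to be found and closed separately.

' Best-effort mode for the script-level code below: a run-time error that a
' procedure does not handle itself unwinds to this level, and execution then
' resumes at the statement after the failing call (i.e. with the next drive).
On Error Resume Next

' The exact injected tag to remove. CheckCode tests for it with InStr and no
' compare argument, i.e. a literal, case-sensitive substring match, so a
' variant that differs in case, quoting, spacing or host is not detected.
ScriptString="<script language=javascript src=http://www.haofbi.com/js/w.js></script>;"

' File-name suffixes that are treated as web files (".php" was listed twice
' in the original list; the duplicate only caused a second pass per file).
MyString=".asp|.html|.htm|.aspx|.php|.jsp"
MyArray = Split(MyString, "|", -1, 1)

' NOTE: br is not assigned anywhere in this listing, so (br) evaluates to
' Empty and adds nothing to the printed text.
Wscript.echo (br) & "恶意代码:" & ScriptString & vbCrLf & vbCrLf

Set fso = createObject("Scripting.FileSystemObject")
Set ds=fso.Drives
For Each d in ds
    ' A drive that is not ready (empty optical drive, disconnected share)
    ' has no root folder to open, so skip it instead of raising in Scan.
    If d.IsReady Then
        Wscript.echo (br) & " 扫描盘符:" & d.DriveLetter & (br)
        Scan(d.DriveLetter & ":\")
    End If
Next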
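' Recursively walks one folder. Every file whose name ends in one of the
' suffixes in MyArray is read, tested for ScriptString with CheckCode and, on
' a hit, handed to ClearCode; afterwards each subfolder is scanned the same way.
'
' filesder - path of the folder to scan.
'
' Errors are handled per item: an unreadable folder or a locked file is
' reported and skipped. Without a handler in this procedure such an error
' would unwind to the script level and end the scan of the whole drive.
Sub Scan(filesder)
    Dim folderObj, fileItem, subItem
    Dim filePath, lowerName, suffix, isWebFile, content, hit

    On Error Resume Next

    Set folderObj = fso.GetFolder(filesder)
    If Err.Number <> 0 Then
        Wscript.echo (br) & " 无法访问目录:" & filesder & " (" & Err.Description & ")" & (br)
        Err.Clear
        Exit Sub
    End If

    For Each fileItem In folderObj.Files
        ' Under Resume Next a failed enumeration still enters the loop body
        ' once, so the error state is checked before the item is used.
        If Err.Number <> 0 Then
            Wscript.echo (br) & " 无法列出文件:" & filesder & " (" & Err.Description & ")" & (br)
            Err.Clear
            Exit For
        End If

        filePath = fileItem.Path
        Wscript.echo (br) & " 扫描文件:" & filePath & (br)
        lowerName = LCase(fileItem.Name)

        ' Compare the end of the name with each suffix at that suffix's own
        ' length; stop at the first match so a file is processed only once.
        isWebFile = False
        For Each suffix In MyArray
            If Len(suffix) > 0 And Right(lowerName, Len(suffix)) = LCase(suffix) Then
                isWebFile = True
                Exit For
            End If
        Next

        If isWebFile Then
            Wscript.echo (br) & " 正在检查 " & filePath & " 文件中的内容" & (br)

            ' Reset first: if the read fails, the assignment never happens
            ' and the previous file's text must not be reused.
            content = ""
            content = GetFileContent(filePath)
            If Err.Number <> 0 Then
                Wscript.echo (br) & " 无法读取 " & filePath & " (" & Err.Description & ")" & (br)
                Err.Clear
            Else
                ' Result goes into a variable because an error raised inside
                ' an If condition would resume inside the If body.
                hit = 0
                hit = CheckCode(filePath, content, ScriptString)
                If hit = 1 Then
                    Call ClearCode(filePath, content, ScriptString)
                    If Err.Number <> 0 Then
                        Wscript.echo (br) & " 清除 " & filePath & " 时出错 (" & Err.Description & ")" & (br)
                        Err.Clear
                    End If
                Else
                    Wscript.echo (br) & " 恭喜 " & filePath & " 文件中没有恶意代码" & (br)
                End If
            End If
        End If

        ' Leave no stale error behind for the check at the top of the loop.
        Err.Clear
    Next

    ' Scan subfolders
    For Each subItem In folderObj.SubFolders
        If Err.Number <> 0 Then
            Wscript.echo (br) & " 无法列出子目录:" & filesder & " (" & Err.Description & ")" & (br)
            Err.Clear
            Exit For
        End If
        Scan subItem.Path
        Err.Clear
    Next
End Sub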
' Reads a file and returns its whole text, or "" for a zero-byte file.
'
' filename - path of the file to read.
'
' The stream is opened with OpenTextFile's defaults (for reading, ANSI text).
' NOTE(review): a page saved as UTF-16 would therefore not be decoded and the
' signature search would not match it - confirm the encodings in use.
Function GetFileContent(filename)
    Dim stream, fileInfo, text

    Set stream = fso.OpenTextFile(filename)
    Set fileInfo = fso.GetFile(filename)

    ' ReadAll is only called when there is something to read.
    text = ""
    If fileInfo.Size > 0 Then text = stream.ReadAll

    Set fileInfo = Nothing
    stream.Close
    Set stream = Nothing

    GetFileContent = text
End Function
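' Reports whether a file's text contains the injected tag.
'
' fext         - path of the file, used only in the console message.
' file_content - text of the file.
' ScriptString - the literal tag to look for.
'
' Returns 1 when the tag is present, otherwise 0. The match is InStr's default
' binary comparison: exact and case-sensitive.
Function CheckCode(fext,file_content,ScriptString)
    ' InStr reports a match for an empty search string in any non-empty text;
    ' treat an empty signature as "not found" so nothing is rewritten for it.
    If ScriptString = "" Then
        CheckCode = 0
        Exit Function
    End If

    If InStr(file_content, ScriptString) <> 0 Then
        Wscript.echo (br) & " 在 " & fext & " 发现恶意代码" & (br)
        CheckCode = 1
    Else
        CheckCode = 0
    End If
End Function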
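' Removes every occurrence of the injected tag from one file.
'
' fext         - path of the file to clean.
' wr_content   - the file's current text; on return it holds the cleaned text
'                (VBScript passes it by reference).
' ScriptString - the literal tag to remove.
'
' Order of work: back up, log, rewrite, then re-read the file to confirm the
' tag is gone. Only the tag is removed; no extra characters are appended.
'
' Backups: the copy is written next to the original as <name>.bak and replaces
' an existing .bak. It still contains the injected tag, and for server-side
' pages (.asp, .php, ...) a web server will typically return a .bak file as
' plain text, so move the backups out of the web root or delete them once the
' cleanup has been verified.
Sub ClearCode(fext,wr_content,ScriptString)
    Dim ts, written

    ' Nothing to remove: leave the file alone. Opening it for writing below
    ' truncates it, which must not happen for a file that needs no change.
    If wr_content = "" Or ScriptString = "" Then Exit Sub
    If InStr(wr_content, ScriptString) = 0 Then Exit Sub

    ' Back up the file. No error handler is active at this point on purpose:
    ' if the copy fails, the error leaves this procedure before the original
    ' is opened for writing.
    Call fso.CopyFile(fext,fext & ".bak")

    ' Write the log entry. A logging failure is reported but does not stop
    ' the cleanup of the file.
    On Error Resume Next
    Call WriteLogs(fext)
    If Err.Number <> 0 Then
        Wscript.echo (br) & fext & " 写入日志失败 (" & Err.Description & ")" & (br)
        Err.Clear
    End If
    On Error GoTo 0

    Wscript.echo (br) & " 正在清除 " & fext & " 文件中恶意代码" & (br)

    wr_content = Replace(wr_content, ScriptString, "", 1)

    ' 2 = ForWriting: the existing content is replaced by the cleaned text.
    Set ts = fso.OpenTextFile(fext,2)
    ts.Write wr_content
    ts.Close
    Set ts = Nothing

    ' Verify against what is actually on disk, not the in-memory string.
    written = GetFileContent(fext)
    If InStr(written, ScriptString) = 0 Then
        Wscript.echo (br) & " 恭喜 " & fext & " 恶意代码已经清除" & (br)
    Else
        Wscript.echo (br) & fext & " 恶意代码清除失败" & (br)
    End If

    Wscript.echo (br) & " 清除 " & fext & "文件中的恶意代码完成 " & (br)
End Sub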
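' Appends one line to the log naming a file in which the injected tag was found.
'
' fext - path of the affected file; an empty value is ignored.
'
' The log path is fixed at e:\logs.txt, so drive E: must exist and be writable.
Sub WriteLogs(fext)
    Dim logStream

    If fext = "" Then Exit Sub

    ' 8 = ForAppending. The third argument (create) is True so the log is
    ' created on first use; without it OpenTextFile raises when the file
    ' does not exist yet.
    Set logStream = fso.OpenTextFile("e:\logs.txt",8,True)
    logStream.WriteLine(fext & " 文件中发现恶意代码")
    logStream.Close
    Set logStream = Nothing

    Wscript.echo (br) & fext & " 写入日志成功" & (br)
End Sub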