转载自:http://bbs.wuyou.net/forum.php?mod=viewthread&tid=419497&extra=page%3D4

WINXP-WIN10都可以

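@echo off
:: Ransomware hardening helper: prints a status report (local IPv4 address,
:: state of ports 135/137/138/139/445/3389, configured RDP port) followed by
:: general protection advice, then falls through to the menu below.
:: by edison_zhu 20200320
title 勒索病毒仿护1.0
color 0a
:: Elevation probe: cacls on the SYSTEM hive only succeeds for an administrator.
:: The report below works without elevation, but the net/netsh/sc/reg commands
:: behind the menu do not, so warn instead of failing silently later.
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
if errorlevel 1 echo 警告:当前未以管理员身份运行,菜单中的修改操作将会失败。
:: Delayed expansion is not used anywhere in the visible script, and leaving it
:: on makes cmd swallow the "!" characters in the echo messages.
setlocal enableextensions disabledelayedexpansion
echo.
echo 今天是:%date%  现在是: %time%
echo.
:: Take the text after the colon of the "IPv4" line instead of a fixed token
:: position, which depends on how many dots the localized label contains.
:: The inner loop trims the leading blank. With several adapters the last wins.
set "ip="
for /f "tokens=2 delims=:" %%i in ('ipconfig ^| find /i "ipv4"') do (
  for /f "tokens=*" %%j in ("%%i") do set "ip=%%j"
)
echo 本机IP地址为:%ip%
echo.
set o=端口开启
set n=端口关闭
:: Match the port only in the local-address column of a TCP/UDP line.
:: A bare "findstr 135" also hits remote addresses, IP octets and longer
:: port numbers such as 51350, reporting a closed port as open.
for %%p in (135 137 138 139 445) do (
  netstat -an | findstr /r /c:"^ *[TU][CD]P  *[^ ]*:%%p " >nul 2>nul && echo %%p%o% || echo %%p%n%
)
netstat -an | findstr /r /c:"^ *[TU][CD]P  *[^ ]*:3389 " >nul 2>nul && echo 3389%o% || echo 3389%n%或已修改
echo.
echo.
echo.
:: Read the configured RDP listener port. reg prints the DWORD as hex (0x...),
:: set /a converts it to decimal. If the value cannot be read, show it as empty
:: rather than letting set /a fail on a missing operand.
set "str=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
set "PortNum="
for /f "tokens=3" %%i in ('reg query "%str%" /v PortNumber 2^>nul') do set "PortNum=%%i"
set "n="
if defined PortNum set /a n=%PortNum%
echo 当前远程桌面端口为:%n%
echo.
echo.
echo ----------------------------------------------------------------------------------------------------------------
echo 勒索防护建议:
echo 1.禁用弱口令!
echo 2.关闭系统默认共享,尽量避免使用局域网共享。
echo 3.重要资料的共享文件夹应设置访问权限控制,并进行定期备份。
echo 4.定期检测系统和软件中的安全漏洞,及时打上补丁。
echo 5.安装杀毒软件并升级到最新。
echo ----------------------------------------------------------------------------------------------------------------
echo.
echo.
pause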


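:start
:: Main menu. Reads one choice and jumps to the matching section:
::   1 -> yjgb (close sharing ports)   2 -> yjkf (re-open sharing ports)
::   3 -> yjxg (change RDP port)       4 -> yjsc (delete infected files)
:: Any other input redraws the menu.
cls
echo.
echo.
echo.
echo.
echo                       下一步需要如何操作
echo.
echo                       1.一键关闭共享端口 
echo.
echo.                      2.一键开放共享端口
echo.
echo.                      3.修改远程桌面端口
echo.
echo.                      4.一键删除被感染的文件(devos类/ipk.dll)
echo.
echo.
:: Pre-load a dummy value so that pressing Enter alone redraws the menu.
set "ST=s"
set /p "ST=             选择后按回车键:"
:: Drop any double quotes from the answer so the quoted comparisons below
:: cannot be broken open. Unquoted, input containing a space was a syntax
:: error and input containing "&" ran as a command in this elevated session.
set "ST=%ST:"=%"
:: NOTE(review): choice 0 is not shown in the menu and no "stat" label is
:: defined in the visible part of this file, so this jump would abort the
:: script. Confirm whether it is a leftover.
if "%ST%"=="0" (
  set ok=0
  goto stat
)
if "%ST%"=="1" goto yjgb
if "%ST%"=="2" goto yjkf
if "%ST%"=="3" goto yjxg
if "%ST%"=="4" goto yjsc
goto start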


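:yjgb
:: Menu option 1: close the Windows sharing/RPC ports (135, 137, 138, 139, 445).
:: Three layers are applied: an IPsec block policy, inbound firewall block
:: rules, and disabling the Server (LanmanServer) service.
:: Side effect: file/printer sharing and remote administration that depend on
:: SMB/RPC stop working on this host until option 2 is run.
cls
:: Remove the default administrative shares.
net share C$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share admin$ /delete
echo.
echo                                         准备关闭135 137 138 139 445 端口
echo.

:: Rebuild the IPsec policy from scratch. The filter list is deleted together
:: with the policy so that running this option again does not try to add the
:: same filters to a list left over from the previous run.
netsh ipsec static delete policy name = SECCPP
netsh ipsec static delete  filterlist name = SECCPF
netsh ipsec static add policy name = SECCPP description=安全策略20200320
netsh ipsec static add filteraction name = Block action = block
netsh ipsec static add filterlist name = SECCPF
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 135 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 137 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 138 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 139 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 445 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 137 protocol = UDP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 138 protocol = UDP
netsh ipsec static add rule name=SECCPR policy=SECCPP filterlist=SECCPF filteraction=Block
netsh ipsec static set policy name = SECCPP assign = y

:: Inbound firewall block rules, one TCP and one UDP rule per port.
:: Each rule is deleted before it is added, so repeated runs leave exactly one
:: rule per name instead of stacking duplicates.
echo. 
for %%p in (135 137 138 139 445) do (
  echo. 
  echo 正在关闭%%p端口 请稍候… 
  netsh advfirewall firewall delete  rule name = "Disable port %%p - TCP" dir = in >nul 2>&1
  netsh advfirewall firewall add rule name = "Disable port %%p - TCP" dir = in action = block protocol = TCP localport = %%p
  echo. 
  netsh advfirewall firewall delete  rule name = "Disable port %%p - UDP" dir = in >nul 2>&1
  netsh advfirewall firewall add rule name = "Disable port %%p - UDP" dir = in action = block protocol = UDP localport = %%p
)
echo.
echo.
:: Stop and disable the Server service. /y answers the confirmation prompt
:: that net stop shows when dependent services are running, so the script
:: does not hang waiting for input.
net stop LanmanServer /y
sc config LanmanServer start= disabled
echo 共享服务与端口均已关闭!!
pause >nul
goto start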


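:yjkf
:: Menu option 2: undo option 1. Removes the IPsec policy and the inbound
:: firewall block rules for ports 135/137/138/139/445, then re-enables and
:: starts the Server (LanmanServer) service.
:: This exposes SMB/RPC on the host again; only use it where sharing is needed
:: and the network is trusted.
cls
echo 正在停用并删除组策略
:: Unassign first, then delete the policy (which holds rule SECCPR) before the
:: filter list, so the list is no longer referenced when it is removed.
netsh ipsec static set policy name = SECCPP assign = n
netsh ipsec static delete policy name = SECCPP
netsh ipsec static delete  filterlist name = SECCPF

echo 开启共享
echo. 
for %%p in (135 137 138 139 445) do (
  echo. 
  echo 正在开启%%p端口 请稍候… 
  netsh advfirewall firewall delete  rule name = "Disable port %%p - TCP" dir = in 
  echo. 
  netsh advfirewall firewall delete  rule name = "Disable port %%p - UDP" dir = in 
)

:: Re-enable the sharing service. The start type has to be restored before
:: net start: a service that is still "disabled" cannot be started.
sc config LanmanServer start= auto
net start LanmanServer

echo 共享服务与端口均已开启!!
pause >nul
goto start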

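:yjxg
:: Menu option 3: change the Remote Desktop listening port.
:: Prompts for a port, validates it, adds an inbound firewall allow rule and
:: writes the new PortNumber to the registry. Takes effect after a reboot.
:: Moving the port only reduces noise from scanners aimed at 3389. It does not
:: replace strong passwords or restricting who may reach the service.
cls
echo.
echo 修改远程桌面3389端口(支持Win2003-Win10 ) 来自52pojie.
echo 自动添加防火墙规则
echo.
echo.
:: Clear any value left from an earlier visit, otherwise pressing Enter would
:: silently reuse the previous port.
set "c="
set /p "c= 请输入新的端口:"
:: Blank input cancels. No "end" label is defined in the visible part of this
:: file, so return to the menu instead of jumping to it.
if not defined c goto start
:: The value is passed to netsh and reg add in an elevated session, so accept
:: only a plain decimal port number in the range 1-65535.
set "c=%c:"=%"
if not defined c goto yjxg_bad
:: Any character that is not a digit produces a token and triggers the jump.
for /f "delims=0123456789" %%x in ("%c%") do goto yjxg_bad
:: No leading zero (would be read as octal, and excludes 0), at most 5 digits.
if "%c:~0,1%"=="0" goto yjxg_bad
if not "%c:~5%"=="" goto yjxg_bad
if %c% gtr 65535 goto yjxg_bad
goto edit

:yjxg_bad
echo 端口无效:请输入 1-65535 之间的数字。
pause >nul
goto yjxg

:edit
:: One inbound TCP allow rule for the new port.
:: NOTE(review): rules added for ports chosen on earlier runs are not removed
:: here. Review and delete stale "Remote PortNumber" rules after the reboot.
netsh advfirewall firewall add rule name="Remote PortNumber" dir=in action=allow protocol=TCP localport="%c%"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v "PortNumber" /t REG_DWORD /d "%c%" /f
:: RDP-Tcp\PortNumber is the value the status report reads back. Only report
:: success if this write succeeded.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d "%c%" /f || goto yjxg_fail
echo                      修改成功
echo                   重启电脑后生效
pause >nul
goto start

:yjxg_fail
echo 修改失败,请确认已以管理员身份运行。
pause >nul
goto start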

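:yjsc
:: Menu option 4: delete files left by a "devos" infection (*.devos and
:: ipk.dll) on drives C: to J:, then reboot.
:: The deletion is irreversible. *.devos files are the encrypted copies of
:: user data, so anything without a backup is lost for good and nothing is
:: kept for later recovery attempts or investigation. Copy the disk or the
:: affected files elsewhere first if either may be needed.
cls
echo.
echo 注意!!此操作会删除病毒感染后扩展名为devos文件。如你中的是其它类形的病毒,请自行修改。
echo 注意!!为避免病毒继续扩散,删除文件过程中,无法进行其它操作。
echo 注意!!删除结束后,系统会强制重启。
echo 如确认,请按任意键继续。否则请关闭。
pause >nul
:: Remove the default administrative shares.
net share C$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share admin$ /delete

:: Force-terminate key processes.
:: NOTE(review): taskkill by image name cannot tell a malicious process from
:: the genuine system binary. Force-killing every svchost.exe and spoolsv.exe
:: also stops core Windows services and may make the system restart before the
:: delete loop below has finished. Confirm this is intended.
taskkill /f /im explorer.exe
taskkill /f /im spoolsv.exe
taskkill /f /im svchost.exe
taskkill /f /im tasksche.exe
:: Delete the infected files.
echo.
echo 正在删除被感染的文件...
:: The patterns are passed straight to del. Listing "*.devos" as a plain FOR
:: item makes cmd expand it against the current directory, so the wildcard
:: never reached del and nothing matching it was removed from the drives.
for %%a in (c d e f g h i j) do (
  if exist "%%a:\" (
    del /s /f /q /a "%%a:\*.devos"
    del /s /f /q /a "%%a:\ipk.dll"
  )
)
echo 请在系统配置中将所有启动项/加载类全部关闭!!
start msconfig.exe
cls
echo   任意键将重启。如果无法完成重启,请手动强制。
pause >nul
shutdown -r -t 0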