
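' Removal helper for the amvo / avpo / n1detect autorun malware family.
' This part declares the shared objects, then collects the executable names
' that autorun.inf references on every ready drive.

' NOTE(review): with On Error Resume Next every failing step below is skipped
' silently, so a run that removed nothing looks the same as a successful one.
On Error Resume Next

Dim objShell, objFileSystem, objTextStream, objRegex
Dim colRegexMatches1, colRegexMatches2
Dim nReturnCode
Dim strIpFileText
Dim element, i

' File-name patterns that are swept from the root of every drive at the end
' of the script.
Dim Lista
Lista = Array("n1de?ect.com", "nide?ect.com", "nlde?ect.com", "j*.bat", "m*.com", "d*.com", "copy.exe", "host.exe", _
              "a0*.com", "ntdeiect.com", "ntdelect.com", "u?de*.com", "ntde1ect.com", "x*.com", "tio*.*", _
              "80*.com", "semo*.exe", "autorun*.*", "x*.exe", "yl*.exe", "qd*.cmd")

' Two shell and two FileSystemObject handles are created; the later parts of
' the script refer to all four names, so they are all kept.
Set geekside = WScript.CreateObject("WScript.Shell")
Set objShell = WScript.CreateObject("WScript.Shell")
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set colDrives = objFSO.Drives

WScript.Echo "Software provided by MyGeekSide.com to remove malicious software amvo, avpo, n1detect y variants"
WScript.Echo "Proccess of search and removing can take some seconds. Please be patient."

i = 0
strIpFileText = ""
For Each objDrive In colDrives
    If objDrive.IsReady = True Then
        strAutorunPath = objDrive.DriveLetter & ":\autorun.inf"
        ' Only touch drives that actually carry an autorun.inf.
        If objFileSystem.FileExists(strAutorunPath) Then
            ' Clear system/hidden/read-only so the file can be read and later deleted.
            nret = geekside.Run("cmd /C attrib -s -h -r " & strAutorunPath, 0, True)
            Set objTextStream = objFileSystem.OpenTextFile(strAutorunPath, 1)
            ' Accumulate instead of overwrite: the original kept only the text
            ' of the last drive that was read.
            If Not objTextStream.AtEndOfStream Then
                strIpFileText = strIpFileText & objTextStream.ReadAll & vbCrLf
            End If
            objTextStream.Close
        End If
    End If
Next

' Extract "=name.ext" targets. autorun.inf is written by the malware, so its
' content is untrusted: the dot is escaped so that it matches a literal "."
' only (the original "." matched any character, which let one arbitrary
' character into a name that is later placed on a cmd.exe command line).
Set objRegex = New RegExp
objRegex.Pattern = "=\w+\.(com|bat|exe|pif|scr|svd|dat|tmp|cmd)"
objRegex.Global = True
objRegex.IgnoreCase = True
Set colRegexMatches1 = objRegex.Execute(strIpFileText)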

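' For every executable name found in autorun.inf: stop the known malware
' processes, then delete that file and autorun.inf from the root of each
' ready drive.

' The names come from a file the malware controls, so anything that is not a
' plain file name is refused before it is placed on a cmd.exe command line.
Set objSafeName = New RegExp
objSafeName.Pattern = "^[\w.\-]+$"

i = 0
For Each element In colRegexMatches1
    strName = Replace(element.Value, "=", "")
    If objSafeName.Test(strName) Then
        WScript.Echo "Proceeding to remove file of virus :" & strName
        For Each objDrive In colDrives
            If objDrive.IsReady = True Then
                WScript.Echo "Clean drive: " & objDrive.DriveLetter

                ' Kill the running copies first; a running image cannot be deleted.
                nret = geekside.Run("cmd /C taskkill /f /im amvo.exe", 0, True)
                nret = geekside.Run("cmd /C taskkill /f /im avpo.exe", 0, True)
                nret = geekside.Run("cmd /C taskkill /f /im semo2x.exe.tmp", 0, True)
                nret = geekside.Run("cmd /C taskkill /f /im semo2x.exe", 0, True)
                nret = geekside.Run("cmd /C taskkill /f /im help.exe.tmp", 0, True)

                ' Quote the path and put a space before the switches (the
                ' original glued "/f /q /a" straight onto the file name).
                strTarget = objDrive.DriveLetter & ":\" & strName
                nret = geekside.Run("cmd /C attrib -s -h -r """ & strTarget & """", 0, True)
                nret = geekside.Run("cmd /C cd \ & del """ & strTarget & """ /f /q /a", 0, True)
                nret = geekside.Run("cmd /C cd \ & del " & objDrive.DriveLetter & ":\autorun.inf", 0, True)
            End If
        Next
    Else
        WScript.Echo "Skipping unexpected name in autorun.inf: " & strName
    End If
    i = i + 1
Next

Set objSafeName = Nothing
Set objRegex = Nothing
Set objTextStream = Nothing
Set objFileSystem = Nothing
Set objShell = Nothing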

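' Remove the malware's copies from system32 and its autostart entries.
' The statements were interleaved and split by the page extraction; they are
' restored here one command per line.
' NOTE(review): the wildcards delete every system32 file whose name starts
' with amvo, avpo or semo, and the return codes are never checked. Listing
' the matches before deleting would make the run auditable.

' Clear system/hidden/read-only so that del can remove the files.
nret15 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\amvo*.*", 0, True)
nret16 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\avpo*.*", 0, True)
nret20 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\help.exe.tmp", 0, True)
nret56 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\semo*.*", 0, True)
nret60 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\semo*.*.*", 0, True)

nret23 = geekside.Run("cmd /C del /f c:\windows\system32\amvo*.*", 0, True)
nret24 = geekside.Run("cmd /C del /f c:\windows\system32\avpo*.*", 0, True)
nret57 = geekside.Run("cmd /C del /f c:\windows\system32\semo*.*.*", 0, True)
nret59 = geekside.Run("cmd /C del /f c:\windows\system32\semo*.*", 0, True)

WScript.Echo "Proceeding to restore registry to see Hidden Files"

' Drop the per-user Run values (autostart at logon) named amva and avpo.
nret31 = geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v amva /f", 0, True)
nret32 = geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v avpo /f", 0, True)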

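' Remove one more per-user Run value (avpa), then force Explorer's
' hidden-file settings on for the current user and machine-wide.
' The statements were interleaved and split by the page extraction; they are
' restored here one command per line.
nret68 = geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v avpa /f", 0, True)

' Hidden=1 and ShowSuperHidden=1 make Explorer display hidden and protected
' operating-system files.
' NOTE(review): these values are left set after the cleanup; a user who wants
' system files hidden again has to revert them in Folder Options.
nret33 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Hidden /t REG_DWORD /d 1 /f", 0, True)
nret43 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v SuperHidden /t REG_DWORD /d 1 /f", 0, True)
nret44 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v ShowSuperHidden /t REG_DWORD /d 1 /f", 0, True)

' Same three values under HKEY_LOCAL_MACHINE; writing there needs an
' elevated process, and a failure is not reported (return codes are ignored).
nret45 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Hidden /t REG_DWORD /d 1 /f", 0, True)
nret46 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v SuperHidden /t REG_DWORD /d 1 /f", 0, True)
nret47 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v ShowSuperHidden /t REG_DWORD /d 1 /f", 0, True)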

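' Rewrite the machine-wide definitions behind the Folder Options
' "hidden files" controls (Explorer\Advanced\Folder\...).
' The string literals were split by the page extraction and are rejoined here.

' "Do not show hidden files" option.
nret34 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\ /v CheckedValue /t REG_DWORD /d 2 /f", 0, True)
nret35 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\ /v DefaultValue /t REG_DWORD /d 2 /f", 0, True)

' "Show hidden files" option. CheckedValue is deleted and then re-created,
' presumably so that it ends up as REG_DWORD 1 whatever type it had before.
nret36 = geekside.Run("cmd /C reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\ /v CheckedValue /f", 0, True)
nret37 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\ /v CheckedValue /t REG_DWORD /d 1 /f", 0, True)
nret38 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\ /v DefaultValue /t REG_DWORD /d 2 /f", 0, True)

' "Hide protected operating system files" option.
nret39 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\ /v CheckedValue /t REG_DWORD /d 0 /f", 0, True)
nret40 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\ /v DefaultValue /t REG_DWORD /d 0 /f", 0, True)

' Type of the "Hidden" entry in the Folder Options list.
nret48 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ /v Type /t REG_SZ /d Group /f", 0, True)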

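' Clear the policy values that hide Folder Options and block the registry
' editor. The three statements were interleaved and split by the page
' extraction; they are restored here one command per line.

' NoFolderOptions = 0 for the current user and machine-wide.
nret61 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoFolderOptions /t REG_DWORD /d 0 /f", 0, True)
nret62 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoFolderOptions /t REG_DWORD /d 0 /f", 0, True)

' DisableRegistryTools = 0 for the current user.
' NOTE(review): on a managed machine these values may be set on purpose by
' group policy; overwriting them here changes that configuration until the
' policy is applied again.
nret63 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableRegistryTools /t REG_DWORD /d 0 /f", 0, True)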

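' Restart Explorer, repeat the system32 cleanup, sweep the known file-name
' patterns from the root of every ready drive, then report and exit.
' The string literals were split by the page extraction and are rejoined here.

' Explorer is stopped and started again; the system32 pass that follows
' repeats the earlier one.
nret78 = geekside.Run("cmd /C taskkill /f /im explorer.exe", 0, True)
nret79 = geekside.Run("cmd /C start explorer.exe", 0, True)

nret15 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\amvo*.*", 0, True)
nret16 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\avpo*.*", 0, True)
nret20 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\help.exe.tmp", 0, True)
nret56 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\semo*.*.*", 0, True)
nret60 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\semo*.*", 0, True)

nret23 = geekside.Run("cmd /C del /f c:\windows\system32\amvo*.*", 0, True)
nret24 = geekside.Run("cmd /C del /f c:\windows\system32\avpo*.*", 0, True)
nret57 = geekside.Run("cmd /C del /f c:\windows\system32\semo*.*.*", 0, True)
nret59 = geekside.Run("cmd /C del /f c:\windows\system32\semo*.*", 0, True)

' NOTE(review): several Lista patterns are broad ("x*.exe", "m*.com",
' "j*.bat", "tio*.*", "autorun*.*") and are applied to the root of every
' ready drive, including the system drive, so unrelated files with matching
' names are deleted as well. Review the list before running it.
For Each objDrive In colDrives
    If objDrive.IsReady = True Then
        For X = 0 To UBound(Lista)
            ' Quote the path and put a space before the switches (the
            ' original glued "/f /q /a" straight onto the pattern).
            strTarget = objDrive.DriveLetter & ":\" & Lista(X)
            nret = geekside.Run("cmd /C attrib -s -h -r """ & strTarget & """", 0, True)
            nret = geekside.Run("cmd /C cd \ & del """ & strTarget & """ /f /q /a", 0, True)
        Next
    End If
Next

' NOTE(review): this message is printed unconditionally; no return code above
' is inspected, so it does not confirm that anything was removed.
WScript.Echo "Congratulations! Your computer is disinfected of amvo virus and variants"
WScript.Echo "www.mygeekside.com"
WScript.Quit(0)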
