[vbs] Remove MSN NetZeek

Started by Erik#, 6 February 2009, 22:47 PM


Erik#

Well, the anti netzeek is unavailable (the one el-brujo (alex) offered), so I decided to create my own. I haven't tested it, but tell me whether it is logically right or wrong. (I know the variable whs should be wsh xD.)

Code (vb):
' RegDelete and DeleteFile raise a runtime error when the value or file is
' missing; without this the script stops at the first absent item.
On Error Resume Next
Set whs = createobject("WScript.shell")
Set fso = createobject("scripting.filesystemobject")
' Ask for the system drive; the paths below expect a trailing backslash (C:\)
unidad = inputbox("Cual es tu principal unidad de disco duro" & vbNewLine & "Por ejemplo: C:\, D:\, E:\...","Seleccione su unidad","")
' Remove the autostart values and the files they point to
whs.regdelete("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update")
fso.deletefile unidad & "Windows\csrss.exe"
whs.regdelete ("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows")
whs.regdelete ("HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\System")
whs.regdelete ("HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Update")
fso.deletefile unidad & "Windows\services.exe"
fso.deletefile unidad & "WINDOWS\system32\Drivers\lsass.exe"
fso.deletefile unidad & "WINDOWS\system32\Drivers\smss.exe"
whs.regdelete ("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Run Service")
whs.regdelete ("HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Run")
fso.deletefile unidad & "Windows\winlogon.exe"
fso.deletefile unidad & "Windows\system32\drivers\spoolsv.exe"
whs.regdelete ("HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\CTFMON")
fso.deletefile unidad & "Windows\system32\drivers\ctfmon.exe"

Novlucker

The anti netzeek can still be found anyway, and that is why, looking at your code, it is clear you are still missing several things :P

Code (vb):
' Script to remove netzeek MSN worm/trojan. 29.10.2008
' Written by Kye of the SA-MP team - team@sa-mp.com
'

Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."
intFoundVirus = 0

' Get the Windows folder locations
Dim objFSO, strWindowsFolder, x
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

strWindowsFolder = objFSO.GetSpecialFolder(0)
strSystemFolder = objFSO.GetSpecialFolder(1)

Dim arrVirusFiles(7)

arrVirusFiles(0) = strWindowsFolder & "\csrss.exe"
arrVirusFiles(1) = strWindowsFolder & "\services.exe"
arrVirusFiles(2) = strWindowsFolder & "\winlogon.exe"
arrVirusFiles(3) = strSystemFolder & "\drivers\lsass.exe"
arrVirusFiles(4) = strSystemFolder & "\drivers\smss.exe"
arrVirusFiles(5) = strSystemFolder & "\drivers\spoolsv.exe"
arrVirusFiles(6) = strSystemFolder & "\drivers\ctfmon.exe"
arrVirusFiles(7) = strWindowsFolder & "\ctfmon.exe"

' Go ahead and kill those processes if we find them

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery("select * from win32_process")

For Each objProcess in colProcesses

    ' check if this process is a baddy
    If Len(objProcess.ExecutablePath) > 0 Then
        x = 0
        While(x <= UBound(arrVirusFiles))
            'Wscript.Echo "Comparing: " & objProcess.ExecutablePath & ":" & arrVirusFiles(x)
            If (StrComp(objProcess.ExecutablePath, arrVirusFiles(x), vbTextCompare) = 0) Then
                objProcess.Terminate
                'Wscript.Echo "I killed " & objProcess.ExecutablePath
                intFoundVirus = 1
            End If
            x = x + 1
        Wend
    End If

Next

' Now remove those registry keys
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

oReg.DeleteValue HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\Run", "Windows Update"
oReg.DeleteValue HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\Run", "Windows"
oReg.DeleteValue HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\Run", "Windows Run Service"
oReg.DeleteValue HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\RunOnce", "System"
oReg.DeleteValue HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\RunOnce", "System Update"
oReg.DeleteValue HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\RunOnce", "System Run"
oReg.DeleteValue HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\RunOnce", "CTFMON"
oReg.DeleteValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run", "Windows Update"
oReg.DeleteValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run", "Windows"
oReg.DeleteValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run", "Windows Run Service"
oReg.DeleteValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\RunOnce", "System"
oReg.DeleteValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\RunOnce", "System Update"
oReg.DeleteValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\RunOnce", "System Run"
oReg.DeleteValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\RunOnce", "CTFMON"

' Now delete the virus files
x = 0
' <= so the last entry, arrVirusFiles(7), is also checked and deleted
While(x <= UBound(arrVirusFiles))
    If objFSO.FileExists(arrVirusFiles(x)) Then
        objFSO.DeleteFile(arrVirusFiles(x))
        'Wscript.Echo "I deleted " & arrVirusFiles(x)
    End If
    x = x + 1
Wend

If intFoundVirus = 1 Then
    Wscript.Echo "Netzeek MSN virus is deleted." & vbCrlf & "Restart your computer."
Else
    Wscript.Echo "Netzeek virus not found. Nothing was done."
End if


Regarding your code, replace ...
Code (vb):
unidad = inputbox("Cual es tu principal unidad de disco duro" & vbNewLine & "Por ejemplo: C:\, D:\, E:\...","Seleccione su unidad","")
With :P ...
Code (vb):
' %SystemDrive% expands to the drive letter and colon only (e.g. C:), so the
' backslash the later paths rely on is appended here
unidad = whs.ExpandEnvironmentStrings("%SystemDrive%") & "\"

Regards  ;)
Help keep the forum clean: report the "lost causes" to a MOD XD

"Two things are infinite: the Universe and human stupidity. And I'm not so sure about the first one."
Albert Einstein
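
The file list in the removal script above pairs Windows system process names with folders where those binaries do not normally live (the Windows root and system32\drivers). The same idea as a general check, written as an added example that is not part of the thread: flag any process whose image name is one of those system names but whose directory is not System32. The process listing is constructed sample data, and the default `C:\Windows` root and the System32-only rule are assumptions about a standard install.

```python
import ntpath  # Windows path rules, usable on any OS

# System process names taken from the removal script's file list.
SYSTEM_NAMES = {"csrss.exe", "services.exe", "winlogon.exe", "lsass.exe",
                "smss.exe", "spoolsv.exe", "ctfmon.exe"}


def find_masquerading(processes, system_root=r"C:\Windows"):
    """Return (pid, path) pairs that use a system name outside System32.

    processes: iterable of (pid, executable_path); path may be None,
    as WMI reports no ExecutablePath for some processes.
    """
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    hits = []
    for pid, path in processes:
        if not path:
            continue
        # normpath collapses "..", normcase makes the comparison
        # case-insensitive, matching how Windows resolves paths.
        norm = ntpath.normcase(ntpath.normpath(path))
        directory, name = ntpath.split(norm)
        if name in SYSTEM_NAMES and directory != expected_dir:
            hits.append((pid, path))
    return hits


# Constructed sample process listing (not real telemetry).
SAMPLE = [
    (4, None),
    (612, r"C:\Windows\System32\csrss.exe"),
    (700, r"C:\WINDOWS\system32\lsass.exe"),
    (1880, r"C:\Windows\csrss.exe"),
    (1932, r"C:\WINDOWS\system32\drivers\smss.exe"),
    (2040, r"C:\Windows\System32\..\services.exe"),
    (2210, r"C:\Program Files\App\app.exe"),
]

if __name__ == "__main__":
    for pid, path in find_masquerading(SAMPLE):
        print(f"suspicious: pid={pid} path={path}")
```
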