Source กำจัดไวรัสด้วย VB Script 5 in 1

**jerusale** · 09-10-2007, 06:01 PM

'*************************************************************************
' รายละเอียดการฆ่า
' 1/ W32/Hakaglan.worm.gen
' 2/ BackDoor-AVW
' 3/ Keylog-Perfect
' 4/ NTRootKit-W
' 5/ W32/Bagle.ea
'*************************************************************************

Option Explicit

' SCRIPT CONFIGURATION
Dim WshShell, DocDir, TmpDir, WinDir, SysDir
Dim strComp, strLogs, arrProcs(10), arrFiles(51)

Set WshShell = WScript.CreateObject("WScript.Shell")
DocDir = WshShell.ExpandEnvironmentStrings("%UserProfile%") & chr(92)
TmpDir = WshShell.ExpandEnvironmentStrings("%Temp%") & chr(92)
WinDir = WshShell.ExpandEnvironmentStrings("%WinDir%") & chr(92)
SysDir = WinDir & "system32"

strComp = "." ' สามารถเปลี่ยนชื่อเป็นเครื่องอื่นๆใน Network เดียวกันได้
strLogs = ""

' ชื่อ Process Names (in lowercase)
arrProcs(0) = "rvhost.exe"
arrProcs(1) = "ssvichosst.exe"
arrProcs(2) = "sscviihost.exe"
arrProcs(3) = "new folder.exe"
arrProcs(4) = "hinhem.scr"
arrProcs(5) = "blastclnnn.exe"
arrProcs(6) = "skcvhost.exe"
arrProcs(7) = "systems.exe"
arrProcs(8) = "hidr.exe"
arrProcs(9) = "m_hook.sys"

' W32/Hakaglan.worm.gen (nhattruongquang, nhatquanglan[*], hinhem, etc.)
arrFiles(0) = WinDir & "RVHOST.exe"
arrFiles(1) = WinDir & "SSVICHOSST.exe"
arrFiles(2) = WinDir & "SSCVIIHOST.exe"
arrFiles(3) = WinDir & "Tasks\At1.job"
arrFiles(4) = SysDir & "nhatquanglan9.exe"
arrFiles(5) = SysDir & "nhatquanglan11.exe"
arrFiles(6) = SysDir & "SSVICHOSST.exe"
arrFiles(7) = SysDir & "SSCVIIHOST.exe"
arrFiles(8) = SysDir & "New Folder.exe"
arrFiles(9) = SysDir & "hinhem.scr"
arrFiles(10) = SysDir & "blastclnnn.exe"
arrFiles(11) = SysDir & "autorun.ini"
arrFiles(12) = SysDir & "setting.ini"
arrFiles(13) = SysDir & "setting.xls"
arrFiles(14) = SysDir & "setting.doc"

' BackDoor-AVW
arrFiles(15) = WinDir & "services.exe"
arrFiles(16) = WinDir & "ktd32.atm"
arrFiles(17) = WinDir & "system\sservice.exe"
arrFiles(18) = SysDir & "fservice.exe"
arrFiles(19) = SysDir & "server.exe"
arrFiles(20) = SysDir & "reginv.dll"
arrFiles(21) = SysDir & "winkey.dll"

' Keylog-Perfect
arrFiles(22) = SysDir & "SKCVHOST.exe"
arrFiles(23) = SysDir & "SKCVHOSTr.exe"
arrFiles(24) = SysDir & "SKCVHOSThk.dll"
arrFiles(25) = SysDir & "SYSTEMS.exe"
arrFiles(26) = SysDir & "SYSTEMShk.dll"
arrFiles(27) = SysDir & "SYSTEMShk.dll"
arrFiles(28) = SysDir & "apps.dat"
arrFiles(29) = SysDir & "bpk.bin"
arrFiles(30) = SysDir & "bpk.dat"
arrFiles(31) = SysDir & "bpk.exe"
arrFiles(32) = SysDir & "bpkch.dat"
arrFiles(33) = SysDir & "bsdhooks.dll"
arrFiles(34) = SysDir & "inst.dat"
arrFiles(35) = SysDir & "inst.tmp"
arrFiles(36) = SysDir & "kw.dat"
arrFiles(37) = SysDir & "mc.dat"
arrFiles(38) = SysDir & "pk.bin"
arrFiles(39) = SysDir & "rinst.dat"
arrFiles(40) = SysDir & "rinst.exe"
arrFiles(41) = SysDir & "titles.dat"
arrFiles(42) = SysDir & "web.dat"
arrFiles(43) = SysDir & "web.dll"
arrFiles(44) = SysDir & "keystrokes.html"
arrFiles(45) = SysDir & "websites.html"
arrFiles(46) = SysDir & "chats.html"
arrFiles(47) = SysDir & "report.txt"

' W32/Bagle.ea
arrFiles(48) = DocDir & "Application Data\hidires\hidr.exe"
arrFiles(49) = DocDir & "Application Data\hidires\m_hook.sys"
arrFiles(50) = SysDir & "wintems.exe"

' RESTORE REGISTRY
' W32/Hakaglan.worm.gen
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shares"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger"
setRegVal "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe", "REG_SZ"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours"

' BackDoor-AVW
delRegVal "HKCR\CLSID\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}"
delRegVal "HKCR\TypeLib\{1D1B286C-99FF-11E3-8D96-D7ACAC95952A}"
delRegVal "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}"

' Keylog-Perfect
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpk"
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEMS"

' NTRootKit-W
delRegVal "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_M_HOOK"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\m_hook"
delRegVal "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK"

' W32/Bagle.ea
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsyskit"

If strLogs <> "" Then
WScript.Echo "ทำการตรวจหาไวรัส: " & VBCrLf & VBCrLf & strLogs
strLogs = ""
End If

Sub setRegVal(Target, Value, Reg)
On Error Resume Next
WshShell.RegWrite Target, Value, Reg
If Err = 0 Then
strLogs = strLogs & ".. ทำการเซทค่า : " & Target & " to " & Value & VBCrLf
End If
Err.Clear
On Error Goto 0
End Sub

Sub delRegVal(Target)
On Error Resume Next
WshShell.RegDelete Target
If Err = 0 Then
strLogs = strLogs & ".. ทำการฆ่าไวรัส : " & Target & VBCrLf
End If
Err.Clear
On Error Goto 0
End Sub

' KILL 'EM
Dim objWMI : Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComp & "\root\cimv2")
Dim objFSO : Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")

If Err = 0 Then
KillProcs
Set objWMI = Nothing
Set objFSO = Nothing
End If
Err.Clear

Sub KillProcs
' Variables
Dim objProc, objFile
Dim strFile, i

' Kill process if running
Dim colProc : Set colProc = objWMI.ExecQuery("Select Name from Win32_Process")
For Each objProc in colProc
For i=0 to UBound(arrProcs)
If arrProcs(i) = LCase(CStr(objProc.Name)) Then
objProc.Terminate()
strLogs = strLogs & ".. ทำการ Terminated process: " & arrProcs(i) & VBCrLf
Exit For
End If
Next
Next

Set colProc = Nothing
Set objProc = Nothing

' Delete file
For i=0 to UBound(arrFiles)
RemoveFile arrFiles(i)
Next

' Delete folder
If objFSO.FolderExists(DocDir & "Application Data\hidires") Then
Dim objFolder : Set objFolder = objFSO.GetFolder(DocDir & "Application Data\hidires")
objFolder.Attributes = 0
objFolder.Delete
Set objFolder = Nothing
End If

' Empty TEMP folder
RemoveTmpFolder TmpDir

If strLogs <> "" Then
WScript.Echo "ทำการตรวจหาไวรัส: " & VBCrLf & VBCrLf & strLogs
End If
End Sub

Sub RemoveTmpFolder(Target)
On Error Resume Next
Dim tmpDir : Set tmpDir = objFSO.GetFolder(Target)
Dim tmpFolder, tmpFile

For Each tmpFile In tmpDir.Files
tmpFile.Attributes = 0
tmpFile.Delete
Next

For Each tmpFolder In tmpDir.SubFolders
RemoveTmpFolder tmpFolder.Path
tmpFolder.Attributes = 0
tmpFolder.Delete
Next

Set tmpDir = Nothing
Set tmpFolder = Nothing
Set tmpFile = Nothing
On Error Goto 0
End Sub

Sub RemoveFile(Target)
On Error Resume Next
If objFSO.FileExists(Target) Then
Dim objFile : Set objFile = objFSO.GetFile(Target)
objFile.attributes = 0
objFile.Delete
Set objFile = Nothing
strLogs = strLogs & ".. ทำการลบไฟล์ : " & Target & VBCrLf
End If
On Error Goto 0
End Sub

' BYE
WScript.Echo "Program by Jerusale"
WScript.Echo "เสร็จสิ้นกระบวนการ!"
WScript.Quit

วิธีการใช้งาน
1.ทำการ Copy Source ไป Paste ที่ Notepad
2.เมื่อ Paste เสร็จแล้วทำการ Save as เป็นชื่อ antivirus.vbs อย่าลืมเลือก Type เป็น All file หละ
3.สามารถใช้งานได้ทันที หวังว่าคงจะชอบนะครับ

Thread: Source กำจัดไวรัสด้วย VB Script 5 in 1

Thread Tools

Similar Threads

แจก Script "MSN Web Messenger Script 1.2 Nulled"

ใครมี script หรือ source ทำ ebook online แบบนี้บ้าง

Source Code เกม OX แต่ไม่เหมือน Source ทั่วไป

PHP Script

Source code MsWord Script.vbs

Members who have read this thread : 0

Tags for this Thread

Posting Permissions