That's an awesome function, Radimus. Now how would I grab an array of processes to evaluate running EnumProcess() against them? Is there a function to put all running processes into an array?
Code:
$Procs = "select * from Win32_Process where"
$ProcArray = GetObject($winmgmts).ExecQuery($Proc)
Hmm... not sure where I "inherited" it from but it is not an intrinsic function.
Code:
Function PList($PC)
  ; $PC is the parameter and already local; only the working variables are declared
  Dim $Query, $ProcList, $objWMIService, $Processes, $Process
  $Query = 'Select * from Win32_Process'
  $objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\"+$PC+"\root\cimv2")
  If @error
    ? @Serror+' on '+$PC
    ? Exit @error
  Endif
  $Processes = $objWMIService.ExecQuery($Query)
  for each $process in $Processes
    $ProcList = $ProcList + $Process.name + '|'
  next
  ; drop the trailing '|' so Split() does not hand back an empty last element
  $PList = Split(Left($ProcList, Len($ProcList)-1), '|')
EndFunction
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
#147810 - 2005-09-14 10:25 PM Re: Anyone written a WinFixer removal script??
Radimus (Moderator)
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
Quote: That's an awesome function, Radimus. Now how would I grab an array of processes to evaluate running EnumProcess() against them? Is there a function to put all running processes into an array?
Code:
$Procs = "select * from Win32_Process where"
$ProcArray = GetObject($winmgmts).ExecQuery($Proc)
???
WMIQuery()
Code:
$processes = WMIQUERY("name","Win32_Process")
for each $process in $processes
  ? $process
next
#147811 - 2005-09-14 10:41 PM Re: Anyone written a WinFixer removal script??
NTDOC (Administrator)
Registered: 2000-07-28
Posts: 11625
Loc: CA
Typically most of this junk can be removed from within a normal Windows session; however, there are many spyware/adware annoyances that need to be removed from within SAFE MODE and cannot be removed from within a normal Windows session.
I would highly recommend this site for assistance with cleaning up spyware/adware from your system if you're not experienced at it.
I know this is a lot to ask, but I just got done writing my WinFixer removal script based off of the following link and just wanted feedback on more efficient or better ways I might be able to accomplish the same thing in the future?
Code:
; Expects the name arrays ($Sys32Files, $WinFiles, $CommonFiles, $WinFixerFiles, $RegKeys),
; the base paths ($Sys, $WinDir, $ProgFiles) and $ProcArray (e.g. from PList()) to be set
; before this point.
$MiscFiles = "C:\8355.exe", "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\riak.exe"

; Kill the WinFixer processes: random names starting with UWFX5, plus one fixed name.
; Assigning the result to $ stops KiXtart from echoing EnumProcess()'s PID list.
FOR EACH $Proc IN $ProcArray
  IF LEFT($Proc, 5) = "UWFX5"
    $ = EnumProcess($Proc, 1)
    ? $Proc + @CRLF
  ENDIF
  IF $Proc = "196_150_NI.EXE"
    $ = EnumProcess($Proc, 1)
    ? $Proc + @CRLF
  ENDIF
NEXT

FOR EACH $x IN $Sys32Files
  $File = $Sys + "\$x"
  KillFile($File)
NEXT

FOR EACH $x IN $WinFiles
  $File = $WinDir + "\$x"
  KillFile($File)
NEXT

FOR EACH $x IN $CommonFiles
  $File = $ProgFiles + "\common files\winsoftware\$x"
  KillFile($File)
NEXT

FOR EACH $x IN $WinFixerFiles
  $File = $ProgFiles + "\winfixer 2005\$x"
  KillFile($File)
NEXT

FOR EACH $x IN $RegKeys
  KillRegKeys($x)
NEXT

FOR EACH $x IN $MiscFiles
  IF EXIST($x)
    DEL $x    ; /F /S /Q are cmd.exe switches; KiXtart's DEL takes just the file name
    IF @ERROR = 0
      ? "$x Was Successfully Deleted!" + @CRLF
    ELSE
      ? "$x Was NOT Deleted!" + @CRLF
    ENDIF
  ELSE
    ? "$x Did NOT Exist!" + @CRLF
  ENDIF
NEXT

FUNCTION KillRegKeys($key)
  IF KEYEXIST($key)
    DELKEY($key)    ; DELKEY only removes an empty key; use DELTREE if the key has subkeys
    IF @ERROR = 0
      ? "$key Successfully Deleted." + @CRLF
    ELSE
      ? "$key Was NOT Deleted!" + @CRLF
    ENDIF
  ELSE
    ? "$key Did NOT Exist!" + @CRLF
  ENDIF
ENDFUNCTION

Function PList($PC)
  ; $PC is the parameter and already local; only the working variables are declared
  Dim $Query, $ProcList, $objWMIService, $Processes, $Process
  $Query = 'Select * from Win32_Process'
  $objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\"+$PC+"\root\cimv2")
  If @error
    ? @Serror+' on '+$PC
    ? Exit @error
  Endif
  $Processes = $objWMIService.ExecQuery($Query)
  for each $process in $Processes
    $ProcList = $ProcList + $Process.name + '|'
  next
  ; drop the trailing '|' so Split() does not hand back an empty last element
  $PList = Split(Left($ProcList, Len($ProcList)-1), '|')
EndFunction

FUNCTION KillFile($File)    ;***** $File = A combination of the path and the variable
  IF EXIST($File)
    IF RIGHT($File, 4) = ".dll"
      ; unregister the COM server before deleting it: /u = unregister, /s = silent
      ; (plain "regsvr32 /s" would re-register the malware DLL instead)
      SHELL '%COMSPEC% /e:1024 /c regsvr32 /s /u "$File"'
      IF @ERROR = 0
        ? "$File Successfully Unregistered" + @CRLF
      ELSE
        ? "$File Was NOT Unregistered!" + @CRLF
      ENDIF
    ENDIF
    DEL $File
    IF @ERROR = 0
      ? "$File Successfully Deleted" + @CRLF
    ELSE
      ? "$File Was NOT Deleted!" + @CRLF
    ENDIF
  ELSE
    ? "$File Did NOT Exist!" + @CRLF
  ENDIF
ENDFUNCTION

FUNCTION EnumProcess($exe, optional $terminate, optional $Computer)
  Dim $winmgmts, $ExecQuery, $Process, $id, $getobject, $
  if not $computer
    $computer = @wksta
  endif
  $winmgmts = "winmgmts:{impersonationLevel=impersonate}!//$COMPUTER"
  select
  case val($exe) > 0
    ; numeric argument: look the process up by PID, return its name
    $ExecQuery = "select * from Win32_Process where ProcessId='$exe'"
    $GetObject = GetObject($winmgmts).ExecQuery($ExecQuery)
    For each $Process in $GetObject
      if $terminate
        $ = $Process.Terminate
      endif
      $EnumProcess = $Process.name
    next
    $GetObject = ''
  case vartype($exe) = 8
    ; string argument: match by image name, return a '|'-separated list of PIDs
    $ExecQuery = "select * from Win32_Process where Name='$exe'"
    $GetObject = GetObject($winmgmts).ExecQuery($ExecQuery)
    For each $Process in $GetObject
      if $terminate
        $ = $Process.Terminate
      endif
      $id = $Process.ProcessId
      $EnumProcess = "$Id" + "|" + "$EnumProcess"
    Next
    $EnumProcess = left($EnumProcess, len($EnumProcess)-1)
    $GetObject = ''
  case 1
    exit 1
  endselect
ENDFUNCTION
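The same enumerate-then-kill logic in PowerShell, as an added example that is not code from this thread. It covers what the first posts ask for (a real array of process names, as PList() builds one) and what the script's FOR EACH $Proc loop does with EnumProcess($Proc, 1): match by name prefix or exact name, then terminate through the same Win32_Process WMI class. The prefix UWFX5 and the name 196_150_NI.EXE are taken from the script above; the log path and the dry-run switch are assumptions for this illustration.

```powershell
# Added example, not from the thread. Assumptions: the UWFX5 prefix and 196_150_NI.EXE
# come from the script above; the log file path is made up for this illustration.

function Get-ProcessNameList {
    # PList() equivalent: every process name on the box as a proper array,
    # with no trailing empty element left over from a delimiter.
    param([string]$ComputerName = $env:COMPUTERNAME)
    @(Get-CimInstance -ClassName Win32_Process -ComputerName $ComputerName |
        Select-Object -ExpandProperty Name)
}

function Stop-MatchingProcess {
    # Equivalent of FOR EACH $Proc IN $ProcArray ... EnumProcess($Proc, 1):
    # terminate every process whose name starts with one of $Prefixes or equals one of $ExactNames.
    param(
        [string[]]$Prefixes     = @('UWFX5'),
        [string[]]$ExactNames   = @('196_150_NI.EXE'),
        [string]  $ComputerName = $env:COMPUTERNAME,
        [switch]  $WhatIf
    )
    foreach ($p in Get-CimInstance -ClassName Win32_Process -ComputerName $ComputerName) {
        $prefixHit = [bool]($Prefixes | Where-Object { $p.Name.StartsWith($_, 'OrdinalIgnoreCase') })
        if (-not $prefixHit -and -not ($ExactNames -contains $p.Name)) { continue }

        if ($WhatIf) {
            $result = 'would-terminate'
        } else {
            # Win32_Process.Terminate returns 0 on success, 2 for access denied
            $rc = (Invoke-CimMethod -InputObject $p -MethodName Terminate).ReturnValue
            $result = if ($rc -eq 0) { 'terminated' } else { "terminate-failed-$rc" }
        }

        # Record PID, name and command line: the command line shows where a randomly
        # named binary actually lives, which is what the file-deletion arrays need.
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            CommandLine = $p.CommandLine
            Result      = $result
        }
    }
}

# Usage: dry run first, then for real; Tee-Object keeps a log you can read after the reboot.
Stop-MatchingProcess -WhatIf | Tee-Object -FilePath "$env:TEMP\winfixer-procs.log" | Format-Table -AutoSize
```

Matching on the image name alone is the weak point of both versions: a dropper that re-randomizes its file names after a reboot will slip past the list, which is why the dry run records CommandLine, so the directory the process runs from can be added to the file arrays rather than one more name.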
#147814 - 2005-09-15 08:26 AM Re: Anyone written a WinFixer removal script??
NTDOC (Administrator)
Registered: 2000-07-28
Posts: 11625
Loc: CA
More than likely, as they do, it won't remove it from the NORMAL Windows session. Many of the current spyware infections cannot be removed from within a normal session and must be removed from within SAFE MODE.
It does work, and the reason I wrote it the way I did is because WinFixer creates a number of randomly generated DLLs, EXEs, etc. This way, when more are found, all you have to do is add them to the arrays and that's it. I also changed all of the "?" lines to actually write to a local log file so you can actually view the results. Thanks for the feedback, gents, and I'll be looking at your spywarewarrior link for further information. Thanks again, guys.
#147817 - 2005-09-15 08:53 PM Re: Anyone written a WinFixer removal script??
NTDOC (Administrator)
Registered: 2000-07-28
Posts: 11625
Loc: CA
Not questioning the script in general, just the approach, I suppose. But hey, if it helps one to learn coding better, that's great too. But if it has WinFixer, it's almost guaranteed it has a ton of other junk by now too that his script won't deal with.
#147819 - 2005-09-16 02:57 AM Re: Anyone written a WinFixer removal script??
NTDOC (Administrator)
Registered: 2000-07-28
Posts: 11625
Loc: CA
Well, something that you might want to think about running is re-registering all the DLL files. Not all of them require registering, so it runs silently. Often some of the new spyware crap is destroying some of the COM registrations of valid DLL files, so this restores them for most.
1. Make sure you first remove ALL spyware and similar junk from the system; otherwise this could easily re-enable spyware that was otherwise crippled.
2. Run a FULL CHKDSK /F /R on the volume beforehand as well to fix possible errors.
When you are reasonably certain that the system is clean you can then run something like this.
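An added example of the kind of run NTDOC describes; it is not his script, which is not reproduced on this page. It re-registers every DLL under System32 with regsvr32 /s, but keeps each exit code so the log shows which files were real COM servers and which registrations failed, and it kills any registration that hangs. Remember why precondition 1 matters: regsvr32 executes each DLL's DllRegisterServer with your privileges, so a malware DLL still on disk gets its registration code run for it. The folder, the log path and the 60-second per-DLL timeout are assumptions for this illustration.

```powershell
# Added example (not NTDOC's script). Assumptions: System32 as the folder, a log under
# %TEMP%, and a 60 s per-DLL timeout; all three are illustrative.

function Restore-ComRegistration {
    param(
        [string]$Path           = "$env:SystemRoot\System32",
        [string]$LogPath        = "$env:TEMP\reregister.log",
        [int]   $TimeoutSeconds = 60,
        [switch]$DryRun
    )
    $counts = [ordered]@{ Registered = 0; NotComServer = 0; LoadFailed = 0; Failed = 0; TimedOut = 0; DryRun = 0 }

    foreach ($dll in Get-ChildItem -Path $Path -Filter *.dll -File) {
        if ($DryRun) {
            $counts.DryRun++
            "dryrun`t$($dll.FullName)" | Add-Content -Path $LogPath
            continue
        }
        # /s only silences regsvr32's own message boxes; the exit code still reports the outcome:
        # 0 = registered, 3 = LoadLibrary failed, 4 = no DllRegisterServer export (not a COM server),
        # 5 = DllRegisterServer itself returned an error.
        $proc = Start-Process -FilePath regsvr32.exe -ArgumentList "/s `"$($dll.FullName)`"" `
                              -WindowStyle Hidden -PassThru
        $null = $proc.Handle    # touch the handle so ExitCode is populated after exit
        if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
            # a DllRegisterServer that blocks (e.g. on a dialog) would otherwise stall the whole run
            $proc.Kill()
            $counts.TimedOut++
            $status = 'timeout'
        } else {
            $status = switch ($proc.ExitCode) {
                0       { $counts.Registered++;   'registered' }
                3       { $counts.LoadFailed++;   'loadlibrary-failed' }
                4       { $counts.NotComServer++; 'no-DllRegisterServer' }
                default { $counts.Failed++;       "failed-rc$($proc.ExitCode)" }
            }
        }
        "$status`t$($dll.FullName)" | Add-Content -Path $LogPath
    }
    [pscustomobject]$counts
}

# Usage: list what would be touched, then run for real from an elevated prompt
# (registration writes under HKLM) and review the log before trusting the result.
Restore-ComRegistration -DryRun
Restore-ComRegistration | Format-List
```

Two things to check in the log afterwards: the failed-rc5 lines, which are DLLs that loaded but refused to register and deserve a look, and the folder itself on 64-bit Windows, where the 32-bit DLLs live in SysWOW64 and must be registered with SysWOW64\regsvr32.exe rather than the System32 one.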