I know this is a lot to ask, but I just got done writing my WinFixer removal script, based on the following link, and wanted feedback on more efficient or better ways I might be able to accomplish the same thing in the future.
http://www.spyware-removal-guideline.com/winfixer-removal
Code:
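; WinFixer 2005 cleanup driver: stops the known processes, then removes the
; listed files, registry keys and install directories, reporting each result.
;
; NOTE(review): every indicator below is matched by name/path only; nothing is
; hashed or signature-checked, so a legitimate file that happens to share a
; name would be removed as well. Several names look randomly generated and
; presumably differ between infections - treat the lists as a starting point
; and confirm them against the affected host before running.
Break ON
$ = SetOption("WrapAtEOL","ON")

; Base locations, read from the environment of the machine being cleaned.
$ProgFiles = %ProgramFiles%
$Comp = %ComputerName%
$WinDir = %WinDir%
$Sys = $WinDir + "\System32"

; Snapshot of the process names currently running on this machine.
$ProcArray = PList($Comp)

; Files expected under %WinDir%\System32.
$Sys32Files = "crqsibss.dll", "pss.dll", "uwtuh.dll", "lquwhfff.dll",
"dkmsrpcn.dll", "jtr2079oe.dll", "igzxgqcr.dll", "eaann.dll",
"fssjjdf.dll", "nikppcy.dll", "tshk.dll", "AG1KPVU0.INI",
"eqwxzb.exe", "hqyikxs.exe", "iasnhl.exe", "odensc.exe",
"riqzcju.exe", "sspggd.exe", "u9uhk5i0.ini", "unb59hf8.ini",
"wayyftxi.exe", "xau.exe"
; Files expected directly under %WinDir%.
$WinFiles = "asappsrv.dll", "mznoo.dll", "ktcar.exe"
; Files expected under %ProgramFiles%\common files\winsoftware.
$CommonFiles = "crxml.dll", "pcheck.dll"
; Files expected under %ProgramFiles%\winfixer 2005.
$WinFixerFiles = "compcln.dll", "df_fixer.dll", "df_proxy.dll", "ffcom.dll",
"ffwraper.dll", "fixcore.dll", "ftrec.dll", "idletrac.dll",
"mmfix.dll", "oedrop.dll", "strres.dll"
; COM registration keys (ProgIDs, interfaces, type libraries) and the
; per-user settings key.
$RegKeys = "HKEY_CLASSES_ROOT\compcleancore.appcleaner.1\clsid",
"HKEY_CLASSES_ROOT\compcleancore.appcleaner\clsid",
"HKEY_CLASSES_ROOT\compcleancore.appcleaner\curver",
"HKEY_CLASSES_ROOT\compcleancore.filecleaner.1\clsid",
"HKEY_CLASSES_ROOT\compcleancore.filecleaner\clsid",
"HKEY_CLASSES_ROOT\compcleancore.filecleaner\curver",
"HKEY_CLASSES_ROOT\compcleancore.inetcleaner.1\clsid",
"HKEY_CLASSES_ROOT\compcleancore.inetcleaner\clsid",
"HKEY_CLASSES_ROOT\compcleancore.inetcleaner\curver",
"HKEY_CLASSES_ROOT\compcleancore.regcleaner.1\clsid",
"HKEY_CLASSES_ROOT\compcleancore.regcleaner\clsid",
"HKEY_CLASSES_ROOT\compcleancore.regcleaner\curver",
"HKEY_CLASSES_ROOT\compcleancore.systemcleaner.1\clsid",
"HKEY_CLASSES_ROOT\compcleancore.systemcleaner\clsid",
"HKEY_CLASSES_ROOT\compcleancore.systemcleaner\curver",
"HKEY_CLASSES_ROOT\df_fixer.fixer.1\clsid",
"HKEY_CLASSES_ROOT\df_fixer.fixer\clsid",
"HKEY_CLASSES_ROOT\df_fixer.fixer\curver",
"HKEY_CLASSES_ROOT\df_proxy.drivermanipulate.1\clsid",
"HKEY_CLASSES_ROOT\df_proxy.drivermanipulate\clsid",
"HKEY_CLASSES_ROOT\df_proxy.drivermanipulate\curver",
"HKEY_CLASSES_ROOT\ffcom.flfixer\clsid",
"HKEY_CLASSES_ROOT\ffwraper.ffenginwraper.1\clsid",
"HKEY_CLASSES_ROOT\ffwraper.ffenginwraper\clsid",
"HKEY_CLASSES_ROOT\ffwraper.ffenginwraper\curver",
"HKEY_CLASSES_ROOT\fixcore.mmfixcore.1\clsid",
"HKEY_CLASSES_ROOT\fixcore.mmfixcore\clsid",
"HKEY_CLASSES_ROOT\fixcore.mmfixcore\curver",
"HKEY_CLASSES_ROOT\interface\{1ce1c25b-f8b4-4974-99d2-5d4ae96b9900}",
"HKEY_CLASSES_ROOT\interface\{9e984934-cd94-4763-9dbc-618e483d4b7f}",
"HKEY_CLASSES_ROOT\typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}\1.0",
"HKEY_CLASSES_ROOT\typelib\{6a077841-5016-42c8-92c8-f2d6b865bcd1}",
"HKEY_CLASSES_ROOT\typelib\{ad70ac89-f460-4e7e-b5a5-7eaf7e207736}",
"HKEY_CLASSES_ROOT\typelib\{b6625280-8cd8-4632-97c0-83cec12a49a3}",
"HKEY_CLASSES_ROOT\typelib\{f458adae-d53b-4859-b99f-9fa127791278}",
"HKEY_CLASSES_ROOT\typelib\{fc76a5b8-db35-4f3e-8b9a-bf0eea098d64}",
"HKEY_CURRENT_USER\software\winsoftware\winfixer 2005"
; Stray files outside the directories handled above (full paths).
$MiscFiles = "C:\8355.exe",
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\riak.exe"

; Step 1: stop the known processes first, since a running image cannot be
; deleted. The return value is captured in $ so it is not echoed to the console.
FOR EACH $Proc IN $ProcArray
    IF (LEFT($Proc, 5) = "UWFX5") OR ($Proc = "196_150_NI.EXE")
        $ = EnumProcess($Proc, 1)
        ? $Proc + @CRLF
    ENDIF
NEXT

; Step 2: remove the listed files from each known location.
FOR EACH $x IN $Sys32Files
    KillFile($Sys + "\" + $x)
NEXT
FOR EACH $x IN $WinFiles
    KillFile($WinDir + "\" + $x)
NEXT
FOR EACH $x IN $CommonFiles
    KillFile($ProgFiles + "\common files\winsoftware\" + $x)
NEXT
FOR EACH $x IN $WinFixerFiles
    KillFile($ProgFiles + "\winfixer 2005\" + $x)
NEXT

; Step 3: remove the registry footprint.
FOR EACH $x IN $RegKeys
    KillRegKeys($x)
NEXT

; Step 4: stray files. KiXtart's DEL takes the file name first and the
; switches after it (cmd.exe order and /Q do not apply). /S is deliberately
; not used here: with a full path such as C:\8355.exe it would also delete
; same-named files in every subdirectory of the drive.
; /F = read-only files, /H = hidden/system files (confirm for your KiXtart build).
FOR EACH $x IN $MiscFiles
    IF EXIST($x)
        DEL $x /F /H
        IF @ERROR = 0
            ? "$x Was Successfully Deleted!" + @CRLF
        ELSE
            ? "$x Was NOT Deleted!" + @CRLF
        ENDIF
    ELSE
        ? "$x Did NOT Exist!" + @CRLF
    ENDIF
NEXT

; Step 5: remove the install directories. RD ... /S removes the directory
; together with its contents (confirm /S is supported by your KiXtart build);
; success is only reported when @ERROR says the removal worked.
$Dir = $ProgFiles + "\Common Files\WinFixer 2005"
IF EXIST($Dir)
    RD $Dir /S
    IF @ERROR = 0
        ? "Common Files -> WinFixer 2005 was successfully completed." + @CRLF
    ELSE
        ? "Common Files -> WinFixer 2005 was NOT removed: " + @SERROR + @CRLF
    ENDIF
ELSE
    ? "Common Files -> WinFixer 2005 didn't exist!" + @CRLF
ENDIF

$Dir = $ProgFiles + "\WinFixer 2005"
IF EXIST($Dir)
    RD $Dir /S
    IF @ERROR = 0
        ? "Program Files -> WinFixer 2005 was successfully completed." + @CRLF
    ELSE
        ? "Program Files -> WinFixer 2005 was NOT removed: " + @SERROR + @CRLF
    ENDIF
ELSE
    ? "Program Files -> WinFixer 2005 didn't exist!" + @CRLF
ENDIF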
;************************************************
;************** UDFs **************************
;************************************************
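FUNCTION KillRegKeys($key)
    ; Deletes one registry key and prints the outcome.
    ;   $key - full registry path, e.g. "HKEY_CLASSES_ROOT\...\clsid"
    ; Prints one of: deleted / not deleted (with the error code) / did not exist.
    ;
    ; NOTE(review): DelKey is documented to fail on a key that still has
    ; subkeys; KiXtart's DelTree removes a key together with its subtree.
    ; Confirm which one the typelib/interface entries passed in here need.
    DIM $rc
    IF KEYEXIST($key)
        ; Capture the return code: an unassigned function result is echoed to
        ; the console, and the code tells the operator why a delete failed.
        $rc = DELKEY($key)
        IF $rc = 0
            ? "$key Successfully Deleted." + @CRLF
        ELSE
            ? "$key Was NOT Deleted! (error $rc)" + @CRLF
        ENDIF
    ELSE
        ? "$key Did NOT Exist!" + @CRLF
    ENDIF
ENDFUNCTION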
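Function PList($PC)
    ; Returns an array holding the name of every process running on $PC,
    ; collected through WMI (Win32_Process).
    ;   $PC - computer name to query
    ; On a WMI connection failure the error text is printed and the function
    ; exits with @ERROR set.
    ;
    ; The parameter is not re-declared here, and the WMI objects are declared
    ; local so they do not leak into the caller's scope.
    Dim $Query, $ProcList, $objWMIService, $Processes, $process
    ; Only the Name property is read below, so only that is requested.
    $Query = 'Select Name from Win32_Process'
    $objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" + $PC + "\root\cimv2")
    If @error
        ? @Serror + ' on ' + $PC ?
        Exit @error
    Endif
    $Processes = $objWMIService.ExecQuery($Query)
    For Each $process In $Processes
        $ProcList = $ProcList + $process.name + '|'
    Next
    ; Drop the trailing delimiter so Split() does not yield an empty last element.
    If Len($ProcList) > 0
        $ProcList = Left($ProcList, Len($ProcList) - 1)
    Endif
    $PList = Split($ProcList, '|')
EndFunction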
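FUNCTION KillFile($File)
    ; Removes one file and prints the outcome of each step.
    ;   $File - full path (directory + file name) of the file to remove
    ; A .dll is unregistered first; every existing file, whatever its
    ; extension, is then deleted.
    IF EXIST($File)
        IF RIGHT($File, 4) = ".dll"
            ; /u unregisters; without it regsvr32 would register the DLL.
            ; The path is quoted because it can contain spaces
            ; (e.g. "...\winfixer 2005\...").
            ; NOTE(review): regsvr32 loads the DLL and calls into it even when
            ; unregistering, so this step runs code from the file being
            ; removed. The COM keys are also deleted directly from the registry
            ; list, so consider skipping this call if executing the file is
            ; not acceptable on the host being cleaned.
            SHELL '%COMSPEC% /e:1024 /c regsvr32 /u /s "' + $File + '"'
            IF @ERROR = 0
                ? "$File Successfully Unregistered" + @CRLF
            ELSE
                ? "$File Was NOT Unregistered!" + @CRLF
            ENDIF
        ENDIF
        ; Delete regardless of whether unregistration worked.
        ; /F = read-only files, /H = hidden/system files (confirm for your KiXtart build).
        DEL $File /F /H
        IF @ERROR = 0
            ? "$File Successfully Deleted" + @CRLF
        ELSE
            ? "$File Was NOT Deleted!" + @CRLF
        ENDIF
    ELSE
        ? "$File Didn't Exist" + @CRLF
    ENDIF
ENDFUNCTION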
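FUNCTION EnumProcess($exe, optional $terminate, optional $Computer)
    ; Looks up processes through WMI and optionally terminates them.
    ;   $exe       - a process id (number or all-digit string) or an image name
    ;   $terminate - when true, every matching process is terminated
    ;   $Computer  - machine to query; defaults to the local workstation
    ; Returns the process name when called with a process id, or a
    ; "|"-separated list of process ids when called with a name.
    ; Exits with code 1 when $exe is neither.
    Dim $winmgmts, $ExecQuery, $Process, $id, $getobject, $, $name
    if not $computer $computer = @wksta endif
    $winmgmts = "winmgmts:{impersonationLevel=impersonate}!//$COMPUTER"
    select
    ; Treat $exe as a process id only when it is numeric in full. Val() alone
    ; also accepts a name that merely starts with digits (such as
    ; "196_150_NI.EXE"), which would select - and, with $terminate set, kill -
    ; an unrelated process that happens to own that id.
    case (val($exe) > 0) and (("" + val($exe)) = ("" + $exe))
        $ExecQuery = "select * from Win32_Process where ProcessId='" + val($exe) + "'"
        $GetObject = GetObject($winmgmts).ExecQuery($ExecQuery)
        For each $Process in $GetObject
            if $terminate $ = $Process.Terminate endif
            $EnumProcess = $Process.name
        next
        $GetObject = ''
    case vartype($exe) = 8
        ; Image names on a compromised host are chosen by whoever planted the
        ; binary, so escape backslashes and single quotes before placing the
        ; name inside the WQL string literal; otherwise the name could change
        ; which processes the query selects.
        $name = Join(Split($exe, "\"), "\\")
        $name = Join(Split($name, "'"), "\'")
        $ExecQuery = "select * from Win32_Process where Name='" + $name + "'"
        $GetObject = GetObject($winmgmts).ExecQuery($ExecQuery)
        For each $Process in $GetObject
            if $terminate $ = $Process.Terminate endif
            $id = $Process.ProcessId
            $EnumProcess = "$Id" + "|" + "$EnumProcess"
        Next
        ; Strip the trailing "|" left by the loop above.
        $EnumProcess = left($EnumProcess, len($EnumProcess) - 1)
        $GetObject = ''
    case 1
        exit 1
    endselect
ENDFUNCTION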