ripdad Posted March 15, 2010 (edited)

Virus Cleaning Tool - Debugger - v2.01

This tool undoes the damage caused by a virus that modifies the registry with "Debugger Values" under:

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

which cause programs not to run.

-EDIT-

I've re-written this tool to accommodate for the different ways these viruses are writing to the registry.
The count is now over 750 entries.
No restrictions with this version, with the exception of #RequireAdmin.

```autoit
; Virus Cleaning Tool - Debugger - v2.01
#RequireAdmin
Global $title = 'Virus Cleaning Tool - Debugger'
Local $number = _Debugger(0); 0 = check if Debugger entries are present
If $number = 0 Then
    MsgBox(8256, $title, 'Nothing Found')
    Exit
EndIf
If MsgBox(8228, $title, $number & ' Entries Found' & @CRLF & @CRLF & 'Clean?') = 7 Then Exit
_Debugger(1); 1 = Delete Debugger ValueNames
_DebuggerEx(); Delete Empty Keys
MsgBox(8256, $title, 'Finished - Check DebuggerLog.txt for more info')
Exit

; Count (mode 0) or delete (mode 1) the Debugger value under every IFEO subkey
Func _Debugger($mode)
    Local $MainKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Local $ImageName, $ValueName = 'Debugger', $sCount = 0, $eCount = 0
    Local $Logfile = @ScriptDir & '\DebuggerLog.txt'
    For $i = 1 To 10000
        $ImageName = RegEnumKey($MainKey, $i)
        If @error <> 0 Then ExitLoop
        ; Skip the placeholder key
        If $ImageName = 'Your Image File Name Here without a path' Then ContinueLoop
        RegRead($MainKey & '\' & $ImageName, $ValueName)
        If @error <> 0 Then ContinueLoop; no Debugger value under this key
        $sCount += 1
        If $mode = 1 Then
            If RegDelete($MainKey & '\' & $ImageName, $ValueName) Then
                FileWriteLine($Logfile, 'Debugger Deleted: ' & $MainKey & '\' & $ImageName)
                ToolTip('Deleted: ' & $ImageName & '\' & $ValueName, 0, 0, $title, 1)
                Sleep(20)
                $i -= 1
            Else
                $eCount += 1
                FileWriteLine($Logfile, 'Error Deleting Debugger: ' & $MainKey & '\' & $ImageName)
                ToolTip('Error Deleting: ' & $ImageName & '\' & $ValueName, 0, 0, $title, 1)
                Sleep(20)
            EndIf
        EndIf
    Next
    ToolTip('')
    If $mode = 0 Then Return $sCount
    ; Also remove a Debugger value written directly on the main key
    If RegRead($MainKey, $ValueName) Then RegDelete($MainKey, $ValueName)
    FileWriteLine($Logfile, 'Debugger Entries Cleaned: ' & $sCount - $eCount & @CRLF & 'Errors: ' & $eCount)
EndFunc

; Delete IFEO subkeys that have no values left
Func _DebuggerEx()
    Local $MainKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Local $ImageName, $sCount = 0, $eCount = 0, $Logfile = @ScriptDir & '\DebuggerLog.txt'
    For $i = 1 To 10000
        $ImageName = RegEnumKey($MainKey, $i)
        If @error <> 0 Then ExitLoop
        If RegEnumVal($MainKey & '\' & $ImageName, 1) Then ContinueLoop; key still has a value
        If RegDelete($MainKey & '\' & $ImageName) Then
            $sCount += 1
            ToolTip('Deleted Key: ' & $ImageName, 0, 0, $title, 1)
            Sleep(20)
            $i -= 1; the next subkey has moved into this index
        Else
            $eCount += 1
            ToolTip('Error Deleting Key: ' & $ImageName, 0, 0, $title, 1)
            Sleep(20)
        EndIf
    Next
    ToolTip('')
    FileWriteLine($Logfile, 'Empty Keys Deleted: ' & $sCount & @CRLF & 'Errors: ' & $eCount)
EndFunc
```

-Edit2-

Below is minicode of above -- it has no prompts, no counting, no logging and no frills.
It just does it, no questions asked ... except UAC of course. <grin>

```autoit
#RequireAdmin
Local $k = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Local $n, $v = 'Debugger', $p = 'Your Image File Name Here without a path'
If RegRead($k, $v) Then RegDelete($k, $v)
For $i = 1 To 10000
    $n = RegEnumKey($k, $i)
    If @error <> 0 Then ExitLoop
    If $n = $p Then ContinueLoop
    If RegRead($k & '\' & $n, $v) Then
        RegDelete($k & '\' & $n, $v)
        $i -= 1
    EndIf
    If Not RegEnumVal($k & '\' & $n, 1) Then RegDelete($k & '\' & $n)
Next
```

Edited January 1, 2011 by ripdad

"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward
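A read-only dry run of the two passes described in the post above (remove `Debugger` values, then remove keys left without values), added here as an example in Python; it is not ripdad's code. It works on the text of a `reg export` of the Image File Execution Options key, and the function names and the sample export are constructed for illustration.

```python
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
PLACEHOLDER = "Your Image File Name Here without a path"  # key the tool skips

# Constructed sample in `reg export` text format (ROOT stands for the IFEO path).
SAMPLE = r'''Windows Registry Editor Version 5.00

[ROOT\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

[ROOT\taskmgr.exe]
"Debugger"="C:\\example\\blocker.exe"

[ROOT\regedit.exe]
"debugger"="C:\\example\\blocker.exe"
"GlobalFlag"=dword:00000200

[ROOT\legacy.exe]
'''.replace("ROOT", IFEO)

def parse_export(text):
    """Map each direct IFEO subkey to {value name: raw data}."""
    keys, current, prefix = {}, None, IFEO.lower() + "\\"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sub = line[1:-1]
            direct = sub.lower().startswith(prefix) and "\\" not in sub[len(prefix):]
            current = keys.setdefault(sub[len(prefix):], {}) if direct else None
        elif current is not None:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)  # @ is the default value
            if m:
                current[m.group(1).strip('"')] = m.group(2)
    return keys

def plan_cleanup(text):
    """Dry run: (Debugger values to delete, keys left with no values)."""
    to_delete, empty_keys = [], []
    for name, values in parse_export(text).items():
        debugger = [v for v in values if v.lower() == "debugger"]  # names ignore case
        if debugger and name.lower() != PLACEHOLDER.lower():
            raw = values.pop(debugger[0])
            data = raw[1:-1] if raw.startswith('"') else raw
            to_delete.append((name, re.sub(r"\\(.)", r"\1", data)))  # undo .reg escaping
        if not values:  # also lists keys that never had a Debugger value
            empty_keys.append(name)
    return to_delete, empty_keys

if __name__ == "__main__": print(plan_cleanup(SAMPLE))
```

Files written by `reg export` are UTF-16, so decode them with `encoding="utf-16"` before passing the text in. The second list shows that the empty-key pass would also remove keys such as `legacy.exe` that had no values to begin with.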
Fire Posted April 25, 2010 (edited)

Hi ripdad.
Really, this is an awesome idea. 5 stars from me for a great idea.
BTW, I created a GUI program based on your idea. Here it is: (I'm sorry it is not English-language based, because my English is very awful and I created this program for my native language.)
Anyway, I want to say THANK YOU MAN for the great idea.
Binary & src can be found here for GUI: Download Binary (src included)

edit: correction on url

Reuploaded: (Contains all src again)
http://qovluq.biz/uploads/1f30.rar
MD5 SUM: http://qovluq.biz/uploads/1f301.md5

Edited December 31, 2010 by Fire
ripdad Posted April 26, 2010

Hi Sh3llC043r

That's a lot of code for such a small task. Nice GUI and sound effects. And ... you're welcome.
ripdad Posted December 29, 2010

Updated v2 - see first post
mesale0077 Posted December 29, 2010

Hi Fire, the link is broken: Download Binary (src included). Give me a new link. Thank you.
Fire Posted December 31, 2010

mesale0077, np dude, the link was updated.
P.S. Warm greetings to the brother country. Happy New Year!
4:41 31.12.2010
mesale0077 Posted December 31, 2010

Hi Fire, thank you.
P.S. Thanks, brother, warm greetings to you all too.