ripdad Posted January 24, 2012

Weeds will take over the garden if left unattended. More ammunition for the battle ...

```autoit
; RegFix_Redirects v1.0
; Released: January 24, 2012 by ripdad

#RequireAdmin
;
RegFix_FindRedirects()
;
Func RegFix_FindRedirects()
    Local $title = 'RegFix_Redirects v1.0'
    Local $found, $sub, $subkey, $string, $val
    Local $type, $fVal, $dStr, $fStr, $detected = 0
    Local $key = 'HKEY_USERS64'
    If @OSArch <> 'X64' Then $key = 'HKEY_USERS'
    ;
    ; Find Random Multiple Redirects (usually over 200 entries)
    For $n = 1 To 2
        Switch $n
            Case 1 ; [type1]
                $type = ''
            Case 2 ; [type2]
                $type = '\shell\open\command'
        EndSwitch
        $dStr = ''
        $fStr = ''
        $found = 0
        ;
        For $i = 1 To 10000
            $subkey = RegEnumKey($key, $i)
            If @error <> 0 Then ExitLoop
            If StringRight($subkey, 8) <> '_Classes' Then ContinueLoop
            $string = ''
            ;
            For $j = 1 To 10000
                $sub = RegEnumKey($key & '\' & $subkey, $j)
                If @error <> 0 Then ExitLoop
                $val = RegRead($key & '\' & $subkey & '\' & $sub & $type, '')
                If @error <> 0 Then ContinueLoop
                ;
                If $found Then
                    If StringInStr($val, $fVal) Then
                        $fStr &= '|[Type' & $n & '] ' & $key & '\' & $subkey & '\' & $sub & $type & ' (Default)=' & $val
                        $dStr &= '|' & $key & '\' & $subkey & '\' & $sub
                    EndIf
                Else
                    $string &= '|' & $val ; add value to string
                    StringReplace($string, $val, '') ; use to count
                    If @extended > 20 Then ; count occurrences of value
                        $fVal = $val ; copy value
                        $found = 1 ; change mode
                        $i = 0 ; reset loop 2
                        ExitLoop ; restart loop 2
                    EndIf
                EndIf
            Next
        Next
        If $found Then
            $detected = True
            RegFix_DeleteRedirects($fStr, $dStr)
        EndIf
    Next
    $dStr = ''
    $fStr = ''
    $found = 0
    ;
    ; [type3] - Find Known Single Redirects
    Local $a = StringSplit('.bat|.cmd|.com|.exe|.reg|ah|exefile|pezfile|secfile|sezfile', '|')
    For $i = 1 To 10000
        $subkey = RegEnumKey($key, $i)
        If @error <> 0 Then ExitLoop
        If StringRight($subkey, 8) <> '_Classes' Then ContinueLoop
        ;
        For $j = 1 To 10000
            $sub = RegEnumKey($key & '\' & $subkey, $j)
            If @error <> 0 Then ExitLoop
            ;
            For $n = 1 To $a[0]
                If $sub = $a[$n] Then
                    $val = RegRead($key & '\' & $subkey & '\' & $sub, '')
                    $fStr &= '|[Type3] ' & $key & '\' & $subkey & '\' & $sub & ' (Default)=' & $val
                    $dStr &= '|' & $key & '\' & $subkey & '\' & $sub
                    $found = 1
                EndIf
            Next
        Next
    Next
    If $found Then
        $detected = True
        RegFix_DeleteRedirects($fStr, $dStr)
    EndIf
    $dStr = ''
    $fStr = ''
    $found = 0
    ;
    ; [type4] - Find Debugger Redirects
    $key = 'HKEY_LOCAL_MACHINE64\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    If @OSArch <> 'X64' Then $key = StringReplace($key, '64', '')
    ;
    For $i = 1 To 10000
        $subkey = RegEnumKey($key, $i)
        If @error <> 0 Then ExitLoop
        If $subkey = 'Your Image File Name Here without a path' Then ContinueLoop
        $val = RegRead($key & '\' & $subkey, 'Debugger')
        If @error <> 0 Then ContinueLoop
        ;
        If $val Then
            $fStr &= '|[Type4] ' & $key & '\' & $subkey & ' (Debugger)=' & $val
            $dStr &= '|' & $key & '\' & $subkey
            $found = 1
        EndIf
    Next
    If $found Then
        $detected = True
        RegFix_DeleteRedirects($fStr, $dStr)
    EndIf
    ;
    If Not $detected Then MsgBox(8256, $title, 'Nothing Found' & @TAB & @TAB)
EndFunc
;
Func RegFix_DeleteRedirects($fStr, $dStr)
    Local $title = 'RegFix_Redirects v1.0'
    Local $a = StringSplit(StringTrimLeft($fStr, 1), '|')
    Local $gui = GUICreate($title, 600, 400, -1, -1, 0x00CF0000)
    Local $hLv = GUICtrlCreateListView('Redirects Found: ' & $a[0], 5, 5, 590, 370)
    For $i = 1 To $a[0]
        GUICtrlCreateListViewItem($a[$i], $hLv)
    Next
    GUICtrlSetResizing($hLv, 0x0066)
    GUICtrlSendMsg($hLv, 0x101E, 0, 900) ; LVM_SETCOLUMNWIDTH
    GUICtrlSendMsg($hLv, 0x1036, 0x1, 0x1) ; LVM_SETEXTENDEDLISTVIEWSTYLE (grid lines)
    GUISetState(@SW_SHOW, $gui)
    Do
    Until GUIGetMsg() = -3 ; wait for the window to be closed
    GUIDelete($gui)
    ;
    ; Prompt: Yes/No
    If MsgBox(8228, $title, 'Delete Redirects?') <> 6 Then Return
    ;
    $a = StringSplit(StringTrimLeft($dStr, 1), '|')
    For $i = 1 To $a[0]
        RegDelete($a[$i])
    Next
EndFunc
```

This script processes all user keys, including SYSTEM and NETWORK, and prompts before making any changes. Please let me know if there are any problems.

"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward
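The same four checks the script above performs, applied offline to a registry export so the logic can be studied without touching a live machine. This is an added example, not ripdad's code: it works on a constructed .reg excerpt, and the SID, class names and executable path in the sample are made up.

```python
import re

# Known single redirects: the same list the AutoIt script checks as [type3]
KNOWN_SINGLE = {'.bat', '.cmd', '.com', '.exe', '.reg', 'ah', 'exefile',
                'pezfile', 'secfile', 'sezfile'}
IFEO = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Per-user class key, optionally followed by \shell\open\command ([type1] / [type2])
CLASSES_RE = re.compile(r'^HKEY_USERS\\[^\\]+_Classes\\([^\\]+)(\\shell\\open\\command)?$')

def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: string_data}}, '' = (Default)."""
    reg, key = {}, None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '' if name == '@' else name.strip('"')
            data = data[1:-1] if data.startswith('"') else data
            reg[key][name] = data.replace('\\\\', '\\').replace('\\"', '"')
    return reg

def find_redirects(reg, threshold=20):
    """Return (tag, key, data) for every entry the script's four checks would list."""
    found, groups = [], {}          # groups: (tag, default data) -> [keys]
    for key, vals in reg.items():
        m = CLASSES_RE.match(key)
        if m:
            tag = 'Type2' if m.group(2) else 'Type1'
            if '' in vals:
                groups.setdefault((tag, vals['']), []).append(key)
            if tag == 'Type1' and m.group(1) in KNOWN_SINGLE:
                found.append(('Type3', key, vals.get('', '')))
        elif key.startswith(IFEO + '\\') and vals.get('Debugger'):
            if key.rsplit('\\', 1)[1] != 'Your Image File Name Here without a path':
                found.append(('Type4', key, vals['Debugger']))
    for (tag, data), keys in groups.items():
        if len(keys) > threshold:   # one value repeated across many classes = hijack
            found.extend((tag, k, data) for k in keys)
    return found

# Constructed sample export: one hijacked user hive plus one IFEO Debugger entry
SID = r'HKEY_USERS\S-1-5-21-1000-1001-1002-1003_Classes'     # made-up SID
CMD = r'@="\"C:\\ProgramData\\abc.exe\" -a \"%1\" %*"'        # made-up path
SAMPLE = f'Windows Registry Editor Version 5.00\n[{SID}\\.exe]\n@="secfile"\n[{SID}\\.txt]\n@="txtfile"\n'
for i in range(25):             # 25 classes all opening through the same executable
    SAMPLE += f'[{SID}\\prog{i}file\\shell\\open\\command]\n{CMD}\n'
SAMPLE += f'[{IFEO}\\taskmgr.exe]\n"Debugger"="C:\\\\ProgramData\\\\abc.exe"\n'
```

`find_redirects(parse_reg(SAMPLE))` lists 27 entries: the `.exe` class key (Type3), the IFEO Debugger value (Type4) and the 25 shell\open\command keys that share one command line (Type2); `.txt` is left alone because its value is not repeated.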
wraithdu Posted January 24, 2012

This is really lacking description. If I need to read every line of your code and analyze your loops to figure out what this does, then I might as well have written it myself. Shed a bit more light on the problem you're solving maybe?
ripdad Posted January 24, 2012

Yeah, I know. Sorry. It suffices to say that it cleans up the aftermath of some nasty viruses. Here's one example near the bottom of this page: http://www.bleepingcomputer.com/virus-removal/remove-vista-internet-security-2012

Technicians who work with virus removal will know what it is.