ripdad

RegFix_Redirects v1.0

3 posts in this topic

Weeds will take over the garden if left unattended.

More ammunition for the battle ...

; RegFix_Redirects v1.0
; Released: January 24, 2012 by ripdad
; Scans each user's *_Classes hive and the IFEO key for file-association and
; debugger redirects, lists what it finds, and asks before deleting anything.
#RequireAdmin
;
RegFix_FindRedirects()
;
Func RegFix_FindRedirects()
    Local $title = 'RegFix_Redirects v1.0'
    Local $found, $sub, $subkey, $string, $val
    Local $type, $fVal, $dStr, $fStr, $detected = 0
    Local $key = 'HKEY_USERS64'
    If @OSArch <> 'X64' Then $key = 'HKEY_USERS'
    ;
    ; Find Random Multiple Redirects (usually over 200 entries)
    For $n = 1 To 2
        Switch $n
            Case 1; [type1]
                $type = ''
            Case 2; [type2]
                $type = '\shell\open\command'
        EndSwitch
        $dStr = ''
        $fStr = ''
        $found = 0
        ;
        For $i = 1 To 10000
            $subkey = RegEnumKey($key, $i)
            If @error <> 0 Then ExitLoop
            If StringRight($subkey, 8) <> '_Classes' Then ContinueLoop
            $string = ''
            ;
            For $j = 1 To 10000
                $sub = RegEnumKey($key & '\' & $subkey, $j)
                If @error <> 0 Then ExitLoop
                $val = RegRead($key & '\' & $subkey & '\' & $sub & $type, '')
                If @error <> 0 Then ContinueLoop
                ;
                If $found Then
                    ; second pass: collect every key whose (Default) contains the repeated value
                    If StringInStr($val, $fVal) Then
                        $fStr &= '|[Type' & $n & '] ' & $key & '\' & $subkey & '\' & $sub & $type & ' (Default)=' & $val
                        $dStr &= '|' & $key & '\' & $subkey & '\' & $sub
                    EndIf
                Else
                    $string &= '|' & $val; add value to string
                    StringReplace($string, $val, ''); @extended = occurrences of $val seen so far
                    If @extended > 20 Then; same value repeated more than 20 times
                        $fVal = $val; copy value
                        $found = 1; change mode
                        $i = 0; reset loop 2 so the hives are rescanned from the start
                        ExitLoop; restart loop 2
                    EndIf
                EndIf
            Next
        Next
        If $found Then
            $detected = True
            RegFix_DeleteRedirects($fStr, $dStr)
        EndIf
    Next
    $dStr = ''
    $fStr = ''
    $found = 0
    ;
    ; [type3] - Find Known Single Redirects
    Local $a = StringSplit('.bat|.cmd|.com|.exe|.reg|ah|exefile|pezfile|secfile|sezfile', '|')
    For $i = 1 To 10000
        $subkey = RegEnumKey($key, $i)
        If @error <> 0 Then ExitLoop
        If StringRight($subkey, 8) <> '_Classes' Then ContinueLoop
        ;
        For $j = 1 To 10000
            $sub = RegEnumKey($key & '\' & $subkey, $j)
            If @error <> 0 Then ExitLoop
            ;
            For $n = 1 To $a[0]
                If $sub = $a[$n] Then
                    $val = RegRead($key & '\' & $subkey & '\' & $sub, '')
                    $fStr &= '|[Type3] ' & $key & '\' & $subkey & '\' & $sub & ' (Default)=' & $val
                    $dStr &= '|' & $key & '\' & $subkey & '\' & $sub
                    $found = 1
                EndIf
            Next
        Next
    Next
    If $found Then
        $detected = True
        RegFix_DeleteRedirects($fStr, $dStr)
    EndIf
    $dStr = ''
    $fStr = ''
    $found = 0
    ;
    ; [type4] - Find Debugger Redirects
    $key = 'HKEY_LOCAL_MACHINE64\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    If @OSArch <> 'X64' Then $key = StringReplace($key, '64', '')
    ;
    For $i = 1 To 10000
        $subkey = RegEnumKey($key, $i)
        If @error <> 0 Then ExitLoop
        If $subkey = 'Your Image File Name Here without a path' Then ContinueLoop; stock placeholder key
        $val = RegRead($key & '\' & $subkey, 'Debugger')
        If @error <> 0 Then ContinueLoop
        ;
        If $val Then
            $fStr &= '|[Type4] ' & $key & '\' & $subkey & ' (Debugger)=' & $val
            $dStr &= '|' & $key & '\' & $subkey
            $found = 1
        EndIf
    Next
    If $found Then
        $detected = True
        RegFix_DeleteRedirects($fStr, $dStr)
    EndIf
    ;
    If Not $detected Then MsgBox(8256, $title, 'Nothing Found' & @TAB & @TAB)
EndFunc
;
Func RegFix_DeleteRedirects($fStr, $dStr)
    Local $title = 'RegFix_Redirects v1.0'
    Local $a = StringSplit(StringTrimLeft($fStr, 1), '|')
    Local $gui = GUICreate($title, 600, 400, -1, -1, 0x00CF0000)
    Local $hLv = GUICtrlCreateListView('Redirects Found: ' & $a[0], 5, 5, 590, 370)
    For $i = 1 To $a[0]
        GUICtrlCreateListViewItem($a[$i], $hLv)
    Next
    GUICtrlSetResizing($hLv, 0x0066)
    GUICtrlSendMsg($hLv, 0x101E, 0, 900); LVM_SETCOLUMNWIDTH
    GUICtrlSendMsg($hLv, 0x1036, 0x1, 0x1); LVM_SETEXTENDEDLISTVIEWSTYLE, LVS_EX_GRIDLINES
    GUISetState(@SW_SHOW, $gui)
    Do
    Until GUIGetMsg() = -3; $GUI_EVENT_CLOSE
    GUIDelete($gui)
    ;
    ;Prompt: Yes/No
    If MsgBox(8228, $title, 'Delete Redirects?') <> 6 Then Return
    ;
    $a = StringSplit(StringTrimLeft($dStr, 1), '|')
    For $i = 1 To $a[0]
        RegDelete($a[$i])
    Next
EndFunc
;

This script processes all user keys, including SYSTEM and NETWORK, and prompts before making any changes.

Please let me know if there are any problems.


"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward
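The same four checks the script performs, reimplemented here as an added Python example (not ripdad's code) over a constructed in-memory registry snapshot so the heuristics can be exercised offline; the SID, the malware path and the key names are made up, and the repeated-value check uses exact matching rather than the script's substring counting.

```python
from collections import Counter
# Constructed snapshot, not a real registry: full key path -> {value name: data}; '' is (Default).
# The SID and the malware path are made-up placeholders.
SID = r'HKEY_USERS\S-1-5-21-0-0-0-1001_Classes'
IFEO = (r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT'
        r'\CurrentVersion\Image File Execution Options')
BAD = r'"C:\ProgramData\<placeholder>\kdn.exe" /START "%1" %*'
SNAPSHOT = {SID + r'\.txt': {'': 'txtfile'},           # legitimate, seen once
            SID + r'\.exe': {'': 'ah'},                 # [Type3] known single redirect
            SID + r'\ah\shell\open\command': {'': BAD}, # [Type3] known single redirect
            IFEO + r'\Your Image File Name Here without a path': {},
            IFEO + r'\taskmgr.exe': {'Debugger': BAD}}  # [Type4] debugger redirect
for n in range(25):                                     # [Type2] random multiple redirects
    SNAPSHOT[SID + r'\rnd%02d\shell\open\command' % n] = {'': BAD}
KNOWN_SINGLE = {'.bat', '.cmd', '.com', '.exe', '.reg', 'ah',
                'exefile', 'pezfile', 'secfile', 'sezfile'}

def subkeys(reg, parent):
    """Direct child key names of parent, like RegEnumKey in a loop."""
    prefix = parent + '\\'
    return sorted({k[len(prefix):].split('\\')[0] for k in reg if k.startswith(prefix)})

def find_redirects(reg, threshold=20):
    """Return (report lines, keys to delete) for the four redirect patterns."""
    report, delete = [], []
    for hive in (h for h in subkeys(reg, 'HKEY_USERS') if h.endswith('_Classes')):
        hkey = 'HKEY_USERS\\' + hive
        subs = subkeys(reg, hkey)
        # [Type1]/[Type2]: one (Default) value repeated across many class keys
        for n, suffix in ((1, ''), (2, r'\shell\open\command')):
            vals = {s: reg.get(hkey + '\\' + s + suffix, {}).get('') for s in subs}
            counts = Counter(v for v in vals.values() if v is not None)
            for s, v in vals.items():
                if v is not None and counts[v] > threshold:
                    report.append('[Type%d] %s\\%s%s (Default)=%s' % (n, hkey, s, suffix, v))
                    delete.append(hkey + '\\' + s)
        # [Type3]: file-type keys that belong in HKLM showing up in a user hive
        for s in subs:
            if s in KNOWN_SINGLE:
                v = reg.get(hkey + '\\' + s, {}).get('')
                report.append('[Type3] %s\\%s (Default)=%s' % (hkey, s, v))
                delete.append(hkey + '\\' + s)
    # [Type4]: IFEO entries carrying a Debugger value, skipping the stock placeholder
    for s in subkeys(reg, IFEO):
        v = reg.get(IFEO + '\\' + s, {}).get('Debugger')
        if v and s != 'Your Image File Name Here without a path':
            report.append('[Type4] %s\\%s (Debugger)=%s' % (IFEO, s, v))
            delete.append(IFEO + '\\' + s)
    return report, list(dict.fromkeys(delete))  # dedupe keys hit by two checks
```

Running it on the snapshot lists the 25 random keys plus `ah` under Type2, `.exe` and `ah` under Type3, and `taskmgr.exe` under Type4, while the lone `.txt` association is left alone.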

This is really lacking description. If I need to read every line of your code and analyze your loops to figure out what this does, then I might as well have written it myself. Shed a bit more light on the problem you're solving maybe?

Yeah, I know. Sorry.

It suffices to say that it cleans up the aftermath of some nasty viruses.

Here's one example near the bottom of this page:

http://www.bleepingcomputer.com/virus-removal/remove-vista-internet-security-2012

Technicians who work with virus removal will know what it is.


