Delete the Zotob Worm

Submitted By: JHluboky

Language: VBScript

Description: Cleans the Zotob worm from a system via file system, registry, and service removal.

Script Code

' VBScript source code
Dim wshShell, fso, badfile, logfile, ZotobKey

'Instantiate the FileSystemObject and Shell object
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

'Create log file if it doesn't exist; otherwise open it for appending (8 = ForAppending)
If fso.FileExists("c:\AVRemover.log") Then
   Set logfile = fso.OpenTextFile("c:\AVRemover.log",8,True)
Else
   Set logfile = fso.CreateTextFile("c:\AVRemover.log")
End If

'Create seed log entry
logfile.writeline "Script Entry "&date()&" "&time()

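'Check for zotob.g
On Error Resume Next
Err.Clear
ZotobKey = wshShell.RegRead ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrg32")
'RegRead raises an error when the value is missing, so Err.Number = 0 means it was found
If Err.Number = 0 Then
   WshShell.RegDelete ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrg32")
   'Only log the removal if RegDelete itself succeeded
   If Err.Number = 0 Then logfile.writeline "W32.Zotob.G Registry key found and removed"
   'The Run value holds the path of the worm executable
   If fso.FileExists(ZotobKey) Then
      'Set is required to assign the File object
      Set badfile = fso.GetFile(ZotobKey)
      badfile.Delete
      logfile.writeline "W32.Zotob.G executable found and removed"
   End If
End If
Err.Clear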

'Connect to local computer's WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
	& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

'Within WMI, pull any services matching our names
Set colServiceList = objWMIService.ExecQuery ("Select * from Win32_Service where Name = 'wpa' or Name = 'mousebm' or Name = 'MouseSync' or Name = 'msrpc32' or Name = 'tftp1544'")

'For each service matching our name above, disable, stop, delete, and hunt down and kill its parents
For Each objService in colServiceList
    errReturnCode = objService.Change( , , , , "Disabled")
    objService.StopService()
    objService.Delete()
    'PathName can include quotes or arguments; only claim removal when the file is actually found
    If fso.FileExists(objService.PathName) Then
        Set badfile = fso.GetFile(objService.PathName)
        badfile.Delete
        logfile.writeline objService.Name & " at " & objService.PathName & " removed."
    Else
        logfile.writeline objService.Name & " service removed; no file found at " & objService.PathName
    End If
Next

'End log entry and close log file
logfile.writeline "Script Entry Complete."
logfile.close

Note: Not all scripts run on all versions of Windows.

Disclaimer

This script is not supported under any Microsoft standard support program or service. The script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the script or documentation, even if Microsoft has been advised of the possibility of such damages.

