Welcome to the TechNet Script Center Gallery!

Each contribution is licensed to you under a License Agreement by its owner, not Microsoft. Microsoft does not guarantee the contribution or purport to grant rights to it.

Delete the Zotob Worm

(Community)
Script Code
VBScript
' VBScript source code
Dim wshShell, fso, badfile, logfile, ZotobKey

'Instantiate the FileSystemObject and Shell object
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

'Create Log file if it doesn't exist
If fso.FileExists("c:\AVRemover.log") Then
   set logfile = fso.OpenTextFile("c:\AVRemover.log",8,TRUE)
Else
   Set logfile = fso.CreateTextFile("c:\AVRemover.log")
End IF

'Create seed log entry
logfile.writeline "Script Entry "&date()&" "&time()

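'Check for zotob.g
On Error Resume Next
Err.Clear
ZotobKey = wshShell.RegRead ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrg32")
'RegRead raises an error when the value is absent, so act (and log) only when it succeeded
If Err.Number = 0 Then
   WshShell.RegDelete ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrg32")
   logfile.writeline "W32.Zotob.G Registry key found and removed"
   If fso.FileExists(ZotobKey) Then
	'Set is required to hold the File object; without it badfile.Delete fails silently
	Set badfile = fso.GetFile(ZotobKey)
	Err.Clear
	badfile.Delete
	If Err.Number = 0 Then logfile.writeline "W32.Zotob.G executable found and removed"
   End If
End If
Err.Clear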

'Connect to local computer's WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:"_
	& "{impersonationLevel=impersonate}!\\" &strComputer & "\root\cimv2")

'Within WMI, pull any services matching our names
Set colServiceList = objWMIService.ExecQuery ("Select * from Win32_Service where Name = 'wpa' or Name = 'mousebm' or Name = 'MouseSync' or Name = 'msrpc32' or Name = 'tftp1544'")

'For each service matching our name above, disable, stop, delete, and hunt down and kill its parents
For Each objService in colServiceList
    errReturnCode = objService.Change( , , , , "Disabled")
    objService.StopService()
    objService.Delete()
    'PathName may be wrapped in quotes; strip them before the file lookup
    svcPath = Replace(objService.PathName, """", "")
    'Look the file up fresh for each service so a failed lookup never reuses the previous File object
    If fso.FileExists(svcPath) Then
        Set badfile = fso.GetFile(svcPath)
        badfile.Delete
    End If
    logfile.writeline objService.name&" at "&objService.PathName&" removed."
Next

'End log entry and close log file
logfile.writeline "Script Entry Complete."
logfile.close
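
A report-only pass over the same Run value and service names, useful for confirming what the script above would touch before anything is deleted. This is an added example, not the gallery author's code; the helper names ExePathFromCommandLine and Report and the file name check.vbs are assumptions made for illustration.

```vbscript
' Added example: lists the indicators the removal script targets, deletes nothing.
' Run with: cscript //nologo check.vbs   (file name is hypothetical)
Option Explicit
Const RUN_VALUE = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrg32"
Dim fso, shell, wmi, svc, runData

Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Hypothetical helper: returns the executable part of a command line such as
'   "C:\a b\x.exe" -k     or     C:\x.exe -k
' Run values and service PathName strings can carry quotes and arguments,
' which FileExists/GetFile cannot resolve as-is.
Function ExePathFromCommandLine(cmd)
    Dim s, pos
    s = Trim(cmd & "")                       ' & "" turns a Null PathName into ""
    If Left(s, 1) = """" Then
        pos = InStr(2, s, """")              ' closing quote
        If pos = 0 Then pos = Len(s) + 1     ' unterminated quote: take the rest
        ExePathFromCommandLine = Mid(s, 2, pos - 2)
    Else
        pos = InStr(1, s, ".exe", vbTextCompare)
        If pos > 0 Then s = Left(s, pos + 3) ' cut arguments after the first ".exe"
        ExePathFromCommandLine = s
    End If
End Function

' Hypothetical helper: prints one finding and whether its file is still on disk.
Sub Report(label, location, filePath)
    Dim state
    If fso.FileExists(filePath) Then state = "file present" Else state = "file not found"
    WScript.Echo label & ": " & location & " -> " & filePath & " (" & state & ")"
End Sub

' RegRead raises an error when the value does not exist.
On Error Resume Next
runData = shell.RegRead(RUN_VALUE)
If Err.Number = 0 Then
    Report "Run value", RUN_VALUE, ExePathFromCommandLine(runData)
Else
    WScript.Echo "Run value WinDrg32 not present"
End If
Err.Clear
On Error GoTo 0

Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
For Each svc In wmi.ExecQuery("Select Name, PathName, State from Win32_Service where " & _
        "Name = 'wpa' or Name = 'mousebm' or Name = 'MouseSync' or " & _
        "Name = 'msrpc32' or Name = 'tftp1544'")
    Report "Service " & svc.Name & " [" & svc.State & "]", svc.PathName, ExePathFromCommandLine(svc.PathName)
Next
```
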
Platforms
Windows Server 2008 R2 No
Windows Server 2008 No
Windows Server 2003 No
Windows 7 No
Windows Vista No
Windows XP No
Windows 2000 No
For online peer support, join The Official Scripting Guys Forum! To provide feedback or report bugs in sample scripts, please start a new discussion on the Discussions tab for this script.
Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.