Hey Dana, it is important to delete the temporary files in both the user profile's Temp folder and the Windows Temp folder, as follows:
1.- Start / Run / %temp% / Accept (OK)
2.- c:\windows\temp
You should remove all files in those folders. You can also make these folders viewable by using a script: copy the listing below, save it as .txt and then as *.vbs, and then run it.
---------------------------------------------
' Cleanup script for the amvo / avpo / n1detect removable-drive malware named in
' the banner echoed at the end of this section.
' NOTE(review): this listing appears to have been through machine translation.
' "September" stands where the VBScript keyword Set is expected, the
' "NRET geekside.Run = (" lines look like a mangled assignment of the return
' value of geekside.Run(...), and spaces were inserted inside command strings
' and paths. It will not run as printed; recover the original before use.
'
' On Error Resume Next makes every later runtime error silent: a step that
' fails (file missing, access denied) neither stops the script nor is reported.
On Error Resume Next
Dim objShell, objFileSystem, objTextStream, objRegex
Dim colRegexMatches1, colRegexMatches2
Dim nReturnCode
Dim strIpFileText
Dim element, i
Dim List
' File-name patterns; presumably the list used by the per-drive sweep at the
' end of the script (which refers to "Lista") - confirm.
' NOTE(review): the entries look damaged by translation (inserted spaces, no
' comma between "*. com d" and " copy.exe, host.exe ", the entry "Uncle *.*").
' Do not treat them as reliable indicators without the original list.
List = array ( "n1de? Ect.com, nide? Ect.com, nlde? Ect.com", "j *. bat", "m *. com", "*. com d" " copy.exe, host.exe ", _
"a0 *. com", "ntdeiect.com, ntdelect.com", "u? for *. com", "ntde1ect.com", "x *. com", "Uncle *.*",_
"80 *. com", "SEMO *. exe", "autorun *.*"," x *. exe", "yl *. exe", "qd *. cmd")
' Two WScript.Shell objects are created; only geekside is used to run commands
' in this listing, objShell is only released later.
September geekside = WScript.CreateObject ( "WScript.Shell")
September objShell = WScript.CreateObject ( "WScript.Shell")
' Two FileSystemObject instances: objFileSystem opens autorun.inf, objFSO
' supplies the drive collection.
September objFileSystem = CreateObject ( "Scripting.FileSystemObject")
September objFSO = CreateObject ( "Scripting.FileSystemObject")
' Every drive known to the system; each loop below filters on IsReady.
September colDrives = objFSO.Drives
Wscript.echo "Software provided by MyGeekSide.com for the removal of malware amvo, avpo, and variants n1detect"
Wscript.echo "The process of search and removal can take several seconds. Please be patient."
' Read autorun.inf from the root of each ready drive into strIpFileText.
' i is reset here and incremented in the deletion loop, but nothing in this
' listing reads it.
i = 0
For Each objDrive in colDrives
If objDrive.IsReady = True Then
' Presumably "attrib -s -h -r <drive>:\autorun.inf": clears the system, hidden
' and read-only attributes so the file can be opened. Window style 0 hides the
' console window; TRUE waits for the command to finish.
NRET geekside.Run = ( "cmd / C attrib-s-h-r" & objDrive.DriveLetter & ": \ autorun.inf", 0, TRUE)
' Mode 1 opens the file for reading.
September objTextStream = objFileSystem.OpenTextFile (objDrive.DriveLetter & ": \ autorun.inf", 1)
' NOTE(review): strIpFileText is overwritten on every iteration, so after the
' loop it holds only the last autorun.inf that could be read; entries from
' autorun.inf files on other drives are never parsed. Concatenating the
' contents would cover all drives.
StrIpFileText = objTextStream.ReadAll
ObjTextStream.Close
End If
Next
' Pull the file names referenced by autorun.inf out of the text read above and
' delete each one from the root of every ready drive.
' NOTE(review): this line is presumably a mangled "Set objRegex = New RegExp".
September = new RegExp objRegex
' Matches "=" followed by word characters and one of the listed extensions.
' NOTE(review): the dots are unescaped, so each one matches any character, not
' only a literal ".". The matched text comes from a file written by the
' malware and is concatenated into cmd command lines below, so this pattern is
' the only validation applied to it; escaping the dots would tighten it.
objRegex.Pattern = "= \ w + (. com |. bat |. exe |. pif |. scr |. svd |. dat |. tmp |. cmd)"
objRegex.Global = True
objRegex.IgnoreCase = True
September colRegexMatches1 = objRegex.Execute (strIpFileText)
i = 0
For Each element In colRegexMatches1
' Drop the leading "=" so only the file name remains.
Element = Replace (element ,"=","")
Wscript.echo "Proceeding to delete virus file:" & element
For Each objDrive in colDrives
If objDrive.IsReady = True Then
Wscript.echo "Clear Drive:" & objDrive.DriveLetter
' Force-terminate the known malware process names so their files are not
' locked. These calls depend on neither the drive nor the element, yet they are
' repeated for every drive/element pair.
NRET geekside.Run = ( "cmd / C taskkill / f / im amvo.exe", 0, TRUE)
NRET geekside.Run = ( "cmd / C taskkill / f / im avpo.exe", 0, TRUE)
NRET geekside.Run = ( "cmd / C taskkill / f / im ckvo.exe", 0, TRUE)
NRET geekside.Run = ( "cmd / C taskkill / f / im kavo.exe", 0, TRUE)
NRET geekside.Run = ( "cmd / C taskkill / f / im semo2x.exe.tmp", 0, TRUE)
NRET geekside.Run = ( "cmd / C taskkill / f / im semo2x.exe", 0, TRUE)
NRET geekside.Run = ( "cmd / C taskkill / f / im help.exe.tmp", 0, TRUE)
' Clear attributes on <drive>:\<element>, then delete it and the drive's
' autorun.inf.
' NOTE(review): "the" in the next two commands is presumably a mistranslated
' "del", and "objDrive.DriveLetter & &" a displaced "&" - confirm against the
' original. The results of these calls are never inspected.
NRET geekside.Run = ( "cmd / C attrib-s-h-r" & objDrive.DriveLetter & ": \" & element & "", 0, TRUE)
NRET geekside.Run = ( "cmd / C cd \ & the" objDrive.DriveLetter & & ": \" & element & "/ f / q / a", 0, TRUE)
NRET geekside.Run = ( "cmd / C cd \ & the" objDrive.DriveLetter & & ": \ autorun.inf", 0, TRUE)
End If
Next
I = i + 1
Next
' Release the helper objects. geekside is not released and keeps being used
' for every command below.
September objRegex = Nothing
September objTextStream = Nothing
September objFileSystem = Nothing
September objShell = Nothing
' Clear the system/hidden/read-only attributes on the named malware files in
' c:\windows\system32 (the path is hard-coded, so a Windows directory elsewhere
' is not covered).
' The nretNN results are stored but never checked, and several names are
' reused.
nret15 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ amvo *.*", 0, TRUE)
nret16 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ avpo *.*", 0, TRUE)
nret20 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ help.exe.tmp", 0, TRUE)
nret15 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ KaVo *.*", 0, TRUE)
nret15 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ ckvo *.*", 0, TRUE)
nret56 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ SEMO *.*", 0, TRUE)
nret60 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ SEMO *.*.*", 0, TRUE)
' NOTE(review): these lines presumably lost a "del" in translation
' ("cmd /C del /f c:\windows\system32\..."); as printed they contain no command
' name - confirm.
nret23 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ amvo *.*", 0, TRUE)
nret24 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ avpo *.*", 0, TRUE)
nret24 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ KaVo *.*", 0, TRUE)
nret24 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ ckvo *.*", 0, TRUE)
nret57 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ SEMO *.*", 0, TRUE)
nret59 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ SEMO *.*.*", 0, TRUE)
' Remove the listed autostart values from the current user's Run key.
' Only HKEY_CURRENT_USER is handled here; the listing has no matching step for
' the HKEY_LOCAL_MACHINE Run key.
nret31 = geekside.Run ( "cmd / C reg delete HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ / v amva / f", 0, TRUE)
nret32 = geekside.Run ( "cmd / C reg delete HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ / v avpo / f", 0, TRUE)
nret68 = geekside.Run ( "cmd / C reg delete HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ / v avpa / f", 0, TRUE)
nret68 = geekside.Run ( "cmd / C reg delete HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ / v kava / f", 0, TRUE)
nret68 = geekside.Run ( "cmd / C reg delete HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ / v ckvo / f", 0, TRUE)
nret68 = geekside.Run ( "cmd / C reg delete HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ / v ckva / f", 0, TRUE)
' Restore the Explorer settings that control the display of hidden and
' protected files, then re-enable Folder Options and the registry tools.
' The echoed message is garbled; presumably it announces that the setting for
' viewing hidden files is being restored.
' NOTE(review): the HKEY_LOCAL_MACHINE writes normally need administrative
' rights. The return codes are never checked, so a denied write is not
' reported.
Wscript.echo "There will be resturar recording system to view hidden files"
' Per-user values: Hidden, SuperHidden and ShowSuperHidden are all set to 1.
nret33 = geekside.Run ( "cmd / C reg add HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ / v Hidden / t REG_DWORD / d 1 / f", 0, TRUE)
nret43 = geekside.Run ( "cmd / C reg add HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ / v SuperHidden / t REG_DWORD / d 1 / f", 0, TRUE)
nret44 = geekside.Run ( "cmd / C reg add HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ / v ShowSuperHidden / t REG_DWORD / d 1 / f", 0, TRUE)
' The same three values, machine-wide.
nret45 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ / v Hidden / t REG_DWORD / d 1 / f", 0, TRUE)
nret46 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ / v SuperHidden / t REG_DWORD / d 1 / f", 0, TRUE)
nret47 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ / v ShowSuperHidden / t REG_DWORD / d 1 / f", 0, TRUE)
' Values under Advanced\Folder\Hidden (NOHIDDEN, SHOWALL) and
' Advanced\Folder\SuperHidden.
' NOTE(review): "/ CheckedValue v" is presumably a translation-swapped
' "/v CheckedValue" - confirm.
' SHOWALL\CheckedValue is deleted and then re-created as a REG_DWORD with
' value 1.
nret34 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ NOHIDDEN \ / CheckedValue v / t REG_DWORD / d 2 / f", 0, TRUE)
nret35 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ NOHIDDEN \ / v DefaultValue / t REG_DWORD / d 2 / f", 0, TRUE)
nret36 = geekside.Run ( "cmd / C reg delete HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ SHOWALL \ / CheckedValue v / f", 0, TRUE)
nret37 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ SHOWALL \ / CheckedValue v / t REG_DWORD / d 1 / f", 0, TRUE)
nret38 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ SHOWALL \ / v DefaultValue / t REG_DWORD / d 2 / f", 0, TRUE)
nret39 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ SuperHidden \ / CheckedValue v / t REG_DWORD / d 0 / f", 0, TRUE)
nret40 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ SuperHidden \ / v DefaultValue / t REG_DWORD / d 0 / f", 0, TRUE)
nret48 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ / v Type / t REG_SZ / d Group / f", 0, TRUE)
' Set the NoFolderOptions (HKCU and HKLM) and DisableRegistryTools (HKCU)
' policy values to 0, which re-enables Folder Options and the registry tools.
nret61 = geekside.Run ( "cmd / C reg add HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ / v NoFolderOptions / t REG_DWORD / d 0 / f", 0, TRUE)
nret62 = geekside.Run ( "cmd / C reg add HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ / v NoFolderOptions / t REG_DWORD / d 0 / f", 0, TRUE)
nret63 = geekside.Run ( "cmd / C reg add HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System \ / v DisableRegistryTools / t REG_DWORD / d 0 / f", 0, TRUE)
' Restart Explorer, presumably so the new settings take effect.
' This closes the user's open Explorer windows.
nret78 = geekside.Run ( "cmd / C taskkill / f / im explorer.exe", 0, TRUE)
nret79 = geekside.Run ( "cmd / C start explorer.exe", 0, TRUE)
' Second pass over c:\windows\system32. These thirteen commands repeat the
' earlier attribute-clear and delete commands, presumably to catch files that
' were locked until Explorer was restarted.
nret15 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ amvo *.*", 0, TRUE)
nret16 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ avpo *.*", 0, TRUE)
nret20 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ help.exe.tmp", 0, TRUE)
nret15 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ KaVo *.*", 0, TRUE)
nret15 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ ckvo *.*", 0, TRUE)
nret56 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ SEMO *.*", 0, TRUE)
nret60 = geekside.Run ( "cmd / C attrib-s-h-rc: \ windows \ system32 \ SEMO *.*.*", 0, TRUE)
nret23 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ amvo *.*", 0, TRUE)
nret24 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ avpo *.*", 0, TRUE)
nret24 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ KaVo *.*", 0, TRUE)
nret24 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ ckvo *.*", 0, TRUE)
nret57 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ SEMO *.*", 0, TRUE)
nret59 = geekside.Run ( "cmd / C / fc: \ windows \ system32 \ SEMO *.*.*", 0, TRUE)
' Sweep the root of every ready drive for each file-name pattern in the list.
' NOTE(review): the array is declared as List but indexed here as Lista,
' probably a translation artefact (Spanish "Lista"). If the mismatch is in the
' real script, On Error Resume Next hides the error and this sweep deletes
' nothing.
' X is used without a Dim.
For Each objDrive in colDrives
If objDrive.IsReady = True Then
For X = 0 to UBound (List)
' Clear attributes on the pattern, then delete it. "the" is presumably a
' mistranslated "del" - confirm.
NRET geekside.Run = ( "cmd / C attrib-s-h-r" & objDrive.DriveLetter & ": \" & Lista (X )&"", 0, TRUE)
NRET geekside.Run = ( "cmd / C cd \ & the" objDrive.DriveLetter & & ": \" & Lista (X) & "/ f / q / a", 0, TRUE)
Next
End If
Next
' NOTE(review): this success message is printed unconditionally. No return
' code is inspected and nothing re-checks that the files or registry values
' are gone, so it does not show that the machine is clean; verify
' independently.
Wscript.echo "Congratulations! Your computer is disinfected of viruses and their variants amvo"
' The string literal below is split across two lines in this listing, which
' VBScript does not allow; presumably an extraction artefact.
Wscript.echo "
www.mygeekside.com"
' Always exits with code 0, whatever the result of the steps above.
WScript. Quit (0)
-------------------------------------------------- ------------------------------------