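'Remove Registry entries and files from kwbot worm
'xp_clean_kwbot.vbs
'© Doug Knox - 04/05/2003
'Downloaded from http://www.dougknox.com
'
'Scope: this script removes the autorun values, the Krypton key, the
'Kazaa/iMesh share entries and the two folders listed below, and resets the
'Winlogon shell value. It does not stop a running process and does not look
'for any other file, so follow it with a full anti-virus scan.
'The HKLM changes and the folders under the Windows directory need
'administrative rights; anything that is still present afterwards is counted
'and reported instead of being silently ignored.

Option Explicit

Dim WshShell, fso, tfolder, Message
Dim runKey, valueName, i
Dim leftovers   'number of items that were still present after the attempt

leftovers = 0
Set WshShell = WScript.CreateObject("WScript.Shell")

'Delete Local Machine autorun registry values
For Each runKey In Array("Run", "RunServices", "RunOnce")
    For Each valueName In Array("SystemSAS", "CMD")
        DeleteRegValue "HKLM\Software\Microsoft\Windows\CurrentVersion\" & runKey & "\" & valueName
    Next
Next

'Trailing backslash = delete the key itself, not a value.
'NOTE(review): RegDelete may refuse a key that still has subkeys - confirm on the target OS.
DeleteRegKey "HKLM\Software\Krypton\"

'Delete Default User autorun registry values
'WshShell only accepts the abbreviations HKCU, HKLM and HKCR. "HKU" is rejected as an
'invalid root, so the original two deletions never ran; HKEY_USERS must be spelled out.
DeleteRegValue "HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Runonce\SystemSAS"
DeleteRegValue "HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Runonce\CMD"

'Delete Current User autorun registry values
'HKCU is the account running the script; other user profiles are not touched.
DeleteRegValue "HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\SystemSAS"
DeleteRegValue "HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\CMD"

'Rewrite the correct Shell value
'This overwrites whatever is stored there, including a deliberately configured
'alternative shell (for example on a kiosk machine).
RestoreShell

'Delete entries that cause Kazaa and Imesh users to share the folders created below.
'Dir0-Dir9 are removed unconditionally, so share entries the user configured in
'these slots are removed as well and must be re-added in the client afterwards.
For i = 0 To 9
    DeleteRegValue "HKCU\Software\Kazaa\LocalContent\Dir" & i
Next
For i = 0 To 9
    DeleteRegValue "HKCU\Software\iMesh\Client\LocalContent\Dir" & i
Next

'Delete possible temp folders that the worm creates.
Set fso = CreateObject("Scripting.FileSystemObject")
Set tfolder = fso.GetSpecialFolder(0)   '0 = the Windows folder
DeleteFolderIfPresent tfolder & "\UserTemp"
DeleteFolderIfPresent tfolder & "\User32"

'display message
If leftovers = 0 Then
    Message = "Your system should be cleaned" & vbCR
    Message = Message & "of the remnants of the KWbot.worm"
    MsgBox Message, vbOKOnly, "Done"
Else
    Message = leftovers & " item(s) could not be removed or reset." & vbCR
    Message = Message & "Run the script again with administrative rights."
    MsgBox Message, vbOKOnly + vbExclamation, "Not finished"
End If

Set WshShell = Nothing
Set fso = Nothing

'Delete one registry value. A value that does not exist is the normal case and
'is not an error; a value that can still be read afterwards is counted.
Sub DeleteRegValue(regPath)
    Dim probe
    On Error Resume Next   'scoped to this Sub only
    WshShell.RegDelete regPath
    Err.Clear
    probe = WshShell.RegRead(regPath)
    'RegRead succeeding means the value survived the delete (typically no write access).
    If Err.Number = 0 Then leftovers = leftovers + 1
    Err.Clear
End Sub

'Delete one registry key (path ends in a backslash). Best effort: the result is
'not verified, because reading a key's unset default value fails even when the
'key exists.
Sub DeleteRegKey(regPath)
    On Error Resume Next
    WshShell.RegDelete regPath
    Err.Clear
End Sub

'Reset the Winlogon Shell value to explorer.exe and count a failed write.
Sub RestoreShell()
    On Error Resume Next
    WshShell.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
    If Err.Number <> 0 Then leftovers = leftovers + 1
    Err.Clear
End Sub

'Force-delete a folder (True = include read-only content) if it exists and
'count it when it is still there afterwards.
Sub DeleteFolderIfPresent(folderPath)
    On Error Resume Next
    If fso.FolderExists(folderPath) Then
        fso.DeleteFolder folderPath, True
        Err.Clear
        If fso.FolderExists(folderPath) Then leftovers = leftovers + 1
    End If
    Err.Clear
End Sub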