InUse Destroyer script

From: Andrew Aronoff (ntbugtraq_at_AARONOFF.COM)
Date: 12/06/04

    Date:         Mon, 6 Dec 2004 20:16:32 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hello,

    I've written the "InUse Destroyer.vbs" script (IUD). IUD allows in-use
    files to be scheduled for deletion or replacement at reboot. Yes,
    there are other utilities that do that, but AFAIK, unlike IUD, they
    don't work under all Windows versions (W95, W98, NT4, W2K & WXP).

    I wrote IUD to easily schedule registry hives to be replaced at boot
    by versions in which spyware launch points have been suppressed. I
    also use it to delete spyware files, including AppInit_DLLs infectors.

    The IUD script:

    1. will replace but won't delete a registry hive

    2. accepts any number of deletions and replacements

    3. appends its instructions to any existing instructions

    4. detects if an append is in progress and displays this in all
       windows with the ">>" symbol

    5. optionally reboots the system when done.

    The script is written in VBScript and requires WMI (and Admin rights)
    for NT4 or higher. (WMI is not required under W98.) Please note that
    it does *not* handle Unicode file names. The GUI is in VBScript -- I
    opted to avoid an IE interface because the script targets infected
    systems and use of IE on an infected system is reckless.

    IUD can be downloaded here:
    http://www.silentrunners.org/InUse%20Destroyer.vbs

    or here: http://tinyurl.com/6qjah

    Its MD5 hash is: C9D1BF1ED265365C65737B08BDC1017A

    regards, Andy

                                  ----------
          To identify everything that starts up with Windows, download
                  "Silent Runners.vbs" at www.silentrunners.org
                                  ----------
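Added example (not part of the original post and not taken from the IUD script): on NT-family Windows, reboot-time deletions and replacements are queued in the `PendingFileRenameOperations` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, so decoding that value shows what is scheduled for the next boot and whether a registry hive is involved. Assumptions: the post does not say which mechanism IUD uses, and the function names and sample data here are constructed for illustration.

```python
"""Decode a raw PendingFileRenameOperations value (constructed sample below)."""
from collections import namedtuple

PendingOp = namedtuple("PendingOp", "action source target touches_hive")
NT_PREFIX = "\\??\\"  # NT object-manager prefix stored in front of each path

def _strip(path):
    # A leading "!" on a target means "replace the existing file".
    if path.startswith("!"):
        path = path[1:]
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def _is_hive(path):
    p = (path or "").lower()
    return "\\system32\\config\\" in p or p.endswith("\\ntuser.dat")

def parse_pending_ops(raw):
    """raw: REG_MULTI_SZ bytes (UTF-16LE) holding source/target string pairs."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]          # terminator of the whole list
    strings = text.split("\0")
    if strings and strings[-1] == "":
        strings.pop()             # split artifact after the last string
    if len(strings) % 2:
        strings.append("")        # tolerate a truncated final pair
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        source, target = _strip(src), _strip(dst)
        # An empty target deletes the source; otherwise source is moved onto it.
        action = "replace" if target else "delete"
        ops.append(PendingOp(action, source, target or None,
                             _is_hive(source) or _is_hive(target)))
    return ops

def _multi_sz(*strings):
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")

# Constructed sample: one DLL deletion, one hive replacement, one temp-file deletion.
SAMPLE = _multi_sz(
    r"\??\C:\WINDOWS\system32\example_appinit.dll", "",
    r"\??\C:\Repair\SOFTWARE.clean", r"!\??\C:\WINDOWS\system32\config\SOFTWARE",
    r"\??\C:\Temp\old.tmp", "",
)

if __name__ == "__main__":
    for op in parse_pending_ops(SAMPLE):
        flag = "  [registry hive]" if op.touches_hive else ""
        print(f"{op.action:8} {op.source} -> {op.target}{flag}")
```

The parser works on the raw bytes because a deletion is stored as an empty target string, which list-based readers of multi-string values can mistake for the end of the data.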
