#NoTrayIcon
#include <File.au3>
; Developed by Juno_okyo (J2TEAM)
; https://junookyo.blogspot.com/

; Folder the malware copies itself into: %APPDATA%\<user name>.
; Every clean-up step in main() works relative to this constant.
Global Const $PATH = @AppDataDir & "\" & @UserName

; The script has no UI; the clean-up starts as soon as it is launched.
main()
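; Clean-up entry point. Runs the steps in this fixed order: stop the dropped
; executables, stop the downloader, remove the autorun value, delete the drop
; folder, remove the rogue Chrome extension, then tell the user. Each helper
; is best-effort: a missing folder or an unreadable file skips that step
; instead of aborting the rest of the clean-up.
Func main()
    _KillDroppedExecutables()
    _KillDownloaderProcesses()
    _RemoveAutorunEntry()
    ; Remove malware folder (flag 1 = recursive, also deletes the contents)
    DirRemove($PATH, 1)
    _RemoveRogueChromeExtension()
    ; 64 = information icon, 262144 = top-most window
    MsgBox(64 + 262144, 'Done', 'Your computer has been cleaned!')
    ShellExecute('https://www.facebook.com/groups/j2team.community/')
EndFunc

; Close every process whose image name matches a *.exe dropped in $PATH
; (the miner). _FileListToArray flag 1 = files only, names without path,
; which is what ProcessExists/ProcessClose match on.
Func _KillDroppedExecutables()
    Local $files = _FileListToArray($PATH, '*.exe', 1)
    If @error Then Return ; folder missing or no *.exe in it: nothing to stop
    For $i = 1 To $files[0]
        If ProcessExists($files[$i]) Then ProcessClose($files[$i])
    Next
EndFunc

; Close the downloader: every running process whose name ends in ".mp4.exe".
; Closes by PID (ProcessList column 1) rather than by name, so that several
; instances of the same image name are all closed instead of only the first
; one ProcessClose would find by name.
Func _KillDownloaderProcesses()
    Local $processList = ProcessList()
    For $i = 1 To $processList[0][0]
        Local $processName = $processList[$i][0]
        ; StringLower first: == is a case-sensitive comparison in AutoIt
        If StringLower(StringRight($processName, 8)) == '.mp4.exe' Then
            ProcessClose($processList[$i][1])
        EndIf
    Next
EndFunc

; Remove the persistence entry. The HKCU Run value "GoogleUpdater" is deleted
; only when its data points into $PATH, so an unrelated value that happens to
; use the same name is left alone.
Func _RemoveAutorunEntry()
    Local $keyName = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
    Local $regValue = RegRead($keyName, 'GoogleUpdater')
    If Not @error And StringInStr($regValue, $PATH) Then
        RegDelete($keyName, 'GoogleUpdater')
    EndIf
EndFunc

; Remove the rogue Chrome extension: every version folder whose manifest.json
; contains 'Google Alonujur' is deleted. Chrome is closed first so the files
; are not locked. All version folders of each extension are inspected (the
; previous version only looked at the first one) and a manifest that cannot
; be read is skipped rather than treated as a match.
Func _RemoveRogueChromeExtension()
    Local $extensionsDir = @LocalAppDataDir & '\Google\Chrome\User Data\Default\Extensions'
    ; flag 2 = folders only, True = return full paths
    Local $extensions = _FileListToArray($extensionsDir, '*', 2, True)
    If @error Then Return ; no Chrome profile / no extensions installed
    ; Close Chrome processes to remove extension
    _ProcessCloseEx('chrome.exe')
    For $i = 1 To $extensions[0]
        ; One sub-folder per installed version of the extension
        Local $versions = _FileListToArray($extensions[$i], '*', 2, True)
        If @error Then ContinueLoop
        For $j = 1 To $versions[0]
            ; FileRead accepts a path directly, so there is no handle to close
            Local $manifest = FileRead($versions[$j] & '\manifest.json')
            If @error Then ContinueLoop
            If StringInStr($manifest, 'Google Alonujur') Then DirRemove($versions[$j], 1)
        Next
    Next
EndFunc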
; Force-close a process together with its child tree via taskkill /F /T.
; $sPID is either an image name (resolved with ProcessExists to the first
; matching PID) or a numeric PID. Returns the Run() result of the taskkill
; command; when no matching process exists it returns 0 with @error = 1.
Func _ProcessCloseEx($sPID)
    Local $iPID = $sPID
    If IsString($iPID) Then $iPID = ProcessExists($iPID)
    If Not $iPID Then Return SetError(1, 0, 0)
    Local $sCommand = @ComSpec & " /c taskkill /F /PID " & $iPID & " /T"
    Return Run($sCommand, @SystemDir, @SW_HIDE)
EndFunc