https://junookyo.blogspot.com/2017/12/phan-tich-ma-doc-facebook-messenger.html

Remove-malware.au3

#NoTrayIcon
#include <File.au3>

; Developed by Juno_okyo (J2TEAM)
; https://junookyo.blogspot.com/

Global Const $PATH = @AppDataDir & '\' & @UserName

main()

Func main()
	; Find miner.exe
	Local $files = _FileListToArray($PATH, '*.exe', 1)

	If Not @error Then
		; Kill the process
		For $i = 1 To $files[0]
			If ProcessExists($files[$i]) Then ProcessClose($files[$i])
		Next
	EndIf

	; Kill the downloader
	Local $processList = ProcessList()

	For $i = 1 To $processList[0][0]
		Local $processName = $processList[$i][0]
		If StringLower(StringRight($processName, 8)) == '.mp4.exe' Then ProcessClose($processName)
	Next

	; Remove copied files of malware
	Local $keyName = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
	Local $regValue = RegRead($keyName, 'GoogleUpdater')

	If Not @error And StringInStr($regValue, $PATH) Then
		RegDelete($keyName, 'GoogleUpdater')
	EndIf

	; Remove malware folder
	DirRemove($PATH, 1)

	; Remove malware extension
	Local $extensions = _FileListToArray(@LocalAppDataDir & '\Google\Chrome\User Data\Default\Extensions', '*', 2, True)

	If Not @error Then

		; Close Chrome processes to remove extension
		_ProcessCloseEx('chrome.exe')

		For $i = 1 To $extensions[0]

			; Get version
			Local $folders = _FileListToArray($extensions[$i], '*', 2, True)

			If Not @error Then
				Local $extension = $folders[1]
				Local $fp = FileOpen($extension & '\manifest.json')
				Local $data = FileRead($fp)
				FileClose($fp)

				If StringInStr($data, 'Google Alonujur') Then DirRemove($extension, 1)
			EndIf
		Next
	EndIf

	MsgBox(64 + 262144, 'Done', 'Your computer has been cleaned!')
	ShellExecute('https://www.facebook.com/groups/j2team.community/')
EndFunc

Func _ProcessCloseEx($sPID)
    If IsString($sPID) Then $sPID = ProcessExists($sPID)
    If Not $sPID Then Return SetError(1, 0, 0)

    Return Run(@ComSpec & " /c taskkill /F /PID " & $sPID & " /T", @SystemDir, @SW_HIDE)
EndFunc