Eradication.ps1

# A script that will safely remove adversary footholds on systems. 
# 
# Be sure to replace your observables down below. Be careful not to
# included LOLBINs as they cannot be safely killed this way. Use
# Kill-Threads.ps1 for those.
#
# Used with great success during CF20
#
# Author: Eric Capuano

Write-Host "Beginning Eradication..."
# Stop malicious services
​
$services = `
"VolumeShadowCopyService"
​
Foreach ($service in $services) {
if (Get-Service $service -ErrorAction SilentlyContinue)
    {
        Stop-Service -Name $service -Force
        Remove-Service -Name $service
        Write-Host "Killing service - $($service)"
    }
}
​
# Kill malicious processes
​
$processes = `
"GoogleUpdateBroker",`
"JavaUpdateScheduler",`
"Googleupdate",`
"vscsvc",`
"Winx"
​
Foreach ($process in $processes) {
if (Get-Process $process -ErrorAction SilentlyContinue)
    {
        Stop-Process -Name $process -Force
        Write-Host "Killing process - $($process)"
    }
}
​
# Delete malware
​
$files = `
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\JavaUpdateScheduler.exe",`
"C:\Users\chloe.huang\AppData\Local\Google\Googleupdate.exe",`
"C:\Users\chloe.huang\AppData\Local\Google\Chrome\GoogleUpdateBroker.exe",`
"c:\windows\system32\vscsvc.exe",`
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\JavaUpdateScheduler.exe",`
"c:\users\susan.olsen\appdata\local\Microsoft\Windows\winx\winx.exe"
​
Foreach ($file in $files) {
if (Test-Path $file -PathType leaf)
    {
        Remove-Item $file
        Write-Host "Deleting File - $($file)"
    }
}
​
Write-Host "Eradication complete!"