RMT trojan removal batch script for Windows
@echo off
rem Skeptic - removal script for the RMT trojan on Windows.
rem Runs in the current directory and expects these helpers next to it:
rem   pslist       - a text file with one process name per line, read by the body section
rem   findrepl.bat - filter that appears to drop the column header from wmic output - confirm
rem Also relies on wmic, tskill.exe, reg and attrib. Deleting a key under HKEY_LOCAL_MACHINE
rem will normally need an elevated prompt - confirm before relying on that step.
rem Scratch files tm1 to tm6 and tm.vbs are written into the current directory under fixed
rem names, so run the script from a dedicated working folder.
rem Latest update 13 march 2015 .. Fixing bug in retrieving files from USB
rem #head
:head
setlocal enabledelayedexpansion
:tm
rem The number of temporary files is 6
rem sn is the scratch file count and is reused by the dtm loop at the end to delete them.
set /a sn=6
rem an is never initialised - set /a treats an unset variable as 0, so the first value is 1.
set /a an=an+1
rem Continue with the body once tm1 to tm6 have all been created.
if !an! gtr !sn! ( goto :body )
rem Create one empty scratch file per iteration, named tm1, tm2, ... tm6.
echo. > tm!an!
goto :tm
rem Unreachable - the goto above always jumps back to tm.
goto :body
:notify
rem Show a message box through a generated one-line VBScript.
rem Argument 1 - 1 for an information dialog, 2 for a warning dialog, anything else shows nothing.
rem Argument 2 - the message text, passed quoted by every caller.
rem Argument 3 - the dialog title, passed quoted by every caller.
rem The arguments are pasted verbatim into script text, so callers must only pass literal
rem strings that this script controls, which all current call sites do.
rem 64 and 48 are the VBScript vbInformation and vbExclamation icon constants.
rem tm.vbs is run by invoking it directly, so the .vbs file association picks the interpreter.
if %1 equ 1 (
echo msgbox%2,64,%3 > tm.vbs
tm.vbs
)else if %1 equ 2 (
echo msgbox%2,48,%3 > tm.vbs
tm.vbs
)
rem Always remove the generated script, even when no dialog was shown.
del /q /a tm.vbs
goto :eof
rem #body
:body
rem Detection: the machine counts as infected if any process named in the pslist file is running.
setlocal
rem detect whether the computer is infected
rem Each line of the pslist file is one process name. delims=* keeps the whole line as one token.
for /f "delims=*" %%s in (pslist) do (
rem The name is spliced into a WQL where clause, so pslist must be a trusted file and
rem its entries must not contain quote characters.
rem find succeeds only when wmic printed the CommandLine column header, which happens
rem only when at least one process with that name exists.
wmic process where name='%%s' get commandline | find "CommandLine"
if !errorlevel! equ 0 ( goto :infected )
)
:notinfected
call :notify 1 "You are lucky , your OS is not infected" "Skeptic"
goto :ucheck
:infected
call :notify 2 "Unfortantly for you the trojan has been detected on your OS" "Skeptic: Detection"
call :notify 1 "Skeptic will go through couple of tasks to delete it completly" "Skeptic: Tasks"
rem Collect the command line of every listed process into tm2 and its process id into tm3.
rem findrepl.bat with /v /o:1:1 appears to strip the first, header, line of the wmic output - confirm.
for /f "delims=*" %%s in ( pslist) do (
wmic process where name='%%s' get commandline> tm1
type tm1 | findrepl.bat /v /o:1:1 >> tm2
wmic process where name='%%s' get processid> tm1
type tm1 | findrepl.bat /v /o:1:1 >> tm3
rem delete files from startup folder
rem This is the Windows XP profile layout. On Vista and later the Startup folder lives under
rem AppData\Roaming\Microsoft\Windows\Start Menu, so this line does nothing there - confirm.
del /q /s /a /f "%USERPROFILE%\Start Menu\Programs\Startup\%%s"
)
rem Terminate every collected process id.
for /f "delims=*" %%v in (tm3) do (
tskill.exe /A %%v
echo %%v has been killed
)
rem Delete the executable behind every collected command line. The value is used unquoted as
rem a path, so this only works when the command line is a bare path without spaces or arguments.
for /f "delims=*" %%v in (tm2) do (
del /Q %%v
echo %%v has been deleted
)
rem delete the left out files and the reg key
rem ping is used as a delay of roughly ten seconds so the killed processes release their files.
rem NOTE: confirm that pinging 0.0.0.0 actually waits on the target Windows version.
ping -n 10 0.0.0.0 > nul
rem Known residual artifacts, referenced by their 8.3 short names.
del /q /f /a "%USERPROFILE%\--DOC-~1.EXE","%USERPROFILE%\--DOC-~1.EXE.bin"
rem Wow6432Node only exists on 64-bit Windows - on 32-bit the delete reports an error and the script continues.
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\--DOC-~1 /f
rem Application Data is again the XP profile layout.
rmdir /s /q "%USERPROFILE%\Application Data\SecureBrowsing"
call :notify 1 "Congrats , The trojan has been wiped out" "Skeptic: Congrats"
rem Closes the setlocal opened at the top of body. sn was set in the outer scope and survives.
endlocal
goto :ucheck
:ucheck
rem Drive check: look in the root of every logical drive for any name containing RMT.
call :notify 1 "Skeptic going to check wather your removable drivers are infected" "Skeptic: check"
rem wmic logicaldisk without a DriveType filter lists every drive, fixed disks included,
rem not only removable ones. findrepl.bat again appears to drop the column header - confirm.
wmic logicaldisk get name > tm4
type tm4 | findrepl.bat /v /o:1:1 > tm5
for /f "delims=*" %%c in ('type tm5') do (
rem The tm5 entries keep the trailing padding from wmic. Unlike the loop in uinfected,
rem this one does not strip it, so the backslash may be separated from the drive letter
rem and dir may not list the drive root - confirm on a real run.
rem find matches any name containing RMT, and the goto leaves the loop at the first hit,
rem so tm6 never holds more than one drive.
dir /a %%c\ | find "RMT"
if !errorlevel! equ 0 (
echo %%c >> tm6
goto :uinfected
)
)
:unotinfected
call :notify 1 "Good for you , your removable drivers are not infected" "Skeptic: checking result"
goto :end
:uinfected
Call :notify 2 "Your removable drivers are indeed infected , skeptic will go through couple procedures to remove the trojan and retrieve your files" "Skeptic: tasks"
for /f "delims=*" %%b in ('type tm6') do (
rem Strip the spaces that wmic padded onto the drive letter.
set rb=%%b
set nb=!rb: =!
echo !nb!
rem Destructive: removes every .lnk and .exe in the drive root, legitimate ones included.
del /a /q !nb!\*.lnk,!nb!\*.exe,!nb!\*.EXE
rem Clear hidden, read-only and system on every root entry, presumably because the trojan hides them.
for /f "delims=*" %%g in ('dir /b /a !nb!') do ( attrib !nb!\%%g -h -r -s )
rem Move the files stashed in RMT_UserData back to the drive root, then drop the trojan folders.
for /f "delims=*" %%g in ('dir /b /a !nb!\RMT_UserData\') do ( move "!nb!\RMT_UserData\%%g" !nb!\. )
rmdir /q /s !nb!\RMT_UserData,!nb!\RMT_Core
)
call :notify 1 "Congrats , skeptic got rid of the trojan and retrieved your files" "Skeptic: congrats"
goto :end
rem #end
:end
rem Cleanup: remove the tm1 to tm6 scratch files by counting sn down from 6, then stop.
rem tm.vbs is already removed by each notify call.
rem delete tmp files
call :notify 1 "All done, press ok to delete couple temprory files and exit ." "Skeptic: All done"
:dtm
del /a /q tm!sn!
set /a sn=!sn!-1
if !sn! equ 0 (
goto :eof
)
goto :dtm
rem Unreachable: the loop above always ends through goto :eof. Keep it that way - this
rem line would delete every file in the working directory, including pslist and findrepl.bat.
del /a /q /f *
exit