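' --------------------------------------------------------------------
' VBS script that eradicates GATOR (spyware installed with DivX V5)
'
' JC BELLAMY © 2002
'
' Order of operations:
'   1. make sure the script runs under CSCRIPT (TestHost),
'   2. ask the operator for confirmation,
'   3. terminate the known Gator processes,
'   4. delete the known registry keys, folders and log files,
'   5. print the accumulated report.
'
' NOTE(review): the script deletes under HKEY_LOCAL_MACHINE and terminates
' processes, so it presumably needs administrative rights; nothing here
' checks for them, failures are only reported in the final message.
' --------------------------------------------------------------------
Const HKEY_CLASSES_ROOT = &H80000000
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
Const SW_SHOWNORMAL = 1

Dim net, shell, user, computer, args, fso, objRegistry, wmiLocator, wmiNameSpace
Dim StdIn, StdOut
Dim foundAny

Set StdIn = WScript.StdIn
Set StdOut = WScript.StdOut
Set net = WScript.CreateObject("WScript.Network")
Set shell = WScript.CreateObject("WScript.Shell")
Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set args = WScript.Arguments
Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
Set wmiNameSpace = wmiLocator.ConnectServer("", "root\default")
Set objRegistry = wmiNameSpace.Get("StdRegProv")

' Console output is required, so insist on CSCRIPT.
TestHost True

' Banner and explicit confirmation: nothing is deleted unless the
' operator answers O (oui) or Y (yes).
message = "Eradication du spyware GATOR" & vbCrLf
message = message & "JCB © 2002" & vbCrLf
message = message & "----------------------------" & vbCrLf
message = message & "Ce script va détecter l'existence de GATOR" & vbCrLf
message = message & "et le désinstaller le cas échéant" & vbCrLf
WScript.Echo message

StdOut.Write "Voulez-vous continuer (O/N) ? : "
rep = StdIn.ReadLine
If Len(rep) = 0 Then rep = "N"
rep = UCase(Left(rep, 1))
If (rep <> "O") And (rep <> "Y") Then WScript.Quit

WScript.Echo "Veuillez patienter..."
message = ""

' From here on the main body is best-effort: an error in one clean-up
' step must not prevent the following ones from running.
On Error Resume Next

' Check whether Gator's initial process (the "Trickler") is registered.
' NOTE(review): the path comes straight from a registry value written by
' the software being removed; whatever file it names is terminated by
' image name and then deleted. Confirm the value before running this on a
' machine where that key may have been tampered with.
trickler = shell.RegRead("HKEY_LOCAL_MACHINE\software\Gator.com\Trickler\AppPath")
If Err.Number = 0 And Len(trickler) > 0 Then
    ProcessName = fso.GetFileName(trickler)
    KillProcess ProcessName
    DelFile trickler
End If

KillProcess "GMT.exe"
KillProcess "CMESys.exe"

DelKey HKEY_CLASSES_ROOT, "clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}\"
DelKey HKEY_LOCAL_MACHINE, "software\Gator.com\"
DelKey HKEY_LOCAL_MACHINE, "software\GatorTest\"
' NOTE(review): if stashedgef / stashedgmg are values rather than subkeys
' of CurrentVersion, DeleteKey cannot remove them - confirm on an
' infected machine.
DelKey HKEY_LOCAL_MACHINE, "software\microsoft\windows\currentversion\stashedgef"
DelKey HKEY_LOCAL_MACHINE, "software\microsoft\windows\currentversion\stashedgmg"
DelKey HKEY_LOCAL_MACHINE, "software\microsoft\windows\currentversion\run\cmesys"
' Autorun entries are stored as VALUES of the Run key, which DeleteKey
' cannot remove; delete the value as well so no start-up entry survives.
DelValue HKEY_LOCAL_MACHINE, "software\microsoft\windows\currentversion\run", "cmesys"

dir1 = shell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
dir2 = shell.ExpandEnvironmentStrings("%USERPROFILE%")
GatorFolder = "GAIN"

' Search both profile trees. The result of each search is remembered so
' that "not found" is reported only when neither tree contained the folder
' (the flag used by Explore is reset between the two searches).
foundAny = False
trouve = False
Explore dir1
If trouve Then foundAny = True
trouve = False
Explore dir2
If trouve Then foundAny = True
If Not foundAny Then AddMessage "Dossier de démarrage de GATOR non trouvé"

DelFolder shell.ExpandEnvironmentStrings("%TEMP%") & "\fsg_tmp"
DelFolder shell.ExpandEnvironmentStrings("%CommonProgramFiles%") & "\CMEII"
DelFolder shell.ExpandEnvironmentStrings("%CommonProgramFiles%") & "\GMT"
DelFile shell.ExpandEnvironmentStrings("%windir%") & "\GatorPatch.log"
DelFile shell.ExpandEnvironmentStrings("%windir%") & "\GatorPdpSetup.log"

AddMessage vbCrLf & "*** GATOR éradiqué ***"
WScript.Echo Message
WScript.Quit

'----------------------------------------------------------------------
' Deletes a registry key (recursively if needed) and logs the outcome.
'   hive : one of the HKEY_* constants
'   key  : subkey path; trailing backslashes are accepted
Sub DelKey(hive, key)
    Dim lRC, KeyName, target
    KeyName = HiveName(hive) & key

    ' Strip trailing backslashes: they name the same key, and keeping them
    ' would produce "a\\b" paths when DelAllSubkey appends child names.
    target = key
    Do While Right(target, 1) = "\"
        target = Left(target, Len(target) - 1)
    Loop

    ' Never hand an empty path to the recursive delete: that would address
    ' the root of the hive.
    If Len(target) = 0 Then
        AddMessage "Clef non trouvée ou impossible à supprimer :" & vbCrLf & " " & KeyName
        Exit Sub
    End If

    ' DeleteKey fails on a key that still has subkeys; fall back to the
    ' recursive helper in that case.
    lRC = objRegistry.DeleteKey(hive, target)
    If lRC <> 0 Then lRC = DelAllSubkey(hive, target)

    If lRC <> 0 Then
        AddMessage "Clef non trouvée ou impossible à supprimer :" & vbCrLf & " " & KeyName
    Else
        AddMessage "Clef supprimée :" & vbCrLf & " " & KeyName
    End If
End Sub

' -------------------------------------
' Deletes a single named value under a registry key and logs the outcome.
'   hive      : one of the HKEY_* constants
'   key       : subkey path that holds the value
'   valueName : name of the value to delete
Sub DelValue(hive, key, valueName)
    Dim lRC, fullName
    fullName = HiveName(hive) & key & "\" & valueName
    lRC = objRegistry.DeleteValue(hive, key, valueName)
    If lRC <> 0 Then
        AddMessage "Valeur non trouvée ou impossible à supprimer :" & vbCrLf & " " & fullName
    Else
        AddMessage "Valeur supprimée :" & vbCrLf & " " & fullName
    End If
End Sub

' -------------------------------------
' Depth-first deletion of a key and all of its subkeys.
' Returns the result code of the final DeleteKey on the key itself
' (0 means success).
Function DelAllSubkey(hive, key)
    Dim lRC, sNames, sKeyName
    On Error Resume Next
    lRC = objRegistry.EnumKey(hive, key, sNames)
    ' EnumKey leaves sNames as a non-array when the key is missing or has
    ' no subkeys; only iterate over a real array.
    If IsArray(sNames) Then
        For Each sKeyName In sNames
            If Err.Number <> 0 Then Exit For
            lRC = DelAllSubkey(hive, key & "\" & sKeyName)
        Next
    End If
    On Error GoTo 0
    DelAllSubkey = objRegistry.DeleteKey(hive, key)
End Function

'----------------------------------------------------------------------
' Force-deletes a file if it exists and logs the outcome.
Sub DelFile(filespec)
    On Error Resume Next
    If fso.FileExists(filespec) Then
        ' Second argument True: delete even if the file is read-only.
        fso.DeleteFile filespec, True
        If Err.Number <> 0 Then
            AddMessage Err.Description & " dans la suppression du fichier" & vbCrLf & " " & filespec
        Else
            AddMessage "Fichier supprimé : " & vbCrLf & " " & filespec
        End If
    Else
        AddMessage "Fichier " & filespec & " inexistant"
    End If
End Sub

'----------------------------------------------------------------------
' Maps an HKEY_* constant to its display name (with trailing backslash);
' returns "?\" for an unknown hive.
Function HiveName(hive)
    Select Case hive
        Case HKEY_CLASSES_ROOT
            HiveName = "HKEY_CLASSES_ROOT\"
        Case HKEY_CURRENT_USER
            HiveName = "HKEY_CURRENT_USER\"
        Case HKEY_LOCAL_MACHINE
            HiveName = "HKEY_LOCAL_MACHINE\"
        Case HKEY_USERS
            HiveName = "HKEY_USERS\"
        Case Else
            HiveName = "?\"
    End Select
End Function

'----------------------------------------------------------------------
' Force-deletes a folder and its content if it exists and logs the outcome.
Sub DelFolder(folderspec)
    If fso.FolderExists(folderspec) Then
        On Error Resume Next
        ' Second argument True: delete read-only content as well.
        fso.DeleteFolder folderspec, True
        If Err.Number <> 0 Then
            AddMessage Err.Description & " dans la suppression du dossier" & vbCrLf & " " & folderspec
        Else
            AddMessage "Dossier supprimé : " & vbCrLf & " " & folderspec
        End If
        On Error GoTo 0
    Else
        AddMessage "Dossier " & folderspec & " inexistant"
    End If
End Sub

'----------------------------------------------------------------------
' Recursively searches the tree rooted at dir for the first folder whose
' name equals the global GatorFolder (case-insensitive), deletes it and
' sets the global flag trouve. Does nothing once trouve is already True.
'
' NOTE(review): the match is on the folder NAME only, so the first folder
' called "GAIN" anywhere under the profile is deleted, whether or not it
' belongs to Gator. Consider restricting the search to the Start Menu
' folders or asking for confirmation before deleting.
' NOTE(review): there is no error handling here; an unreadable subfolder
' raises an error that propagates to the caller and ends the search of
' that tree.
Sub Explore(dir)
    Dim f, collf, subf
    If trouve Then Exit Sub
    Set f = fso.GetFolder(dir)
    If UCase(f.Name) = UCase(GatorFolder) Then
        trouve = True
        DelFolder f.Path
    Else
        Set collf = f.SubFolders
        For Each subf In collf
            Explore subf.Path
        Next
    End If
End Sub

'----------------------------------------------------------------------
' Appends one line to the global report shown at the end of the run.
Sub AddMessage(msg)
    Message = Message & vbCrLf & msg
End Sub

'----------------------------------------------------------------------
' Terminates every process whose image name equals ProcessName
' (case-insensitive) and logs the outcome of each attempt.
'
' NOTE(review): processes are matched by image name only, so an unrelated
' program that happens to use the same file name would be terminated too.
Sub KillProcess(ProcessName)
    Dim ProcessSet, Process, procName, result
    On Error Resume Next

    Set ProcessSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf _
        ("Win32_process")
    ' Without this check a WMI failure would fall through the loop below
    ' and be reported as a successful termination.
    If Err.Number <> 0 Then
        AddMessage "Erreur terminaison processus " & ProcessName & " code " & Err.Number
        Err.Clear
        Exit Sub
    End If

    For Each Process In ProcessSet
        If Err.Number <> 0 Then Exit For

        ' Read the name into a variable first: an error inside an If
        ' condition under "On Error Resume Next" resumes INSIDE the branch.
        procName = ""
        procName = Process.Name
        If Err.Number <> 0 Then
            Err.Clear
        ElseIf UCase(procName) = UCase(ProcessName) Then
            result = Process.Terminate(0)
            If Err.Number <> 0 Then
                ' Terminate raised instead of returning a code.
                AddMessage "Erreur terminaison processus " & ProcessName & " code " & Err.Number
                Err.Clear
            ElseIf result <> 0 Then
                AddMessage "Erreur terminaison processus " & ProcessName & " code " & result
            Else
                AddMessage "Processus " & ProcessName & " correctement terminé"
            End If
        End If
    Next
End Sub

'----------------------------------------------------------------------
' Script-host check.
' Given the output produced, CSCRIPT (not WSCRIPT) should be used.
'   force : True  -> the script refuses to continue under another host
'           False -> CSCRIPT is only recommended
'
' When the operator agrees, a batch file is written that makes CSCRIPT the
' default host and relaunches this script with its original arguments.
' NOTE(review): "cscript //H:CScript //S" changes the default script host
' persistently, not just for this run, and setscript.bat is left on disk
' in the current directory afterwards.
Sub TestHost(force)
    Dim rep, Init, strappli, strFullName, strCommand
    Dim i, j, nomcmd, ficcmd, params

    strappli = LCase(WScript.ScriptFullName)
    strFullName = LCase(WScript.FullName)

    ' Extract the host executable name without path and extension.
    i = InStr(1, strFullName, ".exe", 1)
    j = InStrRev(strFullName, "\", i, 1)
    strCommand = Mid(strFullName, j + 1, i - j - 1)

    If strCommand <> "cscript" Then
        If force Then
            Init = "Ce script doit être lancé avec CSCRIPT"
        Else
            Init = "Il est préférable de lancer ce script avec CSCRIPT"
        End If

        rep = MsgBox(Init & vbCrLf & _
            "Cela peut être rendu permanent avec la commande" & vbCrLf & _
            "cscript //H:CScript //S /Nologo" & vbCrLf & _
            "Voulez-vous que ce soit fait automatiquement?", _
            vbYesNo + vbQuestion, strappli)

        If rep = vbYes Then
            ' Resolve the batch file to an absolute path so that the file
            ' that is executed is exactly the file that was just written,
            ' not another setscript.bat found through the search path.
            nomcmd = fso.GetAbsolutePathName("setscript.bat")
            Set ficcmd = fso.CreateTextFile(nomcmd, True)
            ficcmd.WriteLine "@echo off"
            ficcmd.WriteLine "cscript //H:CScript //S /Nologo"
            ficcmd.WriteLine "pause"

            ' Forward the original arguments (the loop bound used to be an
            ' undefined variable, so none were ever forwarded). Each one is
            ' quoted so spaces and cmd.exe separators stay inside the
            ' argument; %VAR% sequences are still expanded by cmd.exe.
            params = ""
            For i = 0 To args.Count - 1
                params = params & " " & Chr(34) & args(i) & Chr(34)
            Next
            ficcmd.WriteLine Chr(34) & strappli & Chr(34) & params
            ficcmd.WriteLine "pause"
            ficcmd.Close

            ' Wait for the relaunched run to finish, then stop this instance.
            shell.Run Chr(34) & nomcmd & Chr(34), SW_SHOWNORMAL, True
            force = True
        End If

        If force Then WScript.Quit
    End If
End Sub
'--------------------------------------------------------------------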