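'This script written by Keith Price 4.25.08 keith@engr.oregonstate.edu
'Removes current incarnation of the GSPI worm.
'
' What this part of the script does, in order:
'   1. Re-launches itself under cscript.exe if it was started with wscript.exe,
'      so that step 2 does not terminate the cleaner itself.
'   2. Terminates every running WScript.exe process.
'   3. Deletes gspi*vbs and autorun.inf from the root of each removable or
'      fixed drive (the A: drive is skipped).
'   4. Deletes gspi*vbs from the Windows folder.
' Every step that can fail is checked and reported, so a run that leaves
' worm files or processes behind does not look like a clean one.

' Kept from the original: a single failure (locked file, access denied)
' must not abort the rest of the cleanup. Failures are counted instead.
On Error Resume Next

Dim objWMIService, objProcess, colProcess
Dim strComputer, strProcessKill
Dim cleanupFailures, lngResult, strCScript, strWinDir

cleanupFailures = 0
Set objFS = CreateObject("Scripting.FileSystemObject")

script_engine = LCase(Mid(WScript.FullName, InstrRev(WScript.FullName, "\") + 1))
If Not script_engine = "cscript.exe" Then
    Set objShell = CreateObject("WScript.Shell")
    ' Start cscript.exe by full path from the system folder (special folder 1)
    ' instead of relying on a search-path lookup on a machine that is known
    ' to be infected. Fall back to the original bare name if the lookup fails.
    Err.Clear
    strCScript = objFS.BuildPath(objFS.GetSpecialFolder(1).Path, "cscript.exe")
    If Err.Number <> 0 Or Not objFS.FileExists(strCScript) Then
        Err.Clear
        strCScript = "CSCRIPT.EXE"
    End If
    objShell.Run """" & strCScript & """ """ & WScript.ScriptFullName & """"
    WScript.Quit
End If

strComputer = "."
strProcessKill = "'WScript.exe'"
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Wscript.Echo "Killing all WScript processes..."
Set colProcess = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = " & strProcessKill)
For Each objProcess In colProcess
    ' A surviving worm process can re-create the files deleted below, so a
    ' failed Terminate (non-zero return or raised error) is worth reporting.
    Err.Clear
    lngResult = objProcess.Terminate()
    If Err.Number <> 0 Or lngResult <> 0 Then
        Wscript.Echo "  FAILED to terminate WScript.exe, PID " & objProcess.ProcessId
        cleanupFailures = cleanupFailures + 1
        Err.Clear
    End If
Next

For Each flashdrive In objFS.Drives
    ' DriveType 1 = removable, 2 = fixed.
    If (flashdrive.DriveType = 1 Or flashdrive.DriveType = 2) And flashdrive.Path <> "A:" Then
        ' An empty card reader or similar is not ready; GetFolder would fail
        ' on it and the loop below would run on a stale file collection.
        If flashdrive.IsReady Then
            Wscript.Echo "Checking for Worm files on: " & flashdrive.Path & "..."
            Set objFiles = objFS.GetFolder(flashdrive.Path & "\").Files
            For Each objFile In objFiles
                strName = LCase(objFile.Name)
                If IsWormScript(strName) Then
                    RemoveWormFile objFile
                End If
                ' NOTE(review): this removes ANY autorun.inf in the drive root,
                ' including a legitimate one shipped by a device vendor; the
                ' file's content is not inspected.
                If strName = "autorun.inf" Then
                    RemoveWormFile objFile
                End If
            Next
        Else
            Wscript.Echo "Skipping drive that is not ready: " & flashdrive.Path
        End If
    End If
Next

' Ask the system for the Windows folder (special folder 0) rather than
' assuming C:\WINDOWS, which is wrong on machines installed elsewhere.
strWinDir = objFS.GetSpecialFolder(0).Path
Wscript.Echo "Checking for Worm files in: " & strWinDir & "\..."
Set objFiles = objFS.GetFolder(strWinDir & "\").Files
For Each objFile In objFiles
    If IsWormScript(objFile.Name) Then
        RemoveWormFile objFile
    End If
Next

If cleanupFailures > 0 Then
    Wscript.Echo "WARNING: " & cleanupFailures & " process/file cleanup step(s) failed; the machine may still be infected."
End If

Wscript.Echo "Fixing registry settings..."

' Returns True when a file name starts with "gspi" and ends with "vbs"
' (case-insensitive) - the same match the original script used.
Function IsWormScript(strFileName)
    Dim strLower
    strLower = LCase(strFileName)
    IsWormScript = (Left(strLower, 4) = "gspi" And Right(strLower, 3) = "vbs")
End Function

' Clears the attributes of one file (so hidden/system/read-only flags do not
' block removal), deletes it, and reports and counts a failed deletion.
Sub RemoveWormFile(objTarget)
    Dim strLabel
    On Error Resume Next
    strLabel = objTarget.Path
    Wscript.Echo " Deleting: " & objTarget.Name
    objTarget.Attributes = 0
    Err.Clear
    objTarget.Delete True
    If Err.Number <> 0 Then
        Wscript.Echo "  FAILED to delete " & strLabel & ": " & Err.Description
        cleanupFailures = cleanupFailures + 1
        Err.Clear
    End If
End Sub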
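' Registry repair: resets the Internet Explorer proxy and policy values and
' removes the "MSConfig" autostart entries that this script associates with
' the GSPI worm.
'
' Caveats for whoever runs this:
'   - The HKEY_CURRENT_USER changes only affect the account running the
'     script; other user profiles on the machine are not touched.
'   - ProxyEnable is forced to 0 and ProxyServer is deleted unconditionally,
'     so a legitimate, site-configured proxy is removed as well.
'   - The HKEY_LOCAL_MACHINE deletions need administrative rights; without
'     them the autostart entries stay in place, which is reported below.

' A failed registry call must not stop the remaining repairs; each call is
' checked individually instead.
On Error Resume Next

Dim regFailures
regFailures = 0

Set objShell = CreateObject("WScript.Shell")

' Values that are reset to 0 (REG_DWORD).
For Each strRegValue In Array( _
    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", _
    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools")
    Err.Clear
    objShell.RegWrite strRegValue, 0, "REG_DWORD"
    If Err.Number <> 0 Then
        Wscript.Echo "  FAILED to reset " & strRegValue & ": " & Err.Description
        regFailures = regFailures + 1
    End If
    Err.Clear
Next

' Values that are removed. RegDelete raises an error when the value does not
' exist, so existence is probed with RegRead first; only a delete that fails
' on a value that is present counts as a failure.
For Each strRegValue In Array( _
    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer", _
    "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings\Connwiz Admin Lock", _
    "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title", _
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MSConfig", _
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig")
    Err.Clear
    objShell.RegRead strRegValue
    If Err.Number = 0 Then
        objShell.RegDelete strRegValue
        If Err.Number <> 0 Then
            Wscript.Echo "  FAILED to delete " & strRegValue & ": " & Err.Description
            regFailures = regFailures + 1
        End If
    End If
    ' A RegRead error is treated as "value not present" - nothing to remove.
    Err.Clear
Next

If regFailures = 0 Then
    MsgBox "Finished cleaning!"
Else
    ' Do not claim success when an autostart entry or policy value survived.
    MsgBox "Finished, but " & regFailures & " registry change(s) failed. See the console output; re-run as an administrator."
End If
'WScript.Quit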