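' "Decrypted" version of elirestr.vbs. "Courtesy" of SantInfo.
'
' Purpose: undo the registry changes typically made by malware that
'   (1) hijacks the exe/com/cmd/bat/pif/scr/reg file associations so that
'       every launched program goes through the malware, and
'   (2) sets per-user policy restrictions (NoRun, DisableTaskMgr,
'       DisableRegistryTools, disableCMD, ...) to hamper cleanup.
' It also removes a few hijack/persistence keys (IFEO entries for
' explorer.exe / iexplore.exe and one service key, see below).
'
' Operational notes (read before running):
'  - A re-logon is probably needed afterwards: some system components
'    appear to cache these values.
'  - Some malware re-applies these values at logon (defeating this script
'    between logons) and some re-applies them continuously (defeating it
'    completely). Stop the malicious process(es) first, then run this.
'  - HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE writes need administrative
'    rights (an elevated prompt on Vista and later). Without them those
'    operations fail and are only visible as errors in the log.
'  - Every registry operation runs under On Error Resume Next, so the log
'    file is the ONLY place failures are reported. Review it after each run.
'  - On a domain-joined host, Group Policy will re-apply any policy value it
'    manages; this script only helps against locally imposed values.
'  - WshShell.RegDelete is reported to fail on a key that still has subkeys;
'    if a key deletion is logged as an error, check that in regedit.
'  - To dump these keys before and/or after running this script, use
'    elirestr-claves.vbs.
'
' Output: every write/delete and its result is appended to the file named
' in `file` (created in the current directory if missing).
Option Explicit

Dim file, objFileSystem, objOutputFile, Sgh, r

' Registry path prefixes. They are concatenated at run time, so the paths
' actually written/deleted are byte-for-byte the original ones.
Const HKCR = "HKEY_CLASSES_ROOT\"
Const HKCU_POLICIES = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\"
Const HKLM = "HKEY_LOCAL_MACHINE\"
Const HKLM_IFEO = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"

' Stock "open" verbs restored for the hijacked file types.
Const OPEN_CMD_DEFAULT = """%1"" %*"          ' exe/com/cmd/bat/pif
Const OPEN_CMD_SCR = """%1"" /S"              ' screensavers
Const OPEN_CMD_REG = "regedit.exe ""%1"""     ' .reg files

file = "claves-modificas.txt"

' The log and the shell object are created BEFORE On Error Resume Next is
' armed: if either fails the script must abort loudly rather than produce a
' run with no record (or log 50 "Object required" errors).
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objOutputFile = objFileSystem.OpenTextFile(file, 8, True)   ' 8 = ForAppending
Set Sgh = WScript.CreateObject("WScript.Shell")

On Error Resume Next

r = MsgBox("Este Proceso Restaura los tipos de archivo:" & vbCrLf _
    & " exefile, comfile, cmdfile, batfile, piffile, scrfile y regfile." & vbCrLf & vbCrLf _
    & "Y elimina Restricciones del Sistema." & vbCrLf & vbCrLf _
    & "Pulse Aceptar para continuar.", vbOKCancel, _
    "AntiMW VBS Tools v0.01 CopyLeft 2008")
If r = vbCancel Then
    objOutputFile.Close
    WScript.Quit
End If

' Timestamp the run so the log can be correlated with other incident data.
objOutputFile.WriteLine "=== elirestr run: " & Now & " ==="

' ---------------------------------------------------------------------------
' 1. File type associations (HKCR). A trailing backslash means the key's
'    default value is written.
' ---------------------------------------------------------------------------
RestoreValue HKCR & ".exe\", "exefile"
RestoreValue HKCR & ".com\", "comfile"
RestoreValue HKCR & ".cmd\", "cmdfile"
RestoreValue HKCR & ".bat\", "batfile"
RestoreValue HKCR & ".pif\", "piffile"
RestoreValue HKCR & ".scr\", "scrfile"
RestoreValue HKCR & ".reg\", "regfile"

RestoreValue HKCR & "exefile\shell\open\command\", OPEN_CMD_DEFAULT
RestoreValue HKCR & "comfile\shell\open\command\", OPEN_CMD_DEFAULT
RestoreValue HKCR & "cmdfile\shell\open\command\", OPEN_CMD_DEFAULT
RestoreValue HKCR & "batfile\shell\open\command\", OPEN_CMD_DEFAULT
RestoreValue HKCR & "piffile\shell\open\command\", OPEN_CMD_DEFAULT
RestoreValue HKCR & "scrfile\shell\open\command\", OPEN_CMD_SCR
RestoreValue HKCR & "regfile\shell\open\command\", OPEN_CMD_REG

' ---------------------------------------------------------------------------
' 2. Per-user policy restrictions (HKCU\...\Policies). Deleting the value
'    restores the default (unrestricted) behaviour.
' ---------------------------------------------------------------------------
' DisallowRun is both a value (the switch) and a key (the list of blocked
' programs): the first call removes the value, the trailing-backslash form
' removes the key.
RemoveEntry HKCU_POLICIES & "Explorer\DisallowRun"
RemoveEntry HKCU_POLICIES & "Explorer\DisallowRun\"
RemoveEntry HKCU_POLICIES & "Explorer\NoActiveDesktopChanges"   ' "Web" tab, display properties
RemoveEntry HKCU_POLICIES & "Explorer\NoClose"                   ' Shut down Windows
RemoveEntry HKCU_POLICIES & "Explorer\NoControlPanel"            ' Control Panel and display properties
RemoveEntry HKCU_POLICIES & "Explorer\NoDesktop"                 ' Desktop
RemoveEntry HKCU_POLICIES & "Explorer\NoDrives"
RemoveEntry HKCU_POLICIES & "Explorer\NoFind"                    ' "Search" option, Start menu
RemoveEntry HKCU_POLICIES & "Explorer\NoFolderOptions"           ' Folder Options
RemoveEntry HKCU_POLICIES & "Explorer\NoLogoff"
RemoveEntry HKCU_POLICIES & "Explorer\NoRun"                     ' "Run" option, Start menu
RemoveEntry HKCU_POLICIES & "Explorer\NoSetFolder"
RemoveEntry HKCU_POLICIES & "Explorer\NoSetTaskbar"
RemoveEntry HKCU_POLICIES & "Explorer\NoViewContextMenu"         ' Desktop context menu

RemoveEntry HKCU_POLICIES & "Network\NoFileSharingControl"
RemoveEntry HKCU_POLICIES & "Network\NoNetSetup"
RemoveEntry HKCU_POLICIES & "Network\NoNetSetupIDPage"
RemoveEntry HKCU_POLICIES & "Network\NoNetSetupSecurityPage"

RemoveEntry HKCU_POLICIES & "System\DisableChangePassword"
RemoveEntry HKCU_POLICIES & "System\DisableLockWorkstation"
RemoveEntry HKCU_POLICIES & "System\DisableRegistryTools"        ' REGEDIT.EXE
RemoveEntry HKCU_POLICIES & "System\DisableTaskMgr"              ' Task Manager
RemoveEntry HKCU_POLICIES & "System\NoAdminPage"
RemoveEntry HKCU_POLICIES & "System\NoDispCPL"
RemoveEntry HKCU_POLICIES & "System\NoDispAppearancePage"        ' "Appearance" tab, display properties
RemoveEntry HKCU_POLICIES & "System\NoDispBackgroundPage"        ' "Background" tab, display properties
RemoveEntry HKCU_POLICIES & "System\NoDispScrSavPage"
RemoveEntry HKCU_POLICIES & "System\NoDispSettingsPage"
RemoveEntry HKCU_POLICIES & "System\NoSecCpl"

RemoveEntry HKCU_POLICIES & "ActiveDesktop\NoChangingWallpaper"  ' Wallpaper settings

RemoveEntry "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage"   ' IE home page buttons
RemoveEntry "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\disableCMD"                 ' CMD.EXE / COMMAND.COM

RemoveEntry HKCU_POLICIES & "WinOldApp\Disabled"

' ---------------------------------------------------------------------------
' 3. Machine-wide entries (HKLM). These need administrative rights.
' ---------------------------------------------------------------------------
RemoveEntry HKLM & "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\SFCDisable"      ' SFC.EXE / Windows File Protection
RemoveEntry HKLM & "Software\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig"   ' "System Restore" configuration
RemoveEntry HKLM & "Software\Policies\Microsoft\Windows NT\SystemRestore\DisableSR"       ' "System Restore" tab, system properties

' Service key the original author associated with the malware. Its purpose is
' not verified here; confirm the service is malicious before relying on this
' on a different infection, and note RegDelete may fail if it has subkeys.
RemoveEntry HKLM & "SYSTEM\CurrentControlSet\Services\Ierk8243\"

' Image File Execution Options entries for explorer.exe / iexplore.exe: an
' IFEO "Debugger" value silently redirects every launch of the named binary,
' a common hijack. The whole key is removed, including any legitimate
' debugger setting an administrator may have placed there.
RemoveEntry HKLM_IFEO & "explorer.exe\"
RemoveEntry HKLM_IFEO & "iexplore.exe\"

' Flush and release the log before telling the user to go and read it.
objOutputFile.Close
MsgBox "Proceso terminado. Ver archivo " & file

' ---------------------------------------------------------------------------
' Helpers
' ---------------------------------------------------------------------------

' Writes `valor` to registry entry `clave` (trailing backslash = the key's
' default value) and logs the outcome. Error handling in VBScript is
' per-procedure, so On Error Resume Next is re-armed here; Err is cleared
' explicitly before and after the write so a stale error from an earlier
' statement can never be reported against this entry.
Sub RestoreValue(clave, valor)
    On Error Resume Next
    logSet clave, valor
    Err.Clear
    Sgh.RegWrite clave, valor
    logRes Err.Number, Err.Description
    Err.Clear
End Sub

' Deletes registry value or key `clave` (trailing backslash = key) and logs
' the outcome. A non-existent entry is reported as an error by RegDelete;
' logRes labels it as such.
Sub RemoveEntry(clave)
    On Error Resume Next
    logDel clave
    Err.Clear
    Sgh.RegDelete clave
    logRes Err.Number, Err.Description
    Err.Clear
End Sub

' Logs an impending write of `valor` to `clave`.
Sub logSet(clave, valor)
    objOutputFile.WriteLine "seteando la clave: " & vbCrLf & _
        clave & vbCrLf & "a:" & vbCrLf & _
        valor
End Sub

' Logs an impending deletion of `clave`.
Sub logDel(clave)
    objOutputFile.WriteLine "Eliminando la clave: " & vbCrLf & _
        clave
End Sub

' Logs the result of the preceding registry operation. `num`/`desc` are
' Err.Number / Err.Description captured right after the call; 0 means
' success, anything else is an error (which for RegDelete includes
' "the entry did not exist").
Sub logRes(num, desc)
    If num <> 0 Then
        objOutputFile.WriteLine "ERROR (o clave/nombre valor no existe): " & vbCrLf & _
            num & ":" & desc
    Else
        objOutputFile.WriteLine "Valor/clave seteado o eliminado con exito!"
    End If
End Sub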