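'CWS Shield Dropper.vbs -- deletes the CoolWebSearch (CWS) shield-DLL from the registry
'
'DO NOT REMOVE THIS HEADER!
'
'Copyright Andrew ARONOFF & Rossano FERRARIS, 29 September 2004
' http://www.silentrunners.org/sr_cwsremoval.html
'This script is provided without any warranty, either expressed or implied
'It may not be copied or distributed without permission
'** YOU RUN THIS SCRIPT AT YOUR OWN RISK! **
'HEADER ENDS HERE

'Overview: exports HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
'to a .reg file in a work folder on the Windows drive, deletes the key,
're-imports the export, verifies each step by re-exporting, then reboots.
'All registry work is delegated to regedit.exe run hidden with "wait".
'The user-visible description of the steps is in the
'"Delete the Shield-DLL or quit?" prompt further down.

Option Explicit

'objects: script, fso, Work Folder, Delete Instructions Text File,
' Delete Instructions File, File1, File2, Windows O/S (collection & object)
Dim Wshso, Fso, oWorkFo, oDITF, oDIF, oFi1, oFi2, colWOS, oWOS
'variables: error number, URL, drive letter:, filename1, filename2
Dim intErrNum, strURL, strDrv, strFN1, strFN2
'public variable: output type (MsgBox or Echo) -- "W" under WScript.exe,
'"C" under CScript.exe; read by MBQ to choose MsgBox vs WScript.Echo
Public flagOut

Set Wshso = WScript.CreateObject("WScript.Shell")
Set Fso = CreateObject("Scripting.FileSystemObject")

'determine whether output is via MsgBox/PopUp or Echo
If InStr(LCase(WScript.FullName), "wscript.exe") > 0 Then
    flagOut = "W" 'WScript
ElseIf InStr(LCase(WScript.FullName), "cscript.exe") > 0 Then
    flagOut = "C" 'CScript
Else
    WScript.Echo "Neither WScript.exe nor CScript.exe was detected as " & _
        "the script host." & vbCRLF & Chr(34) & "Shield Dropper" & Chr(34) & _
        " will exit!"
    'FIX: the message promises an exit, but there was no Quit here -- the
    'script fell through with flagOut still Empty and went on to the
    'registry work under an unrecognised host. Quit as announced.
    WScript.Quit
End If 'script host

'GetSpecialFolder arguments
Const SysFolder = 1
Const WinFolder = 0
Const TempFolder = 2

Dim strOS : strOS = "Unknown"         'short O/S tag, set from the Winver.exe version further down
Dim strOSLong : strOSLong = "Unknown" 'display name for the same O/S
Dim intMB 'MsgBox return value
Dim strFPSF : strFPSF = Fso.GetSpecialFolder(SysFolder).Path 'FullPathSystemFolder
Dim strFPWF : strFPWF = Fso.GetSpecialFolder(WinFolder).Path 'FullPathWindowsFolder
'drive holding Windows (e.g. "C:"); the work folder is created in its root
strDrv = Fso.GetDriveName(strFPWF)
Dim strSysVer 'Winver.exe version number

'Winver.exe is in \Windows under W98, but in \System32 for other O/S's
'trap GetFileVersion error for VBScript version < 5.1
'(GetFileVersion is the 5.1 feature being probed: any error here is
'reported below as an unsupported VBScript version. NOTE(review): a
'missing Winver.exe in both folders would raise here too and be reported
'the same way.)
On Error Resume Next
If Fso.FileExists(strFPSF & "\Winver.exe") Then
    strSysVer = Fso.GetFileVersion(strFPSF & "\Winver.exe")
Else
    strSysVer = Fso.GetFileVersion(strFPWF & "\Winver.exe")
End If
intErrNum = Err.Number
On Error Goto 0
Err.Clear

'if old VBScript version
If intErrNum <> 0 Then
    'store dl URL
    'NOTE(review): a 2004-era shortened link, opened in the default browser
    'via the shell; the script does not control where it resolves today
    strURL = "http://tinyurl.com/7zh0"
    'if using WScript
    If flagOut = "W" Then
        'explain the problem
        intMB = MsgBox("This script requires VBScript 5.1 or higher " & _
            "to run." & vbCRLF & vbCRLF & "The latest version of VBScript can " & _
            "be downloaded at: " & strURL & vbCRLF & vbCRLF & _
            "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " & _
            "the download site or " & Chr(34) & "Cancel" & Chr(34) & _
            " to quit.", vbOKCancel + vbExclamation, "Unsupported VBScript Version!")
        'if dl wanted now, send browser to dl site (1 = vbOK)
        If intMB = 1 Then Wshso.Run strURL
    'if using CScript
    Else 'flagOut = "C"
        'explain the problem
        WScript.Echo Chr(34) & "Shield Dropper" & Chr(34) & " requires " & _
            "VBScript 5.1 or higher to run." & vbCRLF & vbCRLF & _
            "It can be downloaded at: " & strURL
    End If 'WScript or CScript?
    'quit the script
    WScript.Quit
End If 'error encountered?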
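'use WINVER.EXE file version to determine O/S
'(prefix matches on the version string; NT4 "4.0.1" and W95 "4.0.0.95"
'are told apart by the length of the prefix examined)
If InStr(Left(strSysVer, 3), "4.1") > 0 Then
    strOS = "W9x" : strOSLong = "Windows 98"
ElseIf InStr(Left(strSysVer, 5), "4.0.1") > 0 Then
    strOS = "NT4" : strOSLong = "Windows NT 4.0"
ElseIf InStr(Left(strSysVer, 8), "4.0.0.95") > 0 Then
    strOS = "W9x" : strOSLong = "Windows 95"
ElseIf InStr(Left(strSysVer, 3), "5.0") > 0 Then
    strOS = "W2K" : strOSLong = "Windows 2000"
ElseIf InStr(Left(strSysVer, 3), "5.1") > 0 Then
    strOS = "WXP" : strOSLong = "Windows XP"
ElseIf InStr(Left(strSysVer, 3), "4.9") > 0 Then
    strOS = "W9x" : strOSLong = "Windows Millennium"
ElseIf InStr(Left(strSysVer, 3), "5.2") > 0 Then
    strOS = "WS2K3" : strOSLong = "Windows Server 2003"
Else
    'unrecognised version string: report it and quit
    If flagOut = "W" Then
        '49 = vbOKCancel (1) + vbExclamation (48)
        intMB = MsgBox("The " & Chr(34) & "Shield Dropper" & Chr(34) & " script cannot " & _
            "determine the operating system." & vbCRLF & vbCRLF & "Click " & _
            Chr(34) & "OK" & Chr(34) & " to send an e-mail to the author, providing the following information:" & _
            vbCRLF & vbCRLF & "WINVER.EXE file version = " & strSysVer & vbCRLF & vbCRLF & "or click " & Chr(34) & _
            "Cancel" & Chr(34) & " to quit.", 49, "O/S Unknown!")
        'OK (1): hand a mailto: URL to the shell; the address is
        'percent-encoded (see revision note R01 at the end of the file)
        If intMB = 1 Then
            Wshso.Run "mailto:Andrew%20Aronoff%20" & _
                "<%73%64.%6F%73.%76%65%72.%65%72%72%6F%72@" & _
                "%73%69%6C%65%6E%74%72%75%6E%6E%65%72%73.%6F%72%67>" & _
                "?subject=Shield%20Dropper%20OS%20Version%20Error&body=" & _
                "WINVER.EXE%20file%20version%20=%20" & strSysVer
        End If
    Else 'flagOut = "C"
        WScript.Echo Chr(34) & "Shield Dropper" & Chr(34) & " cannot " & _
            "determine the operating system." & vbCRLF & vbCRLF & "This script will exit."
    End If
    WScript.Quit
End If

'refuse the 9x family and Server 2003; MBQ quits and never returns
If strOS = "W9x" Or strOS = "WS2K3" Then
    MBQ "The detected Operating System is " & Chr(34) & strOSLong & _
        Chr(34) & "." & vbCRLF & "This script can only run on " & _
        "Windows NT 4.0, Windows 2000, and Windows XP." & _
        vbCRLF & vbCRLF & "This script will exit.", vbOK + vbExclamation, "Wrong O/S!"
End If

'check for Admin rights
'NOTE(review): self-reported only -- nothing here inspects the token. The
'regedit export/delete checks further down are the real test; their error
'text tells the user to log in as an Administrator. (7 = vbNo)
intMB = MsgBox("This script requires Administrator rights." & vbCRLF & _
    vbCRLF & "Are you logged on as an Administrator?", vbYesNo + _
    vbQuestion, "Are you an Administrator?")
If intMB = 7 Then WScript.Quit

'display procedure and request permission to proceed
intMB = MsgBox("This script will: " & vbCRLF & vbCRLF & _
    "1. create the directory " & Chr(34) & strDrv & "\Shield Dropper" & _
    Chr(34) & vbCRLF & _
    "2. save a registry key to a file in the new directory" & vbCRLF & _
    "3. delete the registry key" & vbCRLF & _
    "4. restore the registry key without the CWS shield-DLL" & vbCRLF & _
    "5. reboot the system." & vbCRLF & vbCRLF & _
    "Press " & Chr(34) & "OK" & Chr(34) & " to continue, or" & vbCRLF & _
    Space(10) & Chr(34) & "Cancel" & Chr(34) & " to quit", _
    vbOKCancel + vbQuestion, "Delete the Shield-DLL or quit?")
'quit if Cancel button pushed (2 = vbCancel)
If intMB = 2 Then WScript.Quit

'create work folder if it doesn't exist
'FIX: CreateFolder raises a runtime error when it fails (no rights,
'read-only volume); without trapping it the FolderExists check below was
'never reached and the script died with an unhandled-error dialog
If Not Fso.FolderExists(strDrv & "\Shield Dropper") Then
    On Error Resume Next
    Fso.CreateFolder strDrv & "\Shield Dropper"
    On Error Goto 0
    Err.Clear
End If
'display error if folder couldn't be created
If Not Fso.FolderExists(strDrv & "\Shield Dropper") Then
    MBQ "The script could not create a folder on " & strDrv & " drive." & _
        vbCRLF & vbCRLF & "This script will exit!", _
        vbOK + vbCritical, "Folder creation error!"
End If

'get the work folder
Set oWorkFo = Fso.GetFolder(strDrv & "\Shield Dropper")
'store saved key file name
strFN1 = oWorkFo.Path & "\Saved Key.reg"

'export HKLM\SW\MS\WNT\CV\W key to "Saved Key.reg"
'Run arguments: window style 0 (hidden), TRUE = wait for regedit to exit so
'the FileExists check below sees the finished export.
'NOTE(review): the regedit.exe path itself is unquoted (only the file and
'key arguments are); it would break if the Windows folder contained a space.
Wshso.Run strFPWF & "\regedit /e " & Chr(34) & strFN1 & Chr(34) & _
    Space(1) & Chr(34) & "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" & _
    Chr(34), 0, TRUE
'display error if file not saved
If Not Fso.FileExists(strFN1) Then
    MBQ "The script could not save the registry key before it was deleted." & _
        vbCRLF & "You must be logged in as an Administrator." & vbCRLF & vbCRLF & _
        "This script will exit!", vbOK + vbCritical, "Registry key save error!"
End If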
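'create text file with registry key delete instructions
'FIX: CreateTextFile raises a runtime error on failure (no rights, folder
'gone); trap it so the FileExists check below is reached instead of an
'unhandled-error dialog. On failure oDITF stays Empty and MBQ quits.
On Error Resume Next
Set oDITF = Fso.CreateTextFile(oWorkFo.Path & "\Delete Key.reg", TRUE)
On Error Goto 0
Err.Clear
'display error if file not created
If Not Fso.FileExists(oWorkFo.Path & "\Delete Key.reg") Then
    MBQ "The script could not create the file with key deletion instructions." & _
        vbCRLF & vbCRLF & "This script will exit!", _
        vbOK + vbCritical, "File creation error!"
End If

'write out contents of delete instructions file: REGEDIT4 header, blank
'line, then the key in "[-key]" form (leading "-" = delete the key)
oDITF.WriteLine "REGEDIT4" & vbCRLF
oDITF.WriteLine "[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]"
'close the delete instructions file
oDITF.Close
Set oDITF = Nothing

'get the delete instructions file
Set oDIF = Fso.GetFile(oWorkFo.Path & "\Delete Key.reg")
'display error if size too small: the two WriteLine calls above produce
'exactly 88 bytes in the ANSI file CreateTextFile writes by default
'(8 + 2 + 2 for the header and blank line, 74 + 2 for the key line), so
'anything shorter means the write was cut short
If oDIF.Size < 88 Then
    MBQ "The script could not add the key deletion instructions to the file it created." & _
        vbCRLF & vbCRLF & "This script will exit!", _
        vbOK + vbCritical, "File write error!"
End If

'delete HKLM\SW\MS\WNT\CV\W key (/s = silent import, no confirmation
'prompt; window hidden, wait for regedit to finish)
Wshso.Run strFPWF & "\regedit /s " & Chr(34) & oWorkFo.Path & _
    "\Delete Key.reg" & Chr(34), 0, TRUE

'check that key was deleted by re-exporting key contents to file and
'checking that file doesn't exist -- this relies on regedit /e writing no
'output file when the requested key does not exist
'store export file name
strFN2 = oWorkFo.Path & "\Compare Key.reg"
'delete it if it exists already, so a stale copy cannot satisfy the check
If Fso.FileExists(strFN2) Then Fso.DeleteFile(strFN2)
'export *missing* HKLM\SW\MS\WNT\CV\W key to strFN2
Wshso.Run strFPWF & "\regedit /e " & Chr(34) & strFN2 & Chr(34) & _
    Space(1) & Chr(34) & "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" & _
    Chr(34), 0, TRUE
'display error if export file was created, since key hadn't been deleted
If Fso.FileExists(strFN2) Then
    MBQ "The script could not delete the Shield-DLL registry key." & _
        vbCRLF & "You must be logged in as an Administrator." & _
        vbCRLF & vbCRLF & "This script will exit!", _
        vbOK + vbCritical, "Registry key delete error!"
End If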
'delete the delete instructions file (housekeeping)
oDIF.Delete
Set oDIF = Nothing

'add back HKLM\SW\MS\WNT\CV\W key from the export taken before deletion.
'The script imports "Saved Key.reg" exactly as regedit wrote it; it never
'edits the file. NOTE(review): how the shield-DLL value fails to survive
'the export/re-import round trip is not visible in this script -- confirm
'against the author's page before relying on it.
Wshso.Run strFPWF & "\regedit /s " & Chr(34) & strFN1 & Chr(34), 0, TRUE

'export the re-added key to strFN2 so it can be compared with the original export
Wshso.Run strFPWF & "\regedit /e " & Chr(34) & strFN2 & Chr(34) & _
    Space(1) & Chr(34) & "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" & _
    Chr(34), 0, TRUE

'saved key file and re-added key file
Set oFi1 = Fso.GetFile(strFN1) 'Saved Key.reg
Set oFi2 = Fso.GetFile(strFN2) 'Compare Key.reg

'the two exports are compared by size only, not by content; MBQ never returns
If oFi1.Size <> oFi2.Size Then
    MBQ "The script could not add the required registry key." & _
        vbCRLF & vbCRLF & "Add it by double-clicking on the file:" & _
        vbCRLF & strFN1 & vbCRLF & vbCRLF & "This script will exit!", _
        vbOK + vbCritical, "Registry key add error!"
End If

'delete re-added key file (housekeeping); "Saved Key.reg" is left in the work folder
oFi2.Delete 'Compare Key.reg
Set oFi2 = Nothing

'propose reboot
intMB = MsgBox("The PC must be rebooted to remove the Shield-DLL " & _
    "from memory." & vbCRLF & vbCRLF & "Press " & Chr(34) & _
    "OK" & Chr(34) & " to reboot or" & vbCRLF & Space(10) & _
    Chr(34) & "Cancel" & Chr(34) & " to quit.", _
    vbOKCancel + vbExclamation, "Reboot now?")

If intMB = vbOK Then
    Select Case strOS
        Case "NT4"
            'WMI unavailable by default in NT4, so use NT4-specific method:
            'write a minimal INF into the Temporary folder and have setupapi
            'install it with reboot mode 1
            Dim strFPTF : strFPTF = Fso.GetSpecialFolder(TempFolder).Path 'FullPathTempFolder
            Set oFi2 = Fso.CreateTextFile(strFPTF & "\ntreboot.inf", TRUE)
            oFi2.WriteLine "[version]" & vbCRLF & "signature=$chicago$" & vbCRLF & _
                "[defaultinstall]"
            oFi2.Close
            'get the INF file
            Set oFi2 = Fso.GetFile(strFPTF & "\ntreboot.inf")
            'execute the INF to reboot.
            'NOTE(review): the INF is closed and then executed by path from a
            'shared temp folder, so any other local writer to that folder
            'could replace it in between; the path is also passed unquoted.
            Wshso.Run "rundll32 setupapi,InstallHinfSection DefaultInstall 1 " & _
                oFi2.Path, 0, TRUE
            'delete the INF file
            oFi2.Delete
            Set oFi2 = Nothing
        Case Else
            'W2K / WXP: use WMI to reboot. The moniker requests the Shutdown
            'privilege; Win32Shutdown flag "6" = reboot (2) + force (4)
            Set colWOS = GetObject("winmgmts:{(Shutdown)}\root\cimv2").InstancesOf("Win32_OperatingSystem")
            For Each oWOS In colWOS
                oWOS.Win32ShutDown "6"
            Next
    End Select
End If 'shutdown now?

'clean up
Set oWorkFo = Nothing
Set oFi1 = Nothing
Set Fso = Nothing
Set Wshso = Nothing

'Message Box Quit: show strMsg (MsgBox under WScript; WScript.Echo under
'CScript, where strButtons and strTitle are unused) and end the script.
'Callers on the error paths above never get control back.
Sub MBQ (strMsg, strButtons, strTitle)
    If flagOut <> "W" Then
        WScript.Echo strMsg
    Else
        MsgBox strMsg, strButtons, strTitle
    End If
    WScript.Quit
End Sub

'R00 '2004/09/28
'R01 'changed file name, corrected coded SR mailto address