
#1 21 Apr 2016 21:10

Hackoo
Member
Registered: 05 Feb 2015
Posts: 21

[Solved] How to show properly a balloontip ?

Hi :)
I'm writing a cleaner for some known virus keys like ("vbs", "vbe", "wsf", "a3x", "VBScript.Encode") from the registry.
I want to add a BalloonTip in PowerShell with this script, but there is something wrong!
I don't know how to remove the icon from the taskbar.
This is a draft; it is not yet optimized!

@echo off
Color 1A & Mode con cols=80 lines=8
Set Pattern="\.vbs"^
^ "\.vbe"^
^ "\.wsf"^
^ "\.a3x"^
^ "VBScript.Encode"^
^ "\winlogon\.bat"

Set Key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"^
^ "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"^
^ "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"^
^ "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

For %%P in (%Pattern%) Do (
		For %%K in (%Key%) Do (		
			Cls 
			echo(
			echo(
			Echo         ***************************** Scan *****************************
			echo        	 %%K
			Echo         ****************************************************************
			Call :PS_Sub 'Warning' 10 '" Please wait... "' "' Scan is in progress.... %%K'" 'Warning'
			Call :Delete_Virus_Key %%K %%P "%TmpLogFile%"
		)
)
exit /b
::*************************************************************************
:Delete_Virus_Key <Key> <Pattern> <LogFile>
Setlocal enabledelayedexpansion
for /f "delims=REG_SZ" %%I in (
	'reg query "%~1" /s^|findstr /ic:"%~2"'
	)	Do 	( 
				If %ErrorLevel% NEQ 1 (
					Set KeyName="%%~I"
					(
						Call:Trim !keyName!
						Title Deleting Run key: !keyName!
						echo Deleting Run key: !keyName!
						echo reg delete "%~1" /v !keyName! /f
						echo(
						echo *****************************
						echo reg delete "%~1" /v "!keyName!" /f
						echo *****************************
						echo(
					)>>"%~3"
					rem Call :PS_Sub 'Warning' 100 '"!KeyName!"' "'Delete !KeyName!'" 'Warning'
				) else (
					Set KeyName="%%~I"
					Call:Trim !keyName!
					Title Deleting Run key: !keyName!
					echo Deleting Run key: !keyName!
					echo reg delete "%~1" /v !keyName! /f
					echo(
					echo *****************************
					echo reg delete "%~1" /v "!keyName!" /f
					echo *****************************
					echo(
				)>>"%~3"
			)		
)
EndLocal
Exit /b
::*************************************************************************
:Trim <String>
(
	echo Wscript.echo Trim("%~1"^)
)>"%tmp%\%~n0.vbs"
for /f "delims=" %%a in ('Cscript /nologo "%tmp%\%~n0.vbs"') do ( 
	set "KeyName=%%a" 
)
exit /b
::**************************************************************************
:PS_Sub $notifyicon $time $title $text $icon
PowerShell  ^
  [reflection.assembly]::loadwithpartialname('System.Windows.Forms') ^| Out-Null; ^
  [reflection.assembly]::loadwithpartialname('System.Drawing') ^| Out-Null; ^
  $notify = new-object system.windows.forms.notifyicon; ^
  $notify.icon = [System.Drawing.SystemIcons]::%1; ^
  $notify.visible = $true; ^
  $notify.showballoontip(%2,%3,%4,%5)
%End PowerShell%
exit /B
::*************************************************************************

Last edited by Hackoo (22 Apr 2016 16:14)

Offline

#2 22 Apr 2016 08:12

bluesxman
Member
From: UK
Registered: 29 Dec 2006
Posts: 1,129

Re: [Solved] How to show properly a balloontip ?

Not sure your PowerShell is correct.  I wrote the following based on the link below, works fine for me (NB - needs a valid icon location to function).

[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon 

$objNotifyIcon.Icon = "D:\Documents\My Pictures\Icons\cmd.ico"
$objNotifyIcon.BalloonTipIcon = "Error" 
$objNotifyIcon.BalloonTipText = "A file needed to complete the operation could not be found." 
$objNotifyIcon.BalloonTipTitle = "File Not Found"
 
$objNotifyIcon.Visible = $True 
$objNotifyIcon.ShowBalloonTip(10000)

https://technet.microsoft.com/en-us/lib … 2147217396
For a start I think you are not setting up the object properties and are trying to pass a bunch of params to "showballoontip" whereas it reports to me that it only takes one -- the time in milliseconds.  Also it appears you are attempting to tell it to show for "10" milliseconds, where I assume you meant 10 seconds -- it's unlikely to respect that anyway (see the article linked).

Last edited by bluesxman (22 Apr 2016 08:16)


cmd | *sh | ruby | chef

Offline

#3 22 Apr 2016 16:13

Hackoo
Member
Registered: 05 Feb 2015
Posts: 21

Re: [Solved] How to show properly a balloontip ?

Thank you for your reply, and I solved my problem here: http://stackoverflow.com/questions/3678 … 8#36796778

Offline

#4 23 Apr 2016 06:06

foxidrive
Member
Registered: 04 Apr 2013
Posts: 339

Re: [Solved] How to show properly a balloontip ?

Hackoo wrote:

I'm writing a cleaner for some known virus key


This is what your code is passing to the routine and the temp file variable is not even defined here.


Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "\.vbs" ""
Call :Delete_Virus_Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "\.vbs" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "\.vbs" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "\.vbs" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "\.vbe" ""
Call :Delete_Virus_Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "\.vbe" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "\.vbe" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "\.vbe" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "\.wsf" ""
Call :Delete_Virus_Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "\.wsf" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "\.wsf" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "\.wsf" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "\.a3x" ""
Call :Delete_Virus_Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "\.a3x" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "\.a3x" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "\.a3x" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "VBScript.Encode" ""
Call :Delete_Virus_Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "VBScript.Encode" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "VBScript.Encode" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "VBScript.Encode" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "\winlogon\.bat" ""
Call :Delete_Virus_Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "\winlogon\.bat" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "\winlogon\.bat" ""
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "\winlogon\.bat" ""

Last edited by foxidrive (23 Apr 2016 06:07)

Offline

#5 23 Apr 2016 07:40

Hackoo
Member
Registered: 05 Feb 2015
Posts: 21

Re: [Solved] How to show properly a balloontip ?

foxidrive wrote:
Hackoo wrote:

I'm writing a cleaner for some known virus key

This is what your code is passing to the routine and the temp file variable is not even defined here.
Call :Delete_Virus_Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "\.vbs" ""
Call :Delete_Virus_Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "\.vbs" ""
.......

As I said before, I pasted some code and it is still a draft, but here is the whole code:

@echo off
Title Hackoo Virus Cleaner to delete virus key from registry by Hackoo 2016
Mode con cols=90 lines=5
cls & color 0A & echo.
:::::::::::::::::::::::::::::::::::::::::
:: Automatically check & get admin rights
:::::::::::::::::::::::::::::::::::::::::
Set "TmpLogFile=%Tmp%\TmpLogkey.txt"
Set "LogFile=%UserProfile%\Desktop\Hackoo_Virus_Clean_%UserName%_Log.txt"
If Exist "%TmpLogFile%" Del "%TmpLogFile%"
If Exist "%LogFile%" Del "%LogFile%"
REM  --> Check for permissions
Reg query "HKU\S-1-5-19\Environment" >"%TmpLogFile%" 2>&1
REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
Echo.
ECHO                        **************************************
ECHO                         Running Admin shell... Please wait...
ECHO                        **************************************

    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
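    rem Keep the arguments for the elevated instance; the leading space keeps params defined when there are none
    set params= %*
    echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs"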

    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
::::::::::::::::::::::::::::
::          START         ::
::::::::::::::::::::::::::::
:menuLOOP
cls
Title Hackoo Virus Cleaner to delete virus key from registry by Hackoo 2016
Color 1A & Mode con cols=80 lines=12
echo(
echo(
echo(               ********************* Menu ************************
echo(
for /f "tokens=2* delims=_ " %%A in ('"findstr /b /c:":menu_" "%~f0""') do (
echo                   %%A  %%B )
echo(
echo(               ***************************************************
set choice=
echo( & set /p choice=Make a choice or hit ENTER to quit: || GOTO :EOF
echo( & call :menu_[%choice%]
GOTO:menuLOOP
::*******************************************************************************
:menu_[1] Scan the computer and Clean the Registry
Color 9A & Mode con cols=100 lines=5
Set Msg="Hackoo Virus Cleaner is Starting Now ... Please wait... Scan is in progress..."
echo(
echo     **********************************************************************************
echo      %Msg%
echo     **********************************************************************************
Call :Speak %Msg%
Call :PS_Sub 'information' 10 '"Hackoo Virus Cleaner is Starting Now ... "' "'Please wait... Scan is in progress....'" 'info' 4
cls & Mode con cols=75 lines=5
(
	Echo Hackoo_Virus_Cleaner v1.0
	Echo.
	Echo  **************************** General info ****************************
	Echo.
	Echo Running under: %username% on profile: %userprofile%
	Echo Computer name: %computername%
	Echo.
	Echo Operating System:
	wmic os get caption | findstr /v /r /c:"^$" /c:"^Caption"
	Echo Boot Mode:
	wmic COMPUTERSYSTEM GET BootupState | find "boot"
	Echo Antivirus software installed:
	wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName | findstr /v /r /c:"^$" /c:"displayName"
	Echo.
	Echo Executed on: %date% @ %time%
	Echo.
	Echo **************************** Drive info *******************************
	Echo.
	Echo Listing currently attached drives:
	wmic logicaldisk get caption,description,volumename | find /v ""
	Echo.
	Echo Physical drives information:
	for /F "tokens=1-3" %%A in ('fltmc volumes^|find ":"') do echo %%A %%B %%C
	Echo.
	Echo ************************ Disinfection info ****************************
	Echo.
)>"%TmpLogFile%"

echo                       "Deleting BronCoder.wsf Virus"
echo "Deleting BronCoder.wsf Virus" >>"%TmpLogFile%"
Del /s /f /q "%Temp%\BronCoder.wsf" >>"%TmpLogFile%" 2>&1

set process="cscript.exe" "wscript.exe" "rundll32.exe" ^
^ "explorar.exe" "AutoIt3.exe" "compiled.exe" "MozillaFirefox.exe" "GoogleChrome.exe" ^
^ "srvicas.exe" "servicas.exe" "njw0rm.exe" "njrat.exe" "Intel(R)TCP.exe" ^
^ "Intel(TM)SD.exe" "mshta.exe" "Intel(R)B1.exe" "Intel(R)P15.exe"

For %%a in (%process%) Do ( Call :KillMyProcess %%a )

Set Pattern="\.vbs"^
^ "\.vbe"^
^ "\.wsf"^
^ "\.a3x"^
^ "\winlogon\.bat"

Set Key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"^
^ "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"^
^ "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"^
^ "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

Color 9B & Mode con cols=100 lines=5
For %%P in (%Pattern%) Do (
		For %%K in (%Key%) Do (		
			Cls 
			echo(
			echo(
			echo(
			Echo             ***************************** Scanning in progress *****************************
			echo        	    %%K
			Echo             ********************************************************************************
			Rem Call :PS_Sub 'Warning' 1 '"Scanning Registry Key for %%P... "' ""%%K"" 'Warning' 2
			Call :Delete_Virus_Key %%K %%P "%TmpLogFile%"
		)
)

Cmd /U /C Type "%TmpLogFile%" > "%LogFile%"
If Exist "%LogFile%" start "" "%LogFile%"
exit /b
::*************************************************************************
:Delete_Virus_Key <Key> <Pattern> <LogFile>
Setlocal enabledelayedexpansion
for /f "delims=REG_SZ" %%I in (
	'reg query "%~1" /s^|findstr /ic:"%~2"'
	)	Do 	( 
				If %ErrorLevel% NEQ 1 (
					Set KeyName="%%~I"
					(
						Call:Trim !keyName!
						Title Deleting Run key: "!keyName!"
						echo(
						echo Deleting Run key: "!keyName!"
						echo reg delete "%~1" /v "!keyName!" /f
						echo(
						echo *****************************
						reg delete "%~1" /v "!keyName!" /f
						echo *****************************
						echo(
					)>>"%~3"
						Call :Speak "A Virus was found : !KeyName! on "%~1" "
						Call :PS_Sub 'Warning' 1 '"A Virus was found : !KeyName!"' "'A Virus was found : !KeyName! on "%~1"'" 'Warning' 3
				)		
	
			)		
)
EndLocal
Exit /b
::*************************************************************************
:Trim <String>
(
	echo Wscript.echo Trim("%~1"^)
)>"%tmp%\%~n0.vbs"
for /f "delims=" %%a in ('Cscript /nologo "%tmp%\%~n0.vbs"') do ( 
	set "KeyName=%%a" 
)
exit /b
::**************************************************************************
:PS_Sub $notifyicon $time $title $text $icon $Timeout
PowerShell  ^
  [reflection.assembly]::loadwithpartialname('System.Windows.Forms') ^| Out-Null; ^
  [reflection.assembly]::loadwithpartialname('System.Drawing') ^| Out-Null; ^
  $notify = new-object system.windows.forms.notifyicon; ^
  $notify.icon = [System.Drawing.SystemIcons]::%1; ^
  $notify.visible = $true; ^
  $notify.showballoontip(%2,%3,%4,%5); ^
  Start-Sleep -s %6; ^
  $notify.Dispose()
%End PowerShell%
exit /B
::*************************************************************************
:menu_[2] Clean USB Drive and restore hidden files
for /f "tokens=2" %%i in ('wmic logicaldisk where "drivetype=2" ^|find /i ":"') do (Set MyUSB=%%i)
cls
setlocal ENABLEDELAYEDEXPANSION
set _drive=%MyUSB%
If Exist !_drive! (
cls
echo.
echo           #########################################################
echo                        Your usb key is connected as !_drive!
echo           #########################################################
echo.
pause
Cls
echo(
Echo Removing malicious files/unhiding files... Please wait, this may take a while...
del /s /f /q !_drive!\*.lnk>>"%TmpLogFile%"2>&1
attrib -s -h -a -r /s /d !_drive!\*.*
Explorer "!_drive!\"
) ELSE (
cls
color 0C
echo.
echo           #########################################################
echo                         Your usb key is not detected
echo           #########################################################
echo.
pause
)
Goto:MenuLoop
::*************************************************************************
:menu_[3] Check Run key and open the scan report
Mode con cols=100 lines=5 & color 9E
Cls
echo(
echo(
Echo(
ECHO                 **********************************************
ECHO                   Please wait..... We generate the report.....
ECHO                 **********************************************
Call :Speak "Please wait . . . We generate the report !"
Call :PS_Sub 'Warning' 100 '"Please wait . . . "' "'Please wait . . . We generate the report !'" 'Warning' 5
For %%K in (%key%) Do Call :Check_Key %%K "%TmpLogFile%"

(
	Echo.
	Echo ******************************************************************************
	echo "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
	Dir /b "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
	Echo.
	Echo ******************************************************************************
	Echo.
	TASKLIST /V /FO List
	Echo.
	Echo ******************************************************************************
)>>"%TmpLogFile%" 2>&1

(
	Echo ******************************************************************************
	Echo                              STARTUP List
	Echo ******************************************************************************
)>>"%TmpLogFile%" 2>&1
REM Command suggested by FreeBooter
wmic /APPEND:"%TmpLogFile%" STARTUP get /format:list>Nul
(
	Echo.
	Echo ******************************************************************************
	Echo                               Process List
	Echo ******************************************************************************
)>>"%TmpLogFile%" 2>&1
rem WMIC /APPEND:%TmpLogFile% PROCESS GET Caption,CommandLine>Nul
powershell.exe Get-WmiObject Win32_Process ^| select ProcessID,ProcessName,Handle,commandline,ExecutablePath ^| Out-File -Append '%TmpLogFile%' -Encoding ascii
(
	Echo.
	Echo ******************************************************************************
	Echo                            Scheduled task list
	Echo ******************************************************************************
Schtasks /query /fo LIST
)>>"%TmpLogFile%" 2>&1

Cmd /U /C Type "%TmpLogFile%" > "%LogFile%"
Start "" "%LogFile%"
Goto:MenuLoop
::**********************************************
:menu_[4] Download Microsoft Safety Scanner
Cls
Mode con cols=100 lines=5 & color 9E
echo(
Set "URL32=http://definitionupdates.microsoft.com/download/definitionupdates/safetyscanner/x86/msert.exe"
Set "URL64=http://definitionupdates.microsoft.com/download/definitionupdates/safetyscanner/amd64/msert.exe"
Set "Location=%userprofile%\Desktop\msert.exe"
Set RegQry=HKLM\Hardware\Description\System\CentralProcessor\0
REG Query %RegQry% > checkOS.txt
Find /i "x86" < CheckOS.txt > StringCheck.txt
If %ErrorLevel% NEQ 1 (
    Echo "This is 32 Bit Operating system"
	pause
	Title Downloading Microsoft Safety Scanner ...
	Call :PS_Sub 'information' 10 '"Downloading Microsoft Safety Scanner ... "' "'Please wait... Downloading Microsoft Safety Scanner....'" 'info' 4
	Call :Download "%URL32%" "%Location%"
) ELSE (
	Title Downloading Microsoft Safety Scanner ...
	Call :PS_Sub 'information' 10 '"Downloading Microsoft Safety Scanner ... "' "'Please wait... Downloading Microsoft Safety Scanner....'" 'info' 4
    Echo "This is 64 Bit Operating System"
	pause
	Call :Download "%URL64%" "%Location%"
)
Del checkOS.txt & del StringCheck.txt
Start "" "%Location%"
Goto:MenuLoop
::**********************************************
:Check_Key
reg QUERY %1 >nul 2>&1
(
    if %errorlevel% equ 0 ( reg QUERY %1 /s
        ) else ( echo %1 ===^> Not found
    )
) >>%2 2>&1
Exit /b
::**********************************************
:KillMyProcess
cls
Taskkill /IM "%~1" /F >>"%TmpLogFile%" 2>&1
echo(
echo(
echo               **********************************************
echo                        Try Killing "%~1"
echo               **********************************************
Timeout /T 1 /Nobreak>nul
Rem Call :PS_Sub 'Warning' 1 '"Killing "%~1""' "'Try Killing "%~1"'" 'Warning' 2
Exit /b
::**********************************************
:Speak <msg>
Cls
echo(
(
echo  WScript.StdOut.Write +vbTab+"******************************************************************************" + vbcrlf
echo strText=wscript.arguments(0^)
echo intTextLen = Len(strText^)
echo intPause = 100
echo WScript.StdOut.Write vbTab
echo For x = 1 to intTextLen
echo     strTempText = Mid(strText,x,1^)
echo     WScript.StdOut.Write strTempText
echo     WScript.Sleep intPause
echo Next
echo wscript.echo vbcrlf +vbTab+ "******************************************************************************"
echo Set Voice=CreateObject("SAPI.SpVoice"^)
echo voice.speak strText
)>"%tmp%\%~n0.vbs"
@cscript.EXE /noLogo "%tmp%\%~n0.vbs" "%~1"
Exit /B
::**************************************************************
:Download <URL> <Location>
Set URL="%~1"
Set Location="%~2"
If Exist "%~2" Del "%~2"
Bitsadmin /transfer "Download" "%~1" "%~2"
Exit /b
::**************************************************************
:EOF

Last edited by Hackoo (24 Apr 2016 15:56)

Offline
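
The Run-key scan from the script above as a read-only audit, added here as an example (it is not Hackoo's code and not from the linked answers): it reads value names through the registry API rather than splitting `reg query` text with `delims=REG_SZ`, which `for /f` treats as a set of separator characters, and it records the exact key each match lives in. The function name `Find-SuspiciousAutorun`, the regex forms of the search strings and the CSV file name are assumptions.

```powershell
# Added example: read-only audit of the autorun locations named in this thread.
# Nothing is deleted; findings are returned as objects for review.

# Keys from the batch script, written in PowerShell registry-provider syntax.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# The thread's search strings as .NET regexes (assumption: case-insensitive
# match anywhere in the value data).
$Patterns = @('\.vbs', '\.vbe', '\.wsf', '\.a3x', 'VBScript\.Encode', 'winlogon\.bat')

function Find-SuspiciousAutorun {    # hypothetical name, not from the thread
    param(
        [string[]] $Key     = $AutorunKeys,
        [string[]] $Pattern = $Patterns
    )
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($root in $Key) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The key itself plus all subkeys, the same scope as "reg query /s".
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            # GetValueNames() returns each name whole, including spaces,
            # underscores and capital letters.
            foreach ($name in $k.GetValueNames()) {
                $data = [string]$k.GetValue($name, $null, $raw)
                foreach ($p in $Pattern) {
                    if ($data -match $p) {
                        [pscustomobject]@{
                            Key       = $k.Name    # exact key holding the value
                            ValueName = if ($name) { $name } else { '(Default)' }
                            Data      = $data
                            Pattern   = $p
                        }
                        break    # one finding per value is enough
                    }
                }
            }
        }
    }
}

$findings = @(Find-SuspiciousAutorun)
$findings | Format-List
# Keep a record to review before any "reg delete" is run by hand.
$findings | Export-Csv -Path (Join-Path $env:TEMP 'autorun-findings.csv') -NoTypeInformation
```

Legitimate entries such as an administrator's .vbs logon script match these patterns too, so each finding needs a look at the file it points to before the value is removed.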
