' This script cleans up infected php pages ' http://thydzik.com/wordpress-hacked-broken-or-blank-refreshing-admindashboard/ ' Copyright 2009 Travis Hydzik (mail@thydzik.com) ' This program is free software: you can redistribute it and/or modify ' it under the terms of the GNU General Public License as published by ' the Free Software Foundation, either version 3 of the License, or ' (at your option) any later version. ' This program is distributed in the hope that it will be useful, ' but WITHOUT ANY WARRANTY; without even the implied warranty of ' MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ' GNU General Public License for more details. ' You should have received a copy of the GNU General Public License ' along with this program. If not, see . Set objWMIService = GetObject("winmgmts:\\" & "." & "\root\cimv2") strFolderName = Replace(Wscript.ScriptFullName, "\" & Wscript.ScriptName, "") Set colSubfolders = objWMIService.ExecQuery _ ("Associators of {Win32_Directory.Name='" & strFolderName & "'} " _ & "Where AssocClass = Win32_Subdirectory " _ & "ResultRole = PartComponent") Set colFiles = objWMIService.ExecQuery _ ("ASSOCIATORS OF {Win32_Directory.Name='" & strFolderName & "'} Where " _ & "ResultClass = CIM_DataFile") For Each objFile In colFiles If UCase(objFile.extension) = "PHP" Then removeFirstTwoLines objFile.Drive & objFile.Path & objFile.Filename & "." & objFile.extension End If Next For Each objFolder In colSubfolders GetSubFolders strFolderName Next MsgBox "Clean-up complete." Sub GetSubFolders(strFolderName) Set colSubfolders2 = objWMIService.ExecQuery _ ("Associators of {Win32_Directory.Name='" & strFolderName & "'} " _ & "Where AssocClass = Win32_Subdirectory " _ & "ResultRole = PartComponent") For Each objFolder2 In colSubfolders2 strFolderName = objFolder2.Name Set colFiles = objWMIService.ExecQuery _ ("ASSOCIATORS OF {Win32_Directory.Name='" & strFolderName & "'} Where " _ & "ResultClass = CIM_DataFile") For Each objFile In colFiles If UCase(objFile.extension) = "PHP" Then removeFirstTwoLines objFile.Drive & objFile.Path & objFile.Filename & "." & objFile.extension End If Next GetSubFolders strFolderName Next End Sub Sub logFile(strEntry) Set objFSO = CreateObject("Scripting.FileSystemObject") Set objTextFile = objFSO.OpenTextFile("C:\cleanUpWordPressPHP.txt", 8, True) objTextFile.WriteLine strEntry objTextFile.Close Set objTextFile = Nothing Set objFSO = Nothing End Sub Sub removeFirstTwoLines(strDrivePathFileName) Set objFSO = CreateObject("Scripting.FileSystemObject") Set objInputFile = objFSO.OpenTextFile(strDrivePathFileName, 1, False) If Not objInputFile.AtEndOfStream Then Line = objInputFile.ReadLine If InStr(1, Line, "