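Need help trying to completely remove "virus protection software"

Time: 2016-03-16 13:47:13

Tags: powershell

The company I work for is moving to new virus protection software. I have been tasked with writing a tool that will remove the old virus software, because the standard uninstall does not seem to remove the entire package. I searched Stack Overflow and found many different examples of how to make the different parts of this tool work, and put them together to try to make a usable product. For some reason I haven't figured out yet, I can't seem to get anything to work. Here is what I have so far: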

# This section launches Powershell as Admin

PS> Start-Process powershell -Verb runAs

if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }

PS >Read-Host "Press ENTER"
Press ENTER:

# This section uninstalls Vipre from the program files

$app = Get-WmiObject -Class Win32_Product | Where-Object { 
$_.Name -match "VIPRE BUSINESS AGNET" 
}

$app.Uninstall()

PS >Read-Host "Press ENTER"
Press ENTER:

# This section searches the Registry for all instances of Vipre and VIPRE BUSINESS AGENT and deletes them

gci HKLM: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) 
-match "Vipre") { $_.PsPath} } | Remove-Item  

gci HKCR: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) 
-match "Vipre") { $_.PsPath} } | Remove-Item  

gci HKCU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) 
-match "Vipre") { $_.PsPath} } | Remove-Item 

gci HKU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) 
-match "Vipre") { $_.PsPath} } | Remove-Item    


gci HKLM: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) 
-match "VIPRE BUSINESS AGENT") { $_.PsPath} } | Remove-Item  

gci HKCR: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) 
-match "VIPRE BUSINESS AGENT") { $_.PsPath} } | Remove-Item  

gci HKCU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) 
-match "VIPRE BUSINESS AGENT") { $_.PsPath} } | Remove-Item 

gci HKU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) 
-match "VIPRE BUSINESS AGENT") { $_.PsPath} } | Remove-Item  

PS >Read-Host "Press ENTER"
Press ENTER:

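I have the pauses, "Press ENTER", to try to see what the commands before them are doing, and even that doesn't seem to be working. I can tell errors are being thrown as the screen flashes, but then it goes away.

My question is:

What am I doing wrong? Are there syntax errors, and what are they?

Thanks for your help.

Edit / Update

My file now looks like this: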

# This section launches Powershell as Admin

{ Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -verb RunAs; exit }

$code = {

# This section uninstalls Vipre from the program files

    $App = Get-WmiObject -Class Win32_Product -Filter 'Name like %"VIPRE BUSINESS AGENT"%"'
if ($App) 
{
$App.Uninstall()
}


# This section searches the Registry for all instances of Vipre and VIPRE BUSINESS AGENT and deletes them

Get-ChildItem HKLM: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'Vipre') { $_.PsPath} } | Remove-Item  

Get-ChildItem HKCR: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'Vipre') { $_.PsPath} } | Remove-Item  

Get-ChildItem HKCU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'Vipre') { $_.PsPath} } | Remove-Item 

Get-ChildItem HKU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'Vipre') { $_.PsPath} } | Remove-Item    


Get-ChildItem HKLM: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'VIPRE BUSINESS AGENT') { $_.PsPath} } | Remove-Item  

Get-ChildItem HKCR: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'VIPRE BUSINESS AGENT') { $_.PsPath} } | Remove-Item  

Get-ChildItem HKCU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'VIPRE BUSINESS AGENT') { $_.PsPath} } | Remove-Item 

Get-ChildItem HKU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'VIPRE BUSINESS AGENT') { $_.PsPath} } | Remove-Item  

}

$bytes = [System.Text.Encoding]::Unicode.GetBytes($code)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -executionpolicy bypass -noprofile -noexit -verb runas -encodedCommand $encodedCommand

The PowerShell script now seems to at least try to run, but then throws an error:

-verb : The term '-verb' is not recognized as the name of a cmdlet,function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1
+ -verb runas -encodedCommand DQAKACAAIAAgAA0ACgAjACAAVABoAGkAcwAgAHMAZ ...
+ ~~~~~
    + CategoryInfo          : ObjectNotFound: (-verb:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

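I tried removing -verb from the top and bottom of the script, which causes PowerShell to tell me that some command needs to follow RUNAS.

2 answers:

Answer 0 (score: 0)

This works - but I don't know what the first if statement is supposed to do: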

    # This section launches Powershell as Admin


if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }


$code = {
    Read-Host 'Press ENTER'
    Press ENTER:

    # This section uninstalls Vipre from the program files

    $app = Get-WmiObject -Class Win32_Product | Where-Object { 
        $_.Name -match 'VIPRE BUSINESS AGNET'  ##Typo 'AGNET'?
    }

    $app.Uninstall()

    Read-Host 'Press ENTER'
    Press ENTER:

    # This section searches the Registry for all instances of Vipre and VIPRE BUSINESS AGENT and deletes them

    Get-ChildItem HKLM: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'Vipre') { $_.PsPath} } | Remove-Item  

    Get-ChildItem HKCR: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'Vipre') { $_.PsPath} } | Remove-Item  

    Get-ChildItem HKCU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'Vipre') { $_.PsPath} } | Remove-Item 

    Get-ChildItem HKU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'Vipre') { $_.PsPath} } | Remove-Item    


    Get-ChildItem HKLM: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'VIPRE BUSINESS AGENT') { $_.PsPath} } | Remove-Item  

    Get-ChildItem HKCR: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'VIPRE BUSINESS AGENT') { $_.PsPath} } | Remove-Item  

    Get-ChildItem HKCU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'VIPRE BUSINESS AGENT') { $_.PsPath} } | Remove-Item 

    Get-ChildItem HKU: -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match 'VIPRE BUSINESS AGENT') { $_.PsPath} } | Remove-Item  

    Read-Host 'Press ENTER'
    Press ENTER:
}

$bytes = [System.Text.Encoding]::Unicode.GetBytes($code)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -executionpolicy bypass -noprofile -noexit -verb runas -encodedCommand $encodedCommand

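Answer 1 (score: 0)

Dude, sorry, but your code is a mess...

A few comments:

1. This is not the proper way to execute PowerShell code... save the code text to a .PS1 file and then execute it on the remote computer like this: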

powershell -ExecutionPolicy Bypass -NoProfile -File \\share\script.ps1

2. If you want to check for admin privileges, do it inside the code,

if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))

{
  ## if the user is admin the code will be executed
}

else
{
throw "This code must be run with admin privileges"
}

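3. Use the Get-WmiObject -Filter parameter - it will be much faster than Where-Object

# WQL string literals take single quotes, with the % wildcards inside them
$App = Get-WmiObject -Class Win32_Product -Filter "Name LIKE '%VIPRE BUSINESS AGENT%'"
if ($App)
{
    $App.Uninstall()
}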

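4. Don't search the whole registry for this key; as Ansgar suggested, check with the vendor for the specific keys. See chapter four, "Remove the registry entries for the VIPRE agent", on the vendor's site at the following link: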

https://support.threattracksecurity.com/support/solutions/articles/1000070667-how-to-manually-remove-a-vipre-business-agent
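
An added example, not part of the original question or answers: one way to combine the points above in a single .ps1 file, assuming PowerShell 3.0 or later. It elevates through Start-Process (where -Verb RunAs is a valid parameter), keeps errors in a transcript instead of a window that closes, and inspects only the standard Uninstall keys, with a dry run by default. The `VIPRE` name pattern comes from the question; the log path and the `-Apply` switch are assumptions made for the example.

```powershell
# Added example, not code from the original posts. Save as a .ps1 file.
param(
    [switch]$Apply    # hypothetical switch: without it, nothing is deleted
)

$namePattern = 'VIPRE'                          # display-name substring from the question
$logPath     = "$env:TEMP\av-removal.log"       # hypothetical log location

# -Verb belongs to Start-Process, not to powershell.exe, so elevation has to
# go through Start-Process. -NoExit keeps the elevated window open afterwards.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $argList = @('-NoProfile', '-NoExit', '-ExecutionPolicy', 'Bypass',
                 '-File', "`"$PSCommandPath`"")
    if ($Apply) { $argList += '-Apply' }
    Start-Process powershell.exe -Verb RunAs -ArgumentList $argList
    exit
}

# Everything written to the console, errors included, is kept in the log.
Start-Transcript -Path $logPath -Append | Out-Null

# Look only under the standard per-machine Uninstall keys (64-bit and 32-bit
# views) instead of walking every hive.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$found = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.DisplayName -like "*$namePattern*") {
            [pscustomobject]@{
                Name            = $props.DisplayName
                Key             = $_.PSPath
                UninstallString = $props.UninstallString
            }
        }
    }
}
$found | Format-List

# Entries still present after the vendor uninstaller has run are removed only
# with -Apply; otherwise -WhatIf prints what would be deleted.
foreach ($entry in $found) {
    Remove-Item -Path $entry.Key -Recurse -WhatIf:(-not $Apply)
}

Stop-Transcript | Out-Null
```

Run it once without `-Apply` and read the transcript before deleting anything; vendor-specific keys outside the Uninstall branches still have to come from the vendor's removal article linked above.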