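' Detection and removal script for the netwatch.exe / cnfrm.exe infection.
'
' Phase 1 (read-only): look for the three Run values, the two process names
' and the five dropped files, and build a report.
' Phase 2 (only after the user answers Yes): terminate the processes, delete
' the files and remove the Run values that matched.
'
' Changes from the original:
'   * Nothing is terminated or deleted before the user has confirmed.
'   * The running-process report uses Process.Name (the original referenced
'     an undefined variable "name", so the report line had no process name).
'   * Error suppression is scoped to the individual calls that are expected
'     to fail, instead of one global On Error Resume Next. Under the global
'     handler a failed WMI call would fall through into the loop body and
'     record a "found running" hit that was never actually observed.
'   * If the Windows directory cannot be determined the script stops; the
'     original would have built paths such as "\netwatch.exe" and force-deleted
'     them relative to the current drive.
'   * Only Run values whose data was verified are deleted; values with the
'     same name but different data are reported for manual review.
Option Explicit

Const RUN_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"
Const PROCESS_QUERY = "select * from Win32_Process where name='netwatch.exe' OR name = 'cnfrm.exe'"

Dim WshShell, FSO, SystemRoot, bInfected, strMessage, strNotes, strFailed
Dim MyFile(4), RunName(2), RunData(2), RunLabel(2), RunFound(2)
Dim Processes, Process, tmpfile, I, X, Y

Set WshShell = WScript.CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")

bInfected = False
strNotes = ""
strFailed = ""

' Resolve the Windows directory: registry first, environment as a fallback.
SystemRoot = ReadRegString("HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot")
If SystemRoot = "" Then SystemRoot = WshShell.ExpandEnvironmentStrings("%SystemRoot%")

' ExpandEnvironmentStrings hands back the input unchanged when the variable
' is not defined, so a leftover "%" also means "unknown".
If SystemRoot = "" Or InStr(SystemRoot, "%") > 0 Then
    MsgBox "Unable to determine the Windows directory; no changes were made.", vbExclamation, "Scan aborted"
    WScript.Quit 1
End If

' File names checked for (and removed from) the Windows directory.
MyFile(0) = "netwatch.exe"
MyFile(1) = "eml.tmp"
MyFile(2) = "exe.tmp"
MyFile(3) = "zip.tmp"
MyFile(4) = "cnfrm.exe"

' Run values checked: value name, expected data, and the label used in the report.
RunName(0) = "NetWatch32" : RunData(0) = "%Windir%\netwatch.exe" : RunLabel(0) = "Netwatch.exe"
RunName(1) = "Cnfrm"      : RunData(1) = "%Windir%\cnfrm.exe"    : RunLabel(1) = "cnfrm.exe"
RunName(2) = "Cnfrm32"    : RunData(2) = "%Windir%\cnfrm.exe"    : RunLabel(2) = "cnfrm.exe"

strMessage = "The following indications of infection were found." & vbCr & vbCr

' --- Phase 1: detection (no changes are made to the system) -----------------

For I = 0 To UBound(RunName)
    X = ReadRegString(RUN_KEY & RunName(I))
    RunFound(I) = MatchesRunData(X, RunData(I))
    If RunFound(I) Then
        strMessage = strMessage & "Registry entry for " & RunLabel(I) & " found" & vbCr
        bInfected = True
    ElseIf X <> "" Then
        ' Same value name, different data: not verified, so it is only reported.
        strNotes = strNotes & "Run value " & RunName(I) & " exists with unexpected data (" & X & _
            ") - left in place, review manually" & vbCr
    End If
Next

Set Processes = FindProcesses()
If Processes Is Nothing Then
    strNotes = strNotes & "Running processes could not be queried through WMI" & vbCr
Else
    For Each Process In Processes
        strMessage = strMessage & Process.Name & " found running" & vbCr
        bInfected = True
    Next
End If

For I = 0 To UBound(MyFile)
    tmpfile = FSO.BuildPath(SystemRoot, MyFile(I))
    If FSO.FileExists(tmpfile) Then
        bInfected = True
        strMessage = strMessage & MyFile(I) & " found in " & SystemRoot & vbCr
    End If
Next

' --- Report, then Phase 2: removal (only with the user's consent) -----------

If Not bInfected Then
    strMessage = strMessage & "None"
    If strNotes <> "" Then strMessage = strMessage & vbCr & vbCr & strNotes
    MsgBox strMessage, 0, "Nothing found"
Else
    If strNotes <> "" Then strMessage = strMessage & vbCr & strNotes
    Y = MsgBox(strMessage & "Disinfect this system?", vbYesNo, "Infection Found")
    If Y = vbYes Then
        ' Stop the processes first so their files are not locked.
        Set Processes = FindProcesses()
        If Not Processes Is Nothing Then
            ' A process may have exited since the query; that is not an error here.
            On Error Resume Next
            For Each Process In Processes
                Process.Terminate 0
            Next
            Err.Clear
            On Error GoTo 0
        End If

        For I = 0 To UBound(MyFile)
            tmpfile = FSO.BuildPath(SystemRoot, MyFile(I))
            If FSO.FileExists(tmpfile) Then
                On Error Resume Next
                FSO.DeleteFile tmpfile, True   ' True = also delete read-only files
                If Err.Number <> 0 Then
                    strFailed = strFailed & tmpfile & " (" & Err.Description & ")" & vbCr
                    Err.Clear
                End If
                On Error GoTo 0
            End If
        Next

        For I = 0 To UBound(RunName)
            If RunFound(I) Then
                On Error Resume Next
                WshShell.RegDelete RUN_KEY & RunName(I)
                If Err.Number <> 0 Then
                    strFailed = strFailed & RUN_KEY & RunName(I) & " (" & Err.Description & ")" & vbCr
                    Err.Clear
                End If
                On Error GoTo 0
            End If
        Next

        ' Tell the user about anything that is still on the system.
        If strFailed <> "" Then
            MsgBox "The following items could not be removed:" & vbCr & vbCr & strFailed, _
                vbExclamation, "Disinfection incomplete"
        End If
    End If
End If

Set Processes = Nothing
Set WshShell = Nothing
Set FSO = Nothing

' Returns the registry value at strPath as a string, or "" when the value is
' missing, unreadable, or not convertible to a string.
Function ReadRegString(strPath)
    Dim value
    ReadRegString = ""
    On Error Resume Next
    value = WshShell.RegRead(strPath)
    If Err.Number = 0 Then ReadRegString = CStr(value)
    Err.Clear
    On Error GoTo 0
End Function

' True when strValue equals strExpected, compared case-insensitively, either
' literally or after environment-variable expansion. Both forms are accepted
' because the data may come back from RegRead with %Windir% already expanded.
Function MatchesRunData(strValue, strExpected)
    MatchesRunData = False
    If strValue = "" Then Exit Function
    If StrComp(strValue, strExpected, vbTextCompare) = 0 Then
        MatchesRunData = True
    ElseIf StrComp(strValue, WshShell.ExpandEnvironmentStrings(strExpected), vbTextCompare) = 0 Then
        MatchesRunData = True
    End If
End Function

' Returns the WMI result set for PROCESS_QUERY, or Nothing when WMI cannot be
' reached or the query fails.
Function FindProcesses()
    Dim result, n
    Set FindProcesses = Nothing
    On Error Resume Next
    Set result = GetObject("winmgmts:").ExecQuery(PROCESS_QUERY)
    ' Reading Count forces the query to be evaluated inside this guarded
    ' section rather than later, in the caller's For Each.
    If Err.Number = 0 Then n = result.Count
    If Err.Number = 0 Then Set FindProcesses = result
    Err.Clear
    On Error GoTo 0
End Function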