koorosh-soft
چهارشنبه 11 آبان 1390, 01:22 صبح
سلام دوستان
چه جوری میشه از داخل یه متن مثلا این :
</div>
<div id="ctl00_cphMainContent_pnlPrevention">
<span><a class='descriptor'><strong>Minimum scan engine: </strong></a>8.900<br /><a class='descriptor'><strong>First VSAPI Pattern File: </strong></a>7.958.07<br /><a class='descriptor'><strong>First VSAPI Pattern Release Date: </strong></a>08 Apr 2011<br /><div><p><b>Step 1</b></p><p><u>For Windows ME and XP users</u>, before doing any scans, please make sure you <a href="http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VNAME=Disabling%2FEnabling+System+Res tore&Page" target="_blank">disable <i>System Restore</i></a> to allow full scanning of your computer.</p></div><div><p><b>Step 2</b></p><p>Identify and delete files detected as WORM_RIMECUD.CP using either the Startup Disk or Recovery Console <div id="Step2">[ <a href="#" onClick='javascript: return showHide("Step2-close","Step2Info","Step2");' title="This solution provides a basic guide in removing unwanted AUTORUN.INF files/content that are added by malware.">Learn more</a> ]</div><div id="Step2-close" style="display:none">[ <a href="#" onClick='javascript: return showHide("Step2-close","Step2Info","Step2");' title="Close ">Back</a> ]</div><div id="Step2Info" style="display:none; padding:10px; border: dotted 1px Gray; "><p><i>To identify and delete the malware/grayware/spyware file:</i></p> <p>• For <u>Windows 98 and ME</u> systems users:</p> <ol> <li>Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware/spyware files detected.</li> <li>Click Start>Settings>Control Panel.</li> <li>In the Control Panel, double-click <i>Add/Remove Programs</i>. Click on the Startup Disk tab.</li> <li>Insert a working floppy disk and the Windows installation CD, and then click the Create Disk button to create the Startup Disk. Note that this deletes the contents of the floppy disk.</li> <li>Restart the system with the Startup Disk. </li> <li>In the command prompt, locate the folder where the malware files are detected.</li> <li>In the folder, type the following and press Enter:<br> <b>del {Malware/Grayware/Spyware file name}</b></li> <li>Restart the system normally.</li> </ol> <p>• For <u>Windows NT, 2000, XP, Server 2003, and Vista</u> systems users:</p> <ol> <li>Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware/spyware files detected.</li> <li>Insert your Windows Installation CD in your CD-rom.</li> <li>Press the restart button of your computer.</li> <li>When prompted, press any key to boot from the CD.</li> <li>When prompted on the Main Menu, type <b>r</b> to enter the recovery console.<br> (Note: On Windows 2000, after pressing <b>r</b>, type <b>c</b> to choose the Recovery Console in the repair options screen.)</li> <li>When prompted, type your administrator password to log on.</li> <li>Once logged in, type the drive that contains Windows in the command prompt that appears, then press Enter.</li> <li>Type the drive that contains Windows, then press Enter.</li> <li>Type the following, then press Enter:<br> <b>del {Malware/Grayware/Spyware path and file name}</b></li> <li>Repeat the above procedure for all files detected earlier.</li> <li>Type <b>exit</b> to restart the system normally.</li> </ol></div></p></div><div><p><b>Step 3</b></p><p><!-- ########## Removing-Added-Registry-Entries ########## do not remove/edit this tag--> Delete this registry value <div id="Step3">[ <a href="#" onClick='javascript: return showHide("Step3-close","Step3Info","Step3");' title="This step allows you to delete the registry value created by the malware.">Learn more</a> ]</div><div id="Step3-close" style="display:none">[ <a href="#" onClick='javascript: return showHide("Step3-close","Step3Info","Step3");' title="Close ">Back</a> ]</div> <p><b><font color="red">Important:</font></b> Editing the <i>Windows Registry</i> incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this <a href="http://support.microsoft.com/kb/256986/EN-US/" target="_blank">Microsoft article</a> first before modifying your computer"s registry.</p> <!--OPTIONAL <p><b>*Note:</b> You need the value of the CLSID key from Step {step # here}.</p> --> <br> </font><ul><li> In <i>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</i><ul style='list-style-type:circle'><li><b>Taskman = %User Profile%\{random characters}.exe</b></li></ul></ul><div id="Step3Info" style="display:none; padding:10px; border: dotted 1px Gray; "><!-- ########## Removing Autostart Entries from the Registry - Known Registry Name ########## --> <p><i>To delete the registry value this malware created:</i></p> <ol> <li>Open Registry Editor. To do this, click Start>Run, type <i>regedit</i> in the text box provided, then press Enter.</li> <li> In the left panel of the Registry Editor window, double-click the following:<br> HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon </li><li> In the right panel, locate and delete the entry:<br> <b>Taskman = %User Profile%\{random characters}.exe</b> </li> </li><li>Close Registry Editor.</li></ol> <!--Supplement: Use only when applicable. Suggest after the removal of ALL autostart entries.--></div></p></div><div><p><b>Step 4</b></p><p>Search and delete <i>AUTORUN.INF</i> files created by WORM_RIMECUD.CP that contain these strings <div id="Step4">[ <a href="#" onClick='javascript: return showHide("Step4-close","Step4Info","Step4");' title="This solution provides a basic guide in removing unwanted AUTORUN.INF files/content that are added by malware.">Learn more</a> ]</div><div id="Step4-close" style="display:none">[ <a href="#" onClick='javascript: return showHide("Step4-close","Step4Info","Step4");' title="Close ">Back</a> ]</div> <b><blockquote>[AutoRun]<br>USEAUTOPLAY=1<br>shellexcute=crnizec/webnovac.exe<br>Shellgori<br>shell\Explore\command=crnizec/webnovac.exe<br>shell\Open\command=crnizec/webnovac.exe<br>icon=crnizec/webnovac.exe<br>open=crnizec/webnovac.exe<br>action=Open folder to view files using Windows Explorer</blockquote></b><div id="Step4Info" style="display:none; padding:10px; border: dotted 1px Gray; "><p><i>To identify and delete</i> AUTORUN.INF <i>files created:</i></p> <ol> <li>Right-click the <i>Start</i> button then choose <i>Search...</i> or <i>Find...</i>, depending on the version of Windows you are running.</li> <li>In the Named input box, type:<br> <b>AUTORUN.INF</b></li> <li>In the <i>Look in:</i> drop-down list, select a drive, then press Enter.</li> <li>Select the file, then open using <i>Notepad</i>.</li> <li>Check if the following lines are present in the file:<br> <b><b>[AutoRun]<br>USEAUTOPLAY=1<br>shellexcute=crnizec/webnovac.exe<br>Shellgori<br>shell\Explore\command=crnizec/webnovac.exe<br>shell\Open\command=crnizec/webnovac.exe<br>icon=crnizec/webnovac.exe<br>open=crnizec/webnovac.exe<br>action=Open folder to view files using Windows Explorer</b></b></li> <li>If the lines are present, delete the file.</li> <li>Repeat steps 3 to 6 for the remaining <i>AUTORUN.INF</i> files in other remaining removable drives.</li> <li>Close <i>Search Results</i>.</li> </ol></div></p></div><div><p><b>Step 5</b></p><p>Search and delete this folder <div id="Step5">[ <a href="#" onClick='javascript: return showHide("Step5-close","Step5Info","Step5");' title="This step allows you to search and delete the folder created by this malware/grayware/spyware.">Learn more</a> ]</div><div id="Step5-close" style="display:none">[ <a href="#" onClick='javascript: return showHide("Step5-close","Step5Info","Step5");' title="Close ">Back</a> ]</div> Please make sure you check the <i>Search Hidden Files and Folders</i> checkbox in the More advanced options option to include all hidden folders in the search result.<br> <ul><li>{drive letter}:\crnizec</li></ul><div id="Step5Info" style="display:none; padding:10px; border: dotted 1px Gray; "><!-- ########## Deleting the Malware Folder(s) - Known Folder Name ########## --> <p><i>To delete the malware/grayware/spyware folder:</i></p> <ol> <li>Right-click Start then click <i>Search...</i> or <i>Find...</i>, depending on the version of Windows you are running.</li> <li>In the Named input box, type:<br> <b><ul> <ul><li><b>{drive letter}:\crnizec</b></li></ul> </ul></b> <li>In the <i>Look In</i> drop-down list, select <i>My Computer</i>, then press Enter.</li> <li>Once located, select the folder then press SHIFT+DELETE to permanently delete the folder.</li> </ol></div></p></div><div><p><b>Step 6</b></p><p>Scan your computer with your Trend Micro product to delete files detected as WORM_RIMECUD.CP If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this <a href="https://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1035847&id=EN-1035847" target="_blank">Knowledge Base page</a> for more information.<br></p></div><br/><a id="surveylink1" href="/archive/survey/survey.asp?sourcetype=2&vname=WORM_RIMECUD.CP" class="threatencyclopedialinks" target="_blank" rel="floatbox" rev="width:595 height:600 scrollbar=yes" style="color:#5091CD; font-weight: bold;">Did this description help? Tell us how we did.</a></span>
</div>
<div class="closepanel">
<a href='#' onclick='javascript: return showHide("Solution2","SolutionInfo","Solution1");' title='Close'>
<img src="/css/us/images/VEimages/closepanel.jpg" border="0"/></a>
</div>
</div>
<div class="separatorbottom"></div>
</div>
</div>
<div id="ctl00_cphMainContent_dvInfoSection" style="font-size:12px"><a class='descriptor'><strong>Analysis By: </strong></a>Karl Dominguez<br /></div>
</div>
</div>
یک سری تکست ها رو جدا کرد مثلا open=crnizec/webnovac.exe رو بریزیم تو یه متغیر ! :متفکر: یا چیز های دیگه منظور اینه که یه عبارت مثل : open=XXXXX رو از متن جدا کنیم که طول و نوع X ها معلوم نیست
چه جوری میشه از داخل یه متن مثلا این :
</div>
<div id="ctl00_cphMainContent_pnlPrevention">
<span><a class='descriptor'><strong>Minimum scan engine: </strong></a>8.900<br /><a class='descriptor'><strong>First VSAPI Pattern File: </strong></a>7.958.07<br /><a class='descriptor'><strong>First VSAPI Pattern Release Date: </strong></a>08 Apr 2011<br /><div><p><b>Step 1</b></p><p><u>For Windows ME and XP users</u>, before doing any scans, please make sure you <a href="http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VNAME=Disabling%2FEnabling+System+Res tore&Page" target="_blank">disable <i>System Restore</i></a> to allow full scanning of your computer.</p></div><div><p><b>Step 2</b></p><p>Identify and delete files detected as WORM_RIMECUD.CP using either the Startup Disk or Recovery Console <div id="Step2">[ <a href="#" onClick='javascript: return showHide("Step2-close","Step2Info","Step2");' title="This solution provides a basic guide in removing unwanted AUTORUN.INF files/content that are added by malware.">Learn more</a> ]</div><div id="Step2-close" style="display:none">[ <a href="#" onClick='javascript: return showHide("Step2-close","Step2Info","Step2");' title="Close ">Back</a> ]</div><div id="Step2Info" style="display:none; padding:10px; border: dotted 1px Gray; "><p><i>To identify and delete the malware/grayware/spyware file:</i></p> <p>• For <u>Windows 98 and ME</u> systems users:</p> <ol> <li>Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware/spyware files detected.</li> <li>Click Start>Settings>Control Panel.</li> <li>In the Control Panel, double-click <i>Add/Remove Programs</i>. Click on the Startup Disk tab.</li> <li>Insert a working floppy disk and the Windows installation CD, and then click the Create Disk button to create the Startup Disk. Note that this deletes the contents of the floppy disk.</li> <li>Restart the system with the Startup Disk. </li> <li>In the command prompt, locate the folder where the malware files are detected.</li> <li>In the folder, type the following and press Enter:<br> <b>del {Malware/Grayware/Spyware file name}</b></li> <li>Restart the system normally.</li> </ol> <p>• For <u>Windows NT, 2000, XP, Server 2003, and Vista</u> systems users:</p> <ol> <li>Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware/spyware files detected.</li> <li>Insert your Windows Installation CD in your CD-rom.</li> <li>Press the restart button of your computer.</li> <li>When prompted, press any key to boot from the CD.</li> <li>When prompted on the Main Menu, type <b>r</b> to enter the recovery console.<br> (Note: On Windows 2000, after pressing <b>r</b>, type <b>c</b> to choose the Recovery Console in the repair options screen.)</li> <li>When prompted, type your administrator password to log on.</li> <li>Once logged in, type the drive that contains Windows in the command prompt that appears, then press Enter.</li> <li>Type the drive that contains Windows, then press Enter.</li> <li>Type the following, then press Enter:<br> <b>del {Malware/Grayware/Spyware path and file name}</b></li> <li>Repeat the above procedure for all files detected earlier.</li> <li>Type <b>exit</b> to restart the system normally.</li> </ol></div></p></div><div><p><b>Step 3</b></p><p><!-- ########## Removing-Added-Registry-Entries ########## do not remove/edit this tag--> Delete this registry value <div id="Step3">[ <a href="#" onClick='javascript: return showHide("Step3-close","Step3Info","Step3");' title="This step allows you to delete the registry value created by the malware.">Learn more</a> ]</div><div id="Step3-close" style="display:none">[ <a href="#" onClick='javascript: return showHide("Step3-close","Step3Info","Step3");' title="Close ">Back</a> ]</div> <p><b><font color="red">Important:</font></b> Editing the <i>Windows Registry</i> incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this <a href="http://support.microsoft.com/kb/256986/EN-US/" target="_blank">Microsoft article</a> first before modifying your computer"s registry.</p> <!--OPTIONAL <p><b>*Note:</b> You need the value of the CLSID key from Step {step # here}.</p> --> <br> </font><ul><li> In <i>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</i><ul style='list-style-type:circle'><li><b>Taskman = %User Profile%\{random characters}.exe</b></li></ul></ul><div id="Step3Info" style="display:none; padding:10px; border: dotted 1px Gray; "><!-- ########## Removing Autostart Entries from the Registry - Known Registry Name ########## --> <p><i>To delete the registry value this malware created:</i></p> <ol> <li>Open Registry Editor. To do this, click Start>Run, type <i>regedit</i> in the text box provided, then press Enter.</li> <li> In the left panel of the Registry Editor window, double-click the following:<br> HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon </li><li> In the right panel, locate and delete the entry:<br> <b>Taskman = %User Profile%\{random characters}.exe</b> </li> </li><li>Close Registry Editor.</li></ol> <!--Supplement: Use only when applicable. Suggest after the removal of ALL autostart entries.--></div></p></div><div><p><b>Step 4</b></p><p>Search and delete <i>AUTORUN.INF</i> files created by WORM_RIMECUD.CP that contain these strings <div id="Step4">[ <a href="#" onClick='javascript: return showHide("Step4-close","Step4Info","Step4");' title="This solution provides a basic guide in removing unwanted AUTORUN.INF files/content that are added by malware.">Learn more</a> ]</div><div id="Step4-close" style="display:none">[ <a href="#" onClick='javascript: return showHide("Step4-close","Step4Info","Step4");' title="Close ">Back</a> ]</div> <b><blockquote>[AutoRun]<br>USEAUTOPLAY=1<br>shellexcute=crnizec/webnovac.exe<br>Shellgori<br>shell\Explore\command=crnizec/webnovac.exe<br>shell\Open\command=crnizec/webnovac.exe<br>icon=crnizec/webnovac.exe<br>open=crnizec/webnovac.exe<br>action=Open folder to view files using Windows Explorer</blockquote></b><div id="Step4Info" style="display:none; padding:10px; border: dotted 1px Gray; "><p><i>To identify and delete</i> AUTORUN.INF <i>files created:</i></p> <ol> <li>Right-click the <i>Start</i> button then choose <i>Search...</i> or <i>Find...</i>, depending on the version of Windows you are running.</li> <li>In the Named input box, type:<br> <b>AUTORUN.INF</b></li> <li>In the <i>Look in:</i> drop-down list, select a drive, then press Enter.</li> <li>Select the file, then open using <i>Notepad</i>.</li> <li>Check if the following lines are present in the file:<br> <b><b>[AutoRun]<br>USEAUTOPLAY=1<br>shellexcute=crnizec/webnovac.exe<br>Shellgori<br>shell\Explore\command=crnizec/webnovac.exe<br>shell\Open\command=crnizec/webnovac.exe<br>icon=crnizec/webnovac.exe<br>open=crnizec/webnovac.exe<br>action=Open folder to view files using Windows Explorer</b></b></li> <li>If the lines are present, delete the file.</li> <li>Repeat steps 3 to 6 for the remaining <i>AUTORUN.INF</i> files in other remaining removable drives.</li> <li>Close <i>Search Results</i>.</li> </ol></div></p></div><div><p><b>Step 5</b></p><p>Search and delete this folder <div id="Step5">[ <a href="#" onClick='javascript: return showHide("Step5-close","Step5Info","Step5");' title="This step allows you to search and delete the folder created by this malware/grayware/spyware.">Learn more</a> ]</div><div id="Step5-close" style="display:none">[ <a href="#" onClick='javascript: return showHide("Step5-close","Step5Info","Step5");' title="Close ">Back</a> ]</div> Please make sure you check the <i>Search Hidden Files and Folders</i> checkbox in the More advanced options option to include all hidden folders in the search result.<br> <ul><li>{drive letter}:\crnizec</li></ul><div id="Step5Info" style="display:none; padding:10px; border: dotted 1px Gray; "><!-- ########## Deleting the Malware Folder(s) - Known Folder Name ########## --> <p><i>To delete the malware/grayware/spyware folder:</i></p> <ol> <li>Right-click Start then click <i>Search...</i> or <i>Find...</i>, depending on the version of Windows you are running.</li> <li>In the Named input box, type:<br> <b><ul> <ul><li><b>{drive letter}:\crnizec</b></li></ul> </ul></b> <li>In the <i>Look In</i> drop-down list, select <i>My Computer</i>, then press Enter.</li> <li>Once located, select the folder then press SHIFT+DELETE to permanently delete the folder.</li> </ol></div></p></div><div><p><b>Step 6</b></p><p>Scan your computer with your Trend Micro product to delete files detected as WORM_RIMECUD.CP If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this <a href="https://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1035847&id=EN-1035847" target="_blank">Knowledge Base page</a> for more information.<br></p></div><br/><a id="surveylink1" href="/archive/survey/survey.asp?sourcetype=2&vname=WORM_RIMECUD.CP" class="threatencyclopedialinks" target="_blank" rel="floatbox" rev="width:595 height:600 scrollbar=yes" style="color:#5091CD; font-weight: bold;">Did this description help? Tell us how we did.</a></span>
</div>
<div class="closepanel">
<a href='#' onclick='javascript: return showHide("Solution2","SolutionInfo","Solution1");' title='Close'>
<img src="/css/us/images/VEimages/closepanel.jpg" border="0"/></a>
</div>
</div>
<div class="separatorbottom"></div>
</div>
</div>
<div id="ctl00_cphMainContent_dvInfoSection" style="font-size:12px"><a class='descriptor'><strong>Analysis By: </strong></a>Karl Dominguez<br /></div>
</div>
</div>
یک سری تکست ها رو جدا کرد مثلا open=crnizec/webnovac.exe رو بریزیم تو یه متغیر ! :متفکر: یا چیز های دیگه منظور اینه که یه عبارت مثل : open=XXXXX رو از متن جدا کنیم که طول و نوع X ها معلوم نیست