Batch file to delete local profiles

By leif.lynch
I'm in the army and I'm currently working on a batch file that would do all the steps to remove a worm that keeps showing up at a training site.
I'm stuck at the part that would either A: delete all local user profiles from the system, which would eliminate one of the files the worm uses to launch, or B: a script that would navigate to
C:\Documents and Settings\user.name\Local Settings\Application Data\Spool.exe for every user on the computer.

Being as Local Settings is a hidden file, I'm sure I would need to disable the hidden attribute, then possibly re-enable it on the system, so if you could include that in the script that would be wonderful.

Thanks


All Answers


Removal instructions:

This might help in your situation depending on the type of worm you have got.

Removal instructions:

If your system is infected with the worm first please download this REG file and install it (by double-clicking on it):

ftp://ftp.europe.f-secure.com/anti-virus/tools/sirc_dis.reg

This will remove the worm's reference from the EXE file startup key and the main worm's startup key in the Registry.

Warning! The system might become unusable if the worm's file is deleted without modifying the EXE file startup key first.

After that the system can be safely disinfected with F-Secure Anti-Virus. If for some reason the worm's file can't be deleted from Windows (locked file), then you have to exit to pure DOS and delete the worm's file manually, or use a DOS-based scanner (F-Prot for DOS, for example). Note that for 100% disinfection all of the worm's files need to be deleted and the Registry should be fixed (see above).

Additional Note: If a workstation was infected through a network share, '\windows\run32.exe' has to be renamed back to '\windows\rundll32.exe' after disinfection.

The extra line in 'autoexec.bat' file that starts the worm from \recycled\ folder should be removed also.

Network infection prevention:

If a network is infected and it is not possible to take it down to disinfect all workstations, the following method can prevent the worm from spreading to clean workstations:

In the \Recycled\ folder of the drive where Windows is installed, create a dummy file named SIRC32.EXE with the read-only attribute.
More here:
http://www.f-secure.com/v-descs/sircam.shtml


Please post back if you have any more problems or questions.
If this information is useful, please mark as helpful. Thanks.


I know the removal

by leif.lynch In reply to Removal instructions:

I know which registry keys to delete and which ones to edit back to the original values. I'm not asking how to remove the worm. The worm is w32.mandaph; it spreads through removable media and networked drives. Though none of these systems have network drives set up on them, they do have multiple instructors that have contracted the worm onto their flash drives and brought it home to infect their home systems also. We have taken all the steps to ensure that the unused USB ports are not operable.

What I am asking for is a batch file to do what I stated earlier, so I can merge it into a larger batch file that will remove every aspect of the worm being there, both file and registry.

Thank you

It's not always that simple

by Jacky Howe In reply to Batch file to delete local ...

For a start I don't think that you will be able to modify the Registry with a batch file while the virus is active, as all you will get is "open with" and an error.

Luckily the virus doesn't edit the registry entry for "run as", so it's possible to correct this situation.

First go to the location C:\WINDOWS
You'll find a file named regedit.exe.
Right click on the file and select run as; you can actually run any file this way but it's cumbersome, so we'll fix it.
Unselect the option "Protect my computer and data....."
Your regedit is open.

I don't like your chances but you are welcome to try these on a test PC, as you will probably have to modify them to suit.

One of these two should work to remove it from the Registry; you will have to test them. Name it del.reg.
<br><br>
Windows Registry Editor Version 5.00

; Variant 1: "@=-" removes the (Default) value of the command key
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=-

Windows Registry Editor Version 5.00

; Variant 2: a leading "-" on the key name deletes the whole command key;
; add.reg (below) recreates it with the correct value
[-HKEY_CLASSES_ROOT\exefile\shell\open\command]

This will add the right syntax to the Registry, name it add.reg

Windows Registry Editor Version 5.00

; Restore the default handler so .exe files run again
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

This is how the batch file is structured EXAMPLE:

@echo on
rem %~dp0 is the folder the batch file is in, so the .reg files are found there
regedit /s "%~dp0del.reg"
goto s2

:S2
regedit /s "%~dp0add.reg"
goto s3

:S3
C:
del /f /q C:\WINDOWS\system32\drivers\spools.exe
goto s4

:S4
C:
rem User will have to log on for it to work.
del /f /q "%USERPROFILE%\Local Settings\Application Data\Spool.exe"

OR

cd /d "C:\Documents and Settings"
rem Could be dangerous if you make a mistake. /a also matches hidden files.
del /s /q /f /a spools.exe
goto end
:END
<br><br>
Some anti virus programs are able to delete the virus but do not change the registry entry, leading to a situation where none of the programs can run. Opening any program gives the "open with" options.

NOTE: The virus when present in the system prevents the installation of most anti viruses.

http://midnight-freak.blogspot.com/2008/06/w32mandaph-spoolsexe-cftmonexe.html

I have just checked Symantec's site and it has a few more registry entries that may need to be modified.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=3

This is how I would do it, and once it is under control I would install MalwareBytes. Update it and run it in Safe Mode.

From another PC download and install these two programs and copy the installed folders to a USB Stick.

Restart the PC in Safe Mode and run Sophos and then run Spybot.

Download Spybot - Search & Destroy 1.5.2 and install it. Update it. http://www.safer-networking.org/en/download/index.html

Download Sophos and the latest IDE Files. Install it and extract the IDE files to the C:\SAV32CLI folder.

http://www.sophos.com/support/knowledgebase/article/13251.html

Copy and paste the below two lines into Notepad and save the file to the USB Stick as sophos.bat; it will scan and remove. When the scan has finished, check the log file to see what it hasn't removed. You will normally find the answer to this via Google.

===============================
CD SAV32CLI
SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT
===============================

The Sophos SAV32CLI folder can be safely deleted after it is copied to USB.

Download Malwarebytes Anti-Malware, install it and update it and scan the PC in Safe Mode.
http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

(edit to add goto end)

Keep us informed as to your progress if you require further assistance.

If you think that any of the posts that have been made by all TR Members have solved or contributed to solving the problem, please mark them as Helpful so that others may benefit from the outcome.
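A fuller version of the profile clean-up step for the original question (every local profile, not only the logged-on user, with the hidden attribute cleared first), as an added example that is not code from either poster. It assumes Windows XP-style profile paths as given in the question, administrator rights, taskkill being available, and an add.reg like the one above sitting beside the script.

```batch
@echo off
rem Added example (not from the original posts): delete the worm's per-profile
rem copy of Spool.exe from every local profile and clear the hidden/system/
rem read-only attributes that would otherwise make del fail.
rem Assumes XP-style profile paths, admin rights, and add.reg beside this file.
setlocal
set "PROFILES=C:\Documents and Settings"
set "RELPATH=Local Settings\Application Data\Spool.exe"

rem Put the .exe association back first, so programs still launch once the
rem handler's target file is gone (see the warning in the replies above).
regedit /s "%~dp0add.reg"

rem Stop running copies so their files are no longer locked.
taskkill /f /im spools.exe >nul 2>&1
taskkill /f /im Spool.exe >nul 2>&1

rem dir /b /ad lists every profile directory, hidden ones included.
for /f "delims=" %%P in ('dir /b /ad "%PROFILES%"') do (
    if exist "%PROFILES%\%%P\%RELPATH%" (
        attrib -h -s -r "%PROFILES%\%%P\%RELPATH%"
        del /f /q "%PROFILES%\%%P\%RELPATH%"
        if exist "%PROFILES%\%%P\%RELPATH%" (
            echo STILL PRESENT: "%PROFILES%\%%P\%RELPATH%"
        ) else (
            echo removed: "%PROFILES%\%%P\%RELPATH%"
        )
    )
)

rem The system-wide copy named in the reply above.
set "DRV=C:\WINDOWS\system32\drivers\spools.exe"
if exist "%DRV%" (
    attrib -h -s -r "%DRV%"
    del /f /q "%DRV%"
)
endlocal
```

Any path still reported as STILL PRESENT is locked by a running process; boot to Safe Mode (as the reply suggests) and run the script again.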
