Can someone who knows way more than I assist me with the following script?
Ok, I know I'm asking for the world here... I've had some basic experience with VBScript prior to getting to where I am. On average I remove 3 to 4 malware programs running on remote systems every day and while I realize the futility of trying to scrub them clean... I do try to bring them back to being functional. For some time I've had the following idea that I'd like to do but it's beyond my skill.... Here's the pseudo code I have created:
Option Explicit
On Error Resume Next
Dim ScanFolder, ProcessInformation, ProcessFound, PID
Delete all files and folders in %temp%
' Including hidden files and folders
Search %temp% for EXE files
' Including hidden EXEs
IF EXE found THEN
    Taskkill EXE
    Delete EXE
ELSE
    Do nothing
END IF
Check Windows version
IF XP THEN
    ScanFolder = C:\Documents and Settings
ELSE
    ScanFolder = C:\Users
END IF
Search ScanFolder for EXE files ' Including hidden and system EXEs
FOR EACH EXE found
    ProcessFound = File.exe
    Get data on file
    ' Data here refers to Description, Image Path Name, Owner, Company
    ' Name, etc. Things that can help identify it.
    Get ProcessID
    PID = ProcessID
    ProcessInformation = Data
    Display "The following process was located: " & ProcessFound & ProcessInformation & " Would you like to delete the process? Warning: this cannot be undone! If you are unsure, please click Unsure to end the process."
    Prompt Yes, No, Unsure
    IF Yes THEN
        Taskkill PID
        Delete ProcessFound
        Display "Would you like to continue?"
        Prompt Yes, No
        IF Yes THEN
            Continue with next EXE file
        ELSE
            End script
        END IF
    ELSEIF No THEN
        Go to next EXE file
    ELSEIF Unsure THEN
        Taskkill PID
        Display "Did ending the process help?"
        Prompt Yes, No
        IF Yes THEN
            Delete ProcessFound
        ELSE
            Do nothing and continue with next EXE file
        END IF
    END IF
NEXT
Some VBScript Deity out there can assist in creating this... you will have made my productivity go through the roof and I will personally vouch for you at the gates of heaven ^_^ (does bribery work here???? lol)
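A report-only counterpart to the "get data on file" step in the pseudo code above, added here as an example and not code from the original post: it lists every running process whose image lives under %TEMP% or the user-profile root (picked by OS version the same way the pseudo code does) together with owner, command line, size, timestamp and hidden/system attributes, so an analyst can decide what to do before anything is killed or deleted. It assumes %TEMP% and %SystemDrive% are set and that it is run with cscript on the affected machine.

```vbscript
' Added example, not from the original post: inventory processes running from
' %TEMP% or the user-profile root and print identifying data. Report only;
' nothing is killed or deleted.
Option Explicit

Dim shell, fso, wmi, os, profileRoot, tempDir, proc, path, owner, domain, f, hits
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Set wmi = GetObject("winmgmts:\\.\root\cimv2")

' Assumes %TEMP% and %SystemDrive% are set. On XP, %TEMP% may be an 8.3
' short path (C:\DOCUME~1\...), which will not prefix-match a long path.
tempDir = LCase(shell.ExpandEnvironmentStrings("%TEMP%"))

' Same OS split as the pseudo code: version 5.x = XP/2003, 6.x and later = Vista+
profileRoot = LCase(shell.ExpandEnvironmentStrings("%SystemDrive%")) & "\users"
For Each os In wmi.ExecQuery("SELECT Version FROM Win32_OperatingSystem")
    If Left(os.Version, 2) = "5." Then
        profileRoot = LCase(shell.ExpandEnvironmentStrings("%SystemDrive%")) & "\documents and settings"
    End If
Next

hits = 0
For Each proc In wmi.ExecQuery("SELECT * FROM Win32_Process")
    path = LCase("" & proc.ExecutablePath)   ' Null for System/Idle, so guard it
    If path <> "" Then
        If InStr(path, tempDir) = 1 Or InStr(path, profileRoot) = 1 Then
            hits = hits + 1
            owner = "?" : domain = "?"
            If proc.GetOwner(owner, domain) <> 0 Then owner = "(unavailable)"
            WScript.Echo "PID " & proc.ProcessId & "  " & proc.Name
            WScript.Echo "  Path:    " & proc.ExecutablePath
            WScript.Echo "  Owner:   " & domain & "\" & owner
            WScript.Echo "  Command: " & proc.CommandLine
            If fso.FileExists(proc.ExecutablePath) Then
                Set f = fso.GetFile(proc.ExecutablePath)
                WScript.Echo "  Size: " & f.Size & " bytes, modified " & f.DateLastModified
                ' Hidden (2) or System (4) attribute on a profile-folder exe deserves a closer look
                If (f.Attributes And 6) <> 0 Then WScript.Echo "  Note: hidden/system attribute set"
            End If
        End If
    End If
Next
WScript.Echo hits & " process(es) running from temp or profile folders."
```

Run it as cscript //nologo triage.vbs and keep the output with the ticket; a process whose image sits in %TEMP% with the hidden attribute set is the kind of thing the pseudo code above would prompt on.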
Answers (2)
To be honest, much as dugullett said, this is highly unlikely to clean the machines. I don't see this saving you time and effort. It is just hiding the problem, and will make things worse in the long run. You have two general options to clean malware.
1. Reformat and redeploy. This is the guarantee. Often you will find if you take other steps, such as creating a standardized image and utilizing a good backup schema, this is the fastest way to deal with machines that get infected. You can greatly reduce the infection rate with good security products including antivirus, anti-malware, firewalls, network access control, IDS/IPS, etc.
2. We are IT professionals. We like to tinker with things. You can investigate the malware, and figure out how to remove it manually or with a program. With many infections, we can figure it out ourselves and get things clean to the point of reasonable mitigated risk. I've found Symantec writes some great automated removal tools and instructions that you can run as one-offs, or script.
My observation, however, is that you are past the reasonable tinkering stage if you are tired of doing it and at the point where you want to automate the removal. If that's the case, you are probably just wasting your time trying to write your own automated removal tools in an attempt to save time. The ways to save time are to find and shut down the sources of the infections (which if you are at the point of writing scripts to remove these things, I highly recommend you look for the source, as it is likely on your network, the result of policy violations, or the result of a lack of controls), and to use the professional resources out there to get you out of the malware removal business and back to your actual job.
Comments:
-
I tend to agree with both of you that just removing the EXEs is nowhere near a resolution. I'm not thinking it is. There's not much I can do about policy violations; I work for large pharma companies and their reps in the field. The aim of this script is not to 'clean' the system, but to bring the system back to some level of functionality. Someone higher up than I struck a deal and every laptop has McAfee installed. While this does limit some attacks, most people in the field do not keep their definitions up to date and/or simply don't care. The idea behind removing the EXE is to bring the system back to some level of use wherein an analyst or tech is able to remote in and update McAfee and install/run Malwarebytes... or whatever program is in vogue at the time. The idea that every laptop is to be mailed in, re-imaged, databases spooled from servers, etc. is not cost effective. I have to do these things (remove EXEs, update existing definitions, run scans, install more software if need be, run scans, etc.) prior to resorting to them shipping the laptops in. Which is why I was hoping to find a way to make it easier to do at least some part of the work.
But thanks for the replies. It's great that people are actually out there reading these requests! - Unreadhyperion 12 years ago
This could probably work, but I would be more afraid of what's being left on the machine after the executables are removed. A lot of malware starts itself back up; even if the exe is removed, it just creates a new one.
I would look into better scans on your AV. I also like to use http://www.malwarebytes.org/.