Try using pskill from Sysinternals to kill the process.

Jordan

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 07, 2004 9:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:logon script

The key keeps getting recreated as soon as I delete it, and the process won't let me kill it.
Any suggestions on how to automate the cleaning of such a worm without going to each PC?
What do you guys usually do when a bunch of PCs get infected? Do you send your staff to each individual PC?
Is there a way to kill a process remotely and subvert the "access denied" message? Can I run some utility that I can script which can kill a process no matter what?

Thanks

-----Original Message-----
From: Dale, Rick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 07, 2004 10:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:logon script

Tom,

I haven't tried this but it should work. Run this script, then kill the process that is running, then delete the file.

~~~~~~SCRIPT START~~~~~~
Option Explicit
' Option Explicit requires every variable to be declared.
Dim strComputer, oReg, strKeyPath, strValueName
Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "<INSERT COMPUTER HERE> <or . for local computer>"
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' Entries under Run are values, not subkeys, so use DeleteValue.
strKeyPath = "software\microsoft\windows\currentversion\run"
strValueName = "<NAME OF REGKEY>"
oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName
~~~~~SCRIPT END~~~~~~

HTH
Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, September 07, 2004 8:53 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:logon script

Hi,

I went on vacation and upon returning my network seems to have been infected with worm_sypbot.dn (Trend Micro's name).
I have about 50 PCs (Win2k/XP) infected, and even though my Symantec Corp defs are up to date, it can't clean the worm because it's already running in memory.
I know it creates a reg entry in hkey_local_machine\software\microsoft\windows\currentversion\run.
My question is, rather than go to 50 PCs and reboot in safe mode and do a scan, can someone point me to a good VBScript that I can run as a logon script to delete the reg entries? Unless someone out there has a better solution.

Thanks a lot

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
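
The clean-up order discussed in this thread (stop the running process first so it cannot rewrite the Run entry, then delete the entry, then check it stayed gone) applied to a list of PCs, as an added VBScript example that is not from any poster in the thread. The host names, WORM_PROCESS and WORM_VALUE are placeholders, and the script assumes an account with administrative rights and WMI reachable on each PC.

```vbscript
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const RUN_KEY = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
' Placeholders (assumptions): take the real names from your AV vendor's write-up.
Const WORM_PROCESS = "PLACEHOLDER.exe"
Const WORM_VALUE = "PLACEHOLDER_VALUE_NAME"

Dim arrComputers, strComputer
arrComputers = Array("PC-EXAMPLE-01", "PC-EXAMPLE-02") ' constructed host names

For Each strComputer In arrComputers
    WScript.Echo strComputer & ": " & CleanHost(strComputer)
Next

Function CleanHost(strHost)
    Dim oWmi, oReg, colProcs, oProc, rc, strData, intKilled
    On Error Resume Next
    ' (Debug) asks WMI to enable the debug privilege for this connection.
    Set oWmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Debug)}!\\" & _
        strHost & "\root\cimv2")
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strHost & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        CleanHost = "unreachable (" & Err.Description & ")"
        Exit Function
    End If
    On Error GoTo 0

    ' 1. Stop the running copy first so it cannot recreate the Run value.
    intKilled = 0
    Set colProcs = oWmi.ExecQuery( _
        "SELECT * FROM Win32_Process WHERE Name = '" & WORM_PROCESS & "'")
    For Each oProc In colProcs
        If oProc.Terminate() = 0 Then intKilled = intKilled + 1
    Next

    ' 2. Delete the value (not the key) under Run.
    rc = oReg.DeleteValue(HKEY_LOCAL_MACHINE, RUN_KEY, WORM_VALUE)

    ' 3. Re-read it: a zero return code means the value is present (again).
    If oReg.GetStringValue(HKEY_LOCAL_MACHINE, RUN_KEY, WORM_VALUE, strData) = 0 Then
        CleanHost = "value still present, killed=" & intKilled
    Else
        CleanHost = "cleaned, killed=" & intKilled & ", DeleteValue rc=" & rc
    End If
End Function
```

Run it with `cscript` from an administrative workstation; any host that reports "value still present" still has a live copy of the process and needs a follow-up pass or a hands-on visit.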
