This is something I used to clean the welchia (?) virus last year - call
it with the name of the process to kill and the name of the computer
(eg: CleanVirus("SVCHOST.EXE","computer01")).
It's case sensitive deliberately; I found that the virus process always
used SVCHOST in caps whereas normal processes were lower case. Having
killed the process, it deletes the file (which was always in
%windir%\system32\wins) and creates a dummy file to try and prevent
re-infection. If you know where the process is run from you could do
something similar. The file size check just prevents the dummy file from
being deleted if this is run again when the virus is not there.
Steve
Sub CleanVirus(sFile, sComputer)
    Dim oFso, oShell, objWMIService, colProcessList, objProcess
    Dim sWindir, sPath, oFile, sCmd
    ' Helper objects: the posted version used oFso/oShell without creating them
    Set oFso = CreateObject("Scripting.FileSystemObject")
    Set oShell = CreateObject("WScript.Shell")

    sWindir = "\\" & sComputer & "\admin$\"      ' admin$ maps to %windir% on the remote PC
    sPath = sWindir & "system32\wins\" & sFile   ' where the worm file always turned up

    Set objWMIService = GetObject("winmgmts:" & _
        "{impersonationLevel=impersonate}!\\" & sComputer & "\root\cimv2")
    ' WQL matching is case-insensitive; the Caption comparison below is what
    ' makes this case sensitive (VBScript's "=" on strings is a binary compare)
    Set colProcessList = objWMIService.ExecQuery("Select * from " & _
        "Win32_Process Where Name = '" & sFile & "'")
    For Each objProcess In colProcessList
        If objProcess.Caption = sFile Then
            WScript.Echo "Killing: " & sFile
            objProcess.Terminate
            WScript.Sleep 3000 ' give it time to die!
        End If
    Next

    If oFso.FileExists(sPath) Then
        Set oFile = oFso.GetFile(sPath)
        ' The size check stops a previously planted dummy file from being deleted
        If oFile.Size > 1000 Then
            oFile.Attributes = 0 ' clear all attributes
            sCmd = "xcacls " & sPath & " /g administrators:f /y"
            oShell.Run sCmd, 0, True   ' wait for xcacls to finish before deleting
            oFile.Delete
            Set oFile = oFso.CreateTextFile(sPath, True) ' stamp over bad file
            oFile.Write "dummy"
            oFile.Close
            Set oFile = oFso.GetFile(sPath)
            oFile.Attributes = 1 ' read only
            sCmd = "xcacls " & sPath & " /g administrators:r /y"
            oShell.Run sCmd, 0, True
        End If
    End If
End Sub
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 07 September 2004 16:05
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:logon script
The key keeps getting recreated as soon as I delete it and the process
won't let me kill it.
Any suggestions on how to automate the cleaning of such a worm without
going to each PC?
What do you guys usually do when a bunch of PCs get infected? Do you
send your staff to each individual PC?
Is there a way to kill a process remotely and subvert the "access
denied" message?
Can I run some utility that I can script which can kill a process no
matter what?
Thanks
-----Original Message-----
From: Dale, Rick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 07, 2004 10:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:logon script
Tom,
I haven't tried this but it should work. Run this script, then kill the
process that is running, then delete the file.
~~~~~~SCRIPT START~~~~~~
Option Explicit
Dim strComputer, oReg, strKeyPath, strValueName, rc   ' required by Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "<INSERT COMPUTER HERE> <or . for local computer>"
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
' Run entries are values under the Run key, not subkeys, so use DeleteValue
' (DeleteKey on "...\run\<name>" would just report that the key does not exist)
strKeyPath = "software\microsoft\windows\currentversion\run"
strValueName = "<NAME OF REGKEY>"
rc = oReg.DeleteValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName)
If rc <> 0 Then WScript.Echo "DeleteValue failed, return code " & rc
~~~~~SCRIPT END~~~~~~
HTH
Rick
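As an added example, not code from any of the posters: the same clean-up in Windows PowerShell, combining the remote WMI process kill from Steve's reply above with the Run-entry removal from Rick's script, in the order that stops the entry being recreated (kill the process first, then delete the value, then replace the file). The function name and parameters are made up here; the system32\wins location, the 1000-byte size check and the read-only placeholder are carried over from Steve's script. It assumes the caller is a local administrator on the target and that admin$ and the remote registry service are reachable.

```powershell
# Added example, not from the thread. Assumes local admin rights on the target,
# admin$ reachable, and the Remote Registry service running there.
function Remove-WormArtifacts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $ProcessName,    # e.g. 'SVCHOST.EXE', matched case-sensitively
        [Parameter(Mandatory)] [string] $RunValueName,   # the value the worm adds under HKLM\...\Run
        [string] $ExpectedDirectory = 'system32\wins'    # relative to %windir%, via admin$ (from Steve's script)
    )

    # 1. Find and kill the process. WQL is case-insensitive, so re-check the
    #    name with -ceq, which is what Caption = sFile does in the VBScript.
    $procs = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName `
        -Filter "Name = '$ProcessName'" |
        Where-Object { $_.Name -ceq $ProcessName }

    foreach ($p in $procs) {
        # Log where it really runs from: a legitimate svchost.exe lives in
        # system32, so a path under system32\wins is the giveaway.
        Write-Verbose ("PID {0} running from {1}" -f $p.ProcessId, $p.ExecutablePath)
        if ($PSCmdlet.ShouldProcess("$ComputerName PID $($p.ProcessId)", 'Terminate')) {
            $rc = $p.Terminate().ReturnValue
            if ($rc -ne 0) { Write-Warning "Terminate returned $rc (0 = success, 2 = access denied)" }
        }
    }
    Start-Sleep -Seconds 3   # give it time to die before touching its file

    # 2. Remove the autostart value now that nothing is left to recreate it.
    #    Run entries are values, not subkeys, hence DeleteValue.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $run  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run', $true)
    if ($run -and $null -ne $run.GetValue($RunValueName)) {
        if ($PSCmdlet.ShouldProcess("HKLM\...\Run\$RunValueName", 'DeleteValue')) {
            $run.DeleteValue($RunValueName, $false)
        }
    }
    if ($run) { $run.Close() }
    $hklm.Close()

    # 3. Delete the binary and leave a read-only, admin-only placeholder behind.
    #    The size check skips a placeholder planted by an earlier run.
    $path = "\\$ComputerName\admin$\$ExpectedDirectory\$ProcessName"
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        if ($item.Length -gt 1000 -and $PSCmdlet.ShouldProcess($path, 'Replace with placeholder')) {
            $item.Attributes = 'Normal'                      # clear hidden/system/read-only
            Remove-Item -LiteralPath $path -Force
            Set-Content -LiteralPath $path -Value 'dummy' -Encoding Ascii
            (Get-Item -LiteralPath $path).Attributes = 'ReadOnly'
            # Drop inherited ACEs and grant Administrators read only, like xcacls /g administrators:r
            & icacls $path /inheritance:r /grant 'Administrators:R' | Out-Null
        }
    }
}

# Usage (hypothetical host and value name); run with -WhatIf first to see what would be touched:
# Remove-WormArtifacts -ComputerName computer01 -ProcessName 'SVCHOST.EXE' -RunValueName '<NAME OF REGKEY>' -Verbose -WhatIf
```

The Terminate return code is what answers the "access denied" question in the reply above: 0 means the process is gone and 2 means the caller was denied, so a non-zero value is worth logging per host rather than assuming the kill worked. icacls ships with Vista and later; on the Win2k/XP machines in this thread substitute xcacls as in Steve's script.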
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, September 07, 2004 8:53 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:logon script
Hi, I went on vacation and upon returning my network seems to have been
infected with worm_sypbot.dn (Trend Micro's name). I have about 50
PCs (Win2k/XP) infected and even though my Symantec Corp defs are up to
date, it can't clean the worm because it's already running in memory.
I know it creates a reg entry in
hkey_local_machine\software\microsoft\windows\currentversion\run.
My question is, rather than go to 50 PCs and reboot in safe mode and do
a scan, can someone point me to a good VBScript that I can run as a
logon script to delete the reg entries.
Unless someone out there has a better solution.
Thanks a lot
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/