[Batch] FakeAV Cleanup Script
04-23-2010, 11:29 AM
Post: #1
[Batch] FakeAV Cleanup Script
Having to rid 2-3 computers per week of malware/scareware got me motivated to simplify things. And I needed something that wouldn't need to be installed that could provide quick information to the most important stuff that I need to know to quickly remove most any malware I come across. So, I wrote this. It does quite a few things:
Code:
Close the Explorer processes, rundll32.exe, and ave.exe
Disable and re-enable System Restore (which will also delete the checkpoints)
Delete everything in windows\temp
Delete everything in userprofile\local settings\temp
Delete everything in userprofile\local settings\temp internet files
Echo out what's left in these 3 folders
Output the proxy that Internet explorer is using (if any)
Show any suspicious files/folders in the program files directory (ones with spy, virus, or defend in the name)
List current IE add-ons (per downloaded program files, so it's incomplete)
List programs set to start with windows via HKLM\software\...\run\
List programs set to start with windows via HKCU\software\...\run\
Show the service set to start with Authentication Packages (sometimes malware sneaks in with msv1_0)
List any dll and exe files that were created in the last 3 days
Re-enable task manager
Re-enable registry - however, if the registry was disabled, you will need to reboot and re-run this tool
Clear out any bad exe associations
When done, it will open up the log file, and a command prompt (just in case explorer is still infected)

It is quite small. A batch file does most of the work. To kill the processes, I have included Process.exe. I know some computers have taskkill available, but I wanted to make sure I killed it on every computer. Forfiles.exe is also included because it enables you to find files that have been created/modified within a specific time frame. The script is set to search for exe's and dll's created in the last 3 days. Rather than deleting them immediately, it lists them so you can figure out which ones you actually need to delete.

The zip is attached. Simply extract it to any USB drive and use it wherever. I don't think there's going to be any problem with malware blocking any of these files from running.

Please feel free to make any suggestions for the script. I've tried to throw in everything that I can think of that can provide the needed information to quickly get rid of malware.


Attached File(s)
.zip  Cleanup.zip (Size: 32.47 KB / Downloads: 13)

Free image hosting at http://myph.us.
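A read-only sketch of the reporting steps listed in the first post, added here as an example; it is not the code from Cleanup.zip. It assumes PowerShell 3 or later and the standard Windows registry locations (the post abbreviates the Run key paths), and the folders searched for recent binaries are a constructed choice.

```powershell
# Added example: reports only, changes nothing on the machine.
$cv = 'Software\Microsoft\Windows\CurrentVersion'   # standard location (assumed)

function Get-AutoRun {
    # Programs started at logon via the machine-wide and per-user Run keys.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = Get-Item "$hive\$cv\Run" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Hive = $hive; Name = $name; Command = $key.GetValue($name) }
        }
    }
}
function Get-IEProxy {
    $s = Get-ItemProperty "HKCU:\$cv\Internet Settings" -ErrorAction SilentlyContinue
    [pscustomobject]@{ Enabled = [bool]$s.ProxyEnable; Server = $s.ProxyServer }
}
function Get-LsaAuthPackage {
    # Multi-string value; anything listed beside msv1_0 deserves a closer look.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $lsa.'Authentication Packages'
}
function Get-PolicyLockout {
    # Nonzero means Task Manager or the registry tools are disabled for this user.
    $p = Get-ItemProperty "HKCU:\$cv\Policies\System" -ErrorAction SilentlyContinue
    [pscustomobject]@{ DisableTaskMgr = [int]$p.DisableTaskMgr
                       DisableRegistryTools = [int]$p.DisableRegistryTools }
}
function Get-SuspiciousProgramDir {
    # Same name filter as the post: spy, virus or defend (case-insensitive).
    Get-ChildItem $env:ProgramFiles -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'spy|virus|defend' } | Select-Object CreationTime, FullName
}
function Get-RecentBinary {
    # exe/dll files created in the last $Days days; listed for review, never deleted.
    param([string[]]$Path = @($env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE), [int]$Days = 3)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Recurse -Force -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } | Select-Object CreationTime, FullName
}

$report = [ordered]@{
    'Run keys' = Get-AutoRun;              'IE proxy' = Get-IEProxy
    'LSA Authentication Packages' = Get-LsaAuthPackage
    'Policy lockouts' = Get-PolicyLockout; 'Suspicious Program Files entries' = Get-SuspiciousProgramDir
    'Recent exe/dll' = Get-RecentBinary
}
$log = Join-Path $env:TEMP 'triage.log'    # hypothetical log name
$report.GetEnumerator() | ForEach-Object { "== $($_.Key) =="; $_.Value | Out-String } | Out-File $log
```

Reading HKLM and the system folders completely needs an elevated session; without one the report is silently shorter.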
04-23-2010, 12:05 PM
Post: #2
RE: [Batch] FakeAV Cleanup Script
This, sir, is very impressive. A step up from most Windows scripting I've seen!

"Character is determined more by the lack of certain experiences than by those one has had."
Friedrich Nietzsche
04-23-2010, 07:04 PM
Post: #3
RE: [Batch] FakeAV Cleanup Script
That is great. I skimmed through the code. I think that collecting all the tricks was the heaviest job. I know some of these tricks, but not all of them lol
The job that you did with the Registry is awesome. Also the VB scripts are great. Re-enabling System Restore is an interesting trick that is very helpful.
Maybe you can make it set a new System Restore checkpoint. That is the only suggestion that I have.

There's a fine line between genius and insanity. I have erased this line.
Oscar Levant
There's a fine line between an administrator and black hat hacker. I have erased this line.
Dr DEBCOL
04-23-2010, 10:03 PM
Post: #4
RE: [Batch] FakeAV Cleanup Script
Dr D, when System Restore is re-enabled, Windows automatically creates a new checkpoint. That already solves the problem for me. :)

04-24-2010, 03:50 AM
Post: #5
RE: [Batch] FakeAV Cleanup Script
(04-23-2010 10:03 PM)ajcis55 Wrote:  Dr D, when System Restore is re-enabled, Windows automatically creates a new checkpoint. That already solves the problem for me. :)
Okay, I didn't know that fact. That definitely solves the problem!
