Ok, I know I'm asking for the world here... I've had some basic experience with VBScript prior to getting to where I am. On average I remove 3 to 4 malware programs running on remote systems every day and while I realize the futility of trying to scrub them clean... I do try to bring them back to being functional. For some time I've had the following idea that I'd like to do but it's beyond my skill.... Here's the pseudocode I have created:
 

Option Explicit
On Error Resume Next

Dim ScanFolder, ProcessInformation, ProcessFound, PID

Delete all files and folders in %temp%
    ' Including hidden files and folders

Search %temp% for EXE
    ' Including hidden EXE
IF EXE found THEN
    Taskkill EXE
    Delete EXE
ELSE
    Do nothing
END IF

Check Windows version
IF XP THEN
    ScanFolder = C:\Documents and Settings
ELSE
    ScanFolder = C:\Users
END IF

Search ScanFolder for EXE files    ' Including hidden and system EXE
FOR EACH EXE found
    ProcessFound = File.exe
    Get data on file
        ' Data here is referring to Description, Image Path Name, Owner, Company
        ' Name, etc. Things that can help identify it.
    Get ProcessID
    PID = ProcessID
    ProcessInformation = Data
    Display "The following process was located:" & ProcessFound & ProcessInformation & _
            "Would you like to delete the process? Warning: this cannot be undone! " & _
            "If you are unsure, please click Unsure to end the process."
    Prompt Yes, No, Unsure
    IF Yes THEN
        Taskkill PID
        Delete ProcessFound
        Display "Would you like to continue?"
        Prompt Yes, No
        IF Yes THEN
            Continue with next EXE file
        ELSE
            End script
        END IF
    ELSEIF No THEN
        Go to next EXE file
    ELSEIF Unsure THEN
        Taskkill PID
        Display "Did ending the process help?"
        Prompt Yes, No
        IF Yes THEN
            Delete ProcessFound
        ELSE
            Do nothing and continue with next EXE file
        END IF
    END IF
NEXT

Some VBScript Deity out there can assist in creating this... you will have made my productivity go through the roof and I will personally vouch for you at the gates of heaven ^_^ (does bribery work here???? lol)
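Added example, not part of the original question or any answer: the identification half of the pseudocode above (find executables running from %TEMP% or from a user-profile folder and collect PID, path, owner, command line and file version) as a read-only VBScript triage pass. It reports and deliberately does not kill or delete anything, so the kill/delete prompt stays a separate, manual decision. Assumptions: it uses the WMI Win32_Process class instead of a directory walk, and it takes the parent of %USERPROFILE% as the profile root (C:\Documents and Settings on XP, C:\Users on Vista and later) instead of checking the Windows version.

```vbscript
Option Explicit

' Added example (not from the original post). Lists running processes whose
' image lives under %TEMP% or under the user-profile root, with the data the
' question wants for identification. Report only: nothing is killed or deleted.

Dim objShell, objFSO, objWMI, strTemp, strProfileRoot
Set objShell = CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")
Set objWMI   = GetObject("winmgmts:\\.\root\cimv2")

strTemp = LCase(objFSO.GetAbsolutePathName(objShell.ExpandEnvironmentStrings("%TEMP%")))
' Assumption: parent of %USERPROFILE% is the profile root on both XP and Vista+,
' which replaces the version check in the pseudocode.
strProfileRoot = LCase(objFSO.GetParentFolderName(objShell.ExpandEnvironmentStrings("%USERPROFILE%")))

' True when strPath is inside strFolder (case-insensitive prefix match, folder
' terminated with "\" so C:\Users does not match C:\UsersBackup).
Function IsUnder(strPath, strFolder)
    Dim strPrefix
    strPrefix = strFolder
    If Right(strPrefix, 1) <> "\" Then strPrefix = strPrefix & "\"
    IsUnder = (Left(LCase(strPath), Len(strPrefix)) = strPrefix)
End Function

' Owner as DOMAIN\user; "(unknown)" when GetOwner is refused (protected or
' system processes when not running elevated).
Function ProcessOwner(objProc)
    Dim strUser, strDomain, intRet
    On Error Resume Next
    intRet = objProc.GetOwner(strUser, strDomain)
    If Err.Number <> 0 Or intRet <> 0 Then
        Err.Clear
        ProcessOwner = "(unknown)"
    Else
        ProcessOwner = strDomain & "\" & strUser
    End If
End Function

Dim colProcs, objProc, strPath, strWhere, intHits
intHits = 0
Set colProcs = objWMI.ExecQuery("SELECT * FROM Win32_Process")
For Each objProc In colProcs
    strPath = objProc.ExecutablePath
    ' ExecutablePath is Null for kernel/system pseudo-processes; skip those.
    If Not IsNull(strPath) Then
        If IsUnder(strPath, strTemp) Then
            strWhere = "%TEMP%"
        ElseIf IsUnder(strPath, strProfileRoot) Then
            strWhere = "user profile"
        Else
            strWhere = ""
        End If
        If strWhere <> "" Then
            intHits = intHits + 1
            WScript.Echo "PID " & objProc.ProcessId & "  " & objProc.Name & "  [" & strWhere & "]"
            WScript.Echo "  Path:    " & strPath
            WScript.Echo "  Owner:   " & ProcessOwner(objProc)
            WScript.Echo "  Cmdline: " & objProc.CommandLine
            If objFSO.FileExists(strPath) Then
                WScript.Echo "  Version: " & objFSO.GetFileVersion(strPath)
            Else
                WScript.Echo "  Version: (file no longer on disk)"
            End If
            WScript.Echo ""
        End If
    End If
Next
WScript.Echo intHits & " process(es) running from %TEMP% or a user profile folder."
```

Run it with `cscript //nologo triage.vbs` from an elevated prompt so the output goes to the console rather than one dialog per line and GetOwner can see other users' processes. The hits are leads, not verdicts: on Vista and later plenty of legitimate per-user installs (browsers, updaters) run from %LOCALAPPDATA%, so the list is meant to be compared against the software the laptop is supposed to have before anyone reaches for Taskkill, and it gives the analyst the path, owner and command line to search on when something does not belong.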


Community Chosen Answer

2

To be honest, much as dugullett said, this is highly unlikely to clean the machines.  I don't see this saving you time and effort.  It is just hiding the problem, and will make things worse in the long run.  You have two general options to clean malware.

1. Reformat and redeploy.  This is the guarantee.  Often you will find if you take other steps, such as creating a standardized image and utilizing a good backup schema, this is the fastest way to deal with machines that get infected.  You can greatly reduce the infection rate with good security products including antivirus, anti-malware, firewalls, network access control, IDS/IPS, etc.

2. We are IT professionals.  We like to tinker with things.  You can investigate the malware, and figure out how to remove it manually or with a program.  With many infections, we can figure it out ourselves and get things clean to the point of reasonable mitigated risk.  I've found Symantec writes some great automated removal tools and instructions that you can run as one-offs, or script.

My observation, however, is that you are past the reasonable tinkering stage if you are tired of doing it and at the point where you want to automate the removal.  If that's the case, you are probably just wasting your time trying to write your own automated removal tools in an attempt to save time.  The ways to save time are to find and shut down the sources of the infections (which, if you are at the point of writing scripts to remove these things, I highly recommend you look for the source, as it is likely on your network, the result of policy violations, or the result of a lack of controls), and to use the professional resources out there to get you out of the malware removal business and back to your actual job.

Answered 06/05/2012 by: philologist
Red Belt

  • I tend to agree with both of you, that just removing the exe's is nowhere near a resolution. I'm not thinking it is. There's not much I can do about policy violations; I work for large pharma companies and their reps in the field. The aim of this script is not to 'clean' the system, but to bring the system back to some level of functionality. Someone higher up than I struck a deal and every laptop has McAfee installed. While this does limit some attacks, most people in the field do not keep their definitions up to date and/or simply don't care. The idea behind removing the exe is to bring the system back to some level of use wherein an analyst or tech is able to remote in and update McAfee and install/run Malwarebytes... or whatever program is in vogue at the time. The idea that every laptop is to be mailed in, re-imaged, databases spooled from servers, etc. is not cost effective. I have to do these things (remove exe's, update existing definitions, run scans, install more software if need be, run scans, etc.) prior to resorting to them shipping the laptops in. Which is why I was hoping to find a way to make it easier to do at least some part of the work.

    But thanks for the replies. It's great that people are actually out there reading these requests!

Answers

1

This could probably work, but I would be more afraid of what's being left on the machine after the executables are removed. A lot of malware starts itself back up: even if the exe is removed, it just creates a new one.

I would look into better scans on your AV. I also like to use http://www.malwarebytes.org/.

Answered 06/05/2012 by: dugullett
Red Belt
