Idiot proof removal of junk?

DevNull

Hello all,

Around my family we have noticed an enormous amount of activity from a
new trojan based on the SpyAxe stuff of a few weeks ago.
Basically, while not as annoying as the SpyAxe attack itself, this
malware has a lot of trash associated with it.

A large percentage of my friends and family seem to have come down with
this within the last few days leading me to believe it may be spreading
via IM or email. (Which is all we really have in common)

Everyone is now properly Firewalled and has a proper Virus Scan
installed, enabled and paid up.
The Virus Scan is just now detecting the BHO part as some sort of
"puper" variant, which of course is leading to the inevitable phone
calls.

I would like to send everyone a single script or small set of scripts
to automate the removal process, and make sure that this mess is taken
care of properly.
Especially considering that the official stance on this from the virus
removal companies is "It's not malware in the traditional sense so what
you have now is all you'll get at least for the near future".
Switching is out of the question, if I threw anything different onto
these machines, I'm sure some of the users would die of a heart-attack.

Anyways, thus far I have managed to create one script on my own and
wholesale plagiarize another.
The first one just basically automagically downloads and extracts the
latest definitions files from my AV company, as well as their current
DOS mode engine (meant for large network deployment, so it's extremely
current).
The other deletes some files that the DOS scan seems to ignore, or not
notice, then proceeds to remove the associated registry entries that I
have found thus far.

That's great, except that most of my family is computer illiterate and I
work 12+ hours per day. I just don't have much time or patience to
teach grandma, grandpa, aunts, uncles, cousins etc. how to run the first
script in normal mode, then boot into safe mode, find the scripts and
run the second one.

What I need to figure out is how I can, from within the first script,
convince Windows to boot into safe mode with command prompt.
Then have it run the second script.
Then (most likely from within the second script), set things back to
normal and reboot the computer into the default boot mode, when the all
clear is given.

Everything I have done is in 2 old school batch files, which I will
gladly share.
I am also not opposed to turning them into WSH scripts, if it would
make the difference, I mostly would just need to learn it really quick
(shouldn't be much problem I'm pretty proficient at JavaScript, and I
hear they are pretty similar).

If anyone is interested in what I have written/borrowed thus far please
drop a line in here and I will gladly show the code, not that it's much
to look at.

So can anyone please help me idiot proof this process a bit? Is what
I'm asking even achievable in a scripting only (aka non-compiled)
environment.

Thanx in advance.

p.s. Everyone is (now) running fully patched Windows XP SP2

David H. Lipman

From: "DevNull" <[email protected]>

| Hello all,
|
| Around my family we have noticed an enormous amount of activity from a
| new trojan based on the SpyAxe stuff of a few weeks ago.
| Basically, while not as annoying as the SpyAxe attack itself, this
| malware has a lot of trash associated with it.
|
| A large percentage of my friends and family seem to have come down with
| this within the last few days leading me to believe it may be spreading
| via IM or email. (Which is all we really have in common)
|
| Everyone is now properly Firewalled and has a proper Virus Scan
| installed, enabled and paid up.
| The Virus Scan is just now detecting the BHO part as some sort of
| "puper" variant, which of course is leading to the inevitable phone
| calls.
|
| I would like to send everyone a single script or small set of scripts
| to automate the removal process, and make sure that this mess is taken
| care of properly.
| Especially considering that the official stance on this from the virus
| removal companies is "It's not malware in the traditional sense so what
| you have now is all you'll get at least for the near future".
| Switching is out of the question, if I threw anything different onto
| these machines, I'm sure some of the users would die of a heart-attack.
|
| Anyways, thus far I have managed to create one script on my own and
| wholesale plagiarize another.
| The first one just basically automagically downloads and extracts the
| latest definitions files from my AV company, as well as their current
| DOS mode engine (meant for large network deployment, so it's extremely
| current).
| The other deletes some files that the DOS scan seems to ignore, or not
| notice, then proceeds to remove the associated registry entries that I
| have found thus far.
|
| That's great, except that most of my family is computer illiterate and I
| work 12+ hours per day. I just don't have much time or patience to
| teach grandma, grandpa, aunts, uncles, cousins etc. how to run the first
| script in normal mode, then boot into safe mode, find the scripts and
| run the second one.
|
| What I need to figure out is how I can, from within the first script,
| convince Windows to boot into safe mode with command prompt.
| Then have it run the second script.
| Then (most likely from within the second script), set things back to
| normal and reboot the computer into the default boot mode, when the all
| clear is given.
|
| Everything I have done is in 2 old school batch files, which I will
| gladly share.
| I am also not opposed to turning them into WSH scripts, if it would
| make the difference, I mostly would just need to learn it really quick
| (shouldn't be much problem I'm pretty proficient at JavaScript, and I
| hear they are pretty similar).
|
| If anyone is interested in what I have written/borrowed thus far please
| drop a line in here and I will gladly show the code, not that it's much
| to look at.
|
| So can anyone please help me idiot proof this process a bit? Is what
| I'm asking even achievable in a scripting only (aka non-compiled)
| environment.
|
| Thanx in advance.
|
| p.s. Everyone is (now) running fully patched Windows XP SP2


There is no idiot proof method !

The fact is, people shouldn't be getting infected with malware, but they do, based upon their own
actions. Using IM software just makes getting infected that much easier. One *MUST*
practice Safe Hex to protect their computer assets and data.

http://www.claymania.com/safe-hex.html


Two part reply...

Part 1
----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html



Part 2
---------


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *

M and D

"So can anyone please help me idiot proof this process a bit?"

No such animal, because computers are not for idiots.

I am not for a second saying your family are idiots. I mean 'idiots' in the generic sense. To use a computer safely you need knowledge and awareness of the problems you're facing on the internet. Otherwise, all the software and programming in the world is useless. In my opinion, anyone who is not able and willing to learn how to protect themselves on the internet should stick to Nintendo (or Xbox, since this is a Microsoft forum.)

Steven

DevNull

Ok I want to thank you both for your replies, but they both missed the
whole point of my question.
And that's probably my fault.
#1 This group appears to be for newbie type questions for windows,
whereas my question was more or less an advanced scripting question.
#2 By mentioning the malady I think I blinded everyone to the general
point of the question.

The gist of my question was more or less: CAN the following be done?
Run a script that does something, then reboot the computer to the
command prompt, have it start running something else, then set things
back to normal and reboot again.

I will go try to find a scripting group to seek my answers there.
Man, this would be so much easier if Windows still had an autoexec.bat
file ;)
Thanks again and have a windowful day!
Regards

DevNULL

David H. Lipman

From: "DevNull" <[email protected]>

| Ok I want to thank you both for your replies, but they both missed the
| whole point of my question.
| And that's probably my fault.
| #1 This group appears to be for newbie type questions for windows,
| whereas my question was more or less an advanced scripting question.
| #2 By mentioning the malady I think I blinded everyone to the general
| point of the question.
|
| The gist of my question was more or less: CAN the following be done?
| Run a script that does something, then reboot the computer to the
| command prompt, have it start running something else, then set things
| back to normal and reboot again.
|
| I will go try to find a scripting group to seek my answers there.
| Man, this would be so much easier if Windows still had an autoexec.bat
| file ;)
| Thanks again and have a windowful day!
| Regards
|
| DevNULL

Anything can be scripted if you know what you are looking for.

The Multi AV Scanning Tool was scripted by me and is in the LiXtart interpreted code.

noahdfear's SmitFraud and SpyAxe removal tool is based upon a few utilities and is scripted
in the Command Batch interpreted language.
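As an added example that is not code from anyone in this thread nor from either tool David names, here is one way to do exactly what DevNull restated (run stage 1 in Normal Mode, reboot into Safe Mode, run stage 2 unattended, then put the boot back to normal and reboot again), written in the Command Batch language David mentions, for Windows XP Professional. The folder C:\cleanup, the helper scripts update-defs.cmd and scan-and-clean.cmd, and OS entry 1 in boot.ini are assumptions of this example; it also assumes bootcfg.exe is present (it ships with XP Professional) and that the script runs as a local administrator. The three mechanisms it relies on are real: bootcfg /raw edits the OS load options in boot.ini, Windows sets the SAFEBOOT_OPTION environment variable only when booted into Safe Mode, and a RunOnce value whose name begins with an asterisk is the documented exception to Run/RunOnce entries being skipped in Safe Mode.

```batch
@echo off
REM cleanup.cmd -- added example (not DevNull's or either tool's code), XP Pro.
REM Stage 1 runs in Normal Mode and schedules ONE reboot into Safe Mode;
REM stage 2 runs there unattended, then restores the normal boot and reboots.
REM C:\cleanup, the helper script names and boot.ini entry 1 are assumptions.
setlocal
set "STAGE=C:\cleanup"
set "LOG=%STAGE%\cleanup.log"
if /i "%~1"=="stage2" goto stage2

REM ===== stage 1: Normal Mode =====
REM Normal-mode work: the definitions/engine download described in the thread.
call "%STAGE%\update-defs.cmd" >> "%LOG%" 2>&1

REM Keep a pristine copy of boot.ini so stage 2 can restore it verbatim.
if not exist "%STAGE%\boot.ini.bak" copy /y C:\boot.ini "%STAGE%\boot.ini.bak" >nul

REM Append /safeboot:minimal to OS entry 1 so the NEXT boot is Safe Mode.
REM bootcfg.exe takes care of boot.ini's system/hidden/read-only attributes.
bootcfg /raw "/safeboot:minimal" /a /id 1
if errorlevel 1 (
    echo bootcfg failed, boot.ini left untouched >> "%LOG%"
    exit /b 1
)

REM Run/RunOnce values are skipped in Safe Mode; a RunOnce value whose NAME
REM starts with * is the documented exception. RunOnce deletes the value
REM before running it, so nothing lingers if stage 2 dies half way.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "*CleanupStage2" /t REG_SZ /d "%STAGE%\cleanup.cmd stage2" /f

shutdown -r -t 30 -c "Rebooting into Safe Mode for cleanup stage 2"
endlocal
exit /b 0

:stage2
REM ===== stage 2: Safe Mode =====
REM SAFEBOOT_OPTION is set (Minimal or Network) only in Safe Mode; refuse to
REM clean anywhere else, but still fall through and restore the normal boot.
if /i not "%SAFEBOOT_OPTION%"=="Minimal" (
    echo Not in Safe Mode, skipping cleanup >> "%LOG%"
    goto restore
)
REM Safe-mode work: the DOS-mode scanner plus the file/registry cleanup.
call "%STAGE%\scan-and-clean.cmd" >> "%LOG%" 2>&1

:restore
REM Whatever happened above, never leave the machine stuck in Safe Mode.
if exist "%STAGE%\boot.ini.bak" (
    attrib -r -s -h C:\boot.ini
    copy /y "%STAGE%\boot.ini.bak" C:\boot.ini >nul
    attrib +r +s +h C:\boot.ini
) else (
    REM No backup: fall back to XP's stock switch rather than guess the originals.
    bootcfg /raw "/fastdetect" /id 1
)
shutdown -r -t 30 -c "Cleanup finished, rebooting normally"
endlocal
exit /b 0
```

Two things to know before handing this to a relative: the RunOnce entry fires at logon, so somebody still has to pick an account at the Safe Mode logon screen (unattended logon is out of scope here), and the example deliberately uses plain Safe Mode rather than "Safe Mode with Command Prompt", because with cmd.exe as the alternate shell the RunOnce key is not processed and stage 2 would never start. Check `bootcfg /query` once by hand on each machine to confirm which entry number is the real Windows installation, since a wrong edit to boot.ini is the one mistake here that can stop the PC booting at all; on Vista and later the same two steps are `bcdedit /set {current} safeboot minimal` and `bcdedit /deletevalue {current} safeboot`.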