[THIN] Re: MSBLAST remove - AD Group Policy startup script.

  • From: "Paul DeHaan" <wppad@xxxxxxxxx>
  • To: <citrix@xxxxxxxxxx>, <magnus@xxxxxxxx>
  • Date: Mon, 22 Sep 2003 17:30:07 -0400

Sure thing.  Here you go...  I attached it as .txt and .zip files.
Hopefully one will make it through.

Regards,

Paul DeHaan CCNA, CCA...
Network Administrator
J.M. Huber Corp.


>>> magnus@xxxxxxxx 09/22/03 01:13PM >>>
Paul
Would you mind sending me the GPO script that you had sent to the list?
Outlook blocked it on me.

Thanks
Magnus

'This script removes registry keys that start the different worms on reboot. It then deletes the
'files listed below as worm1, worm2, worm3, etc.  Time, computer name, worm name, etc. are then
'logged to a file.
'
'  Created By: Paul DeHaan
'              J.M. Huber Corp.
'              8-19-2003

'####################
'Edit this path. The NT "Everyone" group must have write access to the path you set.
Const txtLog = "\\Server\share\MSblastlog.txt"
'####################

on error resume next

'Set needed variables and objects
Dim WSHShell, WSHFso
Dim regdel, regdel2, regdel3, regdel4, regdel5, strComputer
Dim worm1, worm2, worm3, worm4, worm5, worm6, worm7
Set WSHShell = WScript.CreateObject("WScript.Shell")
Set WSHFso = WScript.CreateObject("Scripting.FileSystemObject")

'remove registry keys that start worms on reboot
'Run entries are values under the Run key, so their paths have no trailing backslash.
regdel = WshSHell.RegDelete ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update")
'Service entries are keys; RegDelete treats a path as a key only when it ends in a backslash.
regdel2 = WshSHell.RegDelete ("HKLM\SYSTEM\CurrentControlSet\Services\RPCPatch\")
regdel3 = WshSHell.RegDelete ("HKLM\SYSTEM\CurrentControlSet\Services\RPCtftpd\")
regdel4 = WshSHell.RegDelete ("HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrayX")
regdel5 = WshSHell.RegDelete ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrayX")

'Set the path to the individual worm variant .exe's
systemroot = wshShell.ExpandEnvironmentStrings("%systemroot%")
worm1 = systemroot & "\system32\msblast.exe"
worm2 = systemroot & "\system32\penis32.exe"
worm3 = systemroot & "\system32\teekids.exe"
worm4 = systemroot & "\system32\wins\dllhost.exe"
worm5 = systemroot & "\system32\wins\svchost.exe"
worm6 = systemroot & "\system32\mspatch.exe"
worm7 = systemroot & "\WINPPR32.EXE"

'delete the file if it is found, then report it to log file.
If WSHFso.FileExists(worm1) Then
  WSHFso.Deletefile worm1,True
  logDelete (worm1)
End If
If WSHFso.FileExists(worm2) Then
  WSHFso.Deletefile worm2,True
  logDelete (worm2)
End If
If WSHFso.FileExists(worm3) Then
  WSHFso.Deletefile worm3,True
  logDelete (worm3)
End If
If WSHFso.FileExists(worm4) Then
  WSHFso.Deletefile worm4,True
  logDelete (worm4)
End If
If WSHFso.FileExists(worm5) Then
  WSHFso.Deletefile worm5,True
  logDelete (worm5)
End If
If WSHFso.FileExists(worm6) Then
  WSHFso.Deletefile worm6,True
  logDelete (worm6)
End If
If WSHFso.FileExists(worm7) Then
  WSHFso.Deletefile worm7,True
  logDelete (worm7)
End If

Set WSHShell = Nothing
Set WSHFso = Nothing

Sub logDelete(file)

 'This procedure logs the time, computer name, user, worm file deleted, etc.
 Dim WshNetwork, fs
 Set wshNetwork = CreateObject("WScript.Network")

 Set fs = CreateObject("Scripting.FileSystemObject")
 Set logFile = fs.OpenTextFile (txtLog ,8, true)
 logFile.writeline now & ", Deleted the file: " & file & ", Computer: " & _
                   WshNetwork.ComputerName & _
                   ", User: " & WshNetwork.UserName & vbcrlf
 logFile.close
 Set fs = Nothing
 Set logFile = Nothing
 Set WshNetwork = Nothing

End Sub

Wscript.quit
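
The script above appends one line per deleted file to a shared log, so a host that shows up again on a later startup was reinfected between boots. The following is an added example, not part of the original post: a Python triage of that log format, where the function names and the sample entries (hosts, users, times) are constructed for illustration.

```python
import re
from collections import defaultdict

# One entry as written by logDelete():
#   <Now>, Deleted the file: <path>, Computer: <name>, User: <name>
LINE_RE = re.compile(
    r"^(?P<when>.+?), Deleted the file: (?P<path>.+), "
    r"Computer: (?P<computer>[^,]+), User:\s*(?P<user>.*)$"
)

def parse_log(text):
    """Return one dict per well-formed entry; skip blank and truncated lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # logDelete appends vbCrLf, so each entry is followed by a blank line
        match = LINE_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries

def summarize(entries):
    """Map computer -> {worm file name -> number of startups it was deleted on}."""
    hosts = defaultdict(lambda: defaultdict(int))
    for entry in entries:
        name = entry["path"].rsplit("\\", 1)[-1].lower()
        hosts[entry["computer"].upper()][name] += 1
    return {host: dict(files) for host, files in hosts.items()}

def reinfected(summary):
    """Hosts where the same file had to be removed on more than one startup."""
    return sorted(h for h, files in summary.items()
                  if any(count > 1 for count in files.values()))

# Constructed sample log; the last line is deliberately truncated.
SAMPLE_LOG = "\r\n\r\n".join([
    r"9/22/2003 8:01:12 AM, Deleted the file: C:\WINNT\system32\msblast.exe, Computer: WS-0142, User: jsmith",
    r"9/23/2003 8:03:40 AM, Deleted the file: C:\WINNT\system32\msblast.exe, Computer: WS-0142, User: jsmith",
    r"9/22/2003 8:05:02 AM, Deleted the file: C:\WINNT\system32\wins\dllhost.exe, Computer: CTX-03, User: ",
    r"9/22/2003 8:05:02 AM, Deleted the fi",
])

if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print(report)
    print("Cleaned more than once:", reinfected(report))
```

Hosts returned by `reinfected` are the ones to patch and inspect first, since deleting the file on each boot does not stop them from being infected again.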
