Sure thing. Here you go... I attached it as .txt and a .zip files. Hopefully one will make it through. Regards, Paul DeHaan CCNA, CCA... Network Administrator J.M. Huber Corp. ------------> "The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers." >>> magnus@xxxxxxxx 09/22/03 01:13PM >>> Paul Would you mind sending me theGPO script that you had sent to the list. Outlook blocked it on me Thanks Magnus
'This script removes registry keys that start the different worms on reboot. It then deletes the 'file below worm1, worm2, worm3, etc. Time, Computer Name, worm name, etc are then logged to a file. ' ' Created By: Paul DeHaan ' J.M. Huber Corp. ' 8-19-2003 '#################### 'Edit this path. The NT "Everyone" group must have write access to the path you set. Const txtLog = "\\Server\share\MSblastlog.txt" '#################### on error resume next 'Set needed variables and objects Dim WSHShell, WSHFso Dim redel, regdel2, regdel3, regdel4, regdel5, strComputer Dim worm1, worm2, worm3, worm4, worm5, worm6, worm7 Set WSHShell = WScript.CreateObject("WScript.Shell") Set WSHFso = WScript.CreateObject("Scripting.FileSystemObject") 'remove registry keys that start worms on reboot regdel = WshSHell.RegDelete ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update") regdel2 = WshSHell.RegDelete ("HKLM\SYSTEM\CurrentControlSet\Services\RPCPatch") regdel3 = WshSHell.RegDelete ("HKLM\SYSTEM\CurrentControlSet\Services\RPCtftpd") regdel4 = WshSHell.RegDelete ("HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrayX") regdel5 = WshSHell.RegDelete ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrayX") 'Set the path to the induvidual worm variant .exe's systemroot = wshShell.ExpandEnvironmentStrings("%systemroot%") worm1 = systemroot & "\system32\msblast.exe" worm2 = systemroot & "\system32\penis32.exe" worm3 = systemroot & "\system32\teekids.exe" worm4 = systemroot & "\system32\wins\dllhost.exe" worm5 = systemroot & "\system32\wins\svchost.exe" worm6 = systemroot & "\system32\mspatch.exe" worm7 = systemroot & "\WINPPR32.EXE" 'delete the file if it is found, then report it to log file. If WSHFso.FileExists(worm1) Then WSHFso.Deletefile worm1,True logDelete (worm1) End If If WSHFso.FileExists(worm2) Then WSHFso.Deletefile worm2,True logDelete (worm2) End If If WSHFso.FileExists(worm3) Then WSHFso.Deletefile worm3,True logDelete (worm3) End If If WSHFso.FileExists(worm4) Then WSHFso.Deletefile worm4,True logDelete (worm4) End If If WSHFso.FileExists(worm5) Then WSHFso.Deletefile worm5,True logDelete (worm5) End If If WSHFso.FileExists(worm6) Then WSHFso.Deletefile worm6,True logDelete (worm6) End If If WSHFso.FileExists(worm7) Then WSHFso.Deletefile worm7,True logDelete (worm7) End If Set WSHShell = Nothing Set WSHFso = Nothing Sub logDelete(file) 'This procedure logs the time, computer name, user, worm file deleted, etc. Dim WshNetwork, fs Set wshNetwork = CreateObject("WScript.Network") Set fs = CreateObject("Scripting.FileSystemObject") Set logFile = fs.OpenTextFile (txtLog ,8, true) logFile.writeline now & ", Deleted the file: " & file & ", Computer: " & WshNetwork.ComputerName & _ ", User: " & WshNetwork.UserName & vbcrlf logFile.close Set fs = Nothing Set logFile = Nothing Set WshNetwork = Nothing End Sub Wscript.quit