Automated virus / spyware removal script: June 2010 (BROKEN)


EvylRat

Junior Member
Oct 16, 2009
2
0
0
This is a brilliant script. I've modified it a bit to use this program
http://blog.didierstevens.com/programs/usbvirusscan/
So when a USB key is installed, it runs the check on the Key. Autorun has been disabled via GPO.
My question is, anyone good on getting each scan to report if a virus was found via ERRORLEVEL? So, for example, you could write an EVENT log if a virus was found, or email the logs.

echo Possible virus found
eventcreate /l APPLICATION /so SAVRS /t WARNING /id 2 /d "Possible Virus found"
%LOGONSERVER%\path\postie -host:%SMTPhost% -to:%mailto% -from:SAVRS@%computername%.local -s:"%computername% - Virus Found" -nomsg -file:c:\SAVRS.log > nul
 

EvylRat

Junior Member
Oct 16, 2009
2
0
0
Here's what I've got so far.
It uses http://blog.didierstevens.com/programs/usbvirusscan/ and postie
I've removed the spyware scan, and I've removed ASquared because it kept crashing detecting the Eicar test string.
I was having a nightmare with errorlevels, so I decided to look through the logs for key words instead.

@ECHO OFF

REM SAVRS v1.0 RC
REM
REM Copyright 2009 Schadenfroh <quako33@comcast.net>
REM All trademarks and copyrights are the property of their respective owners.
REM
REM This file is part of Schadenfroh's Automated Virus Removal Script (SAVRS).
REM SAVRS is free software: you can redistribute it and/or modify
REM it under the terms of the GNU General Public License as published by
REM the Free Software Foundation, either version 3 of the License, or
REM (at your option) any later version.
REM
REM SAVRS is distributed in the hope that it will be useful,
REM but WITHOUT ANY WARRANTY; without even the implied warranty of
REM MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
REM GNU General Public License for more details.
REM
REM You should have received a copy of the GNU General Public License
REM along with SAVRS. If not, see <http://www.gnu.org/licenses/>.
REM

SETLOCAL EnableDelayedExpansion

REM Usage: savrs.cmd clean|scan <drive or folder to scan>
REM %1 selects removal (clean) or report-only mode, %2 is the path handed to each scanner.
set MailTo=theitguy@company.co.uk
set SMTPhost=exchangeservername

TITLE Schadenfroh's Automated Virus Removal Script (SAVRS)

CLS

ECHO SAVRS v1.0 RC
ECHO.
REM Quote both sides of the comparison, otherwise an empty %1 fails with "( was unexpected at this time"
IF "%1"=="clean" (
ECHO Operations to be performed: Scan, Remove and Report
) ELSE (
ECHO Operations to be performed: Scan and Report
)
ECHO.

ECHO.

IF EXIST C:\USBVirusScan\Mcafee\scan.exe (
IF "%1"=="clean" (
SET delArg=/program /del
) ELSE (
SET delArg=
)
SET scanArg=

ECHO Scanning with Mcafee
START "Mcafee" /wait /min C:\USBVirusScan\Mcafee\scan.exe %2 /all /allole /analyze /mime !scanArg! !delArg! /streams /sub /unzip /report C:\USBVirusScan\McafeeResults.txt
ECHO Mcafee pass complete

) ELSE (
ECHO Skipping Mcafee
)
ECHO.

IF EXIST C:\USBVirusScan\Panda\pavcl.exe (
IF "%1"=="clean" (
SET delArg=-del
) ELSE (
SET delArg=
)
set scanArg=-heu:2

ECHO Scanning with Panda
START "Panda" /wait /min C:\USBVirusScan\Panda\pavcl.exe %2 -auto -cmp -nos -aex -nob !scanArg! !delArg! -rpt:C:\USBVirusScan\PandaResults.txt
ECHO Panda pass complete
) ELSE (
ECHO Skipping Panda
)
ECHO.

IF EXIST C:\USBVirusScan\TrendMicro\vscantm.bin (
IF "%1"=="clean" (
SET delArg=/d
) ELSE (
SET delArg=/nc
)
set scanArg=/vsgreyarea=[1;2;3;4;5;7;8]

ECHO Scanning with Trend Micro Anti-Virus
START "Trend Micro Anti-Virus" /wait /min C:\USBVirusScan\TrendMicro\vscantm.bin /nbpm /s !delArg! !scanArg! /LR=C:\USBVirusScan\TrendMicroResults.txt %2
ECHO Trend Micro Anti-Virus pass complete
) ELSE (
ECHO Skipping Trend Micro Anti-Virus
)

ECHO.

ECHO.
ECHO All scans have finished
ECHO.
SET VIR1=0
REM FIND returns 0 when the keyword is present, 1 when it is absent and 2 when the report file is missing
find "Found" C:\USBVirusScan\mcafeeresults.txt >nul
IF %ERRORLEVEL% EQU 0 set /a VIR1+=1
find "Found" C:\USBVirusScan\PandaResults.txt >nul
IF %ERRORLEVEL% EQU 0 set /a VIR1+=1
REM Trend Micro writes "Found 0" on a clean scan, so a missing match counts as a detection
find "Found 0" C:\USBVirusScan\TrendMicroResults.txt >nul
IF %ERRORLEVEL% EQU 1 set /a VIR1+=1
copy C:\USBVirusScan\McafeeResults.txt + C:\USBVirusScan\PandaResults.txt + C:\USBVirusScan\TrendMicroResults.txt C:\USBVirusScan\SAVRS.txt /y >nul
IF %VIR1%==0 GOTO :NoVirus
ECHO Possible Virus found
eventcreate /l APPLICATION /so SAVRS /t WARNING /id 2 /d "Possible Virus found"
C:\USBVirusScan\postie -host:%SMTPhost% -to:administrator@company.co.uk -cc:%mailto% -from:SAVRS@%computername%.local -s:"%computername% - Virus Found" -nomsg -file:C:\USBVirusScan\SAVRS.txt > nul
REM TYPE C:\USBVirusScan\SAVRS.txt
:NoVirus
ENDLOCAL
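As an added example, not code from EvylRat's or Schadenfroh's posts, the following batch script addresses the ERRORLEVEL question in EvylRat's first post and keeps the report keyword search from the second. The folder C:\USBVirusScan, the McAfee and Trend Micro switches and the "Found" / "Found 0" keywords are copied from the script above; the scan target as %1, the SAVRS.log path, event ID 3 for scanner failures and the :Record subroutine are assumptions made for this example. Each scanner's exit code is logged but not interpreted, because the meaning of each product's return values is not given in the thread; the one thing the example relies on is that START /wait passes the child's exit code back into ERRORLEVEL.

```batch
@ECHO OFF
REM Added example, not the SAVRS script itself: record each scanner's exit code
REM and combine it with the report keyword search, so a scanner that crashes or
REM never writes its report is reported as a failure instead of a clean pass.
SETLOCAL EnableDelayedExpansion

SET SCANROOT=C:\USBVirusScan
SET LOGFILE=%SCANROOT%\SAVRS.log
SET TARGET=%~1
IF "%TARGET%"=="" SET TARGET=C:\
SET VIRCOUNT=0
SET FAILCOUNT=0

IF EXIST "%SCANROOT%\Mcafee\scan.exe" (
    REM Delete the previous report so a stale file cannot be mistaken for this run's result
    IF EXIST "%SCANROOT%\McafeeResults.txt" DEL /q "%SCANROOT%\McafeeResults.txt"
    START "Mcafee" /wait /min "%SCANROOT%\Mcafee\scan.exe" "%TARGET%" /all /allole /analyze /mime /streams /sub /unzip /report "%SCANROOT%\McafeeResults.txt"
    REM Inside a parenthesised block the percent form of ERRORLEVEL is expanded when the
    REM block is parsed, before START runs; the exclamation form is read after START returns.
    CALL :Record Mcafee !ERRORLEVEL! "%SCANROOT%\McafeeResults.txt" "Found" match
)

IF EXIST "%SCANROOT%\TrendMicro\vscantm.bin" (
    IF EXIST "%SCANROOT%\TrendMicroResults.txt" DEL /q "%SCANROOT%\TrendMicroResults.txt"
    START "Trend Micro" /wait /min "%SCANROOT%\TrendMicro\vscantm.bin" /nbpm /s /nc /LR=%SCANROOT%\TrendMicroResults.txt "%TARGET%"
    REM Trend Micro is judged the other way round: "Found 0" in the report means clean
    CALL :Record TrendMicro !ERRORLEVEL! "%SCANROOT%\TrendMicroResults.txt" "Found 0" absent
)

ECHO %DATE% %TIME% detections=%VIRCOUNT% failures=%FAILCOUNT% >> "%LOGFILE%"
IF %VIRCOUNT% GTR 0 eventcreate /l APPLICATION /so SAVRS /t WARNING /id 2 /d "Possible virus found on %COMPUTERNAME%: %VIRCOUNT% scanner(s) reported a detection"
IF %FAILCOUNT% GTR 0 eventcreate /l APPLICATION /so SAVRS /t ERROR /id 3 /d "%FAILCOUNT% scanner(s) failed or left no report on %COMPUTERNAME%"
ENDLOCAL
GOTO :EOF

REM :Record name exitcode reportfile keyword mode
REM   mode "match"  : keyword present in the report counts as a detection
REM   mode "absent" : keyword missing from the report counts as a detection
:Record
ECHO %DATE% %TIME% %~1 exit code %~2 >> "%LOGFILE%"
IF NOT EXIST "%~3" (
    ECHO %~1 left no report, treating the scan as failed
    SET /a FAILCOUNT+=1
    GOTO :EOF
)
REM FIND returns 0 when the string is present and 1 when it is absent
FIND "%~4" "%~3" >nul
SET FOUND=!ERRORLEVEL!
IF "%~5"=="match" (
    IF !FOUND! EQU 0 SET /a VIRCOUNT+=1
) ELSE (
    IF !FOUND! EQU 1 SET /a VIRCOUNT+=1
)
IF %~2 NEQ 0 ECHO %~1 returned exit code %~2, review "%~3"
GOTO :EOF
```

Run it as `savrs-errorlevel.cmd E:\` from the USB-insertion hook. The detail that usually causes the "nightmare with errorlevels" is the expansion rule in the comment: any `%ERRORLEVEL%` written inside the `IF EXIST ( ... )` block shows the value from before the scanner ran, which is why the example reads `!ERRORLEVEL!` under delayed expansion and passes it into the subroutine immediately after START returns.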
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Thanks EvylRat, I will look over it when I get the time... couple of exams this week and deadline pressure in the lab, graduate school is a pain
 

Zorba

Lifer
Oct 22, 1999
14,875
10,300
136
I can't seem to get the updated panda signature files. When I try to download them I just get a readme file with this in it: "As I am not updating this signature anymore, please refer to www.pandasecurity.com to download regularly updated signatures." Everywhere I've been able to find the signatures on the website asks for a password.
 

DRONZER

Junior Member
Apr 18, 2010
1
0
0
I tried the script, but as I run the script it shows,

Asquared not found
( was unexpected at this time
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
The script has been updated:
*Removed Panda (the free command-line tools are no longer being updated by the company)
*Disabled Trend-Micro (setup process changed significantly, will likely put it back in future versions)
*Updated the readme file

Let me know if you guys find any problems, sorry for the feature reduction
 

kevman

Diamond Member
Apr 20, 2001
3,548
1
81
Thank you for this, got hit with a hijacker that redirected my Firefox Google results, gonna try this out now.
 

timswim78

Diamond Member
Jan 1, 2003
4,330
1
81
Thanks for your work on this.

I'm running it tonight on a pair of computers that were hit with similar viruses that have resisted Microsoft Security Essentials and MalWareBytes.

Do you think that many viruses will get missed in the scan, now that Panda and Trend Micro are not in the mix?
 

WT

Diamond Member
Sep 21, 2000
4,818
59
91
This used to be my #1 tool, and was by far my most effective and favorite spyware tool. Sad to see it dying a slow death at this point.

I got a laptop from a customer today that NEVER had an antivirus program on it ... customer got a 90 day trial and never felt the need to install even that, so after 1.5 years of crap, it finally took a dump and its now in my hands. I would have LOVED to run this on it and see what happens.
 

LiathWW

Junior Member
Dec 5, 2010
4
0
0
Hello, is this being updated anymore? I'd really love to see this updated as I have used it for quite a while, though I haven't updated it in a few months. Went to update today and now see that it is broken? Any hope for an update?
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello, is this being updated anymore? I'd really love to see this updated as I have used it for quite a while, though I haven't updated it in a few months. Went to update today and now see that it is broken? Any hope for an update?

Sadly, Mcafee no longer has their free (beta) Windows command-line antivirus available, AFAIK. Panda still has the (free) command-line utility, but they no longer issue updates without a subscription to their command-line scanner. AFAIK, Sophos (SAV32CLI) and Trend-Micro's (sysclean) only target a narrow range of viruses.

Unless I am mistaken about any of the above and people can provide me links to free (legally) Panda definitions or Mcafee windows command-line scanners, then I am not sure if much more can be done. These companies seem to be clamping down on free products.

If anyone knows of any free command-line applications that require no install that can be used to replace them, then I will gladly consider updating this script in my spare time.
 

LiathWW

Junior Member
Dec 5, 2010
4
0
0
Well, there is ClamAV. I'm quite certain there is a 'portable' version.

Avira: http://www.avira.com/en/support-download-avira-antivir-command-line-scanner-scancl

Kaspersky: http://www.kaspersky.com/virus-removal-tools

It may be prudent to look into the free AV solutions, since I've been reading that lately they're becoming better than the paid ones due to larger customer bases, therefore larger base of virus activity reporting.

I'd recommend a teeny bit of expansion, to Spybot S&D. There is a command-line portable version. Certainly shouldn't hurt.

I'm sure there are others, but I'm on limited time right now, I might do some more research later on. Could probably even get my brain off the lazy chair and modify the script here.

Could expand it a bit using wget to update virus/malware definitions for tools that don't include that function, as well -- but it would still need manual updates for certain software.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Thanks LiathWW, avira used to not let you do recursive directory scans with their Windows command-line client. Hopefully, they lifted that restriction. I will play around with the Kaspersky Virus Removal Tool when I get back from work today.

Thanks for the tip about wget, I planned on adding that and an unzip tool in the next release. Hopefully, I can make TrendMicro's sysclean easier to setup via automation as well and I will put it back in there.

Hopefully, new life has been breathed into this. Thank you all for your interest in it.
 

LiathWW

Junior Member
Dec 5, 2010
4
0
0
Don't forget clamAV and spybot both are free, clam is open source.

ClamAV isn't the fastest, nor does it have the super-high detection rates, but it isn't bad, and it is constantly being improved. It has actually found a few virii here and there that McAfee/Norton didn't find. I just wish they'd figure out how to do real-time scanning and slightly better heuristics on Windows... then put in a virus reporting facility so they can get better at finding new virii before they get huge.

SpybotS&D doesn't exactly qualify as a 'virus removal tool', but it does detect some things that AV doesn't, and some can have some very nasty habits and slow systems to a crawl.

I wonder if MSE has a stand-alone scanner somewhere... the detection rates are really good and it's free (surprising from M$). Might have to look into that!
[edit] nevermind on the MSE deal. There isn't a way to use it without installing (at least not that I can find)
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
I used to have ClamAV Portable in the script, people complained about it taking too long to scan, so I removed it.

Microsoft uses MSE as a way to validate a Windows install, so I do not think they will have a standalone command-line scanner in the future.
 

LiathWW

Junior Member
Dec 5, 2010
4
0
0
I used to have ClamAV Portable in the script, people complained about it taking too long to scan, so I removed it.

Microsoft uses MSE as a way to validate a Windows install, so I do not think they will have a standalone command-line scanner in the future.
For #1, would use a CHOICE statement to set or not set it to run
For #2, since MSE isn't installed by default, how do they use it for validating? They have the wonderful WGA tool for that, along with one or two other validation systems in place. Didn't know that MSE did that too... yeesh talk about overboard!

Anyhow, don't want to end up with the thread being crammed with crap. I emailed Panda as I used this tool (and therefore PAVCL) quite often at the non-profit computer repair place I volunteer at. Sucks that they'd do that, as I used to recommend them quite often because they had a CLI scanner. Oh well, I'll recommend MSE and ClamWin now. I'm not so hot for Avira or AVG, as they both seem to chew on systems. If they had free CLI-based products that I end up using then they'll probably get some business from me though. Lots of people (and computers) come through the shop....

Coincidentally that is why I love SAVRS. It gets used in the shop more often than it should. Too many people bring in (or donate) computers with viruses all over 'em. Granted the ones that are brought in are usually sent to the DBAN station, but some we like to keep the original OEM OS on, as we need to save money and can't burn through the VLKs too fast.
 

hank01

Member
Aug 17, 2008
28
0
66
SAVRS has saved a few PCs for me... I haven't needed it in quite a while but a friend just called, she fubared her PC and I figured I'd update my tools before I headed over to her PC and I'm kinda sad at some of what I've read, but also happy at the last few posts... hopefully this Swiss Army virus killer will be updated and happy soon... and if she gives me any cash I'll send some your way... if she just gives me cupcakes or cookies (she's an older grandmother-type) then I can send you a picture of me eating them
 