Automated virus / spyware removal script: June 2010 (BROKEN)

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Schadenfroh's Automated Virus Removal Script (SAVRS)
v1.1, June, 2010

Disclaimer: I am not affiliated with any of these companies in any way. This is not intended as a sufficient replacement for a knowledgeable user performing malware removal, but rather a tool for said user.

I suggest against using "savrs clean max" on a critical machine. It is suggested that you run "savrs scan" and research the log results of the scanners before trying to remove anything. Using "savrs clean max" (automated removal at max sensitivity) can be dangerous, considering the possibility of false positives.

On a clean machine:
1. Download the script package and unzip it to a place where you can get to it easily.
2. Examine the enclosed readme.html for details on how to set up the antimalware tools that this script package utilizes.

Once you have set up the kit (via the instructions in the readme file), you should be able to take it around to many different computers, as it copies itself over when initialized. Several notepad popups will appear minimized as each pass is complete with the log of the scan. It should not require any user intervention for the scans / removal process once you start it. Please let me know if a bug causes it to halt unexpectedly.

Script uses the command line versions of:
  • CCleaner ("savrs clean" and "savrs clean max" only)
  • A-Squared
  • McAfee (latest public beta definitions)
  • Panda
  • Trend Micro Anti-Virus (select viruses)
  • Trend Micro Anti-Spyware (select spyware)


I am looking to improve this; please post any thoughts you have in regards to the command line arguments that I am using or what tools you would like to be added (that can be used in an automated fashion with command line arguments only and are free to home users).

For more information about malware removal and prevention, please see the Security Resource Thread.

I have been notified that the links in the readme are dead and some of the tools linked might have been discontinued. I will investigate this at a later time; in the meantime this tool should be considered non-working.
 

MadAmos

Senior member
Sep 13, 2006
818
0
76
Thanks Schadenfroh, for your time on this :beer: Once it is field tested as working I vote for a sticky for this!

Amos
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Testing my next release right now (before I add it to the OP), you can download it here. Password is "UseAtYourOwnRisk" without the quotation marks. Examine the readme for instructions on how to set it up.

I can't get F-Secure's DOS scanner to work correctly and scan the entire C: and to not hang (lock up rather) at the end. If anyone can figure out the correct order / arrangement of arguments, it would help.

New features (of the August 21, 2007 version of the script):
  • Sophos scanner
  • Clam scanner
  • Trend Micro scanner (should not require user intervention anymore)
  • Removal of riskware purging arguments from certain AV products, hopefully they will no longer delete VNC clients and such (I still need to test this)
  • Better folder organization
  • Better instructions
  • Logs will "popup" when the script is complete
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: lusher
Interesting. Kind of duplicates http://www.pctipp.ch/downloads..._av_scanning_tool.html

I did not rip them off (if that is what you are thinking). Mine does not even have an interface and I have a number of tools in mine that they do not have in theirs. I wish that I could read German (page translators only go so far), any idea how they were able to get a command line version of Kaspersky for free?

I actually found that site after I wrote my original script; it is what led me to discover the command line version of Sophos.
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Thanks man! :thumbsup:
I'll have to try this over the weekend on a virtual pc.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Alright, just finished testing the new one in my virtual machine. It works MUCH better and uses several more tools.
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Schadenfroh
Alright, just finished testing the new one in my virtual machine. It works MUCH better and uses several more tools.

Awesome, this will make de-bugging machines cake!
I'll have to try it on the mother in law's rig, she's always got some kind of nasty stuff on there.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: Oakenfold
Originally posted by: Schadenfroh
Alright, just finished testing the new one in my virtual machine. It works MUCH better and uses several more tools.

Awesome, this will make de-bugging machines cake!
I'll have to try it on the mother in law's rig, she's always got some kind of nasty stuff on there.

Be aware that it takes a LONG time to run. A slower (infected) machine started scanning at 10 AM, was still running after leaving it be at 5PM (was only on the CLAM part).... but at least it should be very thorough. But, so far the thing has been picking off the malware like hotcakes.

I need to work on a scaled back one that either only scans certain files (with limits to archive depth) and/or reduced number of scanners.

I guess the way to go right now would be to start up several using the same disk / flash drive and letting them run overnight while you sleep.
 

lusher

Member
Aug 17, 2007
86
0
0
Originally posted by: Schadenfroh
Originally posted by: lusher
Interesting. Kind of duplicates http://www.pctipp.ch/downloads..._av_scanning_tool.html

I did not rip them off (if that is what you are thinking).

Of course not, it's a very common and obvious idea, and they weren't even the first to think of it. I recall running into a similar script posted years ago in a newsgroup as well.

any idea how they were able to get a command line version of Kaspersky for free?

No idea, I haven't actually run the thing.

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Happy to say that the script has been field tested on several older (infected) machines now by a family member and he reports success. Know that this script also takes a considerable amount of time to scan / clean. The best approach seems to be to get several going at once and leave them running overnight. If the machines are in safe mode command prompt only, then it is quick and easy to get several going using the same CD.
 

canalcrab

Member
Feb 10, 2002
41
0
0
The link to the TrendMicro scanner is NG. It would be helpful to have the actual filename in the readme file so it could be tracked down each time TM changes its structure. If I figure it out I'll post it.

But I am still searching and will give this script a run for its money on a nasty system ASAP! Thanks for the script, and even more thanks for the consolidated security thread!
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: canalcrab
The link to the TrendMicro scanner is NG. It would be helpful to have the actual filename in the readme file so it could be tracked down each time TM changes its structure. If I figure it out I'll post it.

But I am still searching and will give this script a run for its money on a nasty system ASAP! Thanks for the script, and even more thanks for the consolidated security thread!

Trend changed the link to the page.

Definition files:
http://www.trendmicro.com/download/pattern.asp

The .com file mentioned can be found here:
http://www.trendmicro.com/ftp/products/tsc/sysclean.com

I have an updated script on my system, but I have yet to test it on my virtual machine and I will not upload the new script without testing it first.
 

NYCSTE2003

Member
Oct 27, 2003
168
0
0
This is great. I've recently run into problems after removing an infection from my computer and posted a help thread here. But this program sounds great. I'm too afraid to test it yet though without more peeps commenting.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Script and included readme updated, let me know if you guys run into anything that needs to be fixed or added.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Ack, I have had to perform 3 updates recently, hopefully this one will last a while. Using feedback from the field testers that I have given this to, I have decided to rearrange the order of the scanning a bit. The readme had to be updated in several places to fix outdated instructions that were somehow overlooked.

Not much has changed in the script itself, so I went ahead and uploaded it, will test it overnight... but nothing in the actual removal script has changed in this update other than the order of scanning.

Let me know if the instructions in the readme are not clear and/or how to improve them. I really wish that I could just host the entire thing (with all of the scanners included), but the AV makers would probably slap a lawsuit on me for illegal redistribution or something. :Q

Also, I am seeking suggestions on whether or not I should kill the verbose on the individual scanners (they will not display what files they are scanning) and only have the results popup in notepad at the end. Currently, almost all of them are set to verbose.
 

NYCSTE2003

Member
Oct 27, 2003
168
0
0
Hey, I downloaded the older version, gotta get the newer one again, but yeah, I was wondering, there are no actual files in there haha. So do you download them before you scan or how does that part work? I even read the directions and I'm confused.


Edit: read the new readme file and it says exactly what to do. Gahh, lots of downloading. I'll get around to testing it tomorrow for sure.

Let me know if all works out. Great idea.


Another edit: perhaps, if possible, direct links to downloadable files rather than including the files, which you haven't done cuz yes I'm sure the companies would get mad.

Space out instructions a little bit maybe, just a suggestion, isn't that important.

I'm on the last step, getting Trend Micro files together.

Maybe some kind of update ability to check latest versions and let you know if they aren't up to date or something? (Too much to ask, I know, just throwing the idea down.)
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: NYCSTE2003
Space out instructions a little bit maybe, just a suggestion, isn't that important.

Sounds good, maybe an easy to use .html file in addition to the .txt file?

Originally posted by: NYCSTE2003
direct links to downloadable files

Would not work with several programs (Trend Micro comes to mind), their file names for the definitions change with each release.

Originally posted by: NYCSTE2003
Maybe some kind of update ability to check latest versions and let you know if they aren't up to date or something?

Beyond the scope of the script. I have thought about creating a .NET application that would allow you to customize the script (basically a Windows form that allows you to pick what scanning options and programs you would like to use), provide specific instructions based on which options you picked and finally generate the .bat file after your preferences have been set, but I think that most people would prefer just the script, as I am sure they would not like downloading another program just to generate it (even if the source code for it was posted).
 

NYCSTE2003

Member
Oct 27, 2003
168
0
0
OK, well, I stopped the program early on the last test. The last test was Microsoft Malicious Software Removal Tool -KB890830-V1.32. I gave up cuz the test alone was taking longer than 1 hour this morning and I was stuck in safe mode.

The entire test ran almost 9 hours and again I stopped early. The test had no interruptions for the most part. Damn, that's a long time haha.

Some of the programs did remove some files, let me find some.

a2 found a bunch of cookies, that's it.
avast couldn't scan one file, otherwise things were fine
ClamWin found nothing
McAfee found
-E:\BackUp\Programs\Free Programs 695 mb\tightvnc-1.2.9-setup.exe ... Found application RemAdm-TightVNC. (this program im sure is fine)
-C:\WINDOWS\system32\drivers\etc\wtf15\spsexec.exe ... Found application RemAdm-ProcLaunch. (sounds bad but dont know)
-C:\Documents and Settings\user\Start Menu\Programs\EA GAMES\Battlefield 1942\Play BF1942 Online with GameSpy Arcade!.url ... Found application Adware-Url.gen. (prob fine since gamespy is legit)
-C:\Documents and Settings\All Users\Start Menu\Programs\EA GAMES\Battlefield 1942\Play BF1942 Online with GameSpy Arcade!.url ... Found application Adware-Url.gen. (prob fine since gamespy is legit)

sophos
->>> Virus 'Mal/Keylog-A' found in file C:\Program Files\Panda Security\NanoScan\Engine\psnflg.dll
Removal successful
>>> Virus fragment 'W95/Whog-878b' found in file C:\Program Files\Panda Security\TotalScan\pskavs.dll
Removal successful
>>> Virus 'Mal/IRCBot-C' found in file C:\Program Files\Trillian\trillian.exe
Removal successful
>>> PUA 'NetCat' (of type Remadmin) found in file C:\WINDOWS\system32\drivers\etc\wtf15\pnc.exe

Trend Micro: most annoying results log to read haha, found nothing I think

Just wanted to share what the program found, deleted, what could cause problems, etc.

Also wanted to add that the Microsoft scanner never showed a log or progress bar or anything to see what it was doing. Not sure if you had the same issues.
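
The scanner results quoted in the post above can be triaged before anything is removed, as the opening post advises. This is an added example, not part of the thread or of SAVRS: it parses the McAfee and Sophos lines shown in the post (patterns inferred from those lines only), groups hits by folder, and labels folders flagged by both engines or belonging to another security product. `AV_DIRS` and the label names are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Patterns inferred from the log lines quoted in the post (assumption: other
# scanner versions may format their output differently).
MCAFEE = re.compile(r"^-?(?P<path>[A-Za-z]:\\.+?) \.\.\. Found application (?P<name>\S+?)\.(?:\s|$)")
SOPHOS = re.compile(r"^-?>>> (?:Virus fragment|Virus|PUA) '(?P<name>[^']+)'"
                    r"(?: \(of type \w+\))? found in file (?P<path>.+)$")
# Hypothetical list of other security products' folders: engines often match
# on each other's signature data, so hits here need manual checking.
AV_DIRS = ("\\panda security\\",)

# Lines copied from the post above (the poster's own remarks left out).
SAMPLE_LOG = r"""
-E:\BackUp\Programs\Free Programs 695 mb\tightvnc-1.2.9-setup.exe ... Found application RemAdm-TightVNC.
-C:\WINDOWS\system32\drivers\etc\wtf15\spsexec.exe ... Found application RemAdm-ProcLaunch.
->>> Virus 'Mal/Keylog-A' found in file C:\Program Files\Panda Security\NanoScan\Engine\psnflg.dll
Removal successful
>>> Virus 'Mal/IRCBot-C' found in file C:\Program Files\Trillian\trillian.exe
>>> PUA 'NetCat' (of type Remadmin) found in file C:\WINDOWS\system32\drivers\etc\wtf15\pnc.exe
"""

def parse(log):
    """Return (engine, detection name, path) for each recognised line."""
    hits = []
    for line in log.splitlines():
        for engine, rx in (("mcafee", MCAFEE), ("sophos", SOPHOS)):
            m = rx.match(line.strip())
            if m:
                hits.append((engine, m["name"], m["path"].strip()))
    return hits

def triage(hits):
    """Label each hit's folder: corroborated, other-av-data, or single-engine."""
    engines = defaultdict(set)
    for engine, _, path in hits:
        engines[ntpath.dirname(path).lower()].add(engine)
    report = {}
    for folder, seen in engines.items():
        if len(seen) > 1:
            report[folder] = "corroborated"    # two engines flagged files here
        elif any(d in folder + "\\" for d in AV_DIRS):
            report[folder] = "other-av-data"   # possible cross-scanner false positive
        else:
            report[folder] = "single-engine"   # research before removal
    return report

if __name__ == "__main__":
    for folder, label in sorted(triage(parse(SAMPLE_LOG)).items()):
        print(f"{label:14} {folder}")
```

The labels only order the manual research; none of them is a verdict on the file.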
 