Automated virus / spyware removal script: June 2010 (BROKEN)


Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: n7
Is this something like Hiren's?

This is not a boot cd, but a script, it is made to run in "Safe Mode, Command Prompt Only" of your current Windows install. The script also runs automatically without user intervention for both the "scanonly" and "clean" flavors (if someone runs into a situation where this is not the case, let me know).
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Script Updated:
  • Changed the archive recursion depth limit argument on ClamWin (scans faster)
  • Lowered the heuristic sensitivity argument on Panda (fewer false positives)
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Script Updated:
  • Removed ClamWin (due to excessive scantime, requests from the community, and no field reports of ClamWin finding anything missed by the other scanners (ClamWin scanned last)).
  • Updated readme
 

LOUISSSSS

Diamond Member
Dec 5, 2005
8,771
54
91
how long should the whole scanning process take? i know it varies from computer to computer, but how about a Q6600 w/ 2gb + a 150gb Raptor?
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: LOUISSSSS
how long should the whole scanning process take? i know it varies from computer to computer, but how about a Q6600 w/ 2gb + a 150gb Raptor?

Fairly quick for that system, the main slowdowns came from ClamWin and Sophos, which have been removed from the script due to slow speed and no reports of them catching things that the others missed.
 

LOUISSSSS

Diamond Member
Dec 5, 2005
8,771
54
91
i fell asleep, but the test took over 4 hours, i guess that's normal, i don't mind the time length.

but i finished it successfully and i'm still getting the same popups in IE.

the popups only open new windows in IE, but my default browser is mozilla. they are quite annoying.. any help?
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: LOUISSSSS
i fell asleep, but the test took over 4 hours, i guess that's normal
Sounds about right, before I took out ClamWin and Sophos, people were reporting like 10 hours+ scan time.
Originally posted by: LOUISSSSS
i finished it successfully and i'm still getting the same popups in IE.
I assume that you used "clean"? Did you make sure all of the applications were updated? The definitions that shipped with Panda are really old and if you did not download the separate .sig file (dated early April, iirc) the detection rate for it goes downhill. I included a .bat file that one can just double click on to update A-Squared.

Other thoughts (if you did the above).

Download, install, and update superantispyware free edition.

Download, install, and update Kaspersky AntiVirus 7.0 trial.

Configure both to scan on their most thorough settings (scan archives, heuristics enabled, all file types, etc.) and make a pass with both of those, removing anything that they may find. Then, post a hijackthis log for review in a separate thread (that you create).
 

Corpun

Senior member
Jun 29, 2004
247
0
0
Great job with this tool. Running it removed a few pesky bugs I was having trouble removing from a friend's system.
 

boomerang

Lifer
Jun 19, 2000
18,890
642
126
Yes, thanks for all the hard work.

Is the a-squared Emergency USB Stick file new at the emsisoft site? It says it's always kept up to date. Just wondering if that could be used in place of the a-squared Command Line Scanner 4.0?

I have no idea. This stuff works great, but the mechanics of making it work is over my head.


 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: boomerang
Is the a-squared Emergency USB Stick file new at the emsisoft site? It says it's always kept up to date. Just wondering if that could be used in place of the a-squared Command Line Scanner 4.0?
It is something new, it was not around when I originally wrote the script. I suggest sticking with the command line version, as that is what the script was made to use. A-squared does a good job of keeping the command line scanner updated, most of the time (nearly all the time), I do not even have to update the definitions after I download the latest command-line A2.
 

Sentinel

Diamond Member
Jun 23, 2000
3,714
1
71
Is there any reason that the screen would go blank with only the "safe mode" and computer info showing on the screen? Is it going to the next step?

I ran the clean option for about 4 hours.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: Sentinel
Is there any reason that the screen would go blank with only the "safe mode" and computer info showing on the screen? Is it going to the next step?
The original console window should stay there, other console windows may pop-up, run and disappear, but the original console window should stay there until it is manually closed.
 

WT

Diamond Member
Sep 21, 2000
4,818
59
91
Yet another bump! If you use it and haven't updated your dats/signatures for these scanners in a month or so, it's a good time to do it.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Greetings guys,

The script package has been updated after over a year. The programs seemed to have matured a bit and the ReadMe (mostly) still had valid instructions despite application changes from the vendors.

Changes:
  • Added Trend-Micro Anti-Spyware
  • Increased sensitivity of heuristics of Panda (false positives no longer as bad of a problem)
  • Enabled A-Squared's scan of NTFS alternate data streams (excessive scan time no longer a problem)
  • Updated ReadMe
  • Verified to work for both "scanonly" and "clean" using the updated ReadMe instructions in Windows 2000 Pro and Vista Business 32

Thank all of you for your kind words and interest in the script package. Let me know if you run into any problems with the new version or if you find free command-line Anti-Virus / Anti-Rootkit / Anti-Spyware tools that you would like to see added.
 

CheeseMonster

Junior Member
Jul 15, 2009
1
0
0
Firstly, thanks for generating such a useful script, been looking for something like this for some time but somehow missed this.

Apologies if this has been discussed before:
- Do you think there would be any way of incorporating smitfraudfix into the queue? It's a very useful batch file in my experience and can remove many dns/browser hijacks and much more where such awesome programs as superanti and malwarebytes have on rare occasion failed.

Thanks again for the prog!
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Good evening,

The removal script will be two years old soon (launched 8/15/2007). To celebrate, I rewrote the entire script package!

Changes:
  • Entire script package rewritten and reviewed
  • Reduced the number of scripts
  • Reporting of improper setup / missing applications
  • Standard and max sensitivity modes added
  • Reduction of false positives through testing of settings for individual supported applications (tweaked command-line arguments)
  • Revamped interface
  • Readme updated
  • Now under the GNU GPL v3

Be sure to use the new "savrs scan" or "savrs clean" instead of the old commands. Add "max" to the end if you are feeling brave and want to use maximum sensitivity (although your chances of false positives go way up).


Originally posted by: CheeseMonster
- Do you think there would be any way of incorporating smitfraudfix into the queue? It's a very useful batch file in my experience and can remove many dns/browser hijacks and much more where such awesome programs as superanti and malwarebytes have on rare occasion failed.

Thanks again for the prog!
You are welcome and thanks for taking the time to offer feedback. I will examine smitfraudfix for possible future integration if it can be made to behave in a manner consistent with the rest of the script.


Your script is running on my main machine now. It's still running the first portion (a squared) and is already reporting 2 infections my Kaspersky (KIS) has not found (could be false positives, tbd).
A-Squared prior to SAVRS 1.0 RC was set to maximum sensitivity. After reports of false positives, I throttled it back. The false positives have been reduced at a price of scanning all drives with it (there was not a command to scan all drives without doing a max sensitivity scan). However, if you add "max" to the end of the command to start SAVRS, a-squared will scan all visible drives.

Your script appears to automatically scan all visible logical drives.
Some applications do (like Mcafee and Panda), unfortunately Trend only scans the system drive. A-Squared will scan all of the visible drives now only if you add the "max" argument to the startup command for SAVRS.

Sure would like to run your script on the True Crypt hidden drive if you know of a way.
I currently do not know of a way to do this.

Do you think your script would run and be effective if I run WinXP in safe mode with the Windows GUI instead of just the command prompt, and then opened a command prompt to run it?
Yes, it will work fine, but the main advantage of using command-line only is that some infections are easier to clean with fewer things running.

 

szechuanpork

Senior member
Aug 24, 2003
455
0
76
very useful! thanks for your hard work. even for a novice like me, i found, after the initial difficulty of setting things up, everything went smoothly.
 

BOLt

Diamond Member
Dec 11, 2004
7,380
0
0
Fantastic work. This script is currently doing its business on a friend's critical machine. Due to his system being "hosed" and running EXCEPTIONALLY SLOWLY, I suspect that if there is such thing as an "easy fix" for his computer, this will be it. I can't be bothered to babysit his machine for the hours it takes to do manual scans through his hard drive. THANKS!!!
 