Solved Cleaning REG RunOnce with batch

December 4, 2015 at 23:57:46
Specs: Windows XP, HexaCore AMD FX-6100, 1400 MHz (7 x 200) / 4gb DDR
Hi, yesterday I almost got a nasty surprise: something tried to launch (thankfully it failed this time) during system shutdown on my XP machine. Maybe a low-threat item, but it could easily have been more serious (PUA/WinWrapper.iona). I have several XP machines, one of which is a server. I use my Autoclean batch file to clean out junk, but up to now it does not really do any (specialized) registry cleaning. After I restarted my machine today Avira alerted me to a Trojan that had tried to infect my PC, so whatever that key was had somehow infiltrated the run-once command in my registry, or used some other method, as I saw a banner appear during shutdown. So any idea as to how this could have launched, and how to stop unwelcome surprises by showing a list of deferred queued installs via batch, is appreciated.

Is there some code I can add to my batch cleaning script that will clean out the RunOnce before my batch initiates an auto shutdown? As XP is no longer supported by MS and there are no more security updates, I see there is a greater benefit than a negative one in preventing things from running via this key, unless of course I install software manually, in which case I simply avoid running my batch cleaning script. As Christmas approaches it is the time of year for multiple threats being unleashed, as is always the case around Christmas. Any help much appreciated, thanks.

Regards, Ort

If Dreams Come True Oleg Would be Famous so far he's very shy, so much for Being Famous ;) http://tinyurl.com/pnenqgb






#1
December 5, 2015 at 10:57:22
✔ Best Answer
These three widely used and safe little freebies often unearth a lot:
(run them in the order given)

AdwCleaner:
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Cleaning" button.

Junkware Removal Tool (JRT)
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

MalwareBytes:
https://www.malwarebytes.org/
Download the free version.
Install and run the program, but before doing its scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds.

Please copy/paste the logs on here. Even if the symptoms go away further checks might be necessary to ensure your computer is properly clean.

Always pop back and let us know the outcome - thanks




#2
December 5, 2015 at 11:22:17
Thanks Derek, will do; however, I have already used up my free trial of MalwareBytes :( but will run the free version.

Ort




#3
December 5, 2015 at 12:06:19
The free version is just fine.





#4
December 5, 2015 at 20:42:25
Dear Derek,
Again thanks for your help, but for the moment I hit a snag. I always run new software in the VMware machine first; it has a copy of my Windows XP on there, and for some reason it froze up the VMware version of Windows, so I will try it in the morning in safe mode, as I have had too many things open today, ongoing stuff I did not want to close out while still working on it.

I did run the free online scanner HouseCall Launcher, which found and removed 2 items, albeit my main solution required is to incorporate into my Autoclean.bat tool, which I have been writing for a couple of years now. I just thought a way to prevent stuff sneaking into RunOnce would be handy, as I always run my batch cleaning tool each day prior to shutdown anyway.

Will submit a follow-up tomorrow thanks Derek.

Regards, ort




#5
December 6, 2015 at 05:12:11
OK fine, whenever you are ready and able.




#6
December 7, 2015 at 00:55:11
Dear Derek,
The software you gave me is too destructive. It removed features from my browser I need, such as Startpage, my home page, and FB_Purity, which blocks annoying unwanted Facebook popups. Normally cleaning these things is not a problem, as they are easily re-installed, but as XP is no longer supported by many software vendors, re-installing is not always an easy option due to new versions being incompatible with XP. This now forces me to do a roll back and use a much older backup image of my hard drive. Please consider this when providing cleaning tools to XP users, as it can make things worse. This is precisely the reason why I use custom scripts to clean out or prevent things I don't want before they happen.

Ort




#7
December 7, 2015 at 07:33:21
That's interesting; they are widely used on security forums generally, and we don't run into complaints on Computing.Net's security forum (take a look). I've been using them on my own XP and am still doing so. Were both ADWCleaner and JRT destructive, or was it just one of them? ADW gives options so you don't have to let it remove everything it finds.

I can see why they might see custom scripts as suspicious but nothing else.

The problem with trying to remove infections manually is that they have upped their game considerably over the years and there are multiple variants of every "nasty", re-spawning and hiding themselves etc. It is no longer feasible to try to combat sophisticated malware programs by hand so it has become a matter of fighting software with software. If personal scripts get removed in the process they can be readily put back.

EDIT:
As for RunOnce, sure you can export the registry entry containing whatever happens to be valid there for your particular software mix. This can be used to replace the contents if it changes, either manually or automatically on startup. Your script just deletes all then adds back your previously exported lines. Any new legitimate program that starts there would have to be added when necessary. I imagine you know how to do this but if not export your RunOnce entry, post it on here, and I'll have a look at it for you.

I would emphasise, though, that viruses are now written by criminal gangs. This sort of piecemeal approach is limited and something that applied to times gone by. I well remember doing so. Viruses and the like enter in various places, not just via RunOnce - the writers keep themselves well aware of our attempts to prevent them. It's a sad fact that "the bad guys are always ahead of the good guys".





#8
December 7, 2015 at 08:30:36
As an aside you might wish to see these, which I wrote specifically for XP:

http://www.computing.net/howtos/sho...

http://www.computing.net/howtos/sho...




#9
December 7, 2015 at 09:30:45
Hi Derek,
Well, ADWCleaner froze up on my virtual machine or crashed the virtual machine, as I had to send a reset command to it, and I decided not to risk it on my host PC. JRT removed some things I did not want removing; this is why I said destructive, as I have security add-ons that for some reason JRT saw as a threat. Not sure why. I do know that Mark Zuckerberg of Facebook does not like the FB_Purity add-on, as he has been trying to block it, but it is a balance in my view of being spied on by Facebook or using FB_Purity to limit the number of advertising/gimmicks/unwanted features Facebook throws at us. Personally, even though there are those who consider some tools as vicious and others not, it often boils down to corporate interests and who gains on the profit margin.

It would have been preferable for JRT.exe to give the end user a choice whether to proceed or not with the removals, with a bit more information on what they were. But aside from that I no longer have the problem now, as I decided to go the easier route and restored my PC from a MACRIUM REFLECT image of my C: drive I made last October, so all is back as it should be now.

I don't want you to think I am ungrateful for your time on this, as I am, but my key request was for a way to simply include some code in my existing batch file to sniff out queued installs via autorun or other suspicious scripts that might be lurking in AUTORUN areas of my OS.

I will certainly take a look at DropMyRights, thanks Derek, but I also have the option of just using the virtual machine for surfing the web, which is even safer :)

Ort




#10
December 7, 2015 at 10:37:18
I have the same gripe as you about JRT - there ought to be user options. However it does generally have a good record on the Security forum. No idea why ADW gave trouble - I use it myself all the time, without issue, on several computers (but not using a virtual machine).

I agree with you generally, of course, about using a virtual machine, also sandboxes.

SpywareBlaster is worth a look because it just blocks known bad websites.

I'm no longer quite so convinced about SuperAntiSpyware because MalwareBytes now covers most of what SAS does. I used to use Emsisoft (as was A Squared) but again MWB now seems to cover what that does too.

Good hunting.




#11
December 7, 2015 at 11:35:50
Thanks Derek,
Well, I got DropMyRights installed from GRC.com, and because I frequently do system restores I added some lines to my persistent batch code so that now whenever I do a system restore it will always reappear on my desktop ;) I also found the developer's website and a zip containing some pre-made shortcuts; these are handy, so I put them in a folder called NOT-AS-ADMIN.

Thanks for that :o)

Ort

My batch resides on a drive that is never restored.

Code I added below.

rem Keep DropMyRights.exe where the shortcuts expect it (C:\ and Program Files); the batch runs from the folder holding the tool
if not exist C:\DropMyRights.exe if exist DropMyRights.exe copy DropMyRights.exe C:\DropMyRights.exe
if not exist "C:\Program Files\DropMyRights" md "C:\Program Files\DropMyRights" && if exist DropMyRights.exe copy DropMyRights.exe "C:\Program Files\DropMyRights\DropMyRights.exe"
rem Recreate the desktop folder of limited-rights shortcuts after a restore (the copy destination is the folder itself, not "folder\*")
if not exist "%USERPROFILE%\Desktop\NOT-AS-ADMIN\*" md "%USERPROFILE%\Desktop\NOT-AS-ADMIN" && if exist "NOT-AS-ADMIN\*" copy "NOT-AS-ADMIN\*" "%USERPROFILE%\Desktop\NOT-AS-ADMIN\"




#12
December 7, 2015 at 12:48:44
Hi Ort

Yep, we all do things our own merry little ways. I popped all my original shortcuts in a folder called "Admin (Risk)" then remade the ones for normal use to work through DMR. The reason I put DMR itself right on the C drive was to make the shortcuts easy peasy to make. It's worth keeping a copy of that DMR download somewhere because it might vanish sometime, although I recall there used to be some other similar ideas and methods around.

D




#13
December 7, 2015 at 13:36:23
Derek,
Yes, agreed. I thought about having it in my root folder, but I really don't have that much riskware on this PC. I tend to let my server, which is a separate machine, take care of FTP and torrent stuff to be on the safe side, and NEVER use that laptop for surfing the web anyway; it is just a server, so no browser worries, and my FTP server has a black hole administrator account that goes nowhere, with a password so long it might take a week to type it, and in fancy characters :)

I send control flags from this machine to the other one to control its behavior. However, I wrote automation scripts for the server that take care of most things automatically: if, for instance, certain processes' memory use appears to be stagnant, a batch file schedules disk checks and cleaning scans and does an automatic reboot. There are several batch files called from a single que.bat; if you're interested I could zip them up and email them to you, or stick them on my server for you to retrieve. It has been a long-term project over the last 7 years, making additions, subtractions and changes to them. Most people might be confused by what the batch files do, as some of it is unique to my purposes, like running an assistant ATLAS program that launches automatically when it detects my flight simulator is running on my main PC, and closing it when the flight sim closes.

Ort




#14
December 7, 2015 at 15:09:51
Ort

My usage of batch and reg files seems to have dropped off over the years, although I still have a few running on Win 8.1 (my workhorse machine). On Win 98 & XP I used to reset everything so that instead of always going back to "last location" (what I believe is MS madness) I simply reset to standard locations. That means "until I run the reset" they do indeed go to last location. Mostly that's not the place I usually want to keep going back to forever more though.

Same in the registry. Sure, I have put some locations in Favorites but usually I want to go right back to the top of the registry rather than the last place I went to. Fortunately CCleaner looks after that so I haven't had to concoct anything.

I also use AutoHotkey. I don't regard myself as a master of any of these but I usually manage to get things to do whatever I'm after.

You probably have a BAT to EXE program on board. In the past I've not been happy with those I've found but this one I spotted recently works well:
http://www.f2ko.de/en/b2e.php

D




#15
December 7, 2015 at 15:34:52
Derek,
Yes, I got a bat2exe, but according to VirusTotal it has payloads embedded in it, which makes me feel unsafe using it. I will get your recommendation and try it after doing a VirusTotal scan :) thank you

Ort

PS, just ran VirusTotal on it and it does not look safe; here is the result:
http://www.securityxploded.com/viru...

AVG OpenCandy.020 20151206
AVware Trojan.Win32.Generic!BT 20151206
Avast Win32:Adware-gen [Adw] 20151206
Baidu-International Adware.Win32.OpenCandy.A 20151206
Bkav HW64.packed.9BFE 20151205
DrWeb Adware.OpenCandy.182 20151206
ESET-NOD32 a variant of Win32/OpenCandy.A potentially unsafe 20151206
Fortinet Riskware/OpenCandy 20151204
GData Win32.Application.OpenCandy.O 20151206
K7AntiVirus Unwanted-Program ( 004bb62e1 ) 20151202
K7GW Unwanted-Program ( 004bb62e1 ) 20151202
McAfee Artemis!668559D9C765 20151206
McAfee-GW-Edition Artemis!668559D9C765 20151206
Rising PE:Trojan.Injector!1.9DEE [F] 20151205
TrendMicro PAK_Generic.005 20151206
VIPRE Trojan.Win32.Generic!BT 20151206
ViRobot Adware.Opencandy.2860537[h] 20151206
Zillya Adware.OutBrowse.Win32.67326






#16
December 7, 2015 at 18:43:59
I assume you ran it on the zip file. MalwareBytes found nothing. I prefer to use VirusTotal's own website, this one:
https://www.virustotal.com/
but at a glance the results are the same or similar to yours on the zip file.

I didn't install anything. All I used is the 32-bit portable exe file out of the zip file, "Bat_To_Exe_Converter.exe".
This on its own did a lot better on VirusTotal, only two rather obscure virus checkers reckoned they found something - these:
Rising PE:Trojan.Injector!1.9DEE [F] 20151207
Zillya Adware.OutBrowse.Win32.67326

It was security that I was unhappy about in the past with bat to exe converters. I am now wondering if, as far as the portable is concerned, they are false positives, in that whenever certain virus checkers see BAT_to_EXE they pick things out of their databases - like a blacklist on the "name".

Whatever, steer clear of it if you are not happy obviously. If you should be tempted then the portable does the job without "installing" the converter program.





#17
December 7, 2015 at 19:13:24
Hi Derek,
Ahh well, I never extracted it until now, just scanned the zip, but yes, the portable seems better. I suppose it might be safe to use in the virtual machine, thanks.

I just scanned one I have had for quite some time; at 444 KB it appears clean. Can't remember where I got it from; will see if there's an author's address. http://www.f2ko.de/en/index.php

Oh never mind this seems to be the same link you sent me :(

Ort





#18
December 7, 2015 at 19:35:54
The converter on there links to the same site I gave you, so unless I'm reading you wrongly you are already using it.




#19
December 7, 2015 at 20:18:28
Derek,
No, this one is much older, 5 years old. I've had it a long time but don't really use it, to be honest, but it's there if I need it. If I recall, I made some files about 5 years ago that when created were also flagged as having exploits, so I stopped using it. However, scans today on this old version say it's clean, so most likely it has some sort of injector that pulls stuff from the web when it creates a bat to exe file.

Name: Bat To Exe Converter
Version: 1.5.1.0
License: Freeware
Last modified: 2010-11-18
Size: 444 KB

Ort

PS, I think we have kind of gone off topic here; if there's any more to chat about we should do PM.




#20
December 8, 2015 at 06:12:08
Yes, we've wandered.

We could make a reg script to empty RunOnce, as per my #7. The downside is that something could still creep into it between runs of the script, doing its damage and moving on. Then of course there are other places of entry.




#21
December 8, 2015 at 16:21:52
Hi Derek,
I have a lot of batch files; some have reg scripts already that others helped me with, but none using RunOnce keys. This is why I was a bit stuck, as it needs to be something that can go in my public batch that others may use, on later OS versions too.

Ort




#22
December 8, 2015 at 18:36:09
I'm pretty sure the RunOnce keys are common across systems (subject to check) so I don't anticipate that would be an issue.

My idea was to use a reg file script to delete the RunOnce keys then replace them with the keys and entries that were originally there. The original entries would be part of the reg file. This would effectively reset RunOnce, thereby getting shot of any intruders that had come along since the last script run. The reg file to do this "swap" could be called from some general batch script if necessary.

The above is not difficult to do but there is a big snag if you want to go public with it. There will be quite a variation between computers in terms of what entries are legitimately in their RunOnce keys, depending upon individual software mixes. These could also change.

I don't see a safe way around this, so let's see if anyone on here can think of some quite different approach (although they've been pretty quiet so far).




#23
December 8, 2015 at 18:59:13
Hi Derek,
I can see the points you're making are valid, but then my batch cleaning script is primarily for cleaning a system before finishing and shutting down for the day, and is not meant to be run after, say, running software updates, or at times when pending updates are waiting to be applied. My focus is junk removal, so clearly I could put this in as an optional function with an ARE YOU SURE? prompt before it is run or skipped in automation mode.

Ort




#24
December 8, 2015 at 21:22:55
OK so something like:

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /ve

to find the contents ?

My exported RunOnce key is
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

Ort


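Pulling together Derek's reset idea (#22), the confirmation prompt Ort suggested (#23) and the reg query above, the script below is an added example, not code written by either poster. It backs up both RunOnce keys, lists their values, flags any value name not in an allowlist, and deletes only the flagged ones when asked to. It assumes an allowlist file runonce_allow.txt beside the script (a constructed name) and uses only reg query, reg export and reg delete, which XP's reg.exe supports.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example, not code from this thread. Before an automated shutdown it
rem exports each RunOnce key to a timestamped .reg backup, lists every value
rem (reg query without /ve shows all values, not only the default one), flags
rem value names missing from an allowlist, and deletes the flagged values only
rem when started as "runonce_audit.cmd /clean" and confirmed at a prompt.
rem Assumption: runonce_allow.txt beside this script, one value name per line
rem (constructed file name); a missing allowlist flags everything, by design.
rem Limitation: a value name containing spaces is mis-split by "tokens" and so
rem shows up as unexpected; reg delete of the partial name then simply fails.
set "ALLOW=%~dp0runonce_allow.txt"
set "BACKUPDIR=%~dp0runonce_backup"
if not exist "%BACKUPDIR%\*" md "%BACKUPDIR%"
if not exist "%ALLOW%" echo WARNING: "%ALLOW%" not found, every value will be flagged.
rem Machine-wide and per-user keys; on 64-bit Windows the Wow6432Node RunOnce
rem keys can be appended to this list as well.
set "KEYS=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

set FLAGGED=0
for %%K in (%KEYS%) do call :audit "%%~K"
echo.
if %FLAGGED%==0 (
    echo No unexpected RunOnce values.
    goto :eof
)
echo %FLAGGED% unexpected RunOnce value(s) found. Backups are in "%BACKUPDIR%".
if /i not "%~1"=="/clean" (
    echo Re-run with /clean to remove them.
    goto :eof
)
set "ANSWER="
set /p "ANSWER=ARE YOU SURE you want to delete the flagged values? [Y/N]: "
if /i not "%ANSWER%"=="Y" goto :eof
for %%K in (%KEYS%) do call :purge "%%~K"
goto :eof

:audit
rem Backup first, so a legitimate value can be restored with reg import.
set "STAMP=%DATE:/=-%_%TIME::=-%"
set "STAMP=%STAMP: =0%"
for /f "tokens=1 delims=\" %%H in ("%~1") do set "HIVE=%%H"
reg export "%~1" "%BACKUPDIR%\%HIVE%_RunOnce_%STAMP%.reg" >nul 2>&1
echo.
echo === %~1 ===
rem Value lines look like: indent, Name, REG_SZ, Data. Filtering on REG_ drops
rem the header and key-path lines printed by both XP and later reg.exe.
for /f "tokens=1,2,*" %%A in ('reg query "%~1" 2^>nul ^| findstr /c:"REG_"') do (
    set "NAME=%%A"
    set "DATA=%%C"
    findstr /i /x /c:"!NAME!" "%ALLOW%" >nul 2>&1
    if errorlevel 1 (
        echo   [UNEXPECTED] !NAME! = !DATA!
        set /a FLAGGED+=1
    ) else (
        echo   [allowed]    !NAME! = !DATA!
    )
)
goto :eof

:purge
for /f "tokens=1,2,*" %%A in ('reg query "%~1" 2^>nul ^| findstr /c:"REG_"') do (
    findstr /i /x /c:"%%A" "%ALLOW%" >nul 2>&1
    if errorlevel 1 (
        reg delete "%~1" /v "%%A" /f >nul 2>&1 && echo   removed %%A from %~1
    )
)
goto :eof
```

Run it once without /clean, review the [allowed] and [UNEXPECTED] lines, and seed the allowlist from the names that belong on that particular machine, since legitimate RunOnce entries differ from one software mix to the next.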



#25
December 9, 2015 at 04:49:01
The plot thickens, as they say.

There is more variation between systems than I thought. My Win 8.1 has six RunOnce entries, two of which are in areas I don't fully understand. There is some variation between XP and later systems, also a difference between 32 bit and 64 bit.

Makes me think it would prove complex (if not risky) trying to produce anything global.




#26
December 9, 2015 at 09:25:55
OK, No worries Derek,
I got a little sidetracked by another problem. I need a fix for this script: it moves FOLDERS as well as files, and I just want to move zero-byte files. Any ideas?

@echo off & setlocal
rem Delayed expansion is not needed here and would mangle names containing "!"
echo Please Wait ....
rem dir /b /s lists folders too, and the size check lets them through, so folders get moved as well (/a-d would exclude directories from the listing)
for /f "tokens=* delims=" %%a in ('dir /b /s') do (
    if "%%~za"=="0" move "%%a" f:\Temp >nul 2>nul
)

Ort

PS I figured it out Just use the ARCHIVE /a
('dir/a/b/s')






#27
December 9, 2015 at 12:25:23
"I got a little side tracked by another problem"
Me too, see PM.




#28
December 9, 2015 at 13:30:25
No problem Derek, it's all fine :o)

Ort




