File Permissions and Batch Files

coolego1

Alright, so here's a weird question for you.

At my school there is a virus on the computers that copies itself from the local computer to any removable drive it can find attached to the computer, and thus spreads this way. The school does not have antivirus software because of the cost, and is not amenable to installing a free alternative. Their solution to everything is "just re-image the machine" which does not work if an infected flash drive is used repeatedly.

I have created a batch file that searches for the virus' files and deletes them, but there is one hitch. The computers at the school are on a Windows Domain and so students are given "User" accounts. One of the virus files places itself in the system directory, in this case (Windows XP) C:\windows\system32\. If I am in the command line or my batch file and type "dir" (list directory) I am unable to see the file, yet if I go through Windows Explorer, I can see the file. The same goes for the "del" command for deleting the file, making it very difficult to delete it automatically.

I am able to delete the file if I go through explorer, but not in the command line. Any ideas?

The pertinent part of the message is attached.
 

Cogman

Hmm, sounds strange. Is the file named the same thing? And how does the virus execute itself? Copying usually is not enough.

My suggestion would be to first remove the registry or startup method used by the virus (msconfig is your friend) then reboot the computer and finally re-image the system. That might be your best bet for removing the virus.
 

SilthDraeth

My first thought is the file is a hidden file, and you have view hidden files enabled when viewing through Explorer. I do not know if there is a contextual command to make the batch file view hidden files though.
 

Cogman

Originally posted by: SilthDraeth
My first thought is the file is a hidden file, and you have view hidden files enabled when viewing through Explorer. I do not know if there is a contextual command to make the batch file view hidden files though.

That's what I thought, but I don't know of any command line command that would do that. (In fact, I don't think Windows supports hidden files so to speak.) Perhaps it is actually a worm in Explorer that is creating the file (thus the file doesn't exist until Explorer browses there).
 

coolego1

The "DEL /F /Q /AH" command should force a delete quietly looking in hidden files. The only thing I can think of is a /AS switch to make it see "system" files. Also, the file does exist because the DOS Batch "IF EXISTS" command executes and finds it. Killing the running process should be trivial once I figure out which one it is, and I think I have, so that won't be an issue. Re-imaging is tricky because an infected flash drive just autoruns itself and reinstalls the worm.
 

Apathetic

Originally posted by: SilthDraeth
My first thought is the file is a hidden file, and you have view hidden files enabled when viewing through Explorer. I do not know if there is a contextual command to make the batch file view hidden files though.

"ATTRIB -H somefile.txt" will clear the "hidden" flag from somefile.txt

Dave
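
The behaviour discussed in this thread, reproduced as an added example that is not from any poster here: a file carrying both the System and Hidden attributes is found by IF EXIST, skipped by plain DIR, and needs both flags cleared in one ATTRIB call before removal. The path `%TEMP%\hidden_demo.tmp` is a constructed test file, not the worm's actual file name, which the thread does not give.

```batch
@echo off
rem Added example: reproduces the symptom on a constructed test file, then removes it.
setlocal
set "TARGET=%TEMP%\hidden_demo.tmp"

rem Create the test file and mark it System + Hidden.
echo demo> "%TARGET%"
attrib +s +h "%TARGET%"

rem IF EXIST ignores attributes, so it finds the file...
if exist "%TARGET%" echo [1] IF EXIST: found

rem ...but plain DIR skips hidden and system files.
dir /b "%TARGET%" >nul 2>&1 && (echo [2] DIR: listed) || (echo [2] DIR: not listed)

rem DIR /A lists files regardless of their attributes.
dir /a /b "%TARGET%" >nul 2>&1 && (echo [3] DIR /A: listed) || (echo [3] DIR /A: not listed)

rem Show the attribute letters (S = system, H = hidden, R = read-only).
attrib "%TARGET%"

rem ATTRIB refuses to clear H alone while S is still set, so clear both in one call.
attrib -s -h -r "%TARGET%"

rem /F forces read-only files, /Q suppresses prompts, /A matches any attributes.
del /f /q /a "%TARGET%"

if exist "%TARGET%" (echo [4] still present, check NTFS permissions) else (echo [4] deleted)
endlocal
```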