Anyone Remember…

I did an unexpected bit of malware cleanup today, and in the process found myself in the windows and then the system32 directory identifying offending DLL, EXE, DAT, INI, LOG and TXT files, primarily the first three, using old-fashioned DOS commands. You know, dir/ah for hidden files, dir/ah/p to pause if too many for one screen, dir/ah *.dll for the hidden DLL files, and also dir/od or dir/o-d/p in whatever combinations, to show newest files last, or first and pause after a screen, respectively.

Since it was clear that the bunches of oddly named files that had hidden and system attributes and very recent dates were put there by malware, active currently or not, but in case of errors, I was renaming them.

After a bit of:
attrib -s -h malfile.dll

ren malfile.dll malfiledll.not

I got tired of typing so much. So I spontaneously remembered my batch file skills, duh, and went to town. Better yet, I used the first way I ever learned of creating a new batch file, before I even learned (for shaky values of “learned” since it was so tricky) to use Edlin for editing them.

Anyone remember “copy con”?

It’s just the copy command, but applied to the “console to write a file. So at the prompt I typed:
copy con atsh.bat

After pressing enter, the regular prompt, C:yada yada>, goes away. Continuing, I typed:

attrib -s -h %1
ren %1 %1.not

Then pressed Ctrl-Z, which displays as ^Z, and pressed enter to save the file.

%1 Is the parameter passed into the batch file. So at the command prompt I could then type:

atsh aq6zyd.dll

That removed the system and hidden attributes and renamed the file to aq6zyd.dll.not, which is not precisely the naming convention I’d been using, but it still makes them of a nonsense “type” and clearly indicates they are the ones I renamed, whether for renaming back if mistaken, or deletion when clearly not needed.

The system in question was a serious mess. At first I couldn’t get into Control Panel. I never could get into Services, because it thinks IE 5.5 or higher is not installed.

Of course, this system is weird in that it’s XP Home and even when I am in safe mode command prompt as administrator, it locks me out of accessing some files and has some of the malware files in memory. The machine needed to be back in a hurry, so I returned it with no apparent malware running, but without certainty that it’s not there or isn’t going to come right back. It’s just not crippled and ought to go for a while. The thing really should be fdisked and reinstalled fresh.

The whole thing brought back memories of my early computer usage and messing with batch files. When the OS was DOS, or DOS and Windows 3.1, batch files really mattered. Before DOS Edit, I used copy con all the time.