
I work for an IT consulting company and one of our clients got hit with a virus that created a bunch of random .exe files on the PC and then created services to try to run those files automatically. I've since removed the virus from all machines, but there are a lot of orphaned services left I need to remove.

All in all there are 4,000 unique services combined from all of the computers at their facility. The service names are random numbers and I am hoping to find a way to remove them with a script of some sort, but I can't figure out how to do a wildcard for the commands I know...

I've tried

 reg delete hklm\system\currentcontrolset\services\1*

and

 sc delete \\pcname 1*

without any luck. Any help would be appreciated so I don't have to go to each machine (again) and manually delete the services. Sorry, I am always learning new scripts by going out and seeing what other people have created, but I can't find anything to even build off of for this situation.

Thank you in advance.

MackMan
    Back up the data and re-image their systems; otherwise employ somebody to do a professional job. Stop messing with things you don't understand... – Compo Jan 28 '18 at 23:27

3 Answers


We can imagine a script that gets all service names and checks whether each name is numeric; if so, it deletes the service:

@echo off
SETLOCAL ENABLEDELAYEDEXPANSION

rem List every installed service, running or not, keep only the
rem "SERVICE_NAME: xxx" lines, and take the name (token 2) from each.
for /f "tokens=2 delims=: " %%a in ('sc query type^= service state^= all ^| findstr /b "SERVICE_NAME:"') do (
     set "$service=%%a"
     rem Numeric means: an integer with no leading zero, or a bare 0.
     echo !$service! | findstr "^[-][1-9][0-9]*$ ^[1-9][0-9]*$ ^0$">nul && call:delete %%a || echo %%a is not numeric
     )
exit/b

:delete
echo %1 is Numeric
rem Put the command to delete the service here, for example:
rem sc stop "%~1"
rem sc delete "%~1"

Put the command to remove the service in the :delete label.

Using @Endoro's solution to check if a value is numeric.

SachaDee
@echo off
setlocal
set "root_key=HKLM\system\currentcontrolset\services"

rem Each subkey under the services key is one installed service. reg query
rem prints full key paths, so the 5th backslash-delimited token is the name.
for /f "tokens=5 delims=\" %%A in ('reg query "%root_key%"') do (
    call :check_key "%%~A"
    if errorlevel 1 call :del_key "%%~A"
)
goto :eof


:check_key
setlocal enabledelayedexpansion
set "filtered="
set "original=%~1"
if not defined original exit /b 0

rem Use the digits as delimiters: if nothing is left over, the name was all digits.
for /f "delims=0123456789" %%A in ("!original!") do set "filtered=%%~A"
if not defined filtered exit /b 1
exit /b 0


:del_key
rem Dry run by default: only prints the name. Uncomment the sc lines to act.
echo "%~1"
rem sc stop "%~1"
rem sc delete "%~1"
goto :eof

reg query is used to loop through the services key. The 5th token delimited on \ is the key name of the service.

call :check_key runs a for loop that delimits on the digits 0 to 9. If filtered is not defined, then only digits existed in the key name, so it exits the label setting errorlevel 1.

If errorlevel 1 is caught in the main for loop, then call :del_key runs sc stop to stop the service and sc delete to delete the service key. Remove the rem before the sc commands to enable them.

Created for local machine use, though some minor changes could make it work remotely.

michael_heath

You can use VBScript for that. It's simple; first instantiate the WMI service:

Computer = "." 'IP or network name ("." is the local host)
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & Computer & "\root\cimv2") 'If your user has access

or, if you need to use another user:

Computer = "." 'IP or Network Name
UserAndDomain = ".\Administrator" 'Account WITH domain "\"
Pass = "" ' Account Password
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = objSWbemLocator.ConnectServer(Computer, "Root\CIMv2", UserAndDomain , Pass)

Now obtain the services collection:

Set colServices = objWMIService.ExecQuery("Select * from Win32_Service") 'Optionally filter in WQL, e.g. " Where Name = '" & strServiceName & "'" or " Where Name Like 'Something%'"
'Or
Set colServices = objWMIService.InstancesOf("Win32_Service")

And then to delete:

For Each Service In colServices
    If IsNumeric(Service.Name) Then 'Or other condition.
        If Service.State <> "Stopped" Then Service.StopService 'A running service is only marked for deletion
        ret = Service.Delete 'Win32_Service.Delete returns 0 on success
        If ret <> 0 Then WScript.Echo "Delete of " & Service.Name & " returned " & ret
    End If
Next
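As an added example that is not part of any of the answers above: the same enumerate, filter, stop and delete procedure the batch and VBScript answers describe, written in PowerShell so it can be run from one console against a list of machines instead of being copied to each one. It uses the Win32_Service class and its StopService and Delete methods, exactly as the VBScript answer does, and runs as a dry run unless -Remove is given. It assumes, as the question says, that the orphaned services have purely numeric names, that the caller is a local administrator on each target, and that WinRM is reachable for remote names; the report file name and the -Remove switch are this example's own choices.

```powershell
<#
  Added example, not code from the original answers.
  Records every service whose name is all digits, then (only with -Remove)
  stops and deletes it via Win32_Service. Assumes local admin rights on each
  target and WinRM access for remote computer names.
#>
param(
    [string[]]$ComputerName = @('.'),          # '.' means the local machine
    [string]$Report = 'orphaned-services.csv', # assumed file name for the audit trail
    [switch]$Remove                            # without it, dry run only
)

# Stricter than VBScript's IsNumeric(): digits only, so "1e3" or "-5" do not match.
$numericName = '^\d+$'

foreach ($computer in $ComputerName) {
    $cimArgs = @{ ClassName = 'Win32_Service' }
    if ($computer -ne '.') { $cimArgs.ComputerName = $computer }

    $suspects = Get-CimInstance @cimArgs | Where-Object { $_.Name -match $numericName }

    foreach ($svc in $suspects) {
        # Record before touching anything: the image path is what the service
        # would have launched, and it should be checked even after the service is gone.
        [pscustomobject]@{
            Computer = $computer
            Name     = $svc.Name
            State    = $svc.State
            PathName = $svc.PathName
        } | Export-Csv -Path $Report -Append -NoTypeInformation

        if (-not $Remove) {
            Write-Output "[$computer] would delete '$($svc.Name)' -> $($svc.PathName)"
            continue
        }

        # Stop first: a service deleted while running lingers until it stops.
        if ($svc.State -ne 'Stopped') {
            $null = Invoke-CimMethod -InputObject $svc -MethodName StopService
        }
        $result = Invoke-CimMethod -InputObject $svc -MethodName Delete
        if ($result.ReturnValue -eq 0) {
            Write-Output "[$computer] deleted '$($svc.Name)'"
        } else {
            Write-Warning "[$computer] Delete of '$($svc.Name)' returned $($result.ReturnValue)"
        }
    }
}
```

Run it once without -Remove (for example `.\Remove-NumericServices.ps1 -ComputerName pc01,pc02`) and review the CSV: it lists the name, state and image path of every match, which is the check you want before a pattern-based deletion touches 4,000 entries. Deleting the service only removes its registration; the executables in PathName still have to be verified as gone. The `^\d+$` match is deliberately narrower than IsNumeric(), which would also accept names such as 1e3 or -5.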