Das ist allerdings Blödsinn, weil das Virus angeblich die Datei Logon.bat sein soll
Nun verhält es sich so, dass diese Datei schon seit einiger Zeit das Anmeldescript meiner privaten (Spielwiesen-)Domäne bildet, welches per serverseitiger Gruppenrichtlinie ausgeführt wird, wenn sich ein authentifizierter Domänen-User mit seinem Client anmeldet.
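@ECHO OFF
REM Domain logon script, started by server-side group policy and running with
REM the rights of the logged-on user on every client. Everything it imports or
REM executes comes from \\WIN****SERVER\logon and \\WIN****SERVER\netlogon,
REM so write access to those shares must be limited to administrators:
REM whoever can modify them runs code on every client at the next logon.
COLOR 9
ECHO Logon- Script of Domain %USERDOMAIN% will start now !
ECHO Your Name is %USERNAME% !
ECHO Your Computer's name is %COMPUTERNAME% !
ECHO Your Operating System is %OS% !
ECHO ******************************
ECHO * Current time will be set ! *
ECHO ******************************
REM On the server itself none of the client setup below applies; jump to the
REM end (MARKE10) right away.
IF /I "%COMPUTERNAME%"=="win****server" (
ECHO The script will finish in this case because the name of the Computer is %COMPUTERNAME% & GOTO MARKE10
) ELSE ECHO Continue script...
REM Silent registry imports from the server share, applied unconditionally on
REM every logon. Per-logon registry writes plus the gateway changes further
REM down are the behaviour AV heuristics tend to flag.
REM NOTE(review): \\server\C:\... is not a valid UNC share path -- confirm the
REM intended share name.
REGEDIT /S \\WIN****SERVER\C:\logon\time.reg
REGEDIT /S \\WIN****SERVER\C:\logon\windowsupdate.reg
REGEDIT /S \\WIN****SERVER\C:\logon\foxitreader.reg
REGEDIT /S \\WIN****SERVER\C:\logon\access_allowed.reg
net time /setsntp:"win****server.****.home"
ECHO ******************
ECHO * Check folder ! *
ECHO ******************
REM Wipe the local tool folder if the old .vbs marker is still present.
REM /Q is required: without it DEL *.* asks "Are you sure (Y/N)?" and a
REM non-interactive logon script hangs on that prompt.
IF EXIST C:\logon\****.vbs DEL /Q C:\logon\*.*
IF NOT EXIST C:\logon\sleep.exe GOTO MARKE1
IF EXIST C:\logon\sleep.exe GOTO MARKE2
:MARKE1
REM First run on this client: fetch the helper tools from the server.
MKDIR c:\logon
COPY \\WIN****SERVER\netlogon\logon.bat C:\logon\
COPY \\WIN****SERVER\logon\machlink.exe C:\logon
COPY \\WIN****SERVER\logon\sleep.exe C:\logon
COPY \\WIN****SERVER\logon\sleep_tick.wav C:\logon
COPY \\WIN****SERVER\logon\WindowBuster.exe C:\logon
COPY \\WIN****SERVER\logon\netdom.exe C:\logon
:MARKE2
ECHO ***********************************
ECHO * Internet- Gateway will be set ! *
ECHO ***********************************
REM Force the default gateway on every interface name this script knows
REM about; names that do not exist on the client simply fail and are ignored.
REM NOTE(review): 192.169.0.0/16 is not RFC 1918 private space -- confirm this
REM is not a typo for 192.168.255.1.
FOR %%N IN (
"LAN-Verbindung"
"LAN-Verbindung 2"
"LAN-Verbindung 3"
"LAN-Verbindung 4"
"Local Area Connection"
"Local Area Connection 2"
"Local Area Connection 3"
"Local Area Connection 4"
"Wireless Network Connection"
"Wireless Network Connection 2"
"Wireless Network Connection 3"
"Wireless Network Connection 4"
) DO netsh interface ip set address name=%%N gateway=192.169.255.1 gwmetric=0
ECHO *******************
ECHO * Link will set ! *
ECHO *******************
REM Quote the profile path: IF EXIST breaks on user names containing spaces,
REM and the original -z: argument was missing its closing quote.
IF NOT EXIST "%USERPROFILE%\Desktop\****.lnk" (
c:\logon\MACHLINK.EXE -q:"\\win****server\****\****.xls" -z:"%USERPROFILE%\Desktop\****.lnk"
) ELSE ECHO Link is already available !
ECHO Continue script...
:MARKE3
REM ECHO *****************************
REM ECHO * Install MS Office 2003... *
REM ECHO *****************************
REM IF EXIST c:\logon\office.cmd GOTO MARKE5
REM IF NOT EXIST c:\logon\office.cmd GOTO MARKE4
REM :MARKE4
REM COPY \\WIN2000SERVER\logon\office.cmd C:\logon
REM call c:\logon\office.cmd
:MARKE5
ECHO ********************************
ECHO * Network Printer Installation *
ECHO ********************************
REM Overwrite (>) rather than append (>>): if an earlier run aborted before
REM the DEL at MARKE7, stale entries would make "find" succeed and skip the
REM printer installation.
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices" > C:\logon\drucker.txt
find /I "\\win****server\Canon" c:\logon\drucker.txt
IF NOT %ERRORLEVEL% == 0 (
ECHO Device CANON not found and will install now !
rundll32 printui.dll,PrintUIEntry /q /in /n \\win****server\Canon
REM con2prt \\win****server\Canon
) ELSE ECHO Device Canon is already installed !
:MARKE6
find /I "\\win****server\Epson" c:\logon\drucker.txt
IF NOT %ERRORLEVEL% == 0 (
ECHO Device EPSON not found and will install now !
rundll32 printui.dll,PrintUIEntry /q /in /n \\win****server\Epson /y
REM con2prt \\win****server\Epson
) ELSE ECHO Device Epson is already installed
:MARKE7
del c:\logon\drucker.txt
ECHO ********************************
ECHO * Network Mapping Installation *
ECHO ********************************
REM Per-machine drive mappings. The third branch additionally replaces the
REM .evt event logs on the server share from another host.
IF /I "%COMPUTERNAME%"=="****" (
net use r: \\win****server\**** /persistent:yes
) ELSE ECHO Home drive has been mapped !
IF /I "%COMPUTERNAME%"=="****" (
net use r: \\win****server\**** /persistent:yes
) ELSE ECHO Home drive has been mapped !
IF /I "%COMPUTERNAME%"=="****" (
net use r: \\win****server\**** /persistent:yes
del \\win****server\logon\system.evt
xcopy \\****\logon\*.evt \\win****server\logon\
) ELSE ECHO Home drive has been mapped !
:MARKE8
REM ECHO ***************************
REM ECHO * Install Defrag... *
REM ECHO ***************************
REM IF EXIST c:\logon\defrag.cmd GOTO MARKE10
REM IF NOT EXIST c:\logon\defrag.cmd GOTO MARKE9
:MARKE9
REM COPY \\WIN2000SERVER\logon\defrag\defrag.cmd C:\logon
REM c:\logon\defrag.cmd
:MARKE10
REM ECHO ****************************************
REM ECHO * Update AVG Antivirenscanner... *
REM ECHO ****************************************
REM IF EXIST c:\logon\avg3.txt GOTO MARKE11
REM taskkill /F /IM avgemc.exe /T
REM taskkill /F /IM avgupsvc.exe /T
REM taskkill /F /IM avgamsvr.exe /T
REM taskkill /F /IM avgcc.exe /T
REM SET path="%systemdrive%\Programme\Grisoft\AVG Free\"
REM start /wait setup.exe /UNINSTALL /HIDE
REM start /wait \\win****server\logon\defrag\Sleep.exe /t:40 /m: Please remove old Antivirus- Software!
REM start /wait \\win****server\software\avg\avg75free.exe /HIDE
REM ECHO "Update sucessfully done!" >> %systemdrive%\logon\avg3.txt
REM start /wait \\win****server\logon\defrag\Sleep.exe /t:60 /m: Install new Antivirus- Software!
REM TYPE c:\logon\avg3.txt
REM start /wait \\win****server\logon\defrag\Sleep.exe /t:5 /m: Installation is finished!
REM SET path="%windir%\system32\"
REM shutdown -r
:MARKE11
REM One-time silent MSI install; the copied .msi doubles as the "done" marker.
IF EXIST "%systemdrive%\logon\****.msi" GOTO EOF
ECHO **********************************
ECHO * Install **** OnlineControl *
ECHO **********************************
copy \\win****server\logon\****.msi %systemdrive%\logon
start /wait %systemdrive%\logon\****.msi /qn
start /wait \\win****server\logon\defrag\Sleep.exe /t:5 /m: Logon script is finished!
:EOF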
Es ist also zweifelsfrei kein Virus, wie dies nach Anmeldung eines Clients gemeldet wird...
Best regards,
TB