HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY
PROBLEM
If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network.
In my case, the Eset client was able to pick up the virus but, it was not able to clean it successfully. Eset created a stand alone tool that is executed from the command prompt that you can download here that handles removal nicely.
http://kb.eset.com/esetkb/
SOLUTION
This tool from ESET is great if you need to clean one pc and are in front of it. To mass deploy and run it silently in the background do this:
1. Create a network share that all users can read and write to, I called my \\server\merond
2. Create four items in that folder.
a. A new folder called logs
b. A bat script named merond_remove_all.bat with the following line
\\server\merond\ESETMerond
c. A copy of ESETMerondOCleaner.exe downloaded from eset
d. A VBS script named merondremove.vbs with the following three lines
Set WshShell = WScript.CreateObject("WScr
obj = WshShell.Run("\\server\mer
set WshShell = Nothing
3. In the Eset console, on the remote install tab, right click and click manage packages. On the “Type” pull down select custom package, then click the create button in the middle of the dialog box. Now click Add file and select your merondremove.vbs script. On the package entry file select network share merondremove.vbs as well (it should autopopulate) then click create. Click save as, give it a useful name like “merondremove” and click save.
4. To run, in the same Remote install tab simply select your clients, right click, and push the installation. Enter your domain credentials, click next, select the custom package you just created merondremove, next and finish.
Or as an alternate without eset you could create a login script or group policy that would look to the vbs file to execute.
5. This step is optional, but if you have a large number of clients you can create a saved search (newer Os-es only- win7, 2008, etc) that will look at the logs folder for the term “org”. If the search detects this then that computer had the file and was cleaned. Eventually you will want to delete these files because they have the virus and are renamed making them useless.
Or, the manual way to check if the computers are still infected it to rescan the computer with eset. **note that the scanner will still pick up the original file because it has been renamed with the .org file extension ie: word.exe.org
EXPLANATION
The .bat file
\\server\merond\ESETMerond
This section states to run the EsetMerondOCleaner and scan the c:\ drive
youradministratorpassword /user:yourdomain\administr
This line adds your domain username and password in plain text. This is not a good IT practice but, I would recommend removing the virus then removing all these files from the IT share. This line is required for newer machines like windows 7 because the cleaner needs elevated admin credentials to execute.
-v>
This is for verbose logging.
\\server\merond\logs\%comp
This line creates a log file of the computer name and deletes the previous log. When fighting an outbreak like this you tend to re-run this script to make sure it is 100% gone.
The VBS script
This script calls up the .bat script and allows it to run silenly in the background. There are probably better ways to do this but, google lead me to this simple three line code.
If you want to know if the tool is running you can look at the taskmanager and see if the process is running.
PROBLEM
If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network.
In my case, the Eset client was able to pick up the virus but, it was not able to clean it successfully. Eset created a stand alone tool that is executed from the command prompt that you can download here that handles removal nicely.
http://kb.eset.com/esetkb/
SOLUTION
This tool from ESET is great if you need to clean one pc and are in front of it. To mass deploy and run it silently in the background do this:
1. Create a network share that all users can read and write to, I called my \\server\merond
2. Create four items in that folder.
a. A new folder called logs
b. A bat script named merond_remove_all.bat with the following line
\\server\merond\ESETMerond
c. A copy of ESETMerondOCleaner.exe downloaded from eset
d. A VBS script named merondremove.vbs with the following three lines
Set WshShell = WScript.CreateObject("WScr
obj = WshShell.Run("\\server\mer
set WshShell = Nothing
3. In the Eset console, on the remote install tab, right click and click manage packages. On the “Type” pull down select custom package, then click the create button in the middle of the dialog box. Now click Add file and select your merondremove.vbs script. On the package entry file select network share merondremove.vbs as well (it should autopopulate) then click create. Click save as, give it a useful name like “merondremove” and click save.
4. To run, in the same Remote install tab simply select your clients, right click, and push the installation. Enter your domain credentials, click next, select the custom package you just created merondremove, next and finish.
Or as an alternate without eset you could create a login script or group policy that would look to the vbs file to execute.
5. This step is optional, but if you have a large number of clients you can create a saved search (newer Os-es only- win7, 2008, etc) that will look at the logs folder for the term “org”. If the search detects this then that computer had the file and was cleaned. Eventually you will want to delete these files because they have the virus and are renamed making them useless.
Or, the manual way to check if the computers are still infected it to rescan the computer with eset. **note that the scanner will still pick up the original file because it has been renamed with the .org file extension ie: word.exe.org
EXPLANATION
The .bat file
\\server\merond\ESETMerond
This section states to run the EsetMerondOCleaner and scan the c:\ drive
youradministratorpassword /user:yourdomain\administr
This line adds your domain username and password in plain text. This is not a good IT practice but, I would recommend removing the virus then removing all these files from the IT share. This line is required for newer machines like windows 7 because the cleaner needs elevated admin credentials to execute.
-v>
This is for verbose logging.
\\server\merond\logs\%comp
This line creates a log file of the computer name and deletes the previous log. When fighting an outbreak like this you tend to re-run this script to make sure it is 100% gone.
The VBS script
This script calls up the .bat script and allows it to run silenly in the background. There are probably better ways to do this but, google lead me to this simple three line code.
If you want to know if the tool is running you can look at the taskmanager and see if the process is running.
