HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY

PROBLEM
If you are unlucky enough to contract the Merond.O virus on your network, it can be quite troublesome to remove, as it propagates to network shares.

In my case, the ESET client was able to pick up the virus, but it was not able to clean it successfully.  ESET created a standalone tool, executed from the command prompt, that handles removal nicely. You can download it here:
http://kb.eset.com/esetkb/index?page=content&id=SOLN2613

SOLUTION
This tool from ESET is great if you need to clean one PC and are in front of it.  To mass-deploy it and run it silently in the background, do this:

1.      Create a network share that all users can read and write to. I called mine \\server\merond

2.      Create four items in that folder.
   a.      A new folder called logs
   b.      A .bat script named merond_remove_all.bat with the following line:
           \\server\merond\ESETMerondOCleaner.exe C:\ youradministratorpassword /user:yourdomain\administrator -v> \\server\merond\logs\%computername%.log 2>&1
   c.      A copy of ESETMerondOCleaner.exe downloaded from ESET
   d.      A VBS script named merondremove.vbs with the following three lines:
           Set WshShell = WScript.CreateObject("WScript.Shell")
           obj = WshShell.Run("\\server\merond\merond_remove_all.bat", 0)
           set WshShell = Nothing

3.      In the ESET console, on the remote install tab, right-click and click manage packages.  On the “Type” pull-down select custom package, then click the create button in the middle of the dialog box.  Now click Add file and select your merondremove.vbs script.  For the package entry file, select the network share merondremove.vbs as well (it should autopopulate), then click create.  Click save as, give it a useful name like “merondremove” and click save.

4.      To run, in the same remote install tab simply select your clients, right-click, and push the installation.  Enter your domain credentials, click next, select the custom package you just created (merondremove), then click next and finish.

Alternatively, without ESET, you could create a login script or group policy that executes the VBS file.

5.      This step is optional, but if you have a large number of clients you can create a saved search (newer OSes only: Windows 7, 2008, etc.) that looks in the logs folder for the term “org”.  If the search finds it in a computer's log, that computer had the file and was cleaned.  Eventually you will want to delete the renamed files, because they still contain the virus and the renaming makes them useless.

Or, the manual way to check whether the computers are still infected is to rescan the computer with ESET.  Note that the scanner will still pick up the original file, because it has been renamed with the .org file extension, e.g. word.exe.org
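
The log check from step 5 can also be scripted. The following PowerShell is an added example, not part of the original article or of ESET's tooling: the function name Get-MerondLogSummary, the $ExpectedComputers inventory list and the '\.org\b' pattern are assumptions, and the demo log lines are constructed, not real cleaner output.

```powershell
function Get-MerondLogSummary {
    param(
        [Parameter(Mandatory = $true)][string]$LogDir,
        [string[]]$ExpectedComputers = @()   # hypothetical inventory of client names
    )
    $seen = @{}
    Get-ChildItem -Path $LogDir -Filter *.log | ForEach-Object {
        $name = $_.BaseName.ToUpper()        # log name is %computername% (step 2b)
        $seen[$name] = $true
        # Assumption: ".org" shows up in a log only when a file was renamed.
        $hits = @(Select-String -Path $_.FullName -Pattern '\.org\b')
        if ($_.Length -eq 0)        { $status = 'EmptyLog' }   # cleaner wrote nothing
        elseif ($hits.Count -gt 0)  { $status = 'Cleaned' }
        else                        { $status = 'NoFinding' }
        New-Object PSObject -Property @{
            Computer = $name; Status = $status
            Hits = $hits.Count; LastRun = $_.LastWriteTime
        }
    }
    # Clients with no log at all: package never ran or the share was unreachable.
    foreach ($c in $ExpectedComputers) {
        if (-not $seen.ContainsKey($c.ToUpper())) {
            New-Object PSObject -Property @{
                Computer = $c.ToUpper(); Status = 'NoLog'; Hits = 0; LastRun = $null
            }
        }
    }
}

# Demo on constructed logs (contents are made up for this example).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'merond-logs-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'PC01.log') 'constructed: C:\Apps\word.exe renamed to word.exe.org'
Set-Content (Join-Path $demo 'PC02.log') 'constructed: scan finished, nothing found'
New-Item -ItemType File -Path (Join-Path $demo 'PC03.log') -Force | Out-Null

Get-MerondLogSummary -LogDir $demo -ExpectedComputers 'PC01','PC02','PC03','PC04' |
    Select-Object Computer, Status, Hits, LastRun |
    Sort-Object Status, Computer | Format-Table -AutoSize
```

Point -LogDir at \\server\merond\logs to run it against the real share; clients reported as EmptyLog or NoLog are the ones to re-push or check by hand.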


EXPLANATION
The .bat file
\\server\merond\ESETMerondOCleaner.exe C:\
This part runs ESETMerondOCleaner and scans the C:\ drive.

youradministratorpassword /user:yourdomain\administrator
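This part adds your domain username and password in plain text.  This is not a good IT practice, but I would recommend removing the virus and then removing all these files from the IT share.  While the files exist, every user who can read the share can read that password, and because the share from step 1 is also writable by all users, the script and cleaner that run with those credentials are not protected from modification; treat the password as exposed and keep the share up only as long as the cleanup takes.  This part is required for newer machines like Windows 7 because the cleaner needs elevated admin credentials to execute.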

-v>
The -v switch is for verbose logging; the > that follows it redirects the cleaner's output to the log file named next.

\\server\merond\logs\%computername%.log 2>&1
This part creates a log file named after the computer and overwrites the previous log; 2>&1 sends error output to the same file.  When fighting an outbreak like this you tend to re-run this script to make sure the virus is 100% gone.

The VBS script
This script calls the .bat script and allows it to run silently in the background; the 0 passed as the second argument to Run hides the window.  There are probably better ways to do this, but Google led me to this simple three-line script.

If you want to know if the tool is running, you can look at Task Manager and see if the process is running.


 

Author:Philonator