


lorettab

Killing 'Nircmd.com' — what does this mean?
« on: February 10, 2009, 06:54:08 AM »
  Killing 'Nircmd.com'

PUSHD "C:\32788R22FWJFW\"

IF NOT EXIST C:\Windows\system32\cmd.exe GOTO Not_NT

VER  1>OsVer

"C:\Windows\system32\Find.exe" "5.2." OsVer

---------- OSVER

IF 1 == 0 GOTO Not_NT

"C:\Windows\system32\Find.exe" "5.1.2" OsVer

---------- OSVER

IF 1 == 0 GOTO NT

"C:\Windows\system32\Find.exe" "5.00.2" OsVer

---------- OSVER

IF 1 == 0 GOTO NT

=============================================

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\loretta\AppData\Roaming
CFLDR=32788R22FWJFW
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RHODES-PC
ComSpec=C:\Windows\system32\cmd.execf
DFSTRACINGON=FALSE
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\loretta
KMD=CF25560.exe
LOCALAPPDATA=C:\Users\loretta\AppData\Local
LOGONSERVER=\\RHODES-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.CFEXE;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\
sfxcmd="C:\Users\loretta\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EE0KH90F\ComboFix[1].exe"
sfxname=C:\Users\loretta\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EE0KH90F\ComboFix[1].exe
SYSTEM=C:\Windows\system32
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\loretta\AppData\Local\Temp
TMP=C:\Users\loretta\AppData\Local\Temp
TRACE_FORMAT_SEARCH_PATH=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
USERDOMAIN=rhodes-pc
USERNAME=loretta
USERPROFILE=C:\Users\loretta
windir=C:\Windows

=============================================


IF NOT DEFINED sfxname GOTO END

IF EXIST C:\cfDebug.cmd DEL /A/F C:\cfDebug.cmd

CALL sfx.cmd

IF EXIST OsVer00 CALL :Vista

REN OsVer00 Vista.mac

COPY /Y /B C:\Windows\system32\sc.exe C:\Windows\system32\swsc.exe
        1 file(s) copied.

HANDLE csrss.exe.mui  1>MUI00

SED -r "/.*(.:\\.*)\\[^\\]*$/!d; s//\1/" MUI00   | SED -r -n "G; s/\n/&&/; /^([ -~]*\n).*\n\1/d; s/\n//; h; P"  1>MUI

FOR /F "TOKENS=*" %G IN (MUI) DO @(
IF EXIST "%~G\sc.exe.mui" COPY /Y /B "%~G\sc.exe.mui" "%~G\swsc.exe.mui" 
 IF EXIST "%~G\cmd.exe.mui" (
SWXCACLS "%~G\cmd.exe.mui" /OA /Q 
 SWXCACLS "%~G\cmd.exe.mui" /P /GA:F /GS:F /GP:X /GU:X /Q 
 COPY /Y "%~G\cmd.exe.mui" "%~G\CF25560.exe.mui" 
 SWXCACLS "%~G\cmd.exe.mui" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /GA:X /GS:X /GP:X /GU:X /Q 
 SWXCACLS "%~G\cmd.exe.mui" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /Q
)
)
        1 file(s) copied.
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)
Ownerchange for "C:\Windows\System32\en-US\cmd.exe.mui" to Administrators group was successful
        1 file(s) copied.

DEL /Q MUI0?

GOTO :EOF

IF /I "C:\32788R22FWJFW" NEQ "C:\32788R22FWJFW" GOTO Abort

IF EXIST "C:\Users\loretta\AppData\Local\Temp\32788R22FWJFW32788R22FWJFW.log" DEL "C:\Users\loretta\AppData\Local\Temp\32788R22FWJFW32788R22FWJFW.log"

(
SET "FileName=ComboFix[1]" 
 SET "FilePath=C:\Users\loretta\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EE0KH90F\"
)

SET FileName  1>FileName

GREP -isqx "FileName=[-[:alnum:]@.]*" FileName   || (
CALL NIRCMD INFOBOX "You cannot rename ComboFix as %FileName%~n~nPlease use another name, preferbaly made up of alphanumeric characters" "" 
 GOTO END
)

IF EXIST "C:\Windows\system32\cmd.execf" MOVE /Y "C:\Windows\system32\cmd.execf" "C:\Users\loretta\AppData\Local\Temp"
        1 file(s) moved.

CD ..

IF DEFINED cfldr RD /S/Q "32788R22FWJFW"