Iznogoud

Delete files on reboot

15 posts in this topic

I need to delete some files before Windows gets started. So this must be something like a Delete file on reboot option.

I found a topic of Larry which suggested using a DllCall, but somehow I do not get it to work.

Topic:

http://www.autoitscript.com/forum/index.ph...p;hl=MoveFileEx

Example code which I used:

DLLCall("kernel32.dll","int","MoveFileEx","str","C:\Windows\System32\Winlogon2.exe","ptr",0,"int",5)

Reason:

Stupid spyware/virus infections keep corrupting the Winlogon.exe and I am fixing this with a live CD, but I have read it could be done by AutoIt or at least with the DllCall of MoveFileEx.

This would save me a lot of time.

I am doing something wrong but what?




Don't the keys in RunServices run before the user logs in?

I think Services run as 'SYSTEM' before the user is logged in....

Does this still apply to XP??? Can somebody verify this for me?


#5 ·  Posted (edited)

I have found another good link to mention.

http://www.diamondcs.com.au/freeutilities/dellater.php

This is an application that does the same, but after deletion it gives a Success pop-up.

I read on a forum that a user has deleted the Success error and re-compiled it. This was possible because the application is open source.

The only problem is the file is a .ASM file, which I do not know how to re-compile. So maybe someone could help me with this if the DLL call in AutoIt is too difficult.

Code of the .ASM file

;#################################
;#         DelLater v1.0         #
;#  For Win 95/98/ME/2K/XP/2003  #
;# Copyright (C) 2003, DiamondCS #
;#  http://www.diamondcs.com.au  #
;# Donated to the public domain. #
;#################################
;
; DESCRIPTION:
; DelLater allows you to mark files to be deleted the
; next time Windows starts. This is useful for times
; when a file can't be deleted because it's in use,
; and this is the method used by anti-virus scanners
; when they're unable to delete files for that reason.
; 
; All efforts were made to ensure that DelLater adheres
; to the guidelines outlined in the MoveFileEx documents
; (Platform SDK - Microsoft Developer Network), including
; using two separate methods as required (one for
; 95/98/ME, the other for NT/2K/XP/2003).
; http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/base/movefileex.asp
 
 
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
 
.data
sTitle   db 'DelLater',0
sError   db 'Unable to mark this file for deletion',0
sMoved   db 'File marked for deletion after reboot',0
sExist   db 'File not found',0
sText   db 'Usage: dellater.exe <filename>',0
sWininit db '\wininit.ini',0
sGroup   db 'rename',0
sNull   db 'NUL',0
sWindir  db 270 dup(0)
wfd   WIN32_FIND_DATA <?>
osvi     OSVERSIONINFO <>
 
.code
_entrypoint:
call GetCommandLineA

;## Process the cmdline
cmp  byte ptr [eax], 22h
je   paramNext2
paramNext1:
inc  eax
cmp  byte ptr [eax], 20h
je   paramLast
cmp  byte ptr [eax], 0
je   NoParams
jmp paramNext1
paramNext2:
inc  eax
cmp  byte ptr [eax], 22h
je   EndParams
jmp  paramNext2
EndParams:
inc  eax
paramLast:
cmp  byte ptr [eax], 0
je   NoParams
inc  eax
cmp  byte ptr [eax], 0
je   NoParams
 
;## Parameters found, check if file exists
push eax;preserve eax
push offset wfd
push eax
call FindFirstFile
cmp eax, INVALID_HANDLE_VALUE
jne MarkFile
pop eax
push 10h
push offset sExist
push eax
push 0h
call MessageBoxA
jmp CodeEnd

MarkFile:

;## Check OS version
mov osvi.dwOSVersionInfoSize, 148
push offset osvi
call GetVersionEx
cmp dword ptr [osvi.dwPlatformId], VER_PLATFORM_WIN32_NT
je WinNT
cmp dword ptr [osvi.dwMajorVersion], 4
jne WinNT

Win9x:
;## Win95/98/ME method
push 270
push offset sWindir
call GetWindowsDirectory
push offset sWininit
push offset sWindir
call lstrcat
pop eax
push eax
push 260
push eax
push eax
call GetShortPathName
pop eax
push eax
push offset sWindir
push eax
push offset sNull
push offset sGroup
call WritePrivateProfileString
cmp eax, 0
je Failed
jmp Success

;## WinNT/2K/XP/2003 method
WinNT:
pop eax
push eax;preserve eax
push MOVEFILE_DELAY_UNTIL_REBOOT
push NULL
push eax;Filename
call MoveFileEx
cmp eax, 0
je  Failed

Success:
pop eax
push 40h
push offset sMoved
push eax
push 0h
call MessageBoxA
jmp CodeEnd

Failed: 
pop eax
push 10h
push offset sError
push eax
push 0h
call MessageBoxA
jmp CodeEnd
 
;## No parameters specified, display usage info
NoParams:
push 40h
push offset sTitle
push offset sText
push 0h
call MessageBoxA
CodeEnd:
invoke ExitProcess, 0
end _entrypoint
 
;## Program end.

Of course I hope it is possible with the DLL call in AutoIt. So if someone has the time and the effort to help me, please...

Edited by Iznogoud
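
Added example (not part of the original post and not DiamondCS's code): both mechanisms in the DelLater source leave a record that can be checked before rebooting, the `[rename]` section of `wininit.ini` on 95/98/ME and, for `MoveFileEx` with `MOVEFILE_DELAY_UNTIL_REBOOT` on NT-family systems, the `PendingFileRenameOperations` value (REG_MULTI_SZ) under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`. The Python below parses both formats so a queued delete can be verified or audited; the function names are illustrative and the sample data is constructed.

```python
# Added example: audit what Windows will delete or rename at next boot.
# Function names are illustrative; the sample data below is constructed.

NT_PREFIX = "\\??\\"

def _clean(path):
    """Drop the '!' (replace-existing) marker and the NT '\\??\\' prefix."""
    path = path.lstrip("!")
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def parse_pending_renames(raw):
    """Parse raw PendingFileRenameOperations data (REG_MULTI_SZ, UTF-16LE).

    Strings come in (source, destination) pairs; an empty destination
    means the source is deleted at boot. Returns (source, dest-or-None).
    """
    strings = raw.decode("utf-16-le").split("\0")
    ops = []
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        if not src:  # empty source: end-of-list terminator
            break
        ops.append((_clean(src), _clean(dst) if dst else None))
    return ops

def parse_wininit(text):
    """Parse the [rename] section of a Win9x wininit.ini (dest=source).

    'NUL' as destination means delete. The NUL key repeats, so a
    dict-based INI parser would lose entries; read it line by line.
    """
    ops, in_rename = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
        elif in_rename and "=" in line and not line.startswith(";"):
            dst, src = (part.strip() for part in line.split("=", 1))
            ops.append((src, None if dst.upper() == "NUL" else dst))
    return ops

def pending_deletes(ops):
    """Return only the sources that are queued for deletion."""
    return [src for src, dst in ops if dst is None]

# Constructed samples: one delete and one replace-existing rename (NT),
# two deletes and one rename (9x).
SAMPLE_NT = ("\\??\\C:\\Windows\\System32\\Winlogon2.exe\0\0"
             "\\??\\C:\\Temp\\new.dll\0!\\??\\C:\\Windows\\System32\\old.dll\0\0"
             ).encode("utf-16-le")
SAMPLE_9X = ("[rename]\nNUL=C:\\WINDOWS\\SYSTEM\\BADFILE.EXE\n"
             "C:\\WINDOWS\\OLD.DLL=C:\\WINDOWS\\NEW.DLL\nNUL=C:\\TEMP\\X.TMP\n")
```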


ASM anybody?

As far as I have read, you can compile ASM files in Visual Basic and more such applications.

But I stick with my first case, the DLL call of Harry is possible because he would not post it if it was not working correctly.

A few examples would clear things up.


It's very interesting if Autoit can remove files on reboot ...

Has someone an idea about this ??


Sorry for my poor english(dictionary beside)
Search before ask will helping the community of AutoIt.
...seeking in the search forum and help-file's, with all the most answer's that i need. Hope for you too.


Ya, it will be fine if we can delete files on startup before starting any other program.

Does anybody know how to delete files at startup?


And it will resolve our problem too...

Then I can write the virus remover continually ^^



#12 ·  Posted (edited)

Wow, Mr. Bert will come to survive us (Joke ^^)...

Thanks for helping, Bert :)

Yub (I didn't know about this word but it is like some um or yes .. I like it ^^) these are Registry keys that most viruses start to run... (or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)

But in my case it works in another way. And I am beginning to study the virus... again

But I'm testing the virus on my notebook and it is inoperative .... waiting for repair, after that I can analyze it later...

But is there only this way with Registry keys to resolve this problem ??

Edited by Basicz


Well you would have to have the program run on startup, then detect when Windows is rebooting then delete files :)

Sorry but can you explain it a little more about your solution ^^



@JamesBrooks

Uhm... did you mean that I create a remove program and set it to start up..

and when Windows boots then remove the virus...

Did I understand it correctly???

