View Full Version : AutoExec.bat
ErnieK
03-14-2003, 06:37 PM
Win98se.
Whilst in msconfig to disable something in the start up folder I decided to check what was in the Autoexec.bat (I keep this and sys config disabled) and found the following sitting in there. As I say everything in here was disabled. (here hoping the attachment works) so see attachment for the details as regards JOE :confused:
AVG run daily and clean and kept up to date. SpyBot run once a week (kept up to date) shows clean. SpywareBlaster run every two days shows clean. Ad-aware6 run weekly shows clean.
Almost forgot. Also do a DOS virus scan once every 10 days or so.
Budfred
03-14-2003, 11:26 PM
No sign of an attachment, but I am guessing that Joe is a trojan or virus... Given the delete instructions, it certainly sounds malicious. Sounds like your virus scans are either corrupt or not picking up for some reason.
Actually, that looks like part of a registry cleanup script.
It would take, export the registry, thereby compacting it and put an uncommon extension on the exported files. Then it would delete the current registry files. Then rename the new cleaned ones back to .dat files (that is what Copy line does). It also has a failsafe, the first line.....If not exist system.joe goto a:...so if that file isn't found it would do nothing (at least this part).
I imagine that if this ran at boot up as part of an autoexec it would take about 1/2 hour or more to get through, and if it (complete script) calls for a reboot at the end it would continually loop.
Anyway, not something that needs to be part of an autoexec file.
ErnieK
03-15-2003, 06:48 AM
Thanks guys
mjc - safe enough to manually edit the autoexec and remove then?
Open it in Notepad and remove to your heart's desire.
ErnieK
03-15-2003, 04:24 PM
Cheers mjc
Paul Komski
03-15-2003, 05:08 PM
Of academic interest only, but does anyone know what the /Z parameter is for after the DELETE commands in that partial script??
Can only guess that it is for enabling/disabling a confirmation prompt or something like that but I cannot find a reference to it.
david eaton
03-15-2003, 06:36 PM
Possibly of even more academic interest: I thought the command was DEL, not delete! Certainly on my boxes, delete is not recognised.
Curiouser and curiouser said Alice :D
David
I think it would be safe to assume that the /Z command line switch tells the program to perform its function without prompting the user for Y/N.
The Delete command would, as MJC said, be part of the REG cleaner script/program.
ErnieK
03-16-2003, 10:32 AM
Keep the "Academic" interests coming. Hopefully someone will give an answer. Out of idiotic curiosity I am tempted to run it and find what happens. Who says that you have to be sane to use a computer? :D But temptation was put in the way of mankind to help him learn (usually painfully) so maybe I won't run it after all.
classicsoftware
03-16-2003, 10:45 AM
The /Z switch is bogus.
The delete command is bogus.
Try either one in DOS Prompt/Command Prompt Window in Windows or on a straight DOS 6.2 computer (yes I still have one of those) and it will NOT WORK.
If you try to delete a file with the delete command you get
BAD COMMAND OR FILENAME
If you listen to David Eaton, and you should, the correct command is DEL or also ERASE will work. If you try to execute the command as written, you will get:
ILLEGAL SWITCH
The only way this works is if this is a virus/worm that provides its own delete.exe or delete.com to actually delete the files in question.
That being said, I would definitely remove said lines from autoexec.bat.
Before doing so, I would view all hidden files and see if there is a JOE folder. Existence of the folder is evidence of an active infection with a worm/virus.
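Added example, not part of the thread: one way to run the check the posters describe over a startup file, flagging lines that act on the registry files and, where the command is not a COMMAND.COM built-in (as with DELETE), listing the on-disk program names to search for. The `audit` function and the sample lines are assumptions, constructed from the posters' description because the attachment is missing.

```python
import re

# Commands COMMAND.COM runs itself (MS-DOS 6.x / Windows 9x); anything else
# must exist on disk as a .COM, .EXE or .BAT file found via the PATH.
INTERNAL = {
    "break", "call", "cd", "chcp", "chdir", "cls", "copy", "ctty", "date", "del",
    "dir", "echo", "erase", "exit", "for", "goto", "if", "lh", "loadhigh", "md",
    "mkdir", "path", "pause", "prompt", "rd", "rem", "ren", "rename", "rmdir",
    "set", "shift", "time", "type", "ver", "verify", "vol",
}
HIVES = {"user.dat", "system.dat", "classes.dat"}  # registry files named in the thread
IF_EXIST = re.compile(r"^if\s+(not\s+)?exist\s+\S+\s+", re.I)

def basename(token):
    """Lower-cased file name with any drive and directory part removed."""
    return token.lower().rsplit("\\", 1)[-1]

def audit(text):
    """Return (line_no, kind, detail) for each line that acts on a registry hive."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("@").strip()
        if not line or line.startswith(":"):
            continue  # blank line or a label such as :A
        # Judge the command that follows an IF [NOT] EXIST test, not the test itself.
        tokens = IF_EXIST.sub("", line).split()
        stem = basename(tokens[0]).split(".")[0]
        hives = [basename(t) for t in tokens[1:] if basename(t) in HIVES]
        if stem == "rem" or not hives:
            continue
        if stem in INTERNAL:
            findings.append((n, "hive-touch", hives))
        else:
            # Not a built-in: report the file names DOS would look for, in search order.
            candidates = [stem + ext for ext in (".com", ".exe", ".bat")]
            findings.append((n, "external-on-hive", candidates))
    return findings

# Constructed sample shaped after the thread's description (not the real attachment).
SAMPLE = r"""@ECHO OFF
IF NOT EXIST SYSTEM.JOE GOTO A
DELETE /Z C:\WINDOWS\USER.DAT
DELETE /Z C:\WINDOWS\SYSTEM.DAT
COPY USER.JOE C:\WINDOWS\USER.DAT
COPY SYSTEM.JOE C:\WINDOWS\SYSTEM.DAT
:A
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```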
david eaton
03-16-2003, 11:33 AM
Ernie, Have you tried a search for a file called "delete.*"? Just to satisfy my academic :) curiosity?
If you find one then for the love of (insert favourite deity here) DO NOT execute it!
And are there any files named *.joe?
Looking more like a trojan/worm every time.
David
Reading over again, I still think it looks like part of a cleanup script, possibly an example. The one thing that is strange for a virus/trojan is that it checks to see if any .joe files exist. If they don't exist then it won't do the delete (whatever it is...)
Also look for not only a delete.exe, but a delete.bat, or .com. Also look for a file called A.
I'm not saying that it can't be used maliciously, but since it is in a disabled Autoexec it can be easily cleaned, by just deleting the entries for it.
Paul Komski
03-16-2003, 08:48 PM
"Assuming" delete /z can delete the file indicated on the same line (via a delete.xxx executable) then one could interpret that there might have been three .joe files (user.joe, system.joe and classes.joe) of which the existence of one assumes that all three are there. If they exist then the next four lines would "delete" user.dat, system.dat and classes.dat and then copy the three .joe files in their place. If they don't exist then there is a jump to A (marked as :A) on the last line and the delete and copy would not occur.
?? :D
More or less, I had a registry tool that exported/cleaned the registry by doing just that, first it exported the reg files (which automatically compacts them). Then it gave the exports a "safe" name (something unique to this script and unlikely to have any other system files named the same thing). Finally it removed the old ones, then copied the cleaned files, renaming them in the process...
One other thing, in a 9x system there are only user.dat and system.dat, so this seems to be an NT item, or at least NT compatible.
classicsoftware
03-17-2003, 02:26 AM
Classes.dat is part of the windows registry along with User.dat and System.dat. Classes.dat was added for Win ME.
I know it is part of it now, just wasn't sure when....