What's new
By:
PinoyTechnician

This is a sample guest message. Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your own topics and posts, as well as connect with other members through your own private inbox!

Tutorial: Manually Removing Shortcut Virus from any PC/LAPTOP with MS OS

rcn_PD29

rcn_PD29

Registered
Joined
Nov 17, 2014
Messages
50
Reaction score
0
Points
1
Location
Calapan City
first of all dapat may alam ka batch files at scripts
a: para ito sa nakahide na files and folders sa flash drive
1. create a new txt file
2. rename mo siya as .bat or vbs
3. right click choose edit
4. input the following:
@echo off
attrib -h -s -r -a /s /d f:*.*
@echo complete

note: palitan mo lang yung "f:" nung drive letter ng flash drive mo.

b. eto naman script para mapalitan ang attributes ng folders.
1. create a new txt file
2. rename mo siya as .vbs
3. right click choose edit
4. input the following:

' Reset the file attributes of All the Folder in a specific Drive
' Change Z: to the drive letter where you want the change will happen.

cDrive = "H:"

Set FSO = CreateObject("Scripting.FileSystemObject")
ShowSubfolders FSO.GetFolder(cDrive)
WScript.Echo "Done with fix."

Sub ShowSubFolders(Folder)
str = ""
For Each Subfolder in Folder.SubFolders
str = str & " " & Subfolder.Path
subFolder.Attributes = 0
ShowSubFolders Subfolder
Next
End Sub

c. eto yung pang hijack ng virus
1. create a new txt file
2. rename mo siya as .vbs
3. right click choose edit
4. input the following:

on Error Resume Next

Dim objShell, objFileSystem, objTextStream, objRegex
Dim colRegexMatches1, colRegexMatches2
Dim nReturnCode
Dim strIpFileText
Dim element, i

Dim Lista
Lista=array("n1de?ect.com","nide?ect.com","nlde?ect.com","j*.bat","m*.com","d*.com","copy.exe","host.exe",_
"a0*.com","ntdeiect.com","ntdelect.com", "u?de*.com","ntde1ect.com", "x*.com", "tio*.*",_
"80*.com","semo*.exe","autorun*.*","x*.exe","yl*.exe","qd*.cmd")


Set geekside=WScript.CreateObject("WScript.Shell")
Set objShell = WScript.CreateObject("WScript.Shell")
Set objFileSystem = CreateObject("Scripting.FileSystemObject")

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set colDrives = objFSO.Drives


Wscript.Echo "Remove malicious software amvo, avpo, n1detect y variants"
Wscript.Echo "Proccess of search and removing can take some seconds. Please be patient."


i=0
For Each objDrive in colDrives
If objDrive.IsReady = True Then
nret=geekside.Run("cmd /C attrib -s -h -r "&objDrive.DriveLetter&":\autorun.inf",0,TRUE)
Set objTextStream = objFileSystem.OpenTextFile(objDrive.DriveLetter&":\autorun.inf",1)
strIpFileText = objTextStream.ReadAll
objTextStream.Close
End If
Next


Set objRegex = new RegExp

objRegex.Pattern = "=\w+(.com|.bat|.exe|.pif|.scr|.svd|.dat|.tmp|.cmd)"
objRegex.Global = True
objRegex.IgnoreCase = True
Set colRegexMatches1 = objRegex.Execute(strIpFileText)



i=0
For Each element In colRegexMatches1
element = Replace(element,"=","")
WScript.Echo "Proceeding to remove file of virus :" & element
For Each objDrive in colDrives
If objDrive.IsReady = True Then
Wscript.Echo "Clean drive: " & objDrive.DriveLetter

nret=geekside.Run("cmd /C taskkill /f /im amvo.exe",0,TRUE)
nret=geekside.Run("cmd /C taskkill /f /im avpo.exe",0,TRUE)

nret=geekside.Run("cmd /C taskkill /f /im semo2x.exe.tmp",0,TRUE)
nret=geekside.Run("cmd /C taskkill /f /im semo2x.exe",0,TRUE)
nret=geekside.Run("cmd /C taskkill /f /im help.exe.tmp",0,TRUE)

nret=geekside.Run("cmd /C attrib -s -h -r " &objDrive.DriveLetter&":\" & element &"",0,TRUE)
nret=geekside.Run("cmd /C cd \ & del "&objDrive.DriveLetter&":\" & element & "/f /q /a",0,TRUE)
nret=geekside.Run("cmd /C cd \ & del "&objDrive.DriveLetter&":\autorun.inf",0,TRUE)

End If
Next
i = i + 1
Next


Set objRegex= Nothing
Set objTextStream = Nothing
Set objFileSystem = Nothing
Set objShell = Nothing

nret15=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\amvo*.*",0,TRUE)
nret16=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\avpo*.*",0,TRUE)
nret20=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\help.exe.tmp",0,TRUE)


nret56=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\semo*.*",0,TRUE)
nret60=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\semo*.*.*",0,TRUE)


nret23=geekside.Run("cmd /C del /f c:\windows\system32\amvo*.*",0,TRUE)
nret24=geekside.Run("cmd /C del /f c:\windows\system32\avpo*.*",0,TRUE)


nret57=geekside.Run("cmd /C del /f c:\windows\system32\semo*.*.*",0,TRUE)
nret59=geekside.Run("cmd /C del /f c:\windows\system32\semo*.*",0,TRUE)


WScript.Echo "Proceeding to restore registry to see Hidden Files"

nret31=geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v amva /f",0,TRUE)
nret32=geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v avpo /f",0,TRUE)

nret68=geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v avpa /f",0,TRUE)


nret33=geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Hidden /t REG_DWORD /d 1 /f",0,TRUE)
nret43=geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v SuperHidden /t REG_DWORD /d 1 /f",0,TRUE)
nret44=geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v ShowSuperHidden /t REG_DWORD /d 1 /f",0,TRUE)


nret45=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Hidden /t REG_DWORD /d 1 /f",0,TRUE)
nret46=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v SuperHidden /t REG_DWORD /d 1 /f",0,TRUE)
nret47=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v ShowSuperHidden /t REG_DWORD /d 1 /f",0,TRUE)


nret34=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\ /v CheckedValue /t REG_DWORD /d 2 /f",0,TRUE)
nret35=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\ /v DefaultValue /t REG_DWORD /d 2 /f",0,TRUE)


nret36=geekside.Run("cmd /C reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\ /v CheckedValue /f",0,TRUE)
nret37=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\ /v CheckedValue /t REG_DWORD /d 1 /f",0,TRUE)
nret38=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\ /v DefaultValue /t REG_DWORD /d 2 /f",0,TRUE)


nret39=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\ /v CheckedValue /t REG_DWORD /d 0 /f",0,TRUE)
nret40=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\ /v DefaultValue /t REG_DWORD /d 0 /f",0,TRUE)

nret48=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ /v Type /t REG_SZ /d Group /f",0,TRUE)



nret61=geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoFolderOptions /t REG_DWORD /d 0 /f",0,TRUE)
nret62=geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoFolderOptions /t REG_DWORD /d 0 /f",0,TRUE)
nret63=geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableRegistryTools /t REG_DWORD /d 0 /f",0,TRUE)


nret78=geekside.Run("cmd /C taskkill /f /im explorer.exe",0,TRUE)
nret79=geekside.Run("cmd /C start explorer.exe",0,TRUE)


nret15=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\amvo*.*",0,TRUE)
nret16=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\avpo*.*",0,TRUE)
nret20=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\help.exe.tmp",0,TRUE)



nret56=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\semo*.*.*",0,TRUE)
nret60=geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\semo*.*",0,TRUE)


nret23=geekside.Run("cmd /C del /f c:\windows\system32\amvo*.*",0,TRUE)
nret24=geekside.Run("cmd /C del /f c:\windows\system32\avpo*.*",0,TRUE)


nret57=geekside.Run("cmd /C del /f c:\windows\system32\semo*.*.*",0,TRUE)
nret59=geekside.Run("cmd /C del /f c:\windows\system32\semo*.*",0,TRUE)


For Each objDrive in colDrives
If objDrive.IsReady = True Then
For X=0 to UBound(Lista)
nret=geekside.Run("cmd /C attrib -s -h -r "&objDrive.DriveLetter&":\"&Lista(X)&"",0,TRUE)
nret=geekside.Run("cmd /C cd \ & del "&objDrive.DriveLetter&":\" &Lista(X)& "/f /q /a",0,TRUE)
Next
End If
Next

WScript.Echo "Congratulations! Your computer is disinfected"

WScript. Quit(0)

d. eto naman yung Trojorm Removal Tool

1. create a new txt file
2. rename mo siya as .bat
3. right click choose edit
4. input the following:

@echo Trojorm Removal Tool v1.5
pause

path %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;


tskill bar311
tskill blastcln
tskill mveo
tskill password_viewer
tskill photos
tskill sscviihost
tskill services
tskill silentsoftech
tskill smss
tskill wscript

taskkill /f /im awkeygen.exe
taskkill /f /im boot.exe
taskkill /f /im calc.exe
taskkill /f /im ccprxy.exe
taskkill /f /im ctfmon.exe
taskkill /f /im exp1orer.exe
taskkill /f /im exiplorer.exe
taskkill /f /im "Funny UST Scandal.avi.exe"
taskkill /f /im iexp1ore.exe
taskkill /f /im iexplore.exe
taskkill /f /im iloveher.exe
taskkill /f /im jay.exe
taskkill /f /im killer.exe
taskkill /f /im knight.exe
taskkill /f /im krag.exe
taskkill /f /im ld.exe
taskkill /f /im netsvcs.exe
taskkill /f /im "new document.exe"
taskkill /f /im "new folder.exe"
taskkill /f /im pet32.exe
taskkill /f /im ravmone.exe
taskkill /f /im scvhosts.exe
taskkill /f /im scvshosts.exe
taskkill /f /im scvvhsot.exe
taskkill /f /im SecretStub.exe
taskkill /f /im spoclsv.exe
taskkill /f /im sscvihost.exe
taskkill /f /im svchosl.exe
taskkill /f /im svhost.exe
taskkill /f /im svhost32.exe
taskkill /f /im svohost.exe
taskkill /f /im svshost.exe
taskkill /f /im vhost.exe
taskkill /f /im wmiprvse.exe


REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f > nul
REG add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f > nul
REG delete "HKCU\Software\BARRY" /f >nul

REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t reg_sz /d "%SystemRoot%\system32\userinit.exe," /f >nul
REG delete "HKCU\Software\Microsoft\Command Processor" /v "autorun" /f >nul
REG delete "HKLM\Software\Microsoft\Command Processor" /v "autorun" /f >nul

echo.

rd /q /s c:\docume~1\admini~1\mydocu~1\ratedr~1
cd %userprofile%
del /f /a wintask.exe
cd..
cd alluse~1\startm~1\programs\startup
del /f /a lsass.exe
cd %userprofile%\startm~1\programs\startup
del /f /a ctfmon.exe
del startu~1.com
cd %userprofile%\applic~1\micros~1\intern~1\quickl~1
del intern~1.lnk
cd %userprofile%\locals~1\applic~1
del jalak-~1.com
rd /q /s dv6116~1
cd\docume~1\anggra~1\locals~1\applic~1
del jalak-~1.com
rd /q /s dv6156~1
cd\docume~1\locals~1\locals~1\applic~1
del jalak-~1.com
rd /q /s dv6191~1
rd /q /s dv6333~1
cd\docume~1\admini~1.use\locals~1\applic~1
del jalak-~1.com
rd /q /s dv6211~1
cd %userprofile%\locals~1\temp
del winlogon.exe
cd\progra~1\common~1\micros~1\msinfo

del /f /a c:\docume~1\admini~1\wintask.exe
del /f /a c:\docume~1\admini~1\templa~1\ld.exe
del /f /a c:\docume~1\admini~1\templa~1\ldup.exe
del /f /a c:\docume~1\admini~1\mydocu~1\myfold~1.com
del /f /a c:\docume~1\admini~1\mydocu~1\ratedr~1
del /f /a c:\docume~1\admini~1\mydocu~1\ratedr~1.com
del /f /a c:\docume~1\alluse~1\startm~1\programs\startup\dllhost.com

del /f /a exp1orer.exe
del /f /a noteped.exe
del /f /a redelbat.bat

del /f /a c:\aikelyu.html
del /f /a c:\iloveher.exe
del /f /a c:\SilentSoftecth.exe

del /f /a c:\FLEXLM\awkeygen.exe



del /f /a %windir%\_defau~1.pif
del /f /a %windir%\autorun.*
del /f /a %windir%\bar311.exe
del /f /a %windir%\FS6519.dll.vbs
del /f /a %windir%\funnyu~1.exe
del /f /a %windir%\iloveher.exe
del /f /a %windir%\infrom.dat
del /f /a %windir%\j6154022.exe
del /f /a %windir%\killer.exe
del /f /a %windir%\knight.exe
del /f /a %windir%\krag.exe
del /f /a %windir%\ld.exe
del /f /a %windir%\ldjs.txt
del /f /a %windir%\ldlist.txt
del /f /a %windir%\ldup.exe
del /f /a %windir%\lsass.exe
del /f /a %windir%\lsasse~1.exe
del /f /a %windir%\maskrider2001.vbs
del /f /a %windir%\mdm.exe
del /f /a %windir%\ms32dll.dll.vbs
del /f /a %windir%\ms.config`.exe
del /f /a %windir%\ntkros.dll
del /f /a %windir%\ntsys.exe
del /f /a %windir%\o4154027.exe
del /f /a %windir%\passwo~1.exe
del /f /a %windir%\pc-off.bat
del /f /a %windir%\photos~1.exe
del /f /a %windir%\ravmone.exe
del /f /a %windir%\scvvhsot.exe
del /f /a %windir%\services.exe
del /f /a %windir%\SecretStub.exe
del /f /a %windir%\smss.exe
del /f /a %windir%\sscviihost.exe
del /f /a %windir%\svchost.exe
del /f /a %windir%\svchost.ini
del /f /a %windir%\sy.exe
del /f /a %windir%\ttms*.dll.vbs
del /f /a %windir%\winlogon.exe
del /f /a %windir%\svhost.exe
del /f /a %windir%\svhost32.exe

del /f /a %windir%\system\111.exe
del /f /a %windir%\system\desktrukto.vbs
del /f /a %windir%\system\lsass.exe
del /f /a %windir%\system\svchosl.exe
del /f /a %windir%\system\svchost.exe
del /f /a %windir%\system\svchost32.exe
del /f /a %windir%\system\ymworm.exe

del /f /a %windir%\system32\__.*
del /f /a %windir%\system32\_exp1orer.exe
del /f /a %windir%\system32\_noteped.exe
del /f /a %windir%\system32\alecks.*
del /f /a %windir%\system32\autorun*.*
del /f /a %windir%\system32\amvo.exe
del /f /a %windir%\system32\amvo0.dll
del /f /a %windir%\system32\amvo1.dll
del /f /a %windir%\system32\avpo*.*
del /f /a %windir%\system32\azkaban.*
del /f /a %windir%\system32\blastclnnn.exe
del /f /a %windir%\system32\ccprxy.exe
del /f /a %windir%\system32\crss.exe
del /f /a %windir%\system32\destrukto.*
del /f /a %windir%\system32\dismgnt.exe
del /f /a %windir%\system32\dllhost.com
del /f /a %windir%\system32\dnscon70.dll
del /f /a %windir%\system32\exiplorer.exe
del /f /a %windir%\system32\explorer.vbs
del /f /a %windir%\system32\explorer.exe
del /f /a %windir%\system32\homepage.html
del /f /a %windir%\system32\imgkulot.*
del /f /a %windir%\system32\isass.exe
del /f /a %windir%\system32\kavo.exe
del /f /a %windir%\system32\kavo0.dll
del /f /a %windir%\system32\kavo1.dll
del /f /a %windir%\system32\kernel~1.vbs
del /f /a %windir%\system32\kernell.dll.vbs
del /f /a %windir%\system32\kulitut.*
del /f /a %windir%\system32\mgrShell.exe
del /f /a %windir%\system32\mma.bat
del /f /a %windir%\system32\mma.reg
del /f /a %windir%\system32\mma.vbs
del /f /a %windir%\system32\mstcpcon20.dll
del /f /a %windir%\system32\mveo.exe
del /f /a %windir%\system32\netmanage.dll
del /f /a %windir%\system32\netsvcs.exe
del /f /a %windir%\system32\netused.dll
del /f /a %windir%\system32\ntkros.dll
del /f /a %windir%\system32\ntsys.exe
del /f /a %windir%\system32\ofcpfwsvcs.exe
del /f /a %windir%\system32\S2pidwaraynon.html
del /f /a %windir%\system32\scvhost.exe
del /f /a %windir%\system32\scvhosts.exe
del /f /a %windir%\system32\scvshosts.exe
del /f /a %windir%\system32\scvvhsot.exe
del /f /a %windir%\system32\setting.ini
del /f /a %windir%\system32\silent~1.exe
del /f /a %windir%\system32\sscvihost.exe
del /f /a %windir%\system32\sscviihost.exe
del /f /a %windir%\system32\ssvichosst.exe
del /f /a %windir%\system32\svshost.exe
del /f /a %windir%\system32\svohost.exe
del /f /a %windir%\system32\test.*
del /f /a %windir%\system32\vhost.exe
del /f /a %windir%\system32\wincab.sys
del /f /a %windir%\system32\winkrnl.exe
del /f /a %windir%\system32\winscok.dll
del /f /a %windir%\system32\wmiprvse.exe
del /f /a %windir%\system32\wvcst.*
del /f /a %windir%\system32\x264~1.exe
del /f /a %windir%\system32\zllictbl.dat

del /f /a %windir%\system32\drivers\spoclsv.exe

rd /q /s %windir%\ac12594
rd /q /s %windir%\Ad22098
rd /q /s %windir%\an16554
rd /q /s %windir%\SY20118
rd /q /s %windir%\ugqe

del /f /a %windir%\setup\dllhost.com
rd /q /s %windir%\setup

rd /q /s %windir%\system\_sv_cmd_

rd /q /s %windir%\system32\n2847
rd /q /s %windir%\system32\n5619
rd /q /s %windir%\system32\n8127
rd /q /s %windir%\system32\s5421
rd /q /s %windir%\system32\s8787
rd /q /s %windir%\system32\s6939

rd /q /s %windir%\temp\_istmpi.dir

for %%i in (C D E F G H) do del /f /a %%i:\aikelyu.html
for %%i in (C D E F G H) do del /f /a %%i:\__.*
for %%i in (C D E F G H) do del /f /a %%i:\3g08.bat
for %%i in (C D E F G H) do del /f /a %%i:\3wcxx91.cmd
for %%i in (C D E F G H) do del /f /a %%i:\8ng8w.com
for %%i in (C D E F G H) do del /f /a %%i:\8ot8y86.exe
for %%i in (C D E F G H) do del /f /a %%i:\8u.com
for %%i in (C D E F G H) do del /f /a %%i:\adober.exe
for %%i in (C D E F G H) do del /f /a %%i:\alecks.*
for %%i in (C D E F G H) do del /f /a %%i:\autorun.*
for %%i in (C D E F G H) do del /f /a %%i:\azkaban.*
for %%i in (C D E F G H) do del /f /a %%i:\bacabr~1.txt
for %%i in (C D E F G H) do del /f /a %%i:\bar311.exe
for %%i in (C D E F G H) do del /f /a %%i:\boot.exe
for %%i in (C D E F G H) do del /f /a %%i:\copy.exe
for %%i in (C D E F G H) do del /f /a %%i:\d.com
for %%i in (C D E F G H) do del /f /a %%i:\desktop.exe
for %%i in (C D E F G H) do del /f /a %%i:\desktop.ini
for %%i in (C D E F G H) do del /f /a %%i:\destrukto.vbs
for %%i in (C D E F G H) do del /f /a %%i:\exiplorer.exe
for %%i in (C D E F G H) do del /f /a %%i:\exp1orer.exe
for %%i in (C D E F G H) do del /f /a %%i:\explorar.vbs
for %%i in (C D E F G H) do del /f /a %%i:\explorer.exe
for %%i in (C D E F G H) do del /f /a %%i:\folder.htt
for %%i in (C D E F G H) do del /f /a %%i:\funnyu~1.exe
for %%i in (C D E F G H) do del /f /a %%i:\FS6519.dll.vbs
for %%i in (C D E F G H) do del /f /a %%i:\g2p3s.exe
for %%i in (C D E F G H) do del /f /a %%i:\gwe(i~1.exe
for %%i in (C D E F G H) do del /f /a %%i:\h.cmd
for %%i in (C D E F G H) do del /f /a %%i:\h2.com
for %%i in (C D E F G H) do del /f /a %%i:\host.exe
for %%i in (C D E F G H) do del /f /a %%i:\iloveher.exe
for %%i in (C D E F G H) do del /f /a %%i:\ie.exe
for %%i in (C D E F G H) do del /f /a %%i:\imgkulot.*
for %%i in (C D E F G H) do del /f /a %%i:\infrom.exe
for %%i in (C D E F G H) do del /f /a %%i:\jay.exe
for %%i in (C D E F G H) do del /f /a %%i:\knight.exe
for %%i in (C D E F G H) do del /f /a %%i:\krag.exe
for %%i in (C D E F G H) do del /f /a %%i:\kragdor.log
for %%i in (C D E F G H) do del /f /a %%i:\kulitut.*
for %%i in (C D E F G H) do del /f /a %%i:\ldupver.txt
for %%i in (C D E F G H) do del /f /a %%i:\lsass.exe
for %%i in (C D E F G H) do del /f /a %%i:\maskrider2001.vbs
for %%i in (C D E F G H) do del /f /a %%i:\mma.bat
for %%i in (C D E F G H) do del /f /a %%i:\mma.reg
for %%i in (C D E F G H) do del /f /a %%i:\mma.vbs
for %%i in (C D E F G H) do del /f /a %%i:\MS32DLL.dll.vbs
for %%i in (C D E F G H) do del /f /a %%i:\msvcr71.dll
for %%i in (C D E F G H) do del /f /a %%i:\mswinsck.ocx
for %%i in (C D E F G H) do del /f /a %%i:\n1deiect.com
for %%i in (C D E F G H) do del /f /a %%i:\netsvcs.exe
for %%i in (C D E F G H) do del /f /a %%i:\newdoc~1.exe
for %%i in (C D E F G H) do del /f /a %%i:\newfol~1.exe
for %%i in (C D E F G H) do del /f /a %%i:\noteped.exe
for %%i in (C D E F G H) do del /f /a %%i:\ntde1ect.com
for %%i in (C D E F G H) do del /f /a %%i:\p3r1ud.exe
for %%i in (C D E F G H) do del /f /a %%i:\pet32.exe
for %%i in (C D E F G H) do del /f /a %%i:\poogs.vbs
for %%i in (C D E F G H) do del /f /a %%i:\pooh.vbs
for %%i in (C D E F G H) do del /f /a %%i:\ravmone.exe
for %%i in (C D E F G H) do del /f /a %%i:\ravmonlog
for %%i in (C D E F G H) do del /f /a %%i:\recycler.exe
for %%i in (C D E F G H) do del /f /a %%i:\rootfo~1.com
for %%i in (C D E F G H) do del /f /a %%i:\sender.vbs
for %%i in (C D E F G H) do del /f /a %%i:\sexvid~1.exe
for %%i in (C D E F G H) do del /f /a %%i:\scvhsot.exe
for %%i in (C D E F G H) do del /f /a %%i:\scvvhsot.exe
for %%i in (C D E F G H) do del /f /a %%i:\silent~1.exe
for %%i in (C D E F G H) do del /f /a %%i:\SilentSoftecth.exe
for %%i in (C D E F G H) do del /f /a %%i:\smss.exe
for %%i in (C D E F G H) do del /f /a %%i:\sqlserv.exe
for %%i in (C D E F G H) do del /f /a %%i:\SSCVIHOST.exe
for %%i in (C D E F G H) do del /f /a %%i:\SSCVIIHOST.exe
for %%i in (C D E F G H) do del /f /a %%i:\SSVICHOSST.exe
for %%i in (C D E F G H) do del /f /a %%i:\sxs.exe
for %%i in (C D E F G H) do del /f /a %%i:\t.exe
for %%i in (C D E F G H) do del /f /a %%i:\test.*
for %%i in (C D E F G H) do del /f /a %%i:\ttms*.dll.vbs
for %%i in (C D E F G H) do del /f /a %%i:\winconfig.dll.vbs
for %%i in (C D E F G H) do del /f /a %%i:\wsctf.exe
for %%i in (C D E F G H) do del /f /a %%i:\wvcst.*
for %%i in (C D E F G H) do del /f /a %%i:\x.com
for %%i in (C D E F G H) do del /f /a %%i:\xn1i9x.com
for %%i in (C D E F G H) do del /f /a %%i:\zelurm~1.exe
for %%i in (C D E F G H) do del /f /a %%i:\progra~1\intern~1\iexp1ore.exe
for %%i in (C D E F G H) do del /ah /ar /as %%i:\setup.exe
echo.

for %%i in (C D E F G H) do rd /q /s %%i:\$lddata$
for %%i in (C D E F G H) do rd /q /s %%i:\ms-dos
for %%i in (C D E F G H) do rd /q /s %%i:\ms.config
for %%i in (C D E F G H) do rd /q /s %%i:\msrm
for %%i in (C D E F G H) do rd /q /s %%i:\nt.config
for %%i in (C D E F G H) do rd /q /s %%i:\recycled
for %%i in (C D E F G H) do rd /q /s %%i:\rm
for %%i in (D E F G H) do rd /q /s %%i:\recycler\recycler
for %%i in (D E F G H) do rd /q /s %%i:\recycler
echo.



REG add "HKLM\Software\CLASSES\batfile\shell\edit\command" /ve /t reg_expand_sz /d "%SystemRoot%\System32\NOTEPAD.EXE %%1" /f >nul
REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t reg_sz /d "Explorer.exe" /f >nul
REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t reg_sz /d "%SystemRoot%\system32\userinit.exe," /f >nul
REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "LegalNoticeCaption" /t reg_sz /f >nul
REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "LegalNoticeText" /t reg_sz /f >nul


REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Hidden" /f >nul
REG add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v "CheckedValue" /t reg_dword /d 1 /f >nul
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f > nul
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 1 /f >nul
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 0 /f > nul
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 0 /f > nul
REG add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 0 /f > nul
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 0 /f >nul
REG add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 0 /f >nul
REG add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /t REG_DWORD /d 0 /f >nul
REG add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t reg_sz /d "http://www.google.com.ph/intl/en/" /f >nul

REM ----------------------------------------------------
REM [Hidden Value = [1 = Show, 2 = Hide Files (Default)]
REM ----------------------------------------------------
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t reg_dword /d 1 /f >nul

REM ---------------------------------------------------------------------
REM [ShowSupperHidden Value = [1 = Show, 0 = Hide System Files (Default)]
REM ---------------------------------------------------------------------
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t reg_dword /d 1 /f >nul

REG delete "HKLM\Software\Microsoft\Windows\CurrentVersion" /v "RegisteredOrganization" /f >nul
REG delete "HKLM\Software\Microsoft\Windows\CurrentVersion" /v "RegisteredOwner" /f >nul
REG delete "HKLM\Software\Microsoft\Windows\CurrentVersion" /v "ProductId" /f >nul
REG delete "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v "ProcessorNameString" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /ve /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "{random}" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ctfmon.exe" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "ampli" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "amva" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "avpa" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "ccPrxy.exe" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Disk Knight" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Explorer" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EXPLORER.EXE" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "f1761gta" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Firewall auto setup" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "FS6519" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "kava" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "krag" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Local Security Authority Service" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "maskrider" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "ms32dll" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MSConfig" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MSPetServ" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "N2328c" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "nav_x" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "nav_x" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "OfcpfwSvcs.exe" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "RavAV" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Runonce" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "S2pidwaraynon" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "scApp" /f
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "SilentSoftech" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "svchosl" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "svchost" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "svcshare" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "System File" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Task Manager" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "winconfig" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "WindowNT" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "winlogon.exe" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "WinRun" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "wsctf.exe" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "y1860ace" /f >nul
REG delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messenger" /f >nul
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f >nul

REG delete "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /f >nul
REG delete "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /f >nul
REG delete "HKLM\SYSTEM\ControlSet001\Services\dnscon" /f >nul
REG delete "HKLM\SYSTEM\ControlSet001\Services\NetManager" /f >nul
REG delete "HKLM\SYSTEM\ControlSet001\Services\PmApiService" /f >nul
REG delete "HKLM\SYSTEM\ControlSet002\Services\dnscon" /f >nul
REG delete "HKLM\SYSTEM\ControlSet002\Services\NetManager" /f >nul
REG delete "HKLM\SYSTEM\ControlSet002\Services\PmApiService" /f >nul
REG delete "HKLM\SYSTEM\CurrentControlSet\Services\dnscon" /f >nul
REG delete "HKLM\SYSTEM\CurrentControlSet\Services\NetManager" /f >nul
REG delete "HKLM\SYSTEM\CurrentControlSet\Services\PmApiService" /f >nul
REG delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "N2328c" /f >nul
REG delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "N2373c" /f >nul
REG delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "PolicyRun" /f >nul
REG delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "y1860ace" /f >nul
REG delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /ve /f >nul

______________________________
Getting back the attributes.
______________________________
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t reg_dword /d 0 /f >nul
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t reg_dword /d 2 /f >nul
REG add HCKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "HideFileExt" /t reg_dword /d 1 /f >nul
echo.

msg %username% /w /time:15 WORMS, TROJANS AND VIRUSES HAS BEEN REMOVED!!!

@echo Thank You for using this Trojorm Removal Tool v1.5
pause

*remember: after saving, run as adminstrator.
use at your own risk, i am not held responsible for your actions.
 
You must log in or register to reply here.
Back
Top