
Simple Virus Cleaner

This is a little batch file that should aid in the cleanup of computers that have been locked out by malware.

It's a work in progress, so check back as this script evolves.
Please let us know about your experiences with this script, as I will continue to work on it.

*** NOTE:
This will clean out your start-up programs.
They are backed up to a registry (.reg) file first, so you can restore them later once the virus is removed.

@echo off
rem Run this from an elevated (Administrator) command prompt: the HKLM, Winlogon
rem and SafeBoot changes below are refused otherwise.
echo Creating backup folder...
if not exist backups mkdir backups

echo Removing policy restrictions...
rem Malware commonly sets these policies to lock the user out of regedit, Task Manager,
rem the Run dialog, Control Panel and Folder Options. A value of 0 re-enables each tool.
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRun /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 0 /f
rem Policies\Explorer\Run lists programs forced to start at logon by policy; recreate it empty.
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f

echo Backing up Startup Applications...
rem Stop if either export fails: without the backup there is no way to restore the entries.
reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "backups\HKCU Runs.reg" /y
if errorlevel 1 goto backupfailed
reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "backups\HKLM Runs.reg" /y
if errorlevel 1 goto backupfailed

echo Removing Startup Applications...
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f

echo Removing RunOnce entries...
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /f
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /f

echo Showing Hidden Files...
rem Malware breaks the "Show hidden files" option by tampering with CheckedValue.
rem Restore it, then switch the option on for the current user.
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f

echo Repairing Explorer Shell...
rem Lockers replace the Winlogon Shell value with their own binary. Put Explorer back and
rem remove the per-user override, which is a Shell value under HKCU, not a subkey.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f
reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f

echo Repairing Safemode...
rem Restore the shell used by "Safe Mode with Command Prompt" so a rescue boot works.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell /t REG_SZ /d "cmd.exe" /f

echo Rebooting...
shutdown /f /r /t 00
goto :eof

:backupfailed
echo Could not back up the startup entries, so they were NOT removed.
echo Check that the backups folder is writable and re-run from an elevated prompt.
pause
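The backups the script writes are plain `reg export` files, and importing one wholesale would bring the malware's own autorun straight back. The Python below is an added example, not part of the original batch file or this blog: it parses a constructed `.reg` export of the Run key, flags commands that start from user-writable drop locations, and writes a filtered `.reg` that restores only the approved entries. The sample entries, value names and the SUSPECT_DIRS list are assumptions made for the example.

```python
import re
# Constructed stand-in for "backups\HKCU Runs.reg" as written by `reg export`
# (a real export is UTF-16LE with a BOM: read it with open(path, encoding="utf-16")).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"
"Steam"=hex(2):22,00,43,00,3a,00,5c,00,00,00
'''
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=<rhs>; rhs is kept raw
# User-writable drop locations often used by malware autoruns (a heuristic, not a verdict).
SUSPECT_DIRS = ('\\temp\\', '\\users\\public\\', '\\programdata\\', '\\downloads\\')

def unescape(s):  # .reg string escaping: \\ -> \ and \" -> "
    return re.sub(r'\\(.)', r'\1', s)
def escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')

def parse_reg(text):
    """Map each [key] to {value_name: raw right-hand side} from a .reg export."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            entries[key] = {}
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                entries[key][unescape(m.group(1))] = m.group(2)
    return entries

def decode_sz(rhs):
    """Text of a REG_SZ value ("..."); other types (hex(2), dword, ...) give None."""
    return unescape(rhs[1:-1]) if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"' else None

def review(text):
    """List (key, name, command, suspicious) for every string autorun in the backup."""
    return [(key, name, cmd, any(d in cmd.lower() for d in SUSPECT_DIRS))
            for key, values in parse_reg(text).items()
            for name, rhs in values.items() if (cmd := decode_sz(rhs)) is not None]

def restore_reg(text, keep):
    """Build a .reg file (for `reg import`) that restores only the approved value names."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, values in parse_reg(text).items():
        lines.append(f'[{key}]')
        lines.extend(f'"{escape(n)}"={rhs}' for n, rhs in values.items() if n in keep)
        lines.append('')
    return '\n'.join(lines)
```

Run `review()` over the real backup, decide which names to keep, then save `restore_reg()`'s output as UTF-16 and `reg import` it once the machine is clean.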

Posted in: Scripts
