Has anybody tried to manually remove a virus using batch files?
Here is a sample.
Please help me...
This is all they gave us, and then it's self-study on top of that... ugh!
Under SIC logs:
Check the following areas for unknown running processes / malware:
1. AutoStart programs
2. Winlogon Notify
3. Active processes
4. File versions
Get the following details and verify whether they are malicious through Yahoo / Google:
1. Infected file with location
2. registry entries created
Examples:
winlogon.exe:224
-[CACHE]C:\WINDOWS\System32\awvvv.dll
-[CACHE]C:\WINDOWS\system32\winbbc32.dll
-[CACHE]C:\WINDOWS\system32\urqoljj.dll
Explorer.EXE:740
-[CACHE]C:\WINDOWS\System32\awvvv.dll
-[CACHE]C:\WINDOWS\System32\urqoljj.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{AEB6717E-7E19-11d0-97EE-00C04FD91972} =
{C3AE80DC-CE36-41E6-A011-E498F909614B} = ?¯
{8A61098D-612B-4EF2-943D-64E920684061} = ?¯
{435D08DD-665E-474F-B977-5EE75A2BDCB2} = ?¯
HKEY_CLASSES_ROOT\CLSID\{435D08DD-665E-474F-B977-5EE75A2BDCB2}\InprocServer32
(Default) = [CHECK]C:\WINDOWS\System32\urqoljj.dll
ThreadingModel = Both
HKEY_CLASSES_ROOT\CLSID\{E3C96D68-F316-4D93-B36B-71F6529F1454}\InprocServer32
(Default) = [CHECK]C:\WINDOWS\System32\awvvv.dll
ThreadingModel = Both
HKEY_CLASSES_ROOT\CLSID\{E64F0381-0053-4842-B3E5-08F6C4A0AEB6}\InprocServer32
(Default) = C:\WINDOWS\System32\dmhgmmrm.dll
ThreadingModel = Both
After you have identified and gathered all the malicious files and registry entries, create a batch file with the commands below (the REM lines are comments explaining each step):
@echo off
REM suspend smss.exe, then kill the processes that the identified DLL files are attached to / are using to run
process.exe -s smss.exe
process.exe -k winlogon.exe
process.exe -k explorer.exe
process.exe -k qwinrmdt.exe
process.exe -k UNNMP.exe
process.exe -k s3minset.exe
REM remove the infected files' attributes so you can delete them without an access-denied error
attrib -r -a -s -h C:\WINDOWS\System32\wanywqoe.dll
attrib -r -a -s -h C:\WINDOWS\System32\urqoljj.dll
attrib -r -a -s -h C:\WINDOWS\System32\awvvv.dll
attrib -r -a -s -h C:\WINDOWS\System32\dmhgmmrm.dll
attrib -r -a -s -h C:\WINDOWS\System32\pmnnl.dll
attrib -r -a -s -h C:\WINDOWS\system32\winbbc32.dll
attrib -r -a -s -h "C:\WINDOWS\system32\qwinrmdt.exe"
attrib -r -a -s -h "C:\WINDOWS\UNNMP.exe"
attrib -r -a -s -h "c:\progra~1\s3\uchromep\s3minset.exe"
REM unregister the infected DLLs
regsvr32 /u /s C:\WINDOWS\System32\wanywqoe.dll
regsvr32 /u /s C:\WINDOWS\System32\urqoljj.dll
regsvr32 /u /s C:\WINDOWS\System32\awvvv.dll
regsvr32 /u /s C:\WINDOWS\System32\dmhgmmrm.dll
regsvr32 /u /s C:\WINDOWS\System32\pmnnl.dll
regsvr32 /u /s C:\WINDOWS\system32\winbbc32.dll
REM delete the infected files
del /q C:\WINDOWS\System32\wanywqoe.dll
del /q C:\WINDOWS\System32\urqoljj.dll
del /q C:\WINDOWS\System32\awvvv.dll
del /q C:\WINDOWS\System32\dmhgmmrm.dll
del /q C:\WINDOWS\System32\pmnnl.dll
del /q C:\WINDOWS\system32\winbbc32.dll
del /q "C:\WINDOWS\system32\qwinrmdt.exe"
del /q "C:\WINDOWS\UNNMP.exe"
del /q "c:\progra~1\s3\uchromep\s3minset.exe"
REM call your separate registry file to remove the registry entries created by the malware
regedit /s remove2.reg
REM reload the processes that were suspended and killed above
winlogon.exe
explorer.exe
process.exe +r smss.exe
Create a registry file (remove2.reg) to remove the registry entries that were created by the malware. A .reg file needs the version header on its first line, value names must be quoted, and lines starting with ; are comments:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
; this is an auto-start entry; setting a value to - deletes that value
"SystemRestoreStatus"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
; setting each value to - deletes the value
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=-
"{C3AE80DC-CE36-41E6-A011-E498F909614B}"=-
"{8A61098D-612B-4EF2-943D-64E920684061}"=-
"{435D08DD-665E-474F-B977-5EE75A2BDCB2}"=-

; putting a - sign before the key path deletes the whole key
[-HKEY_CLASSES_ROOT\CLSID\{435D08DD-665E-474F-B977-5EE75A2BDCB2}]
[-HKEY_CLASSES_ROOT\CLSID\{E3C96D68-F316-4D93-B36B-71F6529F1454}]
[-HKEY_CLASSES_ROOT\CLSID\{E64F0381-0053-4842-B3E5-08F6C4A0AEB6}]

; Uninstall entries are subkeys rather than values, so they are removed with the -key form
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Think-Adz]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NMPUninstallKey]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awvvv]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqoljj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnnl]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbbc32]
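One way to tie the identification step and the removal step together, as an added example that is not part of the original post or of any tool it mentions: a Python script that parses a listing in the same layout as the SIC log excerpt above, links each ShellExecuteHooks CLSID to the InprocServer32 DLL it loads and to the processes that currently have that DLL loaded, and then generates the remove2.reg and batch text in the shapes the post uses. The log layout, the sample lines, and the assumption that process.exe is the same third-party suspend/kill tool the post invokes are all assumptions of this example. Unlike the post, it only removes hook CLSIDs whose InprocServer32 resolved to a flagged DLL; a hook entry with no DLL listed (like the first one in the excerpt) is left for manual review instead of being deleted blindly.

```python
"""Triage helper for a SIC-style process/registry listing (added example,
not the original poster's or any tool's code). Parses process/module lines,
ShellExecuteHooks values and CLSID\\InprocServer32 keys, links hook CLSIDs
to the DLLs they load, and emits .reg and batch text in the post's format."""
import re
from collections import defaultdict

# Constructed sample in the same layout as the log excerpt in the post.
SAMPLE_LOG = r"""winlogon.exe:224
-[CACHE]C:\WINDOWS\System32\awvvv.dll
-[CACHE]C:\WINDOWS\system32\winbbc32.dll
Explorer.EXE:740
-[CACHE]C:\WINDOWS\System32\awvvv.dll
-[CACHE]C:\WINDOWS\System32\urqoljj.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{AEB6717E-7E19-11d0-97EE-00C04FD91972} =
{435D08DD-665E-474F-B977-5EE75A2BDCB2} =
HKEY_CLASSES_ROOT\CLSID\{435D08DD-665E-474F-B977-5EE75A2BDCB2}\InprocServer32
(Default) = [CHECK]C:\WINDOWS\System32\urqoljj.dll
ThreadingModel = Both
HKEY_CLASSES_ROOT\CLSID\{E3C96D68-F316-4D93-B36B-71F6529F1454}\InprocServer32
(Default) = [CHECK]C:\WINDOWS\System32\awvvv.dll
ThreadingModel = Both
"""

PROC_RE = re.compile(r"^([^\s:\\]+\.exe):(\d+)$", re.I)          # "name.exe:pid"
MODULE_RE = re.compile(r"^-\[\w+\](.+)$")                          # "-[CACHE]path"
CLSID_KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32$", re.I)
HOOK_ENTRY_RE = re.compile(r"^(\{[0-9A-F-]+\})\s*=", re.I)         # "{CLSID} = ..."
DEFAULT_RE = re.compile(r"^\(Default\)\s*=\s*(?:\[\w+\])?(.+)$", re.I)
HOOKS_KEY = "\\explorer\\shellexecutehooks"


def parse_log(text):
    """Return (modules: process -> [dll paths], clsid_to_dll, hook_clsids)."""
    modules, clsid_to_dll, hooks = defaultdict(list), {}, []
    proc = clsid = None
    in_hooks = False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := PROC_RE.match(line):
            proc, clsid, in_hooks = m.group(1).lower(), None, False
        elif (m := MODULE_RE.match(line)) and proc:
            modules[proc].append(m.group(1).strip())
        elif line.lower().endswith(HOOKS_KEY):
            proc, clsid, in_hooks = None, None, True
        elif m := CLSID_KEY_RE.match(line):
            proc, clsid, in_hooks = None, m.group(1).upper(), False
        elif in_hooks and (m := HOOK_ENTRY_RE.match(line)):
            hooks.append(m.group(1).upper())
        elif clsid and (m := DEFAULT_RE.match(line)):
            clsid_to_dll[clsid] = m.group(1).strip()   # the [CHECK] tag is dropped
    return modules, clsid_to_dll, hooks


def suspect_dlls(modules, clsid_to_dll, hooks):
    """Map each CLSID-backed DLL (lower-cased path) to the CLSIDs that load it,
    whether any of them is a ShellExecuteHook, and which processes have it loaded."""
    loaded = defaultdict(set)
    for proc, paths in modules.items():
        for p in paths:
            loaded[p.lower()].add(proc)
    out = {}
    for clsid, dll in clsid_to_dll.items():
        e = out.setdefault(dll.lower(), {"path": dll, "clsids": [], "hooked": False,
                                         "processes": sorted(loaded[dll.lower()])})
        e["clsids"].append(clsid)
        e["hooked"] = e["hooked"] or clsid in hooks
    return out


def build_reg(suspects, hooks, notify_names=()):
    """Emit removal .reg text: "name"=- deletes a value, [-key] deletes a key.
    notify_names are the Winlogon\\Notify subkeys found in step 2 of the checklist."""
    clsids = [c for s in suspects.values() for c in s["clsids"]]
    hooked = [c for c in clsids if c in hooks]   # only hooks that resolved to a flagged DLL
    out = ["Windows Registry Editor Version 5.00", ""]
    if hooked:
        out.append(r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]")
        out += ['"%s"=-' % c for c in hooked] + [""]
    out += ["[-HKEY_CLASSES_ROOT\\CLSID\\" + c + "]" for c in clsids]
    out += ["[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\" + n + "]"
            for n in notify_names]
    return "\n".join(out) + "\n"


def build_batch(suspects, reg_file="remove2.reg"):
    """Emit the batch file in the post's order; process.exe is assumed to be the
    same suspend/kill tool the post uses (not included here)."""
    paths = [s["path"] for s in suspects.values()]
    hosts = sorted({p for s in suspects.values() for p in s["processes"]})
    out = ["@echo off", "REM suspend smss.exe, then kill the processes hosting the flagged DLLs",
           "process.exe -s smss.exe"] + ["process.exe -k " + h for h in hosts]
    out += ["REM strip attributes, unregister, then delete the flagged files"]
    out += ['attrib -r -a -s -h "%s"' % p for p in paths]
    out += ['regsvr32 /u /s "%s"' % p for p in paths]
    out += ['del /q "%s"' % p for p in paths]
    out += ["regedit /s " + reg_file, "REM restart what was killed or suspended",
            "winlogon.exe", "explorer.exe", "process.exe +r smss.exe"]
    return "\r\n".join(out) + "\r\n"


def triage(text, notify_names=()):
    """Run the whole pipeline over one listing and return the three artefacts."""
    modules, clsid_to_dll, hooks = parse_log(text)
    suspects = suspect_dlls(modules, clsid_to_dll, hooks)
    return {"suspects": suspects, "reg": build_reg(suspects, hooks, notify_names),
            "batch": build_batch(suspects)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, notify_names=["awvvv", "urqoljj"])
    for path, info in result["suspects"].items():
        print(path, info["clsids"], "hooked" if info["hooked"] else "", info["processes"])
    print(result["reg"])
    print(result["batch"])
```

The script only produces text; nothing is written to disk or applied, so the generated remove2.reg and batch file can be reviewed line by line (and the flagged DLL hashes looked up, as the checklist says) before anything runs on the infected machine.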