:menu2 echo =======================MENU================================================ echo Option 1: Start Scan echo Option 2: HJT log Analysis echo Option 3: Process Manager echo Ortion 4: Edit hostsfile echo Option 5: Cookie Cleanup echo Option 6: About... echo Option 7: Manage Quarantine echo Option 8: Exit echo Choose 1, 2, 3, 4, 5, 6, 7 or 8 choice /c:12345678 if errorlevel 8 goto end if errorlevel 7 GOTO qurantinemanagement if errorlevel 6 GOTO info if errorlevel 5 goto cookiecleanup if errorlevel 4 goto hostsmgr if errorlevel 3 goto processlist if errorlevel 2 goto HJT if errorlevel 1 GOTO scan :end cls echo =========================================================================== set Optionone="quit?" set /p Optionone=%Optionone% (y,n) : if '%Optionone%'=='y' exit if '%Optionone%'=='n' goto menu echo. echo That was not a valid choice :HJT if not exist "HJT analyzer.exe" goto hjtanalyzer echo Option 1: use external log file analyzer echo Option 2: use built-in log file analyzer choice /:12 if errorlevel 2 goto hjtanalyzer if errorlevel 1 "HJT analyzer.exe" :processlist cls echo =================Process Manager=========================================== echo @echo off > pl.bat echo echo =================Process List============================================== >> pl.bat echo tasklist >> pl.bat echo echo =========================================================================== >> pl.bat echo pause >> pl.bat echo pl.bat >> pl.bat start pl.bat echo Option 1: kill a process echo Option 2: start a task echo Option 3: start task manager echo Option 4: return to menu choice /c:1234 if errorlevel 4 goto menu if errorlevel 3 "%systemroot%\system32\taskmgr.exe" if errorlevel 2 goto startaprocess if errorlevel 1 goto killaprocess goto processlist :startaprocess echo step1: enter the paths of the exacutables of any files you want to start (each must go on a new line, precead all batchfiles with call) > temp.bat echo step2: save and exit >> temp.bat edit temp.bat 
call temp.bat /wait del temp.bat goto processlist :killaprocess echo step1: enter the name of the process you want to kill after /IM (you can kill multiple processes at a time) > temp.bat echo step2: save and exit >> temp.bat echo. >> temp.bat echo taskkill /im [enter process to kill] >> temp.bat edit temp.bat call temp.bat /wait del temp.bat goto processlist :scan cls echo this scanner will try to remove some common malicious files from your echo computer echo. echo this scanner should be run as an administrator and works best in safemode echo. echo infected files will be quarantined in c:\quarantine pause :scan2 echo ==================SCAN COMMENCING========================================== :Adware.IEPlugin if exist "C:\WINDOWS\wupdt.exe" goto Adware.IEPlugin2 goto alcanworm :adware.ieplugin2 echo adware.ieplugin detected! set Option38="Quarantine all infected files? (y,n)" set /p Option38=%Option38% (y,n) : if '%Option38%'=='y' goto adware.ieplugin3 if '%Option38%'=='n' goto alcanworm echo. echo That was not a valid choice goto adware.ieplugin2 :adware.ieplugin3 @xcopy "C:\WINDOWS\wupdt.exe" c:\quarantine\c\windows\wupdt.exe.infected del "C:\WINDOWS\wupdt.exe" echo adware.ieplugin removed! pause :alcanworm if exist "C:\Program Files\MsConfigs\MsConfigs.exe" goto alcanworm2 if exist "C:\Program Files\MsUpdate\MsUpdate.exe" goto alcanworm2 if exist "C:\Program Files\winsupdater\winsupdater.exe" goto alcanworm2 if exist "C:\Program Files\MsMovies\MsMovies.exe" goto alcanworm2 goto argobot-bm :alcanworm2 echo alcan worm detected! set Option5="Quarantine all infected files? (y,n)" set /p Option5=%Option5% (y,n) : if '%Option5%'=='y' goto alcanworm3 if '%Option5%'=='n' goto argobot-bm echo. 
echo That was not a valid choice goto alcanworm2 :alcanworm3 @xcopy "c:\program files\msconfigs\*.*" "c:\quarantine\c\program files\msconfigs\*.*.infected" @xcopy "c:\program files\msupdate\*.*" "c:\quarantine\c\program files\msconfigs\*.*.infected" @xcopy "C:\Program Files\winsupdater\*.*" "C:\quarantine\c\program files\winsupdater\*.*.infected" del "c:\program files\msconfigs\*.*" del "c:\programfiles\msupdate\*.*" del "C:\Program Files\winsupdater\*.*" del "C:\Program Files\MsMovies\MsMovies.exe" del "C:\Program Files\MsMovies\*.*" echo alcanworm removed! pause :argobot-bm if exist "C:\WINDOWS\system32\services\wmplayer.exe" goto Agobot-Bm2 goto blockchecker :argobot-bm2 echo argobot-bm detected! set Option32="Quarantine all infected files? (y,n)" set /p Option32=%Option32% (y,n) : if '%Option32%'=='y' goto argobot-bm3 if '%Option32%'=='n' goto blockchecker echo. echo That was not a valid choice goto argobot-bm2 :arogobot-bm3 @Xcopy "c:\windows\system\services\wmplayer.exe" "c:\quarantine\c\windows\system\services\wmplayer.exe" del "c:\windows\system\services\wmplayer.exe" echo argobot-bm removed! pause :blockchecker if exist "C:\WINDOWS\system32\navshext.dll" goto blockchecker2 if exist "C:\Program Files\Block Checker\block-checker.exe" goto blockchecker2 goto coolwebsearch :blockchecker2 echo blockchecker detected! set Option6="Quarantine all infected files? (y,n)" set /p Option6=%Option6% (y,n) : if '%Option6%'=='y' goto blockchecker3 if '%Option6%'=='n' goto CoolWebsearch echo. echo That was not a valid choice goto blockchecker2 :blockchecker3 @xcopy "C:\WINDOWS\system32\navshext.dll" "C:\quarantine\c\windows\system32\navshext.dll.infected" @xcopy "C:\Program Files\Block Checker\*.*" "C:\quarantine\c\program files\block checker\*.*.infected" del "C:\WINDOWS\system32\navshext.dll" del "C:\Program Files\Block Checker\*.*" echo blockchecker removed! 
pause :CoolWebSearch if exist "C:\DOCUME~1\USER\LOCALS~1\Temp\sp.html" goto coolwebsearch2 if exist "C:\WINDOWS\System32\pab.dll" goto coolwebsearch2 if exist "C:\WINDOWS\TEMP\se.dll/sp.html" goto coolwebsearch2 if exist "C:\WINDOWS\TEMP\SE.Dll,DllInstall" goto coolwebsearch2 if exist "C:\WINDOWS\System32\paytime.exe" goto coolwebsearch2 goto homesearch :coolwebsearch2 echo coolwebsearch detected! set Option7="Quarantine all infected files? (y,n)" set /p Option7=%Option7% (y,n) : if '%Option7%'=='y' goto coolwebsearch3 if '%Option7%'=='n' goto homesearch echo. echo That was not a valid choice goto coolwebsearch2 :coolwebsearch3 @xcopy "C:\DOCUMENTS AND SETTINGS\USER\LOCALSYSTEM\Temp\sp.html" "C:\quarantine\c\documents and settings\localsystem\temp\sp.html.infected" @xcopy "C:\WINDOWS\System32\pab.dll" "C:\quarantine\c\windows\system32\pab.dll.infected" @xcopy "C:\WINDOWS\TEMP\SE.Dll,DllInstall\*.*" "C:\quarantine\c\windows\temp\se.dll,dllinstall\*.*.infected" @xcopy "C:\WINDOWS\System32\paytime.exe" "C:\quarantine\c\windows\system32\paytime.exe.infected" del "C:\DOCUMENTS AND SETTINGS\USER\LOCALSYSTEM\Temp\sp.html" del "C:\WINDOWS\System32\pab.dll" del "C:\WINDOWS\TEMP\SE.Dll,DllInstall\*.*" del "C:\WINDOWS\System32\paytime.exe" echo coolwebsearch removed! pause :homesearch if exist "C:\WINDOWS\system32\javazu32.exe" goto homesearch2 if exist "C:\WINDOWS\system32\sysum32.exe" goto homesearch2 goto CODBOT-YBACKDOORTROJAN :homesearch2 echo homesearch! set Option8="Quarantine all infected files? (y,n)" set /p Option8=%Option8% (y,n) : if '%Option8%'=='y' goto homesearch3 if '%Option8%'=='n' goto CODBOT-YBACKDOORTROJAN echo. 
echo That was not a valid choice goto homesearch2 :homesearch3 @xcopy "C:\WINDOWS\system32\javazu32.exe" "C:\quarantine\c\windows\system32\javazu32.exe.infected" @xcopy "C:\WINDOWS\system32\sysum32.exe" "C:\quarantine\c\windows\system32\sysum32.exe.infected" del "C:\WINDOWS\system32\javazu32.exe" del "C:\WINDOWS\system32\sysum32.exe" echo homesearch removed! pause :CODBOT-YBACKDOORTROJAN if exist "C:\WINDOWS\System32\netddesv.exe" goto CODBOT-YBACKDOORTROJAN2 goto EGroup.ASDPlugin :CODBOT-YBACKDOORTROJAN2 echo CODBOT-YBACKDOORTROJAN2! set Option9="Quarantine all infected files? (y,n)" set /p Option9=%Option9% (y,n) : if '%Option9%'=='y' goto CODBOT-YBACKDOORTROJAN3 if '%Option9%'=='n' goto EGroup.ASDPlugin echo. echo That was not a valid choice pause goto codbot-YBACKDOORTROJAN2 :codbot-YBACKDOORTROJAN3 @xcopy "C:\WINDOWS\System32\netddesv.exe" "C:\quarantine\c\windows\system32\netddesv.exe.infected" del "C:\WINDOWS\System32\netddesv.exe" echo CODBOT-YBACKDOORTROJAN removed! pause :EGroup.ASDPlugin if exist "C:\WINDOWS\system32\dbaccess.exe" goto EGroup.ASDPlugin2 if exist "C:\WINDOWS\system32\geaccess.exe" goto EGroup.ASDPlugin2 if exist "C:\WINDOWS\system32\dsldbaccess.exe" goto EGroup.ASDPlugin2 if exist "C:\WINDOWS\system32\adult1.exe" goto EGroup.ASDPlugin2 if exist "C:\WINDOWS\system32\Xadult1.exe" goto EGroup.ASDPlugin2 if exist "C:\WINDOWS\system32\temp532.exe" goto EGroup.ASDPlugin2 if exist "C:\WINDOWS\system32\country.exe" goto EGroup.ASDPlugin2 goto e2give :EGroup.ASDPlugin2 echo EGroup.ASDPlugin3 detected! set Option10="Quarantine all infected files? (y,n)" set /p Option10=%Option10% (y,n) : if '%Option10%'=='y' goto EGroup.ASDPlugin3 if '%Option10%'=='n' goto E2give echo. 
echo That was not a valid choice pause goto EGroup.ASDPlugin2 :EGroup.ASDPlugin3 @xcopy "C:\WINDOWS\system32\dbaccess.exe" "C:\quarantine\c\windows\system32\dbaccess.exe.infected" @xcopy "C:\WINDOWS\system32\geaccess.exe" "C:\quarantine\c\windows\system32\geaccess.exe.infected" @xcopy "C:\WINDOWS\system32\dsldbaccess.exe" "C:\quarantine\c\windows\system32\dsldbaccess.exe.infected" @xcopy "C:\WINDOWS\system32\*adult1.exe" "C:\quarantine\c\windows\system32\*adult1.exe.infected" @xcopy "C:\WINDOWS\system32\temp532.exe" "C:\quarantine\c\windows\system32\temp532.exe.infected" @xcopy "C:\WINDOWS\system32\country.exe" "C:\quarantine\c\windows\system32\country.exe.infected" del "C:\WINDOWS\system32\dbaccess.exe" del "C:\WINDOWS\system32\geaccess.exe" del "C:\WINDOWS\system32\dsldbaccess.exe" del "C:\WINDOWS\system32\*adult1.exe" del "C:\WINDOWS\system32\temp532.exe" del "C:\WINDOWS\system32\country.exe" echo EGroup.ASDPlugin removed! pause :E2Give if exist "C:\Program Files\E2G\IeBHOs.dll" goto e2give2 goto elitebar :e2give2 echo e2give infection detected! set Option11="Quarantine all infected files? (y,n)" set /p Option11=%Option11% (y,n) : if '%Option11%'=='y' goto EGroup.ASDPlugin3 if '%Option11%'=='n' goto E2give echo. echo That was not a valid choice pause goto e2give2 :e2give3 @xcopy "C:\Program Files\E2G\*.*" "C:\quarantine\program files\e2g\*.*.infected" del "C:\Program Files\E2G\*.*" echo E2Give detected! pause :elitebar if exist "C:\WINDOWS\system32\elite\*.*" goto elitebar2 goto esbot :elitebar2 echo e2give infection detected! set Option12="Quarantine all infected files? (y,n)" set /p Option12=%Option12% (y,n) : if '%Option12%'=='y' goto elitebar3 if '%Option12%'=='n' goto esbot echo. echo That was not a valid choice pause goto elitebar2 :elitebar3 @xcopy "c:\WINDOWS\system32\elite*.*" "c:\quarantine\c\windows\system32\elite*.*.infected" del "C:\WINDOWS\system32\elite\*.*" echo elitebar detected! 
pause :esbot if exist "C:\WINDOWS\iTunesMusic.exe" goto esbot2 if exist "C:\WINDOWS\wkssvc.exe" goto esbot2 if exist "C:\WINDOWS\winmgc.exe" goto esbot2 if exist "C:\WINDOWS\pwnsvc.exe" goto esbot2 if exist "C:\WINDOWS\aim.exe" goto esbot2 if exist "C:\WINDOWS\aims.exe" goto esbot2 if exist "C:\WINDOWS\sdktemp.exe" goto esbot2 if exist "C:\WINDOWS\System32\mousemm.exe" goto esbot2 if exist "C:\WINDOWS\System32\mousecrm.exe" goto esbot2 if exist "C:\WINDOWS\mousesync.exe" goto esbot2 if exist "C:\WINDOWS\System32\mousebm.exe" goto esbot2 if exist "C:\WINDOWS\system32\wpa.exe" goto esbot2 if exist "C:\WINDOWS\System32\ssl.exe" goto esbot2 if exist "C:\WINDOWS\System32\wupnp.exe" goto esbot2 goto porattrojan :esbot2 echo esbot detected! set Option13="Quarantine all infected files? (y,n)" set /p Option13=%Option13% (y,n) : if '%Option13%'=='y' goto esbot3 if '%Option13%'=='n' goto porattrojan echo. echo That was not a valid choice pause goto esbot2 :esbot3 @xcopy "C:\WINDOWS\iTunesMusic.exe" "C:\quarantine\c\windows\iTunesMusic.exe.infected" @xcopy "C:\WINDOWS\wkssvc.exe" "C:\quarantine\c\windows\wkssvc.exe.infected" @xcopy "C:\WINDOWS\winmgc.exe" "C:\quarantine\c\windows\winmgc.exe" @xcopy "C:\WINDOWS\pwnsvc.exe" "C:\quarantine\c\windows\pwnsvc.exe.infected" @xcopy "C:\WINDOWS\aim*.exe" "C:\quarantine\c\windows\aim*.exe.infected" @xcopy "C:\WINDOWS\sdktemp.exe" "C:\quarantine\c\windows\sdktemp.exe.infected" @xcopy "C:\WINDOWS\System32\mouse*.exe" c:\quarantine\c\windows\system32\mouse*.exe.infected @xcopy "C:\WINDOWS\system32\wpa.exe" "C:\quarantine\c\windows\system32\wpa.exe.infected" @xcopy "C:\WINDOWS\System32\ssl.exe" "C:\quarantine\c\windows\system32\ssl.exe.infected" @xcopy "C:\WINDOWS\System32\wupnp.exe" "C:\quarantine\c\windows\system32\wupnp.exe.infected" del "C:\WINDOWS\iTunesMusic.exe" del "C:\WINDOWS\wkssvc.exe" del "C:\WINDOWS\winmgc.exe" del "C:\WINDOWS\pwnsvc.exe" del "C:\WINDOWS\aim*.exe" del "C:\WINDOWS\sdktemp.exe" del 
"C:\WINDOWS\System32\mouse*.exe" del "C:\WINDOWS\system32\wpa.exe" del "C:\WINDOWS\System32\ssl.exe" del "C:\WINDOWS\System32\wupnp.exe" echo esbot removed! pause :porattrojan if exist "C:\WINDOWS\system32\fservice.exe" goto porattrojan2 if exist "C:\WINDOWS\system32\avpx32.exe" goto porattrojan2 if exist "C:\WINDOWS\SYSTEM32\fuxx32.dll" goto porattrojan2 if exist "C:\WINDOWS\SYSTEM32\cert32.dll" goto porattrojan2 goto ieaccess :porattrojan2 echo porattrojan detected! set Option14="Quarantine all infected files? (y,n)" set /p Option14=%Option14% (y,n) : if '%Option14%'=='y' goto porattrojan3 if '%Option14%'=='n' goto ieaccess echo. echo That was not a valid choice pause goto porattrojan2 :porattrojan3 @xcopy "C:\WINDOWS\system32\fservice.exe" "C:\quarantine\c\windows\system32\fservice.exe.infected" @xcopy "C:\WINDOWS\system32\avpx32.exe" "C:\quarantine\c\windows\system32\avpx32.exe.infected" @xcopy "C:\WINDOWS\SYSTEM32\avpe32.dll" "C:\quarantine\c\windows\system32\avpe32.dll.infected" @xcopy "C:\WINDOWS\SYSTEM32\fuxx32.dll" "C:\quarantine\c\windows\system32\fuxx32.dll.infected" @xcopy "C:\WINDOWS\SYSTEM32\cert32.dll" "C:\quarantine\c\windows\system32\cert32.dll.infected" del "C:\WINDOWS\system32\fservice.exe" del "C:\WINDOWS\system32\avpx32.exe" del "C:\WINDOWS\SYSTEM32\avpe32.dll" del "C:\WINDOWS\SYSTEM32\fuxx32.dll" del "C:\WINDOWS\SYSTEM32\cert32.dll" echo porat trojan removed! pause :ieaccess if exist "C:\WINDOWS\system32\temp532.exe" goto ieaccess2 if exist "C:\WINDOWS\system32\surfya.exe" goto ieaccess2 goto istbar :ieaccess2 echo IEACCESS dialer detected! set Option15="Quarantine all infected files? (y,n)" set /p Option15=%Option15% (y,n) : if '%Option15%'=='y' goto ieaccess3 if '%Option15%'=='n' goto istbar echo. 
echo That was not a valid choice pause goto ieaccess2 :ieaccess3 @xcopy "C:\WINDOWS\system32\temp532.exe" "C:\quarantine\c\windows\system32\temp532.exe.infected" @xcopy "C:\WINDOWS\system32\surfya.exe" "C:\quarantine\c\windows\system32\surfya.exe.infected" del "C:\WINDOWS\system32\temp532.exe" del "C:\WINDOWS\system32\surfya.exe" echo IEACCESS dialer removed! pause :istbar if exist "C:\WINDOWS\opxpmqpc.exe" goto istbar2 if exist "C:\Program Files\ISTsvc\istsvc.exe" goto istbar2 if exist "C:\Program Files\ISTsvc\*.*" goto istbar2 goto moviepipe :istbar2 echo istbar detected! set Option16="Quarantine all infected files? (y,n)" set /p Option16=%Option16% (y,n) : if '%Option16%'=='y' goto istbar3 if '%Option16%'=='n' goto moviepipe echo. echo That was not a valid choice pause goto istbar2 :istbar3 @xcopy "C:\WINDOWS\opxpmqpc.exe" "C:\quarantine\windows\opxpmqpc.exe.infected" @xcopy "C:\Program Files\ISTsvc\*.*" "C:\quarantine\program files\istsvc\*.*.infected" del "C:\WINDOWS\opxpmqpc.exe" del "C:\Program Files\ISTsvc\*.*" echo istbar pause :moviepipe if exist "C:\Program Files\p2pnetworks\mpp2pl.exe" goto moviepipe2 goto win-eto/snapx :moviepipe2 echo moviepipe detected! set Option17="Quarantine all infected files? (y,n)" set /p Option17=%Option17% (y,n) : if '%Option17%'=='y' goto moviepipe3 if '%Option17%'=='n' goto win-eto/snapx echo. echo That was not a valid choice pause goto moviepipe2 :moviepipe3 @xcopy "C:\Program Files\p2pnetworks\*.*" "C:\quarantine\program files\p2pnetworks\*.*.infected" del "C:\Program Files\p2pnetworks\*.*" echo moviepipe removed! pause :win-eto/snapx if exist "C:\WINDOWS\System32\T23GPB~1.DLL" goto win-eto/snapx if exist "C:\WINDOWS\System32\sysbho.exe" goto win-eto/snapx if exist "C:\WINDOWS\System32\bszkwrhwcmbjthd.exe" goto win-eto/snapx goto Nail/Aurora/DSR :win-eto/snapx2 echo win-eto/snapX detected! set Option18="Quarantine all infected files? 
(y,n)" set /p Option18=%Option18% (y,n) : if '%Option18%'=='y' goto win-eto/snapx3 if '%Option18%'=='n' goto Nail/Aurora/DSR echo. echo That was not a valid choice pause goto win-eto/snapx2 :win-eto/snapX3 @xcopy "C:\WINDOWS\System32\sysbho.exe" "C:\quarantine\c\windows\system32\sysbho.exe.infected" @xcopy "C:\WINDOWS\System32\bszkwrhwcmbjthd.exe" "C:\quarantine\c\windows\system32\bszkwrhwcmbjthd.exe.infected" del "C:\WINDOWS\System32\sysbho.exe" del "C:\WINDOWS\System32\bszkwrhwcmbjthd.exe" echo win-eto/snapX removed! pause :Nail/Aurora/DSR if exist "C:\WINDOWS\Nail.exe" goto Nail/Aurora/DSR2 if exist "C:\WINDOWS\dsr.dll" goto Nail/Aurora/DSR2 if exist "C:\WINDOWS\Bolger.dll" goto Nail/Aurora/DSR2 if exist "C:\WINDOWS\svcproc.exe" goto Nail/Aurora/DSR2 goto new.net :Nail/Aurora/DSR2 echo Nail/Aurora/DSR detected! set Option19="Quarantine all infected files? (y,n)" set /p Option19=%Option19% (y,n) : if '%Option19%'=='y' goto Nail/Aurora/DSR3 if '%Option19%'=='n' goto new.net echo. echo That was not a valid choice pause goto Nail/Aurora/DSR2 :Nail/Aurora/DSR3 @xcopy "C:\WINDOWS\Nail.exe" "C:\quarantine\c\windows\Nail.exe.infected" @xcopy "C:\WINDOWS\dsr.dll" "C:\quarantine\c\windows\dsr.dll.infected" @xcopy "C:\WINDOWS\Bolger.dll" "C:\quarantine\c\windows\Bolger.dll.infected" @xcopy "C:\WINDOWS\svcproc.exe" "C:\quarantine\c\windows\svcproc.exe.infected" del "C:\WINDOWS\Nail.exe" del "C:\WINDOWS\dsr.dll" del "C:\WINDOWS\Bolger.dll" del "C:\WINDOWS\svcproc.exe" echo Nail/Aurora/DSR removed! pause :new.net if exist "C:\Program Files\NewDotNet\*.*" goto New.net2 if exist "C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL" goto New.net2 if exist "C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL" goto New.net2 if exist "c:\program files\newdotnet\newdotnet6_38.dll" goto New.net2 goto purityscan :new.net2 echo New.Net detected! set Option20="Quarantine all infected files? (y,n)" set /p Option20=%Option20% (y,n) : if '%Option20%'=='y' goto new.net3 if '%Option20%'=='n' goto purityscan echo. 
echo That was not a valid choice pause goto new.net2 :new.net3 @xcopy "C:\Program Files\NewDotNet\*.*" "C:\quarantine\program files\newdotnet\*.*.infected" del "C:\Program Files\NewDotNet\*.*" echo new.net removed! pause :purityscan if exist "c:\windows\system32\?racle\m?dtc.exe" goto purityscan2 goto qoologic :purityscan2 echo purityscan detected! set Option21="Quarantine all infected files? (y,n)" set /p Option21=%Option21% (y,n) : if '%Option21%'=='y' goto purityscan3 if '%Option21%'=='n' goto qoologic echo. echo That was not a valid choice pause goto purityscan2 :purityscan3 @xcopy "c:\windows\system32\?racle\m?dtc.exe" "c:\quarantine\c\windows\system32\m?dtc.exe.infected" del "c:\windows\system32\?racle\m?dtc.exe" echo purityscan removed! pause :qoologic if exist "C:\WINDOWS\SYSTEM\DATADX.DLL" goto qoologic if exist "C:\WINDOWS\system32\wfqhc.exe" goto qoologic if exist "C:\WINDOWS\system32\poemr.exe" goto qoologic if exist "C:\WINDOWS\System32\fifoke.exe" goto qoologic if exist "C:\WINDOWS\system32\dmonwv.dll" goto qoologic goto pokerrootkit :qoologic2 echo Qoologic detected! set Option22="Quarantine all infected files? (y,n)" set /p Option22=%Option22% (y,n) : if '%Option22%'=='y' goto qoologic3 if '%Option22%'=='n' goto pokerrootkit echo. 
echo That was not a valid choice pause goto qoologic2 :qoologic3 @xcopy "C:\WINDOWS\SYSTEM\DATADX.DLL" "c:\quarantine\c\windows\system\DATADX.DLL.infected" @xcopy "C:\WINDOWS\system32\wfqhc.exe" "C:\quarantine\c\windows\system32\wfqhc.exe.infected" @xcopy "C:\WINDOWS\system32\poemr.exe "C:\quarantine\c\windows\system32\poemr.exe.infected" @xcopy "C:\WINDOWS\System32\fifoke.exe" "C:\quarantine\c\windows\system32\fifoke.exe.infected" @xcopy "C:\WINDOWS\system32\dmonwv.dll" "C:\quarantine\c\windows\system32\dmonwv.dll.infected" del "C:\WINDOWS\SYSTEM\DATADX.DLL" del "C:\WINDOWS\system32\wfqhc.exe" del "C:\WINDOWS\system32\poemr.exe" del "C:\WINDOWS\System32\fifoke.exe" del "C:\WINDOWS\system32\dmonwv.dll" echo Qoologic removed! pause :pokerrootkit if exist "C:\WINDOWS\System32\utlsrv.exe" goto pokerrootkit goto sasser :pokerrootkit2 echo poker rootkit detected! set Option23="Quarantine all infected files? (y,n)" set /p Option23=%Option23% (y,n) : if '%Option23%'=='y' goto pokerrootkit3 if '%Option23%'=='n' goto sasser echo. echo That was not a valid choice pause goto pokerrootkit2 :pokerrootkit3 @xcopy "C:\WINDOWS\System32\utlsrv.exe" "C:\quarantine\c\windows\system32\utlsrv.exe.infected" del "C:\WINDOWS\System32\utlsrv.exe" echo poker rootkit removed! pause :sasser if exist "C:\WINDOWS\avserve2.exe" goto sasser2 if exist "C:\WINDOWS\avserve.exe" goto sasser2 goto smitfraud :sasser2 echo sasser virus detected! set Option24="Quarantine all infected files? (y,n)" set /p Option24=%Option24% (y,n) : if '%Option24%'=='y' goto sasser3 if '%Option24%'=='n' goto smitfraud echo. echo That was not a valid choice pause goto sasser2 :sasser3 @xcopy "C:\WINDOWS\avserve*.exe" "C:\quarantine\c\windows\avserve*.exe.infected" del "C:\WINDOWS\avserve*.exe" echo sasser virus removed! 
pause :smitfraud if exist "C:\WINDOWS\ssytem32\winapi32.dll" goto Smitfraud2 if exist "C:\Program Files\MIT\MIT.dll" goto Smitfraud2 if exist "C:\WINDOWS\System32\adobepnl.dll" goto Smitfraud2 if exist "C:\Program Files\Crysalys media\cm.dll" goto Smitfraud2 if exist "C:\WP.EXE" goto Smitfraud2 if exist "C:\WINDOWS\zloader3.exe" goto Smitfraud2 if exist "C:\WINDOWS\System32\msmsgs.exe" goto Smitfraud2 if exist "C:\Program Files\SpySheriff\SpySheriff.exe" goto Smitfraud2 if exist "C:\winstall.exe" goto Smitfraud2 if exist "C:\WINDOWS\system32\hookdump.exe" goto Smitfraud2 if exist "C:\Program Files\PSGuard\PSGuard.exe" goto Smitfraud2 if exist "C:\Program Files\WinHound\WinHound.exe" goto Smitfraud2 if exist "C:\WINDOWS\system32\runsrv32.exe" goto Smitfraud2 if exist "C:\Program Files\Anti-Virus-Pro\App.exe" goto Smitfraud2 if exist "C:\WINDOWS\xpupdate.exe" goto Smitfraud2 if exist "C:\Program Files\BraveSentry\BraveSentry.exe" goto Smitfraud2 if exist "C:\Program Files\SpyGuard\spyguard.exe" goto Smitfraud2 if exist "C:\Program Files\SpyGuard\spyguard_monitor.exe" goto Smitfraud2 if exist "C:\WINDOWS\SYSTEM\ibm00001exe" goto Smitfraud2 if exist "C:\WINDOWS\system32\paytime.exe" goto Smitfraud2 if exist "C:\Program Files\SpySheriff\SpySheriff.exe" goto Smitfraud2 if exist "C:\Program Files\SpywareBot\SpywareBot.exe" goto Smitfraud2 if exist "C:\Program Files\SpywareQuake\SpywareQuake.exe" goto Smitfraud2 if exist "C:\Program Files\SpyQUake2.com\Spy-Quake2.exe" goto smitfraud2 if exist "C:\WINDOWS\system32\susp.exe" echo Smitfraud detected! if exist "C:\Program Files\SpywareSheriff\spywaresheriff.exe" goto Smitfraud2 if exist "C:\Program Files\SpywareStrike\SpywareStrike.exe" goto Smitfraud2 if exist "C:\Program Files\TitanShield Antispyware\titanshield.exe" goto Smitfraud2 if exist "C:\Program Files\SpyAxe\spyaxe.exe" goto Smitfraud2 if exist "C:\WINDOWS\System32\wldr.dll" goto Smitfraud2 goto sonyrootkit :smitfraud2 echo smitfraud detected! 
set Option25="Quarantine all infected files? (y,n)" set /p Option25=%Option25% (y,n) : if '%Option25%'=='y' goto smitfraud3 if '%Option25%'=='n' goto sonyrootkit echo. echo That was not a valid choice pause goto smitfraud2 :smitfraud3 @xcopy "C:\Program Files\MIT\MIT.dll" "C:\quarantine\program files\mit\MIT.dll.infected" @xcopy "C:\WINDOWS\System32\adobepnl.dll" "C:\quarantine\c\windows\system32\adobepnl.dll.infected" @xcopy "C:\Program Files\Crysalys media\cm.dll" "C:\quarantine\c\program files\crysalys media\cm.dll.infected" @xcopy "C:\WP.EXE" "C:\quarantine\c\WP.EXE.infected" @xcopy "C:\WINDOWS\zloader3.exe" "C:\quarantine\c\windows\zloader3.exe.infected" @xcopy "C:\WINDOWS\System32\msmsgs.exe" "C:\quarantine\c\windows\system32\msmsgs.exe.infected" @xcopy "C:\Program Files\SpySheriff\*.*" "C:\quarantine\c\program files\spysheriff\*.*.infected" @xcopy "C:\winstall.exe" "C:\quarantine\c\winstall.exe.infected" @xcopy "C:\WINDOWS\system32\hookdump.exe" "C:\quarantine\c\windows\system32\hookdump.exe.infected" @xcopy "C:\Program Files\PSGuard\*.*" "C:\quarantine\c\program files\psguard\*.*.infected" @xcopy "C:\Program Files\WinHound\*.*" "C:\quarantine\c\program files\winhound\*.*.infected" @xcopy "C:\WINDOWS\system32\runsrv32.exe" "C:\quarantine\c\windows\system32\runsrv32.exe.infected" @xcopy "C:\Program Files\Anti-Virus-Pro\*.*" "C:\quarantine\c\program files\anti-virus-pro\*.*.infected" @xcopy "C:\WINDOWS\xpupdate.exe" "C:\quarantine\c\windows\xpupdate.exe.infected" @xcopy "C:\Program Files\BraveSentry\*.*" "C:\quarantine\c\program files\bravesentry\*.*.infected" @xcopy "C:\Program Files\SpyGuard\*.*" "C:\quarantine\c\program files\spyguard\*.*.infected" @xcopy "C:\WINDOWS\SYSTEM\ibm00001exe" "C:\quarantine\c\windows\system\ibm00001.exe.infected" @xcopy "C:\Program Files\SpywareBot\*.*" "C:\quarantine\c\program files\spywarebot\*.*.infected" @xcopy "C:\Program Files\Spy*ake*\*.*" "C:\quarantine\c\program files\spy*ake*\*.*.infected" @xcopy 
"C:\WINDOWS\system32\susp.exe" "C:\quarantine\c\windows\system32\susp.exe.infected" @xcopy "C:\Program Files\SpywareStrike\*.*" "C:\quarantine\c\program files\spywarestrike\*.*.infected" @xcopy "C:\Program Files\TitanShield*\*.*" "C:\quarantine\c\program files\titanshield*\*.*.infected" @xcopy "C:\Program Files\spyaxe\*.*" "C:\quarantine\c\program files\spyaxe\*.*.infected" del "C:\Program Files\MIT\MIT.dll" del "C:\WINDOWS\System32\adobepnl.dll" del "C:\Program Files\Crysalys media\cm.dll" del "C:\WP.EXE" del "C:\WINDOWS\zloader3.exe" del "C:\WINDOWS\System32\msmsgs.exe" del "C:\Program Files\SpySheriff\*.*" del "C:\winstall.exe" del "C:\WINDOWS\system32\hookdump.exe" del "C:\Program Files\PSGuard\PSGuard.exe" del "C:\Program Files\WinHound\*.*" del "C:\WINDOWS\system32\runsrv32.exe" del "C:\Program Files\Anti-Virus-Pro\*.*" del "C:\WINDOWS\xpupdate.exe" del "C:\Program Files\BraveSentry\*.*" del "C:\Program Files\SpyGuard\*.*" del "C:\WINDOWS\SYSTEM\ibm00001exe" del "C:\Program Files\SpySheriff\*.*" del "C:\Program Files\SpywareBot\*.*" del "C:\Program Files\Spy*ake*\*.*" del "C:\WINDOWS\system32\susp.exe" del "C:\Program Files\SpywareStrike\*.*" del "C:\Program Files\TitanShield*\*.*" del "C:\Program Files\SpyAxe\*.*" echo smitfraud removed! pause :sonyrootkit if exist "C:\WINDOWS\CDProxyServ.exe" goto Sony Rootkit2 goto spywaresoftstop :sonyrootkit2 echo sony rootkit detected! set Option39="Quarantine all infected files? (y,n)" set /p Option39=%Option39% (y,n) : if '%Option39%'=='y' goto sonyrootkit3 if '%Option39%'=='n' goto sonyrootkit echo. echo That was not a valid choice pause goto smitfraud2 :sonyrootkit3 @xcopy "C:\WINDOWS\CDProxyServ.exe c:\quarantine\c\windows\cdproxyserv.exe.infected" del "C:\WINDOWS\CDProxyServ.exe" echo sony rootkit removed! 
pause :spywaresoftstop if exist "C:\WINDOWS\system32\kerneld16.exe" goto spywarestopsoft2 if exist "C:\Program Files\Spyware Soft Stop\Spyware Soft Stop.exe" goto spywarestopsoft2 if exist "C:\WINDOWS\SYSTEM32\notifysb.dll" goto spywarestopsoft2 goto startpage.O :spywarestopsoft2 echo spywarestopsoft detected! set Option26="Quarantine all infected files? (y,n)" set /p Option26=%Option26% (y,n) : if '%Option26%'=='y' goto spywarestopsoft3 if '%Option26%'=='n' goto startpage.O echo. echo That was not a valid choice pause goto spywarestopsoft2 :spywarestopsoft3 @xcopy "C:\WINDOWS\system32\kerneld16.exe" "C:\quarantine\c\windows\system32\kerneld16.exe.infected" @xcopy "C:\WINDOWS\SYSTEM32\notifysb.dll" "C:\quarantine\c\windows\system32\notifysb.dll.infected" del "C:\WINDOWS\system32\kerneld16.exe" del "C:\WINDOWS\SYSTEM32\notifysb.dll" echo spywarestopsoft removed! pause :startpage.O if exist "C:\WINDOWS\bhoass.dll" goto startpage.O2 if exist "C:\WINDOWS\xmllib.dll" goto startpage.O2 if exist "C:\WINDOWS\atlass.dll" goto startpage.O2 if exist "C:\WINDOWS\System32\TASKMGRU.EXE" goto startpage.O2 if exist "C:\WINDOWS\System32\MSIMN32.EXE" goto startpage.O2 if exist "C:\WINDOWS\System32\SMSSU.EXE" goto startpage.O2 if exist "C:\WINDOWS\System32\Tmntsrv32.EXE" goto startpage.O2 if exist "C:\WINDOWS\System32\ALG32.EXE" goto startpage.O2 if exist "C:\WINDOWS\System32\SPOOLSVU.EXE" goto startpage.O2 if exist "C:\WINDOWS\System32\ALGU.EXE" goto startpage.O2 if exist "C:\WINDOWS\System32\SPOOLSV32.EXE" goto startpage.O2 goto surfsidekick :startpage.O2 echo startpage.O detected! set Option27="Quarantine all infected files? (y,n)" set /p Option27=%Option27% (y,n) : if '%Option27%'=='y' goto startpage.O3 if '%Option27%'=='n' goto surfsidekick echo. 
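REM ---------------------------------------------------------------------------
REM Scan, continued: one detection section per family. Each section follows
REM the same shape: ":name" tests fixed paths with "if exist", ":name2" asks
REM the user whether to quarantine, ":name3" copies each file into a mirror of
REM its path under c:\quarantine with a ".infected" suffix and then deletes the
REM original. The restore routine (":restore", further down the file) copies
REM the same quarantine paths back, so the two lists have to agree.
REM
REM Known limits, deliberately left as they are:
REM  - xcopy of a single file to a destination name that does not exist yet
REM    will prompt "(F = file, D = directory)?" for every copy; the flow is
REM    interactive anyway (each section ends with "pause").
REM  - "del" without /A /F is expected to skip hidden, system and read-only
REM    files; malware often sets those attributes, so a "removed!" message
REM    only means the command ran, not that the file is gone.
REM  - xcopy does not expand wildcards inside a directory name
REM    (e.g. "SurfSideKick*\*.*"); those copies are best-effort.
REM ---------------------------------------------------------------------------
REM Tail of the ":startpage.O2" prompt loop (its start is above this chunk).
echo That was not a valid choice
pause
goto startpage.O2
:startpage.O3
@xcopy "C:\WINDOWS\bhoass.dll" "C:\quarantine\c\windows\bhoass.dll.infected"
@xcopy "C:\WINDOWS\xmllib.dll" "C:\quarantine\c\windows\xmllib.dll.infected"
@xcopy "C:\WINDOWS\atlass.dll" "C:\quarantine\c\windows\atlass.dll.infected"
@xcopy "C:\WINDOWS\System32\TASKMGRU.EXE" "C:\quarantine\c\windows\system32\TASKMGRU.EXE.infected"
@xcopy "C:\WINDOWS\System32\MSIMN32.EXE" "C:\quarantine\c\windows\system32\MSIMN32.EXE.infected"
@xcopy "C:\WINDOWS\System32\SMSSU.EXE" "C:\quarantine\c\windows\system32\SMSSU.EXE.infected"
@xcopy "C:\WINDOWS\System32\Tmntsrv32.EXE" "C:\quarantine\c\windows\system32\Tmntsrv32.EXE.infected"
@xcopy "C:\WINDOWS\System32\ALG32.EXE" "C:\quarantine\c\windows\system32\ALG32.EXE.infected"
@xcopy "C:\WINDOWS\System32\SPOOLSVU.EXE" "C:\quarantine\c\windows\system32\SPOOLSVU.EXE.infected"
@xcopy "C:\WINDOWS\System32\ALGU.EXE" "C:\quarantine\c\windows\system32\ALGU.EXE.infected"
REM "spoopsv32" is misspelt but the restore routine uses the same name, so
REM it is kept for compatibility with existing quarantine folders.
@xcopy "C:\WINDOWS\System32\SPOOLSV32.EXE" c:\quarantine\c\windows\system32\spoopsv32.infected
del "C:\WINDOWS\bhoass.dll"
del "C:\WINDOWS\xmllib.dll"
del "C:\WINDOWS\atlass.dll"
del "C:\WINDOWS\System32\TASKMGRU.EXE"
del "C:\WINDOWS\System32\MSIMN32.EXE"
del "C:\WINDOWS\System32\SMSSU.EXE"
del "C:\WINDOWS\System32\Tmntsrv32.EXE"
del "C:\WINDOWS\System32\ALG32.EXE"
del "C:\WINDOWS\System32\SPOOLSVU.EXE"
del "C:\WINDOWS\System32\ALGU.EXE"
del "C:\WINDOWS\System32\SPOOLSV32.EXE"
echo startpage.O removed!
pause

REM ---- SurfSideKick ---------------------------------------------------------
:surfsidekick
if exist "C:\Program Files\SurfSideKick\SskBho.dll" goto surfsidekick2
if exist "C:\Program Files\SurfSideKick\Ssk.exe" goto surfsidekick2
if exist "C:\Program Files\SurfSideKick 3\Ssk.exe" goto surfsidekick2
if exist "C:\Program Files\Common Files\VCClient\VCClient.exe" goto surfsidekick2
if exist "C:\Program Files\Common Files\VCClient\VCMain.exe" goto surfsidekick2
goto ultimatefixer
:surfsidekick2
echo surfsidekick detected!
set Option28="Quarantine all infected files? (y,n)"
set /p Option28=%Option28% (y,n) :
if '%Option28%'=='y' goto surfsidekick3
if '%Option28%'=='n' goto ultimatefixer
echo.
echo That was not a valid choice
pause
goto surfsidekick2
:surfsidekick3
REM Destinations contain a space ("program files") and must be quoted, or
REM xcopy sees "files\..." as an extra argument and copies nothing.
@xcopy "C:\Program Files\SurfSideKick*\*.*" "c:\quarantine\c\program files\surfsidekick*\*.*.infected"
@xcopy "C:\Program Files\Common Files\VCClient\*.*" "c:\quarantine\c\program files\commonfiles\vcclient\*.*.infected"
del "C:\Program Files\SurfSideKick*\*.*"
del "C:\Program Files\Common Files\VCClient\*.*"
REM Was "detected!" - the files have been processed at this point.
echo surfsidekick removed!
pause

REM ---- Ultimate Fixer -------------------------------------------------------
:ultimatefixer
if exist "C:\WINDOWS\system32\scchk32.exe" goto UltimateFixer2
goto vundo
:ultimatefixer2
REM Was "goto ultimatefixer detected!": a goto to a label that does not exist
REM aborts the whole batch file with "cannot find the batch label".
echo ultimatefixer detected!
set Option29="Quarantine all infected files? (y,n)"
set /p Option29=%Option29% (y,n) :
if '%Option29%'=='y' goto ultimatefixer3
if '%Option29%'=='n' goto vundo
echo.
echo That was not a valid choice
pause
goto ultimatefixer2
:ultimatefixer3
@xcopy "C:\WINDOWS\system32\scchk32.exe" c:\quarantine\c\windows\system32\scchk32.infected
del "C:\WINDOWS\system32\scchk32.exe"
echo ultimatefixer removed!
pause

REM ---- Vundo ----------------------------------------------------------------
:vundo
if exist "C:\WINDOWS\system32\service.dll" goto vundo2
if exist "C:\WINDOWS\system32\gcpdxljp.dll" goto Vundo2
if exist "C:\WINDOWS\system32\ssqrolj.dll" goto Vundo2
if exist "C:\WINDOWS\System\Restore\StateMgr.exe" goto Vundo2
goto wareout
:vundo2
REM Was "goto vundo detected!" (see ultimatefixer2).
echo vundo detected!
set Option30="Quarantine all infected files? (y,n)"
set /p Option30=%Option30% (y,n) :
if '%Option30%'=='y' goto vundo3
if '%Option30%'=='n' goto wareout
echo.
echo That was not a valid choice
pause
goto vundo2
:vundo3
@xcopy "C:\WINDOWS\system32\service.dll" c:\quarantine\c\windows\system32\service.dll.infected
@xcopy "C:\WINDOWS\system32\gcpdxljp.dll" c:\quarantine\c\windows\system32\gcpdxljp.dll.infected
@xcopy "C:\WINDOWS\system32\ssqrolj.dll" c:\quarantine\c\windows\system32\ssqrolj.dll.infected
@xcopy "C:\WINDOWS\System\Restore\StateMgr.exe" c:\quarantine\c\windows\system\restore\statemgr.exe.infected
del "C:\WINDOWS\system32\service.dll"
del "C:\WINDOWS\system32\gcpdxljp.dll"
del "C:\WINDOWS\system32\ssqrolj.dll"
del "C:\WINDOWS\System\Restore\StateMgr.exe"
echo vundo removed
pause

REM ---- WareOut --------------------------------------------------------------
:wareout
if exist "C:\WINDOWS\HCLEAN32.EXE" goto WareOut2
if exist "C:\WINDOWS\System32\dmcup.exe" goto WareOut2
if exist "C:\Program Files\WareOut\WareOut.exe" goto WareOut2
REM NOTE(review): a TBPS.exe hit skips the WareOut prompt and jumps straight
REM into the WebSearch prompt; kept as the author wrote it - confirm intent.
if exist "C:\PROGRA~1\Toolbar\TBPS.exe" goto Websearch2
goto websearch
:wareout2
REM Was "goto wareout detected!" (see ultimatefixer2).
echo wareout detected!
set Option31="Quarantine all infected files? (y,n)"
set /p Option31=%Option31% (y,n) :
if '%Option31%'=='y' goto wareout3
if '%Option31%'=='n' goto websearch
echo.
echo That was not a valid choice
pause
goto wareout2
:wareout3
@xcopy "C:\WINDOWS\HCLEAN32.EXE" c:\quarantine\hclean32.exe.infected
@xcopy "C:\WINDOWS\System32\dmcup.exe" c:\quarantine\c\windows\system32\dmcup.exe.infected
REM "program file" (singular) is what the restore routine expects; keep it.
@xcopy "C:\Program Files\WareOut\*.*" "c:\quarantine\c\program file\wareout\*.*.infected"
@xcopy "c:\program files\toolbar\*.*" "c:\quarantine\c\program files\toolbar\*.*.infected"
@xcopy "c:\program files\toolbar\*\*.*" "c:\quarantine\program files\*\*.*.infected"
del "C:\WINDOWS\HCLEAN32.EXE"
del "C:\WINDOWS\System32\dmcup.exe"
del "C:\Program Files\WareOut\*.*"
rd "c:\program files\toolbar\" /s
echo wareout removed
pause

REM ---- WebSearch / MyWebSearch ----------------------------------------------
:websearch
if exist "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" goto Websearch2
if exist "C:\PROGRA~1\Toolbar\toolbar.dll" goto Websearch2
if exist "C:\PROGRA~1\Tollbar\TBPSSvc.exe" goto Websearch2
goto websiteviewer
:websearch2
REM Was "goto websearch detected!" (see ultimatefixer2).
echo websearch detected!
set Option33="Quarantine all infected files? (y,n)"
set /p Option33=%Option33% (y,n) :
if '%Option33%'=='y' goto websearch3
if '%Option33%'=='n' goto websiteviewer
echo.
echo That was not a valid choice
pause
goto websearch2
:websearch3
@xcopy "c:\program files\myweb*\" "c:\quarantine\c\program files\myweb*\*.*.infected"
@xcopy "C:\program files\toolbar\" "c:\quarantine\c\program files\toolbar\"
del "c:\program files\myweb*\*.*"
echo websearch removed!
pause

REM ---- Website Viewer -------------------------------------------------------
:websiteviewer
if exist "C:\WINDOWS\system32\prvdi1.exe" goto Websiteviewer2
goto winfixer
:websiteviewer2
REM Was "goto websiteviewer detected!" (see ultimatefixer2).
echo websiteviewer detected!
set Option34="Quarantine all infected files? (y,n)"
set /p Option34=%Option34% (y,n) :
REM Was "goto webviewer3" - no such label; the removal section is websiteviewer3.
if '%Option34%'=='y' goto websiteviewer3
if '%Option34%'=='n' goto winfixer
echo.
echo That was not a valid choice
pause
goto websiteviewer2
:websiteviewer3
@xcopy "C:\WINDOWS\system32\prvdi1.exe" c:\quarantine\c\windows\system32\prvdi1.exe.infected
del "C:\WINDOWS\system32\prvdi1.exe"
echo websiteviewer removed!
REM Every other section pauses here so the result can be read.
pause

REM ---- WinFixer -------------------------------------------------------------
:winfixer
if exist "C:\Program Files\WinFixer 2005\wfx5.exe" goto Winfixer2
if exist "C:\WINDOWS\AppPatch\msvcun.dll" goto Winfixer2
goto w32.delf.pa
:winfixer2
REM Was "goto winfixer detected!" (see ultimatefixer2).
echo winfixer detected!
set Option35="Quarantine all infected files? (y,n)"
set /p Option35=%Option35% (y,n) :
if '%Option35%'=='y' goto winfixer3
if '%Option35%'=='n' goto w32.delf.pa
echo.
echo That was not a valid choice
pause
goto winfixer2
:winfixer3
REM "appatch\mscun.dll" is misspelt but matches the restore routine; keep it.
@xcopy "C:\WINDOWS\AppPatch\msvcun.dll" c:\quarantine\c\windows\appatch\mscun.dll.infected
@xcopy "C:\Program Files\WinFixer 2005\wfx5.exe" "c:\quarantine\C\Program Files\WinFixer 2005\wfx5.exe"
del "C:\WINDOWS\AppPatch\msvcun.dll"
rd "C:\Program Files\WinFixer 2005\" /s
echo winfixer removed!
pause

REM ---- W32.Delf.pa ----------------------------------------------------------
REM NOTE(review): slassac.dll and prflbmsgp32.dll are detected below but not
REM quarantined in w32.delf.pa3, while q126578.dll is quarantined but not
REM detected. Left as found; reconcile against the restore list.
:W32.Delf.pa
if exist "C:\WINDOWS\q842468_disk.dll" goto W32.Delf.pa2
if exist "C:\WINDOWS\system32\winstyle2.dll" goto W32.Delf.pa2
if exist "C:\WINDOWS\slassac.dll" goto W32.Delf.pa2
if exist "C:\WINDOWS\system32\prflbmsgp32.dll" goto W32.Delf.pa2
if exist "C:\WINDOWS\system32\st3.dll" goto W32.Delf.pa2
if exist "C:\WINDOWS\adsldpbd.dll" goto W32.Delf.pa2
if exist "C:\WINDOWS\q10948125.dll" goto W32.Delf.pa2
if exist "C:\WINDOWS\system32\winstyle32.dll" goto W32.Delf.pa2
goto wintools
:w32.delf.pa2
REM Was "goto w32.delf.pa detected!" (see ultimatefixer2).
echo w32.delf.pa detected!
set Option36="Quarantine all infected files? (y,n)"
set /p Option36=%Option36% (y,n) :
if '%Option36%'=='y' goto w32.delf.pa3
if '%Option36%'=='n' goto wintools
echo.
echo That was not a valid choice
pause
goto w32.delf.pa2
REM Was a second ":w32.delf.pa" label, so "goto w32.delf.pa3" had no target.
:w32.delf.pa3
@xcopy "C:\WINDOWS\system32\st3.dll" c:\quarantine\c\windows\system32\st3.dll.infected
REM "adslapbd" is misspelt but matches the restore routine; keep it.
@xcopy "C:\WINDOWS\adsldpbd.dll" c:\quarantine\c\windows\adslapbd.dll.infected
@xcopy "C:\WINDOWS\q842468_disk.dll" c:\quarantine\c\windows\q842468_disk.dll.infected
@xcopy "C:\WINDOWS\q10948125.dll" c:\quarantine\c\windows\q10948125.dll.infected
@xcopy "C:\WINDOWS\system32\winstyle*.dll" c:\quarantine\c\windows\system32\winstyle2.dll.infected
@xcopy "C:\WINDOWS\q126578.dll" c:\quarantine\c\windows\q126578.dll.infected
del "C:\WINDOWS\system32\st3.dll"
del "C:\WINDOWS\adsldpbd.dll"
del "C:\WINDOWS\q842468_disk.dll"
del "C:\WINDOWS\q10948125.dll"
del "C:\WINDOWS\system32\winstyle*.dll"
del "C:\WINDOWS\q126578.dll"
echo W32.delf.pa removed!
pause

REM ---- WinTools -------------------------------------------------------------
:wintools
if exist "C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll" goto WinTools2
if exist "C:\PROGRA~1\COMMON~1\WinTools\WinToolsA.exe" goto WinTools2
if exist "C:\Program Files\Common Files\WinTools\WinToolsS.exe" goto WinTools2
goto restart?
:wintools2
REM Was "goto wintools detected!" (see ultimatefixer2).
echo wintools detected!
set Option37="Quarantine all infected files? (y,n)"
set /p Option37=%Option37% (y,n) :
if '%Option37%'=='y' goto wintools3
if '%Option37%'=='n' goto restart?
echo.
echo That was not a valid choice
pause
goto wintools2
:wintools3
@xcopy "C:\Program Files\Common Files\WinTools\*.*" "c:\quarantine\c\program files\common files\wintools\*.*.infected"
REM The closing quote was missing on this del.
del "C:\Program Files\Common Files\WinTools\*.*"
echo wintools removed!
pause

REM ---- End of scan: offer a reboot so in-use files are released ------------
:restart?
cls
echo ===========================================================================
set Optionone="restart now?"
set /p Optionone=%Optionone% (y,n) :
if '%Optionone%'=='y' goto restart
if '%Optionone%'=='n' goto menu
echo.
echo That was not a valid choice
REM Was "goto scan6" - no such label; loop back to this prompt like the others.
goto restart?
:restart
shutdown /f /r
exit

REM ---- About: list of families the scanner knows, then credits --------------
:info
cls
echo ===============INFECTIONS DETECTED=========================================
echo alcan worm
echo blockchecker
echo coolwebsearch
echo CWS paytime
echo home search
echo CODBOT-Y backdoor trojan
echo egroup.ASDplugin
echo e2give
echo elitebar
echo esbot worm
echo porat trojan
echo haxdoor trojan
echo IEACCESS dialer
echo ISTbar
echo look2me/VX2
echo LOP.com
echo mediapipe movie scam
echo win-eto/snapX
echo W32/RBOT-SI
echo MSN messenger worm
echo nail/aurora/DSR bundle
echo new.net
echo peper trojan
pause
cls
echo qoologic variants
echo RBClac poker rootkit
echo sasser virus
echo smitfraud
echo spyware soft stop
echo startpage.O trojan
echo surfsidekick
echo ultimate defender (not all varients detected)
echo vundo/vertuamundo (not all varients detected)
echo wareout
echo websearch
echo website viewer
echo website tracer
echo winfixer
echo W32.deft.pa
echo wintools
echo argobot-bm worm
echo adware.IEplugin
echo sony rootkit
echo ===========================================================================
echo continue to credits?
pause
cls
echo =====================CREDITS===============================================
echo created by Tom Wright (twright@antimalwaresupport.co.uk)
echo with the help of Matt Quarmby (webmaster@antimalwaresupport.co.uk)
echo based on a hijackthis logfile analyzer created by Matt Quarmby
echo WANT TO HELP?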
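REM Tail of the credits screen (its start is above this chunk).
echo email either of us
pause
GOTO menu

REM ---------------------------------------------------------------------------
REM Quarantine management. The quarantine is a mirror of the original paths
REM under c:\quarantine, each file renamed with a ".infected" suffix (see the
REM scan sections above). "Restore" copies every known quarantine path back to
REM its original location, which re-installs the files the scan removed; it is
REM therefore gated by a y/n prompt exactly like "Clear".
REM ---------------------------------------------------------------------------
:qurantinemanagement
cls
echo ===============Quarantine Management=======================================
echo Option 1: View Quarantine
echo Option 2: Restore All Files
echo Option 3: Clear Quarantine
echo Option 4: Return To Menu
choice /c:1234
if errorlevel 4 goto menu
if errorlevel 3 goto clear
if errorlevel 2 goto restore
if errorlevel 1 goto Qmanager

REM View: directory tree of the quarantine, including file names.
:Qmanager
cls
tree c:\quarantine /f
pause
goto qurantinemanagement

REM Restore: confirm first - the files being put back were removed as malware.
:restore
set optionfour="Restore all quarantined files to their original locations?"
set /p optionfour=%optionfour% (y,n) :
if '%optionfour%'=='y' goto restore2
if '%optionfour%'=='n' goto qurantinemanagement
echo.
echo That was not a valid choice
goto restore
:restore2
REM Quarantine paths that contain a space must be quoted or xcopy treats the
REM part after the space as a further argument.
@xcopy "c:\quarantine\c\program files\msconfigs\*.*.infected" "c:\program files\msconfigs\*.*"
REM Was copying the msconfigs quarantine into msupdate; the source now mirrors
REM the destination like every other entry.
@xcopy "c:\quarantine\c\program files\msupdate\*.*.infected" "c:\program files\msupdate\*.*"
@xcopy "C:\quarantine\c\program files\winsupdater\*.*.infected" "C:\Program Files\winsupdater\*.*"
@xcopy "C:\quarantine\c\windows\system32\navshext.dll.infected" "C:\WINDOWS\system32\navshext.dll"
@xcopy "C:\quarantine\c\program files\block checker\*.*.infected" "C:\Program Files\Block Checker\*.*"
@xcopy "C:\quarantine\c\documents and settings\localsystem\temp\sp.html.infected" "C:\DOCUMENTS AND SETTINGS\USER\LOCALSYSTEM\Temp\sp.html"
@xcopy "C:\quarantine\c\windows\system32\pab.dll.infected" "C:\WINDOWS\System32\pab.dll"
@xcopy "C:\quarantine\c\windows\temp\se.dll,dllinstall\*.*.infected" "C:\WINDOWS\TEMP\SE.Dll,DllInstall\*.*"
@xcopy "C:\quarantine\c\windows\system32\paytime.exe.infected" "C:\WINDOWS\System32\paytime.exe"
@xcopy "C:\quarantine\c\windows\system32\javazu32.exe.infected" "C:\WINDOWS\system32\javazu32.exe"
@xcopy "C:\quarantine\c\windows\system32\sysum32.exe.infected" "C:\WINDOWS\system32\sysum32.exe"
@xcopy "C:\quarantine\c\windows\system32\netddesv.exe.infected" "C:\WINDOWS\System32\netddesv.exe"
@xcopy "C:\quarantine\c\windows\system32\dbaccess.exe.infected" "C:\WINDOWS\system32\dbaccess.exe"
@xcopy "C:\quarantine\c\windows\system32\geaccess.exe.infected" "C:\WINDOWS\system32\geaccess.exe"
@xcopy "C:\quarantine\c\windows\system32\dsldbaccess.exe.infected" "C:\WINDOWS\system32\dsldbaccess.exe"
@xcopy "C:\quarantine\c\windows\system32\*adult1.exe.infected" "C:\WINDOWS\system32\*adult1.exe"
@xcopy "C:\quarantine\c\windows\system32\temp532.exe.infected" "C:\WINDOWS\system32\temp532.exe"
@xcopy "C:\quarantine\c\windows\system32\country.exe.infected" "C:\WINDOWS\system32\country.exe"
@xcopy "C:\quarantine\program files\e2g\*.*.infected" "C:\Program Files\E2G\*.*"
REM NOTE(review): the next three sources lack the ".infected" suffix the rest
REM of the quarantine uses; the matching quarantine step is not in this chunk,
REM so they are left as written - verify against it.
@xcopy "C:\quarantine\c\windows\system32\elite\*.*" "C:\WINDOWS\system32\elite\*.*"
@xcopy "c:\quarantine\c\windows\system32\elite*.*.infected" "c:\WINDOWS\system32\elite*.*"
@xcopy "C:\quarantine\c\windows\iTunesMusic.exe.infected" "C:\WINDOWS\iTunesMusic.exe"
@xcopy "C:\quarantine\c\windows\wkssvc.exe.infected" "C:\WINDOWS\wkssvc.exe"
@xcopy "C:\quarantine\c\windows\winmgc.exe" "C:\WINDOWS\winmgc.exe"
@xcopy "C:\quarantine\c\windows\pwnsvc.exe.infected" "C:\WINDOWS\pwnsvc.exe"
@xcopy "C:\quarantine\c\windows\aim*.exe.infected" "C:\WINDOWS\aim*.exe"
@xcopy "C:\quarantine\c\windows\sdktemp.exe.infected" "C:\WINDOWS\sdktemp.exe"
@xcopy c:\quarantine\c\windows\system32\mouse*.exe.infected "C:\WINDOWS\System32\mouse*.exe"
@xcopy "C:\quarantine\c\windows\system32\wpa.exe.infected" "C:\WINDOWS\system32\wpa.exe"
@xcopy "C:\quarantine\c\windows\system32\ssl.exe.infected" "C:\WINDOWS\System32\ssl.exe"
@xcopy "C:\quarantine\c\windows\system32\wupnp.exe.infected" "C:\WINDOWS\System32\wupnp.exe"
@xcopy "C:\quarantine\c\windows\system32\fservice.exe.infected" "C:\WINDOWS\system32\fservice.exe"
@xcopy "C:\quarantine\c\windows\system32\avpx32.exe.infected" "C:\WINDOWS\system32\avpx32.exe"
@xcopy "C:\quarantine\c\windows\system32\avpe32.dll.infected" "C:\WINDOWS\SYSTEM32\avpe32.dll"
@xcopy "C:\quarantine\c\windows\system32\fuxx32.dll.infected" "C:\WINDOWS\SYSTEM32\fuxx32.dll"
@xcopy "C:\quarantine\c\windows\system32\cert32.dll.infected" "C:\WINDOWS\SYSTEM32\cert32.dll"
@xcopy "C:\quarantine\c\windows\system32\surfya.exe.infected" "C:\WINDOWS\system32\surfya.exe"
@xcopy "C:\quarantine\windows\opxpmqpc.exe.infected" "C:\WINDOWS\opxpmqpc.exe"
@xcopy "C:\quarantine\program files\istsvc\*.*.infected" "C:\Program Files\ISTsvc\*.*"
@xcopy "C:\quarantine\program files\p2pnetworks\*.*.infected" "C:\Program Files\p2pnetworks\*.*"
@xcopy "C:\quarantine\c\windows\system32\sysbho.exe.infected" "C:\WINDOWS\System32\sysbho.exe"
@xcopy "C:\quarantine\c\windows\system32\bszkwrhwcmbjthd.exe.infected" "C:\WINDOWS\System32\bszkwrhwcmbjthd.exe"
@xcopy "C:\quarantine\c\windows\Nail.exe.infected" "C:\WINDOWS\Nail.exe"
@xcopy "C:\quarantine\c\windows\dsr.dll.infected" "C:\WINDOWS\dsr.dll"
@xcopy "C:\quarantine\c\windows\Bolger.dll.infected" "C:\WINDOWS\Bolger.dll"
@xcopy "C:\quarantine\c\windows\svcproc.exe.infected" "C:\WINDOWS\svcproc.exe"
@xcopy "C:\quarantine\program files\newdotnet\*.*.infected" "C:\Program Files\NewDotNet\*.*"
REM NOTE(review): "l?ass.exe" has no ".infected" suffix and "m?dtc.exe" is
REM restored into a "?racle" folder; both are kept verbatim - verify.
@xcopy "C:\quarantine\c\windows\system32\l?ass.exe" "C:\WINDOWS\System32\l?ass.exe"
@xcopy "c:\quarantine\c\windows\system32\m?dtc.exe.infected" "c:\windows\system32\?racle\m?dtc.exe"
@xcopy "c:\quarantine\c\windows\system\DATADX.DLL.infected" "C:\WINDOWS\SYSTEM\DATADX.DLL"
@xcopy "C:\quarantine\c\windows\system32\wfqhc.exe.infected" "C:\WINDOWS\system32\wfqhc.exe"
REM The closing quote was missing on this destination.
@xcopy "C:\quarantine\c\windows\system32\poemr.exe.infected" "C:\WINDOWS\system32\poemr.exe"
@xcopy "C:\quarantine\c\windows\system32\fifoke.exe.infected" "C:\WINDOWS\System32\fifoke.exe"
@xcopy "C:\quarantine\c\windows\system32\dmonwv.dll.infected" "C:\WINDOWS\system32\dmonwv.dll"
@xcopy "C:\quarantine\c\windows\system32\utlsrv.exe.infected" "C:\WINDOWS\System32\utlsrv.exe"
@xcopy "C:\quarantine\c\windows\avserve*.exe.infected" "C:\WINDOWS\avserve*.exe"
REM This entry had source and destination the wrong way round: it copied the
REM live file over its quarantine copy instead of restoring it.
@xcopy "C:\quarantine\program files\mit\MIT.dll.infected" "C:\Program Files\MIT\MIT.dll"
@xcopy "C:\quarantine\c\windows\system32\adobepnl.dll.infected" "C:\WINDOWS\System32\adobepnl.dll"
@xcopy "C:\quarantine\c\program files\crysalys media\cm.dll.infected" "C:\Program Files\Crysalys media\cm.dll"
@xcopy "C:\quarantine\c\WP.EXE.infected" "C:\WP.EXE"
@xcopy "C:\quarantine\c\windows\zloader3.exe.infected" "C:\WINDOWS\zloader3.exe"
@xcopy "C:\quarantine\c\windows\system32\msmsgs.exe.infected" "C:\WINDOWS\System32\msmsgs.exe"
@xcopy "C:\quarantine\c\program files\spysheriff\*.*.infected" "C:\Program Files\SpySheriff\*.*"
@xcopy "C:\quarantine\c\winstall.exe.infected" "C:\winstall.exe"
@xcopy "C:\quarantine\c\windows\system32\hookdump.exe.infected" "C:\WINDOWS\system32\hookdump.exe"
@xcopy "C:\quarantine\c\program files\psguard\*.*.infected" "C:\Program Files\PSGuard\*.*"
@xcopy "C:\quarantine\c\program files\winhound\*.*.infected" "C:\Program Files\WinHound\*.*"
@xcopy "C:\quarantine\c\windows\system32\runsrv32.exe.infected" "C:\WINDOWS\system32\runsrv32.exe"
@xcopy "C:\quarantine\c\program files\anti-virus-pro\*.*.infected" "C:\Program Files\Anti-Virus-Pro\*.*"
@xcopy "C:\quarantine\c\windows\xpupdate.exe.infected" "C:\WINDOWS\xpupdate.exe"
@xcopy "C:\quarantine\c\program files\bravesentry\*.*.infected" "C:\Program Files\BraveSentry\*.*"
@xcopy "C:\quarantine\c\program files\spyguard\*.*.infected" "C:\Program Files\SpyGuard\*.*"
REM Destination was "ibm00001exe" (dot missing), which does not match the source name.
@xcopy "C:\quarantine\c\windows\system\ibm00001.exe.infected" "C:\WINDOWS\SYSTEM\ibm00001.exe"
@xcopy "C:\quarantine\c\program files\spywarebot\*.*.infected" "C:\Program Files\SpywareBot\*.*"
@xcopy "C:\quarantine\c\program files\spy*ake*\*.*.infected" "C:\Program Files\Spy*ake*\*.*"
@xcopy "C:\quarantine\c\windows\system32\susp.exe.infected" "C:\WINDOWS\system32\susp.exe"
@xcopy "C:\quarantine\c\program files\spywarestrike\*.*.infected" "C:\Program Files\SpywareStrike\*.*"
@xcopy "C:\quarantine\c\program files\titanshield*\*.*.infected" "C:\Program Files\TitanShield*\*.*"
@xcopy "C:\quarantine\c\windows\system32\kerneld16.exe.infected" "C:\WINDOWS\system32\kerneld16.exe"
@xcopy "C:\quarantine\c\windows\system32\notifysb.dll.infected" "C:\WINDOWS\SYSTEM32\notifysb.dll"
@xcopy "C:\quarantine\c\windows\bhoass.dll.infected" "C:\WINDOWS\bhoass.dll"
@xcopy "C:\quarantine\c\windows\xmllib.dll.infected" "C:\WINDOWS\xmllib.dll"
@xcopy "C:\quarantine\c\windows\atlass.dll.infected" "C:\WINDOWS\atlass.dll"
@xcopy "C:\quarantine\c\windows\system32\TASKMGRU.EXE.infected" "C:\WINDOWS\System32\TASKMGRU.EXE"
@xcopy "C:\quarantine\c\windows\system32\MSIMN32.EXE.infected" "C:\WINDOWS\System32\MSIMN32.EXE"
@xcopy "C:\quarantine\c\windows\system32\SMSSU.EXE.infected" "C:\WINDOWS\System32\SMSSU.EXE"
@xcopy "C:\quarantine\c\windows\system32\Tmntsrv32.EXE.infected" "C:\WINDOWS\System32\Tmntsrv32.EXE"
@xcopy "C:\quarantine\c\windows\system32\ALG32.EXE.infected" "C:\WINDOWS\System32\ALG32.EXE"
@xcopy "C:\quarantine\c\windows\system32\SPOOLSVU.EXE.infected" "C:\WINDOWS\System32\SPOOLSVU.EXE"
@xcopy "C:\quarantine\c\windows\system32\ALGU.EXE.infected" "C:\WINDOWS\System32\ALGU.EXE"
@xcopy c:\quarantine\c\windows\system32\spoopsv32.infected "C:\WINDOWS\System32\SPOOLSV32.EXE"
@xcopy "c:\quarantine\c\program files\surfsidekick*\*.*.infected" "C:\Program Files\SurfSideKick*\*.*"
REM The scan quarantines VCClient under "commonfiles\vcclient"; the source
REM here used "vcclient" directly and never matched.
@xcopy "c:\quarantine\c\program files\commonfiles\vcclient\*.*.infected" "C:\Program Files\Common Files\VCClient\*.*"
@xcopy c:\quarantine\c\windows\system32\scchk32.infected "C:\WINDOWS\system32\scchk32.exe"
@xcopy c:\quarantine\c\windows\system32\service.dll.infected "C:\WINDOWS\system32\service.dll"
@xcopy c:\quarantine\c\windows\system32\gcpdxljp.dll.infected "C:\WINDOWS\system32\gcpdxljp.dll"
@xcopy c:\quarantine\c\windows\system32\ssqrolj.dll.infected "C:\WINDOWS\system32\ssqrolj.dll"
@xcopy c:\quarantine\c\windows\system\restore\statemgr.exe.infected "C:\WINDOWS\System\Restore\StateMgr.exe"
@xcopy c:\quarantine\hclean32.exe.infected "C:\WINDOWS\HCLEAN32.EXE"
@xcopy c:\quarantine\c\windows\system32\dmcup.exe.infected "C:\WINDOWS\System32\dmcup.exe"
@xcopy "c:\quarantine\c\program file\wareout\*.*.infected" "C:\Program Files\WareOut\*.*"
@xcopy "c:\quarantine\c\program files\toolbar\*.*.infected" "c:\program files\toolbar\*.*"
@xcopy "c:\quarantine\program files\*\*.*.infected" "c:\program files\toolbar\*\*.*"
@xcopy "c:\quarantine\c\program files\myweb*\*.*.infected" "c:\program files\myweb*\*.*"
@xcopy c:\quarantine\c\windows\system32\prvdi1.exe.infected "C:\WINDOWS\system32\prvdi1.exe"
@xcopy c:\quarantine\c\windows\appatch\mscun.dll.infected "C:\WINDOWS\AppPatch\msvcun.dll"
@xcopy c:\quarantine\c\windows\system32\st3.dll.infected "C:\WINDOWS\system32\st3.dll"
@xcopy c:\quarantine\c\windows\adslapbd.dll.infected "C:\WINDOWS\adsldpbd.dll"
@xcopy c:\quarantine\c\windows\q842468_disk.dll.infected "C:\WINDOWS\q842468_disk.dll"
@xcopy c:\quarantine\c\windows\q10948125.dll.infected "C:\WINDOWS\q10948125.dll"
@xcopy c:\quarantine\c\windows\system32\winstyle2.dll.infected "C:\WINDOWS\system32\winstyle2.dll"
@xcopy c:\quarantine\c\windows\q126578.dll.infected "C:\WINDOWS\q126578.dll"
@xcopy "c:\quarantine\c\program files\common files\wintools\*.*.infected" "C:\Program Files\Common Files\WinTools\*.*"
@xcopy c:\quarantine\c\windows\system32\services\wmplayer.exe.infected "C:\WINDOWS\system32\services\wmplayer.exe"
@xcopy c:\quarantine\c\windows\wupdt.exe.infected "C:\WINDOWS\wupdt.exe"
REM The closing quote was missing on this destination.
@xcopy c:\quarantine\c\windows\cdproxyserv.exe.infected "C:\WINDOWS\CDProxyServ.exe"
REM Previously fell straight through into the "Clear Quarantine?" prompt.
echo Quarantine restored!
pause
goto qurantinemanagement

REM Clear: wipe and recreate c:\quarantine (confirmed first; /q suppresses
REM rd's own prompt, so this y/n is the only gate).
:clear
set optiontwo="Clear Quarantine?"
set /p optiontwo=%optiontwo% (y,n) :
if '%optiontwo%'=='y' GOTO clear2
if '%optiontwo%'=='n' goto qurantinemanagement
echo.
echo That was not a valid choice
goto clear
:clear2
rd "c:\quarantine\" /q /s
md "c:\quarantine\"
echo Quarantine Cleared!
pause
goto qurantinemanagement

REM ---------------------------------------------------------------------------
REM Cookie / temp cleanup. NOTE(review): these are Windows 9x-style locations
REM (c:\windows\cookies, tempor~1); per-user profile folders are not touched.
REM "del *.*" asks for confirmation itself, so no separate gate is needed.
REM ---------------------------------------------------------------------------
:cookiecleanup
set Optionthree="delete cookies?"
set /p Optionthree=%Optionthree% (y,n) :
if '%Optionthree%'=='y' goto cookiecleanup2
if '%Optionthree%'=='n' goto menu
echo.
echo That was not a valid choice
goto cookiecleanup
:cookiecleanup2
cls
echo REMOVING COOKIES...
del c:\windows\cookies\*.*
del c:\windows\tempor~1\*.*
del c:\temp\*.*
del c:\windows\temp\tempor~1\*.*
del c:\windows\temp\cookies\*.*
del c:\windows\temp\history\*.*
cls
echo COOKIES REMOVED!
pause
goto menu

REM Hosts file: opens it in the MS-DOS "edit" program (16-bit; not present on
REM 64-bit Windows) for manual review of hijacked entries.
:hostsmgr
edit "c:\windows\system32\drivers\etc\hosts"
goto menu

REM ---------------------------------------------------------------------------
REM Built-in HijackThis log analyzer. Reads "hijackthis.log" from the current
REM folder and, per family, prints every log line that contains one of the
REM fixed strings below ("find" is a literal, case-sensitive match). A hit is
REM a lead to check by hand, not a verdict.
REM ---------------------------------------------------------------------------
:HJTanalyzer
REM Without this guard every "find" below just prints a file-not-found error.
if exist "hijackthis.log" goto HJTanalyzer2
echo hijackthis.log was not found in the current folder
pause
goto menu
:HJTanalyzer2
cls
echo =======================HJT Analyzer=======================================
echo Adware.IEPlugin
echo.
find "O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe" "hijackthis.log"
echo ...............................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo alcan worm
echo.
find "F0 -" "hijackthis.log"
find "O4 - HKLM\..\Run: [MsConfigs] C:\Program Files\MsConfigs\MsConfigs.exe" "hijackthis.log"
find "O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe" "hijackthis.log"
find "O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe" "hijackthis.log"
find "C:\Program Files\MsUpdate\MsUpdate.exe /auto" "hijackthis.log"
find "O4 - HKLM\..\Run: [ms-update] scvhost.exe" "hijackthis.log"
find "C:\Program Files\winsupdater\winsupdater.exe /auto" "hijackthis.log"
find "O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto" "hijackthis.log"
find "O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto" "hijackthis.log"
find "O4 - HKLM\..\Run: [virtual-ie] winlogi.exe" "hijackthis.log"
find "O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe" "hijackthis.log"
find "O4 - HKLM\..\Run: [MS DATABASE] MSDATA32.EXE" "hijackthis.log"
REM A 'find "" "hijackthis.log"' with an empty search string was removed here,
REM along with duplicated find lines in this and the previous section.
find "O4 - HKLM\..\RunServices: [MS DATABASE] MSDATA32.EXE" "hijackthis.log"
echo ...............................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo blockchecker
echo.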
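REM Continuation of the built-in HJT log analyzer (":HJTanalyzer", above this
REM chunk): one screen per family, each a list of literal strings searched for
REM in hijackthis.log. "find" is case-sensitive, so a search string has to
REM match the log's spelling exactly; the "Sofware" typos below never matched.
find "O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\system32\navshext.dll" "hijackthis.log"
find "O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo coolwebsearch
echo.
REM Was "HKLM\Sofware\..." on the next two lines.
find "R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER\LOCALS~1\Temp\sp.html" "hijackthis.log"
find "R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER\LOCALS~1\Temp\sp.html" "hijackthis.log"
find "R1 - HKLM\Software\Microsoft\Internet Explorer\Main,StartPage = about:blank" "hijackthis.log"
find "R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure" "hijackthis.log"
find "R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure" "hijackthis.log"
find "O18 - Filter: text/html - {C6053F28-AF9D-4A4B-AD7C-87A6F58F7045} - C:\WINDOWS\System32\pab.dll" "hijackthis.log"
find "O18 - Filter: text/plain - {C6053F28-AF9D-4A4B-AD7C-87A6F58F7045} - C:\WINDOWS\System32\pab.dll" "hijackthis.log"
find "R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html" "hijackthis.log"
find "O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.Dll,DllInstall" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo CWS paytime
echo.
find "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php" "hijackthis.log"
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php" "hijackthis.log"
find "R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php" "hijackthis.log"
find "R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php" "hijackthis.log"
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php" "hijackthis.log"
find "R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php" "hijackthis.log"
find "O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe" "hijackthis.log"
find "O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http://69.31.82.260/1/gdnUS10.exe" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo Home Search infection
echo.
find "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\" "hijackthis.log"
find "O23 - Service: Workstation NetLogon Service - Unknown owner - C:\WINDOWS\system32\javazu32.exe (file missing)" "hijackthis.log"
find "O23 - Service: Remote Procedure Call (RPC) Helper" "hijackthis.log"
find "O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\sysum32.exe" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo CODBOT-Y BACKDOOR TROJAN detected
echo.
find "O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesv.exe" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo Derbiz EGroup.ASDPlugin Trojan
echo.
find "O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\dbaccess.exe" "hijackthis.log"
find "O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\geaccess.exe" "hijackthis.log"
find "O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\dsldbaccess.exe" "hijackthis.log"
find "O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\adult1.exe" "hijackthis.log"
find "O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\Xadult1.exe" "hijackthis.log"
find "O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\temp532.exe -N" "hijackthis.log"
find "O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\country.exe" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo e2give infection
echo.
find "O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll" "hijackthis.log"
find "O20 - AppInit_DLLs: iniwin32.dll" "hijackthis.log"
find "O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\system32\elite" "hijackthis.log"
find "O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\system32\elite" "hijackthis.log"
find "O4 - HKLM\..\Run: [antiware] C:\WINDOWS\system32\elite" "hijackthis.log"
find "O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system32\elite" "hijackthis.log"
find "O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\system32\elite" "hijackthis.log"
find "C:\WINDOWS\etb\pokpoka" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo esbot infection
echo.
find "O23 - Service: iTunes Music Service (iTunesMusic) - Apple - C:\WINDOWS\iTunesMusic.exe" "hijackthis.log"
find "O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe" "hijackthis.log"
find "O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe" "hijackthis.log"
find "O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe" "hijackthis.log"
find "O23 - Service: Windows Update Service -Unknown owner - C:\WINDOWS\pwnsvc.exe" "hijackthis.log"
find "O23 - Service: AOL Instant Messenger (AIM) - Unknown owner - C:\WINDOWS\aim.exe" "hijackthis.log"
find "O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\aims.exe" "hijackthis.log"
find "O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe" "hijackthis.log"
find "O23 - Service: Mouse Movement Monitor (mousemm) - Unknown owner - C:\WINDOWS\System32\mousemm.exe" "hijackthis.log"
find "O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe" "hijackthis.log"
find "O23 - Service: Microsoft Windows Service - Unknown owner - C:\WINDOWS\mousesync.exe" "hijackthis.log"
find "O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINDOWS\System32\mousebm.exe" "hijackthis.log"
find "O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINDOWS\system32\wpa.exe" "hijackthis.log"
find "O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe" "hijackthis.log"
find "O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINDOWS\System32\wupnp.exe" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo FService Porat Trojan
echo.
REM This line was present twice; once is enough.
find "F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo Haxdoor Trojan
echo.
find "O4 - HKLM\..\Run: [secboot] C:\WINDOWS\system32\avpx32.exe" "hijackthis.log"
find "O4 - Global Startup: winlogin.exe" "hijackthis.log"
find "O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll" "hijackthis.log"
find "O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll" "hijackthis.log"
find "O20 - Winlogon Notify: avpi32 - C:\WINDOWS\SYSTEM32\avpi32.dll" "hijackthis.log"
find "O20 - Winlogon Notify: fuxx32 - C:\WINDOWS\SYSTEM32\fuxx32.dll" "hijackthis.log"
find "O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo Hotoffers hijacker
echo.
find "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com" "hijackthis.log"
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192" "hijackthis.log"
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0179" "hijackthis.log"
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchzoomer.com" "hijackthis.log"
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/" "hijackthis.log"
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supersearchs.com" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo IEACCESS dialer
echo.
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = community.surfya.com/" "hijackthis.log"
find "O4 - HKLM\..\Run: [IEACCESS] C:\WINDOWS\system32\temp532.exe -N" "hijackthis.log"
find "O4 - HKLM\..\Run: [IEACCESS] C:\WINDOWS\system32\surfya.exe -N" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo ISTbar infection
echo.
find "C:\WINDOWS\opxpmqpc.exe" "hijackthis.log"
find "C:\Program Files\ISTsvc\istsvc.exe" "hijackthis.log"
find "O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo Look2Me/VX2 infection
echo.
find "O1 - Hosts: 69.20.16.183" "hijackthis.log"
find "msg116.dll" "hijackthis.log"
REM NOTE(review): this searches the log for the literal text
REM "Check O20 - Winlogon Notify!" - it reads like an instruction to the user
REM that was meant to be an "echo"; left as written.
find "Check O20 - Winlogon Notify!" "hijackthis.log"
find "msg117.dll" "hijackthis.log"
find "msg118.dll" "hijackthis.log"
find "msg119.dll" "hijackthis.log"
find "msg120.dll" "hijackthis.log"
find "msg121.dll" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo LOP.com infection
echo.
find "O2 - BHO: (no name) - {33F90BED-63C3-B0FC-3758-5F7957985D0A} - C:\DOCUME~1\" "hijackthis.log"
find "O4 - HKLM\..\Run: [IdleDateHopeLoud]" "hijackthis.log"
find "O4 - HKLM\..\Run: [MessengerPlus" "hijackthis.log"
find "O4 - HKLM\..\Run: [SoftGrim]" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo Mediapipe movie scam
echo.
find "O4 - HKLM\..\Run: [Mediapipe P2P Loader] C:\Program Files\p2pnetworks\mpp2pl.exe /H" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo Win-eto/SnapX redirect
echo.
find "R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9" "hijackthis.log"
find "R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://superspider.com/greg/sp.php" "hijackthis.log"
find "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://superspider.com /greg/sp.php" "hijackthis.log"
find "R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com /hp.htm?id=31865" "hijackthis.log"
find "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://win-eto.com /hp.htm?id=31865" "hijackthis.log"
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com /hp.htm?id=31403" "hijackthis.log"
find "R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com /hp.htm?id=31403" "hijackthis.log"
find "O2 - BHO: (no name) - {467FAEB2-5F5B-Bc81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\T23GPB~1.DLL" "hijackthis.log"
find "O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe" "hijackthis.log"
find "O4 - HKLM\..\Run: [Control Handler] C:\WINDOWS\System32\bszkwrhwcmbjthd.exe" "hijackthis.log"
find "O15 - Trusted Zone: *.greg-search.com" "hijackthis.log"
echo ................................................
echo.
pause
cls
echo =======================HJT Analyzer=======================================
echo RBOT-SI WORM infection
echo.
find "O4 - HKLM\..\Run: [Windows Media Player] msa.exe" "hijackthis.log"
find "O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe" "hijackthis.log"
find "O4 - HKCU\..\Run: [Windows Media Player] msa.exe" "hijackthis.log"
echo ................................................
echo.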
pause cls echo =======================HJT Analyzer======================================= echo MSN Messenger Worm [W32.Chod.D] echo. find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamingunderground.us/index.php" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Nail/Aurora infection echo. find "R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=" "hijackthis.log" find "F2 - REG:system.ini Shell=Explorer.exe C:\WINDOWS\Nail.exe" "hijackthis.log" find "O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AEC59} - C:\WINDOWS\dsr.dll" "hijackthis.log" find "O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D9-1645A0B08410} - C:\WINDOWS\Bolger.dll" "hijackthis.log" find "O23 - Service: Ssytem Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo New.net infection echo. find "O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\" "hijackthis.log" find "O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s" "hijackthis.log" find "O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s" "hijackthis.log" find "O10 - Hijacked Internet access by New.Net" "hijackthis.log" find "O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Peper Trojan echo. 
find "Peper" "hijackthis.log" echo ............................................... echo. pause cls echo =======================HJT Analyzer======================================= echo PurityScan echo. find "O4 - HKCU\..\Run: [Cswxlghb] C:\WINDOWS\System32\l?ass.exe" "hijackthis.log" find "c:\windows\system32\?racle\m?dtc.exe" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Qoologic Trojan echo. find "O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart" "hijackthis.log" find "O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart" "hijackthis.log" find "O4 - HKLM\..\Run: [KavSvc]" "hijackthis.log" find "O4 - HKLM\..\Run: [Narrator]" "hijackthis.log" find "O4 - HKLM\..\Run: [winsync]" "hijackthis.log" find "F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wfqhc.exe" "hijackthis.log" find "F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ibwlntp.exe" "hijackthis.log" find "F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\poemr.exe" "hijackthis.log" find "F2 - REG:system.ini: UserInit=userinit.exe,ajlpdrd.exe" "hijackthis.log" find "O4 - HKLM\..\Run: [fajgkc] C:\WINDOWS\System32\fifoke.exe reg_run" "hijackthis.log" find "O4 - HKLM\..\Run: [bwqhm] C:\WINDOWS\System32\fifoke.exe reg_run" "hijackthis.log" find "O4 - HKLM\..\Run: [bwqhm] C:\WINDOWS\System32\fifoke.exe reg_run" "hijackthis.log" find "O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll" "hijackthis.log" find "O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll" "hijackthis.log" find "O9 - Extra 'Tools' menuitem: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll" "hijackthis.log" echo ................................................ echo. 
pause cls echo =======================HJT Analyzer======================================= echo RBClac [Win32.Small.la] Poker Rootkit echo. find "O4 - HKLM\..\Run: [Comclg32] C:\WINDOWS\System32\utlsrv.exe /Comclg32.dll" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Sasser virus echo. find "O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe" "hijackthis.log" find "O4 - HKLM\..\Run: [avserve.exe] C:\WINDOWS\avserve.exe" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Smitfraud and variants echo. find "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1" "hijackthis.log" find "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1" "hijackthis.log" find "R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Customize Search = http://www.oneclicksearches.com/search.php?qq=%1" "hijackthis.log" find "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1" "hijackthis.log" find "F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe" "hijackthis.log" find "O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a}" "hijackthis.log" find "O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - " "hijackthis.log" find "O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}" "hijackthis.log" find "O2 - BHO: Nothing - {b0398eca-0bcd-4645-9261-5e9dc70248d0}" "hijackthis.log" find "{00000000-59D4-4008-9058-080011001200}" "hijackthis.log" find "{00000000-C1EC-0345-6EC2-4D0300000000}" "hijackthis.log" find "{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b}" "hijackthis.log" find "O2 - BHO: winapi32.BHO - 
{62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\ssytem32\winapi32.dll" "hijackthis.log" find "{7b55bb05-0b4d-44fd-81a6-b136188f5deb}" "hijackthis.log" find "{8333c319-0669-4893-a418-f56d9249fca6}" "hijackthis.log" find "{e52dedbb-d168-4bdb-b229-c48160800e81}" "hijackthis.log" find "{ffd2825e-0785-40c5-9a41-518f53a8261f}" "hijackthis.log" find "O2 - BHO: CM BHO - {6379A99A-9102-446C-A837-0623E1810D75}" "hijackthis.log" find "O2 - BHO: MIT BHO - {6379A99A-9102-446C-A837-0623E1810D75} -" "hijackthis.log" find "{00000000-F09C-02B4-6EC2-AD0300000000}" "hijackthis.log" find "O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\System32\adobepnl.dll" "hijackthis.log" find "{9c691a33-7dda-4c2f-be4c-c176083f35cf}" "hijackthis.log" find "O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - " "hijackthis.log" find "O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - " "hijackthis.log" find "O3 - Toolbar: CM Band - {159C2£51-9823-11D2-8DDC-D84A1B4ACD4D} - " "hijackthis.log" find "O3 - Toolbar: MIT Band - {159C2£51-9823-11D2-8DDC-D84A1B4ACD4D} - " "hijackthis.log" find "O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE" "hijackthis.log" find "O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe" "hijackthis.log" find "O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [SpySheriff]" "hijackthis.log" find "O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe" "hijackthis.log" find "O4 - HKLM\..\Run: [PSGuard]" "hijackthis.log" find "O4 - HKLM\..\Run: [WinHound]" "hijackthis.log" find "O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [Anti-Virus-Pro]" "hijackthis.log" find "O4 - HKCU\..\Run: [Windows update loader] C:\WINDOWS\xpupdate.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [BraveSentry]" "hijackthis.log" find "O4 - 
HKCU\..\Run: [The Spy Guard]" "hijackthis.log" find "O4 - HKCU\..\Run: [The Spy Guard Monitor]" "hijackthis.log" find "O4 - HKCU\..\Run: [Shell] C:\WINDOWS\SYSTEM\ibm00001exe" "hijackthis.log" find "O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [SpySheriff]" "hijackthis.log" find "O4 - HKLM\..\Run: [SpywareBot]" "hijackthis.log" find "O4 - HKLM\..\Run: [SpywareQuake]" "hijackthis.log" find "O4 - HKLM\..\Run: [SpyQuake2.com]" "hijackthis.log" find "O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe" "hijackthis.log" find "O4 - Startup: spywaresheriff.lnk = " "hijackthis.log" find "O4 - HKLM\..\Run: [SpywareStrike]" "hijackthis.log" find "O4 - Startup: titanshield.lnk = " "hijackthis.log" find "O4 - HKLM\..\Run: [SpyAxe]" "hijackthis.log" find "O9 - Extra button: Microsoft Antispyware helper - {4D186D89-32DB-439E-A37D-50511D6393C7} - (file missing) (HKCU)" "hijackthis.log" find "O9 - Extra button: Microsoft Antispyware helper - {4D186D89-32DB-439E-A37D-50511D6393C7} - C:\WNDOWS\System32\wldr.dll" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Sony Rootkit infection (XCP CD) echo. find "O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe" "hijackthis.log" find "O16 - DPF: {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC} (CodeSupport Control) - http://www.xcp-aurora.com/clients\SoftwareUpdate.cab" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Spyware Soft Stop echo. 
find "O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\kerneld16.exe" "hijackthis.log" find "O4 - HKLM\..\Run: [Spyware Soft Stop] C:\Programn Files\Spyware Soft Stop\Spyware Soft Stop.exe" "hijackthis.log" find "O20 - Winlogon Notify: s_reg - C:\WINDOWS\SYSTEM32\notifysb.dll" "hijackthis.log" find "Spyware Soft Stop Winlogon notify absent" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Startpage.O Trojan echo. find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home" "hijackthis.log" find "R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home" "hijackthis.log" find "O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll" "hijackthis.log" find "O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll" "hijackthis.log" find "O2 - BHO: ATDPClass - {E3D3AFEE-2172-4ef5-8509-1638AFFF0374} - C:\WINDOWS\atlass.dll" "hijackthis.log" find "O2 - BHO: ATDPClass - {E3D3AFEE-2172-4ef5-8509-1638AFFF0374} - C:\WINDOWS\atlass.dll" "hijackthis.log" find "O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE" "hijackthis.log" find "O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE" "hijackthis.log" find "O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE" "hijackthis.log" find "O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE" "hijackthis.log" find "O4 - HKCU\..\Run: [ALG32] C:\WINDOWS\System32\ALG32.EXE" "hijackthis.log" find "O4 - HKCU\..\Run: [SPOOLSVU] C:\WINDOWS\System32\SPOOLSVU.EXE" "hijackthis.log" find "O4 - HKCU\..\Run: [ALGU] C:\WINDOWS\System32\ALGU.EXE" "hijackthis.log" find "O4 - HKCU\..\Run: [SPOOLSV32] C:\WINDOWS\System32\SPOOLSV32.EXE" "hijackthis.log" echo ................................................ echo. 
pause cls echo =======================HJT Analyzer======================================= echo SurfSideKick infection echo. find "R3 - URLSearchHook: (no name) - {000AB005-FF12-42C2-8DF5-39E12E5F9C91} - C:\Program Files\SurfSideKick\SskBho.dll" "hijackthis.log" find "O4 - HKCU\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe" "hijackthis.log" find "O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe" "hijackthis.log" find "O20 - AppInit_DLLs: repairs.dll" "hijackthis.log" find "O20 - AppInit_DLLs: repairs302972943.dll" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo ultimatefixer infection echo. find "O4 -HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Vundo/Virtumonde Trojan echo. 
find "O2 - BHO: CATLEvents Object" "hijackthis.log" find "O2 - BHO: MSEvents Object" "hijackthis.log" find "O2 - BHO: ATLDistrib Object" "hijackthis.log" find "O2 - BHO: CIEPI Object - {F85E86D8-F796-AAA2-26664A98A42C} - C:\WINDOWS\system32\service.dll" "hijackthis.log" find "O2 - BHO: CIEPI Object - {F85E86D8-F796-AAA2-26664A98A42C} - C:\WINDOWS\system32\service.dll" "hijackthis.log" find "O2 - BHO: (no name) {549B5CA7-4A86-11D7-A4DF-000874180BB3} -(no file)" "hijackthis.log" find "O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\gcpdxljp.dll (file missing)" "hijackthis.log" find "O2 - BHO: (no name) - {A1F5BF91-2BAE-400E-B5CC-C96427AB099E} - C:\WINDOWS\system32\ssqrolj.dll (file missing)" "hijackthis.log" find "O4 - HKLM\..\Run: [*" "hijackthis.log" find "O4 - HKLM\..\RunOnce: [*" "hijackthis.log" find "O4 - HKCU\..\RunOnce: [*" "hijackthis.log" find "O2O - Winlogon Notify: imgps" "hijackthis.log" find "O20 - Winlogon Notify: req" "hijackthis.log" find "O20 - Winlogon Notify: taskfont" "hijackthis.log" find "O20 - Winlogon Notify: service - service.dll" "hijackthis.log" find "O20 - Winlogon Notify: ssqrolj - ssqrolj.dll (file missing)" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo WareOut infection echo. 
find "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff+19" "hijackthis.log" find "O1 - Hosts: localhost 127.0.0.1" "hijackthis.log" find "O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\HCLEAN32.EXE" "hijackthis.log" find "O4 - HKLM\..\Run: [dmcup.exe] C:\WINDOWS\System32\dmcup.exe" "hijackthis.log" find "O4 - HKLM\..\Run: [WareOut] C:\Program Files\WareOut\WareOut.exe" "hijackthis.log" find "O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)" "hijackthis.log" find "O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)" "hijackthis.log" find "O17 - HKLM\System\CCS\Services\Tcpip\..\{55B2AE21-8872-48DB-A2B4-6831AB3122B!}: NameServer = 69.50.184.84,85.255.112.9" "hijackthis.log" find "O17 - HKLM\System\CCS\Services\Tcpip\..\{ECFF8F98-69BE-40ED-A311-2965DB08F05D}: NameServer = 69.50.184.84,195.225.176.37" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Websearch infection echo. 
find "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=" "hijackthis.log" find "O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe" "hijackthis.log" find "O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" "hijackthis.log" find "O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50024/QDow_AS2.cab" "hijackthis.log" find "O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll" "hijackthis.log" find "O23 - Service: WebSearch Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Tollbar\TBPSSvc.exe" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo WebSiteViewer echo. find "O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi1.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi1.exe" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo Winfixer infection echo. find "O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe" "hijackthis.log" find "O15 - Trusted Zone: *.frame.crazywinnings.com" "hijackthis.log" find "O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)" "hijackthis.log" find "O15 - Trusted Zone: *.media-motor.net" "hijackthis.log" find "O15 - Trusted Zone: *.popuppers.com" "hijackthis.log" find "O20 - Winlogon Notify: msvcun - C:\WINDOWS\AppPatch\msvcun.dll" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo W32.Delfkil.exe/W32.Delf.pa echo. 
find "O2 - BHO: C:\WINDOWS\q842468_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q842468_disk.dll" "hijackthis.log" find "O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll" "hijackthis.log" find "O2 - BHO: (no name) - {8D82BB89-B5-8C-4F21--9C5D-377F65947806} - C:\WINDOWS\slassac.dll" "hijackthis.log" find "O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\prflbmsgp32.dll" "hijackthis.log" find "O2 - BHO: (no name) - {C7CF1142-0785-4B12-A280-B64681E4D45E} - C:\WINDOWS\system32\prflbmsgp32.dll" "hijackthis.log" find "O2 - BHO: C:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - C:\WINDOWS\system32\st3.dll" "hijackthis.log" find "O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B711} - C:\WINDOWS\adsldpbd.dll" "hijackthis.log" find "O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll" "hijackthis.log" find "O2 - BHO: C:\WINDOWS\adsldpbd.dll - {C0E5FF11-4AE0-4699-A6A7-2FB7118F2081} - C:\WINDOWS\adsldpbd.dll" "hijackthis.log" find "O20 - Winlogon Notify: style32 - C:\WINDOWS\q842468_disk.dll" "hijackthis.log" find "O20 - Winlogon Notify: style2 - C:\WINDOWS\q842468_disk.dll" "hijackthis.log" find "O20 - Winlogon Notify: style2 - C:\WINDOWS\q10948125.dll" "hijackthis.log" find "O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll" "hijackthis.log" find "O20 - Winlogon Notify: style32 - C:\WINDOWS\system32\winstyle32.dll" "hijackthis.log" find "O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll" "hijackthis.log" find "O20 - Winlogon Notify: st3i - C:\WINDOWS\q126578.dll" "hijackthis.log" find "O20 - Winlogon Notify: gg - BHO: C:\WINDOWS\adsldpbd.dll" "hijackthis.log" find "O20 - Winlogon Notify: gggg - BHO: C:\WINDOWS\adsldpbd.dll" "hijackthis.log" find "O20 - Winlogon Notify: ggggg - BHO: C:\WINDOWS\adsldpbd.dll" "hijackthis.log" echo 
................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo WinTools infection echo. find "R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=" "hijackthis.log" find "R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa" "hijackthis.log" find "O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll" "hijackthis.log" find "O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WinToolsA.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WinToolsA.exe" "hijackthis.log" find "O4 - HKCU\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe" "hijackthis.log" find "O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe" "hijackthis.log" find "O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WinToolsS.exe" "hijackthis.log" echo ................................................ echo. pause cls echo =======================HJT Analyzer======================================= echo WMPLAYER.EXE hijacker Agobot-Bm Worm echo. find "O4 - HKLM\..\Run: [wmplayer] C:\WINDOWS system32\services\wmplayer.exe" "hijackthis.log" echo ............................................... echo. pause cls echo =======================HJT Analyzer======================================= echo analysis finished! pause goto menu