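@echo off
rem ============================================================
rem Virus Removal Tool (cmd.exe batch script)
rem
rem Cleans up a worm that installs itself as the "kkdc" service, drops
rem cmd.exe.exe, lsass.exe, setuprs1.pif and r*.exe under %SYSTEMROOT%,
rem and plants autorun.inf / RUNAUT~1 on every drive root. It also
rem undoes the registry changes the worm makes (IFEO "Debugger" hijack
rem of cmd/msconfig/regedit/regedt32, firewall exception for its
rem lsass.exe, hidden-file view setting, SVOHOST Run entry) and then
rem disables AutoRun for all drives.
rem
rem Usage:   run from an administrative command prompt, no arguments.
rem          The argument "vskip" is used only when the script
rem          re-launches itself and skips the confirmation banner.
rem Requires administrative rights: sc delete, reg delete/add under
rem HKLM and deleting files under %SYSTEMROOT% fail silently otherwise.
rem ============================================================
setlocal
mode con cols=80 lines=25
title "Virus Removal Tool"
color 0A

rem Warn (but continue) when not elevated: the cleanup used to run
rem unconditionally and then report success even when every privileged
rem step had failed.
net session >nul 2>&1
if errorlevel 1 (
  echo WARNING: administrative rights were not detected.
  echo          Service, registry and system-file cleanup steps may silently fail.
  echo.
)

rem Re-entry point used by :vcmd below - skip banner and confirmation.
if /i "%~1"=="vskip" goto viremovl

cls
echo --------------------------------------------
echo * Original Chinese code release 2007-05-23
echo * Modified by www.CTPAX-X.ru 2007-09-08
echo Virus Removal Tool
echo The virus resident under C:\windows\
echo cmd.exe.exe,lsass.exe,setuprs1.pif
echo autorun.inf, runauto..
echo autorun.inf text:
echo [AutoRun]
echo open=RUNAUT~1\autorun.pif
echo shell\1=??(O)
echo shell\1\Command=RUNAUT~1\autorun.pif
echo shell\2\=??(B)
echo shell\2\Command=RUNAUT~1\autorun.pif
echo shellexecute=RUNAUT~1\autorun.pif
echo --------------------------------------------
rem Clear the variable first: "set /p" leaves it untouched when the user
rem just presses Enter, so a stale value could otherwise auto-confirm.
set "confremv="
set /p confremv="Do you want to continue (type Y to confirm)? "
rem /i makes the comparison case-insensitive; quoting avoids a syntax
rem error when the answer is empty or contains spaces.
if /i "%confremv%"=="Y" goto viremovl
goto quit

:viremovl
rem --- stop and remove the malicious "kkdc" service --------------------
rem Kill the process hosting the service first so the files below are
rem not locked, then stop and unregister the service itself.
taskkill /fi "services eq kkdc" /f
rem taskkill /im cmd.exe.exe /f
taskkill /im regedit.exe.exe /f
taskkill /im r.exe /f
sc stop kkdc
net stop kkdc
sc delete kkdc

rem --- dropped files: strip system/hidden/read-only, then delete -------
attrib -s -h -r %SystemDrive%\autorun.inf
attrib -s -h -r %SystemDrive%\r.exe
attrib -s -h -r "%SYSTEMROOT%\cmd.exe.exe"
attrib -s -h -r "%SYSTEMROOT%\lsass.exe"
attrib -s -h -r "%SYSTEMROOT%\setuprs1.pif"
attrib -s -h -r "%SYSTEMROOT%\r.exe"
attrib -s -h -r "%SYSTEMROOT%\r*.exe"
rd %SystemDrive%\runaut~1 /s /q
del %SystemDrive%\autorun.inf /q
del %SystemDrive%\r.exe /q
del "%SYSTEMROOT%\cmd.exe.exe" /q
del "%SYSTEMROOT%\lsass.exe" /q
del "%SYSTEMROOT%\setuprs1.pif" /q
del "%SYSTEMROOT%\r.exe" /q

rem The worm's copies use r*.exe names, so a wildcard delete is needed,
rem but %SYSTEMROOT%\regedit.exe also matches r*.exe. Park regedit.exe
rem under a non-matching name first. NOTE: "ren" takes a bare new name,
rem not a path - the previous version passed a full path, which makes
rem ren fail and would have let the wildcard delete remove regedit.exe.
set "regedit_parked=1"
if exist "%SYSTEMROOT%\regedit.exe" (
  ren "%SYSTEMROOT%\regedit.exe" _regedit.exe || set "regedit_parked="
)
if defined regedit_parked (
  del "%SYSTEMROOT%\r*.exe" /q
) else (
  echo WARNING: could not rename regedit.exe - skipping wildcard delete of r*.exe
)
if exist "%SYSTEMROOT%\_regedit.exe" ren "%SYSTEMROOT%\_regedit.exe" regedit.exe

rem --- registry: undo the worm's persistence and hijacks ---------------
rem An IFEO "Debugger" value makes Windows launch the worm instead of
rem the named tool every time that tool is started.
for %%p in (cmd.exe msconfig.exe regedit.exe regedt32.exe) do (
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%%p" /v Debugger /f
)
rem Service, legacy-device and firewall-exception entries in every
rem control set. The firewall value name is the path the worm
rem registered; it used to be hard-coded as C:\WINDOWS\lsass.exe, which
rem is what %SYSTEMROOT%\lsass.exe expands to on a default install.
for %%c in (ControlSet001 ControlSet002 ControlSet003 CurrentControlSet) do (
  reg delete "HKLM\SYSTEM\%%c\Enum\Root\LEGACY_KKDC" /f
  reg delete "HKLM\SYSTEM\%%c\Services\kkdc" /f
  reg delete "HKLM\SYSTEM\%%c\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" /v "%SYSTEMROOT%\lsass.exe" /f
)
rem Run-key entry, and the "show hidden files" setting the worm tampers
rem with: drop it and re-create CheckedValue as DWORD 1 so Explorer can
rem show hidden files again.
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SVOHOST /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t reg_dword /d 1 /f

rem Disable AutoRun for every drive type and every drive letter, for the
rem machine and for the current user, so an infected removable disk
rem cannot re-infect the system.
for %%h in (HKEY_LOCAL_MACHINE HKEY_CURRENT_USER) do (
  reg add "%%h\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t reg_dword /d 000000ff /f
  reg add "%%h\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveAutoRun /t reg_dword /d 03ffffff /f
)

rem --- autorun.inf / RUNAUT~1 on every drive root ----------------------
rem autorun.inf is handled both as a file and as a directory. cacls
rem grants Everyone full control first in case the worm restricted the
rem ACL to block deletion.
for %%d in (c d e f g h i j k l m n o p q r s t u v w x y z) do (
  if exist %%d:\autorun.inf cacls %%d:\autorun.inf /c /e /p /t everyone:f
  if exist %%d:\autorun.inf attrib -s -h -r %%d:\autorun.inf
  if exist %%d:\autorun.inf del %%d:\autorun.inf /q
  if exist %%d:\autorun.inf rd %%d:\autorun.inf /s /q
  if exist %%d:\runaut~1 cacls %%d:\runaut~1 /c /e /p /t everyone:f
  if exist %%d:\runaut~1 rd %%d:\runaut~1 /s /q
  if exist %%d:\autorun.inf.tmp attrib -s -h -r %%d:\autorun.inf.tmp
  if exist %%d:\autorun.inf.tmp del %%d:\autorun.inf.tmp /q
)

cls
rem If cmd.exe.exe is still present the worm respawned during cleanup:
rem re-launch this script in a fresh window and run the removal again.
rem NOTE: this repeats indefinitely if the file can never be deleted.
if exist "%SYSTEMROOT%\cmd.exe.exe" goto vcmd
goto vmore

:vcmd
rem %~f0 is the script's full path, so the re-launch works regardless of
rem how the script was originally invoked.
start "VRM" /I "%~f0" vskip
goto quit

:vmore
echo ------------------------
echo Removal process finished
echo ------------------------
echo.
set "docheck="
set /p docheck="Do you want run chkdsk for all disk (type Y to confirm)? "
cls
if /i "%docheck%"=="Y" goto check
goto quit

:check
rem chkdsk /f needs to lock the volume; on the system drive it prompts
rem to schedule the check for the next reboot instead.
for %%d in (c d e f g h i j k l m n o p q r s t u v w x y z) do (
  if exist %%d: chkdsk %%d: /f
)

:quit
cls
exit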