@echo off
rem Interactive malware-cleanup checklist for Windows XP-era machines.
rem Usage:  <script> [skip]   -- "skip" jumps straight past the killer download/run steps.
rem Each step clears the screen, says what to look for, waits for a key, then launches
rem the relevant tool: notepad, regedit, an Explorer window or a control-panel applet.
if "%1"=="skip" goto :skip

rem Step 1: obtain the cleanup tool ("killer") through the browser.
rem NOTE(review): the executable is fetched over plain HTTP from a third-party host with
rem no integrity check; prefer the CD-ROM/USB copy the prompt mentions, or verify the
rem file against a known-good hash before running it.
cls
echo .
echo .
echo .
echo Press a key to get killer
echo If the download does not start, then use a CDROM or USB key to load killer
pause
start "" iexplore www.miletechnologies.com/admin/killer/killerxp.exe

rem Step 2: run the cleanup tool from its fixed install location.
cls
echo .
echo .
echo .
echo Press a key run killer
pause
start "" "c:\killer\clean"

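:skip
rem Step 3: inspect the hosts file -- name-resolution overrides are a common hijack point.
rem Paths are quoted so an expansion containing spaces does not split the command.
cls
echo .
echo .
echo .
echo Press a key to check hosts file for strange stuff 
pause
c:
if exist "%systemroot%\system32\drivers\etc\hosts" notepad "%systemroot%\system32\drivers\etc\hosts"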

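rem Step 4: neutralise the legacy autostart scripts dosstart.bat, winstart.bat and
rem wininit.ini by renaming them to .xxx, then open each renamed file for inspection.
rem One "move /y" replaces the earlier copy-then-delete pair: had the copy failed
rem on a full or read-only destination, the delete would still have run and destroyed
rem the only copy of the evidence. Paths are quoted against spaces in the system root.
cls
echo .
echo .
echo .
echo Press a key to rename dosstart.bat winstart.bat and wininit.ini to .xxx
echo Any files that exist will auto-edit the renamed file for inspection
pause
if exist "%systemroot%\dosstart.bat" move /y "%systemroot%\dosstart.bat" "%systemroot%\dosstart.xxx"
if exist "%systemroot%\winstart.bat" move /y "%systemroot%\winstart.bat" "%systemroot%\winstart.xxx"
if exist "%systemroot%\wininit.ini" move /y "%systemroot%\wininit.ini" "%systemroot%\wininit.xxx"
if exist "%systemroot%\wininit.xxx" notepad "%systemroot%\wininit.xxx"
if exist "%systemroot%\dosstart.xxx" notepad "%systemroot%\dosstart.xxx"
if exist "%systemroot%\winstart.xxx" notepad "%systemroot%\winstart.xxx"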

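rem Step 5: print any load= / run= lines from win.ini -- another legacy autostart --
rem then open the file. The path is quoted so spaces in the system root cannot split it.
cls
echo .
echo .
echo .
echo Look for load or run....if listed then Start, Run, notepad c:\windows\win.ini
if exist "%systemroot%\win.ini" type "%systemroot%\win.ini"|find "load="
if exist "%systemroot%\win.ini" type "%systemroot%\win.ini"|find "run="

pause 
if exist "%systemroot%\win.ini" notepad "%systemroot%\win.ini"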

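rem Registry inspection stops. Every stop shows what is normal for one autostart or
rem file-association key, waits, then hands the key to the open_regkey subroutine
rem defined at the end of this section, which opens regedit positioned on it.
cls
echo .
echo .
echo .
echo Look in HKCUser\soft\micro\windows\current version\run  runonce  runservices
echo This will auto-take you to the USER key
pause
call :open_regkey "Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

cls
echo .
echo .
echo .
echo Look in HKLMachine\soft\micro\windows\current version\run  runonce  runservices
echo This will auto-take you to the MACHINE key
pause
call :open_regkey "Computer\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

cls
echo .
echo .
echo .
echo Look in HKLMachine\soft\micro\windows nt\current version\winlogon
echo This will auto-take you to the Winlogon key (Shell should only have explorer.exe)
echo (userinit should only have C:\WINDOWS\system32\userinit.exe,)
echo (System should be blank)
pause
call :open_regkey "Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"

cls
echo .
echo .
echo .
echo Look in HKLMachine\soft\micro\windows nt\current version\winlogon\notify
echo This will auto-take you to the notify key (These should be on the list, maybe more)
echo crypt32chain
echo cryptnet
echo cscdll
echo ScCertProp
echo Schedule
echo sclgntfy
echo SensLogn
echo termsrv
echo WgaLogon
echo wlballoon
pause
call :open_regkey "Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"

cls
echo .
echo .
echo .
echo Look in HKLMachine\soft\micro\windows\current version\policies\explorer
echo This will auto-take you to the local machine policies explorer (should not be a run key under policies-explorer)
pause
call :open_regkey "Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer"

cls
echo .
echo .
echo .
echo Look in HKCurrent User\soft\micro\windows\current version\policies\explorer
echo This will auto-take you to the Policy Explorer key (there should not be a run key under explorer, under policy)
pause
call :open_regkey "Computer\\HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer"

rem The next two prompts used to say "HKCurrent User" while the key actually opened is
rem under HKEY_LOCAL_MACHINE; the wording now matches the key.
cls
echo .
echo .
echo .
echo Look in HKLMachine\soft\micro\windows\current version\shellserviceobjectdelayload
echo The following in normal. There may be less. Investigate if there are more.
echo CDBurn
echo PostBootReminder
echo SysTray
echo WebCheck
echo WPDShServiceObj
pause
call :open_regkey "Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"

cls
echo .
echo .
echo .
echo Look in HKLMachine\soft\micro\windows\current version\explorer\sharedtaskscheduler
echo The following is normal.
echo Browseui preloader
echo Component Categories cache daemon
pause
call :open_regkey "Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\sharedtaskscheduler"

cls
echo .
echo .
echo .
echo Look in HKLM\soft\micro\shared tools\msconfig all subkeys
echo The following keys should not have info, but only if msconfig has them remarked will they exist.
echo services
echo startupfolder
echo startupreg
echo state should all be zeros
pause
call :open_regkey "Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig"

rem File-association handlers: a hijacked open\command is run before every program of
rem that type. Doubled percent signs print as single ones in a batch file.
cls
echo .
echo .
echo .
echo Look in HKCR\exefile\shell\open\command all subkeys
echo The default value for each of these should be "%%1" %%*
pause
call :open_regkey "Computer\\HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command"

cls
echo .
echo .
echo .
echo Look in HKCR\comfile\shell\open\command all subkeys
echo The default value for each of these should be "%%1" %%*
pause
call :open_regkey "Computer\\HKEY_CLASSES_ROOT\\comfile\\shell\\open\\command"

cls
echo .
echo .
echo .
echo Look in HKCR\batfile\shell\open\command all subkeys
echo The default value for each of these should be "%%1" %%*
pause
call :open_regkey "Computer\\HKEY_CLASSES_ROOT\\batfile\\shell\\open\\command"

cls
echo .
echo .
echo .
echo Look in HKCR\piffile\shell\open\command all subkeys
echo The default value for each of these should be "%%1" %%*
pause
call :open_regkey "Computer\\HKEY_CLASSES_ROOT\\piffile\\shell\\open\\command"

cls
echo .
echo .
echo .
echo Look in HKCR\htafile\shell\open\command all subkeys
echo The default value for each of these should be C:\WINDOWS\system32\mshta.exe "%%1" %%*
pause
call :open_regkey "Computer\\HKEY_CLASSES_ROOT\\htafile\\shell\\open\\command"

cls
echo .
echo .
echo .
echo Look in HKCR\htfile\shell\open\command all subkeys
echo The default value for each of these should be "C:\Program Files\Windows NT\HYPERTRM.EXE" %%1
pause
call :open_regkey "Computer\\HKEY_CLASSES_ROOT\\htfile\\shell\\open\\command"

rem The "(Default) is normal" line had been split across two lines, leaving a bare
rem " is normal" that cmd would try to run as a command.
cls
echo .
echo .
echo .
echo Look in HKLM\soft\micros\windows\ITStorage\Finders
echo (Default) is normal
echo .chm is normal
echo .
echo .
echo ID (Random HEX number) Is NOT normal and should be considered a botnet
pause
call :open_regkey "Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ITStorage\\Finders"

goto :regkey_done

rem ---------------------------------------------------------------------------
rem open_regkey  -  open regedit positioned on the key passed as the first argument.
rem   arg 1  key in regedit's LastKey form: root prefix, hive and path, with every
rem          backslash doubled as a .reg string value requires.
rem Writes a temporary .reg that sets HKCU\...\Applets\Regedit\LastKey, together
rem with the View and FindFlags values the original script carried. View looks
rem like saved window geometry -- assumed from the value name, not verified.
rem The file is imported silently with "regedit /s", deleted, and regedit is then
rem started interactively.
rem Why the redirection is written before each echo: cmd can read a digit that
rem sits immediately before the redirection operator as a stream handle, so a
rem line ending in "5.00" or "00" risks losing its last character and, for the
rem first line, the version header regedit requires.
rem Why TEMP: the script may be run from read-only media such as a CD-ROM or USB
rem key, where writing to the current directory fails.
rem NOTE(review): the "Computer\\" root prefix is kept from the original; confirm it
rem matches what the regedit version on the target machine stores in LastKey.
rem ---------------------------------------------------------------------------
:open_regkey
setlocal
set "lk_reg=%temp%\lk-run.reg"
>"%lk_reg%" echo Windows Registry Editor Version 5.00
>>"%lk_reg%" echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
>>"%lk_reg%" echo "View"=hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
>>"%lk_reg%" echo   ff,ff,ff,ff,ff,ff,42,00,00,00,57,00,00,00,9a,02,00,00,eb,01,00,00,d8,00,00,\
>>"%lk_reg%" echo   00,78,00,00,00,78,00,00,00,20,01,00,00,01,00,00,00
>>"%lk_reg%" echo "FindFlags"=dword:0000000e
>>"%lk_reg%" echo "LastKey"="%~1"
regedit /s "%lk_reg%"
del "%lk_reg%"
endlocal
regedit
goto :eof

:regkey_done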

rem Folder sweeps: each stop opens an Explorer window on one system location so that
rem recently modified files or folders can be spotted by sorting on date. The empty
rem quoted string is start's window-title slot; the folder follows it.
cls
echo .
echo .
echo .
echo Look for Newer driver files or folders in windows
pause
start "" "%systemroot%\"

cls
echo .
echo .
echo .
echo Look for Newer driver files or folders in windows-inf
pause
start "" "%systemroot%\inf"

cls
echo .
echo .
echo .
echo Look for Newer files or folders in the root directory of c:
pause
start "" "c:\"

cls
echo .
echo .
echo .
echo Look for Newer driver files or folders in windows-system32, wpa.dbl is normal, leave it alone.
pause
start "" "%systemroot%\SYSTEM32"

cls
echo .
echo .
echo .
echo Look for Newer driver files or folders in windows-system32-drivers
pause
start "" "%systemroot%\SYSTEM32\drivers"

cls
echo .
echo .
echo .
echo Look for Newer driver files or folders in windows-system (not supposed to be system)
pause
start "" "%systemroot%\SYSTEM"

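rem Profile folder sweeps. ALLUSERSPROFILE and USERPROFILE replace the hard-coded
rem "c:\documents and settings\..." roots, which are wrong when the profile folder is
rem named user.DOMAIN or lives on another drive. They also replace the "TEMP..\..\"
rem form, which relied on how Windows normalises a "Temp.." path component.
rem NOTE(review): that form was ambiguous; if "Local Settings\Application Data" was
rem the intended target, add it as a separate stop rather than guessing here.
cls
echo .
echo .
echo .
echo Look for Newer driver files or folders in application data under all users
pause
start "" "%allusersprofile%\application data"

cls
echo .
echo .
echo .
echo Look for Newer driver files or folders in application data under This user
pause
start "" "%userprofile%\application data"

cls
echo .
echo .
echo .
echo Look for Startup Items
pause
start "" "%userprofile%\Start menu\Programs\Startup\"
start "" "%allusersprofile%\Start menu\Programs\Startup\"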

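rem Empty "Downloaded Program Files", the browser's control/download cache.
rem The guard now tests the target folder itself: the old unquoted check on the
rem system root was always true and said nothing about the folder being deleted from.
rem Nothing is removed when the folder is absent.
cls
echo .
echo .
echo .
echo Another quick cleanup (Automatic) When press a key comes up it's done
pause
if exist "%systemroot%\downloaded program files\" del "%systemroot%\downloaded program files\*.*" /f /a /s /q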

rem Final manual checks: the Internet Options applet, the Services console and the
rem Display applet. The empty quoted string is start's window-title slot.
cls
echo .
echo .
echo .
echo Reset Internet Explorer to all of it's defaults
pause
start "" control inetcpl.cpl

cls
echo .
echo .
echo .
echo Check Services for all kinds of crap
pause
start "" services.msc

cls
echo .
echo .
echo .
echo Check Desktop, Customize, Web for hidden WEB CRAP
pause
start "" control desk.cpl

cls
echo .
echo .
echo .
echo Done
pause

