This is a little batch file that should aid in the cleanup of computers that have been locked out by malware.
It's a work in progress, so check back as this script evolves.
Please let us know about your experiences with this script, as I will continue to work on it.
*** NOTE:
This will clear out your start-up programs (the Run and RunOnce registry keys for the current user and the machine).
They are backed up first into .reg files in a "backups" folder under the current directory, so you can restore them with "reg import" once the malware is removed. Run the script from an elevated (administrator) command prompt; the HKLM changes fail otherwise.
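@echo off
setlocal
REM Recovery script for a Windows user profile locked down by malware.
REM
REM What it does, in order:
REM   1. Clears the HKCU policy values malware uses to block regedit, Task
REM      Manager, Run, the Display control panel and Folder Options.
REM   2. Backs up the Run/RunOnce autostart keys (HKCU and HKLM) to .reg files
REM      in .\backups, then empties them. Restore a backup with "reg import".
REM   3. Restores "show hidden files", the Winlogon shell and the Safe Mode shell.
REM   4. Forces an immediate reboot -- only if every backup above succeeded.
REM
REM Requires an elevated (administrator) prompt: the HKLM writes fail otherwise.
REM NOTE(review): 64-bit Wow6432Node autostart keys and the Winlogon Userinit
REM value are not touched here; check them by hand if the machine stays infected.

REM Fail fast if not elevated. Without this the HKCU steps succeed, the HKLM
REM steps fail one by one, and the machine is rebooted half-cleaned.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated ^(administrator^) command prompt.
    exit /b 1
)

REM Set to 1 by :backup_and_clear when an export fails; blocks the reboot.
set "FAILED=0"

echo Creating backup folder...
if not exist backups mkdir backups
if not exist backups (
    echo Could not create the backups folder. Nothing has been changed.
    exit /b 1
)

echo Removing policy restrictions...
set "POL_SYS=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "POL_EXP=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
reg add %POL_SYS% /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg add %POL_SYS% /v DisableTaskMgr /t REG_DWORD /d 0 /f
reg add %POL_SYS% /v DisableRun /t REG_DWORD /d 0 /f
reg add %POL_SYS% /v NoDispCPL /t REG_DWORD /d 0 /f
reg add %POL_EXP% /v NoFolderOptions /t REG_DWORD /d 0 /f
reg add %POL_EXP% /v DisallowRun /t REG_DWORD /d 0 /f
REM Policies\Explorer\Run is the policy-enforced autostart list; recreate it empty.
reg delete %POL_EXP%\Run /f 2>nul
reg add %POL_EXP%\Run /f

echo Backing up and removing startup applications...
call :backup_and_clear "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "HKCU Runs"
call :backup_and_clear "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "HKLM Runs"

echo Backing up and removing RunOnce entries...
call :backup_and_clear "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "HKCU RunOnce"
call :backup_and_clear "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "HKLM RunOnce"

echo Showing hidden files...
REM Writing with /t REG_DWORD also repairs the value if its type was changed.
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f

echo Repairing Explorer shell...
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f
REM The per-user shell override is a *value* named Shell under Winlogon, not a
REM subkey, so it must be deleted with /v for the hijack to actually go away.
REM A missing value is not an error here.
reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f 2>nul

echo Repairing Safe Mode...
reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell /t REG_SZ /d "cmd.exe" /f

if not "%FAILED%"=="0" (
    echo One or more backups failed; the affected keys were left untouched.
    echo Review the messages above, then reboot manually.
    exit /b 1
)

echo Rebooting...
shutdown /f /r /t 00
goto :eof

:backup_and_clear
REM Export a registry key to backups\<name>.reg, then empty it by deleting and
REM recreating it. The key is only cleared when the export succeeded, so no
REM autostart entry is lost without a copy on disk.
REM   %1 - registry key path (quoted)
REM   %2 - base name of the .reg file
REM Sets FAILED=1 on a failed export. A key that does not exist is skipped.
reg query %1 >nul 2>&1
if errorlevel 1 exit /b 0
REM /y overwrites an existing .reg file instead of prompting (Vista and later).
reg export %1 "backups\%~2.reg" /y
if errorlevel 1 (
    echo Backup of %~1 failed; leaving the key untouched.
    set "FAILED=1"
    exit /b 1
)
reg delete %1 /f
reg add %1 /f
exit /b 0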