Batch autorun virus removal tool

Time:2021-4-20

@Echo Off
color 2f
Title autorun virus removal tool - by phexon
REM kill process
taskkill /F /IM SocksA.exe /IM SVOHOST.exe /IM AdobeR.exe /IM ravmone.exe /IM wincfgs.exe /IM doc.exe /IM rose.exe /IM sxs.exe /IM autorun.exe /IM KB20060111.exe /IM tel.xls.exe>nul 2>nul

:clearauto
cls
Echo.
Echo autorun virus removal tool
Echo.
Echo.                
Echo.
Echo Author: phexon
Echo.
Echo This program automatically clears the AutoRun virus under each drive letter
Echo It works by reading the relevant fields of Autorun.inf on each drive letter
Echo.
Echo [1] Just delete the AutoRun virus under all drive letters
Echo [2] Delete the AutoRun virus under all drive letters and create an immune directory with the same name (recommended!)
Echo [3] Disable the AutoRun mechanism of the system to avoid reinfection by the AutoRun virus
Echo [4] Cancel autorun virus immunity for all drive letters
Echo [5] Remove and immunize against the autorun virus on a specified drive letter
Echo [6] Cancel immunity for a specified drive letter
Echo [7] Restore related registry key defaults
Echo [0] Exit
Echo.
REM Clear the previous answer so that pressing Enter does not reuse it
Set clearslt=
Set /P clearslt=Please enter your choice (1/2/3/4/5/6/7/0): 
If "%clearslt%"=="" Goto clearauto
If "%clearslt%"=="1" Goto clearauto1
If "%clearslt%"=="2" Goto clearauto2
If "%clearslt%"=="3" Goto clearauto3
If "%clearslt%"=="4" Goto clearauto4
If "%clearslt%"=="5" Goto clearauto5
If "%clearslt%"=="6" Goto clearauto6
If "%clearslt%"=="7" Goto clearauto7
If "%clearslt%"=="0" Exit
REM Any other input returns to the menu instead of falling through into :clearauto1
Goto clearauto

:clearauto1
taskkill /F /IM SocksA.exe /IM SVOHOST.exe /IM AdobeR.exe /IM ravmone.exe /IM wincfgs.exe /IM doc.exe /IM rose.exe /IM sxs.exe /IM autorun.exe /IM KB20060111.exe /IM tel.xls.exe>nul 2>nul
REM For each fixed or removable drive, delete the files named after "=" in autorun.inf, then autorun.inf itself
For %%a In (C D E F G H I J K L M N O P Q R S T U V W X Y Z) Do (
    fsutil fsinfo drivetype %%a: | find /I "Fixed Drive" && (
        For /f "tokens=2 delims==" %%b In (%%a:\autorun.inf) Do Del /a /f /q "%%a:\%%b" >nul 2>nul
        Del /a /f /q %%a:\autorun.inf >nul 2>nul
        ) >nul 2>nul
    fsutil fsinfo drivetype %%a: | find /I "Removable Drive" && (
        For /f "tokens=2 delims==" %%b In (%%a:\autorun.inf) Do Del /a /f /q "%%a:\%%b" >nul 2>nul
        Del /a /f /q %%a:\autorun.inf >nul 2>nul
        ) >nul 2>nul
    )
cls
Echo The AutoRun virus has been cleared. Press any key to return
pause>nul
Goto clearauto

:clearauto2
taskkill /F /IM SocksA.exe /IM SVOHOST.exe /IM AdobeR.exe /IM ravmone.exe /IM wincfgs.exe /IM doc.exe /IM rose.exe /IM sxs.exe /IM autorun.exe /IM KB20060111.exe /IM tel.xls.exe>nul 2>nul
REM Delete as in option 1, then create a same-named directory that is hidden, read-only and denied to everyone
For %%a In (C D E F G H I J K L M N O P Q R S T U V W X Y Z) Do (
    fsutil fsinfo drivetype %%a: | find /I "Fixed Drive" && (
        For /f "tokens=2 delims==" %%b In (%%a:\autorun.inf) Do Del /a /f /q "%%a:\%%b" & md "%%a:\%%b\Immune directory do not delete!...\" & attrib +s +h +r "%%a:\%%b" & Echo Y|cacls "%%a:\%%b" /T /C /P everyone:N >nul 2>nul
        Del /a /f /q %%a:\autorun.inf & md "%%a:\autorun.inf\Immune directory do not delete!...\" & attrib +s +h +r %%a:\autorun.inf & Echo Y|cacls "%%a:\autorun.inf" /T /C /P everyone:N >nul 2>nul
        ) >nul 2>nul
    fsutil fsinfo drivetype %%a: | find /I "Removable Drive" && (
        For /f "tokens=2 delims==" %%b In (%%a:\autorun.inf) Do Del /a /f /q "%%a:\%%b" & md "%%a:\%%b\Immune directory do not delete!...\" & attrib +s +h +r "%%a:\%%b" & Echo Y|cacls "%%a:\%%b" /T /C /P everyone:N >nul 2>nul
        Del /a /f /q %%a:\autorun.inf & md "%%a:\autorun.inf\Immune directory do not delete!...\" & attrib +s +h +r %%a:\autorun.inf & Echo Y|cacls "%%a:\autorun.inf" /T /C /P everyone:N >nul 2>nul
        ) >nul 2>nul
    )
cls
Echo autorun virus is cleared and immunized. Press any key to return
pause>nul
Goto clearauto

:clearauto3
cls
Echo.
Echo Stopping related services
Echo.
REM 0xff disables AutoRun for every drive type
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0x000000ff /f >nul 2>nul
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0x000000ff /f >nul 2>nul
net stop ShellHWDetection >nul 2>nul
sc config ShellHWDetection start= disabled >nul 2>nul
REM Add software restriction policy path rules that prevent executable files from running directly from the recycle bin or from a directory that mimics the recycle bin
Set REGPATH=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
Set SFLAG=/v SaferFlags /t REG_DWORD /d 0x00000000 /f
REM IDATA opens a quoted path pattern; each reg add line below appends the rest of the pattern and the closing quote
Set IDATA=/f /v ItemData /d "?:\Recyc?
reg add %REGPATH%\{00ffa5bf-abe7-4901-aacf-4f58aa31217a} %SFLAG%>nul
reg add %REGPATH%\{00ffa5bf-abe7-4901-aacf-4f58aa31217a} %IDATA%\*\*\*\*.*">nul

reg add %REGPATH%\{41fe7eed-c47a-46f6-840a-240796fd03cf} %SFLAG%>nul
reg add %REGPATH%\{41fe7eed-c47a-46f6-840a-240796fd03cf} %IDATA%\*\*\*.*">nul

reg add %REGPATH%\{4e93c91c-a40e-462e-9b89-3b0832d222d9} %SFLAG%>nul
reg add %REGPATH%\{4e93c91c-a40e-462e-9b89-3b0832d222d9} %IDATA%\*.*">nul

reg add %REGPATH%\{5bfc100b-d3fb-450e-88ec-6819ab56a9ff} %SFLAG%>nul
reg add %REGPATH%\{5bfc100b-d3fb-450e-88ec-6819ab56a9ff} %IDATA%\*\*\*\*.*">nul

reg add %REGPATH%\{5c5e2bcd-7057-43f4-830c-e4361d2afadd} %SFLAG%>nul
reg add %REGPATH%\{5c5e2bcd-7057-43f4-830c-e4361d2afadd} %IDATA%\*.*">nul

reg add %REGPATH%\{5f8ff865-0638-4c6e-98de-923e7bc6b330} %SFLAG%>nul
reg add %REGPATH%\{5f8ff865-0638-4c6e-98de-923e7bc6b330} %IDATA%\*\*\*.*">nul

reg add %REGPATH%\{649c1429-0e79-453c-abe9-b5682e035ae7} %SFLAG%>nul
reg add %REGPATH%\{649c1429-0e79-453c-abe9-b5682e035ae7} %IDATA%\*\*.*">nul

reg add %REGPATH%\{718f54b2-c669-4d7b-aeff-18d69f100034} %SFLAG%>nul
reg add %REGPATH%\{718f54b2-c669-4d7b-aeff-18d69f100034} %IDATA%\*\*.*">nul

reg add %REGPATH%\{8385d9d2-80c9-4ac1-a100-ed3e62863d97} %SFLAG%>nul
reg add %REGPATH%\{8385d9d2-80c9-4ac1-a100-ed3e62863d97} %IDATA%\*.*">nul

reg add %REGPATH%\{af2a4fcf-441c-421e-9663-52cd3502cfd7} %SFLAG%>nul
reg add %REGPATH%\{af2a4fcf-441c-421e-9663-52cd3502cfd7} %IDATA%\*\*\*.*">nul

reg add %REGPATH%\{b997f4b2-c037-4e97-b051-31f5d86df802} %SFLAG%>nul
reg add %REGPATH%\{b997f4b2-c037-4e97-b051-31f5d86df802} %IDATA%\*\*.*">nul

reg add %REGPATH%\{d4e7b6ff-d76f-407f-b8bb-ea0835f5babc} %SFLAG%>nul
reg add %REGPATH%\{d4e7b6ff-d76f-407f-b8bb-ea0835f5babc} /f /v ItemData /d "RECYC*.*">nul

REM Clean up viruses that use the recycle bin to run automatically on removable disks
For %%a In (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) Do (
    For %%b In (exe pif com) Do (
        Echo Y|cacls "%%a:\Recycler\*.%%b" /C /T /P everyone:F>nul 2>nul&Echo Y|cacls "%%a:\Recycled\*.%%b" /C /T /P everyone:F>nul 2>nul&Echo Y|cacls "%%a:\Recycled\Recycled\*.%%b" /C /T /P everyone:F>nul 2>nul
        Del /A /F /S /Q "%%a:\Recycler\*.%%b">nul 2>nul&Del /A /F /S /Q "%%a:\Recycled\*.%%b">nul 2>nul&Del /A /F /S /Q "%%a:\Recycled\Recycled\*.%%b">nul 2>nul
        )
    )>nul 2>nul
Echo.
Echo Related services have been stopped and disabled. Press any key to return
pause >nul
Goto clearauto

:clearauto4
REM Echo Y answers the confirmation prompt that cacls /P raises, as the other options already do
For %%a In (C D E F G H I J K L M N O P Q R S T U V W X Y Z) Do (
    fsutil fsinfo drivetype %%a: | find /I "Fixed Drive" && (
        Echo Y|cacls "%%a:\autorun.inf" /T /C /P everyone:F&Del /a /f /q "%%a:\autorun.inf" & rd /s /q "%%a:\autorun.inf">nul 2>nul
        )>nul 2>nul
    fsutil fsinfo drivetype %%a: | find /I "Removable Drive" && (
        Echo Y|cacls "%%a:\autorun.inf" /T /C /P everyone:F&Del /a /f /q "%%a:\autorun.inf" & rd /s /q "%%a:\autorun.inf">nul 2>nul
        )>nul 2>nul
    )
cls
Echo.
Echo Autorun virus immunity has been removed from all drive letters. Press any key to return
pause>nul
Goto clearauto

:clearauto5
cls
Echo.
Set pf=
Set /P pf=Please enter the drive letter, such as F: (without quotation marks): 
Echo About to immunize disk %pf% |Find /I ":"
taskkill /F /IM SocksA.exe /IM SVOHOST.exe /IM AdobeR.exe /IM ravmone.exe /IM wincfgs.exe /IM doc.exe /IM rose.exe /IM sxs.exe /IM autorun.exe /IM KB20060111.exe /IM tel.xls.exe>nul 2>nul
fsutil fsinfo drivetype %pf% | find /I "Fixed Drive" && (
    For /f "tokens=2 delims==" %%a In (%pf%\autorun.inf) Do Del /a /f /q "%pf%\%%a" & md "%pf%\%%a\Immune directory do not delete!...\" & attrib +s +h +r "%pf%\%%a" & Echo Y|cacls "%pf%\%%a" /T /C /P everyone:N >nul 2>nul
    Del /a /f /q %pf%\autorun.inf & md "%pf%\autorun.inf\Immune directory do not delete!...\" & attrib +s +h +r %pf%\autorun.inf & Echo Y|cacls "%pf%\autorun.inf" /T /C /P everyone:N >nul 2>nul
    Goto DoneclearAuto
    ) >nul 2>nul
fsutil fsinfo drivetype %pf% | find /I "Removable Drive" && (
    For /f "tokens=2 delims==" %%a In (%pf%\autorun.inf) Do Del /a /f /q "%pf%\%%a" & md "%pf%\%%a\Immune directory do not delete!...\" & attrib +s +h +r "%pf%\%%a" & Echo Y|cacls "%pf%\%%a" /T /C /P everyone:N >nul 2>nul
    Del /a /f /q %pf%\autorun.inf & md "%pf%\autorun.inf\Immune directory do not delete!...\" & attrib +s +h +r %pf%\autorun.inf & Echo Y|cacls "%pf%\autorun.inf" /T /C /P everyone:N >nul 2>nul
    Goto DoneclearAuto
    ) >nul 2>nul
Echo.
Echo The drive letter you entered does not exist or is a read-only device,
Echo please re-enter
Goto clearauto5

:DoneclearAuto
cls
Echo.
Echo The specified disk %pf% has been successfully cleared and immunized against the autorun virus
Echo.
Echo [1] Continue immunizing other disks
Echo [0] Return to main menu
Set choice=
Set /P choice=Please enter your choice (1/0): 
If "%choice%"=="" Goto DoneclearAuto
If "%choice%"=="1" Goto clearauto5
If "%choice%"=="0" Goto clearauto
REM Any other input repeats this prompt instead of falling through into :clearauto6
Goto DoneclearAuto

:clearauto6
cls
Echo.
Set pf=
Set /P pf=Please enter the drive letter, such as F: (without quotation marks): 
Echo About to cancel immunization of disk %pf% |Find /I ":"
REM Echo Y answers the confirmation prompt that cacls /P raises
fsutil fsinfo drivetype %pf% | find /I "Fixed Drive" && (
    Echo Y|cacls "%pf%\autorun.inf" /T /C /P everyone:F&Del /a /f /q "%pf%\autorun.inf" & rd /s /q "%pf%\autorun.inf">nul 2>nul
    Goto DoneUnauto
    )>nul 2>nul
fsutil fsinfo drivetype %pf% | find /I "Removable Drive" && (
    Echo Y|cacls "%pf%\autorun.inf" /T /C /P everyone:F&Del /a /f /q "%pf%\autorun.inf" & rd /s /q "%pf%\autorun.inf">nul 2>nul
    Goto DoneUnauto
    )>nul 2>nul
Echo.
Echo The drive letter you entered does not exist or is a read-only device,
Echo please re-enter
Goto clearauto6

:DoneUnauto
cls
Echo.
Echo Autorun virus immunity has been successfully removed from the specified disk %pf%
Echo.
Echo [1] Continue removing immunity from other disks
Echo [0] Return to main menu
Set choice=
Set /P choice=Please enter your choice (1/0): 
If "%choice%"=="" Goto DoneUnauto
If "%choice%"=="1" Goto clearauto6
If "%choice%"=="0" Goto clearauto
REM Any other input repeats this prompt instead of falling through into :clearauto7
Goto DoneUnauto

:clearauto7
cls
REM Undo settings that keep files completely hidden in Explorer or forbid programs from running
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d 0x00000001 /f>nul 2>nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f>nul 2>nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /f>nul 2>nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /f>nul 2>nul
REM Restore the Startup folder locations in case they were redirected
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Startup /d
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup" /d "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" /f >nul 2>nul
Echo.
Echo Related registry recovery completed. Press any key to return
pause>nul
Goto clearauto
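
A read-only preview of what the removal loops above would delete, as an added example that is not part of phexon's script: it applies the same tokens=2 delims== parsing to each drive's autorun.inf and only reports the resulting paths, then shows the current NoDriveTypeAutoRun values. The :preview label and the output wording are this example's own.

```batch
@Echo Off
REM Added example, not part of the original tool. Read-only: nothing is deleted or changed.
Setlocal EnableExtensions
For %%a In (C D E F G H I J K L M N O P Q R S T U V W X Y Z) Do (
    If Exist "%%a:\autorun.inf" Call :preview %%a
)
Echo.
Echo NoDriveTypeAutoRun policy, where 0xff disables AutoRun for every drive type:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun 2>nul || Echo   HKLM: value not set
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun 2>nul || Echo   HKCU: value not set
Endlocal
Goto :EOF

:preview
REM The argument is a drive letter. A directory named autorun.inf is the immune marker made by options 2 and 5.
If Exist "%~1:\autorun.inf\" (
    Echo %~1: autorun.inf is a directory, already immunized
    Goto :EOF
)
Echo %~1: autorun.inf is a file. The removal loop would target:
REM Same tokenisation as the tool: the second field of each line when split on the equals sign.
For /f "usebackq tokens=2 delims==" %%b In ("%~1:\autorun.inf") Do (
    If Exist "%~1:\%%b" (Echo   EXISTS   "%~1:\%%b") Else (Echo   missing  "%~1:\%%b")
)
Goto :EOF
```

Review the EXISTS lines before choosing option 1, 2 or 5: the tool deletes whatever path autorun.inf names, so an entry that points at a legitimate file would be removed as well.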