Have you ever had the kind of virus that even your anti virus can't remove? because it's running a bunch of files? well....in some cases it can be solved with bat files =)
Scenario: You have the following infected files...
C:/windows/shellfix.dll
C:/windows/shellvirii.exe
Now the shellfix.dll is injected in the Explorer.exe and keeps an eye on the shellvirii.exe so that it is not shutdown, and if it is, the shellfix.dll makes sure it starts again. The shellvirii.exe is just a random trojan that wants your account information, but it also makes sure that the shellfix.dll is always injected somewhere and running. They basicly keep an eye on each other...
Now...you could do this in a case like this...
example of AV.bat:
TASKKILL /F /IM shellvirii.exe
TASKKILL /F /IM explorer.exe
DEL /F /Q C:/windows/shellfix.dll
DEL /F /Q C:/windows/shellvirii.exe
TASKKILL: Shutdown the process specified
/F: Forces the process to shutdown
/IM: Specify the image name of the process that should be terminated
DEL: Deletes the file specified
/F: Forces it to delete
/Q: Does it without any question...
Now you can just use your imagination and it could turn out to be a pretty good antivirus you are building =)
This is a small anti virus i made for a friend in batch:
Code:
@echo off
:check
echo Running check....
IF EXIST C:\windows\system32\syshelps.dll GOTO infected
IF NOT EXIST C:\windows\system32\syshelps.dll GOTO notinfected
:notinfected
echo You are not infected with Backdoor.Win32.IRCBot.acd
GOTO end
:infected
echo You are infected with Backdoor.Win32.IRCBot.acd
echo Trying to remove the file syshelps.dll (Backdoor.Win32.IRCBot.acd)
echo Shuting down Explorer and msn messenger for virus removal....
TASKKILL /F /IM explorer.exe
TASKKILL /F /IM msnmsgr.exe
echo Removing syshelps.dll and all of it's companions
DEL /F /Q C:\windows\system32\syshelps.dll
IF NOT EXIST C:\WINDOWS\photos.zip GOTO 1
DEL /F /Q C:\WINDOWS\photos.zip
:1
IF NOT EXIST C:\System Volume Information\_restore{C196A4E6-BCE6-4324-B52C-2F62F9E264DD}\RP61\A0008326.dll GOTO 2
DEL /F /Q C:\System Volume Information\_restore{C196A4E6-BCE6-4324-B52C-2F62F9E264DD}\RP61\A0008326.dll
:2
IF NOT EXIST C:\System Volume Information\_restore{C196A4E6-BCE6-4324-B52C-2F62F9E264DD}\RP58\A0008254.scr GOTO 3
DEL /F /Q C:\System Volume Information\_restore{C196A4E6-BCE6-4324-B52C-2F62F9E264DD}\RP58\A0008254.scr
:3
echo Starting Explorer again....
start C:\windows\explorer.exe
IF NOT EXIST C:\windows\system32\syshelps.dll GOTO success
IF EXIST C:\windows\system32\syshelps.dll GOTO failure
:sucess
echo The file was removed, please run a virus scan with Kaspersky for example, to make sure that all the minor files from the virus has been removed properly, also remove the "photos.zip" in your recieved files folder if not already removed.
GOTO end
:failure
echo The removal failed..... please send an email to admin@justbgeek.com to notify me
:end
Pause
NOTE: I hope you can see the line break in the code example ^^ the page was to short for the code....
ليست هناك تعليقات:
إرسال تعليق