You are on page 1of 2

c 


  

 

Have you ever had the kind of virus that even your anti virus can't remove? because it's running a
bunch of files? well....in some cases it can be solved with bat files =)

Scenario: You have the following infected files...

C:/windows/shellfix.dll
C:/windows/shellvirii.exe

Now the shellfix.dll is injected in the Explorer.exe and keeps an eye on the shellvirii.exe so that
it is not shutdown, and if it is, the shellfix.dll makes sure it starts again. The shellvirii.exe is just
a random trojan that wants your account information, but it also makes sure that the shellfix.dll is
always injected somewhere and running. They basicly keep an eye on each other...

Now...you could do this in a case like this...

example of AV.bat:

TASKKILL /F /IM shellvirii.exe


TASKKILL /F /IM explorer.exe
DEL /F /Q C:/windows/shellfix.dll
DEL /F /Q C:/windows/shellvirii.exe

TASKKILL: Shutdown the process specified


/F: Forces the process to shutdown
/IM: Specify the image name of the process that should be terminated

DEL: Deletes the file specified


/F: Forces it to delete
/Q: Does it without any question...

Now you can just use your imagination and it could turn out to be a pretty good antivirus you are
building =)

This is a small anti virus i made for a friend in batch:

PHP Code:
@echo off

:check
echo Running check....
IF EXIST C:windowssystem32syshelps.dll GOTO infected
IF NOT EXIST C:windowssystem32syshelps.dll GOTO notinfected
:notinfected
echo You are not infected with Backdoor.Win32.IRCBot.acd
GOTO end
:infected
echo You are infected with Backdoor.Win32.IRCBot.acd
echo Trying to remove the file syshelps.dll (Backdoor.Win32.IRCBot.acd)
echo Shuting down Explorer and msn messenger for virus removal....
TASKKILL /F /IM explorer.exe
TASKKILL /F /IM msnmsgr.exe
echo Removing syshelps.dll and all of its companions
DEL /F /Q C:windowssystem32syshelps.dll
IF NOT EXIST C:WINDOWSphotos.zip GOTO 1
DEL /F /Q C:WINDOWSphotos.zip
:1
IF NOT EXIST C:System Volume Information_restore{C196A4E6-BCE6-4324-B52C-
2F62F9E264DD}RP61A0008326.dll GOTO 2
DEL /F /Q C:System Volume Information_restore{C196A4E6-BCE6-4324-B52C-
2F62F9E264DD}RP61A0008326.dll
:2
IF NOT EXIST C:System Volume Information_restore{C196A4E6-BCE6-4324-B52C-
2F62F9E264DD}RP58A0008254.scr GOTO 3
DEL /F /Q C:System Volume Information_restore{C196A4E6-BCE6-4324-B52C-
2F62F9E264DD}RP58A0008254.scr
:3
echo Starting Explorer again....
start C:windowsexplorer.exe
IF NOT EXIST C:windowssystem32syshelps.dll GOTO success
IF EXIST C:windowssystem32syshelps.dll GOTO failure
:sucess
echo The file was removed, please run a virus scan with Kaspersky for example
, to make sure that all the minor files from the virus has been removed prope
rly, also remove the "photos.zip" in your recieved files folder if not alread
y removed.
GOTO end
:failure
echo The removal failed..... please send an email to admin@hackers.gov.my to
notify me
:end
Pause