echo off
:: Cleanup script for infected computers - Windows 2000-Windows 2008, including XP, Vista, 7
::
:: Usage: one argument, the profile folder name of the user to clean; run it
:: from an elevated cmd. Everything it does is destructive and not reversible.
::
:: NOTE(review): "echo off" without a leading @ echoes that line itself; the
:: usual form is `@echo off`.
:: NOTE(review): %1 is never validated. With an empty %1 userroot becomes the
:: profiles root itself and the recursive "del" commands below run across
:: every profile on the machine. Guard it right after the echo of UserID, e.g.
:: `IF "%~1"=="" GOTO :EOF`.
:: NOTE(review): none of the CD commands in this script check for failure, and
:: most of the "del /S" and "RD /S" commands that follow them use relative
:: paths. When a CD fails, cmd stays in the previous directory and the wipe
:: runs there instead. Chain `|| GOTO :EOF` after each CD that is followed by a
:: relative delete, or skip that section on failure.
:: NOTE(review): the script removes Prefetch, crash dumps, *.log files,
:: restore points, shadow copies, Syscache.hve and the Recycle Bin. Those are
:: the artifacts an incident responder needs to work out what ran on the host;
:: collect them before this script runs or the infection cannot be
:: investigated afterwards. Only index.dat is preserved here.
:: NOTE(review): "::" is a label, not a real comment, and is unreliable inside
:: parenthesised blocks; the notes added inside the IF blocks use REM for that
:: reason.
:: Set variable values
SET WorkFolder=c:\LOGS\
:: WorkFolder holds the index.dat copies taken in the IE section but is never
:: created; if c:\LOGS is missing the COPY and MOVE pairs there fail and the
:: preserved DAT files are lost. Suggest `IF NOT EXIST "%WorkFolder%" MD "%WorkFolder%"`.
SET LogFile=%WorkFolder%LocalLog.txt
:: LogFile is defined but never written; the "dir /s" listings further down go
:: to the console only. Consider appending them with `>> "%LogFile%"`.
set profdir=
set userroot=
echo UserID=%1
SET REGKEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
:: Get path for ProfilesDirectory, like "C:\Documents and Settings" in XP or "C:\Users" in >=Vista
:: Must use CALL to run SET, per Rob van der Woude. Brief explanation:
:: http://ss64.com/nt/call.html
:: The CALL pass presumably expands a %SystemDrive% reference inside the
:: registry value. tokens=3* leaves the rest of a path that contains spaces in
:: %%g, which is why both tokens are joined below.
for /f "tokens=3*" %%f in ('reg query "%REGKEY%\ProfileList" /v ProfilesDirectory ^|find /i "Profiles"') do (
@CALL set profdir=%%f %%g
)
echo profdir=%profdir%
:: Get operating system numerical value to set OS-specific values below
for /f "tokens=3" %%f in ('reg query "%REGKEY%" /v CurrentVersion ^|find /i "CurrentVersion"') do (
@CALL set OSVer=%%f
)
echo OSVer=%OSVer%
:: Set userroot to %profdir%\%1, and remove appending space(s) from userroot and OSVer strings
:: http://www.dostips.com/DtTipsStringManipulation.php
SET OSVer=%OSVer: =%
:: NOTE(review): if the reg query above returned nothing, OSVer is empty and the
:: IF line below is a syntax error that aborts the script before any cleanup.
:: Guard with `IF "%OSVer%"=="" GOTO :EOF`. The comparison itself is a string
:: comparison, since values like 5.1 are not integers; that happens to order
:: 5.x before 6 for the OS range named in the header.
IF %OSVer% LSS 6 (
SET userroot=%profdir%\%1
) ELSE (
REM Vista and later: profdir came back with a trailing space, so strip spaces.
SET userroot=%profdir: =%\%1
)
echo userroot=%userroot%
echo.
:: OS profile and system variables
IF %OSVer% LSS 6 (
REM Review note: the IE1Temp, IE2Temp and FFFolder lines below read AppLocal
REM with percent signs inside the same parenthesised block that assigns it.
REM cmd expands percent variables for the whole IF/ELSE statement before any
REM line of it runs, so these three get the OLD value of AppLocal, normally
REM empty, and end up as paths starting with a backslash. The ELSE branch
REM already avoids this with delayed expansion; do the same here, or move
REM these three SET lines to after the closing parenthesis.
SET AppData1=%userroot%\Application Data
:: SET AppLow=%userroot%\Local Settings???
SET AppLocal=%userroot%\Local Settings
SET IE1Temp=%AppLocal%\Temporary Internet Files\Content.IE5
SET IE2Temp=%AppLocal%\Application Data\Microsoft\Internet Explorer\DOMStore
SET FFFolder=%AppLocal%\Application Data\Mozilla\Firefox\Profiles
SET OSRecBin=%SystemDrive%\RECYCLER
SET SysRestore=srservice
) ELSE (
SETLOCAL EnableDelayedExpansion
REM Delayed expansion makes the exclamation-mark references below see the
REM values assigned just above them within this same block.
SET AppData1=%userroot%\AppData\Roaming
SET AppLow=%userroot%\AppData\LocalLow
SET AppLocal=%userroot%\AppData\Local
SET IE1Temp=!AppLocal!\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
SET IE2Temp=!AppLow!\Microsoft\Internet Explorer\DomStore
SET FFFolder=!AppLocal!\Mozilla\Firefox\Profiles
SET OSRecBin=%SystemDrive%\$Recycle.Bin
SET SysRestore=vss
REM A second SETLOCAL rather than ENDLOCAL, presumably so the variables set
REM above survive. No ENDLOCAL appears anywhere, so both scopes stay open
REM until the script ends.
SETLOCAL DisableDelayedExpansion
)
echo AppData1=%AppData1%
echo AppLow=%AppLow%
echo AppLocal=%AppLocal%
echo IE1Temp=%IE1Temp%
echo IE2Temp=%IE2Temp%
echo FFFolder=%FFFolder%
echo OSRecBin=%OSRecBin%
REM PAUSE
ECHO.
:: Clean, then stop SystemRestore (Win<6) or Volume Shadow Copy (Win>=6)
:: NOTE(review): deleting every shadow copy removes the last known-good
:: snapshots and any evidence they hold; if the host may need to be examined,
:: export or image it first. vssadmin delete shadows may not be available on
:: the older systems in the header - TODO confirm.
echo About to delete any/all VolumeShadow copies
vssadmin delete shadows /all /quiet
sc stop %SysRestore%
ECHO.
echo Going to=[spyware section]
:: Spyware and nuisance Removal Section
:: del /Q /F /S /A "%ProgramFiles%\FunWebProducts\*.*" > nul
:: Stop certain processes, like iTunes
:: NOTE(review): the last three tskill lines pass a ".exe" suffix while the
:: first five do not; tskill matches on the process name without extension, so
:: those three presumably never match - TODO confirm on a target build. tskill
:: may also be absent on some of the systems in the header; taskkill /IM is the
:: alternative where it exists.
tskill AppleMobileDeviceHelper /A
tskill iPodService /A
tskill iTunes /A
tskill iTunesHelper /A
tskill jusched /A
tskill GoogleUpdate.exe
tskill GoogleToolbarNotifier.exe
tskill mDNSResponder.exe
echo Remove malicious and outdated regkeys
:: Leftover keys from CD copy-protection installers and the FunWebProducts
:: toolbar. reg delete /f reports an error when a key is absent; expected here.
reg delete HKLM\Software\CDExtraInstall /f
reg delete HKLM\Software\SONYBMG /f
reg delete HKLM\Software\$sys$reference /f
reg delete HKLM\Software\ECDDiscProducers /f
reg delete "HKLM\SOFTWARE\Fun Web Products" /f
:: Clean up profile garbage files
echo Going to=%userroot%
:: NOTE(review): if this CD fails the recursive del below runs in whatever the
:: current directory is. Use `CD /D "%userroot%" || GOTO :EOF`.
CD /D %userroot%
CD
echo About to clean up garbage file in profile
:: *.log and *.dmp in the profile are removed here too; see the header note.
del /Q /F /S /A ~*.* *.tmp *.asd *.xar *.*~ autorecovery*.* liverecovery*.* *.swf *.dmp *.log > nul
echo Clean unused Profile-based temp, JRE, and Flash cache
del /Q /F /S /A "%AppLocal%\temp\*.*" > nul
RD /S /Q "%AppLocal%\temp\" >nul
RD /S /Q "%AppData1%\Sun\Java\Deployment\cache\" > nul
RD /S /Q "%AppData1%\Macromedia\Flash Player\" > nul
RD /S /Q "%AppData1%\Adobe\Flash Player\" > nul
:: Google Chrome cache cleanup
echo Going to=[chrome]
:: NOTE(review): "Application Data" under AppLocal is the XP layout; on Vista
:: and later AppLocal is AppData\Local, so this CD presumably relies on the
:: compatibility junction there - confirm. CD does not reliably accept a
:: wildcard such as profile*, and neither CD is checked, so CURRENTDIR can end
:: up pointing at the previous directory and the RD lines below delete Cache
:: and Media Cache under the wrong folder. Check both CDs and skip the section
:: on failure.
CD "%AppLocal%\Application Data\Google\Chrome\User Data\"
CD profile*
SET CURRENTDIR=%CD%
RD /S /Q "%CURRENTDIR%\Cache\" > nul
MD "%CURRENTDIR%\Cache\"
:: NOTE(review): ICACLS is used throughout; it may be absent on the older
:: systems named in the header - TODO confirm per target.
ICACLS "%CURRENTDIR%\Cache\" /t /q /c /reset
RD /S /Q "%CURRENTDIR%\Media Cache\" > nul
:: NOTE(review): MD has no /S or /Q switch, so this line errors and Media Cache
:: is not recreated before the ICACLS reset. Should be `MD "%CURRENTDIR%\Media Cache\"`.
MD /S /Q "%CURRENTDIR%\Media Cache\" > nul
ICACLS "%CURRENTDIR%\Media Cache\" /t /q /c /reset
ECHO.
echo Directory of executable(s) and dll(s) in user's profile
:: NOTE(review): the quoted argument is one pattern containing a space, which
:: dir cannot match, so this listing is empty. Use two patterns:
:: `dir /s "%userroot%\*.exe" "%userroot%\*.dll"`, and send it to LogFile so
:: the inventory of executables found in the profile is kept.
dir /s "%userroot%\*.exe *.dll"
ECHO.
:: Firefox cache cleanup. Note that because of the FF profile naming structure, you can't just go straight to that
:: folder, so extra steps and logic must be done to check for existence of FF profile folder first.
:: NOTE(review): the existence test below runs in whatever directory the two
:: CDs landed in. If either CD fails, a "cache" folder in the previous
:: directory would be deleted instead. Check the CDs and GOTO :IECACHE on
:: failure.
echo Going to=%FFFolder%\
CD "%FFFolder%\"
CD
CD *default
CD
echo Are we in FF cache folder? Skip to next section if not..
IF NOT EXIST "cache" GOTO :IECACHE
echo About to delete FF cache..
CD "Cache"
SET CURRENTDIR=%CD%
CD ..
RD /S /Q "%CURRENTDIR%"
REM MD /S /Q "%CURRENTDIR%"
:IECACHE
ECHO.
echo Now onto IE Cache...
echo Going to=%userroot%\
CD %userroot%\
CD
:: IE cache cleanup (w/DAT preservation)
:: index.dat is copied to WorkFolder, the cache is wiped and rebuilt, and the
:: copy is moved back. Both COPY and MOVE need WorkFolder to exist; see the
:: note at the top. The WorkFolder arguments are unquoted; quote them if %1
:: can contain spaces. The second COPY/MOVE pair targets the XP-layout path.
COPY "%IE1Temp%\index.dat" %WorkFolder%index-%1.dat
COPY "%AppLocal%\Temporary Internet Files\Content.IE5\index.dat" %WorkFolder%
del /Q /F /S /A "%IE1Temp%\*.*" >nul
RD /S /Q "%IE1Temp%\" >nul
MD "%IE1Temp%\"
ICACLS "%IE1Temp%\" /t /q /c /reset
MOVE /Y %WorkFolder%index-%1.dat "%IE1Temp%\"
MOVE /Y %WorkFolder%index.dat "%AppLocal%\Temporary Internet Files\Content.IE5\"
RD /S /Q "%userroot%\UserData" >nul
ECHO.
:: System folders cleanup
echo Going to=[system folders cleanup]
del /Q /F /S /A %windir%\temp\*.* >nul
RD /S /Q %windir%\temp\ >nul
MD %windir%\temp\
ICACLS %windir%\temp /t /q /c /reset
echo Going to=[prefetch,pif]
:: NOTE(review): Prefetch records which executables ran and when; on an
:: infected host that is primary evidence. Copy the folder out before clearing it.
del /Q /F /S /A %windir%\Prefetch\*.* >nul
del /Q /F /S /A %windir%\PIF\*.* >nul
echo Going to=[recycle bin]
RD /S /Q %OSRecBin%\ >NUL
MD %OSRecBin%
ATTRIB +H +S %OSRecBin%
ICACLS %OSRecBin% /t /q /c /reset
ECHO.
echo Going to=[dllcache, 32- and 64-bit sysprofiles]
:: NOTE(review): dllcache is the Windows File Protection store on XP/2003;
:: emptying it removes the copies WFP uses to restore tampered system files,
:: which works against a cleanup of an infected machine - confirm this is
:: intended.
del /Q /F /S /A %windir%\system32\dllcache\*.* >nul
del /Q /F /S /A %windir%\SysWOW64\dllcache\*.* >nul
RD /S /Q "%windir%\Temporary Internet Files"
:: NOTE(review): on Windows 2000 installs upgraded from NT4, %windir%\Profiles
:: is the real profile root - TODO confirm before keeping this line for the
:: 2000 targets named in the header.
RD /S /Q "%windir%\Profiles"
:: Clean up system profile garbage files
echo Going to=%windir%\system32\config\systemprofile\
CD /D %windir%\system32\config\systemprofile\
CD
echo About to clean up garbage file in system32 systemprofile
del /Q /F /S /A ~*.* *.tmp *.asd *.xar *.*~ autorecovery*.* liverecovery*.* *.swf *.dmp *.log *.exe *.dll
:: NOTE(review): this second del removes every file under the SYSTEM account's
:: profile, not just the garbage patterns above. Machine-wide state such as
:: the SYSTEM crypto key containers and certificate stores lives under that
:: profile's AppData - TODO confirm what is there on the target build before
:: keeping this line; the same applies to the SysWOW64 copy below.
del /Q /F /S /A %windir%\system32\config\systemprofile\*.*
echo About to clean up garbage file in SysWOW64 systemprofile
echo Going to=%windir%\SysWOW64\config\systemprofile\
CD /D %windir%\SysWOW64\config\systemprofile\
CD
del /Q /F /S /A ~*.* *.tmp *.asd *.xar *.*~ autorecovery*.* liverecovery*.* *.swf *.dmp *.log *.exe *.dll
del /Q /F /S /A %windir%\SysWOW64\config\systemprofile\*.*
ECHO.
echo Going to=[service profiles]
:: NOTE(review): ServiceProfiles exists only on Vista and later. On XP this CD
:: fails and the relative del below runs in the directory the previous CD left
:: behind. Check the CD and skip the del when it fails.
CD /D %windir%\ServiceProfiles
CD
del /Q /F /S /A ~*.* *.tmp *.asd *.xar *.*~ autorecovery*.* liverecovery*.* *.swf *.dmp *.log *.exe *.dll
ECHO.
echo Going to=[sysvol]
dir /s "%SystemDrive%\System Volume Information\*.*"
ECHO.
echo about to clean sysvol
:: NOTE(review): this removes all restore points and the shadow copy storage
:: for the drive; see the header note about evidence.
del /Q /F /S /A "%SystemDrive%\System Volume Information\*.*"
:: NOTE(review): the _restore folder name below is fixed to one GUID, which is
:: presumably specific to one machine; elsewhere this RD finds nothing. Use
:: `for /d` over "%SystemDrive%\System Volume Information\_restore*" instead.
RD /S /Q "%SystemDrive%\System Volume Information\_restore{D61EAD08-B79B-49F0-A861-4E6DD980D83A}\" > NUL
:: NOTE(review): the next del is relative, so it runs in the directory the
:: ServiceProfiles CD landed in, not in System Volume Information. Presumably
:: the full path was intended - confirm. Syscache.hve is itself a forensic
:: artifact.
del /Q /F /S /A Syscache.hve
ECHO.
:: Delete garbage in system folders
echo Going to=%windir%
CD %windir%
CD
ECHO.
del /Q /F /S /A *.tmp *.bak *.old *.dmp >nul
ECHO.
echo Going to=%windir%\system32
CD %windir%\system32
CD
del /Q /F /S /A $sys$*.* >nul
:: NOTE(review): RD does not accept wildcards, so this line never removes a
:: $SYS$ folder. Use `for /d %%d in ("%windir%\system32\$SYS$*") do RD /S /Q "%%d"`.
RD /S /Q "%windir%\system32\$SYS$*" > NUL
RD /S /Q "%windir%\system32\Program Files" > NUL
:: Only .SAM and no-extension files should usually exist in \ETC.
echo Going to=%WINDIR%\SYSTEM32\DRIVERS\ETC
CD %WINDIR%\SYSTEM32\DRIVERS\ETC
CD
ECHO.
:: NOTE(review): this only removes files with the listed extensions; the hosts
:: file itself, a common target for redirection, is left untouched. Consider
:: copying it to WorkFolder and reviewing it, since this section otherwise
:: assumes the folder is clean. *.SYS appears twice in the list. The del is
:: relative and the CD above is unchecked - on failure it would run in system32.
del /Q /F /S /A *.DLL *.EXE *.COM *.PIF *.SYS *.INF *.INI *.BIN *.CMD *.BAT *.REG *.OCX *.SYS *.VBS > nul
:: Restart the service stopped at the top; no new restore point is taken here.
sc start %SysRestore%