
Source code for Natalie Green's cleanpclocal.bat


  1. echo off
  2. :: Cleanup script for infected computers - Windows 2000-Windows 2008, including XP, Vista, 7
  3.  
  4.  
  5. :: Set variable values
  6. SET WorkFolder=c:\LOGS\
  7. SET LogFile=%WorkFolder%LocalLog.txt
  8. set profdir=
  9. set userroot=
  10. echo UserID=%1
  11. SET REGKEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  12.  
  13. :: Get path for ProfilesDirectory, like "C:\Documents and Settings" in XP or "C:\Users" in >=Vista
  14. :: Must use CALL to run SET, per Rob van der Woude. Brief explanation:
  15. :: http://ss64.com/nt/call.html
  16. for /f "tokens=3*" %%f in ('reg query "%REGKEY%\ProfileList" /v ProfilesDirectory ^|find /i "Profiles"') do (
  17. 	@CALL set profdir=%%f %%g
  18. )
  19. echo profdir=%profdir%
  20.  
  21. :: Get operating system numerical value to set OS-specific values below
  22. for /f "tokens=3" %%f in ('reg query "%REGKEY%" /v CurrentVersion ^|find /i "CurrentVersion"') do (
  23. 	@CALL set OSVer=%%f
  24. )
  25. echo OSVer=%OSVer%
  26.  
  27. :: Set userroot to %profdir%\%1, and remove appending space(s) from userroot and OSVer strings
  28. :: http://www.dostips.com/DtTipsStringManipulation.php
  29. SET OSVer=%OSVer: =%
  30. IF %OSVer% LSS 6 (
  31. 	SET userroot=%profdir%\%1
  32. ) ELSE (
  33. 	SET userroot=%profdir: =%\%1
  34. )
  35. echo userroot=%userroot%
  36. echo.
  37.  
  38. :: OS profile and system variables
  39. IF %OSVer% LSS 6 (
  40. 	SET AppData1=%userroot%\Application Data
  41. ::	SET AppLow=%userroot%\Local Settings???
  42. 	SET AppLocal=%userroot%\Local Settings
  43. 	SET IE1Temp=%AppLocal%\Temporary Internet Files\Content.IE5
  44. 	SET IE2Temp=%AppLocal%\Application Data\Microsoft\Internet Explorer\DOMStore
  45. 	SET FFFolder=%AppLocal%\Application Data\Mozilla\Firefox\Profiles
  46. 	SET OSRecBin=%SystemDrive%\RECYCLER
  47. 	SET SysRestore=srservice
  48. ) ELSE (
  49. 	SETLOCAL EnableDelayedExpansion
  50. 	SET AppData1=%userroot%\AppData\Roaming
  51. 	SET AppLow=%userroot%\AppData\LocalLow
  52. 	SET AppLocal=%userroot%\AppData\Local
  53. 	SET IE1Temp=!AppLocal!\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
  54. 	SET IE2Temp=!AppLow!\Microsoft\Internet Explorer\DomStore
  55. 	SET FFFolder=!AppLocal!\Mozilla\Firefox\Profiles
  56. 	SET OSRecBin=%SystemDrive%\$Recycle.Bin
  57. 	SET SysRestore=vss
  58. 	SETLOCAL DisableDelayedExpansion
  59. )
  60.  
  61. echo AppData1=%AppData1%
  62. echo AppLow=%AppLow%
  63. echo AppLocal=%AppLocal%
  64. echo IE1Temp=%IE1Temp%
  65. echo IE2Temp=%IE2Temp%
  66. echo FFFolder=%FFFolder%
  67. echo OSRecBin=%OSRecBin%
  68. REM PAUSE
  69. ECHO.
  70.  
  71. :: Clean, then stop SystemRestore (Win<6) or Volume Shadow Copy (Win>=6)
  72. echo About to delete any/all VolumeShadow copies
  73. vssadmin delete shadows /all /quiet
  74. sc stop %SysRestore%
  75. ECHO.
  76.  
  77. echo Going to=[spyware section]
  78. :: Spyware and nuissance Removal Section
  79. :: del /Q /F /S /A "%ProgramFiles%\FunWebProducts\*.*" > nul
  80. :: Stop certain processes, like iTunes
  81. tskill AppleMobileDeviceHelper /A
  82. tskill iPodService /A
  83. tskill iTunes /A
  84. tskill iTunesHelper /A
  85. tskill jusched /A
  86. tskill GoogleUpdate.exe
  87. tskill GoogleToolbarNotifier.exe
  88. tskill mDNSResponder.exe
  89.  
  90. echo Remove malicious and outdated regkeys
  91. reg delete HKLM\Software\CDExtraInstall /f
  92. reg delete HKLM\Software\SONYBMG /f
  93. reg delete HKLM\Software\$sys$reference /f
  94. reg delete HKLM\Software\ECDDiscProducers /f
  95. reg delete "HKLM\SOFTWARE\Fun Web Products" /f
  96.  
  97. :: Clean up profile garbage files
  98. echo Going to=%userroot%
  99. CD /D %userroot%
  100. CD
  101. echo About to clean up garbage file in profile
  102. del /Q /F /S /A ~*.* *.tmp *.asd *.xar *.*~ autorecovery*.* liverecovery*.* *.swf *.dmp *.log > nul
  103.  
  104. echo Clean unused Profile-based temp, JRE, and Flash cache
  105. del /Q /F /S /A "%AppLocal%\temp\*.*" > nul
  106. RD /S /Q "%AppLocal%\temp\" >nul
  107. RD /S /Q "%AppData1%\Sun\Java\Deployment\cache\" > nul
  108. RD /S /Q "%AppData1%\Macromedia\Flash Player\" > nul
  109. RD /S /Q "%AppData1%\Adobe\Flash Player\" > nul
  110.  
  111. :: Google Chrome cache cleanup
  112. echo Going to=[chrome]
  113. CD "%AppLocal%\Application Data\Google\Chrome\User Data\"
  114. CD profile*
  115. SET CURRENTDIR=%CD%
  116. RD /S /Q "%CURRENTDIR%\Cache\" > nul
  117. MD "%CURRENTDIR%\Cache\"
  118. ICACLS "%CURRENTDIR%\Cache\" /t /q /c /reset
  119.  
  120. RD /S /Q "%CURRENTDIR%\Media Cache\" > nul
  121. MD /S /Q "%CURRENTDIR%\Media Cache\" > nul
  122. ICACLS "%CURRENTDIR%\Media Cache\" /t /q /c /reset
  123. ECHO.
  124.  
  125. echo Directory of executable(s) and dll(s) in user's profile
  126. dir /s "%userroot%\*.exe *.dll"
  127. ECHO.
  128.  
  129. :: Firefox cache cleanup. Note that because of the FF profile naming structure, you can't just go straight to that
  130. :: folder, so extra steps and logic must be done to check for existence of FF profile folder first.
  131. echo Going to=%FFFolder%\
  132. CD "%FFFolder%\"
  133. CD
  134. CD *default
  135. CD
  136. echo Are we in FF cache folder? Skip to next section if not..
  137. IF NOT EXIST "cache" GOTO :IECACHE
  138. echo About to delete FF cache..
  139. CD "Cache"
  140. SET CURRENTDIR=%CD%
  141. CD ..
  142. RD /S /Q "%CURRENTDIR%"
  143. REM MD /S /Q "%CURRENTDIR%"
  144.  
  145. :IECACHE
  146. ECHO.
  147. echo Now onto IE Cache...
  148. echo Going to=%userroot%\
  149. CD %userroot%\
  150. CD
  151. :: IE cache cleanup (w/DAT preservation)
  152. COPY "%IE1Temp%\index.dat" %WorkFolder%index-%1.dat
  153. COPY "%AppLocal%\Temporary Internet Files\Content.IE5\index.dat" %WorkFolder%
  154. del /Q /F /S /A "%IE1Temp%\*.*" >nul
  155. RD /S /Q "%IE1Temp%\" >nul
  156. MD "%IE1Temp%\"
  157. ICACLS "%IE1Temp%\" /t /q /c /reset
  158. MOVE /Y %WorkFolder%index-%1.dat "%IE1Temp%\"
  159. MOVE /Y %WorkFolder%index.dat "%AppLocal%\Temporary Internet Files\Content.IE5\"
  160. RD /S /Q "%userroot%\UserData" >nul
  161. ECHO.
  162.  
  163. :: System folders cleanup
  164. echo Going to=[system folders cleanup]
  165. del /Q /F /S /A %windir%\temp\*.* >nul
  166. RD /S /Q %windir%\temp\ >nul
  167. MD %windir%\temp\
  168. ICACLS %windir%\temp /t /q /c /reset
  169. echo Going to=[prefetch,pif]
  170. del /Q /F /S /A %windir%\Prefetch\*.* >nul
  171. del /Q /F /S /A %windir%\PIF\*.* >nul
  172.  
  173. echo Going to=[recycle bin]
  174. RD /S /Q %OSRecBin%\ >NUL
  175. MD %OSRecBin%
  176. ATTRIB +H +S %OSRecBin%
  177. ICACLS %OSRecBin% /t /q /c /reset
  178. ECHO.
  179.  
  180. echo Going to=[dllcache, 32- and 64-bit sysprofiles]
  181. del /Q /F /S /A %windir%\system32\dllcache\*.* >nul
  182. del /Q /F /S /A %windir%\SysWOW64\dllcache\*.* >nul
  183. RD /S /Q "%windir%\Temporary Internet Files"
  184. RD /S /Q "%windir%\Profiles"
  185.  
  186. :: Clean up system profile garbage files
  187. echo Going to=%windir%\system32\config\systemprofile\
  188. CD /D %windir%\system32\config\systemprofile\
  189. CD
  190. echo About to clean up garbage file in system32 systemprofile
  191. del /Q /F /S /A ~*.* *.tmp *.asd *.xar *.*~ autorecovery*.* liverecovery*.* *.swf *.dmp *.log *.exe *.dll
  192. del /Q /F /S /A %windir%\system32\config\systemprofile\*.*
  193.  
  194. echo About to clean up garbage file in SysWOW64 systemprofile
  195. echo Going to=%windir%\SysWOW64\config\systemprofile\
  196. CD /D %windir%\SysWOW64\config\systemprofile\
  197. CD
  198. del /Q /F /S /A ~*.* *.tmp *.asd *.xar *.*~ autorecovery*.* liverecovery*.* *.swf *.dmp *.log *.exe *.dll
  199. del /Q /F /S /A %windir%\SysWOW64\config\systemprofile\*.*
  200. ECHO.
  201.  
  202. echo Going to=[service profiles]
  203. CD /D %windir%\ServiceProfiles
  204. CD
  205. del /Q /F /S /A ~*.* *.tmp *.asd *.xar *.*~ autorecovery*.* liverecovery*.* *.swf *.dmp *.log *.exe *.dll
  206. ECHO.
  207.  
  208. echo Going to=[sysvol]
  209. dir /s "%SystemDrive%\System Volume Information\*.*"
  210. ECHO.
  211. echo about to clean sysvol
  212. del /Q /F /S /A "%SystemDrive%\System Volume Information\*.*"
  213. RD /S /Q "%SystemDrive%\System Volume Information\_restore{D61EAD08-B79B-49F0-A861-4E6DD980D83A}\" > NUL
  214. del /Q /F /S /A Syscache.hve
  215. ECHO.
  216.  
  217. :: Delete garbage in system folders
  218. echo Going to=%windir%
  219. CD %windir%
  220. CD
  221. ECHO.
  222. del /Q /F /S /A *.tmp *.bak *.old *.dmp >nul
  223. ECHO.
  224.  
  225. echo Going to=%windir%\system32
  226. CD %windir%\system32
  227. CD
  228. del /Q /F /S /A $sys$*.* >nul
  229. RD /S /Q "%windir%\system32\$SYS$*" > NUL
  230. RD /S /Q "%windir%\system32\Program Files" > NUL
  231.  
  232. :: Only .SAM and no-extension files should usually exist in \ETC.
  233. echo Going to=%WINDIR%\SYSTEM32\DRIVERS\ETC
  234. CD %WINDIR%\SYSTEM32\DRIVERS\ETC
  235. CD
  236. ECHO.
  237. del /Q /F /S /A *.DLL *.EXE *.COM *.PIF *.SYS *.INF *.INI *.BIN *.CMD *.BAT *.REG *.OCX *.SYS *.VBS > nul
  238.  
  239. sc start %SysRestore%
  240.  
  241.  
