net stop server /y (temporarily stops the server service to prevent re-infection while the system is being cleaned)

KidoKiller.exe -y (runs the sophos kidokiller and automatically removes memory resident / file resident infection… in our testing, seemed to work just as well as the MRT)

AT /Delete /Yes (deletes all AT-created scheduled tasks)

net stop “Task Scheduler” (temporarily stops the task scheduler to prevent further AT task creation until the virus has been cleared from the system)

sc stop “srservice” (stops the system restore service)

sc config “srservice” start= disabled (perminently disables the system restore service… sorry, but it sucks just for this reason)

cacls “c:\System Volume Information” /E /G %username%:F (grants full access to the “system volume information” folder on c: to the current user)
rd “c:\System Volume Information” /s /q (deletes the “system volume information” folder and any contents)

sc config “wuauserv” start= auto (resets Windows Update service to “automatic”)
sc config “bits” start= demand (resets BITS service to “manual”)
sc config “ersvc” start= auto (resets Error Reporting service to “automatic”)

net user administrator ****** (changes the admin password… use a strong alpha numeric instead of ******, of course)

reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0×1 /f (disables the policy that the virus adds at infection… you will be able to reselect “show hidden files / folders” after the policy is disabled)

reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f (completely disables autorun / autoplay from all drives… might be a bit overkill, but you can change the reg dword value to something that suits your environment better. more information below)

reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t REG_DWORD /d 0×00 /f (this is dangerous, and probably will not be a good idea for domain environments. this will kill all the administrator shares on the system… c$ may not get much used, but admin$ is very important… it may be better to take this out of the script unless you absolutely cannot clean the virus from your network environment)

WindowsXP-KB958644-x86-ENU.exe /passive /norestart (passive install for MS08-067)

WindowsXP-KB957097-x86-ENU.exe /passive /norestart (passive install for MS08-068)

WindowsXP-KB958687-x86-ENU.exe /passive /norestart (passive install for MS09-001)

windows-kb890830-v2.7.exe (runs the microsoft malicious software removal tool… quick scan is probably fine for conflicker removal… may not find anything as kidokiller already ran)

You’ll need to put the following files in the same directory:

KidoKiller.exe (from sophos)

WindowsXP-KB958644-x86-ENU.exe (MS08-067 patch)

WindowsXP-KB957097-x86-ENU.exe (MS08-068 patch)

WindowsXP-KB958687-x86-ENU.exe (MS09-001 patch)

windows-kb890830-v2.7.exe (microsoft malicious software removal tool)


Windows Shell Script
net stop server /y 
KidoKiller.exe -y 
AT /Delete /Yes 
net stop “Task Scheduler” 
sc stop “srservice” 
sc config “srservice” start= disabled  
cacls “c:\System Volume Information” /E /G %username%:F  
rd “c:\System Volume Information” /s /q 
sc config “wuauserv” start= auto 
sc config “bits” start= demand 
sc config “ersvc” start= auto 
net user administrator ****** 
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0×1 /f  
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f 
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t REG_DWORD /d 0×00 /f 
WindowsXP-KB958644-x86-ENU.exe /passive /norestart 
WindowsXP-KB957097-x86-ENU.exe /passive /norestart 
WindowsXP-KB958687-x86-ENU.exe /passive /norestart 
echo off 
echo You need to restart your computer as soon as possible!