Reanimator

Detailed description of RNR commands



Sections table
  1. PROCESS
  2. SERVICES
  3. VXD
  4. WSOCK2
  5. UNREGISTER_DLL
  6. INI
  7. FOLDER
  8. HOSTS
  9. SCHED
  10. FILEEXT
  11. DRIVERS
  12. DEL_AT_STARTUP
  13. KILL_FILES
  14. REGISTRY
  15. KILL_REG_KEYS
  16. CLEAN
  17. DELEVERY
  18. COMPSETTINGS
  19. CHECK_SIGN
  20. CHECK_INFO
  21. GET_STRINGS
  22. SEARCHT_REG
  23. SEND


Section [PROCESS]

Kills all processes listed in the section.

Format:

[PROCESS]

Proc_name=1

Proc_name2=1

[Proc_name]

Val=C:\WINDOWS\EXPLORER.EXE

[Proc_name2]

Val=C:\WINDOWS\notepad.EXE

A full path name is not required.

You can use only the file name, but in that case Reanimator will kill all processes with that name.

If the virus has the same name as a legitimate file (like "explorer.exe") but is located in a different folder, we must use the full path name.

Tip! Killing the "explorer.exe" process may be useful for removing some kinds of viruses that use code injection or DLL linking.

Windows automatically unloads a DLL when no process is using it.

 

Section [SERVICES]

Stops/Disables/Deletes all services listed in the section.

Format:

[SERVICES]

60_Windows Kernel System Service_HKLM=1

[60_Windows Kernel System Service_HKLM]

Val=Windows Kernel System Service

Delete=1

If "Delete" is specified, the service will be disabled and after that an attempt will be made to delete it.

We must use the service display name, not the internal name.

The service delete command may not work in some cases.

Note! Works on NT4/2000/XP or higher.

 

Section [VXD]

Stops/Disables/Deletes all services listed in the section.

Format:

[VXD]

60_VXD1 =1

[60_VXD1]

Val=VXD1

Note!

The VxD name is listed without file extension.

Section [WSOCK2]

Removes the DLL listed in the Winsock2 registry key.

Format:

[WSOCK2]

WSOCKDLL =1

[WSOCKDLL]

Val=wsocker.dll

Delete=1

Note!

We use only the file name, not the full path name.

The Delete option is required.

 

Section [UNREGISTER_DLL]

Unregisters the DLLs in the list.

Format:

[UNREGISTER_DLL]

%WinDir%\wsocker.dll

%WinDir%\wsocker2.dll

Note!

Simple format: one row, one DLL.

We use only the full path name.

You can use the WinDir and SysDir variables.

 

 

Section [INI]

Used for changing INI files.

Format:

[INI]

1_system_ini =1

[1_system_ini]

File=c:\windows\system.ini

Section=drivers

Val=wave

Def=mmdrv.dll

Description: File points directly to the INI file. The full path is required.

Section is the section name in the INI file, like [drivers].

Write it without the brackets.

Val = value name

Def = default value

 

Section [FOLDER] (obsolete)

Used for deleting a file in the startup folder.

Format:

[FOLDER]

Folder1=1

[Folder1]

Folder=Path to folder

Val=File in the folder

File=Full path to any file

Note!

Section is obsolete. Use KILL_FILES instead.

Section [HOSTS]

Used for clearing the HOSTS file.

Format:

[HOSTS]

33_192.168.13.75 matte_HKLM=1

[33_192.168.13.75 matte_HKLM]

Val=192.168.13.75 matte

Note!

"Val" points to the full row in the HOSTS file.

 

Section [SCHED]

Used for clearing scheduled tasks.

Format:

[SCHED]

70_ScanDisk_HKCU=1

70_ScanDisk_HKLM=1

[70_ScanDisk_HKLM]

Val=ScanDisk

[70_ScanDisk_HKCU]

Val=ScanDisk
 

Note!

"Val" is a scheduled task name.

Section [FILEEXT]

Used for restoring file extensions to default.

Format:

[FILEEXT]

exe=1

com=1

[EXE]

Val=.exe

[com]

Val=.com

Note!

Use it only for the exe, com, pif and bat extensions.

It restores the command line: "%1" %*

 

Section [DRIVERS]

Used for removing drivers/services

Format:

[DRIVERS]

drv1=1

[drv1]

VAL=baddriver.sys

Note!

It scans the HKLM\SYSTEM\CurrentControlSet\Services subkeys and compares the IMAGEPATH value with VAL. If IMAGEPATH includes VAL, the search will stop.

In addition, it will search for the same in the LEGACY subkey.

After that it will try to delete the keys under the Services and Legacy subkeys.

Be very careful!
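A pre-flight check for the two cases above where a loose Val hits more than intended: a bare file name in [PROCESS] and the "IMAGEPATH includes VAL" match in [DRIVERS]. This is an added example, not part of Reanimator or the original page; the sample script, the service table, the function names and the case-insensitive comparison are assumptions made for illustration.

```python
import ntpath

# Constructed sample script and service table (not from the page).
SAMPLE_RNR = r"""
[PROCESS]
fake_explorer=1
np=1
[fake_explorer]
Val=C:\Users\Public\explorer.exe
[np]
Val=notepad.exe
[DRIVERS]
drv1=1
[drv1]
VAL=disk.sys
"""
SERVICES = {"Disk": r"system32\drivers\disk.sys",       # name -> ImagePath
            "RamDisk": r"system32\drivers\ramdisk.sys"}

def parse_rnr(text):
    """Return {SECTION: [(key, value)]}; names upper-cased (page mixes case)."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].upper(), [])
        elif current is not None:
            key, _, value = line.partition("=")  # keys may hold ':' (C:\...)
            current.append((key.strip(), value.strip()))
    return sections

def listed_vals(sections, index):
    """Yield (item, Val) for every item named in an index section."""
    for item, _flag in sections.get(index, []):
        body = {k.upper(): v for k, v in sections.get(item.upper(), [])}
        yield item, body.get("VAL", "")

def lint(text, services):
    """Flag Vals that hit more than intended (ignoring case: an assumption)."""
    sections, findings = parse_rnr(text), []
    for item, val in listed_vals(sections, "PROCESS"):
        if "\\" not in val:  # no folder given, so every same-named process dies
            findings.append((item, f"bare name: kills every process named {val}"))
    for item, val in listed_vals(sections, "DRIVERS"):
        extra = [name for name, path in services.items()
                 if val.lower() in path.lower()
                 and ntpath.basename(path).lower() != val.lower()]
        if extra:
            findings.append((item, f"{val} also matches: {', '.join(extra)}"))
    return findings
```

With the constructed data, `lint(SAMPLE_RNR, SERVICES)` reports the `np` entry and the `drv1` entry; a service table exported from the machine being cleaned would take the place of `SERVICES`.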

 

Section [DEL_AT_STARTUP]

Used for removing files at next reboot

Format:

[DEL_AT_STARTUP]

per.exe=1

[per.exe]

Val=C:\WINDOWS\system32\per.exe

Note!

It will try to delete the file immediately. In any case, it will also try to remove the file at startup using both methods: PendingFileRename and Partizan.

 

Section [KILL_FILES]

Used for removing files at next reboot.

Simple format. One file per row.

Format:

[KILL_FILES]

%WinDir%\virus.exe

%SysDir%\virus.exe

Note!

You can use the WinDir and SysDir variables.

It will try to delete the file immediately. In any case, it will also try to remove the file at startup using both methods: PendingFileRename and Partizan.

 

Section [REGISTRY]

Used for changing registry keys/values.

Format:

[REGISTRY]

64_gwiz_HKLM=1

37_C:\WINDOWS\system32\back.gif_HKLM=1

[64_gwiz_HKLM]

Key=\Software\Microsoft\Windows\CurrentVersion\Run

Val=gwiz

Root=HKLM

Type=0

Delete=1

Description:

Key = full path to the key name. The leading slash is required.

Root may be one of:

HKLM or HKEY_LOCAL_MACHINE

HKCU or HKEY_CURRENT_USER

HKUS or HKEY_USERS

HKCR or HKEY_CLASSES_ROOT

The "SubKey" option may be used if you need to delete a subkey.

"Delete=1" is required in this case.

Val is the value name. Not required if SubKey is used.

Type is an integer. One of:

REG_NONE ( 0 )

REG_SZ ( 1 )

REG_EXPAND_SZ ( 2 )

REG_DWORD ( 4 )

REG_MULTI_SZ ( 7 )

Type may be skipped if the value is to be deleted.

Def - default value. Used if you need to change the value.

Delete - delete the value or subkey.

If both Val and SubKey are used, only SubKey will be processed.

 

Section [KILL_REG_KEYS]

Used for deleting registry keys/values.

Format: simple

One key/value per row.

[KILL_REG_KEYS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\dfrgsrv.exe

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\dfrgsrv.exe

You may use HKLM, HKEY_LOCAL_MACHINE, HKCU, HKEY_CURRENT_USER, HKUS, HKEY_USERS, HKCR, HKEY_CLASSES_ROOT.

If the row points to a key, the key will be deleted.

If there is no such key, it will look for the last slash in the row.

The part after that slash is treated as the value name.
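The key-first, value-second rule described above, written out as a dry run so each row can be checked before the script is used. This is an added example, not Reanimator's own code; the registry snapshot, the Demo key and the function names are constructed for illustration.

```python
# Root abbreviations accepted by [KILL_REG_KEYS], as listed above.
ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKUS": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}

# Constructed registry snapshot: key path -> value names under that key.
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run"
SNAPSHOT = {
    RUN: {"wininet.dll"},
    r"HKEY_CURRENT_USER\Software\Demo": {"Updater"},          # value "Updater"
    r"HKEY_CURRENT_USER\Software\Demo\Updater": {"Path"},     # subkey "Updater"
}

def resolve(row, snapshot):
    """Return (kind, key, value_name) for one row; kind is 'key', 'value'
    or 'missing'. Registry names compare case-insensitively."""
    root, _, rest = row.strip().partition("\\")
    full = ROOTS.get(root.upper(), root) + "\\" + rest
    keys = {k.lower(): k for k in snapshot}
    if full.lower() in keys:                    # rule 1: the row names a key
        return ("key", keys[full.lower()], None)
    parent, _, name = full.rpartition("\\")     # rule 2: split at the last slash
    real_parent = keys.get(parent.lower())
    if real_parent and name.lower() in {v.lower() for v in snapshot[real_parent]}:
        return ("value", real_parent, name)
    return ("missing", parent, name)

def plan(rows, snapshot):
    """Dry-run a whole [KILL_REG_KEYS] section against the snapshot."""
    return [resolve(r, snapshot) for r in rows if r.strip()]
```

In the snapshot, `Demo` holds both a value and a subkey named `Updater`; the row `HKCU\Software\Demo\Updater` resolves to the key, so the value of the same name is not what gets deleted.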

 

Section [CLEAN]

Used for clearing a Reanimator section.

Format:

[CLEAN]

Internet Components_HKLM=1

[Internet Components_HKLM]

C:\WINDOWS\opuc.dll=1

C:\WINDOWS\system32\danim.dll=1

C:\WINDOWS\system32\ddrawex.dll=1

C:\WINDOWS\system32\GWFSPidGen.DLL=1

C:\WINDOWS\System32\iuctl.dll=1

C:\WINDOWS\System32\iuengine.dll=1

C:\WINDOWS\system32\LegitCheckControl.DLL=1

C:\WINDOWS\system32\quartz.dll=1

[Winlogon Notification_HKLM]

crypt32chain=1

cryptnet=1

cscdll=1

igfxcui=1

ScCertProp=1

Schedule=1

sclgntfy=1

SensLogn=1

termsrv=1

wlballoon=1

It will clear the "Internet Components" section.

All items will be deleted except those in the exclusion list.

Section [Internet Components_HKLM] contains the list of exclusions.

List of available sections:

Internet Components_HKLM=1

Winlogon Notification_HKLM=1

List of Injected DLLs_HKLM=1

Browser Helper Objects_HKLM=1

IE Extensions - All Users_=1

Explorer Bars_HKLM=1

Context menu items_=1

Hosts File Path_HKLM=1

Hosts File Contents_=1

WinSock2 Components_=1

Shell Execute Hooks_HKLM=1

Shell Services DelayLoad_HKLM=1

ActiveSetup_HKLM=1

Auto Services_=1

Drivers_=1

Registry Run_HKCU=1

Registry Run_HKLM=1

Registry RunOnce_HKCU=1

Registry RunOnce_HKLM=1

Explorer Run_HKCU=1

Explorer Run_HKLM=1

Startup Folder_=1

Common Startup Folder_=1

Scheduled Tasks_=1

Running Processes_=1

Running Services_=1

 

Section [DelEvery]

Used for removing a file from Windows startup.

Format: simple.

One full filepath per row.

[DelEvery]

c:\windows\system32\per.exe

It collects the full information listed in Reanimator and compares the values with the files in the DelEvery list.

Useful when a file is deleted at reboot and we also want its registry startup entries removed automatically.

 

Section [CompSettings]

Used for changing computer settings.

Format and working values:

[CompSettings]

AutoRunInf=Y

Description:

Disable autorun on all local drives.

AutoRunInf=N

Enable autorun on all local drives.

 
ProtectAutoRunInf=Y

Description: Protects local hard drives and USB drives against the autorun.inf problem.

 
Section [Partizan]

Used for deleting service registry keys (subkeys under HKLM\System\CurrentControlSet\Services) using the Partizan driver.

Format:

[Partizan]

Key=Servicename

The Servicename subkey will be deleted at the next reboot.

 

Section [CHECK_SIGN]

Used for checking whether files on the user's computer are signed with a Microsoft digital signature.

Format: simple

One file per row.

[CHECK_SIGN]

%SysDir%\kernel32.dll

Results will be written to the log file.

 

Section [CHECK_INFO]

Used for getting file version information.

Format: simple

One file per row.

[CHECK_INFO]

%SYSTEMROOT%\explorer.exe

Results will be written to the log file.

 

Section [GET_STRINGS]

Used for getting all strings from a file.

Format: simple

One file per row.

[GET_STRINGS]

%SYSTEMROOT%\explorer.exe

Results will be written to the log file.

 

Section [SEARCHT_REG]

Used for searching for information in the registry.

Format: simple

One search string per row.

[SEARCHT_REG]

virus

Results will be written to the log file.

Section [SEND]

Used for sending files to the support center.

Format: simple

One file name per row.

[SEND]

c:\windows\file.exe

Section [RESET_FILE_RIGHTS]

Used for resetting file permissions (NTFS).

Format: simple

One file name per row.

[RESET_FILE_RIGHTS]

c:\windows\file.exe


