Reanimator. Detailed description of RNR commands.

Section [PROCESS]

Kills all processes listed in the section.

Format:

[PROCESS]

Proc_name=1

Proc_name2=1

[Proc_name]

Val=C:\WINDOWS\EXPLORER.EXE

[Proc_name2]

Val=C:\WINDOWS\notepad.EXE

A full path name is not required.

You can give only the file name, but in that case Reanimator kills every process with that name.

If the virus uses the same file name as a legitimate program (for example "explorer.exe") but is located in a different folder, use the full path name so that only the right process is killed.

Tip! Killing the "explorer.exe" process may be useful for removing some kinds of viruses that use code injection or DLL linking.

Windows automatically unloads a DLL once no process is using it.
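Added example, not part of the Reanimator documentation or the tool itself: a small Python parser for the section/subsection format used throughout this page, plus the full-path versus name-only matching rule described above. The script text and the running-process list are constructed sample data, and the function names are assumptions of this example.

```python
import ntpath


def parse_rnr(text):
    """Parse RNR script text into {section: [(key, value), ...]}; rows without '=' keep value None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            key, sep, value = line.partition("=")
            sections[current].append((key.strip(), value.strip() if sep else None))
    return sections


def process_targets(sections):
    """Resolve [PROCESS]: each Name=1 row points at a [Name] subsection whose Val is the target."""
    targets = []
    for name, flag in sections.get("PROCESS", []):
        if flag != "1":
            continue
        sub = {k.lower(): v for k, v in sections.get(name, [])}  # Val/VAL spelled either way
        if sub.get("val"):
            targets.append(sub["val"])
    return targets


def would_kill(target, image_path):
    """A bare file name matches every process with that name; a full path matches only that image."""
    if ntpath.dirname(target):
        return ntpath.normcase(target) == ntpath.normcase(image_path)
    return ntpath.normcase(target) == ntpath.normcase(ntpath.basename(image_path))


def matches(target, running):
    """Which of the running image paths a [PROCESS] target would kill."""
    return [p for p in running if would_kill(target, p)]


# Constructed sample script and process list (not taken from the page).
SCRIPT = r"""[PROCESS]
Proc_name=1
Proc_name2=1
[Proc_name]
Val=C:\WINDOWS\EXPLORER.EXE
[Proc_name2]
Val=notepad.exe
"""
RUNNING = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\Temp\explorer.exe", r"C:\WINDOWS\notepad.exe"]
```

Running `matches("explorer.exe", RUNNING)` returns both explorer images, while the full-path target returns only the legitimate one, which is the distinction the text above warns about.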

Section [SERVICES]

Stops, disables or deletes all services listed in the section.

Format:

[SERVICES]

60_Windows Kernel System Service_HKLM=1

[60_Windows Kernel System Service_HKLM]

Val=Windows Kernel System Service

Delete=1

If "Delete" is specified, the service is disabled and then an attempt is made to delete it.

Use the display name of the service, not the internal name.

The delete-service command may not work in some cases.

Note! Works on NT4/2000/XP or higher.

Section [VXD]

Stops, disables or deletes all VxD entries listed in the section.

Format:

[VXD]

60_VXD1 =1

[60_VXD1]

Val=VXD1

Note!

The VxD name is listed without the file extension.

Section [WSOCK2]

Removes the DLL listed in the Winsock2 registry key.

Format:

[WSOCK2]

WSOCKDLL =1

[WSOCKDLL]

Val=wsocker.dll

Delete=1

Note!

Use only the file name, not the full path name.

The Delete option is required.

Section [UNREGISTER_DLL]

Unregisters the DLLs in the list.

Format:

[UNREGISTER_DLL]

%WinDir%\wsocker.dll

%WinDir%\wsocker2.dll

Note!

Simple format: one row, one DLL.

Use only the full path name.

You can use the WinDir and SysDir variables.

Section [INI]

Used for changing INI files.

Format:

[INI]

1_system_ini =1

[1_system_ini]

File=c:\windows\system.ini

Section=drivers

Val=wave

Def=mmdrv.dll

Description: File points directly to the INI file. The full path is required.

Section is the section name in the INI file, for example [drivers], written without the brackets.

Val = value name

Def = default value

Section [FOLDER]

Used for deleting a file in the startup folder.

Format:

[FOLDER]

Folder1=1

[Folder1]

Folder=Path to folder

Val=File in the folder

File=Full path to any file

Note!

Section is obsolete. Use KILL_FILES instead.

Section [HOSTS]

Used for cleaning the HOSTS file.

Format:

[HOSTS]

33_192.168.13.75 matte_HKLM=1

[33_192.168.13.75 matte_HKLM]

Val=192.168.13.75 matte

Note!

"Val" points to the full row in the HOSTS file.

Section [SCHED]

Used for removing scheduled tasks.

Format:

[SCHED]

70_ScanDisk_HKCU=1

70_ScanDisk_HKLM=1

[70_ScanDisk_HKLM]

Val=ScanDisk

[70_ScanDisk_HKCU]

Val=ScanDisk
 

Note!

"Val" is a schedule task name.

Section [FILEEXT]

Used for restoring file extensions to their defaults.

Format:

[FILEEXT]

exe=1

com=1

[EXE]

Val=.exe

[com]

Val=.com

Note!

Use it only for the exe, com, pif and bat extensions.

It restores the default command line: "%1" %*

Section [DRIVERS]

Used for removing drivers/services.

Format:

[DRIVERS]

drv1=1

[drv1]

VAL=baddriver.sys

Note!

It scans the subkeys of HKLM\SYSTEM\CurrentControlSet\Services and compares each IMAGEPATH value with VAL. As soon as an IMAGEPATH includes VAL, the search stops.

In addition, it searches for the same in the LEGACY subkey.

After that it tries to delete the matching keys under the Services and Legacy subkeys.

Be very careful!
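Added example (not Reanimator's own code) showing why the IMAGEPATH rule needs care: the first ImagePath that merely contains VAL wins, so a short VAL can select a legitimate driver before the intended one. The service snapshot is constructed sample data; `safe_driver_target` is a pre-check you could run before writing the entry, not something the tool does.

```python
import ntpath

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services, service name -> ImagePath
# (example data only, listed in the alphabetical order in which the registry enumerates them).
SERVICES = {
    "Beep": r"system32\drivers\beep.sys",
    "netdriver": r"\SystemRoot\system32\DRIVERS\netdriver.sys",  # legitimate (constructed)
    "xbad": r"C:\WINDOWS\system32\drivers\driver.sys",           # malicious (constructed)
}


def first_imagepath_match(services, val):
    """The page's rule: walk the Services subkeys and stop at the first ImagePath containing VAL."""
    needle = val.lower()
    for name, image_path in services.items():
        if needle in image_path.lower():
            return name
    return None


def all_imagepath_matches(services, val):
    """Every service the substring rule could hit; more than one means the entry is ambiguous."""
    needle = val.lower()
    return [name for name, path in services.items() if needle in path.lower()]


def safe_driver_target(services, val):
    """Pre-check before writing a [DRIVERS] entry: accept VAL only if exactly one ImagePath
    has that exact file name, so a short VAL cannot silently select a legitimate driver."""
    exact = [n for n, p in services.items() if ntpath.basename(p).lower() == val.lower()]
    if len(exact) != 1:
        raise ValueError(f"VAL={val!r}: {len(exact)} exact file-name matches {exact}, refusing")
    return exact[0]
```

With VAL=driver.sys the substring rule stops at "netdriver" (the legitimate one) while the exact-name pre-check selects "xbad"; comparing the two before running the script is the careful step the note asks for.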

Section [DEL_AT_STARTUP]

Used for removing files at the next reboot.

Format:

[DEL_AT_STARTUP]

per.exe=1

[per.exe]

Val=C:\WINDOWS\system32\per.exe

Note!

It tries to delete the file immediately. In any case it also tries to kill the file at startup using both methods: PendingFileRename and Partizan.

Section [KILL_FILES]

Used for removing files at the next reboot.

Simple format. One file per row.

Format:

[KILL_FILES]

%WinDir%\virus.exe

%SysDir%\virus.exe

Note!

You can use variables WinDir, SysDir.

It tries to delete the file immediately. In any case it also tries to kill the file at startup using both methods: PendingFileRename and Partizan.

Section [REGISTRY]

Used for changing registry keys/values.

Format:

[REGISTRY]

64_gwiz_HKLM=1

37_C:\WINDOWS\system32\back.gif_HKLM=1

[64_gwiz_HKLM]

Key=\Software\Microsoft\Windows\CurrentVersion\Run

Val=gwiz

Root=HKLM

Type=0

Delete=1

Description:

Key = full path to the key name. The leading slash is required.

Root may be one of:

HKLM or HKEY_LOCAL_MACHINE

HKCU or HKEY_CURRENT_USER

HKUS or HKEY_USERS

HKCR or HKEY_CLASSES_ROOT

The "SubKey" option may be used if you need to delete a subkey.

"Delete=1" is required in this case.

Val is the value name. Not required if SubKey is used.

Type is an integer, one of:

REG_NONE ( 0 )

REG_SZ ( 1 )

REG_EXPAND_SZ ( 2 )

REG_DWORD ( 4 )

REG_MULTI_SZ ( 7 )

Type may be skipped if the value is to be deleted.

Def - default value. Used if you need to change the value.

Delete - delete the value or subkey.

If both Val and SubKey are used, only SubKey will be processed.

Section [KILL_REG_KEYS]

Used for deleting registry keys/values.

Format: simple.

One key/value per row.

[KILL_REG_KEYS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\dfrgsrv.exe

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\dfrgsrv.exe

You may use HKLM, HKEY_LOCAL_MACHINE, HKCU, HKEY_CURRENT_USER, HKUS, HKEY_USERS, HKCR, HKEY_CLASSES_ROOT.

If the row points to a key, the key is deleted.

If there is no such key, the row is split at the last backslash.

The last part is then treated as the value name.
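Added example, not from the Reanimator documentation, that encodes the [REGISTRY] rules above (root aliases, leading slash, Type codes, SubKey over Val, Delete=1 with SubKey) and the key-or-value rule of [KILL_REG_KEYS] as a planner you could run over a script before executing it. The `existing_keys` set stands in for a registry lookup and is constructed; requiring Type when setting a value is an assumption of this example.

```python
# Root aliases the page accepts, mapped to the canonical hive name.
ROOTS = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER", "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
    "HKUS": "HKEY_USERS", "HKEY_USERS": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT", "HKEY_CLASSES_ROOT": "HKEY_CLASSES_ROOT",
}
# Integer Type codes listed on the page.
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def plan_registry_entry(entry):
    """Check one [REGISTRY] subsection (dict of Key/Val/Root/Type/Def/Delete/SubKey)
    and return the single action it would perform, applying the page's precedence rules."""
    e = {k.lower(): v for k, v in entry.items()}
    if e.get("root", "").upper() not in ROOTS:
        raise ValueError(f"unknown Root {e.get('root')!r}")
    key = e.get("key", "")
    if not key.startswith("\\"):
        raise ValueError("Key must start with a leading slash")
    path = ROOTS[e["root"].upper()] + key
    delete = e.get("delete") == "1"
    if "subkey" in e:                        # SubKey wins over Val and needs Delete=1
        if not delete:
            raise ValueError("SubKey requires Delete=1")
        return ("delete_key", path + "\\" + e["subkey"])
    if "val" not in e:
        raise ValueError("Val is required unless SubKey is used")
    if delete:                               # Type may be skipped when deleting a value
        return ("delete_value", path, e["val"])
    if int(e.get("type", -1)) not in REG_TYPES:  # assumption: Type is needed to set a value
        raise ValueError("Type must be one of 0, 1, 2, 4, 7 when changing a value")
    return ("set_value", path, e["val"], REG_TYPES[int(e["type"])], e.get("def", ""))


def plan_kill_row(row, existing_keys):
    """[KILL_REG_KEYS] row: delete it as a key if it exists, otherwise the text after the
    last backslash is a value name under the remaining key (existing_keys is a constructed lookup)."""
    root, _, rest = row.partition("\\")
    full = ROOTS[root.upper()] + "\\" + rest
    if full.lower() in {k.lower() for k in existing_keys}:
        return ("delete_key", full)
    key, _, value = full.rpartition("\\")
    return ("delete_value", key, value)
```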

Section [CLEAN]

Used for cleaning a Reanimator section.

Format:

[CLEAN]

Internet Components_HKLM=1

[Internet Components_HKLM]

C:\WINDOWS\opuc.dll=1

C:\WINDOWS\system32\danim.dll=1

C:\WINDOWS\system32\ddrawex.dll=1

C:\WINDOWS\system32\GWFSPidGen.DLL=1

C:\WINDOWS\System32\iuctl.dll=1

C:\WINDOWS\System32\iuengine.dll=1

C:\WINDOWS\system32\LegitCheckControl.DLL=1

C:\WINDOWS\system32\quartz.dll=1

[Winlogon Notification_HKLM]

crypt32chain=1

cryptnet=1

cscdll=1

igfxcui=1

ScCertProp=1

Schedule=1

sclgntfy=1

SensLogn=1

termsrv=1

wlballoon=1

It clears the "Internet Components" section.

All items are deleted except those on the exclusion list.

Section [Internet Components_HKLM] contains the list of exclusions.

List of available sections:

Internet Components_HKLM=1

Winlogon Notification_HKLM=1

List of Injected DLLs_HKLM=1

Browser Helper Objects_HKLM=1

IE Extensions - All Users_=1

Explorer Bars_HKLM=1

Context menu items_=1

Hosts File Path_HKLM=1

Hosts File Contents_=1

WinSock2 Components_=1

Shell Execute Hooks_HKLM=1

Shell Services DelayLoad_HKLM=1

ActiveSetup_HKLM=1

Auto Services_=1

Drivers_=1

Registry Run_HKCU=1

Registry Run_HKLM=1

Registry RunOnce_HKCU=1

Registry RunOnce_HKLM=1

Explorer Run_HKCU=1

Explorer Run_HKLM=1

Startup Folder_=1

Common Startup Folder_=1

Scheduled Tasks_=1

Running Processes_=1

Running Services_=1

Section [DelEvery]

Used for removing a file from Windows startup.

Format: simple.

One full filepath per row.

[DelEvery]

c:\windows\system32\per.exe

It collects the full information listed in Reanimator and compares the values with the files in the DelEvery list.

Useful when we kill a file at reboot and also want its registry startup entries removed automatically.

Section [CompSettings]

Used for changing computer settings.

Format and working values:

[CompSettings]

AutoRunInf=Y

Description:

Disable autorun on all local drives.

AutoRunInf=N

Enable autorun on all local drives.

 
ProtectAutoRunInf=Y

Description: protects local hard and USB drives against the autorun.inf problem.


Section [Partizan]

Used for deleting service registry keys (subkeys under HKLM\System\CurrentControlSet\Services) using the Partizan driver.

Format:

[Partizan]

Key=Servicename

The subkey Servicename is deleted at the next reboot.

Section [CHECK_SIGN]

Used for checking whether files on the user's computer carry a Microsoft digital signature.

Format: simple

One file per row.

[CHECK_SIGN]

%SysDir%\kernel32.dll

Results will be written to the log file.

Section [CHECK_INFO]

Used for getting file version information.

Format: simple

One file per row.

[CHECK_INFO]

%SYSTEMROOT%\explorer.exe

Results will be written to the log file.

Section [GET_STRINGS]

Used for getting all strings from a file.

Format: simple

One file per row.

[GET_STRINGS]

%SYSTEMROOT%\explorer.exe

Results will be written to the log file.

Section [SEARCHT_REG]

Used for searching for information in the registry.

Format: simple

One search string per row.

[SEARCHT_REG]

virus

Results will be written to the log file.

Section [SEND]

Used for sending files to the support center.

Format: simple

One file name per row.

[SEND]

c:\windows\file.exe

Section [RESET_FILE_RIGHTS]

Used for resetting file permissions (NTFS).

Format: simple

One file name per row.

[RESET_FILE_RIGHTS]

c:\windows\file.exe
