Kills all processes listed in the section.
Format:
Proc_name=1
Proc_name2=1
[Proc_name]
Val=C:\WINDOWS\EXPLORER.EXE
[Proc_name2]
Val=C:\WINDOWS\notepad.EXE
The full path name is not required.
You can use only the file name, but in that case Reanimator kills all processes with the same name.
If the virus has the same name as a good file (like "explorer.exe") but is located in a different folder, the full path name must be used so that only the malicious copy is killed.
Tip! Killing the "explorer.exe" process may be useful for removing some kinds of viruses that use code injection or DLL linking.
Windows automatically unloads a DLL once no process uses it any more.
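The script layout used throughout this page is two-level: a section lists entries as Name=1, and each enabled name points at its own [Name] block carrying a Val. The following added example (not Reanimator's code) parses that layout and applies the process-matching rule described above: a Val holding a full path selects one exact image, a Val holding a bare file name selects every running process with that file name. The process snapshot is constructed, and [PROCESSES] is a placeholder header because the page does not show the real one.

```python
"""Resolve Reanimator's Name=1 -> [Name] layout and apply the full-path versus
file-name matching rule for process killing.  Added example, not Reanimator
code.  [PROCESSES] is a placeholder section header."""
import configparser
import ntpath

# Constructed sample script.  The page does not show the real section header,
# so [PROCESSES] is a placeholder.
SAMPLE_SCRIPT = r"""
[PROCESSES]
Proc_name=1
Proc_name2=1
Proc_name3=0
[Proc_name]
Val=C:\WINDOWS\EXPLORER.EXE
[Proc_name2]
Val=notepad.exe
[Proc_name3]
Val=calc.exe
"""

# Constructed process snapshot: (pid, full image path).
SAMPLE_PROCESSES = [
    (1200, r"C:\WINDOWS\explorer.exe"),
    (2048, r"C:\Temp\explorer.exe"),             # same name, different folder
    (3100, r"C:\WINDOWS\notepad.exe"),
    (3200, r"C:\Users\user\Desktop\notepad.exe"),
    (4000, r"C:\WINDOWS\system32\calc.exe"),
]


def load_script(text):
    """Parse the INI-like script.  Only '=' separates keys from values (paths
    contain ':'), '%' is literal (no interpolation) and key case is kept."""
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def enabled_entries(cp, section):
    """Yield (name, block) for every Name=1 row whose [Name] block exists."""
    for name, flag in cp.items(section):
        if flag != "1":
            continue                     # Name=0 (or a bare row): skip it
        if not cp.has_section(name):
            raise ValueError(f"{name}=1 but there is no [{name}] block")
        yield name, dict(cp.items(name))


def matches(entry_val, image_path):
    """Full path in Val: exact, case-insensitive match on the whole path.
    Bare file name in Val: case-insensitive match on the file name only."""
    if "\\" in entry_val:
        return entry_val.lower() == image_path.lower()
    return entry_val.lower() == ntpath.basename(image_path).lower()


def processes_to_kill(script_text, processes, section="PROCESSES"):
    """Return (entry name, pid, path) for each process an enabled entry selects."""
    cp = load_script(script_text)
    hits = []
    for name, block in enabled_entries(cp, section):
        val = block.get("Val")
        if not val:
            raise ValueError(f"[{name}] has no Val")
        hits.extend((name, pid, path) for pid, path in processes if matches(val, path))
    return hits


if __name__ == "__main__":
    for hit in processes_to_kill(SAMPLE_SCRIPT, SAMPLE_PROCESSES):
        print(hit)
```

With the constructed snapshot, the full-path entry selects only the copy under C:\WINDOWS, while the bare-name entry selects both notepad.exe processes, which is exactly the behaviour the note above warns about.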
Stops, disables or deletes all services listed in the section.
Format:
[SERVICES]
60_Windows Kernel System Service_HKLM=1
[60_Windows Kernel System Service_HKLM]
Val=Windows Kernel System Service
Delete=1
If "Delete" is specified, the service is disabled first and then an attempt is made to delete it.
The display name of the service must be used, not the internal name.
The delete service command may not work in some cases.
Note! Works on NT4/2000/XP or higher.
Stops, disables or deletes all services listed in the section.
Format:
[VXD]
60_VXD1=1
[60_VXD1]
Val=VXD1
Note!
The VxD name is listed without file extension.
Removes the DLL listed in the Winsock2 registry key.
Format:
[WSOCK2]
WSOCKDLL=1
[WSOCKDLL]
Val=wsocker.dll
Delete=1
Note!
Only the file name is used, not the full path name.
The Delete option is required.
Unregisters the DLLs in the list.
Format:
[UNREGISTER_DLL]
%WinDir%\wsocker.dll
%WinDir%\wsocker2.dll
Note!
Simple format: one row, one DLL.
Only the full path name is used.
You can use the WinDir and SysDir variables.
Used for changing INI files.
Format:
[SERVICES]
1_system_ini=1
[1_system_ini]
File=c:\windows\system.ini
Section=drivers
Val=wave
Def=mmdrv.dll
Description: File points directly to the INI file. The full path is required.
Section is the section name in the INI file, such as drivers for [drivers]; write it without brackets.
Val is the value name.
Def is the default value.
Used for deleting a file in the startup folder.
Format:
[FOLDER]
Folder1=1
[Folder1]
Folder=Path to folder
Val=File in the folder
File=Full path to any file
Note!
Section is obsolete. Use KILL_FILES instead.
Used for clearing the HOSTS file.
Format:
[HOSTS]
33_192.168.13.75 matte_HKLM=1
[33_192.168.13.75 matte_HKLM]
Val=192.168.13.75 matte
Note!
"Val" is the full row in the HOSTS file.
Used for removing scheduled tasks.
Format:
[SCHED]
70_ScanDisk_HKCU=1
70_ScanDisk_HKLM=1
[70_ScanDisk_HKLM]
Val=ScanDisk
[70_ScanDisk_HKCU]
Val=ScanDisk
Note!
"Val" is the scheduled task name.
Used for restoring file extensions to their defaults.
Format:
[FILEEXT]
exe=1
com=1
[EXE]
Val=.exe
[com]
Val=.com
Note!
Use it only for the exe, com, pif and bat extensions.
It restores the default command line: "%1" %*
Used for removing drivers/services.
Format:
[DRIVERS]
drv1=1
[drv1]
VAL=baddriver.sys
Note!
It scans the HKLM\SYSTEM\CurrentControlSet\Services subkeys and compares the IMAGEPATH value with VAL. If IMAGEPATH includes VAL, the search stops.
In addition, it searches for the same match in the LEGACY subkey.
After that it tries to delete the matching keys under the Services and LEGACY subkeys.
Be very careful!
Used for removing files at the next reboot.
Format:
[DEL_AT_STARTUP]
per.exe=1
[per.exe]
Val=C:\WINDOWS\system32\per.exe
Note!
It tries to delete the file immediately. In any case it also schedules the file for deletion at startup using both methods: PendingFileRename and Partizan.
Used for removing files at the next reboot.
Simple format: one file per row.
Format:
[KILL_FILES]
%WinDir%\virus.exe
%SysDir%\virus.exe
Note!
You can use the WinDir and SysDir variables.
It tries to delete the file immediately. In any case it also schedules the file for deletion at startup using both methods: PendingFileRename and Partizan.
Used for changing registry keys/values.
Format:
[REGISTRY]
64_gwiz_HKLM=1
37_C:\WINDOWS\system32\back.gif_HKLM=1
[64_gwiz_HKLM]
Key=\Software\Microsoft\Windows\CurrentVersion\Run
Val=gwiz
Root=HKLM
Type=0
Delete=1
Description:
Key = full path to the key name. The leading backslash is required.
Root may be one of the following:
HKLM or HKEY_LOCAL_MACHINE
HKCU or HKEY_CURRENT_USER
HKUS or HKEY_USERS
HKCR or HKEY_CLASSES_ROOT
The option "SubKey" may be used if you need to delete a subkey.
"Delete=1" is required in this case.
Val is the value name. Not required if SubKey is used.
Type is an integer, one of the following:
REG_NONE ( 0 )
REG_SZ ( 1 )
REG_EXPAND_SZ ( 2 )
REG_DWORD ( 4 )
REG_MULTI_SZ ( 7 )
Type may be skipped if the value is to be deleted.
Def - the default value. Used if you need to change the value.
Delete - deletes the value or subkey.
If both Val and SubKey are used, only SubKey is processed.
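The rules above (leading backslash, root aliases, integer types, SubKey only with Delete=1, Val ignored when SubKey is present, Type optional for deletions) are easy to get wrong by hand, so here is an added example that checks a [REGISTRY] section against them before anything is applied. This is not Reanimator's code; the sample script is constructed, with the gwiz entry taken from the page and two further entries added to exercise a value change and a rejected block.

```python
"""Parse a Reanimator [REGISTRY] section and validate each block against the
documented rules.  Added example, not Reanimator code; sample is constructed."""
import configparser

ROOT_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",  "HKEY_CURRENT_USER":  "HKEY_CURRENT_USER",
    "HKUS": "HKEY_USERS",         "HKEY_USERS":         "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT",  "HKEY_CLASSES_ROOT":  "HKEY_CLASSES_ROOT",
}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed sample: the first block is the page's own example, the other two
# are added to show a value change and a block that breaks two rules.
SAMPLE_SCRIPT = r"""
[REGISTRY]
64_gwiz_HKLM=1
restore_shell_HKLM=1
bad_subkey_HKCU=1
[64_gwiz_HKLM]
Key=\Software\Microsoft\Windows\CurrentVersion\Run
Val=gwiz
Root=HKLM
Type=0
Delete=1
[restore_shell_HKLM]
Key=\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Val=Shell
Root=HKEY_LOCAL_MACHINE
Type=1
Def=Explorer.exe
[bad_subkey_HKCU]
Key=Software\Constructed\Run
SubKey=leftover
Root=HKCU
"""


def load_script(text):
    """INI parser tuned for this format: '=' only, literal '%', key case kept."""
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def validate_entry(name, block):
    """Return (operation, None) for a valid block or (None, errors) otherwise."""
    errors = []
    key = block.get("Key") or ""
    if not key.startswith("\\"):
        errors.append("Key must start with a backslash")
    root = ROOT_ALIASES.get((block.get("Root") or "").upper())
    if root is None:
        errors.append("Root must be HKLM/HKCU/HKUS/HKCR or the long form")
    subkey = block.get("SubKey")
    delete = block.get("Delete") == "1"
    op = {"name": name, "root": root, "key": key.lstrip("\\")}
    if subkey:                                   # SubKey wins over Val
        if not delete:
            errors.append("SubKey requires Delete=1")
        op.update(action="delete_subkey", subkey=subkey)
    elif delete:                                 # Type may be skipped here
        if not block.get("Val"):
            errors.append("Val is required when no SubKey is given")
        op.update(action="delete_value", value=block.get("Val"))
    else:                                        # change a value: Type and Def needed
        if not block.get("Val"):
            errors.append("Val is required when no SubKey is given")
        try:
            rtype = REG_TYPES[int(block["Type"])]
        except (KeyError, ValueError, TypeError):
            rtype = None
            errors.append("Type must be one of 0, 1, 2, 4, 7")
        if block.get("Def") is None:
            errors.append("Def is required to change a value")
        op.update(action="set_value", value=block.get("Val"), type=rtype, data=block.get("Def"))
    return (op, None) if not errors else (None, errors)


def parse_registry_section(text):
    """Return (list of validated operations, {block name: [errors]})."""
    cp = load_script(text)
    ops, errors = [], {}
    for name, flag in cp.items("REGISTRY"):
        if flag != "1":
            continue
        if not cp.has_section(name):
            errors[name] = [f"no [{name}] block"]
            continue
        op, errs = validate_entry(name, dict(cp.items(name)))
        if errs:
            errors[name] = errs
        else:
            ops.append(op)
    return ops, errors


if __name__ == "__main__":
    ops, errors = parse_registry_section(SAMPLE_SCRIPT)
    for op in ops:
        print("OK   ", op)
    for name, errs in errors.items():
        print("SKIP ", name, errs)
```

The validator rejects the third block for two reasons (no leading backslash, SubKey without Delete=1) and would leave it unapplied; the other two blocks come back as a value deletion and a REG_SZ value change.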
Used for deleting registry keys/values.
Format: simple.
One key/value per row.
[KILL_REG_KEYS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\dfrgsrv.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\dfrgsrv.exe
You may use HKLM or HKEY_LOCAL_MACHINE, HKCU or HKEY_CURRENT_USER, HKUS or HKEY_USERS, HKCR or HKEY_CLASSES_ROOT.
If the row points to an existing key, the key is deleted.
If there is no such key, the row is split at the last backslash.
The part before it is the key and the last part is the value name.
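The key-or-value rule above depends on what exists in the registry at run time, which makes a row's effect worth previewing. The following added example (not Reanimator's code) resolves [KILL_REG_KEYS] rows exactly as described: normalise the root alias, delete the key if it exists, otherwise split at the last backslash into key and value name. The live registry is stood in for by a constructed set of existing keys, and the fifth row is constructed to show the whole-key case.

```python
"""Resolve [KILL_REG_KEYS] rows into key or value deletions.  Added example,
not Reanimator code.  EXISTING_KEYS is a constructed stand-in for the registry."""

ROOT_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",  "HKEY_CURRENT_USER":  "HKEY_CURRENT_USER",
    "HKUS": "HKEY_USERS",         "HKEY_USERS":         "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT",  "HKEY_CLASSES_ROOT":  "HKEY_CLASSES_ROOT",
}

# Constructed stand-in for the registry: (root, lower-cased key path) that exist.
EXISTING_KEYS = {
    ("HKEY_LOCAL_MACHINE", r"software\microsoft\windows\currentversion\policies\explorer\run"),
    ("HKEY_CURRENT_USER",  r"software\microsoft\windows\currentversion\policies\explorer\run"),
    ("HKEY_CURRENT_USER",  r"software\constructed\leftover"),   # a whole key to remove
}

# The first four rows are the page's own; the last one is constructed.
SAMPLE_ROWS = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\dfrgsrv.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\dfrgsrv.exe
HKEY_CURRENT_USER\Software\Constructed\Leftover
"""


def key_exists(root, key, existing=EXISTING_KEYS):
    """Registry key paths are case-insensitive, so compare lower-cased."""
    return (root, key.lower()) in existing


def resolve_row(row, exists=key_exists):
    """Turn one row into a delete_key or delete_value operation."""
    root_alias, sep, rest = row.strip().partition("\\")
    if not sep or root_alias.upper() not in ROOT_ALIASES:
        raise ValueError(f"row has no recognised root: {row!r}")
    root = ROOT_ALIASES[root_alias.upper()]
    if exists(root, rest):
        return {"action": "delete_key", "root": root, "key": rest}
    # No such key: everything after the last backslash is the value name.
    # Note that a mistyped key therefore becomes a value deletion attempt.
    key, sep, value = rest.rpartition("\\")
    if not sep:
        raise ValueError(f"row names neither an existing key nor a value: {row!r}")
    return {"action": "delete_value", "root": root, "key": key, "value": value}


def resolve_rows(text, exists=key_exists):
    """Resolve every non-empty row of a [KILL_REG_KEYS] body."""
    return [resolve_row(r, exists) for r in text.splitlines() if r.strip()]


if __name__ == "__main__":
    for op in resolve_rows(SAMPLE_ROWS):
        print(op)
```

Because the page's four rows name values under an existing policies\explorer\run key, they resolve to value deletions; the constructed fifth row names a key that exists and resolves to a key deletion.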
Used for clearing a Reanimator section.
Format:
[CLEAN]
Internet Components_HKLM=1
[Internet Components_HKLM]
C:\WINDOWS\opuc.dll=1
C:\WINDOWS\system32\danim.dll=1
C:\WINDOWS\system32\ddrawex.dll=1
C:\WINDOWS\system32\GWFSPidGen.DLL=1
C:\WINDOWS\System32\iuctl.dll=1
C:\WINDOWS\System32\iuengine.dll=1
C:\WINDOWS\system32\LegitCheckControl.DLL=1
C:\WINDOWS\system32\quartz.dll=1
[Winlogon Notification_HKLM]
crypt32chain=1
cryptnet=1
cscdll=1
igfxcui=1
ScCertProp=1
Schedule=1
sclgntfy=1
SensLogn=1
termsrv=1
wlballoon=1
It clears the "Internet Components" section.
All items are deleted except those on the exclusion list.
Section [Internet Components_HKLM] contains the list of exclusions.
List of available sections:
Internet Components_HKLM=1
Winlogon Notification_HKLM=1
List of Injected DLLs_HKLM=1
Browser Helper Objects_HKLM=1
IE Extensions - All Users_=1
Explorer Bars_HKLM=1
Context menu items_=1
Hosts File Path_HKLM=1
Hosts File Contents_=1
WinSock2 Components_=1
Shell Execute Hooks_HKLM=1
Shell Services DelayLoad_HKLM=1
ActiveSetup_HKLM=1
Auto Services_=1
Drivers_=1
Registry Run_HKCU=1
Registry Run_HKLM=1
Registry RunOnce_HKCU=1
Registry RunOnce_HKLM=1
Explorer Run_HKCU=1
Explorer Run_HKLM=1
Startup Folder_=1
Common Startup Folder_=1
Scheduled Tasks_=1
Running Processes_=1
Running Services_=1
Used for removing a file from Windows startup.
Format: simple.
One full file path per row.
[DelEvery]
c:\windows\system32\per.exe
It collects the full information listed by Reanimator and compares the values with the files in the DelEvery list.
Useful when we kill a file at reboot and want its registry startup entries removed automatically as well.
Used for changing computer settings.
Format and working values:
[CompSettings]
AutoRunInf=Y
Description:
Disables autorun on all local drives.
AutoRunInf=N
Enables autorun on all local drives.
ProtectAutoRunInf=Y
Description: protects local hard and USB drives against the autorun.inf problem.
Used for deleting service registry keys (subkeys under HKLM\System\CurrentControlSet\Services) using the Partizan driver.
Format:
[Partizan]
Key=Servicename
The subkey Servicename will be deleted at the next reboot.
Used for checking whether files on the user's computer are signed with a Microsoft digital signature.
Format: simple.
One file per row.
[CHECK_SIGN]
%SysDir%\kernel32.dll
Results will be written to the log file.
Used for getting file version information.
Format: simple
One file per row.
[CHECK_INFO]
%SYSTEMROOT%\explorer.exe
Results will be written to the log file.
Used for getting all strings from a file.
Format: simple
One file per row.
[GET_STRINGS]
%SYSTEMROOT%\explorer.exe
Results will be written to the log file.
Used for searching for information in the registry.
Format: simple
One search string per row.
[SEARCHT_REG]
virus
Results will be written to the log file.
Used for sending files to the support center.
Format: simple
One file name per row.
[SEND]
c:\windows\file.exe
Used for resetting file permissions (NTFS).
Format: simple
One file name per row.
[RESET_FILE_RIGHTS]
c:\windows\file.exe