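@ECHO OFF
REM DBFIX - DelphiBot removal helper for Windows 2000 / Windows XP.
REM Flow: OS check -> Y/N prompt -> stage renamed copies of find/findstr/regedit
REM (dnif.exe, rtsdnif.exe, editreg.exe; presumably so a process-name based block
REM by the bot does not stop them - not verifiable from this file) -> locate the
REM bot binary in %systemroot%\system32 and its HKLM\...\Run value -> back up,
REM remove, repair HOSTS and SafeBoot -> write and open DBFIX_Report.txt.
REM Runs from its own folder; all work files (Test*.txt, find*.txt, check*.txt,
REM file*.txt, Repair*.reg, RemLat*.txt) live there and are deleted on exit.
REM NOTE(review): the copy this was restored from had lost every "<file>" input
REM redirection on the find checks (they read as `dnif.exe /I "."NUL`). They are
REM reinstated below from context (the file the same line guards with IF EXIST,
REM or the file written just before and never otherwise read) - confirm against
REM an original copy of the script.
TITLE DBFIX
color 1F
REM Work from the script's directory; /d also switches drive if needed.
cd /d "%~dps0"
REM NOTE(review): no :Second label exists in this file, so this branch (and the
REM F answer below) aborts cmd with "cannot find the batch label" if taken.
if /I "%~1"=="/second" goto Second

REM Supported only on Windows XP and Windows 2000; anything else exits.
set TypeOS=
ver|%systemroot%\system32\find.exe "Windows XP">nul && set TypeOS=XP
ver|%systemroot%\system32\find.exe "Windows 2000">nul && set TypeOS=W2K
if not defined TypeOS goto End

:mbotStart
set update=Version 1.005
echo.
echo.
echo *** DelphiBot Fix %update% ***
echo.
echo.
echo.
echo DBFIX was developed with the greatest attention to detail,
echo However, Use of this program is at your own discretion.
echo The program is provided "as is" without warranty of any kind.
echo.
echo.
echo Backups will be made of registry entries and files before they are removed
echo.
echo Type Y to run DBFIX or N to exit
echo.
echo.
echo.
echo.
echo.
echo.
echo.
REM Clear any inherited value first: set /p leaves the variable untouched on an
REM empty answer, so a stale Choice in the environment could skip the prompt.
set Choice=
set /p Choice=Type Y to Start or N to Exit....
REM Quoted, case-insensitive compares: an answer containing spaces or brackets
REM would make the [..]==[..] form a syntax error. Any other answer exits.
if /I "%Choice%"=="Y" goto msnbotfix
if /I "%Choice%"=="N" goto End
if /I "%Choice%"=="F" goto Second
goto End

:msnbotfix
REM Remove work files left by an earlier run.
IF EXIST test* del/q test* >nul
IF EXIST find*.txt del/q find*.txt >nul
IF EXIST check*.txt del/q check*.txt >nul
cls
ECHO.
ECHO Checking For Trojan File and Run Value
ECHO.
REM Stage renamed tool copies: system32 first, then the dllcache copy, then the
REM bundled replacement. CSweg.exe is a copy of the bundled swreg.exe.
IF NOT EXIST "%cd%\dnif.exe" COPY /Y "%systemroot%\system32\find.exe" "%cd%\dnif.exe">nul
IF NOT EXIST "%cd%\dnif.exe" COPY /Y "%systemroot%\system32\dllcache\find.exe" "%cd%\dnif.exe">nul
IF NOT EXIST "%cd%\rtsdnif.exe" COPY /Y "%systemroot%\system32\findstr.exe" "%cd%\rtsdnif.exe">nul
IF NOT EXIST "%cd%\rtsdnif.exe" COPY /Y "%systemroot%\system32\dllcache\findstr.exe" "%cd%\rtsdnif.exe">nul
IF NOT EXIST "%cd%\editreg.exe" COPY /Y "%systemroot%\regedit.exe" "%cd%\editreg.exe">nul
IF NOT EXIST "%cd%\editreg.exe" COPY /Y "%systemroot%\system32\dllcache\regedit.exe" "%cd%\editreg.exe">nul
IF NOT EXIST "%cd%\editreg.exe" COPY /Y "%cd%\apps\replace\regedit.exe" "%cd%\editreg.exe">nul
IF NOT EXIST "%cd%\apps\CSweg.exe" COPY /Y "%cd%\apps\swreg.exe" "%cd%\apps\CSweg.exe">nul
REM Start with clean work files; keep the previous report as _old.
IF EXIST test* del/q test* >nul
IF EXIST repair*.reg del/q repair*.reg >nul
IF EXIST find*.txt del/q find*.txt >nul
IF EXIST check*.txt del/q check*.txt >nul
IF EXIST DBFIX_Report_old.txt del /q DBFIX_Report_old.txt >nul
IF EXIST DBFIX_Report.txt ren DBFIX_Report.txt DBFIX_Report_old.txt >nul
REM Replace AUTOEXEC.NT / Config.nt / Command.com from the bundled per-OS copies
REM when missing; each replacement is noted in filecheck.txt for the report.
ver|dnif.exe /I "Windows XP">nul && (
  if not exist "%windir%\system32\AUTOEXEC.NT" copy "%cd%\apps\replace\XP\AUTOEXEC.NT" "%windir%\system32\AUTOEXEC.NT">NUL && echo Replaced file missing AUTOEXEC.NT>>filecheck.txt
  if not exist "%windir%\system32\Config.nt" copy "%cd%\apps\replace\XP\Config.nt" "%windir%\system32\Config.nt">NUL && echo Replaced missing Config.nt>>filecheck.txt
  if not exist "%windir%\system32\Command.com" copy "%cd%\apps\replace\XP\Command.com" "%windir%\system32\Command.com">NUL && echo Replaced missing Command.com>>filecheck.txt
)
ver|dnif.exe /I "Windows 2000">nul && (
  if not exist "%windir%\system32\AUTOEXEC.NT" copy "%cd%\apps\replace\W2K\AUTOEXEC.NT" "%windir%\system32\AUTOEXEC.NT">NUL && echo Replaced missing AUTOEXEC.NT>>filecheck.txt
  if not exist "%windir%\system32\Config.nt" copy "%cd%\apps\replace\W2K\Config.nt" "%windir%\system32\Config.nt">NUL && echo Replaced missing Config.nt>>filecheck.txt
  if not exist "%windir%\system32\Command.com" copy "%cd%\apps\replace\W2K\Command.com" "%windir%\system32\Command.com">NUL && echo Replaced missing Command.com>>filecheck.txt
)
REM Lift the registry-tools lockout so the repair .reg can be imported later.
apps\Csweg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System" /v DisableRegistryTools >nul
apps\Csweg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System" /v DisableRegistryTools >nul
REM Snapshot of the HKLM Run key; candidate file names are looked up in it below.
apps\Csweg.exe export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" CheckRunsa.txt
REM Candidate files: system32 .exe files passing the bundled locate tool's
REM attribute (/A:) and size (/s:) filters, one path per line.
apps\locate "%systemroot%\system32\*.exe" /A:D-H+ /s:30000,110000 /n /nr /O:"&W"|dnif.exe /I ".exe">TestIRCBotDelphi1a.txt
IF EXIST TestIRCBotDelphi1a.txt dnif.exe /I "."<TestIRCBotDelphi1a.txt>NUL && for /f "tokens=*" %%a in (TestIRCBotDelphi1a.txt) do ECHO %%~a>>TestIRCBotDelphi2a.txt
REM Keep files whose content matches either marker pair ("00000000" then
REM "Delphi", or "QQQQQS3" then "AVP.Tray"). Both chains append to
REM TestIRCBotDelphi4a.txt: `>>` on the 3b line always creates that file, so a
REM `>` here would discard the first chain's hits.
IF EXIST TestIRCBotDelphi2a.txt rtsdnif.exe /m /f:TestIRCBotDelphi2a.txt "00000000">>TestIRCBotDelphi3a.txt 2>nul
IF EXIST TestIRCBotDelphi3a.txt rtsdnif.exe /m /f:TestIRCBotDelphi3a.txt "Delphi">>TestIRCBotDelphi4a.txt 2>nul
IF EXIST TestIRCBotDelphi2a.txt rtsdnif.exe /m /f:TestIRCBotDelphi2a.txt "QQQQQS3">>TestIRCBotDelphi3b.txt 2>nul
IF EXIST TestIRCBotDelphi3b.txt rtsdnif.exe /m /f:TestIRCBotDelphi3b.txt "AVP.Tray">>TestIRCBotDelphi4a.txt 2>nul
REM For each candidate, take its base name (token 4 of e.g. C:\WINDOWS\system32\
REM name.exe - assumes %systemroot% is one level deep) and look for a matching
REM Run value; on a hit record the file for removal. Results append so a second
REM candidate does not overwrite the first.
IF EXIST TestIRCBotDelphi4a.txt dnif.exe /I "."<TestIRCBotDelphi4a.txt>NUL && for /f "tokens=4 delims=\." %%b in (TestIRCBotDelphi4a.txt) do dnif.exe /I "%%b.exe"<CheckRunsa.txt>>TestIRCBotDelphiRun1a.txt && IF EXIST %systemroot%\system32\%%b.exe echo %systemroot%\system32\%%b.exe>>RemLat2a.txt
REM Build the repair .reg: drop the regedit lock and delete each found Run value
REM (the value name is the part before "=" in the exported line).
IF EXIST TestIRCBotDelphiRun1a.txt dnif.exe /I "."<TestIRCBotDelphiRun1a.txt>NUL && (
  >RepairDelphiBota.reg (
    echo Windows Registry Editor Version 5.00
    echo.
    echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system]
    echo "DisableRegistryTools"=-
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  )
  for /f "tokens=1 delims==" %%e in (TestIRCBotDelphiRun1a.txt) do (
    echo %%e=->>RepairDelphiBota.reg
    echo.>>RepairDelphiBota.reg
    echo %%e>>TestBotDelphi.txt
  )
)
REM SafeBoot snapshot, checked below for its expected entries.
apps\Csweg.exe QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" /s>TESTsboot1.txt
time /t>CurrentT.txt 2>NUL
For /f "tokens=*" %%b in (CurrentT.txt) do Call Set cctime=%%b
del /q CurrentT.txt >NUL
REM Report, part 1: what was found.
>DBFIX_Report.txt (
  echo.
  echo DBFix %update%
  echo Run on %date% @ %cctime%
  echo.
  IF EXIST filecheck.txt TYPE filecheck.txt
  echo.
  IF EXIST RemLat2a.txt echo DelfBot File Found:
  IF EXIST RemLat2a.txt dnif.exe /I "."<RemLat2a.txt>NUL && For /f "tokens=*" %%C in (RemLat2a.txt) do echo %%C
  IF NOT EXIST RemLat2a.txt ECHO No DelfBot Files Found
  ECHO.
  IF EXIST RepairDelphiBota.reg echo DelfBot Run Value Found:
  IF EXIST RepairDelphiBota.reg dnif.exe /I "HKEY"<RepairDelphiBota.reg>NUL && For /f "tokens=*" %%f in (TestBotDelphi.txt) do echo HKLM~\Run %%f
  IF NOT EXIST RepairDelphiBota.reg ECHO No DelfBot Run Values Found
  echo.
)
REM HOSTS: if it contains the string "andymanchesta", back it up to HOSTS.BAK
REM and rewrite the stock sample HOSTS file. The rewrite only happens once the
REM backup exists, so a failed copy never loses the original.
dnif.exe /I "andymanchesta"<%windir%\SYSTEM32\DRIVERS\ETC\HOSTS>NUL && (
  echo Restoring Default HOSTS File>>DBFIX_Report.txt
  ATTRIB -h -s -r -a "%windir%\SYSTEM32\DRIVERS\ETC\HOSTS" >NUL
  COPY /Y "%windir%\SYSTEM32\DRIVERS\ETC\HOSTS" "%CD%\HOSTS.BAK" >NUL
  IF NOT EXIST "%CD%\HOSTS.BAK" echo Unable to back up HOSTS file - not replaced>>DBFIX_Report.txt
  IF EXIST "%CD%\HOSTS.BAK" (
    DEL /Q "%windir%\SYSTEM32\DRIVERS\ETC\HOSTS" >nul 2>&1
    REM The final line maps the loopback address; a bare "localhost" without an
    REM address is not a valid HOSTS entry.
    >%windir%\SYSTEM32\DRIVERS\ETC\HOSTS (
      echo # Copyright © 1993-1999 Microsoft Corp.
      echo #
      echo # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
      echo #
      echo # This file contains the mappings of IP addresses to host names. Each
      echo # entry should be kept on an individual line. The IP address should
      echo # be placed in the first column followed by the corresponding host name.
      echo # The IP address and the host name should be separated by at least one
      echo # space.
      echo #
      echo # Additionally, comments ^(such as these^) may be inserted on individual
      echo # lines or following the machine name denoted by a "#" symbol.
      echo #
      echo # For example:
      echo #
      echo # rhino.acme.com # source server
      echo # x.acme.com # x client host
      echo #
      echo 127.0.0.1       localhost
    )
  )
)
REM SafeBoot: when the snapshot lacks its expected entries, import the bundled
REM key for this OS / service pack and leave TESTSFBT1.TXT as a re-check marker.
IF EXIST TESTsboot1.txt dnif.exe /I "Boot file system"<TESTsboot1.txt>NUL && dnif.exe /I "vga.sys"<TESTsboot1.txt>NUL && GOTO sfbfne
ECHO SPRFND>TESTSFBT1.TXT
ECHO Restoring Missing SafeBoot Keys>>DBFIX_Report.txt
echo.>>DBFIX_Report.txt
ver|dnif.exe "Windows XP">nul && (
  apps\Csweg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion|dnif.exe /i "Service Pack 2">NUL && apps\Csweg IMPORT apps\Restore_SafeBoot_WindowsXP_SP2.reg>nul && GOTO sfbfne
  apps\Csweg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion|dnif.exe /i "Service Pack 3">NUL && apps\Csweg IMPORT apps\Restore_SafeBoot_WindowsXP_SP3.reg>nul && GOTO sfbfne
  apps\Csweg IMPORT apps\Restore_SafeBoot_WindowsXP.reg>nul
)
ver|dnif.exe "Windows 2000">nul && apps\Csweg IMPORT apps\Restore_SafeBoot_Windows2000_SP4.reg >nul
:sfbfne
REM Nothing to remove: finish the report, clean up, show it and leave.
IF NOT EXIST RepairDelphiBota.reg (
  ECHO Finished!>>DBFIX_Report.txt
  IF EXIST testirc* del/q testirc* >nul
  IF EXIST tests* del/q tests* >nul
  IF EXIST check*.txt del/q check*.txt >nul
  IF EXIST file*.txt del/q file*.txt >nul
  IF EXIST dnif.exe del/q dnif.exe >nul
  IF EXIST editreg.exe del/q editreg.exe >nul
  IF EXIST rtsdnif.exe del/q rtsdnif.exe >nul
  start NOTEPAD DBFIX_Report.txt
  EXIT
)
REM Something to remove: back up the Run and SafeBoot keys first.
IF NOT EXIST DBFIX_backups\ MD DBFIX_backups 2>nul
apps\Csweg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "%cd%\DBFIX_backups\HKLM_RunKey_Backup.reg"
apps\Csweg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" "%cd%\DBFIX_backups\SafeBoot_Backup.reg"
echo DelfBot Trojan Found!
REM Apply the repair .reg silently via regedit, then again via swreg.
IF EXIST RepairDelphiBota.reg editreg.exe /s RepairDelphiBota.reg 2>NUL
IF EXIST RepairDelphiBota.reg apps\Csweg import RepairDelphiBota.reg 2>NUL
REM For each found file: Cghtme.exe -c appears to copy it into DBFIX_backups as
REM <name>.exe.vir and -e to remove it (the report below expects it gone);
REM the tool's catchme.zip/.log left on the desktop are deleted.
IF EXIST RemLat2a.txt dnif.exe /I "."<RemLat2a.txt>NUL && For /f "tokens=4 delims=\." %%b in (RemLat2a.txt) do if exist "%systemroot%\system32\%%b.exe" (
  apps\Cghtme.exe -c "%systemroot%\system32\%%b.exe" DBFIX_backups\%%b.exe.vir >NUL
  apps\Cghtme.exe -e "%systemroot%\system32\%%b.exe" >nul
  IF EXIST "%userprofile%\desktop\catchme.zip" del /q "%userprofile%\desktop\catchme.zip" >NUL
  IF EXIST "%userprofile%\desktop\catchme.log" del /q "%userprofile%\desktop\catchme.log" >NUL
)
echo.>>DBFIX_Report.txt
REM Report, part 2: per-file outcome.
IF EXIST RemLat2a.txt dnif.exe /I "."<RemLat2a.txt>NUL && For /f "tokens=*" %%a in (RemLat2a.txt) do (
  IF NOT EXIST "%%a" ECHO %%a - Deleted>>DBFIX_Report.txt
  IF EXIST "%%a" ECHO Unable To Remove %%a!>>DBFIX_Report.txt
)
REM Re-check SafeBoot only when it was repaired above.
IF NOT EXIST TESTSFBT1.TXT GOTO SEBTFNE
apps\Csweg.exe QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" /s>TESTsboot2.txt
IF EXIST TESTsboot2.txt dnif.exe /I "Boot file system"<TESTsboot2.txt>NUL && dnif.exe /I "vga.sys"<TESTsboot2.txt>NUL && ECHO Safeboot Keys Repaired Successfully>TESTSFB1.txt||echo Unable to repair SafeBoot key!>TESTSFB1.txt
:SEBTFNE
echo.>>DBFIX_Report.txt
REM Verify each Run value against a fresh query of the Run key.
IF EXIST TestBotDelphi.txt apps\Csweg QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run">>TestDelfRun.txt
IF EXIST TestBotDelphi.txt For /f "tokens=*" %%b in (TestBotDelphi.txt) do dnif.exe /I "%%~b"<TestDelfRun.txt>nul && echo %%b - Unable to remove registry value!>>DBFIX_Report.txt||echo HKLM\~\Run %%b - Deleted>>DBFIX_Report.txt
echo.>>DBFIX_Report.txt
REM HOSTS outcome, only when the HOSTS branch ran (HOSTS.BAK exists); reporting
REM it unconditionally would claim a replacement that never happened.
IF EXIST "%CD%\HOSTS.BAK" (
  dnif.exe /I "andymanchesta"<%windir%\SYSTEM32\DRIVERS\ETC\HOSTS>NUL && ECHO Unable to Repair HOSTS file!>>DBFIX_Report.txt||ECHO HOSTS File Replaced Successfully>>DBFIX_Report.txt
)
IF EXIST TESTSFB1.txt TYPE TESTSFB1.txt>>DBFIX_Report.txt
echo.>>DBFIX_Report.txt
echo Finished!>>DBFIX_Report.txt
echo.>>DBFIX_Report.txt
IF EXIST HOSTS.BAK MOVE /Y HOSTS.BAK .\DBFIX_backups\ >nul
REM Remove work files and the staged tool copies.
IF EXIST test*.txt del /q test*.txt >nul
IF EXIST repair*.reg del /q repair*.reg >nul
IF EXIST find*.txt del /q find*.txt >nul
IF EXIST file*.txt del /q file*.txt >nul
IF EXIST check*.txt del /q check*.txt >nul
IF EXIST dnif.exe del /q dnif.exe >nul
IF EXIST editreg.exe del /q editreg.exe >nul
IF EXIST Remlat*.txt del /q Remlat*.txt >nul
IF EXIST rtsdnif.exe del /q rtsdnif.exe >nul
REM Archive the backups; discard the loose copies only once the archive exists,
REM so a failed zip cannot destroy the only copy of the removed items.
apps\zip "DBFIX_backups.zip" DBFIX_backups\*.* >nul 2>&1
IF EXIST DBFIX_backups.zip (
  del /q DBFIX_backups\*.* >nul 2>&1
  move DBFIX_backups.zip DBFIX_backups\ >nul 2>&1
)
Start notepad DBFIX_Report.txt && exit
:end
EXIT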