Structure of the Service script
In the first line of the script's header you can find information about the Engine version (ev), GUI version (gv) and Log version (lv). You can use this data to track changes in the .xml file from which the script is generated and to prevent inconsistencies during execution. This part of the script should not be altered.
The remainder of the file is divided into sections whose items can be edited to denote those that will be processed by the script. You mark an item for processing by replacing the - character in front of it with a + character. Sections are separated from each other by an empty line, and each section has a number and a title.
This section contains a list of all processes running in the system. Each process is identified by its UNC path followed by its CRC16 hash code enclosed in asterisks (*).
01) Running processes:
- \SystemRoot\System32\smss.exe *4725*
- C:\Windows\system32\svchost.exe *FD08*
+ C:\Windows\system32\module32.exe *CF8A*
In this example a process, module32.exe, was selected (marked by a + character); the process will end upon execution of the script.
This section lists currently used system modules.
02) Loaded modules:
In this example the module khbekhb.dll was marked by a +. When the script runs, it will recognize the processes using that specific module and end them.
This section contains information about existing TCP connections.
03) TCP connections:
- Active connection: 127.0.0.1:30606 -> 127.0.0.1:55320, owner: ekrn.exe
- Active connection: 127.0.0.1:50007 -> 127.0.0.1:50006,
- Active connection: 127.0.0.1:55320 -> 127.0.0.1:30606, owner: OUTLOOK.EXE
- Listening on *, port 135 (epmap), owner: svchost.exe
+ Listening on *, port 2401, owner: fservice.exe
- Listening on *, port 445 (microsoft-ds), owner: System
When the script runs, it will locate the owner of the socket in the marked TCP connections and stop the socket, freeing system resources.
This section contains information about existing UDP endpoints.
04) UDP endpoints:
- 0.0.0.0, port 123 (ntp)
+ 0.0.0.0, port 3702
- 0.0.0.0, port 4500 (ipsec-msft)
- 0.0.0.0, port 500 (isakmp)
When the script runs, it will isolate the owner of the socket at the marked UDP endpoints and stop the socket.
This section contains information about the current DNS server configuration.
05) DNS server entries:
Marked DNS server entries will be removed when you run the script.
This section contains information about important registry entries.
06) Important registry entries:
* Category: Standard Autostart (3 items)
- HotKeysCmds = C:\Windows\system32\hkcmd.exe
- IgfxTray = C:\Windows\system32\igfxtray.exe
- Google Update = C:\Users\antoniak\AppData\Local\Google\Update\GoogleUpdate.exe /c
* Category: Internet Explorer (7 items)
+ Default_Page_URL = http://thatcrack.com/
The marked entries will be deleted, reduced to 0-byte values or reset to their default values upon script execution. The action applied to a particular entry depends on the entry's category and on the value of the corresponding registry key.
This section lists services registered within the system.
07) Services:
- Name: Andrea ADI Filters Service, exe path: c:\windows\system32\aeadisrv.exe, state: Running, startup: Automatic
- Name: Application Experience Service, exe path: c:\windows\system32\aelupsvc.dll, state: Running, startup: Automatic
- Name: Application Layer Gateway Service, exe path: c:\windows\system32\alg.exe, state: Stopped, startup: Manual
The marked services and their dependent services will be stopped and uninstalled when the script is executed.
This section lists installed drivers.
08) Drivers:
- Name: Microsoft ACPI Driver, exe path: c:\windows\system32\drivers\acpi.sys, state: Running, startup: Boot
- Name: ADI UAA Function Driver for High Definition Audio Service, exe path: c:\windows\system32\drivers\adihdaud.sys, state: Running, startup: Manual
When you execute the script, the selected drivers will be unregistered from the system and removed.
This section contains information about files critical to the proper functioning of the operating system.
09) Critical files:
* File: win.ini
* File: system.ini
* File: hosts
- 127.0.0.1 localhost
- ::1 localhost
The selected items will either be deleted or reset to their original values.
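Because every marked item is acted on irreversibly (processes ended, services uninstalled, registry values reset), it is worth reviewing a service script mechanically before running it. The following Python reader is an added example and is not ESET code; it parses the layout described above (header line, blank-line-separated sections headed "NN) Title:", items prefixed "- " or "+ ", "* " lines as category or file labels) and lists exactly what a run would touch. The sample script is constructed from this page's section examples; its header line and the "key=value" syntax for ev, gv and lv are assumptions, since the page does not show the header's exact format.

```python
"""Review a SysInspector-style service script before executing it.

Added example, not ESET's code. Layout assumptions follow the page:
  - first line is the header (format of ev/gv/lv fields assumed: key=value)
  - sections start with "NN) Title:" and are separated by empty lines
  - "- " items are left alone, "+ " items will be processed
  - "* " lines are category / file labels, not selectable items
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^(\d{2})\) (.+?):?$")
HEADER_FIELD_RE = re.compile(r"\b(ev|gv|lv)=([\w.]+)")   # assumed header syntax
PROCESS_RE = re.compile(r"^(?P<path>.+?) \*(?P<crc>[0-9A-F]{4})\*$")  # "path *CRC16*"

# Constructed sample assembled from the page's section examples; the header
# line and its version values are placeholders.
SAMPLE_SCRIPT = r"""# SysInspector service script (ev=1.2.3; gv=4.5.6; lv=7)
01) Running processes:
- \SystemRoot\System32\smss.exe *4725*
- C:\Windows\system32\svchost.exe *FD08*
+ C:\Windows\system32\module32.exe *CF8A*

03) TCP connections:
- Active connection: 127.0.0.1:30606 -> 127.0.0.1:55320, owner: ekrn.exe
- Listening on *, port 135 (epmap), owner: svchost.exe
+ Listening on *, port 2401, owner: fservice.exe
- Listening on *, port 445 (microsoft-ds), owner: System

04) UDP endpoints:
- 0.0.0.0, port 123 (ntp)
+ 0.0.0.0, port 3702

06) Important registry entries:
* Category: Standard Autostart (3 items)
- HotKeysCmds = C:\Windows\system32\hkcmd.exe
* Category: Internet Explorer (7 items)
+ Default_Page_URL = http://thatcrack.com/

09) Critical files:
* File: hosts
- 127.0.0.1 localhost
- ::1 localhost
"""


@dataclass
class Section:
    number: str
    title: str
    items: list = field(default_factory=list)  # (mark, label, text) tuples

    def marked(self):
        """Items whose '-' was replaced by '+', i.e. what the script will act on."""
        return [text for mark, _label, text in self.items if mark == "+"]


def parse_script(text):
    """Return (header_fields, sections). The header is read, never modified."""
    lines = text.splitlines()
    header = dict(HEADER_FIELD_RE.findall(lines[0])) if lines else {}
    sections, current, label = [], None, None
    for line in lines[1:]:
        m = SECTION_RE.match(line)
        if m:
            current = Section(m.group(1), m.group(2))
            sections.append(current)
            label = None
            continue
        if current is None or not line.strip():
            continue
        if line.startswith("* "):            # category / file label for following items
            label = line[2:].strip()
        elif line[:2] in ("- ", "+ "):
            current.items.append((line[0], label, line[2:].strip()))
    return header, sections


def marked_items(text):
    """Map each section title to the items a run of this script would process."""
    _, sections = parse_script(text)
    return {s.title: s.marked() for s in sections if s.marked()}


def process_identity(item):
    """Split a 'Running processes' item into (path, CRC16); reject malformed items."""
    m = PROCESS_RE.match(item)
    if not m:
        raise ValueError(f"not a 'path *CRC16*' process item: {item!r}")
    return m.group("path"), m.group("crc")


def review(text):
    """One line per marked item; process items must carry a valid CRC16 suffix."""
    report = []
    for title, items in marked_items(text).items():
        for item in items:
            if title == "Running processes":
                try:
                    path, crc = process_identity(item)
                    report.append(f"[{title}] end process {path} (CRC16 {crc})")
                except ValueError as exc:
                    report.append(f"[{title}] MALFORMED, will not match: {exc}")
            else:
                report.append(f"[{title}] act on: {item}")
    return report


if __name__ == "__main__":
    print("header:", parse_script(SAMPLE_SCRIPT)[0])
    for line in review(SAMPLE_SCRIPT):
        print(line)
```

Running the block prints the header fields and four planned actions (one process, one TCP socket, one UDP endpoint, one registry entry); the "Critical files" section is absent from the report because none of its items are marked. A process item that lacks the "*CRC16*" suffix is reported as malformed rather than silently listed, which is the check a reviewer wants before handing the script to the engine.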