8 Step Removal Program and Win32/Heur Problem

Discussion in 'Virus and Malware Removal' started by Jaydee11, Feb 19, 2009.

  1. Jaydee11 Newcomer, in training Posts: 43

    I have that regedit file parked on the desktop of the affected computer now. But, I don't know where to park it in the C drive because it has different dir folders than the computer I got it from.
  2. mflynn Newcomer, in training Posts: 2,793

    OK good.

    Right click and Copy,
    then open My Computer,
    click C:,
    then click the Windows folder,
    paste to a blank space and choose Paste.

    If it works then exit to desktop and run ComboFix as that was what found it missing.

    Mike
  3. Jaydee11 Newcomer, in training Posts: 43

    I ran the combofix. It gave me a command prompt saying that the batch file cannot be found. What next?
  4. mflynn Newcomer, in training Posts: 2,793

    Jeeze! I am hanging with you until we fix this and then I am taking the rest of the day off!:D

    Meanwhile I am helping others while waiting on your replies. So no problem.

    Paste the below into a notepad document so that you can cut and paste on the computer we are working on.

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    :: The above reg commands first unload the hives at these keys, then delete the keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del  tdss*.* /f /q /s
    :: The above two lines first clear the protective attributes, then
    :: delete all files on the drive whose names begin with tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s /q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del "c:\program files\xwdxqu.txt" /f /q
    del c:\windows\x /f /q
    del c:\windows\SxsCaPendDel /f /q
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del  /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del  /f /q  "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del  /f /q  "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    del  /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
    del  /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    sc stop u_lehj
    sc delete u_lehj
    
    attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
    del  /f /q "c:\program files\Common Files\System\u_lehj32.dll"
    
    attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    
    del  /f /q "C:\WINDOWS\system32\svcprs32.exe"
    del  /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del  /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit

    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

    Reboot then do the below

    Open then Update SuperAntiSpyware

    Then Click Preferences
    then click Repairs

    Then, counting down from the top, do the following entries:

    Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Then, in case some of the things we fixed after MBAM and SAS were reporting clean allows them to find more, now run MBAM and SAS again.

    Mike
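A read-only audit in PowerShell, added here as an example and not part of Mike's post or the tools the thread uses: it reports whether the items his script targets (the association commands, service names, files and Run values named above) are gone, without deleting anything. It assumes `%windir%` and `%ProgramFiles%` resolve to the `C:\WINDOWS` and `C:\Program Files` paths the script hard-codes.

```powershell
# Read-only audit of the items the batch script above targets. Added example,
# not from the thread; it changes nothing and only reports OK / WARN.
# Expected per-type commands, taken from the ftype lines in the script.
$expected = @{
    exefile = '"%1" %*'; batfile = '"%1" %*'; cmdfile = '"%1" %*'
    comfile = '"%1" %*'; piffile = '"%1" %*'; scrfile = '"%1" /S'
    regfile = '"regedit.exe" "%1"'
}
# Service names from the sc stop / sc delete lines.
$services = 'TDSSserv.sys', 'gaopdxserv.sys', 'WinSvchostManager', 'ntndis', 'u_lehj'
# A subset of the files and folders the script deletes (paths via env vars, assumed
# to resolve to the C:\WINDOWS and C:\Program Files the script hard-codes).
$files = "$env:windir\system32\ieupdates.exe", "$env:windir\system32\scui.cpl",
         "$env:windir\system32\winsrc.dll", "$env:windir\system32\drivers\ntndis.sys",
         "$env:ProgramFiles\Antivirus 2009"
# Run-key value names from the reg delete ... Run lines.
$runValues = 'ieupdate', '75319611769193918898704537500611'

Write-Host '== File associations =='
foreach ($t in $expected.Keys) {
    # HKCR is the merged view, so a per-user override in HKCU\Software\Classes shows here too.
    $key = "Registry::HKEY_CLASSES_ROOT\$t\shell\open\command"
    $cur = if (Test-Path $key) { (Get-ItemProperty $key).'(default)' } else { '<missing>' }
    $state = if ($cur -eq $expected[$t]) { 'OK  ' } else { 'WARN' }
    Write-Host ('{0} {1,-8} {2}' -f $state, $t, $cur)
}
Write-Host '== Services =='
foreach ($s in $services) {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$s") { Write-Host "WARN service key still present: $s" }
    else { Write-Host "OK   no service key: $s" }
}
Write-Host '== Files and folders =='
foreach ($f in $files) {
    if (Test-Path $f) { Write-Host "WARN still present: $f" } else { Write-Host "OK   gone: $f" }
}
Write-Host '== HKCU Run entries =='
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($v in $runValues) {
    if ($run -and ($run.PSObject.Properties | Where-Object { $_.Name -eq $v })) { Write-Host "WARN Run value still present: $v" }
    else { Write-Host "OK   Run value absent: $v" }
}
```

Run it once before pasting the batch script and once after the reboot; any line still marked WARN afterwards is something the coverall did not reach and worth mentioning in the next reply.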
  5. Jaydee11 Newcomer, in training Posts: 43

    OK. I just got back from a small break myself and I really do appreciate your time on a Saturday. I am running the command now. How long does it take to run? The last statement on it says "The operation completed successfully" after
    Attrib -h -s -r tdss*.* /s

    It hasn't exited itself yet.

    sorry it just did...oops

    OK running Mbam and then SAS. Will send txt files as well as HJT to you when done. Hopefully we are headed towards the finish line.
  6. mflynn Newcomer, in training Posts: 2,793

    Yes but we sure are limited by no XP CD!

    You are doing great. It is hard for you and me doing it this way but that is the only way for now.

    Mike
  7. Jaydee11 Newcomer, in training Posts: 43

    No worries. I needed this done because this computer is my lifeline in my profession. How do I obtain an XP CD?
  8. mflynn Newcomer, in training Posts: 2,793

    Who is the computer Mfg?

    Mike

    Look on the Sony website for your model usually they have a disk at a very good price.

    Mike
  9. Jaydee11 Newcomer, in training Posts: 43

    It seems like mbam is not responding although the processors are running on it. I had to shut it down in Normal mode and had to restart it in Safe mode and it is still not responding on the interface screen.
  10. mflynn Newcomer, in training Posts: 2,793

    Abort it and try SAS first.

    Then retry MBAM.

    We are getting nowhere. I think you should ask your family and friends to borrow a Windows XP cd.

    Mike
  11. Jaydee11 Newcomer, in training Posts: 43

    I just talked to my friend and he says that he has several copies. Will an OEM copy work? Also, does it need to go through a verification process in order for it to work? He asked me to verify.

    oh yeah, it seems like mbam is working now.... found 3 more viruses.
  12. mflynn Newcomer, in training Posts: 2,793

    Great on the MBAM!

    Yes, the OEM will work; not required, but is it SP2 as yours is? We will handle the registration issues, but do get the Product Key. We may not need it, but just in case.

    Mike
  13. Jaydee11 Newcomer, in training Posts: 43

    Yes!!! He has SP3 with everything we need. I will have to put it up later this evening though, and we can possibly work on what you need from it Sunday if you work, or Monday. For now I will run MBAM, SAS and HJT for you.
  14. mflynn Newcomer, in training Posts: 2,793

    In post #60 you were doing an MBAM scan and it had found 3 more issues.

    I need the log for that and then you were supposed to retry SDFix.

    If we do a repair install or repair with sfc then we will need the computer as clean as possible.

    If we were to totally format and reinstall this would not matter. But I don't plan that yet!

    Mike
  15. Jaydee11 Newcomer, in training Posts: 43

    Hi Mike

    I have been out all day and just got back in and am ready to work on this. What I have done so far is run SAS in both quick and full scan. The quick scan I ran last night and it came up with threats. I ran a full scan again and it had only one. I am having a problem with MBAM because it keeps stopping on me. I tried to run it twice last night. I did MBAM first, stopped it, ran SAS quick scan second, then I ran the MBAM scan again and it stopped on me, and then SAS full scan last. Here are the logs. I can now run SDFix if you want me to. Let me know what you want me to do next.
  16. mflynn Newcomer, in training Posts: 2,793

    OK run Combofix again post the log.

    Reboot to Safe Mode

    Then try MBAM in safe Mode.

    Mike
  17. Jaydee11 Newcomer, in training Posts: 43

    Can I run ComboFix in Safe Mode since I am in Safe Mode now?
  18. kimsland Ex-TechSpotter Posts: 18,353

  19. Jaydee11 Newcomer, in training Posts: 43

    Mike, is that OK??? Sorry Kim... I'm not sure if you are working with Mike on this...
  20. mflynn Newcomer, in training Posts: 2,793

    OH Yes! Kim is #1 in my book!

    .

    ..
    ..

    But I just want to tell you which Book!:grinthumb

    Mike