Hello, I have managed to get the awful "win32 heur" virus on my computer, which has been picked up by AVG. I was lazy about acting on it, and after a few days my computer cannot access the internet or play audio, and some programs cannot open! What is annoying about this is that I cannot download virus updates for Malwarebytes and SUPERAntiSpyware due to having no internet access. Luckily I have two computers, so I can get access to this forum. Is there any way I can save my computer and get rid of this virus? I do have HijackThis and have heard of ComboFix... however, this is all new territory for me, so sorry if I'm a bit out of touch with it all! Really grateful for any help... where should I start? Thanks v. much, Andy
Hi Andy,

Do this: left-drag the mouse and copy all the text in the box below for pasting. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit. Then paste it into the black screen of an open command prompt. It may not all apply, so ignore errors.

Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: The sc commands above first stop, then delete the service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
:: The reg commands above first unload the reg keys, then delete these keys.
::
attrib -h -s -r tdss*.* /s
del /f /q /s tdss*.*
:: The two lines above first clear protective attributes, then
:: delete all files on the drive whose name begins with tdss
:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
del /f /q "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"
rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s /q "c:\Program Files\Antivirus 2009"
attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
del /f /q c:\WINDOWS\system32\ieupdates.exe
del /f /q c:\WINDOWS\system32\scui.cpl
del /f /q c:\WINDOWS\system32\winsrc.dll
:: Paths containing spaces must be quoted or del/attrib see two arguments
attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel
del /f /q "c:\program files\xwdxqu.txt"
del /f /q c:\windows\x
del /f /q c:\windows\SxsCaPendDel
attrib -h -s -r c:\windows\system32\drivers\qh3s.sys
attrib -h -s -r c:\windows\system32\drivers\jsdpp32.sys
attrib -h -s -r c:\windows\system32\drivers\oxauau96.sys
del /f /q c:\windows\system32\drivers\qh3s.sys
del /f /q c:\windows\system32\drivers\jsdpp32.sys
del /f /q c:\windows\system32\drivers\oxauau96.sys
reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
sc stop gaopdxserv.sys
sc delete gaopdxserv.sys
del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
sc stop WinSvchostManager
sc delete WinSvchostManager
sc stop ntndis
sc delete ntndis
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
sc stop u_lehj
sc delete u_lehj
attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
del /f /q "c:\program files\Common Files\System\u_lehj32.dll"
attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
del /f /q "C:\WINDOWS\system32\svcprs32.exe"
del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
:: Individual values under Run need /v; without it reg delete rejects the extra argument
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit! It is a coverall, and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

Boot the non-working computer to Safe Mode and do the below. OK, the above is if you are connected; to do it on the computer that will not connect, paste it into a Notepad document, take it there on a flash drive or CD, then copy from the Notepad document and paste it into an open command prompt. Reboot after the above to Safe Mode with Networking and test for a connection.

Mike
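Before running a delete-everything script like the one above, it is worth seeing what is actually hijacked, because the script fires blindly and swallows its own errors. The following read-only audit is an added example, not part of Mike's post or of any tool he names: it reads the same file associations, service entries, Run keys and tdss* files the script touches and only reports. The expected association values and the five service names are copied from the script; the registry locations, the hypothetical output prefixes (ASSOC, SVC, DRIVER, RUN, FILE) and the path normalisation are my assumptions. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added audit example (not from the original post). Read-only: reports, never deletes.
# Caveat: a kernel-mode rootkit such as TDSS can hide its files, services and registry
# keys from user-mode tools, so a clean report here is not proof of a clean system.

# 1. File associations. Expected values are the ones the repair script sets with ftype.
$expected = @{
    exefile = '"%1" %*'
    batfile = '"%1" %*'
    cmdfile = '"%1" %*'
    comfile = '"%1" %*'
    scrfile = '"%1" /S'
    piffile = '"%1" %*'
}
foreach ($ft in $expected.Keys) {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$ft\shell\open\command"
    $cur = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cur -ne $expected[$ft]) {
        Write-Output "ASSOC  $ft opens with '$cur' (repair script sets '$($expected[$ft])')"
    }
}
# HKCR is a merged view in which HKCU\Software\Classes takes precedence over HKLM.
# A per-user override here survives ftype/assoc and must be removed separately.
foreach ($ext in '.exe', '.bat', '.cmd', '.com', '.scr', '.reg', '.pif', '.lnk', '.inf', '.vbs', '.js') {
    $userKey = "HKCU:\Software\Classes\$ext"
    if (Test-Path -Path $userKey) {
        $target = (Get-ItemProperty -Path $userKey).'(default)'
        Write-Output "ASSOC  per-user override $userKey -> '$target'"
    }
}

# 2. Services the script stops/deletes: report which ones are actually registered.
foreach ($n in 'TDSSserv.sys', 'gaopdxserv.sys', 'WinSvchostManager', 'ntndis', 'u_lehj') {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
    if (Test-Path -Path $svcKey) {
        $p = Get-ItemProperty -Path $svcKey
        Write-Output "SVC    $n present: Start=$($p.Start) Type=$($p.Type) ImagePath=$($p.ImagePath)"
    }
}

# 3. Running kernel drivers whose image is missing on disk (hidden, or a phantom entry)
#    or not Authenticode-signed. On older Windows many in-box drivers are signed only via
#    a catalog and show as NotSigned here, so treat these lines as leads, not verdicts.
Get-WmiObject -Class Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise NT-style paths (\??\C:\..., \SystemRoot\..., system32\...) to Win32 paths
        $path = $_.PathName -replace '^\\\?\?\\', '' `
                            -replace '^\\SystemRoot', $env:SystemRoot `
                            -replace '^system32', "$env:SystemRoot\system32"
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Output "DRIVER $($_.Name) running but image not found: $($_.PathName)"
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                Write-Output "DRIVER $($_.Name) signature $($sig.Status): $path"
            }
        }
    }

# 4. Autostart values (the script deletes two by name) and any tdss* files it would wipe.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            Write-Output "RUN    $hive $($_.Name) = $($_.Value)"
        }
    }
}
Get-ChildItem -Path $env:SystemRoot -Filter 'tdss*' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output "FILE   $($_.FullName)  $($_.Length) bytes  $($_.LastWriteTime)" }
```

Save the report before and after running the repair script; anything still listed afterwards (especially a DRIVER line whose image cannot be found, or an ASSOC per-user override) is what a plain batch cleanup cannot reach and is the point at which an offline scan from known-clean media is the safer route.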
Hey Mike, sorry for the slow reply. I ran the txt file and rebooted into Safe Mode with Networking, and my computer runs so slow in this mode that I thought it had frozen. Anyway, it loaded up in the end and I still had no luck connecting to the net. Thank you for getting back to me.
OK, do this. On your working computer, install MBAM and SAS and update them. From here: TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html Skip no steps (do not install another virus scanner if you already have one (AVG); ask me before installing a firewall). Most importantly, update MalwareBytes (MBAM) and SuperAntiSpyware (SAS)! Before you scan with either MalwareBytes or SuperAntiSpyware, do the extra configs below; these have become most important lately.

SuperAntiSpyware extra config: After it is installed, double-click the icon on your desktop to run it. Update the program definitions. Click the Preferences button, then Scanning Control. In Scanner Options, make sure all boxes are checked except #3, Ignore System Restore.

MalwareBytes extra config: After the update but before running it, click Settings and confirm all are checked.

I repeat: update these 2 programs. Then go into Program Files and copy the MalwareBytes and SuperAntiSpyware folders to the problem computer into the same location (Program Files), then browse to MalwareBytes and run MBAM. Same for SAS. If the logs show found items, then run again till both logs are clean. If we clean enough, we can get you connected.

Mike