TechSpot

Bug problem, anti-virus wont update

By jeffsmith194
Feb 3, 2009
  1. My brother's laptop started having a problem a while ago. His anti-virus, Trend Micro, wouldn't update. He asked me to take a look at it and I found out that along with not updating:
    -when doing searches (i.e. Google), it would take me to other websites than the one I wanted to go to
    -most if not all websites were basically blocked
    -system restore lost all restore points.

    I did a scan with Trend Micro, and it found a few trojans, tracking cookies and whatnot and removed them (wpv973.cpx, TDSSriqp.dll, TDSSnrsr, ...many other TDSS types, mmmatt.exe, gettoa222.exe). Finally I was able to put/run Microsoft's Windows Malicious Software Removal Tool and that removed even more trojans (I didn't write down which ones though).

    Something is still wrong with the laptop though; the anti-viruses won't update and many websites still come up as "page cannot be loaded" or something of the like. I attempted to follow each step on the 8-step prelim removal instructions but Malwarebytes' Anti-Malware, SUPERAntiSpyware and HijackThis won't install or run.

    Any ideas that I could try?
    Oh, forgot to mention. The laptop is a Gateway running Windows XP, if that helps any.
     
  2. mflynn

    mflynn TS Rookie Posts: 2,793

    Boot to Safe Mode with Networking, then do the below!

    Left-drag the mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    Then paste into the black screen of an open command prompt. All may not apply, so ignore errors.
    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del  tdss*.* /f /q /s
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    :: Paths containing spaces must be quoted or cmd splits them into two arguments
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del "c:\program files\xwdxqu.txt" /f /q
    del c:\windows\x /f /q
    del c:\windows\SxsCaPendDel /f /q
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    :: Service name matches the Services\gaopdxserv.sys key deleted below
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    Try the 8 Steps again http://www.techspot.com/vb/topic58138.html.

    Mike
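    A read-only check to run from the same command prompt after the cleanup batch above, added here as an example (it is not from the original post and not part of Mike's FixIt). It assumes the infection lives on C:, as the cleanup batch does, and only reports what it finds, so the destructive steps stay in the script above:

```batch
@echo off
setlocal
:: Added verification script (not from the original post): reports whether the
:: items the cleanup batch targets are still present. Deletes nothing.
:: Assumption: C: is the system drive, as the cleanup batch assumes.

echo === File associations (healthy XP: .exe=exefile and exefile="%%1" %%*) ===
assoc .exe
ftype exefile
assoc .bat
ftype batfile
assoc .reg
ftype regfile
echo.

echo === Services the cleanup batch removes ===
for %%s in (TDSSserv.sys gaopdxserv.sys) do (
    sc query %%s >nul 2>&1
    if errorlevel 1 (echo [ok] service %%s not registered) else (echo [!!] service %%s still registered)
)
echo.

echo === Registry keys the cleanup batch deletes ===
for %%k in (
    "HKLM\SOFTWARE\tdss"
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    "HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys"
    "HKLM\SOFTWARE\Classes\gaopdxvx"
    "HKCU\Software\75319611769193918898704537500611"
    "HKCR\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}"
) do (
    reg query %%k >nul 2>&1
    if errorlevel 1 (echo [ok] %%k absent) else (echo [!!] %%k still present)
)
echo.

echo === Run-key values the cleanup batch deletes ===
for %%v in (ieupdate 75319611769193918898704537500611) do (
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v %%v >nul 2>&1
    if errorlevel 1 (echo [ok] Run\%%v absent) else (echo [!!] Run\%%v still present)
)
echo.

echo === Files and folders the cleanup batch deletes ===
for %%f in (
    "c:\WINDOWS\system32\ieupdates.exe"
    "c:\WINDOWS\system32\scui.cpl"
    "c:\WINDOWS\system32\winsrc.dll"
    "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    "c:\windows\system32\gaopdxqpqjwmyc.dll"
    "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    "c:\Program Files\Antivirus 2009"
) do if exist %%f echo [!!] still present: %%f
echo.

echo === Any tdss* file left on C: (hidden/system included; none printed = clean) ===
dir /s /b /a c:\tdss*.* 2>nul
echo.

echo Review every [!!] line above before re-running the 8 Steps.
endlocal
```

    The `if errorlevel 1` form is used instead of `%errorlevel%` because inside a parenthesised `for` body the variable would be expanded once when the line is parsed, not after each `sc`/`reg` call.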
     
  3. jeffsmith194

    jeffsmith194 TS Rookie Topic Starter

    Thanks for your quick reply!
    While I was looking around I came across this thread, techspot.com/vb/topic115811.html, and I'm actually getting somewhere: Malwarebytes' Anti-Malware is actually running! :)
    Sorry for not looking around more before posting my issues.
     
  4. mflynn

    mflynn TS Rookie Posts: 2,793

    If you are referring to FixIt,

    I wrote that. If you have more issues getting through the 8 Steps, then do this new Copy/Paste; it overlaps some but has new items that will help.

    If you can get MBAM and SAS to run and get some logs we are on the way!

    Mike
     
  5. jeffsmith194

    jeffsmith194 TS Rookie Topic Starter

    Alright, I was able to run Malwarebytes thanks to your FixIt program (thank you!). After that the anti-viruses were able to update. After running multiple scans from each scanner, they finally don't pick up anything anymore.

    However, here are the logs from Malwarebytes and HijackThis.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,793

    Nope, your MBAM log shows all you did was scan and exit. You did not remove/delete the found items.

    This is evidenced by the "No action taken" in the log.

    So UPDATE MBAM then run again this time remove them!

    UPDATE then run SAS again and select the tracking cookies for removal!

    Post logs!

    Mike
     
  7. jeffsmith194

    jeffsmith194 TS Rookie Topic Starter

    Ah, right. I remember what happened. I was so excited that it was working that I forgot to do the update. Anywho, this is the log after I performed the update.

    Here are the logs. When I perform the scans now, they don't pick up anything :)
     
  8. mflynn

    mflynn TS Rookie Posts: 2,793

    OK! That's what I'm talkin' 'bout!

    OK, we had many found/removed in MBAM, so update again and run a quick scan to find any it could not finish or that were exposed by the last run but not even seen by the first run.

    Also update, then run a SAS quick scan and select and remove the tracking cookies!

    Last, after the above runs, a new HJT log.

    Mike
     
Topic Status:
Not open for further replies.