TechSpot

Unable to run or update via TechSpot 8 Steps or manually run MBAM or SAS

By mflynn
Dec 21, 2008
  1. ATTENTION all Malware pros it is hard to test this so if you see any errors or additions or improvements to the below please PM me and I will correct or add.

    Anyone running this please post details on any errors that occur. Post the results of this process in your own thread since you will be linked back to here, don't assume we know you have run this process post the results in your own thread.

    In an effort to get control enough to even run our TechSpot 8 Step preliminary cleanup I have written a bat/cmd process to help break loose some of the things that are doing this.

    I have previously written the Fixit BFU process but unless the associations are correct then even that can not be downloaded. This does not negate that process as it does even more and with more powerful tools.

    This process does not even try to absolutely get everything, but to get most, and injure the Malware enough, that even if not completely removed to allow the Tools to be downloaded and ran. If the Malware is not completely removed but damaged it will then also ease the cleanup job of MBAM and SAS!

    It is written to use only native Windows functions and therefore no downloads are required.

    The Fix Associations module is ran twice on purpose first to try to help the rest of the commands run while the Malware is in charge, then again after attempting to clean just to be sure after the killing or damaging the Malware that was in charge.

    It goes specifically after TDSServ, and AntiVirus 2008 thu 2009.

    It attempts to set the file Associations back to normal to allow the downloading and running of MalwareBytes AntiMalware and SuperAntiSpyware.

    Before running the following BOOT TO SAFE MODE With Networking. If Internet access is working then log back to this thread and continue. If Internet access is not working at all or you are doing this from another computer via CD or flash drive then see Creating a stand alone CMD file at bottom.

    You are advised to go straight to run MBAM and SAS immediately after running this while still in Safe Mode Networking. And to save you heartache, and you and us time you should look at the logs and if anything was found removed by either then run them again.

    Do not run back to back but MBAM then SAS then MBAM then SAS. No need to run either after the log shows clean.

    Edit your last post, do not create a new post just for the log, and attach each log on each run. This allows us more time to parse each log while you are running the next tool.

    Some error checking was purposely omitted as this post has a limited size. Ignore any "File not found" errors.

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt.
    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del  tdss*.* /f /q /s
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finshed ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    exit
    exit
    
    ------------------------------------------------------------------------------------------------------------

    There is no attachment because it is assumed you can not download anyway!

    Mike

    EDIT OK Sorry guys the problem was caused by the double "%%" required when run by BAT and CMD, but not when pasted directly to open command prompt. I originally tested this in a batch and forgot to remove the extra "%". Sorry to all for any inconvenience. The pasting part is fixed. I have removed the batch/cmd creation for now.
     
  2. rf6647

    rf6647 TS Maniac Posts: 829

    fixx.txt attachment

    Attached is a file created from the code box in message # 1. File date 12-21-08 9PM CT. The commands have the double %% in order to work as a bat or cmd.
    Code:
    Availability under the direction of mflynn.
    Subject to [B]warning[/B] appearing in Message # 1.
    
    Code:
    Rename file with 'cmd' extension.
     

    Attached Files:

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...