Unable to run or update via TechSpot 8 Steps or manually run MBAM or SAS

Status
Not open for further replies.

mflynn

Posts: 2,653   +0
ATTENTION all Malware pros: it is hard to test this, so if you see any errors, additions or improvements to the below, please PM me and I will correct or add.

Anyone running this, please post details on any errors that occur. Post the results of this process in your own thread, since you will be linked back to here; don't assume we know you have run this process. Post the results in your own thread.

In an effort to get enough control to even run our TechSpot 8 Step preliminary cleanup, I have written a bat/cmd process to help break loose some of the things that are doing this.

I have previously written the Fixit BFU process, but unless the associations are correct, even that cannot be downloaded. This does not negate that process, as it does even more and with more powerful tools.

This process does not even try to get absolutely everything, but to get most, and to injure the Malware enough that, even if it is not completely removed, the Tools can be downloaded and run. If the Malware is not completely removed but damaged, it will then also ease the cleanup job of MBAM and SAS!

It is written to use only native Windows functions and therefore no downloads are required.

The Fix Associations module is run twice on purpose: first to help the rest of the commands run while the Malware is in charge, then again after attempting to clean, just to be sure after killing or damaging the Malware that was in charge.

It goes specifically after TDSSserv, and AntiVirus 2008 through 2009.

It attempts to set the file Associations back to normal to allow the downloading and running of MalwareBytes AntiMalware and SuperAntiSpyware.

Before running the following, BOOT TO SAFE MODE With Networking. If Internet access is working, then log back in to this thread and continue. If Internet access is not working at all, or you are doing this from another computer via CD or flash drive, then see Creating a stand alone CMD file at the bottom.

You are advised to go straight to running MBAM and SAS immediately after running this, while still in Safe Mode with Networking. And to save you heartache, and you and us time, you should look at the logs, and if anything was found and removed by either, then run them again.

Do not run the same tool back to back, but MBAM, then SAS, then MBAM, then SAS. No need to run either after the log shows clean.

Edit your last post, do not create a new post just for the log, and attach each log on each run. This allows us more time to parse each log while you are running the next tool.

Some error checking was purposely omitted as this post has a limited size. Ignore any "File not found" errors.

Left-drag the mouse and Copy, for pasting, all the text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt.
Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del  tdss*.* /f /q /s
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
:: The Content.IE5 subfolder name (S96PZM7V here) is random per machine; check yours with
:: dir "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5" and adjust if needed
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

:: %ProgramFiles% and %SystemRoot% are used so this also works when Windows is not on C:
attrib -h -s -r "%ProgramFiles%\Antivirus 2009\*.*"
rd /s/q "%ProgramFiles%\Antivirus 2009"

attrib -h -s -r "%SystemRoot%\system32\ieupdates.exe"
attrib -h -s -r "%SystemRoot%\system32\scui.cpl"
attrib -h -s -r "%SystemRoot%\system32\winsrc.dll"

del "%SystemRoot%\system32\ieupdates.exe" /f /q
del "%SystemRoot%\system32\scui.cpl" /f /q
del "%SystemRoot%\system32\winsrc.dll" /f /q

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
:: A value inside a key is deleted with /v; without it reg delete rejects the second argument
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

exit
exit
------------------------------------------------------------------------------------------------------------

There is no attachment because it is assumed you can not download anyway!

Mike

EDIT: OK, sorry guys, the problem was caused by the double "%%" required when run from a BAT or CMD file, but not when pasted directly into an open command prompt. I originally tested this in a batch file and forgot to remove the extra "%". Sorry to all for any inconvenience. The pasting part is fixed. I have removed the batch/cmd creation for now.
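A verification pass to run after the fix above, added here as an example and not part of mflynn's fixx.txt or the pasted text. It only reads; it changes nothing. It checks the same things the fix touches: that the extensions are mapped to their file types, that the launch commands for exefile, batfile, cmdfile, comfile, piffile and scrfile no longer point at a path (a clean value is just "%1" %* or "%1" /S, so a drive-letter colon in the value is the tell-tale of a hijack), and that the TDSSserv.sys service, the tdss registry keys, the Antivirus 2009 Run values, CLSID and dropped files are gone. The file name checkfix.cmd is an assumption. Because it is saved as a .cmd file rather than pasted, every literal % is doubled (%%1, %%*), which is exactly the point made in the EDIT. If the file will not launch by double-clicking, the cmdfile association is still wrong, which is itself a result worth posting.

```batch
@echo off
setlocal
:: checkfix.cmd -- added verification step, not from the original post. Read-only.
:: Run AFTER the fix, still in Safe Mode with Networking, and post the output in your thread.
set BAD=0

echo === Extension to file-type mapping ===
for %%E in (.exe .bat .cmd .com .scr .reg .pif .lnk .inf .vbs .js) do (
    assoc %%E >nul 2>&1 || (echo   MISSING: %%E has no association & set BAD=1)
)

echo === Launch commands ===
:: Clean values are "%%1" %%* (scrfile: "%%1" /S). A hijack inserts a dropper path such as
:: "C:\...\winsrc.dll" "%%1" %%*, so any colon in the value means it is still hijacked.
for %%T in (exefile batfile cmdfile comfile piffile scrfile) do (
    ftype %%T >nul 2>&1 && (
        ftype %%T | findstr /l /c:":" >nul && (echo   HIJACKED: & ftype %%T & set BAD=1) || echo   ok: %%T
    ) || (echo   MISSING: file type %%T is not defined & set BAD=1)
)

echo === TDSS leftovers ===
:: sc query returns a non-zero exit code (1060) when the service does not exist
sc query TDSSserv.sys >nul 2>&1 && (echo   STILL PRESENT: service TDSSserv.sys & set BAD=1) || echo   ok: no TDSSserv.sys service
for %%K in ("HKLM\SOFTWARE\tdss" "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata") do (
    reg query %%K >nul 2>&1 && (echo   STILL PRESENT: key %%~K & set BAD=1) || echo   ok: key %%~K absent
)
:: Files beginning with tdss anywhere on the drive (the fix deletes these from the root)
dir /s /b /a "%SystemDrive%\tdss*.*" >nul 2>&1 && (echo   STILL PRESENT: tdss* files, see dir /s /b /a %SystemDrive%\tdss*.* & set BAD=1) || echo   ok: no tdss* files

echo === Antivirus 2009 leftovers ===
for %%K in ("HKCU\Software\75319611769193918898704537500611" "HKCR\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}") do (
    reg query %%K >nul 2>&1 && (echo   STILL PRESENT: key %%~K & set BAD=1) || echo   ok: key %%~K absent
)
for %%V in (75319611769193918898704537500611 ieupdate) do (
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v %%V >nul 2>&1 && (echo   STILL PRESENT: Run value %%V & set BAD=1) || echo   ok: Run value %%V absent
)
for %%F in ("%SystemRoot%\system32\ieupdates.exe" "%SystemRoot%\system32\scui.cpl" "%SystemRoot%\system32\winsrc.dll" "%ProgramFiles%\Antivirus 2009" "%UserProfile%\Desktop\Antivirus 2009.lnk") do (
    if exist %%F (echo   STILL PRESENT: %%~F & set BAD=1) else echo   ok: %%~F gone
)

:: BAD is read here, outside any block, so no delayed expansion is needed
if %BAD%==1 (
    echo RESULT: leftovers found. Re-run the fix, then MBAM and SAS, and post this output in your thread.
) else (
    echo RESULT: nothing on the fix list is left. Go straight to MBAM and SAS.
)
endlocal
```

The colon test is deliberately crude: it does not try to compare the whole command string (quotes inside quotes are painful in cmd), it just flags any value that names a path. A false positive is cheap here, since the fix is the same either way (re-run the association block); a missed hijack is what costs time, and a hijacked exefile always carries a path.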
 
fixx.txt attachment

Attached is a file created from the code box in message # 1. File date 12-21-08 9PM CT. The commands have the double %% in order to work as a bat or cmd.
Availability under the direction of mflynn.
Subject to the warning appearing in Message # 1.
Rename the file with a 'cmd' extension.
 

Attachments

  • fixx.txt (3.4 KB)