#1
MS Antivirus 2009
Help
A member of my family has a severe infection with this virus. He is no longer running a spyware program, but does have current antivirus (e-trust). He also uses a registry optimizer. All files on said machine are backed up. I downloaded lots of instructions over the weekend and followed all, i.e. found and deleted several components. BUT I cannot edit or access any of the registry files. I'm told permission is denied. I tried a software called 'rtts' to unlock the permissions; it did not work. I have concluded that this machine needs a reformat of the hard drive. Simple? No. I cannot get to it (the hard drive). When I boot from my Windows CD, the CD will only install. When I come up in safe mode I cannot format the hard drive (because I'm working on it?). Any and all help will be appreciated!
#2
What is brand, model, and configuration of the computer.
Have you tried a cold boot to the recovery, restore, or Windows disk? Do you have the drivers available if you reformat the drive? Consider using the Amended 8 Step program elsewhere on this forum for removing infestations before you try a full reformat and reinstall of Windows.
#3
PC is a Midwest Micro 'custom', really a basic config: 2 149G mirrored HDs, Intel 2.13 GHz processor, CD/DVD dual layer.
I have tried several cold boots; I cannot get the system to 'stop' on the CD. It reads the CD, then goes on to the 'infected' hard drive. I cannot delete several of the infected files that were found in the '8' steps, as I cannot edit system files or the registry. I am going to redo the 8 steps this evening, but at various steps of the 8 steps (this weekend) I get a 'failure', as I cannot delete the files that need deleting, i.e. I get the pop-up error that says 'you do not have permission to do this'. Re a reformat: I do have everything I need (famous last words; whoever has everything), and I did a complete backup onto a portable drive. I guess my question really is: should the 8 steps get rid of MS Antivirus 2009? Or am I still just banging my head against the wall?
#4
Malwarebytes should remove MS Antivirus 2009. It is a free program and is very good at removing rogue malware such as that. You should not have to reformat. Just download and install MBAM. Google it for a download link, or it should be somewhere in the 8-steps thread. Boot to safe mode if possible and then scan.
#5
Malware was the first remover we tried last week; the virus would not allow it to run. I got thousands of pop-up windows saying 'change not allowed'.
(That's where I was last week.) Now I can no longer boot up, not even in safe mode. The startup starts, grinds for a minute, and then jumps to shutting down. I was never able to successfully get through the 8 steps due to hijacks etc. I am looking now for a boot CD, as I think this PC is truly dead. I'll take any suggestions anyone might have.
#6
Do the below.
Boot to Safe Mode with Networking, then left-drag the mouse to select and copy all the text in the box below for pasting. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit. Then paste it into the black screen of an open command prompt. All of it may not apply, so ignore errors. Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del tdss*.* /f /q /s
:: The above two lines first clears protective attributes then
:: deletes all files on Drive beginning with the name tdss
:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"
attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q
attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel
del "c:\program files\xwdxqu.txt" /f /q
del c:\windows\x /f /q
del c:\windows\SxsCaPendDel /f /q
reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
sc stop gaopdxserv.sys
sc delete gaopdxserv.sys
del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
sc stop WinSvchostManager
sc delete WinSvchostManager
sc stop ntndis
sc delete ntndis
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
sc stop u_lehj
sc delete u_lehj
attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
del /f /q "c:\program files\Common Files\System\u_lehj32.dll"
attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
del /f /q "C:\WINDOWS\system32\svcprs32.exe"
del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
:: ControlSet001 is not always the active control set, so clear the live one as well
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit
It is a cover-all, and you may see a few errors related to it addressing something you do not need. This is normal; ignore them. Then do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html Skip no steps (do not install another virus scanner if you already have one; ask me before installing a firewall). Most importantly, update MalwareBytes and SuperAntiSpyware! Get the logs attached back. Mike
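A read-only check to run before (and again after) the removal batch above, as an added example that is not part of the original post or of the TechSpot 8 steps. It reports the current state of the same indicators the batch edits: the shell file associations the rogue rewrites so that its own binary launches for every .exe, the named services, the Run entries, the Browser Helper Object CLSID, and the file paths. Nothing is deleted. The service names, registry values and paths are taken from the batch above; the output format and report file name are this example's own, and it assumes an elevated PowerShell prompt on the infected machine. A rootkit such as TDSS hides its own service key and driver file from the registry and file system APIs, so an empty report is not proof of a clean machine; a hit, however, is a reliable sign that the batch still has work to do.

```powershell
# Added audit script (not from the original post): reports the indicators the
# removal batch touches, without changing anything. Run from an elevated prompt.
$report = @()

# 1. Shell associations. The default for exefile is "%1" %* ; a rogue AV that
#    hijacks it gets executed in place of every program the user starts.
foreach ($pair in @(@('.exe','exefile'), @('.bat','batfile'), @('.cmd','cmdfile'),
                    @('.com','comfile'), @('.scr','scrfile'), @('.reg','regfile'))) {
    $ext, $type = $pair
    $assoc = cmd /c "assoc $ext" 2>$null
    $ftype = cmd /c "ftype $type" 2>$null
    $report += "ASSOC  $assoc"
    $report += "FTYPE  $ftype"
    if ($type -eq 'exefile' -and $ftype -notmatch '^exefile="%1" %\*$') {
        $report += '  !! exefile is not the default; every .exe launch may be hijacked'
    }
}

# 2. Services named in the batch. Absence is not proof: a kernel rootkit can
#    hide its key from the registry API.
foreach ($name in @('TDSSserv.sys', 'gaopdxserv.sys', 'WinSvchostManager', 'ntndis', 'u_lehj')) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        $image = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ImagePath
        $report += "SERVICE present: $name  ImagePath=$image"
    }
}

# 3. Run entries and the BHO. The rogue registers under a long all-digit value
#    name and under 'ieupdate'; anything else listed here is worth reading too.
foreach ($key in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata
            $flag = ''
            if ($p.Name -match '^\d{20,}$' -or $p.Name -eq 'ieupdate') { $flag = '  !! rogue AV indicator' }
            $report += "RUN    $key\$($p.Name) = $($p.Value)$flag"
        }
    }
}
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}'
if (Test-Path $bho) { $report += "BHO    present: $bho" }

# 4. Files and folders the batch deletes, plus the randomised gaopdx*/tdss* names.
$paths = @(
    "$env:SystemRoot\system32\ieupdates.exe",
    "$env:SystemRoot\system32\scui.cpl",
    "$env:SystemRoot\system32\winsrc.dll",
    "$env:SystemRoot\system32\svcprs32.exe",
    "$env:SystemRoot\system32\mdmcls32.exe",
    "$env:SystemRoot\system32\drivers\ntndis.sys",
    "$env:SystemRoot\system32\drivers\ntndis.exe",
    "$env:ProgramFiles\Antivirus 2009",
    "$env:ProgramFiles\Common Files\System\u_lehj32.dll",
    "$env:USERPROFILE\Desktop\Antivirus 2009.lnk"
)
foreach ($p in $paths) {
    if (Test-Path $p) {
        $item = Get-Item $p -Force                     # -Force also shows hidden/system items
        $report += "FILE   present: $p  attrib=$($item.Attributes)"
    }
}
Get-ChildItem "$env:SystemRoot\system32" -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(gaopdx|tdss)' } |
    ForEach-Object { $report += "FILE   present: $($_.FullName)" }

# Write the report next to the logs the thread asks for, and echo it to the console.
$report | Out-File -FilePath "$env:USERPROFILE\Desktop\rogueav-audit.txt" -Encoding ASCII
$report
```

Run it once before the batch to confirm the indicators are actually present on this machine (the batch is a cover-all, so most of its lines will not apply), and once after to confirm that the exefile association is back to "%1" %* and that the service keys, Run values and files are gone. If the audit finds nothing but the symptoms persist, the remaining component is hidden from user-mode APIs and needs an offline scan from boot media, which is also the answer to the "cannot boot, even in safe mode" state described in post #5.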