@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del tdss*.* /f /q /s
:: The above two lines first clears protective attributes then
:: deletes all files on Drive beginning with the name tdss
:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"
attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q
attrib -h -s -r c:\program files\xwdxqu.txt
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel
del c:\program files\xwdxqu.txt /f /q
del c:\windows\x /f /q
del c:\windows\SxsCaPendDel /f /q
reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "\c:\windows\system32\drivers\gaopdxuigiphwm.sys"
sc stop gaopdxserv.sys.sys
sc delete gaopdxserv.sys.sys
del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "\c:\windows\system32\drivers\gaopdxuigiphwm.sys"
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
echo Finshed ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit