Ace01

Infected with Advanced Virus Remover infection HELP NEEDED

120 posts in this topic

Hi - I have the Advanced Virus Remover (AVR) infection that has slowed my pc, pops up fake anti-virus screens, displays a blue background screen with a black box stating that my PC is infected. I have had this for a week although have not had my pc on for most of the week as I was reading the posts about it here.

When I first got the virus, I had researched it online and followed advice on to delete the PAVRM executable and the various registry key entries it made. I did that (including doing various explorer searches for any wording related to AVR - e.g., shortcuts it puts on), doing so in SAFE MODE and still have it. It does not allow me to run MBAM (even after renaming it completely) or HJT. They will run for about 10 seconds, but then close out. My control mgr is also disabled although I read how to fix that registry entry which works a bit but then the virus takes over and does not allow it to work. My browser (IE) when doing searches, provides fake results related to AVR. Other browsers will just plain not to seem to work.

I am hoping you can help me. I am willing to download and post any logs needed to help with your help. Please let me know what I can do next to provide you more information.

Thanks in advance for your time and help. It seems like this one is going around.


Please note that all instructions given are customised for this computer only,

the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.

Be assured, any links I give are safe

----------------------------------------------------------------------------------------

Let's see if we can get some more info so we know what we are dealing with.

Download and Run RSIT

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
    ( They can also be found in the C:\RSIT folder )

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Hi - Thank you for your help. I downloaded RSIT as stated and when I tried to run it, it just blanked out - I never got to a Continue screen. Also, as an update to my original post, the Antivirus Removal popup has now changed to a Windows Antivirus popup.

Please let me know what I should do next, in that I am not able to run RSIT. I did download the Sysprot zip, but have not done anything yet, assuming I needed to do step 1 of your instructions first.

Again, thanks for coming to the rescue. I should be on most of tonight.


Please try running Sysprot, let's see if we can find out what is hiding


Hi - I can unzip SysProt, but when I go to run it, it too fails - nothing happens - it looks like it tries to run, but nothing happens.

I have received a message popup that says sychost.exe failed. Not sure if this is real or fake, or if it is related to trying to run the RSIT process.


OK, let's try a different approach ..

----------------------------------------------------------------------------------------

Step 1

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it look.bat. Please save it on your desktop.

@Echo Off
REM Start with a fresh result file
if exist "%Temp%\Katlog.txt" del /q "%Temp%\Katlog.txt"
REM Walk every file under the All Users profile
For /R "%AllUsersProfile%" %%G in (*) DO (
@Echo Searching .. %%~nG
REM Keep files whose name contains no letters but does contain digits, whose parent
REM folder carries that same name, and where name.exe exists in that folder.
REM The folder path is appended to the result file.
Echo "%%~nG"|Findstr /R "[A-Za-z]" > nul || Echo "%%~nG"|Findstr /R "[0-9]">nul&& Echo "%%~pG"|findstr "%%~nG">nul&& if exist "%%~dpG%%~nG.exe" echo "%%~dpG">> "%Temp%\Katlog.txt"
CLS
)
REM Open the results in Notepad, or record that nothing matched
If exist "%Temp%\Katlog.txt" (@Echo Scan Finished) Else (@Echo No Folders Found >>"%Temp%\Katlog.txt")
Notepad "%Temp%\Katlog.txt"
REM Remove this batch file once it has run
del /q %0
Exit

Double click on look.bat

Please be patient, as this will search the entire disc

Notepad will open, please copy/paste the results here.

----------------------------------------------------------------------------------------

Step 2

Please download the Win32kDiag.exe tool from the following location and save it to your desktop:

http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe

Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.

Double-click on this file and post the contents as a reply to this topic.


Hi - when I run the look.bat file it runs a dos screen for a second then disappears. A message pops up that says "Applicaiton cannot be executed. The file is infected. Please activate your antivirus software." I am sure this is the virus doing this. Should I continue with step 2 Win32kDiag?

1) I am sure this is the virus doing this.

2) Should I continue with step 2 Win32kDiag?

1) I'm positive it is the virus :D

2) Please

Please try the following also ...

OTScanIt

  1. Please download OTS.exe by OldTimer and save it to your desktop.
  2. Double click on OTS.exe to run it.
  3. Under Additional Scans section, put a check mark next to Reg - Uninstall List. ( you will need to scroll down)
  4. Click on the Run Scan button at the top left hand corner.
  5. OTS will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.


Hi - No luck with this either. I am able to download it to my desktop but when I double click it does something for a second then nothing happens. I am doing this in the normal mode (e.g. turn PC on as if I had no virus). Should I try this in Safe Mode ??

Also, if I leave the pc on for a period of time, as messages pop up here and there, all of a sudden every now and then the pc will reboot. Once it reboots and things load, every now and then I also get a system error (the ones where they say do you want to send to Microsoft) that says 133.exe cannot run (the numbers vary). This has just been happening today (it is the first day I have really had the pc on since the virus hit). I am sending these updates from a laptop.

I do need to step out for an hour and a half due to a family commitment. Hope that is okay. If you can let me know what you think I need to do next, I'll do so as soon as I get back.

Thanks again....I do hope we can beat this thing.


We are struggling without any logs, but let's see if we can trick it.

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

explorer "%allusersprofile%\application data"

Have a look for any folders that are named with 8 numerical digits, e.g. 12345679

If you find any, Drag them to your desktop.

-------------------------------------------------------------------------------------------

Download Combofix from the link below. Save it to your desktop.

Link 1

(I have renamed the file)

Reboot in safe mode

You will now need to reboot in safe mode, you will not have internet access whilst you do the next part

Please copy/paste or print the following instructions.

You can boot in Safe Mode by restarting your computer, then continually tapping F5 OR F8 until a menu appears.

Use your up arrow key to highlight Safe Mode, then hit enter.

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\sVchost.exe" /killall

( it may be tomorrow before I get back to you again, it's turned midnight here :D )

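The look.bat posted earlier and the explorer step just above hunt for the same thing: a folder whose name is nothing but digits and which holds a .exe of the same name. As an added example (not code from the thread or from the helper's tools), here is that hunt in Python so it can be run against a copied-off profile directory from a clean machine; the directory layout it builds is constructed for the demo and stands in for All Users\Application Data.

```python
"""Hunt for folders whose name is only digits and that hold a same-named .exe, the
pattern look.bat and the explorer step above look for. Added example, not code from
the thread; the demo tree below is constructed and stands in for the All Users profile."""
import os
import tempfile


def numeric_named_dirs(root, digits=8, require_exe=True):
    """Walk root and return sorted (dir_path, exe_present) pairs for directories whose
    name is exactly `digits` decimal digits. With require_exe=True (the batch file's
    condition) only directories that also contain <name>.exe are returned; with False
    every digit-named directory is listed, as in the manual explorer check."""
    hits = []
    for dirpath, _subdirs, filenames in os.walk(root):
        name = os.path.basename(dirpath)
        if not (name.isdigit() and name.isascii() and len(name) == digits):
            continue
        exe_present = any(f.lower() == f"{name}.exe" for f in filenames)
        if exe_present or not require_exe:
            hits.append((dirpath, exe_present))
    return sorted(hits)


def build_demo_tree(base):
    """Create a constructed layout under base; returns the 'Application Data' root."""
    layout = {
        ("Application Data", "12345679"): ["12345679.exe", "config.dat"],   # digits + exe
        ("Application Data", "87654321"): ["readme.txt"],                   # digits, no exe
        ("Application Data", "Microsoft"): ["x.dll"],                       # ordinary vendor dir
        ("Application Data", "Microsoft", "Crypto", "1234"): ["1234.exe"],  # too short
    }
    for parts, files in layout.items():
        d = os.path.join(base, *parts)
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"demo")          # contents are irrelevant to the hunt
    return os.path.join(base, "Application Data")


def demo():
    """Run both modes over the demo tree; returns (strict_names, loose_names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        strict = [os.path.relpath(p, root) for p, _ in numeric_named_dirs(root)]
        loose = [os.path.relpath(p, root) for p, _ in numeric_named_dirs(root, require_exe=False)]
    return strict, loose


if __name__ == "__main__":
    strict, loose = demo()
    print("digit-named folders with matching exe:", strict)
    print("all 8-digit folders:", loose)
```

The strict mode reproduces the batch file's condition (folder name and executable name must match); the loose mode is the explorer check, which lists every 8-digit folder so that one whose executable has already been renamed or deleted still shows up.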

Hi - I am back. I have tried both scripts you provided by using the Run command, as you instructed - nothing happens with the first one. I downloaded ComboFix and then tried the second one in Safe Mode and nothing runs. I then tried the first one in Safe Mode and it doesn't work in Safe Mode either. Is there a way I could manually search for what the first script is trying to do (e.g. using Explorer Search)? I am getting worried now that nothing seems to be working. It seems to have control of the Operating System - I hope there is a way to break that hold.

I appreciate your help tonight and being up late, your instructions are very easy to follow.....just so you know, I'll be back around 5 pm EST.

Thanks.

Is there a way I could manually search for what the first script is trying to do

Yes, ...... you may need to Unhide Files And Folders to find the folder though.

Just so I know, what OS are you using, XP or Vista ?

Navigate to

C:\Documents and Settings\All Users\Application Data

Look for the random named folder.

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt


Hi - I am using XP Service Pack 2.

I could download the DDS.scr, but could not run it. In fact, I am realizing that I cannot access and run many things. As an example, I was trying to use Control Panel to see if I could verify my OS and when I went to Control Panel, it would not allow me to open System.

Is there some type of script to allow it to stop the hold the virus put on my ability to open and run things ?? I imagine that is what some of these prior scripts are aimed at doing.

Also, I am doing this in normal mode. Should I try Safe Mode ?? Does that matter ??

Thanks for coming back and helping.


Sorry to post again. Is it okay to back up files on my PC to an external hard drive during this issue? For example, I have itunes folders and pictures and some word documents - is it okay to copy those to an external hard drive - would the virus possibly be attached to any of these files or possibly try to attach itself ??

Is it okay to back up files on my PC to an external hard drive during this issue?

I recommend you backup any files you want to keep, we can easily disinfect the external drive once the main machine is clean.

The way this is going, we may well need to do a repair install ..... if I can't get any logs, I don't know what I'm trying to kill !!!

1) I imagine that is what some of these prior scripts are aimed at doing.

2) Also, I am doing this in normal mode. Should I try Safe Mode ?? Does that matter ??

1) Correct

2) Let's try a safe mode run, see if that trips up the infection

Boot to safe mode and try the following ....

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\Combofix.exe" /stepdel

If that doesn't work, try this one.

"%userprofile%\desktop\Combofix.exe" /killall


Quick question - When I downloaded ComboFix, it was renamed. I tried running the script in normal mode and I got a regular Windows warning back that basically said it cannot locate ComboFix. Should I download ComboFix without renaming it prior to going to Safe Mode ?

Should I download ComboFix without renaming it prior to going to Safe Mode ?

Yes please, it has been updated anyway.

Make sure you save it on your desktop.

ComboFix.exe


Hi - In safe mode, I ran both scripts, but I did not see anything run. I then began clicking on some of the tools I had downloaded and had success in running Win32kDiag and one other. I'll add the logs below - hopefully they help.

Win32kDiag:

Log file is located at: C:\Documents and Settings\HP_Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Administrator.acl

[1] 2009-08-12 20:58:26 35262 C:\WINDOWS\Administrator.acl ()

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2156329642-1541253121-17644588-500\S-1-5-21-2156329642-1541253121-17644588-500

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-09 17:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 20:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\tmp.txt

[1] 2009-08-15 10:05:07 0 C:\WINDOWS\system32\tmp.txt ()

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-08-26 17:23:34 5028 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

Found mount point : C:\WINDOWS\Temp\MCE001a7\MCE001a7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a8\MCE001a8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a9\MCE001a9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001aa\MCE001aa

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ab\MCE001ab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ac\MCE001ac

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ad\MCE001ad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ae\MCE001ae

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001af\MCE001af

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b0\MCE001b0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b1\MCE001b1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b2\MCE001b2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b3\MCE001b3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b4\MCE001b4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b5\MCE001b5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b6\MCE001b6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b7\MCE001b7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b8\MCE001b8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b9\MCE001b9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Finished!

SysProt - this ran for a bit then gave me a message that I did not have Administrator rights. It generated a log though:

SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
No hidden files/folders found

OTS ran for a bit and then failed, producing no logs.

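Two things in the Win32kDiag log above carry the signal the helper is reacting to: every mount point resolves to the same odd \Device\__max++> object instead of a volume path, and the system32 copy of eventlog.dll is inaccessible, has no company name, and is a different size from the ServicePackFiles copy that shares its timestamp. As an added example (not code from the thread or from Win32kDiag), this Python script parses a log in that format and pulls out exactly those two kinds of finding; the embedded sample is a constructed excerpt of the log posted above.

```python
r"""Triage helper for Win32kDiag logs (added example; not code from the thread or the tool).
Flags (1) mount/reparse points whose destination is the \Device\__max++> object seen in
the logs above instead of a volume path, and (2) "Cannot access" files whose own entry has
no company name while a same-named service-pack copy is versioned and differs in size."""
import os
import re
from collections import namedtuple

# Constructed excerpt in the format of the Win32kDiag logs posted in this thread.
SAMPLE_LOG = r"""
Log file is located at: C:\Documents and Settings\HP_Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\Administrator.acl
[1] 2009-08-12 20:58:26 35262 C:\WINDOWS\Administrator.acl ()
Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-09 17:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
# "[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll (Microsoft Corporation)"
ENTRY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
# A legitimate junction targets a volume path; this \Device\ object name is what every
# mount point in the thread's logs resolved to, so treat it as the indicator.
SUSPICIOUS_DEST = re.compile(r"\\Device\\__max\+\+>")

Entry = namedtuple("Entry", "stamp size path company")   # one "[n] ..." line
Finding = namedtuple("Finding", "kind path detail")


def _base(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def parse_win32kdiag(text):
    """Return (list of (mount_point, destination), {inaccessible_path: [Entry, ...]})."""
    mounts, inaccessible = [], {}
    pending_mount = current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_mount:
            mounts.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := NOACCESS_RE.match(line):
            current = m.group(1)
            inaccessible[current] = []
        elif (m := ENTRY_RE.match(line)) and current:
            inaccessible[current].append(Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        else:
            current = None          # any other line ends the block of "[n]" entries
    return mounts, inaccessible


def triage(mounts, inaccessible):
    findings = []
    for path, dest in mounts:
        if SUSPICIOUS_DEST.search(dest):
            findings.append(Finding("reparse_point", path, "destination " + dest))
    for path, entries in inaccessible.items():
        own = next((e for e in entries if e.path.lower() == path.lower()), None)
        refs = [e for e in entries if e.path.lower() != path.lower()
                and _base(e.path) == _base(path) and e.company]
        if own is None or own.company:
            continue                # versioned or unlisted: nothing to say from this log alone
        if not refs:
            findings.append(Finding("inaccessible_no_reference", path,
                                    f"{own.size} bytes, no version info, no clean copy to compare"))
            continue
        # Prefer the reference copy with the same timestamp: a patched system file often
        # keeps the original stamp while its size changes.
        ref = next((e for e in refs if e.stamp == own.stamp), refs[-1])
        if ref.size != own.size:
            findings.append(Finding("patched_system_file", path,
                f"{own.size} bytes, no version info; {ref.path} is {ref.size} bytes ({ref.company})"))
    return findings


def analyze(text):
    return triage(*parse_win32kdiag(text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:26} {f.path}\n{'':26} {f.detail}")
```

On the sample it reports both mount points, notes Administrator.acl as inaccessible with nothing to compare against, and flags eventlog.dll because the system32 copy (62976 bytes, no version info) differs from the ServicePackFiles copy with the same timestamp (56320 bytes, Microsoft Corporation); that ServicePackFiles path is the clean copy a repair would restore from.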

Great stuff :D

In safe mode, do the following

Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Now try Combofix again.


Hi - I have a few minutes this morning, but will not be back in time tonight before you sign off. Before I try your fix, I wanted to let you know that I was able to get the Batch program to run by double clicking it enough to get multiple instances to run. When multiple instances run, it runs, however in normal mode, after an hour or so, the virus took over. I am running it in Safe mode this morning, hoping it will complete. Can I see how that goes before I try the step you mentioned prior to this post? If it completes in the next hour and a half I'll post it, but I will have to go and will not be back until Friday 5 pm EST (did not want to hold you up). I'll have time then and this weekend to dedicate to this. Let me know. Thanks again.


The batch file won't fix anything, it just looks for problem files.

Please try the "%userprofile%\desktop\win32kdiag.exe" -f -r instructions


Here is the new output

Log file is located at: C:\Documents and Settings\HP_Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Administrator.acl

[1] 2009-08-12 20:58:26 35262 C:\WINDOWS\Administrator.acl ()

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2156329642-1541253121-17644588-500\S-1-5-21-2156329642-1541253121-17644588-500

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-09 17:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 20:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\tmp.txt

[1] 2009-08-15 10:05:07 0 C:\WINDOWS\system32\tmp.txt ()

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-08-26 17:23:34 5028 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

Found mount point : C:\WINDOWS\Temp\MCE001a7\MCE001a7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a8\MCE001a8

Mount point destination : \Device\__max++>\^


I was able to run the script but it did not launch the Win32kDiag - I had to do this manually. Also when I ran ComboFix, nothing happened, however I was able to run the renamed (earlier) version I had. However it produced no output - should it? Lastly, I was thinking that running the .bat file might give you more insight into what's going on. If you think it is valuable, I can let it run later tonight and see what it produces.

Let me know of next steps. Thanks. I will try them later tonight, probably after you have signed off unfortunately.


Sorry, I just realized the whole output did not show in the above post - here is the whole thing:

Log file is located at: C:\Documents and Settings\HP_Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Administrator.acl

[1] 2009-08-12 20:58:26 35262 C:\WINDOWS\Administrator.acl ()

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2156329642-1541253121-17644588-500\S-1-5-21-2156329642-1541253121-17644588-500

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-09 17:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 20:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\tmp.txt

[1] 2009-08-15 10:05:07 0 C:\WINDOWS\system32\tmp.txt ()

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-08-26 17:23:34 5028 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

Found mount point : C:\WINDOWS\Temp\MCE001a7\MCE001a7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a8\MCE001a8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001a9\MCE001a9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001aa\MCE001aa

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ab\MCE001ab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ac\MCE001ac

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ad\MCE001ad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ae\MCE001ae

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001af\MCE001af

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b0\MCE001b0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b1\MCE001b1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b2\MCE001b2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b3\MCE001b3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b4\MCE001b4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b5\MCE001b5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b6\MCE001b6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b7\MCE001b7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b8\MCE001b8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001b9\MCE001b9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001ba\MCE001ba

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bb\MCE001bb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bc\MCE001bc

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bd\MCE001bd

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001be\MCE001be

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE001bf\MCE001bf

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Finished!


Avenger

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
     Files to replace with dummy:
     C:\WINDOWS\system32\eventlog.dll
  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Now try Combofix

This topic is now closed to further replies.