KVT

Avenger.txt reloads and grows in size after each startup, recommended by MAM so as to get rid of captured malware


Thank you for getting back to me and I will do so now! Should I delete the existing ComboFix, or by downloading this new version will it override the existing version?

 

Also: please let me know what you think I should do regarding scanning the external drive with files.


Also: do I download ComboFix from the link that you have just sent me to this new computer and then save it on a USB and transfer it to the old computer? Mind you, I have not opened a browser on the old infected PC, as the browser was not working and also since I was worried about going on the internet with no protection.


I just deleted the 5MB ComboFix icon from the desktop, but I believe this is just the read-only file, and to delete ComboFix completely I shall need to delete the whole 'combofix' folder under the C drive, which itself (the combofix folder) has a copy of the DVD drive, the control panel, the shared docs file and my own documents file. Is that so, or not?


OK, thank you, I will proceed to download ComboFix and transfer it to the infected PC via a USB (as also done earlier). If that doesn't work I will try to open a browser and download it from the infected PC.


Unfortunately, when I downloaded ComboFix from this new PC, it prevented me; McAfee observed an Artemis trojan, which it has placed in quarantine. I would not think that these fixes carry trojans themselves!


Are you sure? I read about the Artemis virus and it sounds exactly like the one that I caught on the other computer in the first instance. Can I trust you, please? Also, this new computer does not have any records at all, belongs to a friend, and the last thing I wish to do is to infect her PC.

 

Also, if you tell me it is safe, how can I download this ComboFix in view of McAfee preventing it?


I have downloaded it from the infected PC, moved it from the download folder to the desktop (using folder manager) and tried to open it with the run command you offered, making sure all the letters, symbols and dashes (forward or backward) are exactly as you wrote. The run command does not recognise it.


I have copied into the run command exactly this, trying versions with front or back strokes in between, and also having a 'space' after the KillAll and the Nombr words. It did not make any difference; it won't run. If I try to run it from the icon, it runs but it gets stuck on the part about 'autoscan'.

This issue has taken over my life and I have had enough... can you please advise me on how to get control of my files from the external drive? At least I will be able to know if I have my files or not. For the last ten days I have been in limbo. Thank you.

 

%userprofile%\desktop\ComboFix.exe /KillAll /Nombr /StepDel


BTW, I will pay you regardless... I appreciate your effort.


I cannot highlight and copy the line, as this line is on this new PC that has an internet connection and the other one is sketchy. I tried to go to this forum from the infected PC but the internet connection breaks. Even the Google home page does not look genuine; it does not have the G+ or the Gmail signs on the top anymore; dodgy. So, I just type the command.

 

Also, please note that from each attempt to open bloody ComboFix on the infected PC a new file/icon is created under my documents file, which is under the combofix drive that contains the C drive etc.

 

Anyhow, I am at the end of my wire... I start to accept that I will have to clean and reinstall the operating system... as long as I can access my external drive...?


I went to the infected machine and reloaded it and Chrome; it opened OK. I went into our forum and cut and pasted the command exactly into the run box, and it still gave me the 'Windows can't find C:documents. Make sure you typed the name correctly and try again'....


OK, I will try this command file by copying it via USB onto the infected PC.


I tried as you asked; I placed the document on the infected PC and opened it with Word, copied the command into the run command, but nothing. Do you have access to TeamViewer so you can look into my computer? I have TeamViewer.


Thank you; I took a break to eat, my first meal of the day. :( This command has worked and it does open ComboFix, and it has managed to progress from the autoscan phase (not hung). It has deleted two system32/drivers files and it has completed 50 stages so far. When it finishes and produces a log I will send it to you. Hope your evening is going well, and thanks for sticking with me. :)


The process completed itself and the PC shut down, but when restarting it hangs; it stops at 95% or so of the rebooting process. It is the white line/bar above the 'BIOS revision A13' sign. I am worried that if I force a new reboot we may not obtain the log file? ComboFix seems to be a mean yet hungry tool. :)


It's been more than 30 mins since I wrote the above and it has not restarted, still hung. So I hope that I can force a shutdown and restart and the log file will be on the D drive. Fingers crossed.


I restarted and I got the ComboFix Find3M screen/window, which tells me now that it is preparing a log report and 'do not run any programs until ComboFix has finished'. I await.


Here is the log file!! You have persevered since this morning!

 

ComboFix 14-08-06.02 - Konstantine Trivizas 08/08/2014  21:59:47.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.2047.1681 [GMT 1:00]
Running from: c:\documents and settings\Konstantine Trivizas\desktop\ComboFix.exe
Command switches used :: /KillAll /nombr /StepDel
AV: Ad-Aware Antivirus *Disabled/Outdated* {22CB8761-914A-11CF-B705-00AA0062CBB7}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Ad-Aware Firewall *Disabled* {9211320F-6C40-4035-BBDE-3C96ED504F33}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\system32\drivers\fad.sys
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-08 to 2014-08-08  )))))))))))))))))))))))))))))))
.
.
2014-08-08 22:15 . 2014-08-08 22:15 62576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C123CCD9-F9BF-4528-A0D5-1B8F3E0144D3}\offreg.dll
2014-08-08 15:26 . 2014-07-02 03:11 8217224 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C123CCD9-F9BF-4528-A0D5-1B8F3E0144D3}\mpengine.dll
2014-08-07 10:35 . 2014-07-02 03:11 8217224 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-08-06 12:51 . 2014-08-08 10:11 -------- d-----w- C:\FRST
2014-08-05 15:15 . 2014-08-05 15:15 -------- d-----w- c:\documents and settings\Konstantine Trivizas\Application Data\Lavasoft
2014-08-05 14:35 . 2014-08-05 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Search Protection
2014-08-05 14:35 . 2014-08-05 14:35 -------- d-----w- c:\documents and settings\Konstantine Trivizas\Local Settings\Application Data\adawarebp
2014-08-05 14:35 . 2014-08-08 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2014-08-05 14:34 . 2014-08-05 14:34 -------- d-----w- c:\program files\Toolbar Cleaner
2014-08-05 14:33 . 2014-08-05 14:34 -------- d-----w- c:\documents and settings\Konstantine Trivizas\Application Data\adawaretb
2014-08-05 14:28 . 2014-08-05 14:28 -------- d-----w- c:\program files\Common Files\Lavasoft
2014-08-05 13:02 . 2014-08-05 14:38 -------- d-----w- c:\program files\Lavasoft
2014-08-05 12:29 . 2014-08-05 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2014-08-04 16:11 . 2014-08-06 15:24 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-04 16:10 . 2014-08-05 17:29 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-08-04 16:10 . 2014-08-04 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-08-04 16:10 . 2014-05-12 06:26 53208 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-08-04 16:10 . 2014-05-12 06:25 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-08-04 15:54 . 2014-08-04 15:56 -------- d-----w- c:\documents and settings\Administrator
2014-08-01 13:04 . 2014-08-01 13:04 -------- d-----w- c:\windows\system32\cos
2014-08-01 08:41 . 2014-08-01 08:41 -------- d-----w- c:\windows\system32\winrm
2014-08-01 08:40 . 2014-08-01 08:42 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2014-08-01 08:37 . 2014-08-01 08:37 -------- d-----w- C:\82c2f8c
2014-07-24 19:44 . 2014-07-24 19:44 -------- d-----w- c:\documents and settings\Konstantine Trivizas\Application Data\URSoft
2014-07-24 19:44 . 2014-07-24 20:06 -------- d-----w- c:\program files\Your Uninstaller 2008
2014-07-22 21:50 . 2014-08-04 16:15 -------- d-----w- c:\documents and settings\Konstantine Trivizas\Application Data\Xihoh
2014-07-22 21:50 . 2014-07-23 16:47 -------- d-----w- c:\documents and settings\Konstantine Trivizas\Application Data\Epme
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-16 12:57 . 2014-06-16 12:57 54048 ----a-w- c:\windows\system32\vrvd5.dll
2014-06-16 12:57 . 2014-06-16 12:57 11296 ----a-w- c:\windows\system32\drivers\vrvd5.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll" [2014-07-25 116248]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2014-07-25 13:44 116248 ----a-w- c:\program files\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll" [2014-07-25 116248]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2013-09-27 559696]
"AdAwareTray"="c:\program files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareTray.exe" [2014-06-03 6699864]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-20 519584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-09-13 10:33 155648 ----a-w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 16:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2004-10-26 11:01 921600 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 08:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-01-02 18:37 295072 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Documents and Settings\\Konstantine Trivizas\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\SkypeWebPlugin\\SkypeWebPlugin.exe"=
"c:\\Program Files\\Lavasoft\\AdAware SecureSearch Toolbar\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
.
R2 LavasoftAdAwareService11;Ad-Aware Service 11;c:\program files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareService.exe [03/06/2014 16:12 655352]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [29/11/2012 21:31 38608]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [24/08/2012 09:44 2673064]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [06/02/2003 19:23 59328]
R3 vrvd5;vrvd5;c:\windows\system32\drivers\vrvd5.sys [16/06/2014 13:57 11296]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [21/06/2013 09:53 162408]
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-20 20:21]
.
2014-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-20 20:21]
.
2014-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1563985344-1343024091-1001Core.job
- c:\documents and settings\Konstantine Trivizas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-23 11:37]
.
2014-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1563985344-1343024091-1001UA.job
- c:\documents and settings\Konstantine Trivizas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-23 11:37]
.
2014-08-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 16:03]
.
2014-08-08 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1004336348-1563985344-1343024091-1001.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 15:30]
.
2014-08-08 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1004336348-1563985344-1343024091-1001.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 15:30]
.
2014-08-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1563985344-1343024091-1001.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 15:30]
.
2014-07-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1563985344-1343024091-1001.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 15:30]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
TCP: Interfaces\{44C2C7EA-F701-4F67-880D-ECFE2FE5B7BA}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{6A0C5F9A-BF17-46DE-9AC9-35267BF55774}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{96E2D96F-12B6-4E49-9218-35E42F97A477}: NameServer = 8.8.8.8,8.8.8.8
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-bascstray - BascsTray.exe
AddRemove-RealPlayer 16.0 - c:\program files\real\realplayer\Update\r1puninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-08 23:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(912)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(204)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\basfipm.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\TeamViewer\Version7\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version7\tv_w32.exe
.
**************************************************************************
.
Completion time: 2014-08-08  23:20:40 - machine was rebooted
ComboFix-quarantined-files.txt  2014-08-08 22:20
.
Pre-Run: 23,102,857,216 bytes free
Post-Run: 23,146,909,696 bytes free
.
- - End Of File - - CA6CC6BFA49C3787954F9CEA9FF2A601
8F558EB6672622401DA993E1E865C861

This topic is now closed to further replies.