[JSntgRvr]

Remove The Avenger you downloaded earlier. This is a new version I want you to download as follows:

1. Please download The Avenger2 by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:C:\WINDOWS\system32\mdelk.exeC:\WINDOWS\system32\wintems.exeRegistry values to delete: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 | wintems.exeHKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 | Mdelk.exeHKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604 | wintems.exeHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe2 | a

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V).
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

[Advertisements]

I get the same message I got with the old Avenger. "avenger.exe is not a valid Win32 application".

How exactly does the virus block the application, does it delete it?

Edited by Karol33, 29 February 2008 - 07:43 PM.

[Karol33]

I get the same message I got with the old Avenger. "avenger.exe is not a valid Win32 application".

How exactly does the virus block the application, does it delete it?

Edited by Karol33, 29 February 2008 - 07:43 PM.

[JSntgRvr]

Start WinPFind35U. Copy/Paste the information in the Codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer][Unregister Dlls][Files/Folders - Created Within 30 days]YY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmpYY -> mdelk.exe -> %SystemRoot%\System32\mdelk.exeYY -> xfcodec.dll -> %SystemRoot%\System32\xfcodec.dllYY -> NV19441972.TMP -> %SystemRoot%\NV19441972.TMPYY -> 5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmpYY -> winstart.bat -> %SystemRoot%\winstart.bat[Files/Folders - Modified Within 30 days]YY -> hosts.20080208-161428.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080208-161428.backupYY -> hosts.20080208-164121.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080208-164121.backupYY -> hosts.20080208-164134.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080208-164134.backupYN -> hosts.20080209-111825.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080209-111825.backupYY -> hosts.20080211-151943.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080211-151943.backupYY -> hosts.20080215-154915.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080215-154915.backupYY -> hosts.20080215-154919.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080215-154919.backupYY -> hosts.20080216-231506.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080216-231506.backupYY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmpYY -> mdelk.exe -> %SystemRoot%\System32\mdelk.exeYY -> xfcodec.dll -> %SystemRoot%\System32\xfcodec.dllYY -> 5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmpYY -> NV19441972.TMP -> %SystemRoot%\NV19441972.TMPYY -> winstart.bat -> %SystemRoot%\winstart.batYY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.datYY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.datYY -> am6g3dcd.exe -> C:\Documents and Settings\user\Local Settings\Temp\am6g3dcd.exeYY -> cleanup.exe -> C:\Documents and Settings\user\Local Settings\Temp\cleanup.exeYY -> t0jpgii1.exe -> C:\Documents and Settings\user\Local Settings\Temp\t0jpgii1.exeYY -> 2 C:\Documents and Settings\user\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\user\Local Settings\Temp\*.tmpYY -> setup.exe -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\MSAA20RDK\setup.exeYY -> drm_dialogs.dll -> C:\Documents and Settings\user\Local Settings\Temp\drm_dialogs.dllYY -> 2 C:\Documents and Settings\user\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\user\Local Settings\Temp\*.tmpYY -> gtapi.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\gtapi.dllYY -> helper.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\helper.dllYY -> ikdll.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\ikdll.dllYY -> InnoHelpers.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\InnoHelpers.dllYY -> isxdl.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\isxdl.dllYY -> PCTLicHelper.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\PCTLicHelper.dllYY -> PCTLicReset.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\PCTLicReset.dllYY -> PCTWSC.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\PCTWSC.dllYY -> SecurityUtil.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\SecurityUtil.dllYY -> _shfoldr.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\_isetup\_shfoldr.dllYY -> 1 C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\_isetup\*.tmp files -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\_isetup\*.tmpYY -> aamig.DLL -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\MSAA20RDK\aamig.DLLYY -> msaa2rdk.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\MSAA20RDK\msaa2rdk.dllYY -> MSAATextA.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\MSAA20RDK\MSAATextA.dllYY -> MSAATextW.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\MSAA20RDK\MSAATextW.dllYY -> msoobci.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\MSAA20RDK\msoobci.dllYY -> oleaccA.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\MSAA20RDK\oleaccA.dllYY -> oleaccrc.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\MSAA20RDK\oleaccrc.dllYY -> oleaccW.dll -> C:\Documents and Settings\user\Local Settings\Temp\is-LIJ73.tmp\MSAA20RDK\oleaccW.dllYY -> Perflib_Perfdata_62c.dat -> C:\Documents and Settings\user\Local Settings\Temp\Perflib_Perfdata_62c.datYY -> 2 C:\Documents and Settings\user\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\user\Local Settings\Temp\*.tmp[Extra Files]C:\WINDOWS\system32\wintems.exe[Empty Temp Folders][Start Explorer][ZipFiles][Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind35u scan and a Hijackthis log, separately (the Hijackthis can be pasted on the reply).

This time, when scanning with WinpFind35u, under Processes, Services, Drivers and Registry, select the All button.

I will review the information when it comes back in.

Edited by JSntgRvr, 29 February 2008 - 08:34 PM.

[JSntgRvr]

If the above fix fails as the others did, please download the enclosed folder. Save and extract its contents to the desktop. It will create a new folder on your desktop, DieBagle. Once extracted, open this folder and click on the Runme.bat file. The computer will restart and upon will create a Catchme.log on your desktop. Please open this log in Notepad and post its contents along with a Hijackthis log.

In case we need to boot into the Recovery Console, do you have the XP installation CD?

[JSntgRvr]

I found this application in Spain developed for the removal of Trojan Bagle. Sorry I am throwing all at once, but these are new alternatives addressing new variants.

Go to this page:

http://www.zonavirus...95/elibagla.asp

Scroll down and click on ELIBAGLA 11.08 to download this tool. Once downloaded run the application and click on "Explorar". It should take a while to scan the computer

When Finished, there should be a C:\Infosat.txt report. Post its contents.

[Karol33]

The first fix worked but I had to reboot. So I didn't get the Notepad file with the actions taken. But I still get the massage "is not a valid Win32 application" when I try to start up HJT.

I uploaded the new scan from Winpfind and ELIBAGLE.

I don't have the windows CD sorry. Do I sill try the DIEBAGLE method?

Attached Files

•  WinPFind35.Txt   260.52KB   163 downloads
•  InfoSat.txt   996bytes   155 downloads

Edited by Karol33, 01 March 2008 - 10:07 AM.

[JSntgRvr]

Start WinPFind35U. Copy/Paste the information in the Codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Driver Services - All]YY -> (srosa) Megadrv3 [Kernel | System | Running] -> %SystemRoot%\system32\drivers\srosa.sys[Files/Folders - Created Within 30 days]YY -> mdelk.exe -> %SystemRoot%\System32\mdelk.exe[Files/Folders - Modified Within 30 days]YY -> mdelk.exe -> %SystemRoot%\System32\mdelk.exe

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind35u scan and a Hijackthis log, separately (the Hijackthis can be pasted on the reply).

When scanning with WinpFind35u, under Processes, Services, Drivers and Registry, select the All button.

I will review the information when it comes back in.

[Karol33]

I removed that Spanish app because it was scanning on start up. I do what you said but when I click RUN FIX I get a crash to blue screen. Then on start up when I click "log in" it takes a while and I get a message "Windows cannot find 'C:\Documents'. Make sure you typed the name correctly, and then try again."

Also KHALMNRP appeared again:

C:\Documents and Settings\user\KHALMNPR.EXE Infected: Trojan-Downloader.Win32.Bagle.jv

i deleted it

Edited by Karol33, 01 March 2008 - 07:00 PM.

[JSntgRvr]

Download the enclosed folder. Save and Extract its contents to the desktop. It is a batch file, Files.bat Once extracted, doubleclick on the Files.bat file and post back the report it shall produce.

Please go here:
The Spy Killer Forum

• Click on "New Topic"
• Put your name, e-mail address, and this as the title: "Catchme.zip"
• Put a link to this thread in the description box.
• Then next to the file box, at the bottom, click the browse button, then navigate to this file:
  
  
  • Catchme.zip on your desktop
  
  
• Click Open.
• Click Post.

Also upload :

C:\Windows\system32\drivers\srosa.sys

You will not be able to see if the upload was successful. But let me know when done and I will check for you.

[Karol33]

I did the rest except, I can't find: C:\Windows\system32\drivers\srosa.sys srosa is not there.

[JSntgRvr]

It is hidden, but catchme got a copy. Thanks. Run the batch file on Post 24 and post its report.

Edited by JSntgRvr, 01 March 2008 - 07:58 PM.

[JSntgRvr]

Remove the Combo-fix copy you downloaded earlier and download this copy:

http://download.blee...ta/ComboFix.exe

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  

  -----------------------------------------------------------

[Karol33]

Ok, I downloaded it now can you post what I must do again.

[JSntgRvr]

1. Run the batch file on Post 24 and post its report. You can attach the file instead.

2. Run the Combofix as downloaded. Doubleclick on it and sit back. Do not click on the screen while Combofix is running. I shall also produce a report. Paste that report.

Let me know the outcome.

[Karol33]

Ran the batch file and I have uploaded the report.

Sadly I get "Combofix.exe is not a valid Win32 application" message.

Attached Files

•  Report1.txt   286.65KB   180 downloads