Sorry, I was out of town yesterday. Unfortunately, there is a nasty rootkit on this computer that we really need to get rid of before you give it back to the customer. This is going to take at least another round to make sure that we got everything.
Download The Avenger
Please download The Avenger to your Desktop.
- Click on Avenger.zip to open the file.
- Extract avenger.exe to your desktop
- Copy all the text contained in the code box below to your clipboard by highlighting it and pressing Ctrl+C:
Code:
Drivers to unload:
pe386
Files to delete:
C:\Program Files\GIB\01setup.EXE
C:\WINDOWS\SYSTEM32\i
C:\WINDOWS\Setup90.exe
C:\WINDOWS\srvbtsebdr.exe
NOTE: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text copied to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
- The Avenger will automatically do the following:
- It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop; this is normal.
- After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
- Please post the contents of c:\avenger.txt with your next reply.
Online Scan
Please perform a BitDefender Online Scan using Internet Explorer. Once finished, click on the Details button to view the results. To the upper right of the results you will see an option saying "Click here to export the scan results". Please do so and save it to your desktop. Post the results of the scan with your next post.
Re-Download ComboFix
ComboFix has been updated since you downloaded it. Please delete your copy and download ComboFix from one of the following links:
- http://www.techsupportforum.com/sectools/combofix.exe
- http://download.bleepingcomputer.com/sUBs/combofix.exe
Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply.
Run ADS Spy
- Please open HijackThis, and go to Config || Misc Tools
- Click the button labelled "Open ADSSpy"
- Make sure "Ignore Safe System Info Streams" and "Quick Scan (Windows based folders only)" are checked.
- Click the "Scan" button.
- When it has finished scanning, checkmark/tick all the entries that it found.
- Click the "remove selected" button, then click "Yes" at the following prompt.
- Click the "Scan" button once again.
- Click the "Save Log" button once this scan is complete.
Please post that log here for review.
With Your Next Post
Please paste the following logs in this order:
- The contents of C:\avenger.txt,
- The results of the BitDefender scan,
- The contents of C:\ComboFix.txt,
- The results of ADS Spy, and
- A new HijackThis log taken after ComboFix has finished.
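As an added illustration (not part of this post, and not The Avenger's own code), the script below parses the two-section Avenger script format used above ("Drivers to unload:" / "Files to delete:") and mirrors the backup-then-delete behaviour described: each file is zipped into a backup archive before it is removed, and missing files are reported rather than failing the run. Driver unloading is only listed, not performed. All file names and the temporary directory are constructed for the demonstration; the function names are assumptions.

```python
import os, tempfile, zipfile

def parse_avenger_script(text):
    """Return {'drivers': [...], 'files': [...]} from an Avenger-style script."""
    sections = {"drivers to unload:": "drivers", "files to delete:": "files"}
    plan, current = {"drivers": [], "files": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = sections.get(line.lower())
        if key:                      # section header
            current = key
        elif current:                # entry belonging to the open section
            plan[current].append(line)
        else:                        # stray text before any header
            raise ValueError("line outside any section: %r" % line)
    return plan

def apply_file_deletions(files, backup_zip):
    """Back up each existing file into backup_zip, then delete it; return (deleted, missing)."""
    deleted, missing = [], []
    with zipfile.ZipFile(backup_zip, "a", zipfile.ZIP_DEFLATED) as zf:
        for path in files:
            if not os.path.isfile(path):
                missing.append(path)     # reported, like Avenger's "not found" entries
                continue
            zf.write(path, arcname=os.path.basename(path))  # backup first ...
            os.remove(path)                                  # ... then delete
            deleted.append(path)
    return deleted, missing

def demo():
    """Constructed run in a temp dir: two sample files exist, one does not."""
    root = tempfile.mkdtemp()
    targets = [os.path.join(root, n) for n in ("Setup90.exe", "srvbtsebdr.exe", "missing.exe")]
    for p in targets[:2]:
        with open(p, "wb") as f:
            f.write(b"MZ-constructed-sample")   # placeholder content, not real malware
    script = "Drivers to unload:\npe386\nFiles to delete:\n" + "\n".join(targets) + "\n"
    plan = parse_avenger_script(script)
    backup = os.path.join(root, "backup.zip")
    deleted, missing = apply_file_deletions(plan["files"], backup)
    with zipfile.ZipFile(backup) as zf:
        backed_up = sorted(zf.namelist())
    return plan["drivers"], deleted, missing, backed_up

if __name__ == "__main__":
    print(demo())
```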