File Behavior
AVENGER.EXE has been seen to perform the following behavior:
* The Process is packed and/or encrypted using a software packing process
* Adds a Registry Key (RUNONCE) to auto start Programs on system start up
* Creates a new Background Service on the machine
* This process creates other processes on disk
* This Process Deletes Other Processes From Disk
* Adds a Registry Key (RUN) to auto start Programs on system start up
* Registers a Dynamic Link Library File
* Executes a Process
* Found on infected systems and resists interrogation by security products
* Uses low level functions to hide itself from the user and from system/security processes
AVENGER.EXE has been the subject of the following behavior:
* Executed as a Process
* Has code inserted into its Virtual Memory space by other programs
* Created as a process on disk
* Executed from Temporary Folders
* Deleted as a process from disk
* Terminated as a Process
Please download The Avenger by Swandog46 to your Desktop.
* Double click on Avenger.zip to open the file and extract avenger.exe to your Desktop
* Copy the below quoted text (which is a script for Avenger) into your clipboard by highlighting it and pressing CTRL+C
* Now, run The Avenger program by double clicking its icon on your Desktop.
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Files to delete:
%Windir%\System32\askearth17.exe
%Windir%\System32\ei.exe
%Windir%\System32\filgmo.exe
%Windir%\system32\iniwin32.dll
%Windir%\System32\pruttct.exe
%Windir%\System32\prutpct.exe
%Windir%\System32\prutsct.exe
%Windir%\System32\ptech.exe
%Windir%\System32\skytown.exe
%ProgramFiles%\data19
%Windir%\pi1.exe
%UserProfile%\Desktop\askearth17.exe
%UserProfile%\Desktop\ei.exe
%UserProfile%\Desktop\filgmo.exe
%UserProfile%\Desktop\prutpct.exe
%UserProfile%\Desktop\prutsct.exe
%UserProfile%\Desktop\ptech.exe
%UserProfile%\Desktop\skytown.exe
%UserProfile%\Local Settings\Temp\ei.exe
Folders to delete:
C:\PROGRAM FILES\E2G
C:\PROGRAM FILES\Windows AdStatus
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Registry keys to delete:
HKLM\software\e2g
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
* It will Restart your computer. (When the script being executed contains "Drivers to Unload", The Avenger will actually reboot your system two times.)
* On reboot, it will briefly open a black command window on your desktop, this is normal.
* After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
* The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please attach the c:\avenger.txt file to your next message. Now continue with the below fixes!
Copy the text below (from REGEDIT4 through the last bracketed line) to Notepad. Save it as fixE2G.reg to your desktop. Be sure the "Save as type" is set to "All files". Once you have saved it, double click it and allow it to merge with the registry.
REGEDIT4
[-HKEY_CURRENT_USER\SOFTWARE\PTech]
[-HKEY_CLASSES_ROOT\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_CLASSES_ROOT\AppID\IeBHOs.DLL]
[-HKEY_CLASSES_ROOT\IeBHOs.Control.1]
[-HKEY_CLASSES_ROOT\IeBHOs.Control]
[-HKEY_CLASSES_ROOT\Interface\{8F0A06F6-DF4D-4D54-B8CA-E8EEDBAE6DDB}]
[-HKEY_CLASSES_ROOT\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_CLASSES_ROOT\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
[-HKEY_CLASSES_ROOT\CLSID\{4A5B0528-1EE4-4871-8546-AB34DF31E861}]
[-HKEY_CLASSES_ROOT\CLSID\{4A5B0D43-13BE-4B7C-820E-660CED71CDBF}]
[-HKEY_CLASSES_ROOT\CLSID\{4A5B482D-E087-43C9-8FD6-0F36510CF2B9}]
[-HKEY_CLASSES_ROOT\CLSID\{4A5ADB4F-48EE-4840-8DAB-166A239F7E86}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\[Random CLSID]
[-HKEY_LOCAL_MACHINE\Software\E2G]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g plugin]
[-HKEY_LOCAL_MACHINE\Software\Classes\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_LOCAL_MACHINE\Software\Classes\AppID\IeBHOs.DLL]
[-HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control.1]
[-HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control]
[-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O20 - AppInit_DLLs: iniwin32.dll
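As an added example (not part of the original post, and not code from The Avenger or HijackThis), the following read-only PowerShell audit checks whether the E2G / iniwin32.dll artifacts listed above are still present and reports them without deleting anything; it assumes PowerShell is available on the machine and is run from an elevated prompt.

```powershell
# Added example: read-only audit for the E2G / iniwin32.dll artifacts named in the post.
# Nothing here deletes or modifies anything; run it before and after the cleanup above.
$names = 'askearth17.exe','ei.exe','filgmo.exe','prutpct.exe','prutsct.exe','ptech.exe','skytown.exe'
$paths = @()
foreach ($n in $names) {                       # same names dropped in System32 and on the Desktop
    $paths += "$env:windir\System32\$n"
    $paths += "$env:USERPROFILE\Desktop\$n"
}
$paths += "$env:windir\System32\pruttct.exe", "$env:windir\System32\iniwin32.dll", "$env:windir\pi1.exe",
          "$env:ProgramFiles\data19", "$env:ProgramFiles\E2G", "$env:ProgramFiles\Windows AdStatus",
          "$env:USERPROFILE\Local Settings\Temp\ei.exe"

$bhoClsid = '{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}'   # the CControl BHO from the O2 line
$regKeys = @(
    'HKLM:\SOFTWARE\E2G',
    'HKCU:\SOFTWARE\PTech',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$bhoClsid",
    'Registry::HKEY_CLASSES_ROOT\AppID\IeBHOs.DLL'
)

$findings = @()
foreach ($p in $paths)   { if (Test-Path -LiteralPath $p) { $findings += "file/folder present: $p" } }
foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k" } }

# AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll,
# which is how iniwin32.dll hooks the whole session. The Avenger script replaces it with a dummy.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -and $appInit -match 'iniwin32\.dll') {
    $findings += "AppInit_DLLs still references iniwin32.dll: '$appInit'"
}

# Run / RunOnce entries pointing at the dropped executables. The behaviour list only says the
# RUN and RUNONCE keys are used, not which value names, so match on the target path instead.
$dropped = 'askearth17|filgmo|pruttct|prutpct|prutsct|ptech|skytown|pi1\.exe|\bei\.exe'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    $key = Get-Item -LiteralPath $rk -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $val = [string]$key.GetValue($name)
        if ($val -match $dropped) { $findings += "autorun entry $rk\$name -> $val" }
    }
}

if ($findings.Count -eq 0) { 'No E2G / iniwin32.dll artifacts found.' } else { $findings }
```

Anything it still reports after the Avenger run and the .reg merge is a leftover to add to the next Avenger script or to the HijackThis pass.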
If you have any doubts, just mail us. Our team will find the solution and clarify it as soon as possible.
Regards,
S-TECHNOLOGIES team