Win32: Dropper-gen and BV: Agent-ANZ

Hi guys,

Toshiba Ultrabook was hanging. Booted with Avast Rescue USB and found 200 temp files and executables in temp folders infected with Win32: Dropper-gen, Win32: Evo-gen and BV: Agent-ANZ. Avast repaired the files.

Rebooted from the hard drive and can’t get past Win7 password so it looks like the machine has been hijacked.

I created a boot CD with OTLPENet and set the USB ODD as first boot drive in the Toshiba as it doesn’t have a built-in one but it won’t boot from the CD.
As it did boot from the Avast rescue USB, it looks like I need to go down the USB boot road. Is there a way to create a bootable USB with OTLPENet, or another recommended method to boot from USB, in order to run FRST?

Cheers.

https://rufus.akeo.ie/

Thanks Eddy. I used Rufus and the OTLPE ISO to create the bootable USB. The machine booted, but as the Win XP screen was loading it gave a BSOD STOP error 0x0000007B, so either it's a driver problem or the virus has its claws in the hard drive MBR? Any ideas?

What version of Windows do you have?

Windows 7 Home Premium (Toshiba OEM). The machine is a Toshiba Portege 830 Ultrabook with a 128GB SSD - maybe that caused the BSOD?

crapazilla,

Create the boot disk (USB) on a clean machine.

Is that 32 or 64 bit? I can give you the link for the recovery console and we could use that to run FRST.

I did do that Eddy but still got the BSOD.

I’m doing this for someone else so don’t know if it’s 32 or 64 bit as I can’t get past the Windows password screen.

OK, I will PM you the links for both 32 and 64 bit. Only the correct version will work.

Download the following three programs to your desktop:

1. Rufus

For 64-bit systems:
2. Windows 7 64-bit RC
3. Farbar Recovery Scan Tool x64

For 32-bit systems:
2. Windows 7 RC
3. Farbar Recovery Scan Tool

Insert the USB stick, then run Rufus.

https://dl.dropbox.com/u/73555776/rufus.JPG

Select the ISO file on the desktop via the ISO icon.

Press Start to burn.

https://dl.dropbox.com/u/73555776/RufusISO.JPG

Then copy FRST to the same USB.

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions here.

Windows 7 and Vista screenshots

When you reboot you will see this.
Click "Repair your computer".

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command Prompt.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

notepad and press Enter.
Notepad opens. Under the File menu select Open.
Select "Computer", find your flash drive letter and close Notepad.
In the command window type e:\frst64.exe or e:\frst.exe, dependent on system,
and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens, click Yes to the disclaimer.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
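The drive-letter lookup via Notepad and the choice between frst.exe and frst64.exe can be done in one step from the same recovery command prompt. The batch file below is an added example, not part of this thread or of FRST; it assumes the FRST executables sit in the root of the USB stick as described above and that the recovery console sets PROCESSOR_ARCHITECTURE to AMD64 on the 64-bit RC and x86 on the 32-bit RC.

```batch
@echo off
rem find_frst.cmd (hypothetical name): locate the flash drive holding FRST from the
rem recovery console and launch the build that matches the console's architecture.
rem Added example, not from the thread or from FRST itself.
setlocal

rem Assumption: the 64-bit RC reports AMD64, the 32-bit RC reports x86.
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" (
    set "FRST_EXE=frst64.exe"
) else (
    set "FRST_EXE=frst.exe"
)

rem Walk the drive letters and stop at the first root that holds the right FRST build.
set "FRST_DRIVE="
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if not defined FRST_DRIVE if exist "%%D:\%FRST_EXE%" set "FRST_DRIVE=%%D:"
)

if not defined FRST_DRIVE (
    echo %FRST_EXE% was not found on any drive. Copy it to the root of the USB stick and retry.
    exit /b 1
)

rem Run FRST from the stick so FRST.txt lands beside it, as the instructions expect.
echo Found %FRST_EXE% on %FRST_DRIVE% - starting it.
start "" /wait "%FRST_DRIVE%\%FRST_EXE%"
endlocal
```

Copy it next to frst.exe/frst64.exe on the stick and run it from the command prompt once the drive has been found once; if the wrong build is on the stick for this console, the script reports it instead of failing silently.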

Ok so I finally got it to work. Thanks so much for your help essexboy. Here is my frst log file.

Initially I will try to reset the registry; if that fails, I will then remove AVG and see if that helps.

Download the attached fixlist.txt to the same location as FRST.
Start FRST as before and press Fix.

On completion, try a normal boot.

That worked! Brilliant. Thanks essexboy. I installed, updated and ran MBAM - no problems found. I'll install MCShield and Avast and clean up the temp folders with OldTimer's Temp File Cleaner. Anything else I should install?

Are you able to tell me where the virus came from so I can tell the owner of the machine?

Also I’d like to contribute something for your time - what’s the best way to make a donation? Thanks a million for all the amazing work you guys are doing. For FREE!

Don’t forget to run the AVG uninstall tool to clear the remnants https://support.avg.com/supportArticleView?urlname=How-to-uninstall-AVG&l=en_US

Difficult to say where it came from as there was nothing left :)

I do not think the forum allows donations, but thanks anyway :)

Remove tools

Download and run Delfix.
Select the options as shown.

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Thanks again essexboy.
I decided to make a donation to farbar for his excellent FRST tool.

That is good :)