
05 Jun 2009, 06:37

The Avenger


The Avenger is a fully-scriptable, kernel-level Windows driver designed to
remove highly persistent files, registry keys/values, and other drivers
protected by entrenched malware.

Note: This is a very powerful program that requires some expertise to use.
If used improperly, this tool may make your system unbootable, so please
use it only when advised by the OS support staff of astalavista.



Where to get it?


The Avenger can be downloaded from its homepage.

How does it work?


You can think of The Avenger as a scripting engine.


1. You give The Avenger commands to execute (the script)
consisting of files to delete, registry keys to delete, drivers to
disable, and so on.

2. The Avenger reboots your computer (it is common for it to
reboot twice, as necessary) and executes those commands during the
reboot(s).


3. Afterwards, Windows restarts, and opens the log generated by The Avenger so you can see the results.


How to input a script?

There are multiple ways of doing it.

1. There is a text box in The Avenger where you can manually type the script syntax along with the names of the files or registry keys to delete or modify,

2. You can input a script from a file (plain text, ANSI encoded) using the toolbar button,

3. You can input a script from an Internet URL using the toolbar button, or

4. You can also paste a script directly from the clipboard using the toolbar button.


Normally we use the second and fourth options.

Note: The last three options may also be selected from the "Load Script" menu.

Rootkit Scanning:

The Avenger [version 2] has an option to scan for and disable rootkits
that are hidden from Windows. Check the "Scan for rootkits" box to
enable this feature. It is enabled by default.


You may also authorize Avenger to disable any rootkits found
automatically by checking "Automatically disable any rootkits found"
box.


It is recommended not to change the default settings; leave them as they are.



What happens if you click "Execute"?




1. Once you click on the "Execute" button after inputting a script, The Avenger starts to execute the script.


2. It will prompt for a reboot of the system. It performs the actions
during the reboot and then shows a log listing the actions it performed.


Here is a sample log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\SYSTEM32\TPSvc.dll" deleted successfully.
Completed script processing.

*******************
Finished!  Terminate.

3. Backups:

# The Avenger makes backups of all actions it takes, and saves those
backups in the folder C:\Avenger (if C: is your system drive).

# The most recent backup is called "backup.zip", and the rest are named by date and time of creation.


# Registry backups are contained within the zip archives and named
"backup.reg". They are in standard .REG file format, and can be
restored simply by double-clicking on them.

# The Avenger's log file is also contained within the zip archive,
named "avenger.txt". You may view the log from the most recent
execution of The Avenger by selecting Open Log File from the File menu.
This most recent log is stored at C:\avenger.txt (if C: is your system
drive), and is not deleted until the next time The Avenger executes
commands.

Note: The backups are
zipped and password-protected with password "infected", to prevent
accidental reinfection when viewing backups of live malware.

Thebossonline 05 Jun 2009, 06:49

Script Tutorial

Let us learn how to make a script.

A word of CAUTION:
I take no responsibility if you use this program wrongly. It is advised to post your problem in the OS support section dedicated for this purpose. The reason is that Avenger will delete main Windows files / folders / drivers / registry keys [if you type the script wrongly] which are necessary for running Windows. It may cause the system not to boot. Avenger makes a backup before deleting anything. But it is difficult to restore a key system file when Windows doesn't boot. Use this as a last option if unlocker, killbox etc. don't work.

Various Commands available:

# Files to delete
# Files to replace with dummy
# Files to move
# Folders to delete
# Registry keys to delete
# Registry keys to replace with dummy
# Registry values to delete
# Registry values to replace with dummy
# Programs to launch on reboot
# Drivers to delete
# Drivers to disable

1. Files to delete:

You can use this command to delete malicious files which could not be deleted by other means. This is probably the most typical use of The Avenger, and also some of its most reliable and powerful functionality.

After the "Files to delete:" line is read in a script, all successive lines will be interpreted as full paths of files for The Avenger to delete.

Note: you can also use environmental variables in file paths (%systemdrive%, %windir%, etc.).

Example:

Files to delete:
C:\WINDOWS\System32\example.dll
%windir%\bad.exe

2. Files to replace with dummy:

This command replaces the files listed with empty "dummy" files and backs up the originals.

Some malware configures itself to load at boot of the operating system. If you delete such a file, there is a good chance your system will crash at startup.

Example:

Files to replace with dummy:
C:\WINDOWS\System32\example.dll
%windir%\bad.exe

3. Files to move:

This command moves files from a source path to a destination path, backing up and then overwriting any existing destination files.

The source and destination paths should be separated by a pipe | symbol. Whitespace is ignored.

This command is very useful when you want to overwrite a malicious file with a legitimate one. For example, you might want to replace a virus-infected copy of an important Windows file with a clean copy from the Windows installation folder.

Example:

Files to move:
C:\WINDOWS\System32\example.dll | C:\renamed.dll
%windir%\bad.exe | %systemdrive%\bad.exe.bak

4. Folders to delete:

As the name indicates, this command deletes and backs up the folders listed.

The folders do not have to be empty. They can contain any number of files and subfolders, arbitrary levels deep, and will be backed up with their contents intact.

Example:

Folders to delete:
C:\WINDOWS\System32\examplefolder
%windir%\virus

5. Registry keys to delete:

This command deletes and backs up the registry keys listed.

The Avenger can only delete keys under the HKEY_LOCAL_MACHINE hive, because the other hives are not constructed at the point in the boot process when The Avenger executes.

The registry key paths must begin with either HKEY_LOCAL_MACHINE\ or HKLM\ for short.

Example:

Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}

Note: Do NOT use this command to delete driver keys in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. If a malicious driver is active, this could cause system deadlock. Use "Drivers to delete:" or "Drivers to disable:" instead.

6. Registry keys to replace with dummy:

This command replaces all values under the registry keys listed, recursively, with "dummy" values (null strings for string values and zeroes for numeric values), and backs up the originals.

This command is used when you don't want to delete a key because that would interfere with the boot process, the same as the "Files to replace with dummy:" option.

Example:

Registry keys to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BadKey
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BadKey

Note: The Avenger can only replace keys under the HKEY_LOCAL_MACHINE hive.


7. Registry values to delete:

This deletes and backs up the registry values listed. The registry value name should be separated from the parent key name by a pipe | symbol.

Example:

Registry values to delete:
HKEY_LOCAL_MACHINE\Software\SomeKey | BadValue
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | BadRunValue

Note: Registry key paths must begin with either HKEY_LOCAL_MACHINE\ or HKLM\ for short. The Avenger can only delete values under the HKEY_LOCAL_MACHINE hive.

8. Registry values to replace with dummy:

This command replaces the registry values listed with "dummy" values (null strings for string values and zeroes for numeric values) and backs up the originals.

The registry value name should be separated from the parent key name by a pipe | symbol. Everything else is the same as in the above commands.

In general this is more useful than the "Registry keys to replace with dummy:" command.

Example:

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\Software\SomeKey | BadValue
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | System

9. Programs to launch on reboot:


This directive queues the programs listed to run once at the next reboot.

This command is very useful when there is cleanup to do after running The Avenger, or further steps to be taken back in normal user-mode Windows, as part of a larger malware fix. This command allows The Avenger to be extended to execute user-mode code later in the boot process. It can be used to queue not only programs, but also batches and other ordinary scripts. In fact, it can be used to queue nearly any valid command-line expression.

You can also use this command to access the registry hives HKEY_USERS, HKEY_CLASSES_ROOT, and HKEY_CURRENT_USER. You can write a .REG file to make the desired registry modifications, and then queue this .REG file to execute on reboot. The .REG file will be executed later in the boot process, when the appropriate registry hives have been built.


Example:

Programs to launch on reboot:
C:\Documents and Settings\All users\Desktop\HijackThis.exe
%systemdrive%\ipconfig.bat
c:\license.reg
regedit.exe /s c:\example.reg

Note: In Windows Vista, any programs queued with "Programs to launch on reboot:" will automatically be granted elevated privileges.


10. Drivers to delete:

This command unloads and deletes the drivers listed. You can use this command to delete active malicious drivers present, including kernel- and boot-level drivers. This is probably the most important functionality in The Avenger, since few other programs can remove active malicious kernel drivers.

A driver should be listed for deletion by its "driver name" (also known as its "service name" for user-mode services/drivers), which may be different from its so-called "DisplayName" and its file name. The "driver name" is the name of the subkey under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Service names are also listed in the Windows services.msc console.

This command should ALWAYS be used instead of direct file or registry manipulation when a driver may be active. Removing a driver file or a key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services directly instead of using "Drivers to delete:" is very dangerous and can cause system deadlock.

Example:

Drivers to delete:
ServProv

Note: This command does not remove the associated driver files automatically. If you want to delete a driver file, you may use "Files to delete:" additionally, ONLY after using "Drivers to delete:" or "Drivers to disable:" first.

11. Drivers to disable:

This command unloads and disables the drivers listed.

This command does not remove drivers from the system. It simply unloads the drivers from active memory and sets their "Startup Type" (the "Start" DWORDs in the registry) to "Disabled" (value = 4). To remove drivers, use "Drivers to delete:".

Everything else is the same as in the "Drivers to delete:" command.

Example:

Drivers to disable:
ServProv

Note: A driver should be listed for disablement by its "driver name", rather than its so-called "DisplayName" or its file name.


Credits: Thanks to Swandog46, the author of this tool.

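As an added example (not part of the original post and not code from The Avenger itself), the Python script below lints an Avenger script against the rules stated in the tutorial above and in the "How does it work?" section: entries belong under a directive header, a "|" appears only where the directive takes a pair, registry paths carry the HKEY_LOCAL_MACHINE\ or HKLM\ prefix, driver keys under the Services key are not removed via "Registry keys to delete:", and drivers are named by service name rather than file path. The directive names are the page's own; the sample script and its mistakes are constructed, and the linter checks syntax only, not whether a path is safe to remove.

```python
import re
# Directive headers from the tutorial; True means entries are "left | right" pairs.
DIRECTIVES = {
    "Files to delete:": False,
    "Files to replace with dummy:": False,
    "Files to move:": True,
    "Folders to delete:": False,
    "Registry keys to delete:": False,
    "Registry keys to replace with dummy:": False,
    "Registry values to delete:": True,
    "Registry values to replace with dummy:": True,
    "Programs to launch on reboot:": False,
    "Drivers to delete:": False,
    "Drivers to disable:": False,
}
HKLM = re.compile(r"^(HKEY_LOCAL_MACHINE|HKLM)\\", re.IGNORECASE)
SERVICES = re.compile(r"^(HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM\\CurrentControlSet\\Services(\\|$)", re.IGNORECASE)

def lint_script(text):
    """Return [(line_no, message)] for entries that break the documented rules."""
    problems, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in DIRECTIVES:          # a header line switches the active section
            section = line
            continue
        if section is None:
            problems.append((no, "entry appears before any directive header"))
            continue
        parts = [p.strip() for p in line.split("|")]   # whitespace around '|' is ignored
        if len(parts) != (2 if DIRECTIVES[section] else 1):
            problems.append((no, f"'{section}' entries need {'exactly one' if DIRECTIVES[section] else 'no'} '|'"))
        if section.startswith("Registry"):
            if not HKLM.match(parts[0]):
                problems.append((no, "registry path must start with HKEY_LOCAL_MACHINE\\ or HKLM\\"))
            if section == "Registry keys to delete:" and SERVICES.match(parts[0]):
                problems.append((no, "driver key: use 'Drivers to delete:' or 'Drivers to disable:' instead"))
        if section.startswith("Drivers") and ("\\" in line or line.lower().endswith(".sys")):
            problems.append((no, "drivers are listed by service name, not by file path"))
    return problems

# Constructed sample script (hypothetical names) with three deliberate mistakes on lines 2, 4 and 6.
SAMPLE = """Registry keys to delete:
HKLM\\SYSTEM\\CurrentControlSet\\Services\\badsvc
Registry values to delete:
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | BadRunValue
Drivers to disable:
C:\\WINDOWS\\System32\\drivers\\badsvc.sys"""
```

Running lint_script(SAMPLE) reports the three offending lines; a clean script such as a "Files to delete:" section with %windir%\bad.exe returns an empty list.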
