37 replies to this topic

[LDTate]

Download Avenger by Swandog, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).
http://swandog46.gee...com/avenger.zip

Note: The Avenger must be run from a user account with administrator privileges,

and ONLY works on Windows 2000 and XP, and only on 32-bit versions!
If yours is a 64 bit version, do not use it, let me know.


Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK. Don't add the Quotes.

Click Format, and ensure Word Wrap is unchecked.

Copy and Paste all the text inside the box below into Notepad.

Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\System32\awtrqrs.dll
C:\WINDOWS\System32\mllif.dll
C:\WINDOWS\system32\fillm.ini2
C:\WINDOWS\system32\fillm.ini
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\ypkmvnnx.dll
C:\WINDOWS\system32\cumuepqb.dll
C:\WINDOWS\SYSTEM32\winkei32.dll
C:\TTC.dll
C:\WINDOWS\system32\mkacgjxn.dll
C:\WINDOWS\system32\tdghugph.dll
C:\WINDOWS\system32\gpfirrea.dll
C:\WINDOWS\system32\nldiqvuu.dll
C:\WINDOWS\system32\llqhdgkg.dll
C:\WINDOWS\system32\nhvfmpn.dll
C:\WINDOWS\system32\oajrwbh.dll
C:\WINDOWS\system32\rqrpqpn.dll
C:\WINDOWS\system32\vbrdhrb.dll
C:\WINDOWS\system32\ebysjkm.dll
C:\WINDOWS\system32\vturonl.dll
C:\WINDOWS\system32\bmgncde.dll
C:\WINDOWS\system32\wgjcvmrm.dll
C:\WINDOWS\system32\oplcghot.dll
C:\WINDOWS\system32\fillm.bak2
C:\WINDOWS\system32\drivera.exe
C:\WINDOWS\system32\monterreya_sc.exe<MONTER~1.EXE
C:\WINDOWS\system32\itgydwj.dll
C:\WINDOWS\system32\dlh9jkd1q8.exe<DLH9JK~1.EXE
C:\WINDOWS\TTC.exe
C:\WINDOWS\system32\grbqcdl.dll
C:\WINDOWS\system32\sporder.dll
C:\WINDOWS\TEMP\stdrun1.exe

Folders to delete:
C:\FOUND.006
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003
C:\FOUND.002

Start Avenger by double clicking on Avenger.exe.

Check Load script from file:

Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.

Double click it to enter it into Avenger.

Click the green traffic light symbol.

You will be asked if you want to execute the script, answer Yes.

At this point you may get prompts from your protection systems, allow them please.

Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.

Answer Yes, and allow your computer to re-boot.

Upon re-boot a command window will briefly appear on screen (this is normal).

A Notepad text file will be created C:\avenger.txt.

Copy and Paste it into your next post please, along with a new HJT log.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O2 - BHO: (no name) - {01D6DF35-DDE1-4FAF-A3C8-301D7ED0BFD5} - \
O2 - BHO: (no name) - {022C0918-8965-47FF-9663-19E9549244B3} - \
O2 - BHO: (no name) - {04677740-8D24-456B-93A8-9234494F38F7} - \
O2 - BHO: (no name) - {12FDBA36-508D-4DED-9B0F-5EBCB2D50C1F} - \
O2 - BHO: (no name) - {1425CB4C-BE1A-403F-932D-824626F64935} - \
O2 - BHO: 0 - {1A91C860-D382-4BE6-23BE-22E91B490054} - C:\Program Files\Outlook Express\rydimyz.dll (file missing)
O2 - BHO: (no name) - {37D267F2-72B3-4A9B-A32D-60F808A8BE71} - \
O2 - BHO: (no name) - {405AED7B-648B-CD31-D8D6-085EAEA5A579} - C:\WINDOWS\System32\nhvfmpn.dll
O2 - BHO: (no name) - {44216188-77A0-6189-F04B-03A6DA2AE438} - C:\WINDOWS\System32\vbrdhrb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: (no name) - {59CC9B03-6161-449A-9D3D-AA7EEB8E52B9} - \
O2 - BHO: (no name) - {5D8C3ED9-7346-41A1-B478-5F445D8B7394} - \
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\cumuepqb.dll
O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\System32\awtrqrs.dll
O2 - BHO: (no name) - {7F3F9FA9-9B2A-46F7-A3B3-0AC7AABC9AFD} - \
O2 - BHO: (no name) - {80F37839-8643-41E6-9195-6472AD8B14E1} - C:\WINDOWS\System32\mllif.dll
O2 - BHO: (no name) - {8DCA00D6-AFAF-45F9-BB65-ACF5CA9732D7} - \
O2 - BHO: (no name) - {9C2443C9-BA89-4044-9DF2-F4B4D184B59F} - \
O2 - BHO: 0 - {A9FB0FE5-537D-4A4C-CC9F-510370668740} - C:\Program Files\Outlook Express\rydimyz.dll (file missing)
O2 - BHO: (no name) - {C5FC8332-F8D3-4BEF-8C8E-15CD7E7467DF} - \
O2 - BHO: (no name) - {C708E199-1A40-48FC-A90F-16A07FEBA337} - \
O2 - BHO: (no name) - {D3A0E59E-DA6C-4ACD-8147-85AF711B4429} - \
O2 - BHO: (no name) - {D5328ED0-97FF-48FD-9EDA-309A16454E84} - \
O2 - BHO: (no name) - {DD21BA76-CBD6-4B8E-8F8D-9AA2BE59E58F} - \
O2 - BHO: (no name) - {DE1F4F0E-EA2C-45FF-9BEF-FFE9F4DF6EEB} - \
O2 - BHO: (no name) - {DE95B2DC-556A-4A71-8EAB-CC8E49CB3297} - \
O2 - BHO: (no name) - {E50EF314-66B7-4685-A64B-DA72105C34FE} - \
O2 - BHO: (no name) - {E8C0CC66-8438-4236-92CD-3811FC143767} - \
O20 - Winlogon Notify: awtrqrs - C:\WINDOWS\SYSTEM32\awtrqrs.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: mllif - C:\WINDOWS\System32\mllif.dll
O20 - Winlogon Notify: winkei32 - winkei32.dll (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Empty Recycle Bin


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

[haunt]

how can I tell if its 32 or 64 bits?

[LDTate]

how can I tell if its 32 or 64 bits?

You would know if you bought a 64 bit.

[haunt]

Made it! Here are the requested logs of HijackThis & avenger.txt

In the short time since I completed your last recommended actions, my computer appears to be running EXCELLENT! I even took a spin around some sites through Google searches where I knew I got mugged before, and didn't get jacked once. What a pleasure. Hope it stays this way


Logfile of HijackThis v1.99.1
Scan saved at 8:15:01 PM, on 2/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Home\Desktop\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://supportcenter...oad/tgctlsr.cab
O16 - DPF: {010123DF-5E80-11D8-9E86-0007E96C65AE} (SprtCtlBrowse Class) - http://supportcenter...d/sprtctlbr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1171219238547
O20 - Winlogon Notify: awtrqrs - awtrqrs.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\joberuri

*******************

Script file located at: \??\C:\Program Files\tyhdalcw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\awtrqrs.dll deleted successfully.
File C:\WINDOWS\System32\mllif.dll deleted successfully.
File C:\WINDOWS\system32\fillm.ini2 deleted successfully.
File C:\WINDOWS\system32\fillm.ini deleted successfully.
File C:\WINDOWS\system32\tmp.reg deleted successfully.
File C:\WINDOWS\system32\ypkmvnnx.dll deleted successfully.
File C:\WINDOWS\system32\cumuepqb.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\winkei32.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\winkei32.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\winkei32.dll
Status: 0xc0000034

File C:\TTC.dll deleted successfully.
File C:\WINDOWS\system32\mkacgjxn.dll deleted successfully.
File C:\WINDOWS\system32\tdghugph.dll deleted successfully.
File C:\WINDOWS\system32\gpfirrea.dll deleted successfully.
File C:\WINDOWS\system32\nldiqvuu.dll deleted successfully.
File C:\WINDOWS\system32\llqhdgkg.dll deleted successfully.
File C:\WINDOWS\system32\nhvfmpn.dll deleted successfully.
File C:\WINDOWS\system32\oajrwbh.dll deleted successfully.
File C:\WINDOWS\system32\rqrpqpn.dll deleted successfully.
File C:\WINDOWS\system32\vbrdhrb.dll deleted successfully.
File C:\WINDOWS\system32\ebysjkm.dll deleted successfully.
File C:\WINDOWS\system32\vturonl.dll deleted successfully.
File C:\WINDOWS\system32\bmgncde.dll deleted successfully.
File C:\WINDOWS\system32\wgjcvmrm.dll deleted successfully.
File C:\WINDOWS\system32\oplcghot.dll deleted successfully.
File C:\WINDOWS\system32\fillm.bak2 deleted successfully.
File C:\WINDOWS\system32\drivera.exe deleted successfully.


Could not open file C:\WINDOWS\system32\monterreya_sc.exe<MONTER~1.EXE for deletion
Deletion of file C:\WINDOWS\system32\monterreya_sc.exe<MONTER~1.EXE failed!

Could not process line:
C:\WINDOWS\system32\monterreya_sc.exe<MONTER~1.EXE
Status: 0xc0000033

File C:\WINDOWS\system32\itgydwj.dll deleted successfully.


Could not open file C:\WINDOWS\system32\dlh9jkd1q8.exe<DLH9JK~1.EXE for deletion
Deletion of file C:\WINDOWS\system32\dlh9jkd1q8.exe<DLH9JK~1.EXE failed!

Could not process line:
C:\WINDOWS\system32\dlh9jkd1q8.exe<DLH9JK~1.EXE
Status: 0xc0000033

File C:\WINDOWS\TTC.exe deleted successfully.
File C:\WINDOWS\system32\grbqcdl.dll deleted successfully.
File C:\WINDOWS\system32\sporder.dll deleted successfully.


File C:\WINDOWS\TEMP\stdrun1.exe not found!
Deletion of file C:\WINDOWS\TEMP\stdrun1.exe failed!

Could not process line:
C:\WINDOWS\TEMP\stdrun1.exe
Status: 0xc0000034

Folder C:\FOUND.006 deleted successfully.
Folder C:\FOUND.005 deleted successfully.
Folder C:\FOUND.004 deleted successfully.
Folder C:\FOUND.003 deleted successfully.
Folder C:\FOUND.002 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[LDTate]

You had some hidden bad guys there. You can kill this dead one with HJT O20 - Winlogon Notify: awtrqrs - awtrqrs.dll (file missing) Glad it's working now. I'll leave this log open until tommorow

[haunt]

AWSOME. Thank you for your help.

[LDTate]

lets be sure to do this again:

You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

[LDTate]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php