Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop
2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to delete:
C:\WINDOWS\ua2.dll
C:\WINDOWS\system32\bdod.bin
C:\WINDOWS\system32\xxywtsp.dll C:\WINDOWS\system32\xxywvst.dll C:\WINDOWS\system32\gebxwtu.dll C:\WINDOWS\system32\cbxwtsr.dll C:\WINDOWS\system32\byxvuts.dll
C:\WINDOWS\system32\urqomnn.dll
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\byxvuts.dll
C:\WINDOWS\system32\lwienlra.dll
C:\WINDOWS\system32\wlurfmoe.dll
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\tsqdkkia.dll
C:\WINDOWS\system32\lsasss.exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode
Download and install AVG Anti-Spyware We will need this later in safe mode
Be sure to update AVG Anti- Spyware
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wlurfmoe.dll
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\byxvuts.dll
O2 - BHO: (no name) - {787DD02E-FCB4-4C39-AA6B-63AEA9A6FC9E} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {7A331278-8D57-4BC9-99DB-C551B3298C74} - C:\WINDOWS\system32\lwienlra.dll (file missing)
O2 - BHO: (no name) - {EC8356C4-10DE-4F6C-B40B-7A7740DAF1A1} - C:\WINDOWS\system32\gebyv.dll
O2 - BHO: (no name) - {FDBE9012-63B8-4ACA-9886-4296964A9BD6} - C:\WINDOWS\system32\tsqdkkia.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O20 - Winlogon Notify: byxvuts - C:\WINDOWS\SYSTEM32\byxvuts.dll
O20 - Winlogon Notify: cbxwtsr - C:\WINDOWS\SYSTEM32\cbxwtsr.dll
O20 - Winlogon Notify: gebxwtu - C:\WINDOWS\SYSTEM32\gebxwtu.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll
O20 - Winlogon Notify: gebywuv - gebywuv.dll (file missing)
O20 - Winlogon Notify: jkkiifc - jkkiifc.dll (file missing)
O20 - Winlogon Notify: nnnnnli - nnnnnli.dll (file missing)
O20 - Winlogon Notify: opnoppq - opnoppq.dll (file missing)
O20 - Winlogon Notify: qommkjk - qommkjk.dll (file missing)
O20 - Winlogon Notify: rqronnn - rqronnn.dll (file missing)
O20 - Winlogon Notify: ssqrqnl - ssqrqnl.dll (file missing)
O20 - Winlogon Notify: tuvsrrq - tuvsrrq.dll (file missing)
O20 - Winlogon Notify: urqomnn - C:\WINDOWS\SYSTEM32\urqomnn.dll
O20 - Winlogon Notify: urqpolk - urqpolk.dll (file missing)
O20 - Winlogon Notify: vtuuvut - vtuuvut.dll (file missing)
O20 - Winlogon Notify: wvuurpm - wvuurpm.dll (file missing)
O20 - Winlogon Notify: xxywtsp - C:\WINDOWS\SYSTEM32\xxywtsp.dll
O20 - Winlogon Notify: xxywvst - C:\WINDOWS\SYSTEM32\xxywvst.dll
Exit Hijack This but remain in safe mode.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Post thr AVG report, a new combofix log and a new Hijack This log please.
