Start Up Missing File

rationalthinking

New Member
When I start up, I get a prompt saying I am missing this file.

C:/WINDOWS/system32/efbxrnay.dll


Any help on what this file is and what it is used for?

How can I get it back?
 
Can you think of a program you installed right before it started? It sounds like a file from an installed program that is starting up with Windows.
 
No, I just meant a program that you installed before it started getting the error, that's starting up with Windows, could have a corrupted file that's causing it. You would just have to uninstall that one program and reinstall it.
 
Yes, think about it, as it all points to some malware. Also, I've done some research on your problem and found that the RUNDLL error in most cases wants to get some 'unknown' file, so some btdeayne.eye is needed somewhere on the forum...
and so on and so on. If you can't think of such a program (as StrangleHold told you), then be sure to post your HijackThis log.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:05 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jake\My Documents\Unzipped\cpu-z-143\cpuz.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {21dd55ee-de5c-cc09-e964-274894611702} - {20711649-8472-469e-90cc-c5edee55dd12} - C:\WINDOWS\system32\jyhsfdpc.dll (file missing)
O2 - BHO: (no name) - {2B324AD5-3B09-417A-888D-0A0568D7A73D} - C:\WINDOWS\system32\vtsqn.dll (file missing)
O2 - BHO: (no name) - {3E81A9D2-447B-4E36-B6AE-06337B9A57EB} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59AF0001-5641-4A95-9D2C-88BE7EAA0D08} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [mpbqirz] C:\WINDOWS\system32\mpbqirz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [a0533eb2] rundll32.exe "C:\WINDOWS\system32\efbxrnay.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O20 - Winlogon Notify: awtqoml - awtqoml.dll (file missing)
O20 - Winlogon Notify: awtqopo - awtqopo.dll (file missing)
O20 - Winlogon Notify: awtuttq - awtuttq.dll (file missing)
O20 - Winlogon Notify: byxuvwt - byxuvwt.dll (file missing)
O20 - Winlogon Notify: gebbbcd - gebbbcd.dll (file missing)
O20 - Winlogon Notify: mljgdbb - mljgdbb.dll (file missing)
O20 - Winlogon Notify: mljkllj - mljkllj.dll (file missing)
O20 - Winlogon Notify: pmnmjjj - pmnmjjj.dll (file missing)
O20 - Winlogon Notify: qomlihf - qomlihf.dll (file missing)
O20 - Winlogon Notify: tuvuvvw - tuvuvvw.dll (file missing)
O20 - Winlogon Notify: urqrpqp - urqrpqp.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O20 - Winlogon Notify: vtustrp - vtustrp.dll (file missing)
O20 - Winlogon Notify: yayxyxv - yayxyxv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - http://myspace-419.vo.llnwd.net/00488/91/40/488510419_l.jpg

--
End of file - 7754 bytes
 
I salute you, man... it's been some time since I last saw so many infections.
Don't mean to discourage ya, but... OK, here it goes. Before I start curing you, I must ask you: did you and ceewi finish the topic? Did he help you until the end? So you got these fresh infections after he helped you? Anyway, he may even come here and interrupt me, and you should hope he does :P
Please download Process Explorer by Sysinternals from here.

Also download KillBox by Option^Explicit from here.


Then boot up in Safe mode.
The rest of this fix must be done in safe mode.


Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of <bad file from O2 and O20>
  • jyhsfdpc.dll
  • vtsqn.dll
  • pmkhg.dll
  • mljgf.dll
  • awtqoml.dll
  • awtqopo.dll
  • awtuttq.dll
  • byxuvwt.dll
  • gebbbcd.dll
  • mljgdbb.dll
  • mljkllj.dll
  • pmnmjjj.dll
  • qomlihf.dll
  • tuvuvvw.dll
  • urqrpqp.dll
  • vtstr.dll
  • vtustrp.dll
  • yayxyxv.dll
once and then click the kill button.

After you have killed all of the <bad file from O2 and O20> under winlogon click OK.

Also look for any .ini or .bak files or other DLLs with either the same name or the file name in reverse, and kill them as well.

Example:

<bad filename from O2 and O20>.bak
<bad filename from O2 and O20>.ini
<bad filename from O2 and O20>.reg etc

or

<bad filename(reversed) from O2 and O20>.dll
<bad filename(reversed) from O2 and O20>.bak
<bad filename(reversed) from O2 and O20>.ini etc

Next double click on explorer.exe and again click once on each instance of <bad file from O2 and O20> then click the kill button.

Also look for any .ini or .bak files or reverse named DLLs with either the same name or the file name in reverse, and kill them as well. See above for examples.

Click on the Threads tab at the top.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.

O2 - BHO: (no name) - {2B324AD5-3B09-417A-888D-0A0568D7A73D} - C:\WINDOWS\system32\vtsqn.dll (file missing)
O2 - BHO: (no name) - {3E81A9D2-447B-4E36-B6AE-06337B9A57EB} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {59AF0001-5641-4A95-9D2C-88BE7EAA0D08} - C:\WINDOWS\system32\mljgf.dll (file missing)
O20 - Winlogon Notify: awtqoml - awtqoml.dll (file missing)
O20 - Winlogon Notify: awtqopo - awtqopo.dll (file missing)
O20 - Winlogon Notify: awtuttq - awtuttq.dll (file missing)
O20 - Winlogon Notify: byxuvwt - byxuvwt.dll (file missing)
O20 - Winlogon Notify: gebbbcd - gebbbcd.dll (file missing)
O20 - Winlogon Notify: mljgdbb - mljgdbb.dll (file missing)
O20 - Winlogon Notify: mljkllj - mljkllj.dll (file missing)
O20 - Winlogon Notify: pmnmjjj - pmnmjjj.dll (file missing)
O20 - Winlogon Notify: qomlihf - qomlihf.dll (file missing)
O20 - Winlogon Notify: tuvuvvw - tuvuvvw.dll (file missing)
O20 - Winlogon Notify: urqrpqp - urqrpqp.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O20 - Winlogon Notify: vtustrp - vtustrp.dll (file missing)
O20 - Winlogon Notify: yayxyxv - yayxyxv.dll (file missing)


Now click fix checked and close HijackThis.

Please copy the text in BOLD below, and paste it into a blank notepad window.
Save it as vundo.reg and in the save as type box choose all files.

Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

Double click on Killbox.exe and check the Delete on Reboot button.

Enter the following filepath and filename into the "Full path of file to delete" box:

C:\WINDOWS\system32\vtsqn.dll
C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\mljgf.dll


Click the red and white "Delete File" button.
Click "Yes" at the first prompt.
Click "No" at the second.

Repeat those same steps for any of the same named or reversed named .bak, .ini, .reg, etc. files you may have found earlier.

Once you have entered in all the files, reboot.

After your computer has rebooted please run HijackThis and post a new log.

OK, this should get rid of the nasties. Please keep in mind a few things:
1. I am a newbie at cleaning malware, especially this sort,
2. some of the files I put there to find may not be there, meaning they are clean. But some of them will be there, so be sure to at least try what was prompted.
I wish you good luck!
 
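An added example, not part of any post in this thread: a Python sketch of the log triage done by eye in the reply above, listing the HijackThis entries that reference a file no longer on disk and the Run entries that load a DLL through rundll32. The sample lines are copied from the log posted earlier; `triage` and the regular expressions are this example's own names, not part of HijackThis.

```python
import ntpath
import re

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B324AD5-3B09-417A-888D-0A0568D7A73D} - C:\WINDOWS\system32\vtsqn.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [a0533eb2] rundll32.exe "C:\WINDOWS\system32\efbxrnay.dll",b
O20 - Winlogon Notify: awtqoml - awtqoml.dll (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+) - (.*)$")
# Last whitespace-free token before the marker; enough to recover the file name.
MISSING_RE = re.compile(r"(\S+\.(?:dll|exe|sys)) \(file missing\)$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)


def triage(log_text, prompt_path=None):
    """Return (section, file name, reason) for entries worth a closer look."""
    prompt = ntpath.basename(prompt_path).lower() if prompt_path else None
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # header, process list or blank line
        section, body = entry.groups()
        missing = MISSING_RE.search(body)
        rundll = RUNDLL_RE.search(body) if section == "O4" else None
        if missing:
            name, reason = missing.group(1), "registry entry points at a missing file"
        elif rundll:
            name, reason = rundll.group(1), "autorun loads a DLL through rundll32"
        else:
            continue
        name = ntpath.basename(name).lower()
        if name == prompt:
            reason += " (file named in the startup prompt)"
        findings.append((section, name, reason))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "C:/WINDOWS/system32/efbxrnay.dll"):
        print(finding)
```

The Kodak service line is reported too, because the check only looks for the "(file missing)" marker; each hit still needs a person to judge it.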