Hi Jamboy,
On top of the rogue, you have a major Vundo infection. The best thing to do is hit it hard.
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe).
- Save it to your desktop. Do not run it yet, we will use it in a minute.
.
Open HijackThis, do a system scan only, and checkmark these lines, if present:
R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: (no name) - {33d1f2d1-1d2e-49a0-b6e7-5ea771a9330b} - C:\WINDOWS\system32\huwifibe.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {e2ba40a2-74f3-42bd-f434-2604812c8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O4 - HKLM\..\Run: [b4b9edb1] rundll32.exe "C:\WINDOWS\system32\sinehotu.dll",b
O4 - HKLM\..\Run: [CPMb78ade2d] Rundll32.exe "c:\windows\system32\dubuwemo.dll",a
O4 - HKLM\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s
O4 - HKLM\..\Run: [Awowuxofumut] rundll32.exe "C:\WINDOWS\Mgokiyin.dat",e
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\i4u4io2fhn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\i4u4io2fhn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1267477596.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--0ac8a2ed-27e6-4c7d-b84e-94fc4c446ae2/online/bejeweled_2/en/popcaploader_v10.cab
O20 - AppInit_DLLs: c:\windows\system32\dumepiwo.dll c:\windows\system32\dubuwemo.dll,C:\WINDOWS\system32\hesanebo.dll c:\windows\system32\bimefili.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll
O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
Close ALL other windows/browsers and click Fix Checked. Answer Yes if prompted. Close HJT.
.
Next, it is important to allow this tool to reboot your computer when prompted.
- Please double-click OTMoveIt3.exe to run it.
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Do not copy the word QUOTE; note that the fix starts with the :
:Processes
explorer.exe
3538055374.exe
:Services
:Reg
:Files
C:\WINDOWS\system32\huwifibe.dll
C:\WINDOWS\system32\sdfgerfgf3f.dll
C:\WINDOWS\system32\sinehotu.dll
c:\windows\system32\dubuwemo.dll
C:\WINDOWS\system32\yayosiyi.dll
C:\WINDOWS\Mgokiyin.dat
C:\WINDOWS\TEMP\i4u4io2fhn.exe
C:\WINDOWS\TEMP\1267477596.exe
C:\WINDOWS\system32\hesanebo.dll
c:\windows\system32\bimefili.dll
:Commands
[Purity]
[emptytemp]
[start explorer]
[Reboot]
- Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
.
Next
It is vitally important that ComboFix is renamed before the download is even started.
Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to "Always ask me where to Save the files".
- During the download, rename Combofix to Combo-Fix as follows:
(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif)
(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif)
- It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.**
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
Please post back with:
- OTMoveIt3 log
- ComboFix log
- new HJT log taken after all other steps are done.
How's the computer?
Thanks
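The HijackThis lines in the post above each name a specific persistence point, and the OTMoveIt3 :Files list is assembled from the file paths those lines reference (HijackThis's Fix Checked only removes the registry entries; the DLLs and executables stay on disk until something moves them, which is why the second tool follows). The script below is an added example and not code from the post, from HijackThis or from OTMoveIt3's author: it parses HJT-style lines, records which ones HJT marked as orphaned with "(no file)" or "(file missing)", dedupes the referenced paths case-insensitively, and emits a script in the layout the post uses. The sample lines are copied from the log quoted above; the descriptions in HJT_SECTIONS are this example's own annotations, not HJT output.

```python
import re
from dataclasses import dataclass, field

# What each HijackThis section code denotes, for the codes that appear in the
# post above (annotations added in this example, not HJT output).
HJT_SECTIONS = {
    "R3": "URLSearchHook (IE search hook)",
    "O2": "Browser Helper Object (DLL loaded into Internet Explorer)",
    "O4": "Run key autostart (HKLM/HKCU/HKUS)",
    "O7": "Policies restriction (e.g. DisableRegedit=1)",
    "O16": "DPF (ActiveX download, no local file to move)",
    "O20": "AppInit_DLLs (DLL loaded into every process that loads user32.dll)",
    "O21": "ShellServiceObjectDelayLoad (DLL loaded by explorer.exe)",
    "O22": "SharedTaskScheduler (DLL loaded by explorer.exe)",
}

# Quoted drive paths first (they may contain spaces), then bare paths that end
# at whitespace, a comma or a quote.
_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,"]+)')
_ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)

# Constructed sample: a subset of the HJT lines quoted in the post above.
SAMPLE_HJT = r'''
R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: (no name) - {33d1f2d1-1d2e-49a0-b6e7-5ea771a9330b} - C:\WINDOWS\system32\huwifibe.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {e2ba40a2-74f3-42bd-f434-2604812c8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O4 - HKLM\..\Run: [b4b9edb1] rundll32.exe "C:\WINDOWS\system32\sinehotu.dll",b
O4 - HKLM\..\Run: [CPMb78ade2d] Rundll32.exe "c:\windows\system32\dubuwemo.dll",a
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1267477596.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: c:\windows\system32\dumepiwo.dll c:\windows\system32\dubuwemo.dll,C:\WINDOWS\system32\hesanebo.dll c:\windows\system32\bimefili.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll
'''


@dataclass
class HjtEntry:
    code: str        # section code, e.g. "O4"
    text: str        # the log line as HJT printed it
    orphaned: bool   # HJT reported "(no file)" or "(file missing)"
    paths: list = field(default_factory=list)  # drive paths referenced by the line

    @property
    def mechanism(self) -> str:
        return HJT_SECTIONS.get(self.code, "unrecognised section")


def parse_hjt(log: str) -> list:
    """Turn HJT log lines into HjtEntry records; lines that are not entries are ignored."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Z]\d+)\s+-\s+", line)
        if not m:
            continue
        paths = [quoted or bare for quoted, bare in _PATH_RE.findall(line)]
        entries.append(HjtEntry(m.group(1), line, bool(_ORPHAN_RE.search(line)), paths))
    return entries


def move_list(entries) -> list:
    """Unique file targets across all entries. Windows paths compare case-insensitively
    and the first spelling seen is kept. Orphaned entries keep their path too, as the
    post does: a path that is already gone is simply reported by the mover."""
    seen = {}
    for e in entries:
        for p in e.paths:
            seen.setdefault(p.lower(), p)
    return list(seen.values())


def build_otmoveit_script(entries, kill_processes=("explorer.exe",)) -> str:
    """Lay out the :Processes/:Files/:Commands script in the shape used in the post.
    explorer.exe is killed first because the O21/O22 DLLs are loaded inside it; the
    reboot is what finally unloads the AppInit_DLLs from every other process."""
    lines = [":Processes", *kill_processes,
             ":Files", *move_list(entries),
             ":Commands", "[emptytemp]", "[start explorer]", "[Reboot]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    for e in entries:
        flag = "registry-only" if not e.paths else ("orphaned" if e.orphaned else "live")
        print(f"{e.code:<4}{flag:<14}{e.mechanism}")
    print(build_otmoveit_script(entries))
```

Registry-only entries (the R3 hook and the O7 policy) produce nothing for the :Files section; they are handled entirely by Fix Checked. The O20 line is the one to read most carefully: a DLL listed in AppInit_DLLs is mapped into every user-mode process, so it cannot be deleted while the system is up, and the fix only completes on the reboot the post insists on.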
Hi Jamboy,
old timer
OldTimer creates the tools, I just get to play with them. ;)
Some more to remove with OTListIt2.
.
Next, double-click on OTListIt2.exe. Under the Custom Scans/Fixes box at the bottom, paste in the following:
- Do not copy the word CODE.
- Please note that the fix starts with the :
:OTLI
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
[1 C:\WINDOWS\*.tmp files]
:Services
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [] File not found
O4 - HKCU..\Run: [Aim6] File not found
:Reg
:Files
C:\WINDOWS\System32\osusoley.ini
C:\WINDOWS\System32\ovalejat.ini
C:\WINDOWS\System32\ewotevuz.ini
C:\WINDOWS\System32\ihuwulod.ini
C:\WINDOWS\System32\otekifol.ini
C:\WINDOWS\System32\omunajid.ini
C:\WINDOWS\System32\unihuvov.ini
C:\WINDOWS\System32\aredufak.ini
C:\WINDOWS\System32\ayuzilas.ini
C:\WINDOWS\System32\nanehutu.dll
C:\WINDOWS\System32\osakohiv.ini
C:\WINDOWS\System32\elavasak.ini
C:\WINDOWS\System32\odetevej.ini
C:\WINDOWS\System32\apuwowek.ini
C:\WINDOWS\imsins.BAK
C:\WINDOWS\System32\utobakoh.ini
:Commands
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top
- Let the program run unhindered
- Please save the resulting log to be posted in your next reply.
.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.**
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
.
Please post back with:
- OTListIt2 log
- ComboFix log
- new HJT log taken last
Thanks
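Every .dll and .ini in the two fix scripts above, apart from sdfgerfgf3f.dll, has the same shape of name: eight lowercase letters with vowels and consonants strictly alternating (huwifibe, dubuwemo, osusoley, nanehutu and so on). That shape is a usable triage signal when scanning a System32 listing for more of the same family, but it is only a signal. The helper below is an added example, written for this thread and not code from the posts or from OTListIt2; the pattern is an observation taken from the names above, not a rule either tool applies, and the listing it runs over is constructed. It also shows why a known-good list is mandatory before anything goes into a :Files section: the legitimate userinit.exe fits the shape exactly.

```python
import re
from pathlib import PureWindowsPath

# Eight lowercase letters, vowel and consonant strictly alternating, starting
# with either (y counted as a consonant). Observed from the names in this thread.
_V = "[aeiou]"
_C = "[b-df-hj-np-tv-z]"
_ALTERNATING_8 = re.compile(rf"^(?:{_V}{_C}){{4}}$|^(?:{_C}{_V}){{4}}$")

# Extensions that occur in the two fix scripts above; anything else is ignored.
SUSPECT_EXTS = {".dll", ".ini", ".exe", ".dat"}

# Constructed listing: names from the two posts mixed with legitimate XP files.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\huwifibe.dll",
    r"C:\WINDOWS\system32\dubuwemo.dll",
    r"C:\WINDOWS\System32\osusoley.ini",
    r"C:\WINDOWS\System32\nanehutu.dll",
    r"C:\WINDOWS\Mgokiyin.dat",            # from the post, but "mg" breaks the alternation
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\userinit.exe",   # legitimate, yet u-s-e-r-i-n-i-t fits the shape
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\win.ini",
]


def looks_generated(path: str) -> bool:
    """True when the file name (without extension) fits the eight-letter alternating shape."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in SUSPECT_EXTS and bool(_ALTERNATING_8.match(p.stem.lower()))


def triage(listing, known_good=frozenset()) -> list:
    """Candidates for a closer look: the shape matches and the file name is not allow-listed.
    known_good holds lower-case file names with extension, e.g. {"userinit.exe"}."""
    return [f for f in listing
            if looks_generated(f) and PureWindowsPath(f).name.lower() not in known_good]


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING, known_good={"userinit.exe"}):
        print("review:", f)
```

Without the allow-list, userinit.exe is flagged alongside the four Vundo-style names, and moving it would break interactive logon. The heuristic also misses Mgokiyin.dat and the numeric TEMP executables from the first script, so it supplements the HijackThis and OTListIt2 output rather than replacing it.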