Please Help My Baby (64 Bit System)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Brinks3015, Dec 7, 2008.

  1. Brinks3015

    Brinks3015 Private E-2

    Hello and thank you in advance for any help that can be provided.

    Approximately a week ago I was surfing the net looking for a desktop wallpaper when I got one of those bogus alerts that stated I had a virus on my computer and to download the fix. I closed everything out, noting that my BitDefender antivirus appeared to be running just fine, and I restarted my computer. Since then on startup I sometimes get the following error: Error loading C:\Windows\system32\mubohome.dll, or a few other variations of that error. My internet browser also automatically opens a new window to ads while surfing the net, and I sometimes get the same bogus virus alert.

    My baby is sick and I cannot seem to figure out how to clean out this problem. Attached are the logs from the Read & Run post which I followed the best I could. The ComboFix log is not included and the MGtools log is incomplete because I have a 64 bit system and could not get those two programs to work well.

    Thanks again for your much appreciated help,
    Richard
     
  2. Brinks3015

    Brinks3015 Private E-2

    Logs
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Congrats! You may be the first x64 user that actually came here with real malware problems to remove. How did you manage to get yourself so badly infected? Did you have protection software in place before this happened?


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {e989d1d3-3cee-4797-8ba6-2e5fa4f6f8af} - C:\Windows\SysWow64\gazizisa.dll
    O4 - HKLM\..\Run: [kusiyovaja] Rundll32.exe "C:\Windows\system32\mubohome.dll",s
    O20 - AppInit_DLLs: c:\windows\system32\funugipi.dll c:\windows\system32\rimomuzo.dll c:\windows\system32\yalepefo.dll c:\windows\system32\valalafo.dll c:\windows\system32\legadaza.dll C:\Windows\SysWow64\kusitozo.dll C:\Windows\system32\doguvuvo.dll C:\Windows\SysWow64\petonuho.dll c:\windows\system32\pusekudu.dll C:\Windows\system32\poruzowo.dll C:\Windows\system32\pivumuwe.dll C:\Windows\SysWow64\womezila.dll C:\Windows\system32\juposeno.dll C:\Windows\SysWow64\gazizisa.dll c:\windows\system32\fubatuzo.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now reboot into safe mode and look for all the below files and delete them if found. Let me know the results:
    C:\Windows\SysWow64\gazizisa.dll
    C:\Windows\SysWow64\kusitozo.dll
    C:\Windows\SysWow64\petonuho.dll
    C:\Windows\SysWow64\womezila.dll
    c:\windows\system32\funugipi.dll
    c:\windows\system32\rimomuzo.dll
    C:\windows\system32\yalepefo.dll
    c:\windows\system32\valalafo.dll
    c:\windows\system32\legadaza.dll
    C:\Windows\system32\doguvuvo.dll
    C:\Windows\system32\mubohome.dll
    c:\windows\system32\pusekudu.dll
    C:\Windows\system32\poruzowo.dll
    C:\Windows\system32\pivumuwe.dll
    C:\Windows\system32\juposeno.dll
    c:\windows\system32\fubatuzo.dll

    Then reboot into normal boot mode
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
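The fix above is built by hand: read the HijackThis O2 (BHO), O4 (Run key) and O20 (AppInit_DLLs) lines, pull out every DLL they point at, de-duplicate, and turn that into the list of files to delete. The script below does the same extraction and is an added example, not code from the post or from MajorGeeks' tools. The sample lines are the ones quoted in this post, embedded as constructed input. The "eight lowercase letters plus .dll in system32 or SysWow64" filter is an assumption drawn only from the names seen in this thread, not a general rule; anything that fails it is put in a review list rather than dropped.

```python
import re

# Constructed sample: the HijackThis lines quoted in the post above.
# O2 = Browser Helper Object, O4 = Run key, O20 = AppInit_DLLs.
POST3_LINES = [
    r'O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)',
    r'O2 - BHO: (no name) - {e989d1d3-3cee-4797-8ba6-2e5fa4f6f8af} - C:\Windows\SysWow64\gazizisa.dll',
    r'O4 - HKLM\..\Run: [kusiyovaja] Rundll32.exe "C:\Windows\system32\mubohome.dll",s',
    r'O20 - AppInit_DLLs: c:\windows\system32\funugipi.dll c:\windows\system32\rimomuzo.dll '
    r'c:\windows\system32\yalepefo.dll c:\windows\system32\valalafo.dll c:\windows\system32\legadaza.dll '
    r'C:\Windows\SysWow64\kusitozo.dll C:\Windows\system32\doguvuvo.dll C:\Windows\SysWow64\petonuho.dll '
    r'c:\windows\system32\pusekudu.dll C:\Windows\system32\poruzowo.dll C:\Windows\system32\pivumuwe.dll '
    r'C:\Windows\SysWow64\womezila.dll C:\Windows\system32\juposeno.dll C:\Windows\SysWow64\gazizisa.dll '
    r'c:\windows\system32\fubatuzo.dll',
]

# Constructed sample: the lines quoted two posts later, after the names had changed.
POST5_LINES = [
    r'O2 - BHO: (no name) - {e989d1d3-3cee-4797-8ba6-2e5fa4f6f8af} - C:\Windows\SysWow64\navavaze.dll',
    r'O4 - HKLM\..\Run: [kusiyovaja] Rundll32.exe "C:\Windows\system32\dikemude.dll",s',
    r'O4 - HKUS\S-1-5-21-1016019758-1941530761-1336395221-1001\..\Run: [QuickTime Task] '
    r'"C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime (User ' "'Jennifer')",
    r'O4 - HKUS\S-1-5-21-1016019758-1941530761-1336395221-1001\..\Run: [CPMcfec93fe] '
    r'Rundll32.exe "c:\windows\system32\fubatuzo.dll",a (User ' "'Jennifer')",
    r'O4 - HKUS\S-1-5-21-1016019758-1941530761-1336395221-1001\..\Run: [kusiyovaja] '
    r'Rundll32.exe "C:\Windows\system32\dikemude.dll",s (User ' "'Jennifer')",
    r'O20 - AppInit_DLLs: C:\Windows\SysWow64\navavaze.dll',
]

QUOTED = re.compile(r'"([^"]+)"')
BARE = re.compile(r'[A-Za-z]:\\[^\s",]+\.(?:dll|exe)', re.IGNORECASE)
# Assumption drawn from this thread's names only: eight lowercase letters + .dll
# living in system32 or SysWow64. Real triage needs more than a name pattern.
RANDOM_SYSTEM_DLL = re.compile(r'^[a-z]{8}\.dll$')
SYSTEM_DIRS = ('\\windows\\system32\\', '\\windows\\syswow64\\')


def paths_from_line(line):
    """Return every file path an HJT O2/O4/O20 line points at."""
    kind = line.split(' - ', 1)[0].strip()
    if kind == 'O20':
        # AppInit_DLLs is a single value holding a space- or comma-separated list.
        _, _, value = line.partition('AppInit_DLLs:')
        return [p for p in re.split(r'[\s,]+', value.strip()) if p]
    found = QUOTED.findall(line)                 # quoted paths may contain spaces
    found += BARE.findall(QUOTED.sub('', line))  # unquoted paths cannot
    return found


def unique_paths(lines):
    """Case-insensitive de-duplication, keeping the first spelling seen."""
    seen = {}
    for line in lines:
        for path in paths_from_line(line):
            seen.setdefault(path.lower(), path)
    return list(seen.values())


def looks_like_random_system_dll(path):
    low = path.lower()
    name = low.rsplit('\\', 1)[-1]
    return any(d in low for d in SYSTEM_DIRS) and bool(RANDOM_SYSTEM_DLL.match(name))


def triage(lines):
    """Split the referenced files into a delete list and a list needing human review."""
    delete, review = [], []
    for path in unique_paths(lines):
        (delete if looks_like_random_system_dll(path) else review).append(path)
    return {'delete': delete, 'review': review}


if __name__ == '__main__':
    for label, lines in (('post 3', POST3_LINES), ('post 5', POST5_LINES)):
        result = triage(lines)
        print(f'{label}: {len(result["delete"])} to delete, {len(result["review"])} to review')
        for p in result['delete']:
            print('  delete', p)
        for p in result['review']:
            print('  review', p)
```

Run against the post-3 lines it yields the same sixteen files listed above (gazizisa.dll appears in both the O2 and O20 lines and is counted once). Against the post-5 lines it sends QTTask.exe to the review list instead of the delete list, which is the behaviour you want from an automated pass. One x64 caveat when reading lists like these: a 32-bit scanner on 64-bit Windows sees the Wow6432Node registry view and, through file-system redirection, its own "system32" is really SysWow64, so check the native 64-bit AppInit_DLLs and Run keys separately rather than assuming the 32-bit view is the whole picture.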
     
  4. Brinks3015

    Brinks3015 Private E-2

    Chaslang, thank you very much for your help and the personal time you use to help us all.

    This is one time when being first at something has become a nightmare for me. I have BitDefender Total Security 2009 and keep it updated along with Windows like it’s my religion. I don’t know how I ended up in this situation.

    I did everything you asked word for word. The registry fix you provide was successfully added. When I rebooted into safe mode the only file I found and deleted was C:\Windows\SysWow64\kusitozo.dll. Attached are the logs you requested.

    Thanks again for your help it is much appreciated.
    Richard
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, the infection has spread. It is possible that it is spreading on each reboot, so from this point on I suggest that you no longer power down/reboot your PC unless I request you to. It will be very important that you do not power down or reboot after attaching any new logs. If you do, it could make any fix I post a waste of time.

    Let's try this again, this time using Pocket Killbox, which hopefully runs on x64. If Killbox does not run, you will have to boot into safe mode and delete the listed files manually.

    First uninstall the version of SUPERAntiSpyware that you currently have installed.

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {e989d1d3-3cee-4797-8ba6-2e5fa4f6f8af} - C:\Windows\SysWow64\navavaze.dll
    O4 - HKLM\..\Run: [kusiyovaja] Rundll32.exe "C:\Windows\system32\dikemude.dll",s
    O4 - HKUS\S-1-5-21-1016019758-1941530761-1336395221-1001\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime (User 'Jennifer')
    O4 - HKUS\S-1-5-21-1016019758-1941530761-1336395221-1001\..\Run: [CPMcfec93fe] Rundll32.exe "c:\windows\system32\fubatuzo.dll",a (User 'Jennifer')
    O4 - HKUS\S-1-5-21-1016019758-1941530761-1336395221-1001\..\Run: [kusiyovaja] Rundll32.exe "C:\Windows\system32\dikemude.dll",s (User 'Jennifer')
    O20 - AppInit_DLLs: C:\Windows\SysWow64\navavaze.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.


    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.


    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Windows\system32\dikemude.dll
    c:\windows\system32\fubatuzo.dll

    C:\Windows\SysWow64\navavaze.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot look for all of the above files we had Pocket Killbox attempt to delete. If you still see them, delete them yourself.

    Now install the current version of SUPERAntiSpyware and make sure you update it during the install as it normally requests. Then run a full system scan to get a new log.

    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • SUPERAntiSpyware log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
    Make sure that you do not shutdown or reboot your PC now.
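"Delete on Reboot" in Killbox works because Windows lets a program queue a file operation for the next boot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT); the request is stored in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations and carried out by Session Manager before the user-mode processes that would otherwise hold an AppInit DLL open exist. That is also why the post asks to hear about a PendingFileRenameOperations prompt: something else is already queued for the next boot. The script below is an added example, not Killbox code or anything from the post; it shows how the value is laid out, builds the delete entries for the three DLLs named above, and decodes a constructed pre-existing entry. Writing the value for real needs administrator rights and winreg or reg.exe on Windows, which is deliberately left out so this runs anywhere. The sample rename entry and the reading of when Killbox shows its prompt are assumptions.

```python
# PendingFileRenameOperations layout (REG_MULTI_SZ):
#   pairs of strings  (source, destination)
#   destination == ''            -> delete source
#   destination starts with '!'  -> replace an existing destination
#   paths are in NT object-manager form: \??\C:\dir\file.dll
NT_PREFIX = '\\??\\'
PENDING_KEY = r'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager'
PENDING_VALUE = 'PendingFileRenameOperations'


def to_nt_path(win_path):
    """Prefix a Win32 path with the NT object-manager prefix used in the value."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def build_delete_on_reboot(paths):
    """Entries to append: (source, '') pairs; the empty destination means delete."""
    entries = []
    for path in paths:
        entries.extend((to_nt_path(path), ''))
    return entries


def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated, list ends with one extra NUL."""
    return ''.join(s + '\x00' for s in strings).encode('utf-16-le') + b'\x00\x00'


def decode_multi_sz(raw):
    """Inverse of encode_multi_sz. Keeps embedded empty strings on purpose: a generic
    MULTI_SZ reader that stops at the first empty string truncates this value right
    after the first delete entry and hides everything queued behind it."""
    parts = raw.decode('utf-16-le').split('\x00')
    if len(parts) < 2 or parts[-1] != '' or parts[-2] != '':
        raise ValueError('missing REG_MULTI_SZ double terminator')
    return parts[:-2]


def decode_pending(entries):
    """Pair the flat list up into (source, destination, action) tuples."""
    if len(entries) % 2:
        raise ValueError('PendingFileRenameOperations must hold source/destination pairs')
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == '':
            action = 'delete'
        elif dst.startswith('!'):
            action = 'replace'   # '!' marks MOVEFILE_REPLACE_EXISTING
        else:
            action = 'rename'
        ops.append((src, dst, action))
    return ops


def merge_pending(existing, new):
    """Append rather than overwrite, so earlier queued operations still run."""
    return list(existing) + list(new)


# Constructed sample: what a delete-on-reboot tool would queue for the three DLLs above.
DELETE_REQUEST = build_delete_on_reboot([
    r'C:\Windows\system32\dikemude.dll',
    r'c:\windows\system32\fubatuzo.dll',
    r'C:\Windows\SysWow64\navavaze.dll',
])

# Constructed sample of a value that already has work queued (an installer's rename).
# Assumption: finding the value non-empty is what triggers Killbox's prompt; reading the
# existing pairs tells you what else will happen at boot before you add to it.
ALREADY_PENDING = [r'\??\C:\Windows\Temp\update.tmp', r'!\??\C:\Program Files (x86)\App\app.dll']

if __name__ == '__main__':
    for src, dst, action in decode_pending(merge_pending(ALREADY_PENDING, DELETE_REQUEST)):
        print(f'{action:8} {src}' + (f' -> {dst.lstrip("!")}' if dst else ''))
    print(len(encode_multi_sz(DELETE_REQUEST)), 'bytes would be written to', PENDING_VALUE)
```

The practical check this gives you: before queueing deletions, decode what is already in the value, and after the reboot confirm the files are gone, because an entry that points at a path the malware has since renamed (this thread shows the names changing between boots) deletes nothing.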
     
  6. Brinks3015

    Brinks3015 Private E-2

    Chaslang, thanks again for your help in this mess I have gotten myself into.

    I followed everything verbatim and Pocket KillBox seemed to work just fine on my system. I did receive the PendingFileRenameOperations prompt and had to reboot my PC myself. After reboot I found and deleted C:\Windows\SysWow64\navavaze.dll.

    I ran SUPERAntiSpyware to get a new log, but just so you know, I did not let it reboot my system till I get your OK. So far it appears I am having all the same old problems of getting bogus virus infection windows and my browser being redirected to ads.

    Attached are the logs you requested.

    Thanks for your hard work and time,
    Richard
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {e989d1d3-3cee-4797-8ba6-2e5fa4f6f8af} - C:\Windows\SysWow64\torayiya.dll
    O4 - HKLM\..\Run: [CPMcfec93fe] Rundll32.exe "c:\windows\system32\sowesuno.dll",a
    O4 - HKLM\..\Run: [kusiyovaja] Rundll32.exe "C:\Windows\system32\rahuguzi.dll",s

    After clicking Fix, exit HJT.

    Now immediately run a fullscan with SUPERAntiSpyware (update before scanning) and again DO NOT LET it reboot at this point if it asks you to. We will reboot after running Killbox.



    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.



    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Windows\SysWow64\torayiya.dll
    c:\windows\system32\sowesuno.dll

    C:\Windows\system32\rahuguzi.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot look for all of the above files we had Pocket Killbox attempt to delete. If you still see them, delete them yourself.

    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below log:
    • SUPERAntiSpyware log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
    Make sure that you do not shutdown or reboot your PC now.
     
