Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
O4 - HKUS\S-1-5-19\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [toyayurela] Rundll32.exe "C:\WINDOWS\system32\titobigi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: zukmyo.dll C:\WINDOWS\system32\rewikote.dll
I cannot reliably identify this Domain. A search for 'ambusi' brings up this site:
titobigi.dll
toyayurela
saseneda.dll
zukmyo.dll
rewikote.dll >> Fraudulent Security Program
If AmBusi is your legitimate Domain, the entries are not set up correctly.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\Software\..\Telephony: DomainName = ambusi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ambusi.com
Reboot into Normal mode
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: .sbcglobal.net
* Download SDFix and save it to your Desktop.
Boot into Safe Mode
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Run SDFix
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Update and rescan with Malwarebytes again following SDFix, then do a new scan with HijackThis. Attach all the logs when through.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here
Then the entries should be removed.
The domain is no longer in use, however we still have the domain name.
I am concerned about the security you're running - all I see are the two ActiveX files loading for McAfee:
Quote:
titobigi.dll
toyayurela
saseneda.dll
zukmyo.dll
rewikote.dll >> Fraudulent Security Program
But there are no McAfee program entries and no McAfee Services running as there should be if you have the McAfee security installed. Can you fill me in on this please? Were you using this as part of a corporate network? Maybe the defunct Domain. Because it does not appear that you have a fully functioning security program.
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab >> for McAfee Security Installer Control.
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab >> process info for McAfee Security Download Control.
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n028p/EN/install/gtdownlr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\Software\..\Telephony: DomainName = ambusi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ambusi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ambusi.com
Update Java:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://parachute.webex.com/client/v_mywebex-t20/event/ieatgpc.cab
Please see the CERT Advisory on the potential buffer overflow. If you need an update, get it. If you need to disable the ActiveX entry, do it.
WebexUCFObject ActiveX Control stack buffer overflow:
http://www.kb.cert.org/vuls/id/661827
What is the status of the original pop-ups? Have we resolved that issue? Are you having any other problems?
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 6.0 Update 11): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 11