Browser Hijacked, anti-malware programs no longer work!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by beer_bbq, Jan 6, 2010.

  1. beer_bbq

    beer_bbq Private E-2

    Hi-

    I recently tried the READ & RUN ME FIRST. Malware Removal Guide from chaslang. Below are my notes from the process. I stopped at step 3 in the XP clean up as I could not determine if I still had problems. My IE is gone; the file got removed somehow. I will reload IE and see what happens. I am concerned based on my last bullet below. It seems that something has come back to my computer. I attached the logs of the programs that did run.

    All help is appreciated!!!!

    beer_bbq

    • Removed WildTangent Web Browser enhancer in step 5.
    • During the SuperAntiSpyware installation, I got Error 1321. Windows Installer has insufficient privileges to modify this file: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    • Tried to install the Malwarebytes Anti-Malware program. After it installed and updated, the scan started and then the scan disappeared. The icon on the desktop is blue and white and does not work.
    • Combofix – started the .exe file; the program needed me to stop Norton AV, and then all screen icons disappeared, with just the background showing. I then got an error window; no other text was present. Many strange noises occurred during this process. The computer rebooted, then updated with a new version of Combofix.
    o Combofix detected rootkit activity and had to reboot the computer
    o Registry backup complete
    o Needed to install Microsoft Recovery Console
    o Combofix needed to reboot the computer prior to generating the log file
    o Upon reboot, an error came up: Error loading C:\WINDOWS\ubolicakenak.dll – The specified module could not be found
    o After Combofix ran, the icons for IE and Windows security are back. The IE icon was blue and white (missing shortcut), while the Windows security alert and Windows automatic updates icons were completely gone.
    o I then ran Norton; it did not find anything. It usually finds multiple items.

    • I tried to run IE, but the program is missing. Another copy was placed in another folder, but it does not work.
    • I then tried to install SuperAntiSpyware, and it did install. The 1st scan found cookies, which I removed. I ran another scan, which found one other item. I removed it. After I removed it, I tried to install Mbam. It started a scan. I noticed that my Norton indicated that it was disabled. I checked it and it was enabled. Next, the Windows security alert disappeared. Both the SuperAntiSpyware and Mbam desktop icons turned blue/white and are unavailable. I tried to install SuperAntiSpyware again, and got the same error as earlier.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. You are running combofix from the wrong location:

    You need to ensure that it's on your desktop as requested or final steps will not go smoothly.

    2. You didn't agree to the HJT license. We will have you re-run MGTools in a little while because I need to see the HijackThis log.

    3. If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    4. Do you know what this is?

    • C:\WINDOWS\iriqovy.db

    5. Please go to Jotti's malware scan

    (If more than one file needs scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\Thofirogodinire.dat
    • At the upload site, click once inside the window next to Browse.
    • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    6. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Fcopy::
    C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll | C:\WINDOWS\system32\scecli.dll
    C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe | c:\windows\system32\proquota.exe
    
    File::
    c:\windows\system32\fjhdyfhsn.bat
    c:\windows\Jfafa.bin
    c:\documents and settings\LocalService\Application Data\fvgqad.dat
    c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
    c:\documents and settings\NetworkService\Application Data\fvgqad.dat
    c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
    c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
    C:\Documents and Settings\Owner\My Documents\~WRL2215.tmp
    C:\Documents and Settings\Owner\My Documents\~WRL2936.tmp
    C:\WINDOWS\ygyg.pif
    C:\WINDOWS\yqemebohej.lib
    
    Folder::
    c:\documents and settings\All Users\Application Data\Viewpoint
    
    DirLook::
    c:\documents and settings\Owner\Local Settings\Application Data\{818B2643-DFC8-4E97-8086-92487A2ED678}
    c:\documents and settings\Owner\Local Settings\Application Data\{91E4CE33-2AFE-44E7-B614-FA8B90AE5670}
    c:\documents and settings\Owner\Local Settings\Application Data\{D542CD73-CA5B-47BE-BF6D-D9BE8D2BA7BA}
    C:\Jeffs Folder
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    7. Now run MGTools.exe again by double clicking it. When you are asked to agree to the HijackThis license then please do so. You may have to click accept TWICE. Yes.. it's a bug.

    8. Attach the C:\Mglogs.zip into your next reply as well as the log from running combofix, the results from jotti, and make sure you answer any questions that I asked.

    9. Let me know how your machine is behaving now please.
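    The CFScript files pasted in this thread use a simple sectioned text format (KILLALL::, Fcopy::, File::, Folder::, DirLook::, Registry::). The script below is an added Python example, not part of the thread and not ComboFix's own code: it parses such a file and lists exactly what it asks ComboFix to do, which is a worthwhile review step before dragging a script onto ComboFix.exe. The sample script is constructed to mirror the ones above (PLACEHOLDER stands in for the hash-named download folder), and the meaning attached to each section is the conventional CFScript one, not something the thread itself spells out.

```python
"""Parse a ComboFix CFScript and list what it asks ComboFix to do.

Added example; not from this thread or from ComboFix. Section meanings are
the conventional CFScript ones: KILLALL ends running processes, Fcopy copies
'src | dst', File/Folder delete, DirLook lists a directory, Registry applies
.reg-style lines.
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
KNOWN_SECTIONS = {"KILLALL", "Fcopy", "File", "Folder", "DirLook", "Registry"}

# Constructed sample modelled on the scripts in this thread; PLACEHOLDER stands
# in for the hash-named download folder.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Fcopy::
C:\WINDOWS\SoftwareDistribution\Download\PLACEHOLDER\scecli.dll | C:\WINDOWS\system32\scecli.dll

File::
c:\windows\system32\fjhdyfhsn.bat
C:\WINDOWS\ygyg.pif

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint

DirLook::
C:\Jeffs Folder

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
"""


def parse_cfscript(text):
    """Split the script into {section_name: [directive lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # e.g. 'File::' opens a section
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"directive before any section header: {line!r}")
        sections[current].append(line)
    return sections


def parse_registry_section(lines):
    """Turn .reg-style lines into {key: {value_name: data}}."""
    keys = {}
    current_key = None
    for line in lines:
        km = REG_KEY_RE.match(line)
        if km:                                  # '[HKEY_...]' selects a key
            current_key = km.group(1)
            keys.setdefault(current_key, {})
            continue
        vm = REG_VALUE_RE.match(line)
        if not vm or current_key is None:
            raise ValueError(f"unexpected Registry:: line: {line!r}")
        name, data = vm.group(1), vm.group(2).strip()
        if data == "-":
            keys[current_key][name] = None      # .reg syntax: delete this value
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current_key][name] = data[1:-1]  # quoted string data
        else:
            keys[current_key][name] = data      # dword:/hex: data left as written
    return keys


def summarize(text):
    """Return the concrete actions the script requests, section by section."""
    sections = parse_cfscript(text)
    copies = []
    for line in sections.get("Fcopy", []):
        if "|" not in line:
            raise ValueError(f"Fcopy line needs 'source | destination': {line!r}")
        src, _, dst = line.partition("|")
        copies.append((src.strip(), dst.strip()))
    return {
        "kills_processes": "KILLALL" in sections,
        "copies": copies,
        "deletes_files": sections.get("File", []),
        "deletes_folders": sections.get("Folder", []),
        "lists_dirs": sections.get("DirLook", []),
        "registry": parse_registry_section(sections.get("Registry", [])),
        "unknown_sections": sorted(set(sections) - KNOWN_SECTIONS),
    }


if __name__ == "__main__":
    for action, detail in summarize(SAMPLE_CFSCRIPT).items():
        print(f"{action}: {detail}")
```

    Point summarize() at the contents of your own CFscript.txt before running it: anything listed under deletes_files or copies is a change to the system that cannot be undone from within ComboFix, and a non-empty unknown_sections entry usually means a typo in a section header, which ComboFix would silently ignore.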
     
  3. beer_bbq

    beer_bbq Private E-2

    Thank you for the response and suggestions!

    My responses to your requests are below. Thanks.

    1. I ran combofix from my desktop this time.
    2. I was not requested to agree to the HJT license before or today when I ran MGTools
    3. Complete
    4. No idea what it is or what it is for
    5. http://virusscan.jotti.org/en/scanresult/f91e6e006fddd4ea6f76788d625279993764fb5b
    6. Completed as requested
    7. Complete, but I was not asked to agree to a license
    8. Complete
    9. Browser still hijacked; on my first search InSysSecure came up stating I was infected (file from lastcodone.com)
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's try this and then tell me if you are still being redirected or not:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Fcopy::
    C:\MGtools\temp\XPSP3\scecli.dllmg | C:\WINDOWS\system32\scecli.dll
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
     
  5. beer_bbq

    beer_bbq Private E-2

    Thank you for the advice. I did not get the email that you had responded last Sunday, hence my late response.

    I ran Combofix last night, and finally went to sleep with Combofix displaying "Rebooting Windows...Please wait". The same message is present this morning. What shall I do? Thanks.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download a fresh copy of Combofix and then re-run the instructions in my post #4. Attach the log from doing so.

    Also make sure you are NOT running MGTools from this location; it should be directly on your C drive and not inside any other folders.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  7. beer_bbq

    beer_bbq Private E-2

    Thanks for the suggestions. I have attached the logs as requested.

    My browser has not been hijacked since I followed your instructions. Thank you! :)

    Please let me know if anything else in the attached logs needs to be addressed.

    Also, what can I do to better defend myself from these viruses? Thanks again!
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Are you set up to use a proxy?

    2. There has been another update to java so please do the following:

    Go to add/remove programs and uninstall the outdated java:

    • Java(TM) 6 Update 17

    Now reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    3. Now use Windows Explorer to locate and delete the below bold file:

    C:\WINDOWS\iriqovy.db

    4. Navigate to the C:\MGTools directory and locate analyse.exe. Double click it to run it and agree to the HJT license (you may have to click "I agree" twice; it's a bug). Do a system scan and save a log file. Attach it into your next reply, and don't forget to answer my question about the proxy.
     
  9. beer_bbq

    beer_bbq Private E-2

    Thanks for the suggestions. My answers are below.

    1. I am not sure; how do I tell?
    2. complete
    3. complete
    4. I found the file and double-clicked it, but it would not run. The message that pops up is "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay, then let's download a fresh copy of MGTools.exe and run it again. Make sure it's on your C drive before doing so, and this time around ensure you agree to the Trend Micro HJT license.

    Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

    Attach the C:\Mglogs.zip. :)
     
  11. beer_bbq

    beer_bbq Private E-2

    The log is attached. I was not asked to agree to a license.

    I have a copy of HiJackThis on my PC already; is that part of the problem?
     

    Attached Files:

    Last edited: Jan 19, 2010
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then please run it, do a system scan and save a log file. Attach it into your next reply.
     
  13. beer_bbq

    beer_bbq Private E-2

    I got it to run, the log is attached. Thanks. :-D

    I noticed another log on my desktop; I attached it as well. I am not sure what program generated it.
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Scan with HijackThis and fix the following lines:

    A question:
    is the below related to this?
    http://www.thesuperiorview.com/
     
  15. beer_bbq

    beer_bbq Private E-2

    I have disabled the Windows Messenger program.

    I fixed the lines you suggested with HiJackThis.

    Regarding your question, I believe they are related.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Rescan with HJT. Are the lines definitely gone?
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And is this something you installed knowingly?
     
  18. beer_bbq

    beer_bbq Private E-2

    The HJT log is attached. I do not see those lines.

    On the proxy question, it came with a software package from my employer. I do not use my home pc anymore to VPN in, so it is not needed.
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then fix the line with HJT:
    Use Windows Explorer to locate and delete the below bold folder:
    C:\Program Files\Superior View
     
    Last edited: Jan 19, 2010
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And since reviewing the HJT log I am seeing more to do, please await instructions in my next reply, for we are not entirely out of the woods yet.
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Scan with HJT and fix the following O20 line:

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\SYSTEM32\classapi64.dll 
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    Thanks
    Kes13!
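    Two checks a reader can run for themselves: the proxy question from posts #8 and #9 ("how do I tell?"), and the AppInit_DLLs value that the Registry:: section of the script above resets to empty. The script below is an added Python example, not from the thread: it parses the text printed by the built-in Windows tool reg query (the two commands are in the docstring), so it runs offline on output pasted from the affected machine. The sample listings are constructed; proxy.corp.example:8080 is a made-up server, and classapi64.dll is the file named in the CFScript above.

```python
r"""Check 'reg query' output for an IE proxy and for AppInit_DLLs entries.

Added example, not from this thread. It parses the text printed by the
built-in Windows tool 'reg query', so it can run offline on output pasted from
the affected machine. The two listings it expects come from:
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
"""
import re

# '    Name    REG_TYPE    data' (XP separates the columns with tabs, later
# versions with runs of spaces; both match).
VALUE_RE = re.compile(r"^\s+(\S.*?)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed sample listings; proxy.corp.example is made up, classapi64.dll is
# the file named in the CFScript above.
SAMPLE_PROXY_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    proxy.corp.example:8080
    ProxyOverride    REG_SZ    <local>
"""
SAMPLE_APPINIT_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    classapi64.dll
"""
SAMPLE_APPINIT_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
"""


def parse_reg_query(text):
    """Return {value_name: (type, data)} from one key's 'reg query' listing."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, vtype, data = m.groups()
            values[name] = (vtype, data.strip())
    return values


def audit_proxy(reg_text):
    """Answer 'am I set up to use a proxy?' from the Internet Settings key."""
    v = parse_reg_query(reg_text)
    enabled = v.get("ProxyEnable", ("", "0x0"))[1].lower() in ("0x1", "1")
    server = v.get("ProxyServer", ("", ""))[1]
    pac_url = v.get("AutoConfigURL", ("", ""))[1]
    findings = []
    if enabled and server:
        findings.append(f"explicit proxy enabled: {server}")
    if pac_url:
        findings.append(f"proxy auto-config script set: {pac_url}")
    return {"enabled": enabled, "server": server, "pac_url": pac_url, "findings": findings}


def audit_appinit(reg_text):
    """List DLLs that AppInit_DLLs would load into every process that links user32.dll."""
    v = parse_reg_query(reg_text)
    data = v.get("AppInit_DLLs", ("", ""))[1]
    dlls = [d for d in re.split(r"[,\s]+", data) if d]
    # Windows 7 and later also gate the mechanism with LoadAppInit_DLLs; XP does not.
    gate = v.get("LoadAppInit_DLLs", ("", "0x1"))[1].lower()
    active = bool(dlls) and gate not in ("0x0", "0")
    findings = [f"AppInit_DLLs references {d}" for d in dlls]
    return {"dlls": dlls, "active": active, "findings": findings}


if __name__ == "__main__":
    for label, result in (("proxy", audit_proxy(SAMPLE_PROXY_QUERY)),
                          ("AppInit_DLLs", audit_appinit(SAMPLE_APPINIT_QUERY)),
                          ("AppInit_DLLs (clean)", audit_appinit(SAMPLE_APPINIT_CLEAN))):
        print(label, result["findings"] or ["nothing found"])
```

    Run the two reg query commands on the machine, paste each listing into a file, and pass its contents to audit_proxy() or audit_appinit(). A proxy you did not set yourself (post #18 traces this one to an employer VPN package) and any AppInit_DLLs entry naming a file you do not recognise are the two things worth raising in a reply; clearing AppInit_DLLs is exactly what the Registry:: section above does.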
     
  22. beer_bbq

    beer_bbq Private E-2

    I fixed the line you suggested with HJT.

    Combofix and MGTools logs are attached.:)
     

    Attached Files:

  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Could you attach the log from HJT after rescanning to be sure the file is really gone? (My fault, I should have asked you this in my last steps) :)
     
  24. beer_bbq

    beer_bbq Private E-2

    I just ran it; the log is attached. Thanks!:drool
     

    Attached Files:

  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Looks good. Except I still see the below line in your latest HJT log indicating that Messenger is still running. (Run the steps to kill Messenger again after fixing its line with HJT.)
    Now tell me, how are things running? :) Still no browser redirects I take it?
     
  26. beer_bbq

    beer_bbq Private E-2

    I used HJT to fix the line quoted below. I then ran the Windows Messenger kill program, and then restarted my PC. Attached is the HJT log after the restart.

    No browser re-directs since 1/17/10!!:major

    If I am clean, let me know what I can do to better protect myself.
     

    Attached Files:

  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes your logs look good now. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  28. beer_bbq

    beer_bbq Private E-2

    Thanks for the response - I have completed the actions you mentioned.:grouphug

    Regarding SuperAntiSpyware and Malwarebytes, I take it that a purchase provides real-time protection that is not provided with the free version?

    I read the protection link (#10), and I have a few questions.

    I currently have Symantec AV (version 10) - I noticed that it is not recommended. Does it provide real time protection?

    How often should the CCleaner program be run?

    I have a Cisco wireless router - how do I check if the firewall is active?
     
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Exactly :)

    Any other question you have can be asked in the software forum or wherever appropriate. You're welcome for the help and safe surfing! :wave
     
  30. beer_bbq

    beer_bbq Private E-2

    Thanks for all of the help!!!!!:wave
     
