First prob was redirect and pop up - now worse...

Welcome to Major Geeks!

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Administrator

You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

1. Rkill.exe
2. Rkill.com
3. Rkill.scr
4. Rkill.pif

Once you've gotten one of them to run then try to immediately run the following.

Now download and Run exeHelper from Raktor

• Please download exeHelper to your desktop.
• Double-click on exeHelper.com to run the fix.
• A black window should pop up, press any key to close once the fix is completed.
• A log file named log.txt will be created in the directory where you ran exeHelper.com
• Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Now run this: Using Malwarebytes Anti-Malware

Now run this: Using MGtools


Now you need to attach (See: HOW TO: Attach Items To Your Post ) the below logs created while running the above scans

• exeHelper log
• Malwarebytes Anti-Malware log
• MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.

 

I do not understand why Ccleaner and avg are clashing. Ccleaner removes temporary files, I have never known it delete anything more than that, and we do not request that you run the registry cleaner aspect of the tool.

If you want to be completely rid of avg there is a removal tool we can use. Then you can reinstall as per instructions i'd give you, or..you can opt for another AV. Let's deal with that afterwards, for now I shall review your logs and get back to you with a response soon.

ahhh I see you already have the avgremover...

 

1. Please put this machine into normal start up mode by using MSCONFIG before we continue!

2. Go to add/remove programs and uninstall the following outdated java:

• Java(TM) 6 Update 19
• Java(TM) 6 Update 7

3. Run SUPERantispyware > let it update > fix all it finds and attach the log it creates.

4. Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

5. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix exit HJT.

6. A leftover service from viewpoint is running, we will deal with that shortly.

7. Run Combofix at this point which you already have downloaded, as per the instructions.

8. Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

9. Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

10. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and do not forget the SAS log.

11. Tell me how things are running now, are you still having redirects??

 

I think these files belong to DivX but I want to be sure so we will check them out.

• c:\documents and settings\All Users\Application Data\6375D7699B.sys
• c:\windows\system32\4FCC7662BC.sys

The logs for superantiapyware can be found here:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix exit HJT.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

Driver::
ASKService
ASKUpgrade
Viewpoint Manager Service

FileLook::
c:\documents and settings\All Users\Application Data\6375D7699B.sys
c:\windows\system32\4FCC7662BC.sys

File::
c:\windows\system32\REN49.tmp
c:\windows\system32\REN48.tmp
c:\windows\system32\REN47.tmp
C:\WINDOWS\temp\50.tmp

Folder::
c:\program files\Viewpoint

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Could you please get this: 6375D7699B.sys into a zipped file and attach it for me in your next post? To do this, see the below:

Please go to start > Run and paste in the following:

log retrievable @ C:\collect.zip

Please go to Jotti's malware scan

(If more than one file needs scanned they must be done separately and logs posted for each one)

• Copy the file path in the below Code box:
  
  Code:

  c:\documents and settings\All Users\Application Data\6375D7699B.sys

• At the upload site, click the browse button.
• Use Windows Explorer to navigate to the file(s) we need scanned and click "submit file"
• Your file will possibly be entered into a queue which normally takes less than a minute to clear.
• This will perform a scan across multiple different virus scanning engines.
• Important: Wait for all of the scanning engines to complete.
• Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

Then do the same for the below file and also let me know the results:

Code:

c:\windows\system32\4FCC7662BC.sys

You did not clean your temp files out last time by the looks so be sure to do this now as instructed;

Delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

Don't forget to install new java

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach those logs from SAS, post the jotti results and attach the collect.zip.


Are you still getting redirects? Tell me how things are running now.

 

Then uninstall avg from add/remove programs if it lets you.

Then reboot and use the avg removal tool

Make sure you also delete any AVG folders in Program Files and Documents & Settings/Application Data directories.

Reboot again and then complete the below:

Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

Run the new MGTools.exe and attach the C:\Mglogs.zip into your next reply.

 

Just get me the latest logs from MGTools please. I am in the middle of getting ready for my shift ast work tonight right now, so just get me those logs and we will deal with any remaining issues afterwards, I will even give you a fix for removing any avg related files/folders (which is something that ought to be dealt with in the software forum really)

 

As you said, you performed a system restore, so for now get me a new MGlogs.zip and let me see your status. Thanks.

 

I'm sorry but I am not seeing much left to do here in this forum. I think you have problems which are not caused by malware. We can do the below but then you must visit the software forum to resolve any other outstanding issues.

You have not put this machine into normal start up mode yet by using msconfig. (I am NOT referring to safe mode) Please do this now.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix exit HJT.

Use windows explorer to navigate to the following files, right click each of them and tell me what info you can glean from the properties.
Or perhaps right click and send to > notepad or wordpad and copy and paste what you see for each into notepad.

c:\documents and settings\All Users\Application Data\6375D7699B.sys
c:\windows\system32\4FCC7662BC.sys

Delete using windows explorer:

• C:\Documents and Settings\All Users\Application Data\avg9
• C:\Documents and Settings\All Users\Application Data\avg9(2)
• C:\Program Files\AVG
• C:\WINDOWS\system32\REN32.tmp
• C:\WINDOWS\system32\REN33.tmp
• C:\WINDOWS\system32\REN34.tmp
• C:\WINDOWS\system32\REN47.tmp
• C:\WINDOWS\system32\REN48.tmp
• C:\WINDOWS\system32\REN49.tmp

Now Reboot your machine and consider using something other than avg

Run a full system scan with it and let me know if anything crops up. Also let me know about those files which I am positive are legit, I just want to cover all bases for you.

 

I didn't know your version of avg was paid for. Don't change then, you'll have to visit the software forum I'm afraid

 

Now download and Run exeHelper

• Please download exeHelper to your desktop.
• Double-click on exeHelper.com to run the fix.
• A black window should pop up, press any key to close once the fix is completed.
• Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Now get us a new C:\MGLogs.zip

 

Please attach the new MGLogs.zip.

 

Then you need to stay in that software thread to get it all sorted out.

Since you are not having any malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!