Redirects

Discussion in 'Malware Help (A Specialist Will Reply)' started by alexl, Nov 9, 2010.

  1. alexl

    alexl Private E-2

    I have been getting some redirects lately and mostly to the same site, gimmeanswers. Please help, I tried Malwarebytes and Hitman Pro (expired trial copy).

    Here is my MGlogs...Thanks in advance
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I see you ran TDSSKiller several times, which found and dealt with many nasties, however I see critters which remain and a bunch of miscellaneous stuff to take care of too.

    Please attach the log from running Malwarebytes. I would like to see two logs, one from Nov 6th and one from Nov 7th. Also you neglected to run SUPERAntiSpyware, which is also a part of our malware removal procedures. Please do so now and attach the log it creates after scanning.

    Viewpoint Media Player <--- Uninstall this garbage.
    Java(TM) 6 Update 2 <--- Outdated, also uninstall. You already have the most current version installed, 6.22.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.


    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :dir
      {7560C30B-7836-4DEC-9F6B-CD1A076FF66C}
      D7DAD5950A1446F36298AA2D039B71D2
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Reboot the machine.

    Run Ccleaner at this point.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now unless you have 64 bit vista please download and run Combofix as per the instructions in the R&R. (Making sure that you have of course followed step 6 of the read me and disabled disk emulation software)

    Download DeFogger by jpshortstuff and save it to your desktop.

    • Double click DeFogger.exe to run the tool.
    • The application window will appear.
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue.
    • A 'Finished!' message will appear.
    • Click OK.
    • DeFogger will now ask to reboot the machine...click OK.

    IMPORTANT!
    If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

    Don't forget the logs from MBAM and SAS.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know how things are now running for you!!
     
  3. alexl

    alexl Private E-2

    Here are the logs you requested.

    I noticed there are 2 desktop.ini files, could I delete them?
     


  4. alexl

    alexl Private E-2

    Just finished the things you asked me to do.

    Here is the log from SystemLook and the zip from MGtools.
     


  5. alexl

    alexl Private E-2

    Here are the logs from SUPERAntiSpyware and MBAM.
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The avenger fix did not work! Did you follow instructions exactly with the files to delete?

    You need to rerun it again as per the instructions for avenger in post #2. Then:

    Use windows explorer to see if the following files still exist, if so, delete them manually.
    • C:\Users\alexl\AppData\Local\Qnakivutamuxudi.dat
    • C:\Users\alexl\AppData\Local\Xniwoxucemuco.bin
    • C:\Windows\System32\drivers\wauqo.sys

    Make SURE you reboot after deleting, then check back and see whether they resurfaced somehow.

    Does this directory exist now? If so, tell me exactly what's in it, or screenshot the contents.

    C:\Users\alexl\AppData\Local\{7560C30B-7836-4DEC-9F6B-CD1A076FF66C}

    Delete this directory if it exists:

    C:\Program Files\COMODO

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  7. alexl

    alexl Private E-2

    Here are the .zip and screenshots of the folder {7560C30B-7836-4DEC-9F6B-CD1A076FF66C}...SystemLook still can't find it.

    Did the Avenger work this time?
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :services
    Viewpoint Manager Service
    
    :files
    C:\Program Files\Viewpoint
    C:\Users\alexl\AppData\Local\{7560C30B-7836-4DEC-9F6B-CD1A076FF66C}
    C:\Users\alexl\AppData\Local\bgeuctalr
    C:\Windows\Temp\afco.tmp
    C:\Windows\Temp\aiwu.tmp
    C:\Windows\Temp\aljv.tmp
    C:\Windows\Temp\aypm.tmp
    C:\Windows\Temp\dxtn.tmp
    C:\Windows\Temp\jfpg.tmp
    C:\Windows\Temp\omgq.tmp
    C:\Windows\Temp\suvs.tmp
    C:\Windows\Temp\waqn.tmp
    C:\Windows\Temp\xyxl.tmp
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Now tell me if the redirects persist. They shouldn't do though.
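The checks Kestrel13! asks for in posts #6 and #8 (did the deleted files resurface after the reboot, what is in the {GUID} folder, is the driver still registered, has the Viewpoint service gone) can be done in one pass from an elevated PowerShell prompt. The script below is an added example; it is not part of the thread and is not how Avenger, SystemLook or OTM work internally. It only reports, it deletes nothing, so it is safe to run before and after a fix. The paths and the service name are copied from the two posts; the profile name alexl comes from the thread and has to be changed for any other machine.

```powershell
# Added example (not from the thread): report on the paths listed in posts #6 and #8.
# Run as Administrator. Nothing here deletes or modifies anything.

$paths = @(
    'C:\Users\alexl\AppData\Local\Qnakivutamuxudi.dat',                        # post #6
    'C:\Users\alexl\AppData\Local\Xniwoxucemuco.bin',                          # post #6
    'C:\Windows\System32\drivers\wauqo.sys',                                   # post #6
    'C:\Users\alexl\AppData\Local\{7560C30B-7836-4DEC-9F6B-CD1A076FF66C}',     # posts #6, #8
    'C:\Users\alexl\AppData\Local\bgeuctalr',                                  # post #8
    'C:\Program Files\Viewpoint'                                               # post #8
)

# SHA-256 via .NET so it also works on the PowerShell 2.0 that shipped with Windows 7
function Get-Sha256Hex([string]$file) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($p in $paths) {
    # -LiteralPath: the folder name contains braces and must not be parsed as a wildcard
    if (-not (Test-Path -LiteralPath $p)) {
        '{0,-8} {1}' -f 'gone', $p
        continue
    }
    # -Force so hidden/system attributes (common on malware drops) do not hide the item
    $item = Get-Item -LiteralPath $p -Force
    if ($item.PSIsContainer) {
        # This is the "tell me exactly what's in it" part of post #6
        $children = @(Get-ChildItem -LiteralPath $p -Force -Recurse -ErrorAction SilentlyContinue)
        '{0,-8} {1}  (directory, {2} entries)' -f 'PRESENT', $p, $children.Count
        $children | ForEach-Object { '         {0,10} {1:u} {2}' -f $_.Length, $_.LastWriteTimeUtc, $_.FullName }
        continue
    }
    # For files: size, timestamp, hash and whether the binary carries a valid Authenticode signature.
    # A driver in System32\drivers with Status NotSigned is worth a second look.
    $sig = Get-AuthenticodeSignature -FilePath $p
    '{0,-8} {1}  size={2} modified={3:u} sha256={4} signature={5}' -f 'PRESENT', $p,
        $item.Length, $item.LastWriteTimeUtc, (Get-Sha256Hex $p), $sig.Status
}

# Deleting wauqo.sys is not enough if a driver entry still points at it: Windows will
# report the driver and try to load it again at boot.
Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -match 'wauqo\.sys' } |
    Select-Object Name, State, StartMode, PathName

# The :services line in the OTM script targets this service; confirm it is gone.
Get-WmiObject Win32_Service |
    Where-Object { $_.Name -eq 'Viewpoint Manager Service' -or $_.DisplayName -like '*Viewpoint*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName
```

Run it once before the Avenger/OTM step and once after the reboot; if a path comes back as PRESENT the second time with a fresh modification time, something is re-creating it, which is exactly the resurfacing Kestrel13! asks about.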
     
  9. alexl

    alexl Private E-2

    Not sure if OTM completely worked.

    Can you give a brief description and the reason for all the things you asked me to do? e.g. Why did we need to look at the folders with Systemlook, what does Avenger do that differs from HijackThis.

    What were some of the critters that were still lurking and the main cause of the redirects?

    Thanks
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, and avenger didn't seem to work for you either. Are you following my instructions exactly? I cannot see any errors in my posts that would have caused the scripts not to run correctly.

    I certainly will, but in turn, you must tell me if the redirects persist. I asked you to tell me this at the end of my last post.

    Because we cannot blindly delete a folder we know nothing about. SystemLook should locate a folder we insert into its script and then let me know the contents. It failed for us, so I asked you to tell me yourself. Once I saw the contents, I saw it needed to be killed as it was the cause of your redirects.

    The two tools are very different, I don't have time to go into the ins and outs. You can learn about tools used for malware removal at an online training school.
    That folder and its contents... which, looking at your new logs, I see does not exist anymore. Can you navigate to
    C:\Users\alexl\AppData\Local\{7560C30B-7836-4DEC-9F6B-CD1A076FF66C} and just tell me if it's there or not. Did you delete it manually after the OTM script failed?

    You also have a load of temp files that should be gone.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Answer my questions and let me know how things are running.

    Thanks
    Kes
     
