Firefox Search Problems

[Geezer7348]

Hi there,

I noticed last night that I was having problems whilst doing a search in yahoo for example. A List of the correctly searched items appears although when you click on the hyperlink it fails to open the webpage or will open up an alternative search engine website. I tried to run a spyware scan and all it came back with was some tracking cookies, the same result was also found in AVG Virus scanner and no virus' detected. I tried to run spybot search and destroy although it couldnt connect the the update server to check for updates

I have attached a log of hijack this incase this helps, I am currently using Vista.

[chaslang]

Please follow the instructions in the READ & RUN ME FIRST link given futher down and attach the requested logs when you finish these instructions.

• If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
  • TDSSserv Non-Plug & Play Driver Disable
• If something does not run, write down the info to explain to us later but keep on going.
• Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.

[Geezer7348]

Hi there,

Thank you very much for your assistance, I managed to run combofix last night which seemed to help clear the problem with the browser but I have run all the cleaning options in the link as requested.

I am still going to run SuperAntiSpyware, Spybot S&D again to ensure there is nothing lurking in the background.

Thanks

[chaslang]

I advise you to attach all of the logs from the FIRST run as requested so we can check them out.

[Geezer7348]

Dear Chas,

Please find attached the first logs as requested. More to follow.

Neil

[Geezer7348]

Please find attached further logs as requested.

Please advise me if you require any other log and where I would find it.

Thanks

[chaslang]

Please attach only the logs requested in the procedure. Those are:

• SUPERAntiSpyware
• Malwarebytes Anti-Malware
• ComboFix << already attached
• MGlogs.zip which is the only log from running MGtools you should be attaching. As stated, do not attach anything from the C:\MGtools folder

Also note that you are using MSconfig! See step 1 of the READ & RUN ME.
And you have Teatimer enabled but temporarily disabled using MSconfig. Again see the READ & RUN ME and disable Teatimer properly. You will need to run MGtools again after doing this so you can attach a new and proper log.

[Geezer7348]

Dear Chas,

Please find attached the logs as requested, it would appear there is some form of adware in the form of Videoegg according to the mbam log.

Regards,

Neil

[chaslang]

Quote:

Originally Posted by Geezer7348

Please find attached the logs as requested, it would appear there is some form of adware in the form of Videoegg according to the mbam log.

According to your MBAM log, you did not fix what it found. Please run it again, update first, and then run a new scan and fix what it finds before saving a log. Then attach the new log later.

Now complete the below instructions in the order written.

First we have few questions to get answered.

What is the below G Data stuff and did you install it?

Code:

"C:\Users\neil\AppData\Local\"
GDATA~1       28 Jan 2009              "G DATA"
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=G

Did you knowingly install Kontiki and allow it to pass thru your firewall?

Quote:

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FF327DDE-4B79-46A2-97F9-68A0589DA994}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{C76F1780-AF79-4B2F-A881-CB8B7AE7EC5D}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service

What is the below SoundMovieServer service?

Quote:

O23 - Service: SoundMovieServer - SoundMovieServer - C:\Windows\system32\snmvtsvc.exe

I strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

Now uninstall Viewpoint Media Player as requested in step 1 of the READ & RUN ME.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

After clicking Fix, exit HJT.


You have left overs from Symantec that need to be cleaned up. Please run the below then reboot. After reboot run it one more time.

Norton Removal Tool (SymNRT)




Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::

Driver::
LiveUpdate
LiveUpdate Notice Ex

DirLook::
C:\Users\neil\AppData\Local\G DATA

Folder::
C:\Program Files\Search Settings
C:\Program Files\Symantec
C:\Program Files\Common Files\Symantec Shared

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe"
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe"
"ehTray.exe"="c:\windows\ehome\ehTray.exe"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1eb9026-c152-11db-8066-806e6f6e6963}]

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run MSconfig and select Normal Startup as was originally requested in step 1 of the READ & RUN ME.

Now run Ccleaner!

Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.


Run MGtools.exe then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[Geezer7348]

Dear Chas,

Thank you for your assistance, please note my following responses to your queries.

Quote:

Originally Posted by chaslang

What is the below G Data stuff and did you install it?

I'm not honestly sure what it is, I certainly do not recall installing this.

Quote:

Originally Posted by chaslang

Did you knowingly install Kontiki and allow it to pass thru your firewall?

Again, I have no knoledge of Kontiki, I have never used this application as far as I am aware.

Quote:

Originally Posted by chaslang

What is the below SoundMovieServer service?

Again, I do not recall installing this program, could it possibly have been pre-installed on the machine when I purchased it?, I have removed this application in the steps you listed below.

I have carried out the MGTools and Norton Removal Tool steps along with Combofix. Whilst using Combofix I had problems with my AVG virus scanner as Combofix kept detecting it regardless of which options I disabled so I temporarily uninstalled it to allow me to carry on with the scanning process. Whilst carrying out the CFscript.txt drag and drop into Combofix I received a message saying the OS was incompatible with "Error - Win32 Only", and also a message saing Combofix has expired and I could run it in reduced functionality mode, it turns out there was a new version I could download which I did and after carrying out the steps suggested it seemed to work without any further problems.

fixme.reg, once I had double clicked this I got the following success message "the keys and values contained in C:\users\Neil\Desktop\fixme.reg have been successfully added to the registry. I proceeded to run ccleaner which fixed the registry keys it could not locate by removing them.

I have also updated MgTools as detailed in the final step and have attached the following logs as requested.

I have a couple of final queries for yourself.

1. Is it now safe to delete the fixme.reg from my desktop?
2. Can I now also delete the Norton_removal tool from my desktop?
3. In response to your comments about a cluttered desktop I have removed the documents to another portion of my HD, however there is one folder "FMFormation Database which I cannot delete or move from my desktop.

Best wishes,

Neil

[chaslang]

Quote:

Originally Posted by Geezer7348

I'm not honestly sure what it is, I certainly do not recall installing this.

Again, I have no knoledge of Kontiki, I have never used this application as far as I am aware.

Okay then we will remove them. You can start by removing the below folder:

c:\users\neil\AppData\Local\G DATA

Quote:

Originally Posted by Geezer7348

1. Is it now safe to delete the fixme.reg from my desktop?

No! We still need to use it again.

Quote:

Originally Posted by Geezer7348

2. Can I now also delete the Norton_removal tool from my desktop?

Yes!

Quote:

Originally Posted by Geezer7348

however there is one folder "FMFormation Database which I cannot delete or move from my desktop.

What is in the folder? Is this something you installed.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKCU\..\Run: [?????????] ??????????????e
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::

Driver::
KService

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now double click the fixME.reg file on your Desktop and allow it to be added to the registry. Make sure you tell me if it was successful.

Now run Ccleaner!

Now goto this link Using MGtools and download the new version (yes there is another new version) of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[Geezer7348]

I have carried out all the tasks as listed below although I could not locate the registry key "O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)".

In respect of the folder FMFormations It contains a .dat file which I knowingly installed at the time as it is an update for a game on the machine, now that I am on a newer version of the game this file is no longer required although I cant delete the file as my recycle bin doesnt process this file when I try dragging/dropping or even pressing delete followed by the confirmation, all it does is sit as if it is thinking about deleting although nothing moves along in the progress bar to indicate this is being carried out. The file itself is 111MB large and is found within the following folder address C:\Users\neil\Desktop\FMFormation's Database Update

Please also find attached the logs as requested.

Regards,

Neil

[chaslang]

Your logs are clean.

Quote:

Originally Posted by Geezer7348

The file itself is 111MB large and is found within the following folder address C:\Users\neil\Desktop\FMFormation's Database Update

Try the below.

Right click on the Recycle Bin icon on your Desktop and select Properties. The click the Use one setting for all drives button. Once you select this another check box option should be available. Check the box that says Do not move files to the Recycle Bin, Remove files immediately when deleted.

Now go see if you can right click on the problem file and select Delete.

Let me know what happens.

[Geezer7348]

Dear Chas,

Thank you for your help, unfortunately the file still remains despite changing the recycle bin setting. The folder still wont delete.

[chaslang]

If there is anything in the folder like files and subfolders, first go to the furthest level down and delete each file and folder one at a time working your way back to the top. If that does not help, we will try more forceful methods.

[Geezer7348]

Hi Chas,

I can confirm there are no further level(s) of folders. As detailed below the folder location is C:\Users\neil\Desktop\FMFormation's Database Update and the file located within this folder is people_db.dat file. I have tried cutting the file into another location but it wont budge either.

[chaslang]

Do you still use the below programs?
Football Manager 2007
Football Manager 2008
Football Manager 2009

If not then uninstall them and then reboot and see it the folder can be deleted. If you still use those programs, leave the folder alone since that is what it is for.

Since this is not a malware problem, I'm going to post final instructions.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\combofix folder from combofix (if it exists)
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Go to add/remove programs and uninstall HijackThis.
7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
8. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

[Geezer7348]

Dear Chas,

I removed the older versions of the game as suggested and also all the sub directories it stored in my documents and unfortunately it still wont let me delete this FMFormations Database folder.

Please see my attached screengrab for an image of the problem.

[bjgarrick]

Quote:

Originally Posted by Geezer7348

Dear Chas,

I removed the older versions of the game as suggested and also all the sub directories it stored in my documents and unfortunately it still wont let me delete this FMFormations Database folder.

Please see my attached screengrab for an image of the problem.

When deleting, hold the "Shift" key and while holding the shift key hit the delete key. Doing so will bypass the Recycle Bin and permanently delete the file/folder.

[chaslang]

Quote:

Originally Posted by Geezer7348

I removed the older versions of the game

Whar do you mean by older versions of the game? If any version of the game is still installed the database will still be in use.