Firefox Redirecting With Launchpage On Opening

Discussion in 'Malware Help - Public (Anyone Can Post & Respond)' started by oldkiwirocker, Sep 22, 2017.

  1. oldkiwirocker

    oldkiwirocker Private E-2

    Hi, I've had this a couple of times recently, first with Weevah, and now with Launchpage. The first time I got these I went through the removal procedures, and managed to get rid of Weevah (at least I think I have), however Launchpage is proving a bit more difficult. Fortunately my protection seems to prevent my wandering into dangerous sites, but I would still like to get rid of it.
    I have followed the Malware Removal guide as outlined in the sticky on this site, and now attach the requisite files for an expert's perusal.
    I await your advice.
     


  2. oldkiwirocker

    oldkiwirocker Private E-2

    I should add that I have refreshed Firefox also, but am still getting launchpage getting involved.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and remove these items:

    ¤¤¤ Registry : 24 ¤¤¤
    [PUP.Ghokswa] (X86) HKEY_LOCAL_MACHINE\Software\Firefox -> Found
    [PUP.Ghokswa] (X64) HKEY_USERS\.DEFAULT\Software\Firefox -> Found
    [PUP.Ghokswa] (X86) HKEY_USERS\.DEFAULT\Software\Firefox -> Found
    [PUP.Ghokswa] (X64) HKEY_USERS\S-1-5-21-3542371458-540030603-4258767761-1000\Software\Firefox -> Found
    [PUP.Ghokswa] (X86) HKEY_USERS\S-1-5-21-3542371458-540030603-4258767761-1000\Software\Firefox -> Found
    [PUP.Ghokswa] (X64) HKEY_USERS\S-1-5-18\Software\Firefox -> Found
    [PUP.Ghokswa] (X86) HKEY_USERS\S-1-5-18\Software\Firefox -> Found
    [PUP.Ghokswa] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {27F9A532-447C-418C-B091-95D7BC39B5B5} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F7D50FF6-C274-47DE-8A29-604754B44994} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Norris\AppData\Local\Temp\FlowSpritSetup_slnt_5016.exe|Name=FlowSpritSetup_slnt_5016.exe| [x] -> Found
    [PUP.Ghokswa] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {27F9A532-447C-418C-B091-95D7BC39B5B5} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F7D50FF6-C274-47DE-8A29-604754B44994} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Norris\AppData\Local\Temp\FlowSpritSetup_slnt_5016.exe|Name=FlowSpritSetup_slnt_5016.exe| [x] -> Found
    [PUP.UCBrowser] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9} | StubPath : "C:\Program Files (x86)\UCBrowser\Application\6.1.2107.204\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --wow-install-target-path="C:\Program Files (x86)\UCBrowser" [x] -> Found
    ¤¤¤ Tasks : 10 ¤¤¤
    [Suspicious.Path] \classicstartmenu -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    [Suspicious.Path] \firefox -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    [Suspicious.Path] \qw -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    [Suspicious.Path] \client\dropbox -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    [Suspicious.Path] \realtek usb 2-0 card reader\riconman -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    [Suspicious.Path] \revo uninstaller\revounin -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    [Suspicious.Path] \samsung magician\samsungmagician -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    [Suspicious.Path] \trueimagehome\ga_service -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    [Suspicious.Path] \update\dropboxupdate -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    [Suspicious.Path] \update\dropboxupdate-exe -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\906h410h625T223\906h410h625T223.dll",hTdfwXKEdTVC) -> Found
    ¤¤¤ Files : 4 ¤¤¤
    [Hj.Shortcut][File] C:\Users\Norris\AppData\Roaming\Microsoft\Office\Shortcut Bar\Office\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\MOZILL~1\firefox.exe https://launchpage.org/?uid=qTBKGGjMhxpsXWEz4onePXJBHv3HiGu3i7gvw8Mf82uwrbYPpW9KHuGdfTpB5Kia4R2V -> Found
    [PShell.Gen][File] C:\Users\Norris\AppData\Local\Ludesy\SwReporter\15.85.1\software_reporter_tool.exe -> Found
    [PShell.Gen][File] C:\Users\Norris\AppData\Local\Safiry\SwReporter\15.85.1\software_reporter_tool.exe -> Found
    [PShell.Gen][File] C:\Users\Norris\AppData\Local\Temp\GoogleChromeUserData\SwReporter\17.98.0\software_reporter_tool.exe -> Found


    Now, do this:
    Reset Firefox to Defaults

    After doing all that, reboot and rescan with RogueKiller and attach the new log.

    Be sure to tell me how things are running now.
     
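The log above shows two persistence patterns worth checking for on any machine with this kind of browser redirect: a browser shortcut whose target has a URL appended (the Hj.Shortcut entry pointing firefox.exe at launchpage.org) and scheduled tasks that run rundll32.exe with a randomly named DLL under C:\ProgramData (the Suspicious.Path entries). As an added example, not from the thread or from RogueKiller, this PowerShell audit lists both; the shortcut folders, browser names and the ProgramData/Users path regex are assumptions and can be widened.

```powershell
# Added example (not from the thread): audit the two persistence patterns RogueKiller flagged.
# Assumes Windows 8/Server 2012 or later (Get-ScheduledTask) and PowerShell 5.1+.
$browsers = 'firefox.exe', 'chrome.exe', 'iexplore.exe', 'msedge.exe'   # assumed list
$shell    = New-Object -ComObject WScript.Shell

# 1. Browser shortcuts whose arguments carry a URL
#    (pattern from the log: firefox.exe https://launchpage.org/?uid=...)
$lnkRoots = @(                                                            # assumed folders
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:APPDATA\Microsoft\Office\Shortcut Bar",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:PUBLIC\Desktop"
)
$hijacked = foreach ($root in $lnkRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)        # reads the existing .lnk, does not modify it
        $exe = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        if ($browsers -contains $exe -and $lnk.Arguments -match 'https?://') {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }
}

# 2. Scheduled tasks that launch rundll32 with a DLL under ProgramData or a user profile
#    (pattern from the log: rundll32.exe ("C:\ProgramData\<random>\<random>.dll",<export>))
$suspectTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(?i)rundll32' -and $cmd -match '(?i)\\(ProgramData|Users)\\.*\.dll') {
            [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
        }
    }
}

'== Browser shortcuts with URL arguments =='
$hijacked | Format-List
'== Scheduled tasks running rundll32 with a DLL from ProgramData/Users =='
$suspectTasks | Format-List
```

Anything this lists should be compared against the RogueKiller log before removal; a legitimate vendor task that happens to keep a DLL under ProgramData will also match the second check.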
  4. oldkiwirocker

    oldkiwirocker Private E-2

    Hi Tim,
    Thanks for your response. It took me a while to do this as the text list is not in the same order as the list displayed in RK, so I had to find a way of checking what needed to be deleted against a different order. Also the weekend!
    Anyways, I think I have managed to do it and I have attached the post-deletion scan for you.
    Rgds
     


  5. oldkiwirocker

    oldkiwirocker Private E-2

    Further to the above post, it seems (touch wood) that it may have solved the problem.
    I'll leave it for a day or two to confirm or otherwise.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. Let me know how things go. When you are ready, you can do the final clean up:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
  7. oldkiwirocker

    oldkiwirocker Private E-2

    Hi Tim. Have completed the cleanup as requested and am happy to report that whatever malware I had lurking seems to have been successfully eliminated, so thanks again for your help.

    Rgds,
    Norris
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing.
     
