Firefox Search Engine Redirects

Discussion in 'Malware Help (A Specialist Will Reply)' started by cylon5, Mar 14, 2010.

  1. cylon5

    cylon5 Private E-2

    Yesterday my XP machine w/Firefox started redirecting any search. If I manually enter an address, or go to a bookmarked page, there are no issues.

    I followed the XP cleaning procedure, and Combofix reports a possible rootkit. Logs are attached. Can someone please review?

  2. cylon5

    cylon5 Private E-2

    MGlogs...

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello :)

    1. Just an FYI: You should not be using msconfig to control what software runs at start-up. There are much wiser alternatives which you can discuss in the software forum.

    2. I am seeing the below in your add/remove programs listing. What exactly do you still have installed from Symantec?

    • LiveUpdate 3.2 (Symantec Corporation)

    3. Go to TDSSKiller and download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    4. Could you please get this: sctdisk.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    **** log retrievable @ C:\collect.zip


    5. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    Are you set up to use the following proxy? If not then please include it with our other fixable.

    After clicking Fix exit HJT.

    6. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Driver::
    dgof
    ernhec
    lujcs
    rwknmheq
    ymqw
    IOGSTAJEFRK
    
    FileLook::
    c:\windows\system32\sctdisk.sys
    
    RenV::
    c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
    c:\program files\Intel\Modem Event Monitor\intelmem .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\LIVEUPDATE\liveupdate .exe
    c:\program files\Malwarebytes' Anti-Malware\mbam .exe
    c:\program files\NVIDIA Corporation\nView\nwiz .exe
    c:\program files\QuickTime\qttask    .exe
    c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr .exe
    c:\program files\SPAMfighter\sfagent .exe
    c:\program files\Stardock\WinCustomize\BootSkin\bootskin .exe
    c:\program files\SUPERAntiSpyware\superantispyware .exe
    c:\program files\TiVo\Desktop\tivonotify .exe
    c:\program files\TiVo\Desktop\tivoserver .exe
    
    File::
    C:\WINDOWS\SYSTEM32\VFBBYZPUQ
    C:\WINDOWS\SYSTEM32\mmf.sys
    C:\WINDOWS\Temp\hlktmp
    c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
    c:\program files\Intel\Modem Event Monitor\intelmem .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\LIVEUPDATE\liveupdate .exe
    c:\program files\Malwarebytes' Anti-Malware\mbam .exe
    c:\program files\NVIDIA Corporation\nView\nwiz .exe
    c:\program files\QuickTime\qttask    .exe
    c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr .exe
    c:\program files\SPAMfighter\sfagent .exe
    c:\program files\Stardock\WinCustomize\BootSkin\bootskin .exe
    c:\program files\SUPERAntiSpyware\superantispyware .exe
    c:\program files\TiVo\Desktop\tivonotify .exe
    c:\program files\TiVo\Desktop\tivoserver .exe
    c:\windows\system32\drivers\uvtu.sys
    c:\windows\system32\drivers\sytstafr.sys
    c:\windows\system32\drivers\pivkfldq.sys
    c:\windows\system32\drivers\cpfvdq.sys
    c:\tmp\IOGSTAJEFRK.exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    7. From your logs I see that ctfmon.exe is missing from the system32 directory, we will need to replace this, and to do so, please look at the below:

    Running SFC Scannow

    8. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the logs from Combofix and TDSSKiller and the collect.zip into your next reply.

    9. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
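    The RenV:: list in the script above consists entirely of executables whose names carry a space before the extension ("iaanotif .exe", "qttask    .exe"), each of which ComboFix is told to rename back. The following added example, not part of this thread or of ComboFix, sweeps a directory tree for that naming pattern and reports whether a normally named twin sits beside each hit, so a defender can check a machine for the same artifact before deciding what to rename or delete. The function names, the file-extension list and the sample directory layout are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming pattern taken from the RenV:: list above: one or more spaces sit between
# the file's stem and its extension ("iaanotif .exe", "qttask    .exe").
SPACED_NAME = re.compile(r"^(?P<stem>.+?)\s+\.(?P<ext>exe|dll|sys)$", re.IGNORECASE)


def find_spaced_executables(root):
    """Walk `root` and return sorted (path, twin_path_or_None) tuples for every
    file whose name matches SPACED_NAME. `twin_path` is the normally spelled name
    ("qttask.exe") if such a file exists in the same directory, which is the
    arrangement a RenV:: entry is meant to undo."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = SPACED_NAME.match(name)
            if not m:
                continue
            twin = os.path.join(dirpath, f"{m.group('stem')}.{m.group('ext')}")
            findings.append((os.path.join(dirpath, name),
                             twin if os.path.exists(twin) else None))
    return sorted(findings)


def summarize(root):
    """Map each flagged basename to whether a normally named twin was found."""
    return {os.path.basename(p): twin is not None
            for p, twin in find_spaced_executables(root)}


def build_sample_tree():
    """Constructed sample layout (hypothetical, not taken from the thread's logs)."""
    root = tempfile.mkdtemp(prefix="renv_demo_")
    layout = {
        "QuickTime/qttask    .exe": b"MZ renamed original",
        "QuickTime/qttask.exe": b"MZ file occupying the original name",
        "iTunes/ituneshelper .exe": b"MZ renamed original, no twin",
        "Notepad++/notepad++.exe": b"MZ ordinary name, must not be flagged",
        "Docs/readme .txt": b"space before a non-executable extension, ignored",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, twin in find_spaced_executables(sample):
        print(f"{path!r}  twin: {twin!r}")
```

    Run it against a real Program Files tree by passing that directory to find_spaced_executables instead of the constructed sample; a hit with a twin present is the case worth hashing and submitting to a multi-engine scanner before anything is renamed.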
     
  5. cylon5

    cylon5 Private E-2

    Thanks for your reply.

    The only Symantec product installed on my system is Norton Ghost.

    I followed all of your instructions without issue, with the exception of the script to create the collect.zip file. After executing the script, no collect.zip file appeared in the root of the C drive. I did a search for collect.zip, as well as sctdisk.sys, both of which turned up nothing.

    Otherwise, my system seems to be running normally at present, with no search redirects out of Firefox or IE.

    Files are attached as requested.
    Thanks!

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good. Keep me updated about how the machine is behaving.

    ctfmon.exe is still missing. Did you complete the SFC Scannow? If so then you will have to visit the software forum to sort this out.

    There are a couple of files that I am unsure of, let's do this:

    Please go to Jotti's malware scan

    (If more than one file needs to be scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\system32\sctdisk.sys
      
    • At the upload site, click the browse button.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Then do the same for the below files and also let me know the results:

    Code:
    c:\windows\system32\mmf.sys

    Then use windows explorer to right click on each of the files and tell me what info you glean from the properties.
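    The properties requested here (size, size on disk, created and modified dates) can be collected in one pass together with a hash for online lookup and a couple of PE header fields that tell a driver apart from an ordinary program. The script below is an added example, not part of this thread or of any tool named in it; the function names, the 4 KB cluster size used to reproduce Explorer's "Size on disk", and the constructed sample file are all assumptions.

```python
import hashlib
import math
import os
import struct
import tempfile
from datetime import datetime

CLUSTER = 4096  # assumed NTFS cluster size; Explorer's "Size on disk" rounds up to it
MACHINES = {0x14C: "x86", 0x8664: "x64"}
SUBSYSTEMS = {1: "NATIVE (driver)", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def triage(path):
    """Return the properties a helper asks for (size, size on disk, timestamp),
    a SHA-256 for lookups, and a few PE header fields if the file is a PE image."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    info = {
        "size": st.st_size,
        "size_on_disk": math.ceil(st.st_size / CLUSTER) * CLUSTER,
        "modified": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": False,
        "machine": None,
        "subsystem": None,
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Optional header starts 4 (signature) + 20 (COFF header) bytes past e_lfanew;
    # Subsystem sits at offset 68 of the optional header for PE32 and PE32+ alike.
    if len(data) < e_lfanew + 4 + 20 + 70 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (subsystem,) = struct.unpack_from("<H", data, e_lfanew + 4 + 20 + 68)
    info["machine"] = MACHINES.get(machine, hex(machine))
    info["subsystem"] = SUBSYSTEMS.get(subsystem, str(subsystem))
    return info


def build_sample_driver():
    """Constructed, non-functional PE32 image with the NATIVE subsystem, padded to
    the 14.7 KB reported for mmf.sys later in the thread. Hypothetical sample only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<H", opt, 68, 1)                # IMAGE_SUBSYSTEM_NATIVE
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    image += b"\0" * (15052 - len(image))
    path = os.path.join(tempfile.mkdtemp(prefix="triage_demo_"), "mmf.sys")
    with open(path, "wb") as f:
        f.write(image)
    return path


if __name__ == "__main__":
    for key, value in triage(build_sample_driver()).items():
        print(f"{key:>13}: {value}")
```

    Point triage() at the real c:\windows\system32\mmf.sys to get the same fields; the SHA-256 is what to paste into a multi-engine scanner alongside the file, and a NATIVE subsystem confirms the file is built as a kernel driver rather than a user-mode program, which is what a .sys name claims.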
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I see somewhere to retrieve a copy from so at some point we will do this before we wrap up. :)
     
  8. cylon5

    cylon5 Private E-2

    I ran SFC Scannow last night, but failed to reboot after doing so :-o. I rebooted after running the scans of the Jotti web site, and now see ctfmon.exe appear when I search for it.

    I have attached the links generated by the 2 scans made at Jotti's. Nothing was reported in any scan for either file.

    Now I cannot locate sctdisk.sys at c:\windows\system32. I received no error when I prepped for and ran the Jotti scans for this file, but I did reboot since doing this.... Well, that means I have no file properties I can display for sctdisk.sys.

    Properties for mmf.sys:
    Type: system file
    Location: c:\windows\system32
    Size: 14.7KB
    Size on disk: 16.0 KB
    Created: March 15, 2010
    Modified: March 16, 2010

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ok, let's do this and then I want you to let a day or so pass of you using the computer and making a couple reboots, and let me know how things are:

    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Driver::
    sctdisk
    
    File::
    c:\windows\system32\sctdisk.sys
    c:\windows\system32\mmf.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  10. cylon5

    cylon5 Private E-2

    The requested logs are attached :cool

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Alright. After researching the file more thoroughly this morning I believe the mmf.sys file is benign. However the other file that I wasn't sure about:

    is a baddy that combofix was unable to be rid of when I had you run my last script, so... let's try another tool:

    1. Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.



    2. Now run combofix again just by double clicking it.

    3. Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from avenger and also the log from combofix.
     
  12. cylon5

    cylon5 Private E-2

    The requested logs are attached :)

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good. The file I wanted dead does not appear to exist anymore. Combofix showed its presence in your last log, but the newest CF log confirms that it no longer exists.

    Let's just have you do the below and then all being well, I can give you final steps to follow.

    Running RootRepeal

     
  14. cylon5

    cylon5 Private E-2

    I have tried running Root Repeal 2x, and it has locked up in mid-scan both times. Firewall and AV are both bypassed, and I'm not trying to do anything else while the scan is occurring. I'll try again after work and a reboot.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  16. cylon5

    cylon5 Private E-2

    After rebooting and running CCleaner, I was able to run Root Repeal w/o a lock-up. :p I have attached the log.

    By the way, the GMER link in your last post returns a DNS error.

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  18. cylon5

    cylon5 Private E-2

    Kestrel13!

    Thank you very much for your time and effort. It is greatly appreciated:celebrate
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome.... :) Safe surfing.
     
