Blekko virus still present

[Buckleyterp]

I carefully followed all of the steps in malware removal and both MIE 8.0.7601.blah and Firefox 15.0.1 are still infected. Running Windows 7 home premium 64 bit on a Toshiba satellite E205-S1904 with pentium i5. No performance or internet access problems with computer and no problems running the suggested programs.

[chaslang]

Welcome to Major Geeks!

Uninstall the software:
Anti-phishing Domain Advisor
Blekko search bar
Java(TM) 6 Update 24
PC Speed Maximizer v3.0

Now install the current version of Sun Java from: Sun Java Runtime Environment

Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blekkosearch.mystart.com/blek...homepage&v=2_0
R3 - URLSearchHook: (no name) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

After clicking Fix, exit HJT.

Now rE-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

Quote:

[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Anti-phishing Domain Advisor ("C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe") -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND

Then immediately reboot your PC.

Now please download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\windows\TEMP\remcsi.bat
C:\Program Files (x86)\blekkotb_soc
C:\Program Files (x86)\PC Speed Maximizer
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Maximizer
C:\ProgramData\Anti-phishing Domain Advisor
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• the new RogueKiller log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[Buckleyterp]

Dear Chaslang,

Thank you for your kind and timely response to my continuing problem. Please excuse my noobiness, but I found, downloaded and used MGtools.exe. I cannot find a download site for the program MGtools\analyse.exe. And MGtools does not give me a 'Do a System Scan Only' button, so I suspect that MGtools is not what you want me to be running. Please advise.

Buckley

[chaslang]

Quote:

Originally Posted by Buckleyterp

Please excuse my noobiness, but I found, downloaded and used MGtools.exe. I cannot find a download site for the program MGtools\analyse.exe.

You already have it. It is in the MGtools folder. You need to run the analyse.exe program that is in the MGtools folder which is what the below means:

C:\MGtools\analyse.exe

Note that I did not ask you to rerun the MGtools.exe file you originally downloaded. In fact you can delete it to avoid confusion. You don't need the MGtools.exe file anymore.

[Buckleyterp]

Dear Chaslang,

Please excuse the serial posts. Figured out that MGtools\analyse.exe was HijackThis.exe and downloaded the latter and found the buttons mentioned and completed the second set of instructions.
The result is no apparent blekko activity in MIE or FF. Thank you very much for your expertise. The logs are appended as requested.

[Buckleyterp]

Everything was blekko-free. Downloaded Avast! antivirus instead of my previous Prevx. So far, so good. Then I replaced my AdAware virus and antispyware program by downloading it. In the AdAware 'security' search bar that was inserted into Firefox, there was blekko! When I closed the AdAware toolbar, the blekko portion of it was gone, as well. I deleted all AdAware programs and sent them an email asking if they were infected. Now, however, blekko is back in the Firefox toolbar. Here we go again...

[chaslang]

Quote:

Originally Posted by Buckleyterp

Please excuse the serial posts. Figured out that MGtools\analyse.exe was HijackThis.exe and downloaded the latter.

You did not need to download HijackThis.exe. You just needed to run C:\MGtools\analyse.exe You already had it. You just needed to run it from inside the MGtools folder on your C drive.

Your last logs were fine. Since you manage to either reinfect things or Firefox may have still have been infected, I suggest a better way to repair this.



We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:

• Run FireFox and click Bookmarks.
• Then select Organize Bootmarks.
• Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

You will need exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.


Now uninstall FireFox and then reboot. Do not skip the reboot.
After reboot, delete the below folders:

C:\Program Files (x86)\Mozilla Firefox
C:\Users\Nat & Buckley\AppData\Roaming\Mozilla


Now reinstall FireFox from the file previously downloaded.
Import your bookmarks file. (similar process to exporting).

[Buckleyterp]

C:\Users\Nat & Buckley\AppData\Roaming\Mozilla will not let me delete it.
I tried the kill explorer cmd prompt method - no good
Made sure attributes were -s -r -h - no good
I tried TAKEOWN - no good
Changed all filenames down to 'svc.exe' and cold rebooted - no good
Can't use fileassassin - didn't buy Malwarebytes.

Now what?

I have an administrator account 'Daily Account', also with folder AppData\Roaming\Mozilla, etc. what about that one?

With appreciation,

Buckley

[Buckleyterp]

Spoke too soon. Was able to use FileASSASSIN. svc.exe is gone and, of course, when I bothered to look in the 'Daily Account' corresponding folders, no 'svc.exe' is present.

Thank you, thank you.

[Buckleyterp]

I was Blekko free for seven hours. At the beginning of seven hours, I browsed to Lavasoft, saw the Lavasoft partnership with Blekko on the Lavasoft home page and closed that window as fast as possible. I downloaded SUPERAntiSpyware 5.6.1010. I reinstalled Firefox as directed from the desktop but I saved the install program to the regular user account, and so it was installed into the Applications folder, not the Programs (x86) folder, so I had to go into the Administrative account and download Firefox to the Programs folder and uninstall it from the Applications folder. Did I do wrong?
Now, 7 hours later and multiple browsings later, I am in the regular desktop account with Firefox. I just went to a tab that had been on United Airlines and typed 'goo' into the address box. Several websites were autocompleted from history and I clicked on 'google.com' and, instead, a Blekko search appeared with 'google' as the search entry.
What did I do wrong?

[chaslang]

Quote:

Originally Posted by Buckleyterp

I was Blekko free for seven hours. At the beginning of seven hours, I browsed to Lavasoft, saw the Lavasoft partnership with Blekko on the Lavasoft home page and closed that window as fast as possible.

Yes this is old news. See: http://bits.blogs.nytimes.com/2012/03/23/blekko-partners-with-lavasoft-on-spam-free-search/

Quote:

Originally Posted by Buckleyterp

I just went to a tab that had been on United Airlines and typed 'goo' into the address box. Several websites were autocompleted from history and I clicked on 'google.com' and, instead, a Blekko search appeared with 'google' as the search entry.
What did I do wrong?

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\MGlogs.zip

[Buckleyterp]

Thanks, Chaslang. I reran the last set of instructions you gave me concerning backing up, saving installs, then deleting FF and I did this for each of my two user accounts. Then I cold rebooted and installed and I have been Blekko free for about three days, now, so I think the situation is under control. Thank you for keeping on top of it.

With Kindness,

Buckley (also from northern N.J. - didn't think anyone lived there anymore )

[chaslang]

You're welcome.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
2. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Go to add/remove programs and uninstall HijackThis.
6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

[Buckleyterp]

Dear Chaslang,

If an incomplete address is typed into the address line so that the entry resembles a search entry and 'enter' is hit, a blekko search comes up.

This only happens with FF in the 'Nat & Buckley' user account. It does not happen with FF in the Daily Account (administrative) and it does not happen with MIE in either account.

Attached is MGlogs.zip, as requested.

Buckley

[chaslang]

Try the below on this user account


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Then reboot and see if this helped.

[Buckleyterp]

Dear Chaslang,

I followed all of your instructions while I was signed in on the affected user account (non-administrative, "Nat & Buckley"). I saved it to the desktop while in Nat & Buckley. Nevertheless, the Registry Editor info box that came up said: "The keys and values contained in C:\Users\Daily account\Desktop\fixme.reg have been successfully added to the registry" [italics mine], so I do not know if the desktop can belong to N&B or only to the administrative account ("Daily account"). Bottom line: I rebooted and blekko is still haunting the Nat & Buckley FF browser. I did not try the other browsers.

B

[chaslang]

Quote:

Originally Posted by Buckleyterp

I followed all of your instructions while I was signed in on the affected user account (non-administrative, "Nat & Buckley"). I saved it to the desktop while in Nat & Buckley.

You have to give this account adminstrator permissions while doing the cleaning. So do this and try again. If that does not help, it would just be easier and faster to uninstall Firefox and then delete the files and folders for it in both user accounts. Then reboot and reinstall. The problem is that Firefox has basically become infected.

[Buckleyterp]

Well, yes, I tried that quite some time ago. Deleted everything Mozilla or Firefox and reinstalled. As you could tell me better than I could tell you, there is some likely unidentified file sitting somewhere in the Guest account that is keeping blekko active in the Guest usage of FF and reinfects a new installation. I will try to get help from Mozilla. I do not think Lavasoft will help me.

[Buckleyterp]

Dear Chaslang,

Finally got it and Lavasoft forum helped!

Went to about:cofig in FF and reset keyword.url

Now I am free!

[chaslang]

Yes this is in the prefs.js file but I could not see the one from your Guest account ( which should be disabled anyway or did you really mean "Daily account" ) because your last logs had the prefs.js from your main account.

Glad to hear you got it fixed.