Blekko virus still present

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Buckleyterp, Oct 8, 2012.

  1. Buckleyterp

    Buckleyterp Private First Class

    I carefully followed all of the steps in malware removal and both MIE 8.0.7601.blah and Firefox 15.0.1 are still infected. Running Windows 7 home premium 64 bit on a Toshiba satellite E205-S1904 with pentium i5. No performance or internet access problems with computer and no problems running the suggested programs.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Uninstall the software:
    Anti-phishing Domain Advisor
    Blekko search bar
    Java(TM) 6 Update 24
    PC Speed Maximizer v3.0

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blekkosearch.mystart.com/ble...9DDDDEC7115BAA904FCD2B5E27&tbp=homepage&v=2_0
    R3 - URLSearchHook: (no name) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    After clicking Fix, exit HJT.

    Now re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

    Then immediately reboot your PC.

    Now please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\windows\TEMP\remcsi.bat
    C:\Program Files (x86)\blekkotb_soc
    C:\Program Files (x86)\PC Speed Maximizer
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Maximizer
    C:\ProgramData\Anti-phishing Domain Advisor
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the new RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. Buckleyterp

    Buckleyterp Private First Class

    Dear Chaslang, problem understanding directions

    Dear Chaslang,

    Thank you for your kind and timely response to my continuing problem. Please excuse my noobiness, but I found, downloaded and used MGtools.exe. I cannot find a download site for the program MGtools\analyse.exe. And MGtools does not give me a 'Do a System Scan Only' button, so I suspect that MGtools is not what you want me to be running. Please advise.

    Buckley
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Dear Chaslang, problem understanding directions

    You already have it. It is in the MGtools folder. You need to run the analyse.exe program that is in the MGtools folder which is what the below means:

    C:\MGtools\analyse.exe

    Note that I did not ask you to rerun the MGtools.exe file you originally downloaded. In fact you can delete it to avoid confusion. You don't need the MGtools.exe file anymore.
     
  5. Buckleyterp

    Buckleyterp Private First Class

    Dear Chaslang, Figured it out

    Dear Chaslang,

    Please excuse the serial posts. Figured out that MGtools\analyse.exe was HijackThis.exe and downloaded the latter and found the buttons mentioned and completed the second set of instructions.
    The result is no apparent blekko activity in MIE or FF. Thank you very much for your expertise. The logs are appended as requested.
     

    Attached Files:

  6. Buckleyterp

    Buckleyterp Private First Class

    Back to SquareOne

    Everything was blekko-free. Downloaded Avast! antivirus instead of my previous Prevx. So far, so good. Then I replaced my AdAware virus and antispyware program by downloading it. In the AdAware 'security' search bar that was inserted into Firefox, there was blekko! When I closed the AdAware toolbar, the blekko portion of it was gone, as well. I deleted all AdAware programs and sent them an email asking if they were infected. Now, however, blekko is back in the Firefox toolbar. Here we go again... :banghead
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Dear Chaslang, Figured it out

    You did not need to download HijackThis.exe. You just needed to run C:\MGtools\analyse.exe You already had it. You just needed to run it from inside the MGtools folder on your C drive.

    Your last logs were fine. Since you managed to either reinfect things, or Firefox may still have been infected, I suggest a better way to repair this.



    We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:
    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.
    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.


    Now uninstall FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:

    C:\Program Files (x86)\Mozilla Firefox
    C:\Users\Nat & Buckley\AppData\Roaming\Mozilla


    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).
     
  8. Buckleyterp

    Buckleyterp Private First Class

    Still having obstructions

    C:\Users\Nat & Buckley\AppData\Roaming\Mozilla will not let me delete it.
    I tried the kill explorer cmd prompt method - no good
    Made sure attributes were -s -r -h - no good
    I tried TAKEOWN - no good
    Changed all filenames down to 'svc.exe' and cold rebooted - no good
    Can't use fileassassin - didn't buy Malwarebytes.

    Now what?

    I have an administrator account 'Daily Account', also with folder AppData\Roaming\Mozilla, etc. what about that one?

    With appreciation,

    Buckley
     
  9. Buckleyterp

    Buckleyterp Private First Class

    Re: Still having obstructions

    Spoke too soon. Was able to use FileASSASSIN. svc.exe is gone and, of course, when I bothered to look in the 'Daily Account' corresponding folders, no 'svc.exe' is present.

    Thank you, thank you.
     
  10. Buckleyterp

    Buckleyterp Private First Class

    Oh, no! Blekko is back!

    I was Blekko free for seven hours. At the beginning of seven hours, I browsed to Lavasoft, saw the Lavasoft partnership with Blekko on the Lavasoft home page and closed that window as fast as possible. I downloaded SUPERAntiSpyware 5.6.1010. I reinstalled Firefox as directed from the desktop but I saved the install program to the regular user account, and so it was installed into the Applications folder, not the Programs (x86) folder, so I had to go into the Administrative account and download Firefox to the Programs folder and uninstall it from the Applications folder. Did I do wrong?
    Now, 7 hours later and multiple browsings later, I am in the regular desktop account with Firefox. I just went to a tab that had been on United Airlines and typed 'goo' into the address box. Several websites were autocompleted from history and I clicked on 'google.com' and, instead, a Blekko search appeared with 'google' as the search entry.
    What did I do wrong?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Oh, no! Blekko is back!

    Yes this is old news. ;) See: http://bits.blogs.nytimes.com/2012/03/23/blekko-partners-with-lavasoft-on-spam-free-search/


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
     
  12. Buckleyterp

    Buckleyterp Private First Class

    Thanks, Chaslang. I reran the last set of instructions you gave me concerning backing up, saving installs, then deleting FF and I did this for each of my two user accounts. Then I cold rebooted and installed and I have been Blekko free for about three days, now, so I think the situation is under control. Thank you for keeping on top of it.

    With Kindness,

    Buckley (also from northern N.J. - didn't think anyone lived there anymore :-D)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  14. Buckleyterp

    Buckleyterp Private First Class

    Dear Chaslang,

    If an incomplete address is typed into the address line so that the entry resembles a search entry and 'enter' is hit, a blekko search comes up.

    This only happens with FF in the 'Nat & Buckley' user account. It does not happen with FF in the Daily Account (administrative) and it does not happen with MIE in either account.

    Attached is MGlogs.zip, as requested.

    Buckley
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below on this user account


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Then reboot and see if this helped.
     
  16. Buckleyterp

    Buckleyterp Private First Class

    Dear Chaslang,

    I followed all of your instructions while I was signed in on the affected user account (non-administrative, "Nat & Buckley"). I saved it to the desktop while in Nat & Buckley. Nevertheless, the Registry Editor info box that came up said: "The keys and values contained in C:\Users\Daily account\Desktop\fixme.reg have been successfully added to the registry" [italics mine], so I do not know if the desktop can belong to N&B or only to the administrative account ("Daily account"). Bottom line: I rebooted and blekko is still haunting the Nat & Buckley FF browser. I did not try the other browsers.

    B
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to give this account administrator permissions while doing the cleaning. So do this and try again. If that does not help, it would just be easier and faster to uninstall Firefox and then delete the files and folders for it in both user accounts. Then reboot and reinstall. The problem is that Firefox has basically become infected.
     
  18. Buckleyterp

    Buckleyterp Private First Class

    Well, yes, I tried that quite some time ago. Deleted everything Mozilla or Firefox and reinstalled. As you could tell me better than I could tell you, there is some likely unidentified file sitting somewhere in the Guest account that is keeping blekko active in the Guest usage of FF and reinfects a new installation. I will try to get help from Mozilla. I do not think Lavasoft will help me.
     
    Last edited: Nov 20, 2012
  19. Buckleyterp

    Buckleyterp Private First Class

    Got it!

    Dear Chaslang,

    Finally got it and Lavasoft forum helped!

    Went to about:config in FF and reset keyword.url

    Now I am free!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes this is in the prefs.js file but I could not see the one from your Guest account ( which should be disabled anyway or did you really mean "Daily account" ) because your last logs had the prefs.js from your main account.

    Glad to hear you got it fixed.
     
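The fix that finally worked in this thread (resetting keyword.url, which lives in each profile's prefs.js) can be checked for mechanically rather than by eye. The script below is an added example written for this page; it is not code from the thread, from MajorGeeks or from Mozilla. It parses the `user_pref("name", value);` lines of a prefs.js and flags the search-routing preferences whose URL host is not on a list of hosts you trust. The sample prefs.js text, the trusted-host list and the helper names (`parse_prefs`, `find_hijacked_search_prefs`, `scan_prefs_file`) are all constructed for the example; the `mystart.com` host is taken from the HijackThis line earlier in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a Firefox prefs.js, modelled on the symptom in the
# thread: keyword.url silently routes address-bar input to a hijacker's
# search page. These values are made up for the example, not taken from the
# poster's logs.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://blekkosearch.mystart.com/?tbp=homepage");
user_pref("keyword.url", "http://blekkosearch.mystart.com/search.php?q=");
user_pref("keyword.enabled", true);
user_pref("browser.search.defaultenginename", "Google");
user_pref("network.cookie.cookieBehavior", 0);
'''

# One prefs.js entry per line: user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Preferences that decide where address-bar and homepage traffic goes.
# A search hijacker rewrites these; keyword.url is the one from the thread.
SEARCH_PREFS = {
    "keyword.url",
    "browser.startup.homepage",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
}


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js text (strings, bools, ints)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.groups()
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as-is
    return prefs


def find_hijacked_search_prefs(prefs, trusted_hosts):
    """Return (pref_name, host) for search prefs pointing at untrusted hosts."""
    findings = []
    for name in sorted(SEARCH_PREFS):
        value = prefs.get(name)
        if not isinstance(value, str) or "://" not in value:
            continue  # engine names like "Google" carry no URL; nothing to judge
        host = urlparse(value).hostname or ""
        trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
        if not trusted:
            findings.append((name, host))
    return findings


def scan_prefs_file(path, trusted_hosts):
    """Convenience wrapper: read a real prefs.js from disk and check it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacked_search_prefs(parse_prefs(fh.read()), trusted_hosts)


if __name__ == "__main__":
    # Hosts assumed trustworthy for this example; adjust for your own setup.
    trusted = ["google.com", "mozilla.org"]
    for pref, host in find_hijacked_search_prefs(parse_prefs(SAMPLE_PREFS_JS), trusted):
        print(f"{pref} points at untrusted host {host}")
```

Two caveats match what happened in the thread. First, prefs.js is per profile, so it has to be checked under every Windows account's `AppData\Roaming\Mozilla` folder, not only the one you are logged into; a reinstall that leaves those profile folders in place leaves the preference in place too. Second, a `user.js` file in the same profile folder is re-applied on every start and overrides prefs.js, so if the finding keeps coming back after an about:config reset, look there as well.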
