MajorGeeks Support Forums


Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


#1 | 10-08-12, 18:53 | Buckleyterp (Private E-2)
Blekko virus still present

I carefully followed all of the steps in malware removal and both MIE 8.0.7601.blah and Firefox 15.0.1 are still infected. Running Windows 7 home premium 64 bit on a Toshiba satellite E205-S1904 with pentium i5. No performance or internet access problems with computer and no problems running the suggested programs.
Attached Files
File Type: txt RKreport[1].txt (2.3 KB, 2 views)
File Type: log HitmanPro_20121008_1830.log (21.7 KB, 4 views)
File Type: txt TDSSKiller.2.8.10.0_08.10.2012_19.47.31_log.txt (3.4 KB, 1 views)
File Type: zip MGlogs.zip (252.9 KB, 2 views)
File Type: txt mbam-log-2012-10-08 (17-54-06).txt (4.2 KB, 1 views)
#2 | 10-09-12, 01:31 | chaslang (MajorGeeks Admin - Master Malware Expert, Northern New Jersey USA)
Re: Blekko virus still present

Welcome to Major Geeks!

Uninstall the software:
Anti-phishing Domain Advisor
Blekko search bar
Java(TM) 6 Update 24
PC Speed Maximizer v3.0

Now install the current version of Sun Java from: Sun Java Runtime Environment

Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blekkosearch.mystart.com/blek...homepage&v=2_0
R3 - URLSearchHook: (no name) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

After clicking Fix, exit HJT.

Now re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

Quote:
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Anti-phishing Domain Advisor ("C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe") -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
Then immediately reboot your PC.

Now please download OTM by Old Timer and save it to your Desktop.
  • Right-click OTM.exe and select Run as administrator to run it.
  • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
Code:
:Processes
explorer.exe
 
:Files
C:\windows\TEMP\remcsi.bat
C:\Program Files (x86)\blekkotb_soc
C:\Program Files (x86)\PC Speed Maximizer
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Maximizer
C:\ProgramData\Anti-phishing Domain Advisor
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Now click the large button.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.
Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • the C:\_OTM\MovedFiles log
  • the new RogueKiller log
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


#3 | 10-09-12, 11:21 | Buckleyterp (Private E-2)
Dear Chaslang, problem understanding directions

Dear Chaslang,

Thank you for your kind and timely response to my continuing problem. Please excuse my noobiness, but I found, downloaded and used MGtools.exe. I cannot find a download site for the program MGtools\analyse.exe. And MGtools does not give me a 'Do a System Scan Only' button, so I suspect that MGtools is not what you want me to be running. Please advise.

Buckley
#4 | 10-09-12, 13:57 | chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Dear Chaslang, problem understanding directions

Quote (Originally Posted by Buckleyterp):
Please excuse my noobiness, but I found, downloaded and used MGtools.exe. I cannot find a download site for the program MGtools\analyse.exe.
You already have it. It is in the MGtools folder. You need to run the analyse.exe program that is in the MGtools folder which is what the below means:

C:\MGtools\analyse.exe

Note that I did not ask you to rerun the MGtools.exe file you originally downloaded. In fact you can delete it to avoid confusion. You don't need the MGtools.exe file anymore.
#5 | 10-09-12, 14:08 | Buckleyterp (Private E-2)
Dear Chaslang, Figured it out

Dear Chaslang,

Please excuse the serial posts. Figured out that MGtools\analyse.exe was HijackThis.exe and downloaded the latter and found the buttons mentioned and completed the second set of instructions.
The result is no apparent blekko activity in MIE or FF. Thank you very much for your expertise. The logs are appended as requested.
Attached Files
File Type: log 10092012_143940.log (5.8 KB, 2 views)
File Type: txt RKreport[4].txt (2.2 KB, 2 views)
File Type: zip MGlogs.zip (282.9 KB, 2 views)
#6 | 10-10-12, 05:09 | Buckleyterp (Private E-2)
Back to Square One

Everything was blekko-free. Downloaded Avast! antivirus instead of my previous Prevx. So far, so good. Then I replaced my AdAware virus and antispyware program by downloading it. In the AdAware 'security' search bar that was inserted into Firefox, there was blekko! When I closed the AdAware toolbar, the blekko portion of it was gone, as well. I deleted all AdAware programs and sent them an email asking if they were infected. Now, however, blekko is back in the Firefox toolbar. Here we go again...
#7 | 10-10-12, 23:44 | chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Dear Chaslang, Figured it out

Quote (Originally Posted by Buckleyterp):
Please excuse the serial posts. Figured out that MGtools\analyse.exe was HijackThis.exe and downloaded the latter.
You did not need to download HijackThis.exe. You just needed to run C:\MGtools\analyse.exe You already had it. You just needed to run it from inside the MGtools folder on your C drive.

Your last logs were fine. Since you managed to either reinfect things, or Firefox may still have been infected, I suggest a better way to repair this.



We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:
  • Run FireFox and click Bookmarks.
  • Then select Organize Bookmarks.
  • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.
Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.


Now uninstall FireFox and then reboot. Do not skip the reboot.
After reboot, delete the below folders:

C:\Program Files (x86)\Mozilla Firefox
C:\Users\Nat & Buckley\AppData\Roaming\Mozilla


Now reinstall FireFox from the file previously downloaded.
Import your bookmarks file. (similar process to exporting).
#8 | 10-11-12, 07:58 | Buckleyterp (Private E-2)
Still having obstructions

C:\Users\Nat & Buckley\AppData\Roaming\Mozilla will not let me delete it.
I tried the kill explorer cmd prompt method - no good
Made sure attributes were -s -r -h - no good
I tried TAKEOWN - no good
Changed all filenames down to 'svc.exe' and cold rebooted - no good
Can't use fileassassin - didn't buy Malwarebytes.

Now what?

I have an administrator account 'Daily Account', also with folder AppData\Roaming\Mozilla, etc. what about that one?

With appreciation,

Buckley
#9 | 10-11-12, 08:12 | Buckleyterp (Private E-2)
Re: Still having obstructions

Spoke too soon. Was able to use FileASSASSIN. svc.exe is gone and, of course, when I bothered to look in the 'Daily Account' corresponding folders, no 'svc.exe' is present.

Thank you, thank you.
#10 | 10-11-12, 15:48 | Buckleyterp (Private E-2)
Oh, no! Blekko is back!

I was Blekko free for seven hours. At the beginning of seven hours, I browsed to Lavasoft, saw the Lavasoft partnership with Blekko on the Lavasoft home page and closed that window as fast as possible. I downloaded SUPERAntiSpyware 5.6.1010. I reinstalled Firefox as directed from the desktop but I saved the install program to the regular user account, and so it was installed into the Applications folder, not the Programs (x86) folder, so I had to go into the Administrative account and download Firefox to the Programs folder and uninstall it from the Applications folder. Did I do wrong?
Now, 7 hours later and multiple browsings later, I am in the regular desktop account with Firefox. I just went to a tab that had been on United Airlines and typed 'goo' into the address box. Several websites were autocompleted from history and I clicked on 'google.com' and, instead, a Blekko search appeared with 'google' as the search entry.
What did I do wrong?
#11 | 10-13-12, 14:47 | chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Oh, no! Blekko is back!

Quote (Originally Posted by Buckleyterp):
I was Blekko free for seven hours. At the beginning of seven hours, I browsed to Lavasoft, saw the Lavasoft partnership with Blekko on the Lavasoft home page and closed that window as fast as possible.
Yes this is old news. See: http://bits.blogs.nytimes.com/2012/03/23/blekko-partners-with-lavasoft-on-spam-free-search/


Quote (Originally Posted by Buckleyterp):
I just went to a tab that had been on United Airlines and typed 'goo' into the address box. Several websites were autocompleted from history and I clicked on 'google.com' and, instead, a Blekko search appeared with 'google' as the search entry.
What did I do wrong?
Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:
  • C:\MGlogs.zip
#12 | 10-16-12, 05:52 | Buckleyterp (Private E-2)
Re: Blekko virus still present

Thanks, Chaslang. I reran the last set of instructions you gave me concerning backing up, saving installs, then deleting FF and I did this for each of my two user accounts. Then I cold rebooted and installed and I have been Blekko free for about three days, now, so I think the situation is under control. Thank you for keeping on top of it.

With Kindness,

Buckley (also from northern N.J. - didn't think anyone lived there anymore)
#13 | 10-17-12, 00:19 | chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Blekko virus still present

You're welcome.

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
  2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  5. Go to add/remove programs and uninstall HijackThis.
  6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  8. After doing the above, you should work through the below link:
#14 | 11-09-12, 14:23 | Buckleyterp (Private E-2)
Re: Blekko virus still present

Dear Chaslang,

If an incomplete address is typed into the address line so that the entry resembles a search entry and 'enter' is hit, a blekko search comes up.

This only happens with FF in the 'Nat & Buckley' user account. It does not happen with FF in the Daily Account (administrative) and it does not happen with MIE in either account.

Attached is MGlogs.zip, as requested.

Buckley
Attached Files
File Type: zip MGlogs.zip (228.4 KB, 7 views)
#15 | 11-10-12, 12:39 | chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Blekko virus still present

Try the below on this user account


Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


Then reboot and see if this helped.
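The entries chaslang has the user hunt down by hand in post #2 (R0 start page, R3 URLSearchHook, O2 BHO, the Wow6432Node Run value, the Startup-folder shortcuts) and in post #15 (the IE SearchScopes key deleted by fixme.reg) are all ordinary Windows persistence points that can be audited from one script. The PowerShell below is an added example and is not part of this thread, MGtools, HijackThis or RogueKiller. It assumes an elevated PowerShell prompt, the indicator strings are the names that appear in the thread's own logs (anything else you pass in is your own assumption), and the script name `Audit-BrowserHijack.ps1` is hypothetical. Nothing is changed unless `-Remove` is given.

```powershell
# Added example, not from the MajorGeeks thread or its tools. Audits the browser-hijack
# persistence points discussed in posts #2 and #15 and lists matches; -Remove deletes them.
param(
    # Strings taken from the logs quoted in this thread; extend with your own findings.
    [string[]]$Indicators = @('blekko', 'mystart', 'Anti-phishing Domain Advisor', 'visicom', 'PC Speed Maximizer'),
    [switch]$Remove
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Path, [string]$Name, [string]$Value) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Name = $Name; Value = $Value })
}

function Test-Indicator([string]$Text) {
    foreach ($i in $Indicators) { if ($Text -and $Text -like "*$i*") { return $true } }
    return $false
}

# Resolve a CLSID to its DLL (both registry views); $null means HijackThis' "(no file)".
function Get-ClsidDll([string]$Clsid) {
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $dll = (Get-ItemProperty -Path "$root\$Clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { return $dll }
    }
    return $null
}

# R0: per-user IE start/search page values (HKCU, so run once per affected account).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($n in 'Start Page', 'Search Page', 'Default_Page_URL') {
    $v = (Get-ItemProperty -Path $ieMain -Name $n -ErrorAction SilentlyContinue).$n
    if (Test-Indicator $v) { Add-Finding 'R0' $ieMain $n $v }
}

# R3: URLSearchHooks; each value name is a CLSID. A hook with no DLL is still worth removing.
$hooks = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
if (Test-Path $hooks) {
    foreach ($clsid in (Get-Item $hooks).GetValueNames()) {
        $dll = Get-ClsidDll $clsid
        if (-not $dll -or -not (Test-Path $dll)) { Add-Finding 'R3' $hooks $clsid '(no file)' }
        elseif (Test-Indicator $dll) { Add-Finding 'R3' $hooks $clsid $dll }
    }
}

# O2: Browser Helper Objects, one subkey per CLSID (32-bit IE on x64 reads the Wow6432Node copy).
foreach ($bho in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    if (-not (Test-Path $bho)) { continue }
    foreach ($k in Get-ChildItem $bho) {
        $dll = Get-ClsidDll $k.PSChildName
        if (-not $dll -or -not (Test-Path $dll)) { Add-Finding 'O2' $bho $k.PSChildName '(no file)' }
        elseif (Test-Indicator $dll) { Add-Finding 'O2' $bho $k.PSChildName $dll }
    }
}

# Run keys, including the Wow6432Node view that RogueKiller flagged.
foreach ($run in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $run)) { continue }
    $item = Get-Item $run
    foreach ($n in $item.GetValueNames()) {
        $v = $item.GetValue($n)
        if (Test-Indicator "$n $v") { Add-Finding 'RUN' $run $n $v }
    }
}

# Startup-folder shortcuts (RogueKiller's [STARTUP] entries), all-users and current-user folders.
foreach ($dir in "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup") {
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk.FullName).TargetPath
        if (Test-Indicator "$($lnk.Name) $target") { Add-Finding 'STARTUP' $dir $lnk.FullName $target }
    }
}

# IE SearchScopes: each subkey is a search provider; chaslang's fixme.reg deletes one of these.
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    foreach ($k in Get-ChildItem $scopes) {
        $url = (Get-ItemProperty -Path $k.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
        if (Test-Indicator $url) { Add-Finding 'SCOPE' $scopes $k.PSChildName $url }
    }
}

if ($findings.Count -eq 0) { 'No matching entries found.' } else { $findings | Format-Table -AutoSize }

if ($Remove) {
    foreach ($f in $findings) {
        switch ($f.Kind) {
            'R0'      { Set-ItemProperty -Path $f.Path -Name $f.Name -Value 'about:blank' }
            'SCOPE'   { Remove-Item -Path (Join-Path $f.Path $f.Name) -Recurse }
            'O2'      { Remove-Item -Path (Join-Path $f.Path $f.Name) -Recurse }
            'STARTUP' { Remove-Item -Path $f.Name }
            default   { Remove-ItemProperty -Path $f.Path -Name $f.Name }
        }
    }
}
```

Run it once read-only (`powershell -ExecutionPolicy Bypass -File .\Audit-BrowserHijack.ps1`), close every browser window as the post #2 instructions insist, then run it again with `-Remove` and reboot. The R0, R3 and SearchScopes entries live under HKCU, so, as post #17 later discovers, the script has to be run from each user account that shows the hijack, and from an account with administrator rights so the HKLM Run and BHO entries can be removed.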
#16 | 11-12-12, 19:30 | Buckleyterp (Private E-2)
Re: Blekko virus still present

Dear Chaslang,

I followed all of your instructions while I was signed in on the affected user account (non-administrative, "Nat & Buckley"). I saved it to the desktop while in Nat & Buckley. Nevertheless, the Registry Editor info box that came up said: "The keys and values contained in C:\Users\Daily account\Desktop\fixme.reg have been successfully added to the registry" [italics mine], so I do not know if the desktop can belong to N&B or only to the administrative account ("Daily account"). Bottom line: I rebooted and blekko is still haunting the Nat & Buckley FF browser. I did not try the other browsers.

B
#17 | 11-14-12, 22:34 | chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Blekko virus still present

Quote (Originally Posted by Buckleyterp):
I followed all of your instructions while I was signed in on the affected user account (non-administrative, "Nat & Buckley"). I saved it to the desktop while in Nat & Buckley.
You have to give this account administrator permissions while doing the cleaning. So do this and try again. If that does not help, it would just be easier and faster to uninstall Firefox and then delete the files and folders for it in both user accounts. Then reboot and reinstall. The problem is that Firefox has basically become infected.
#18 | 11-20-12, 05:26 | Buckleyterp (Private E-2)
Re: Blekko virus still present

Well, yes, I tried that quite some time ago. Deleted everything Mozilla or Firefox and reinstalled. As you could tell me better than I could tell you, there is some likely unidentified file sitting somewhere in the Guest account that is keeping blekko active in the Guest usage of FF and reinfects a new installation. I will try to get help from Mozilla. I do not think Lavasoft will help me.

#19 | 11-20-12, 05:50 | Buckleyterp (Private E-2)
Got it!

Dear Chaslang,

Finally got it and Lavasoft forum helped!

Went to about:config in FF and reset keyword.url

Now I am free!
#20 | 11-20-12, 21:09 | chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Blekko virus still present

Yes this is in the prefs.js file but I could not see the one from your Guest account ( which should be disabled anyway or did you really mean "Daily account" ) because your last logs had the prefs.js from your main account.

Glad to hear you got it fixed.
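The setting that survived two Firefox reinstalls (post #19) and that chaslang could not see because the logs only carried one account's prefs.js (post #20) is a per-profile preference, and every Windows account on the machine has its own profile folder. The PowerShell below is an added example, not from this thread, Mozilla or MGtools. It walks every profile's prefs.js, reports search-related prefs that point at an indicator string, and with `-Fix` drops the offending lines, which is what "Reset" in about:config does for a user-set pref. It assumes Firefox profiles in the default location, the indicator strings from this thread (blekko, mystart), and that the list of watched pref names (standard Firefox prefs of the Firefox 15 era; later releases removed keyword.url) is a starting point rather than complete.

```powershell
# Added example, not from the MajorGeeks thread. Finds hijacked search prefs in every
# local Firefox profile's prefs.js (post #20) and, with -Fix, removes them (post #19's reset).
param(
    [string[]]$Indicators = @('blekko', 'mystart'),
    [switch]$Fix
)

# Prefs a search hijacker commonly sets; assumption, not an exhaustive list.
$watched = 'keyword.url', 'browser.search.defaultenginename', 'browser.search.selectedEngine',
           'browser.search.defaulturl', 'browser.startup.homepage', 'browser.newtab.url'

# Parse one prefs.js and return the user_pref lines whose name is watched and whose value
# contains an indicator. Lines look like: user_pref("keyword.url", "http://example/?q=");
function Get-HijackedPrefs([string]$PrefsFile) {
    $hits = @()
    foreach ($line in Get-Content -Path $PrefsFile) {
        if ($line -match '^\s*user_pref\("([^"]+)",\s*"(.*)"\);\s*$') {
            $name, $value = $Matches[1], $Matches[2]
            $flagged = ($watched -contains $name) -and ($Indicators | Where-Object { $value -like "*$_*" })
            if ($flagged) {
                $hits += [pscustomobject]@{ File = $PrefsFile; Pref = $name; Value = $value; Line = $line }
            }
        }
    }
    return $hits
}

# One prefs.js per profile per Windows account; scanning all of C:\Users is why the cleanup in
# post #17 had to cover both accounts.
$profiles = Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js' `
                          -ErrorAction SilentlyContinue

foreach ($p in $profiles) {
    $hits = @(Get-HijackedPrefs $p.FullName)
    if ($hits.Count -eq 0) { "clean: $($p.FullName)"; continue }
    $hits | Format-Table Pref, Value, File -AutoSize

    if ($Fix) {
        # Firefox rewrites prefs.js from memory on exit and would undo the edit, so refuse while it runs.
        if (Get-Process -Name firefox -ErrorAction SilentlyContinue) { throw 'Close Firefox first.' }
        Copy-Item -Path $p.FullName -Destination "$($p.FullName).bak"
        $bad = $hits.Line
        # Removing the user_pref line restores Firefox's built-in default for that pref.
        Get-Content -Path $p.FullName | Where-Object { $bad -notcontains $_ } | Set-Content -Path $p.FullName
    }
}
```

Run it from an administrator account so every user's AppData is readable, close Firefox before using `-Fix`, and check the same profile folder for a `user.js`, which Firefox reapplies over prefs.js at every start and which a hijacker can use to re-set keyword.url after the reset.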