cookingluck & toseeka popups still showing up, logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by freeme, Mar 10, 2008.

  1. freeme

    freeme Private E-2

    Hi, great website, great information.

    I walked methodically through your entire readme process, and after having done so, I am still getting cookingluck/toseeka popups.

    I've attached my logs for your review. Any additional guidance is much appreciated.

    My problem started immediately after allowing an ActiveX control to run after Google searching something like '3-d geometric shapes'. A webpage I clicked on as a search result had what looked like a Windows Media Player, but it asked me to download an ActiveX file - I did so, but had a feeling in my gut that I had just done the wrong thing. Turned out I was correct. Shortly thereafter, I would get popup after popup, and if I tried to kill them, they'd just keep coming. Also, other instances of IE would lock up, and when I pressed Ctrl-Alt-Del to kill them (resources were killing the rest of my PC's functioning), my Windows Task Manager button was disabled.

    After running your fixes in your readme thread, the Task Manager is enabled now (thanks!!), but the popups still show up. However, the popups do not show up as frequently, and when I kill them, they seem to stay away for my entire session. In fact, I think they are only now showing up when I reboot.

    An interesting anomaly: when I first finished running all the fixes in the readme, everything seemed to be completely fixed. Now that I've rebooted a couple of times, though, the popups do show up initially, but after I kill a few of them, they stay away.

    Any help is GREATLY appreciated!

    freeme
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not too bad ..let's start with this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop.
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    * Your PC should reboot; if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  3. freeme

    freeme Private E-2

    Thanks for the quick reply!
    I'll work through this and get back to you shortly.
     
  4. freeme

    freeme Private E-2

    Hi TimW,

    Followed your instructions. Logs attached.

    So far, all is running smoothly! Thanks!

    FYI, for completeness, just before I executed the steps you mentioned in your reply, I received a Windows download dialog box asking if I wanted to download cookingluck.com. I clicked the 'cancel' button. The box disappeared.

    One final note for clarification on my part. In the initial README FIRST instructions, there is a note that says it is not a good idea to download SAS, Spybot, etc., to any folder within C:\Documents and Settings. Where not instructed otherwise (i.e. MGTools, which I downloaded to C:\), I downloaded & executed files from my desktop. Hope this is OK.

    Let me know how the logs look. I'll report back any additional symptoms as they arise. I'm guessing after a day or two of heavy usage and multiple reboots, if I see nothing, I should assume I'm clean, correct?

    Thanks,
    freeme
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You still have a few things to fix:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now use Windows Explorer to find and delete:
    C:\WINDOWS\system32\VAT_Error2.ini
    C:\WINDOWS\system32\EEPROMInfo.ini

    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. Then attach the new C:\MGlogs.zip file.
     
  6. freeme

    freeme Private E-2

    TimW,

    Instructions completed.
    Log attached.
    System continues to operate normally.
    Standing by for next steps.

    Thanks,
    freeme
     

    Attached Files:

  7. freeme

    freeme Private E-2

    TimW,

    Yesterday evening, popups returned.

    Also, McAfee found and deleted several items McAfee described as Trojans.

    This morning upon rebooting, 9 popup windows appeared on my desktop, then one by one, they closed without my involvement.

    freeme
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One more time:

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    * Your PC should reboot; if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.

    Now run CCleaner.

    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  9. freeme

    freeme Private E-2

    Followed your instructions with one exception. In your REGEDIT quote, I placed = between "AvpKbd" and -, which is what we did prior. If this is incorrect, let me know.

    Logs attached.

    FYI, the workstation I'm using is my corporate workstation, and McAfee Enterprise with the ePolicy Orchestrator Agent is running. I think it possibly had not been disabled in my previous attempts (it appears ePolicy Orchestrator re-enables it every 15 mins), but this time I did my best to make sure it was disabled throughout the process.

    Thanks,
    freeme
     

    Attached Files:

    Last edited: Mar 13, 2008
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, I somehow missed the "=" ...but it didn't go bye-bye.

    Let's try this in safe mode, again disabling all virus and spyware programs:

    Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    After clicking Fix, exit HJT.
    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. Then attach the new C:\MGlogs.zip file.
     
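The exchange in posts 9 and 10 turns on one character of .reg syntax: `"AvpKbd"=-` tells regedit to delete the value, while `"AvpKbd"-` (no `=`) is not a valid line and removes nothing. The following checker is an added example, not code from the thread or from MGtools; the key path and the sample fixME.reg lines are constructed placeholders, since the thread does not show the actual file.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of a fixME.reg merge; the key path is a
# placeholder and "AvpKbd" is the value name mentioned in the thread.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"AvpKbd"=-

[-HKEY_LOCAL_MACHINE\\SOFTWARE\\PlaceholderVendor\\BadKey]
"""

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                 # [Key] or [-Key]
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "Name"=data or @=data
HEADERS = ("Windows Registry Editor", "REGEDIT4")


def classify_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (action, key, name-or-line) for every directive in a .reg file.

    Actions: delete_key, delete_value, set_value, malformed.  A line such as
    "AvpKbd"-  (missing the '=') is reported as malformed because regedit
    does not treat it as a deletion; that is the slip discussed above.
    """
    results: List[Tuple[str, str, str]] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(HEADERS) or line.startswith(";"):
            continue  # blank, file header or comment
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(2)
            if m.group(1) == "-":
                results.append(("delete_key", current_key, ""))
            continue
        m = VALUE_RE.match(line)
        if m:
            name = m.group(1).strip('"')
            action = "delete_value" if m.group(2) == "-" else "set_value"
            results.append((action, current_key, name))
            continue
        results.append(("malformed", current_key, line))
    return results


if __name__ == "__main__":
    for entry in classify_reg(SAMPLE_REG):
        print(entry)
```

Running it on a file that contains `"AvpKbd"-` reports that line as malformed before it is merged, which is the check a helper would want before asking a user to double-click the file.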
