FunWeb shuts down BO Cleaner and other stuff

Discussion in 'Malware Help (A Specialist Will Reply)' started by trisha, Jan 26, 2008.

  1. trisha

    trisha Corporal

    Actually this is a friend's laptop running WindowsXP Professional.

She had some curious files on her desktop...My Fun Cards...4 copies, an exe file for an anti-spyware program, and a shortcut for a registry cleaning program called Find and Fix Errors. She says she did not download any of this stuff and checked Add/Remove programs and none of this stuff shows up there and does not show up in the Start Programs list.

    When I clicked on one of the My Fun Cards icons it began an installation program and when I clicked cancel BO Cleaner attempted to stop the program stating it was a trojan and did I want to remove the file. I clicked Yes, and then BO Cleaner said it had encountered a problem and had to close and did I want to send an error report.

    I ran SpyBot S&D in Normal mode first and it found the following and removed them.

    MyWebSearch
    FunWeb
    FunWebProducts
    Microsoft.WindowSecurityCenter_disabled
    MyWay.MyWebSearch
    Zango AntiSpam Bar
    Clickbank
    Coremetrics
    Hitbox
    Hotbar
    MediaPlex
    Webtrends live
    Zedo

    There were a couple of others but they were just cookies.

    So I thought things were OK but the icons on the desktop did not disappear and then I saw a few folders in the C:/Program Files area:

    AskPBar/bar/1.bin - empty
    Support.com - empty

    So, I ran SpyBot S&D in safe mode and it came out clean.

    I ran AVG and it found a few cookies and found Hotbar. I hit apply all actions and then tried to save the report but of course there was no report to be saved :(

    I am not sure if the system is clean or not. I am perplexed that I cannot find any associated files for the short cuts or programs. Maybe you can see something in the logs? Thanks.

    Oh, the reason for Microsoft.WindowSecurityCenter_disabled is because there is Norton Security installed on this machine and incidentally all of this stuff has been able to get on this machine since the installation of Norton Internet Security provided by Yahoo/Verizon Online.
     


  2. abri

    abri MajorGeek

    Hi trisha!
    Looks like you got a lot of stuff out. There's a couple of things left:

    1) First of all, what's in the following folders. (do not open any files) Were they installed by the user on purpose?

    C:\Documents and Settings\test
    C:\Documents and Settings\test\Application Data\MSN6
    C:\Documents and Settings\All Users\Application Data\MSN6
    C:\Documents and Settings\All Users\Application Data\Meridian93
    C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
    C:\Program Files\AskPBar
    C:\Program Files\bfgclient <---- also belongs to Big Fish Games


    2) Can you see where this links to in properties?

    C:\Documents and Settings\test\Desktop\Find And Fix Errors.lnk



    3) If there are no add/remove options for the following, please delete them from Windows Explorer:

    C:\Documents and Settings\test\Desktop\msgr8us.exe
    C:\Documents and Settings\test\Desktop\MyFunCardsSetup2.2.60.11-2.exe
    C:\Documents and Settings\test\Desktop\MyFunCardsSetup2.2.60.11-2(2).exe
    C:\Documents and Settings\test\Desktop\MyFunCardsSetup2.2.60.11-2(3).exe
    C:\Documents and Settings\test\Desktop\MyFunCardsSetup2.2.60.11-2(4).exe

    4) Now run CCleaner at the default setting with the Windows tab as the one on top.

    5) Go to add/remove programs and uninstall the below:

    - J2SE Runtime Environment 5.0 Update 6

    6) Reboot after uninstalling the above.

    7) Install the current version of Sun Java from: Sun Java Runtime Environment


    8) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O8 - Extra context menu item: &Search - ?p=ZU

    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" <----- optional

    After you click fix, just close hijackthis.


    9) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    Let me know about the folders above and also, how things are going?
    abri
     
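    Steps 2 and 8 above are done by hand (open the shortcut's Properties, read the HijackThis O4 lines). The script below, an added example and not part of the original thread or of HijackThis/MGtools, does the same two checks from a PowerShell prompt: it lists every Run/RunOnce autostart entry and resolves the target of each shortcut on the user and All Users desktops, flagging shortcuts whose target is a URL (the pattern of the Find And Fix Errors.lnk asked about) or points at a file that no longer exists. The desktop paths and the URL/missing-target heuristics are this example's assumptions, not anything the thread states.

```powershell
# Added example (not from the original thread): list autostart Run entries and
# resolve desktop shortcut targets, flagging URL targets and dangling targets.

# 1) Autostart entries that HijackThis reports as O4 lines.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* bookkeeping properties Get-ItemProperty adds.
        if ($p.Name -match '^PS') { continue }
        "O4  {0}  [{1}]  {2}" -f $key, $p.Name, $p.Value
    }
}

# 2) Desktop shortcuts: resolve .lnk targets through WScript.Shell and read
#    the URL= line of .url files. Paths below are assumptions (XP layout).
$shell = New-Object -ComObject WScript.Shell
$desktops = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:ALLUSERSPROFILE 'Desktop')   # All Users desktop on XP
) | Where-Object { $_ -and (Test-Path $_) }

foreach ($d in $desktops) {
    Get-ChildItem -Path $d -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(lnk|url)$' } |
        ForEach-Object {
            if ($_.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($_.FullName).TargetPath
            } else {
                # .url files are INI text; the URL= line carries the target.
                $line = Get-Content $_.FullName | Where-Object { $_ -match '^URL=' } | Select-Object -First 1
                $target = if ($line) { $line.Substring(4) } else { '' }
            }

            $flag = ''
            if ($target -match '^(https?|ftp)://') {
                $flag = '  <-- opens a web address, not a program: inspect'
            } elseif ($target -and -not (Test-Path $target)) {
                $flag = '  <-- target file missing'
            }
            "LNK {0} -> {1}{2}" -f $_.Name, $target, $flag
        }
}
```

    Run it from a normal (non-elevated) prompt first so HKCU reflects the affected account; run it again as Administrator if the HKLM keys are not readable. Anything flagged as a web address is the kind of "program" shortcut that is really an advertising landing page, which is why Add/Remove Programs shows nothing for it.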
  3. trisha

    trisha Corporal

    Hi abri,

    The test file is a user file. My friend wanted her name to show at the top of the start menu and the system would not let me rename her account without first creating another account with admin privileges. So I did that but then when I tried to delete the folder it says it is a windows system folder and cannot be deleted.

    So under user accounts my friend's name shows up as well as the guest account which is closed. However, looking at the list of users under Windows Task Manager the only user listed is test.

    Contents of the following:

    C:\Documents and Settings\test

    Application Data
    Cookies
    Desktop
    Favorites
    Local Settings
    My Documents
    My Recent Documents
    NetHood
    SendTo
    Start Menu
    Templates
    UserData
    Of course there are files within the folders above. If you want them listed I will do it.

    C:\Documents and Settings\test\Application Data\MSN6 - I don't know who installed this. My friend says she didn't install anything.

    file: msndata.dat

    C:\Documents and Settings\All Users\Application Data\MSN6 - I don't know who installed this. My friend says she didn't install anything.

    file: au.ini

    C:\Documents and Settings\All Users\Application Data\Meridian93 - I don't know who installed this. My friend says she didn't install anything. After viewing the contents of these folders I am wondering if she moved files by accident with the mouse by dragging.

    Flowers
    ->Cached
    -->Data
    --->Sounds
    ---->board
    ----->board_arrive.wav
    ----->chain_submit.wav
    ----->dead.wav
    ----->ill.wav
    ----->rotate.wav
    ---->buttons
    ----->simple_button_selected.wav
    ->Microsoft
    -->Network
    --->Downloader
    -->Office
    --->Data
    ---->data.dat
    -->Provisioning
    -->User Account Pictures
    --->Administrator.bmp
    --->guest.bmp
    --->test.bmp
    --->Thumbs.db
    --->Default Pictures
    ---->airplane.bmp
    ---->astronaut.bmp
    ---->ball.bmp
    ---->...and other various system bmp images
    ->Profiles
    -->adventure.hs
    -->last_logged_user.dat
    -->users.id
    -->0
    --->adventure.game
    --->user.dat


    C:\Documents and Settings\All Users\Application Data\BigFishGamesCache - My friend says she didn't download files from BigFishGames but I know she did because I introduced her to the site and I have the games on my computer as well.

    DRM1
    ->ActivationInformation.xml
    GameManager
    ->ClientConfig
    -->config.xml
    ->GameDB
    -->...several game image files and xml files and a log file
    Persistant
    ->persistant.xml

    C:\Program Files\AskPBar - I am thinking this might be from installing Trillian. The Trillian Basic has two freewares during the installation WeatherBug and Ask Toolbar. I unchecked the options to install these two things during installation. Maybe that is why the folders are empty? There is no visible toolbar.

    bar
    ->1.bin

    C:\Program Files\bfgclient

    BFG.ico
    bfgclient.exe
    bfgcommon.dll
    bfgservices.exe
    bfgprocess.exe
    bfgus.dll
    msvcp71.dll
    msvcr71.dll
    tempo1
    unicows.dll
    uninstall.exe

    <---- also belongs to Big Fish Games

    I checked under properties before I posted for help. The properties show the following:

    Target type: http://zoombli.com/PrimaryLanding/landingan...(the remainder of the link is obscured)

    Target location: Internet Explorer

    Target: (Same as target type above)

    OK, I am going to go finish the rest of the tasks you have detailed. Thanks so much for such detailed instructions.
     
  4. trisha

    trisha Corporal

    Done


    Done

    Done

    Done

    Done
    Done
    I told you about the folders in the other post. The only problem I am seeing now is when I ran ComboFix it did not reset the system clock. Should I just reset the clock myself or run ComboFix again to see if it will fix the problem?

    Also, Symantec is indicating there are things needed to be taken care of, i.e., a system scan for malware and antivirus but it will not respond when I click on the scan button.
     
  5. abri

    abri MajorGeek

    Hi trisha,

    Try resetting the clock as follows
    Can MSN6 be removed via add/remove programs? If not, I'll have you remove it a different way.

    Is test the only user besides administrator (which will only show in safe mode)?

    Please post a fresh MGlogs.zip
    To do this, go to the MGTools folder under C and find the GetLogs.bat file. Run it by double clicking on it. When it's done it will say hit any key ...
    You can find the MGlogs.zip directly under C above the superman icon.
    Thanks.
    abri
     
  6. trisha

    trisha Corporal

    There is no removal through add/remove programs. I believe the MSN6 is the Butterfly browser. She does not use it.

    Debbie shows in users under normal mode.
    However, in normal under task manager the only user listed is test.
    I don't remember for sure but I think Debbie, and administrator show in safe mode.

    Now a new problem. When going to User Accounts and clicking on change picture all of the default pics are gone. The window is empty; this also is true for safe mode.

    I am going to run the MGlog and getlogs.bat


     
  7. trisha

    trisha Corporal

    file attached.
     


  8. abri

    abri MajorGeek

    Hi trisha,

    The logs for this computer are clean. If you feel there are still malware problems, you may want to run some of the Alternate Scans, in particular BitDefender (must be run with Internet Explorer) which also looks at the archived files and several of the rootkit scans. Also, I found a file called C:\WINDOWS\inf\iis.tmp. I'm not sure why this is a tmp file, but you can read about it at the microsoft technet website IIS Lockdown Tool.

    Norton does not get everything.

    If you run any of the alternate scans, attach your results.
    Thanks.
    abri
     
  9. trisha

    trisha Corporal

    Abri,

    Thanks a lot. I am not sure what IIS is and why my friend's laptop would have it after reading the link from Microsoft. Of course I don't understand a lot about servers and such. I do connect her computer to my network (dsl router) when I am fixing her computer. I am running Microsoft Small Business on my desktop.

    You didn't mention anymore about the MSN6 so I guess it is no longer an issue?

    Thanks for all of your help. Yes, I know, Norton does not get everything.

    I guess at this point I will toggle System Restore.
     
  10. abri

    abri MajorGeek

    Hi trisha,
    Yes go ahead with the final cleanup instructions:
    abri
     
