Meloco Browser Hijacker

Thank you for your assistance, it is very greatly appreciated. My daughter had been visiting a music download site (she thinks it is "letitsing.com" or "letssingit.com"). The McAfee software popped up, indicating that a Qoologic trojan had been picked up and deleted. The location was C:\Docs and Settings\Kate\Local Settings\Temp Internet Files\Content.IE5\ADVGD0FU\installer_252[1].exe

I ran a full McAfee Virus Scan, which was clear. I ran Ad-Aware SE Pro and Spybot. However, the next day when my daughter went to use IE again, she called me because the homepage had been reset to a suspicious page that looked like a MySpace type site. http://www.meloco.com/index.php?i=sm. I ran McAfee again, which picked up Webhancer, as well as Ad-Aware SE pro, which picked up 50 or 60 cookies and trackers. A-A SE also reported possible browser hijacker. I had been helped by Major Geeks folx on a previous occasion w a browser hijacker, so I went directly to your site.

As per your Read/Run First directions, we have done the following. I ran the whole suite a second time in safe mode without rebooting, because I had to reboot several times in normal mode during first pass when I was trying to download updates, and there were reinfections.

Ran FindQool, RKTOOL, WinPfind

Ccleaner, Ad-Aware SE pro, Windows Defender, Spybot SD, MS Windows Maliscious Software Removal Tool, Bit Defender, ActiveScan

Ran HJT, report is attached. Also reports for BD, ActiveScan, A-A SE, CCleaner, WD, MSWMSRT, FindQool

I can see in the HJT report that opening IE page for my daughters account is set to Meloco.com, but I don't know enough to recognize whether there are other suspicious files. It would be much appreciated if you could Pls review and provide me direction on removing the browser hijacker and any other maliscious files.

again, thank you for your help.

Alan Traugott

 

I had attached two HJT files and Active Scan log. When I realized I could only attach 3 files, I tried to remove one HJT log and replace w BDScan log, but came back w errors. When I tried to post again w attachments, the program gave me errors. I will reread "how to post" and try again.

 

These are first 3 runs of BDscan, activescan and HJT. I will upload separate 2nd round of same files, plus some additional scans from other programs

 

2nd batch of files

 

3rd batch

 

2nd BD Scan log

PS one of the programs also found unstall.exe, which I deleted

 

In reviewing the Read/Run instructions, I saw that HJT should be run from Normal Boot mode. I think the last scan, HijackThis2.log was run from Safe Mode w Networking, so I reran and attached as HijackThis 3.log. In rebooting and opening IE, McAfee popped up w several cookies, one of which was from Winantivirus, which I denied. New window opened indicating error with following URL.


http://winantivirus.com/pages/scanner/index.php?aid=nm_go_wav_r5&ed=0&ex=1&ax=1&lid=keyin

 

Thanx for your help and patience. I checked Add/Remove Software, no media-motor program. I started up HJT, went to Misc Tools, Uninstall Mgr, tried to save list, but program just closes, no save option. I am in safe mode w networking, do I need to be in normal boot mode? Can I do fixme.reg without uninstall log?

I looked for C:\Windows\unstall.exe, does not seem to be there.

Do I need to do the Disable System Restore steps, as last step?

 

OK, couple of things:

Did all steps as per your instructions

still could not get HJT to save the uninstall list, even after rebooting in normal mode, but in normal mode program just sits there, doesn't close.

After running the scan and saving logfile, program comes up w application error:

Instruction at "0x01608620"referenced memory at "0x01608620" and memory could not be read. Click OK to terminate.

Then, when starting up IE to post reply/logfile, McAfee Privacy service pops up and is blocking MajorGeeks.com, and another window with Internet Explorer Error shows a site http://winantivirus.com/pages/scanner/index.php?aid=nm_go_wav_r5&ed=0&ex=1&ax=1&lid=keyin

I closed windows, added MajorGeeks.com to Accepted Cookies in McAfee Privacy Service so MajorGeeks opened as homepage, but when I clicked Support Forum, same thing happened.

Whole series of windows, looking semi-legit, trying to get me to run a scan from the following site:

http://scanner.sysprotect.com/pages/scanner/?p=20&ex=1&ax=2&aid=nm_go_spt_r5&lid=keyin

I've cancelled out of everything, closed windows, turned off McAfee Privacy Service while I post log

 

When opening IE to MajorGeeks.com, McAfee has been intercepting multiple cookies:
62.4.84.53
cpvfeed.com
xctrk.com
autoweb.com

I rejected all

new window opens on top of homepage (MajorGeeks)

http://count.exitexchange.com/exit/1281705

seems like my daughters bug has morphed to my acct or I've picked up something new from MSN or one of the scan sites.

 

I reran Bitdefender, Spybot, WMST, nothing found.

I reran adaware and it picked up a few cookies again. pls see attached log.

 

Thanx for your followup. I have run Blacklight, Process Explorer and Kaspersky. the logs are attached.

When I went to download Process Explorer, another window popped up - http://www.amaena.com/securityworm5/?aid=nm_go_amn_kw1&lid=ad ware. seems like another fake redirect.

Kaspersky seems to have found several viruses. Pls let me know next steps when you can. thanx for the help

 

Thanx I've received your msg and I will run these steps this evening. I have printed the post so that I have it available offline. A couple of questions to make sure I have it right:

First I download Killbox to own folder
then, unplug cable
reboot in Normal mode (does it matter whether Restart or Shutdown?)
Exit processes in system tray, ie, ATI, AOL, network, McAfee, etc (right click, exit on dropdown menu)
Run Process Explorer as directed for winlogon.exe and explorer.exe (or iexplorer.exe?)
Run fixVundo.reg
Run Pocket Killbox as directed
Run Killbox.exe as directed
Reboot Normal mode (shutdown?)
Post new HJT log

The scan from Kaspersky seemed to indicate virus files in the restore directory, do I need to delete any of those lines/files somewhere in the above process before a final reboot?

 

Got it thanx, starting download and rest of process

 

OK, our story so far...

don't know if this means anything. I've been leaving pc on w screen saver, cable unplugged. when I came home and went to PC to start process, screen had been reset to 480x640, when I went to change settings back to higher rez, pc was acting very sluggish, balky. I think McAfee may have been doing an automatic download. Anyway did as instructed, downloaded Killbox, saved fixVundo.reg in notebook, etc. went to reboot and pc froze. finally had to hit power switch to reboot.

uplugged cable, ran Process Explorer
clicked on winlogon.exe, threads tab
found no instances of asvts.dll

clicked on explorer.exe, found no instances of asvts.dll

merged fixVundo.reg with registry, successful

ran Killbox.exe
tools>Delete Temp Files (for each user) and exited.

pasted stvwa.* files into killbox, w delete on reboot, unregister DLL checkbox not available

clicked yes on last file and rebooted, rebooted OK

Have attached HJT and Process Exp log for Iexplore. While checking logs, noticed that there is a C:\!Killbox directory, checked and found a log subdirectory w log of killbox steps, which is also attached. However also noticed that there are 3 files in same directory: stvwa.ini, stvwa.bak1, stvwa.bak2, should they be there, be deleted? pls advise. thanx!!

 

Oops, sorry about that.

PC seems to be fine, in normal mode, I am able to log on to Majorgeeks.com and support forum, altho McAfee asks whether OK to accept a bunch of cookies, including mediaplex, tribalfusion, atdmt, revsci all of which I've rejected. Also asks permission for majorgeeks.com,which i accepted.

When I switched users to my daughters user acct, and started up iexplorer, it tried to go to meloco home page, but IE said page not available. I switched default homepage to msn and started IE OK. As MSN loading, McAfee asked whether OK to accept multiple cookies, including meloco, 207net, doubleclick, adbrite, live.com, statcounter, all of which I denied.

When I used Killbox to delete temp files, I probably deleted McAfee privacy service database, so I had to remove the program and reinstall it. After reinstalling, restarted PC. Restarted OK. this evening, McAfee Privacy Service also updated and restarted.

As I mentioned on last post, last nite pc was sluggish and balky and screen was reset to 480x640, maybe following a power failure, altho I have pC on APC UPS. I tried to reset screen resolution, but pc hung. When I tried to clear by restarting, PC froze towards end of restart and I had to push and hold power button to reset. I think the PC froze twice and had to be reset.

But now, other than the flurry of maliscious cookies, pc feels normal at moment, fingers crossed, I think you did it. I've opened IE under different users, and everything appears normal, stays on correct homepage. I've restarted a couple of times, still seems normal.

I can't tell you how much I appreciate your help and expertise. I am happy to make a donation to the cause, but you guys ought to consider some kind of subscription service. I understand the satisfaction of volunteering for a worthy cause (I am very involved in developing and promoting "green" buildings for over 15 years), but I would gladly pay a monthly or annual fee to have access to this invaluable service. My IE homepage is set to MajorGeeks.com!

Pls let me know final steps. thanx again!!! Alan T

 

OK, proceeding to Disable and Enable System Restore.

Again, many thanx for your invaluable help!

cheers, alan t

 

Well, this is disappointing, but I did the disable/enable restore, and then updated Adaware and scanned and it found 12 instances of MediaMotor, which I deleted. And then, McAfee popped up and said it had found and deleted a Vundo trojan in file
c:\windows\system32\vtsqr.dll.

I've attached adaware log, and process explorer logs for Winlogon.exe, and explorer.exe. I will post a sep log w iexplorer.exe log

did I just get reinfected?

 

iexplorer.exe log from process explorer

 

No further notifications. I have downloaded Vundofix, will run and attach log next post.

 

no files found, log attached

 

I had also updated and run ccleaner, I think that was before the trojan msg popped up. After the Mcaffee msg showed up, I also ran the fixVundo.reg, so don't know if that impacted process exp logs.

 

I have printed and read How to Protect thread, but have not implemented all of the steps. I will do so this evening. Ran Kaspersky online scanner, which found NSIS. log attached. McAfee scan found nothing else. Blacklight found nothing else. Have not yet run Bitdefender or Panda or Windows Defender. can also do this evening?

 

PS don't think I'm having any other problems as far as browser redirects or popups.

 

SG2 is SkyGolf folder. GPS based navigation for golf courses, distances to green, pin. SG2 Browser enables downloads from SG database for specific courses.

deleted Chadch.exe from Windows

ran windows defender, found nothing

 

thanx! will run thru process once more as per #25. Again, much appreciated. Hopefully this does it for a bit. cheers