Malware Removal Specialist with 141 posts. Join Date: Apr 2008. Experience: Advanced.
Hi Steve,

Quote:
I chose the Vault option but this failed to remove the program.

You took the correct action. Do not take any action concerning Zand22b.exe at this point.
I assume that you performed the steps prior to the removal of FREEzeFlip. Please continue with the following instructions.
- Remove Programs Using Control Panel
Take extra care in answering questions posed by any Uninstaller.
- Click Start > Control Panel and then double-click on Programs and Features.
- Right-click the Java(TM) 6 Update 22 (64-bit) entry, choose Uninstall/Change, and give permission to Continue.
- Right-click the Spam Free Search Bar entry, choose Uninstall/Change, and give permission to Continue.
- Perform a Custom Fix with OTL
- Right-click the OTL icon on your Desktop and select Run As Administrator to run the program.
- In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
Code:
:processes
killallprocesses
:OTL
MOD - [2011/06/28 21:41:54 | 000,569,344 | ---- | M] () -- c:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSAHook.dll
MOD - [2011/06/28 21:41:16 | 000,660,480 | ---- | M] () -- C:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSA.exe
IE - HKU\S-1-5-21-2860897020-2566643238-4265353738-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb&u=2012022471B546ABA640BA459CC8 9F5B&q={searchTerms}
O2 - BHO: (Updater For Spam Free Search Bar) - {20a0be68-8fd9-4539-8712-ce3d1c1fdfc6} - C:\Program Files (x86)\blekkotb\auxi\blekkoAu.dll (Visicom Media)
O2 - BHO: (Spam Free Search Bar) - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - C:\Program Files (x86)\blekkotb\blekkoDx.dll ()
O3 - HKLM\..\Toolbar: (Spam Free Search Bar) - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - C:\Program Files (x86)\blekkotb\blekkoDx.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-2860897020-2566643238-4265353738-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O3 - HKU\S-1-5-21-2860897020-2566643238-4265353738-1003\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [FREEzeFlipSA] C:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSA.exe ()
O4 - HKU\S-1-5-21-2860897020-2566643238-4265353738-1000..\Run: [SuperAdBlocker] C:\Program Files (x86)\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
[1 C:\Users\Stephen\Documents\*.tmp files -> C:\Users\Stephen\Documents\*.tmp -> ]
[1 C:\Users\Stephen\*.tmp files -> C:\Users\Stephen\*.tmp -> ]
:Files
C:\Program Files (x86)\mozilla firefox\searchplugins\blekkotb.xml
C:\Users\Stephen\AppData\Local\{36FF007E-B755-49FB-A7AF-437816B8FBE6}
C:\Users\Stephen\AppData\Local\{EA010AAF-B694-4189-9D67-92F91BB7D993}
C:\Users\Stephen\AppData\Local\{CF02C848-345D-4ED8-BB5B-C8CA3F611EF2}
C:\Users\Stephen\AppData\Local\{0AF7DFAE-F94B-4D15-A0FE-AB240D249A68}
C:\Users\Stephen\AppData\Local\{7F72AF00-738F-4633-9565-F7DCB62BB255}
C:\Users\Stephen\AppData\Local\{F6A7A465-F03B-4B99-9BDD-3C0027B30466}
C:\Users\Stephen\AppData\Local\{84D9E78A-1719-40DD-BE00-728A038DC82A}
C:\Users\Stephen\AppData\Local\{3F7994C8-17E3-4121-A9F0-2A54B22F989F}
C:\Users\Stephen\AppData\Local\{090ED6EE-B3AB-43E5-B287-3602826B9413}
C:\Users\Stephen\AppData\Local\{EFBB750C-2922-4489-84F6-3D44045044A9}
C:\Users\Stephen\AppData\Local\{96F69879-A0BD-4239-8234-3F9BB124D4DD}
C:\Users\Stephen\AppData\Local\{E70C1E1F-0BA6-44A4-9F85-24D073CAEB74}
C:\Users\Stephen\AppData\Local\{E86EB2C7-0E66-49A2-AFB9-355F2F9156D1}
C:\Users\Stephen\AppData\Local\{8D107455-A77F-49D8-B214-A2E593293DB3}
C:\Users\Stephen\AppData\Local\{D7AA2746-D260-4EF0-B80C-AECC7225EEA0}
C:\Users\Stephen\AppData\Local\{EED95E8F-9691-445C-8CBD-A4AA45D5BF3E}
C:\Users\Stephen\AppData\Local\{70E2E621-46C7-4A05-8AB2-228CC189F25D}
C:\Users\Stephen\AppData\Local\{A96B4F81-A5E4-4917-8B19-A9D4E81E80ED}
C:\Users\Stephen\AppData\Local\{B91560E0-456D-4A14-AB0B-7E60FBCDF510}
C:\Users\Stephen\AppData\Local\{426C70A1-562E-4E33-8876-154A72ABF5FA}
C:\Users\Stephen\AppData\Local\{8D183605-8F57-4B98-8E1C-589C7154E2A0}
C:\Users\Stephen\AppData\Local\{C44F227F-7279-43CC-90C5-165FE6B54393}
C:\Users\Stephen\AppData\Local\{8E4A5BF1-FF3B-485E-8951-6904EED86E15}
C:\Users\Stephen\AppData\Local\{FB2BD032-D215-46ED-8124-847D4E0D5B86}
C:\Users\Stephen\AppData\Local\{7DD1C299-6903-4756-9B90-8299BCB53419}
C:\Users\Stephen\AppData\Local\{9D7F5485-10D9-436F-BA94-B090B61C2EDD}
C:\Users\Stephen\AppData\Local\{CDFEBCEB-7FA8-401D-A0CC-E8A776773585}
C:\Users\Stephen\AppData\Local\{93A8CB9F-CD80-4CEC-B73A-948C8B1E965B}
C:\Users\Stephen\AppData\Local\{8F10D4B1-46C1-4416-B346-7372BF7A8786}
C:\Users\Stephen\AppData\Local\{83AC9B27-B34C-4B30-807D-7335C15F5B24}
C:\Users\Stephen\AppData\Local\blekkotb
C:\Program Files (x86)\SuperAdBlocker.com
C:\Program Files (x86)\blekkotb
C:\Users\Cathie\AppData\Roaming\FREEzeFlip
C:\Users\Cathie\AppData\Roaming\SuperAdBlocker.com
C:\Program Files (x86)\FREEzeFlip
:Commands
[CREATERESTOREPOINT]
- Close all running applications other than OTL.
- Click the Run Fix button at the top.
- Let the program run unhindered and reboot the PC when it is done.
- Right-click the OTL icon on your Desktop and select Run As Administrator to run the program again.
- Check the boxes labeled:
- Include 64 bit scans
- Scan All Users
- Extra Registry > Use SafeList <<< Be sure to select this
- Make sure all other windows are closed so that it can run uninterrupted.
- Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt will be displayed and Extras.Txt will be minimized. These are saved in the same location as OTL. (desktop)
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.
- SystemLook
- Click here to download SystemLook by jpshortstuff and save it to your Desktop.
- Right-click the SystemLook.exe icon and select Run As Administrator to run it.
- Copy and paste the contents of the following codebox into the main textfield (do not include the word code:):
Code:
:filefind
*FREEzeFlip*
Zand22b.exe
:folderfind
*FREEzeFlip*
:Regfind
FREEzeFlip
- Click the Look button to start the scan.
Because of the Registry searches, the scan may take a while to run on a large machine. Please be patient.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
- Are you still getting the pop-ups?
After executing the above steps, please use your browser and let me know in your reply if you are still getting the pop-up ads or any other signs of malware.
IMPORTANT: There are still a number of things that we need to do even if you are no longer seeing the pop-up ads. Please continue to reply to my instructions until I tell you that your computer is clear of malware.
Please include in your reply (use separate posts if more convenient):
- The text of any error messages and/or a description of any problems you encountered while performing these steps.
- The contents of the new OTL.txt and Extras.txt logs.
- The contents of the SystemLook.txt log.
- A description of how your computer is running and any Malware symptoms that are still present.
mambass
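
Added example, not part of the post above and not code from OTL: a small Python checker that splits a fix script like the one posted into its ":section" blocks and summarises what it touches before Run Fix is clicked. The section and tag layout is inferred from the script as posted; the function names, the keyword list and the C:\Windows\System32 sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the fix script in the post, plus one
# made-up path (C:\Windows\System32) to show what the review flags.
SAMPLE_FIX = r"""
:processes
killallprocesses
:OTL
O2 - BHO: (Spam Free Search Bar) - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - C:\Program Files (x86)\blekkotb\blekkoDx.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [FREEzeFlipSA] C:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSA.exe ()
:Files
C:\Program Files (x86)\blekkotb
C:\Users\Stephen\AppData\Local\blekkotb
C:\Windows\System32
:Commands
[CREATERESTOREPOINT]
"""

ENTRY = re.compile(r"^(MOD|IE|O\d+) - (.+)$")        # tag layout as seen in the post
ORPHAN = ("File not found", "No CLSID value found")  # markers seen in the post

def parse_sections(text):
    """Split a fix script into {':section': [lines]} on lines starting with ':'."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            current = line.lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def review(text, keywords):
    """Summarise what the script touches so it can be checked before it runs."""
    sec = parse_sections(text)
    entries = [m.groups() for m in map(ENTRY.match, sec.get(":otl", [])) if m]
    kws = [k.lower() for k in keywords]
    return {
        "by_tag": Counter(tag for tag, _ in entries),
        "orphans": [d for _, d in entries if any(o in d for o in ORPHAN)],
        "unexpected_files": [p for p in sec.get(":files", [])
                             if not any(k in p.lower() for k in kws)],
        "restore_point": "[CREATERESTOREPOINT]" in sec.get(":commands", []),
    }
```

Paths listed under unexpected_files are not necessarily wrong (the GUID-named AppData folders in the posted script would appear there too); they are the ones to confirm with the helper before running the fix.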