Tech Support Guy
mambass
Malware Removal Specialist with 141 posts.
 
Join Date: Apr 2008
Experience: Advanced
20-Mar-2012, 01:06 PM #8
Hi Steve,

Quote:
I chose the Vault option but this failed to remove the program.
You took the correct action. Do not take any action concerning Zand22b.exe at this point.

I assume that you performed the steps prior to the removal of FREEzeflip. Please continue with the following instructions.
  1. Remove Programs Using Control Panel
    Take extra care in answering questions posed by any Uninstaller.
    1. Click Start > Control Panel and then double-click on Programs and Features.
    2. Right-click the Java(TM) 6 Update 22 (64-bit) entry, choose Uninstall/Change, and give permission to Continue.
    3. Right-click the Spam Free Search Bar entry, choose Uninstall/Change, and give permission to Continue.

  2. Perform a Custom Fix with OTL
    1. Right-click the OTL icon on your Desktop and select Run As Administrator to run the program.
    2. In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code:
      :processes
      killallprocesses
      
      :OTL
      MOD - [2011/06/28 21:41:54 | 000,569,344 | ---- | M] () -- c:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSAHook.dll
      MOD - [2011/06/28 21:41:16 | 000,660,480 | ---- | M] () -- C:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSA.exe
      IE - HKU\S-1-5-21-2860897020-2566643238-4265353738-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb&u=2012022471B546ABA640BA459CC89F5B&q={searchTerms}
      O2 - BHO: (Updater For Spam Free Search Bar) - {20a0be68-8fd9-4539-8712-ce3d1c1fdfc6} - C:\Program Files (x86)\blekkotb\auxi\blekkoAu.dll (Visicom Media)
      O2 - BHO: (Spam Free Search Bar) - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - C:\Program Files (x86)\blekkotb\blekkoDx.dll ()
      O3 - HKLM\..\Toolbar: (Spam Free Search Bar) - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - C:\Program Files (x86)\blekkotb\blekkoDx.dll ()
      O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
      O3 - HKU\S-1-5-21-2860897020-2566643238-4265353738-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
      O3 - HKU\S-1-5-21-2860897020-2566643238-4265353738-1003\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
      O4 - HKLM..\Run: [] File not found
      O4 - HKLM..\Run: [FREEzeFlipSA] C:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSA.exe ()
      O4 - HKU\S-1-5-21-2860897020-2566643238-4265353738-1000..\Run: [SuperAdBlocker] C:\Program Files (x86)\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe File not found
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
      O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22) 
      [1 C:\Users\Stephen\Documents\*.tmp files -> C:\Users\Stephen\Documents\*.tmp -> ]
      [1 C:\Users\Stephen\*.tmp files -> C:\Users\Stephen\*.tmp -> ]
      
      :Files
      C:\Program Files (x86)\mozilla firefox\searchplugins\blekkotb.xml
      C:\Users\Stephen\AppData\Local\{36FF007E-B755-49FB-A7AF-437816B8FBE6}
      C:\Users\Stephen\AppData\Local\{EA010AAF-B694-4189-9D67-92F91BB7D993}
      C:\Users\Stephen\AppData\Local\{CF02C848-345D-4ED8-BB5B-C8CA3F611EF2}
      C:\Users\Stephen\AppData\Local\{0AF7DFAE-F94B-4D15-A0FE-AB240D249A68}
      C:\Users\Stephen\AppData\Local\{7F72AF00-738F-4633-9565-F7DCB62BB255}
      C:\Users\Stephen\AppData\Local\{F6A7A465-F03B-4B99-9BDD-3C0027B30466}
      C:\Users\Stephen\AppData\Local\{84D9E78A-1719-40DD-BE00-728A038DC82A}
      C:\Users\Stephen\AppData\Local\{3F7994C8-17E3-4121-A9F0-2A54B22F989F}
      C:\Users\Stephen\AppData\Local\{090ED6EE-B3AB-43E5-B287-3602826B9413}
      C:\Users\Stephen\AppData\Local\{EFBB750C-2922-4489-84F6-3D44045044A9}
      C:\Users\Stephen\AppData\Local\{96F69879-A0BD-4239-8234-3F9BB124D4DD}
      C:\Users\Stephen\AppData\Local\{E70C1E1F-0BA6-44A4-9F85-24D073CAEB74}
      C:\Users\Stephen\AppData\Local\{E86EB2C7-0E66-49A2-AFB9-355F2F9156D1}
      C:\Users\Stephen\AppData\Local\{8D107455-A77F-49D8-B214-A2E593293DB3}
      C:\Users\Stephen\AppData\Local\{D7AA2746-D260-4EF0-B80C-AECC7225EEA0}
      C:\Users\Stephen\AppData\Local\{EED95E8F-9691-445C-8CBD-A4AA45D5BF3E}
      C:\Users\Stephen\AppData\Local\{70E2E621-46C7-4A05-8AB2-228CC189F25D}
      C:\Users\Stephen\AppData\Local\{A96B4F81-A5E4-4917-8B19-A9D4E81E80ED}
      C:\Users\Stephen\AppData\Local\{B91560E0-456D-4A14-AB0B-7E60FBCDF510}
      C:\Users\Stephen\AppData\Local\{426C70A1-562E-4E33-8876-154A72ABF5FA}
      C:\Users\Stephen\AppData\Local\{8D183605-8F57-4B98-8E1C-589C7154E2A0}
      C:\Users\Stephen\AppData\Local\{C44F227F-7279-43CC-90C5-165FE6B54393}
      C:\Users\Stephen\AppData\Local\{8E4A5BF1-FF3B-485E-8951-6904EED86E15}
      C:\Users\Stephen\AppData\Local\{FB2BD032-D215-46ED-8124-847D4E0D5B86}
      C:\Users\Stephen\AppData\Local\{7DD1C299-6903-4756-9B90-8299BCB53419}
      C:\Users\Stephen\AppData\Local\{9D7F5485-10D9-436F-BA94-B090B61C2EDD}
      C:\Users\Stephen\AppData\Local\{CDFEBCEB-7FA8-401D-A0CC-E8A776773585}
      C:\Users\Stephen\AppData\Local\{93A8CB9F-CD80-4CEC-B73A-948C8B1E965B}
      C:\Users\Stephen\AppData\Local\{8F10D4B1-46C1-4416-B346-7372BF7A8786}
      C:\Users\Stephen\AppData\Local\{83AC9B27-B34C-4B30-807D-7335C15F5B24}
      C:\Users\Stephen\AppData\Local\blekkotb
      C:\Program Files (x86)\SuperAdBlocker.com
      C:\Program Files (x86)\blekkotb
      C:\Users\Cathie\AppData\Roaming\FREEzeFlip
      C:\Users\Cathie\AppData\Roaming\SuperAdBlocker.com
      C:\Program Files (x86)\FREEzeFlip
      
      :Commands
      [CREATERESTOREPOINT]
    3. Close all running applications other than OTL.
    4. Click the Run Fix button at the top.
    5. Let the program run unhindered and reboot the PC when it is done.
    6. Right-click the OTL icon on your Desktop and select Run As Administrator to run the program again.
    7. Check the boxes labeled:
      • Include 64 bit scans
      • Scan All Users
      • Extra Registry > Use SafeList <<< Be sure to select this
    8. Make sure all other windows are closed so that it can run uninterrupted.
    9. Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so. The scan won't take long.
    10. When the scan completes, it will open two notepad windows. OTL.Txt will be displayed and Extras.Txt will be minimized. These are saved in the same location as OTL. (desktop)
    11. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.

  3. SystemLook
    1. Click here to download SystemLook by jpshortstuff and save it to your Desktop.
    2. Right-click the SystemLook.exe icon and select Run As Administrator to run it.
    3. Copy and paste the contents of the following codebox into the main textfield (do not include the word code:):
      Code:
      :filefind
      *FREEzeFlip*
      Zand22b.exe
      
      :folderfind
      *FREEzeFlip*
      
      :Regfind
      FREEzeFlip
    4. Click the Look button to start the scan.
      Because of the Registry searches, the scan may take a while to run on a large machine. Please be patient.
    5. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  4. Are you still getting the pop-ups?
    After executing the above steps, please use your browser and let me know in your reply if you are still getting the pop-up ads or any other signs of malware.
    IMPORTANT: There are still a number of things that we need to do even if you are no longer seeing the pop-up ads. Please continue to reply to my instructions until I tell you that your computer is clear of malware.


Please include in your reply (use separate posts if more convenient):
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the new OTL.txt and Extras.txt logs.
  3. The contents of the SystemLook.txt log.
  4. A description of how your computer is running and any Malware symptoms that are still present.


mambass
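
The following is an added example, not part of mambass's post or of OTL itself: a small Python parser for the `:OTL` entry lines used in the fix above, which labels each line by its autostart category and checks that every live binary it references sits under a directory listed in `:Files`. The function names and the category wording are assumptions made for illustration; the sample lines are copied from the fix.

```python
import re

# What the line prefixes in the :OTL section denote (HijackThis-style
# categories that OTL logs reuse).
CATEGORIES = {
    "MOD": "loaded module", "IE": "Internet Explorer setting",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "Run-key autostart", "O16": "downloaded ActiveX control",
}
PREFIX_RE = re.compile(r"^(MOD|IE|O\d+)\s+-\s+")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)

def parse_entry(line):
    """Turn one :OTL line into a dict, or None if it is not an entry."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    clsid, path = CLSID_RE.search(line), PATH_RE.search(line)
    return {
        "category": CATEGORIES.get(m.group(1), "other"),
        "clsid": clsid.group(0).upper() if clsid else None,
        "path": path.group(0) if path else None,
        # OTL flags registry entries whose target no longer exists
        "orphaned": "File not found" in line or "No CLSID value found" in line,
    }

def uncovered(entries, removed_dirs):
    """Paths of live entries not under any directory in the :Files list."""
    dirs = [d.lower().rstrip("\\") + "\\" for d in removed_dirs]
    return [e["path"] for e in entries
            if e["path"] and not e["orphaned"]
            and not any(e["path"].lower().startswith(d) for d in dirs)]

# Lines copied from the fix in the post above.
OTL_LINES = r"""
MOD - [2011/06/28 21:41:54 | 000,569,344 | ---- | M] () -- c:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSAHook.dll
O2 - BHO: (Spam Free Search Bar) - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - C:\Program Files (x86)\blekkotb\blekkoDx.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [FREEzeFlipSA] C:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSA.exe ()
O4 - HKU\S-1-5-21-2860897020-2566643238-4265353738-1000..\Run: [SuperAdBlocker] C:\Program Files (x86)\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe File not found
""".splitlines()
FILES = [r"C:\Program Files (x86)\blekkotb", r"C:\Program Files (x86)\FREEzeFlip"]

ENTRIES = [e for e in map(parse_entry, OTL_LINES) if e]

if __name__ == "__main__":
    for e in ENTRIES:
        print(e)
    print("not covered by :Files ->", uncovered(ENTRIES, FILES))
```

An empty result from `uncovered` means every binary that the registry entries still point to is also scheduled for deletion, so the fix leaves no autostart entry referencing a file outside the removed folders.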