Mixidj - Not Sure if it is Malware or Just a Hijack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jonesey, May 19, 2013.

  1. jonesey

    jonesey Private E-2

    Hello - any help you could give would be much appreciated, as I am struggling with MixiDJ.

    Like several other people who have posted on MixiDJ, I am struggling to figure out whether MixiDJ is malware, or just a basic browser hijack.

    I just ran a quick scan on MBAM and attached the log.

    Sorry that this question has been asked before. I am struggling to figure out how to approach removing MixiDJ.

    Thanks!

    Ray
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. jonesey

    jonesey Private E-2

    Hey! We went back and followed all of the instructions and completed the various downloads and scans. We were not able to get the logs for tdsskiller and hitmanpro to save. But - here are the three other logs.

    The MixiDJ toolbar is still on my browsers and it is still creating pop-ups every time you enter something into the browser address bar.

    Let me know the next step. Thanks!
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What browser are you using?

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\USER\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-2921965164-1417254725-3561152691-1000[...]\Run : SearchProtect (C:\Users\USER\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
    • [TASK][SUSP PATH] CandyUpdater.job : C:\Users\USER\AppData\Local\ArcadeCandy\candyUpdater.exe [-] -> FOUND
    • [TASK][SUSP PATH] CandyUpdater : C:\Users\USER\AppData\Local\ArcadeCandy\candyUpdater.exe [-] -> FOUND
    • [TASK][SUSP PATH] Updater26278.exe : C:\Users\USER\AppData\Local\Updater26278\Updater26278.exe /extensionid=26278 /extensionname="Solid Savings" /chromeid=cijeeimilokkhlfjombmalgpabbonmah [x] -> FOUND
    • [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (actsvr.comcastonline.com:8100) -> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Please download Junkware Removal Tool to your desktop.

    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now reboot and rescan with RogueKiller and attach that log as well.

    Tell me how things are running.
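    An added example, not part of this thread or of RogueKiller's own code: a read-only PowerShell audit that reproduces the three classes of detection in the RogueKiller list above (per-user Run entries, scheduled tasks, the IE proxy value) and flags commands that launch from AppData the way the [SUSP PATH] tag does. It assumes Windows Vista/7 or later with schtasks.exe available, and it only reports; nothing is deleted.

```powershell
# Added example (not from the thread or RogueKiller): read-only audit of the three
# persistence/traffic points behind the detections listed above. Reports only.
$susp = '\\AppData\\(Roaming|Local)\\'   # user-writable profile dirs, as in the listed detections
$findings = @()

# 1. Run keys: HKCU is the per-user key shown as HKCU\...\Run (and HKUS\<SID>\...\Run) above;
#    HKLM is included as well because machine-wide entries deserve the same check.
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $runKey)) { continue }
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc. added by the provider
        $cmd = [string]$p.Value
        $tag = if ($cmd -match $susp) { 'SUSP PATH' } else { 'ok' }
        $findings += [pscustomobject]@{ Type = 'RUN'; Name = $p.Name; Command = $cmd; Tag = $tag }
    }
}

# 2. Scheduled tasks. schtasks exists on Vista/7 too; its verbose CSV repeats the header
#    line for every task folder, so those rows are dropped after parsing.
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
         Where-Object { $_.TaskName -ne 'TaskName' }
foreach ($t in $tasks) {
    $cmd = [string]$t.'Task To Run'
    if ($cmd -match $susp) {
        $findings += [pscustomobject]@{ Type = 'TASK'; Name = $t.TaskName; Command = $cmd; Tag = 'SUSP PATH' }
    }
}

# 3. WinINET (IE) proxy: the [PROXY IE] line above is this value, active when ProxyEnable is 1.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
    $findings += [pscustomobject]@{ Type = 'PROXY IE'; Name = 'ProxyServer'; Command = $inet.ProxyServer; Tag = 'SET' }
}

# Suspicious rows first, so a SearchProtect-style Run entry or AppData task stands out
$findings | Sort-Object Tag -Descending | Format-Table -AutoSize
```

Run it before and after a cleanup pass to confirm that the flagged Run entries, tasks and proxy value are actually gone rather than recreated on the next browser start.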
     
  5. jonesey

    jonesey Private E-2

    Hey Tim....

    Aw man - I think you have me on the right path - but I ruined it on step three.

    Here is what happened. I ran RogueKiller.exe and it ran exactly like you had said - and I was able to click and delete everything on the registry list that you provided.

    Then - I ran Junkware Removal Tool (after having shut down everything on my anti-virus). As you said, it took a few minutes to run.

    I then blew it on step three.

    The problem was that I had your instructions open in Google Chrome - thinking that I would cut and paste the REGEDIT4 command after the Junkware Removal Tool finished running.

    This proved to be my fatal flaw.

    The Junkware Removal Tool closed Google Chrome, which meant that I had to reopen Google Chrome in order to get to the REGEDIT4 command to cut and paste.

    On one hand, your approach seems to have worked, in that the MixiDJ toolbar and popup were gone when I opened Chrome. Unfortunately, it immediately reinstalled MixiDJ.

    I even went back and tried to follow your instructions on Roguekiller again - but the list of registry flaws (specifically the two RUN flaws and the three TASK flaws) did not appear this time. I just went back and ran it again - the RUN and TASK flaws are not appearing.

    Interestingly, I went back and typed in the full REGEDIT4 command by hand, and I did receive a success message. But - MixiDJ has completely reinstalled itself (and I only have myself to blame, as we were really close).

    Anyway - enough kicking myself - here is what I am thinking. If you can tell me how to get back to where RogueKiller will again present me with the two RUN flaws and the three TASK flaws - I will go in beforehand and have the fixME.reg file preloaded onto my desktop (in fact, it is still there - let me know if you just want me to use it again - as it did generate a success message). Then, this time, I won't reopen Google Chrome until after the fixME.reg file gives me a success message.

    Let me know if this is a good plan. Sorry again for messing your excellent instructions....
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new C:\MGLogs.zip.
     
  7. jonesey

    jonesey Private E-2

    Thanks Tim!

    I just ran it. Here is the mglogs.zip file

    Ray

     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new C:\MGLogs.zip.
     
  9. jonesey

    jonesey Private E-2

    Hey Tim....

    I just followed the instructions from your last message. I saved the new fixME.reg file (as "all files") and double-clicked it. I received a success message.

    I then ran mgtools, and have attached the log file.

    I apologize if I missed something. I wasn't sure if I was supposed to go back and follow one of the earlier steps.

    Thanks for your help! Let me know the next step.

    Ray

     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. Tell me if you have any more issues.
     
  11. jonesey

    jonesey Private E-2

    No Tim - MixiDJ is still as bad as ever. We still have the MixiDJ toolbar installed, it still pops up a video ad every few minutes and it still pushes a MixiDJ popup every time you go to a new website.

    The only thing that seemed to have any impact on it was last week when you had me run this:

    [RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\USER\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-2921965164-1417254725-3561152691-1000[...]\Run : SearchProtect (C:\Users\USER\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
    [TASK][SUSP PATH] CandyUpdater.job : C:\Users\USER\AppData\Local\ArcadeCandy\candyUpdater.exe [-] -> FOUND
    [TASK][SUSP PATH] CandyUpdater : C:\Users\USER\AppData\Local\ArcadeCandy\candyUpdater.exe [-] -> FOUND
    [TASK][SUSP PATH] Updater26278.exe : C:\Users\USER\AppData\Local\Updater26278\Updater26278.exe /extensionid=26278 /extensionname="Solid Savings" /chromeid=cijeeimilokkhlfjombmalgpabbonmah [x] -> FOUND
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (actsvr.comcastonline.com:8100) -> FOUND

    This seemed to stop it for about a minute until it reinstalled itself when I reopened Google Chrome.

    And - My Dad is getting concerned, because one of his recent files (an Excel file) has suddenly disappeared and is not even in the Recycle bin. We are worried that this thing is really bad.

    Do you think we should take this in to a computer professional? I feel like I might be doing more harm than good by trying to remove this thing on my own.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    While you have Google Chrome open, type this into the address bar and press ENTER: chrome://chrome/settings/

    From here you should be able to remove any settings related to MixiDJ.

    Tell me what you find.
     
  13. jonesey

    jonesey Private E-2

    Hey Tim....

    I'm sorry - while I understand the basic principles of browser settings, most of this is way over my head. My Dad looked at it the other day and then I looked at it just now. The only thing we see in the Chrome settings is that the MixiDJ page is listed as our default start page. This is the only reference to MixiDJ that I could see in the settings, but again, I have no idea where to look for it.

    I know that MixiDJ has the start page in both of our browsers (Chrome and IE), but it also has the MixiDJ toolbar installed on both of our browsers as well - but I don't know where it is installed.

    And - MixiDJ still pushes pop-up ads every few minutes when either of these browsers is open.

    And, as I told you in my last message, my Dad is concerned when we run the various "cleaner" programs that we have been running, because something seems to have erased two of his Excel files and an MS-Word file that were located in his "Most Recent" files list. We are unsure when these programs because we don't know what all they are doing.

    Thanks for your help. Let me know if you think this is fixable....

     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any instance of it in your logs. You may have to post in the software forum for instructions regarding changing your home page.

    Let's do one more thing:

    Rescan with both RogueKiller and Hitman and attach the logs.
     
