mixi malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by alverton, Jun 15, 2013.

  1. alverton

    alverton Private E-2

    Hi

    Yesterday I installed the file cataloguer (Cathie) from the CNET website and I believe this led to my PC becoming infected with the Mixi toolbar malware. Both Firefox and IE are infected and regularly a pair of popups appear for a web feed called News.net. Also the vertical slider bars on the right of my windows are behaving strangely - this happened at the same time. For example the slider is only active if I use the up arrow and slide the window contents all the way to the top. If I release the slider and then resume it is stuck and I must use the up arrow again.

    I have run through your pre-checks and created the attached files. As six are required I have only attached the first five and will attempt to add the sixth in a following message.

    Your help would be appreciated - thank you



    richard
     

    Attached Files:

    alverton, Jun 15, 2013
    #1
  2. alverton

    alverton Private E-2

    And here is my sixth file regarding Mixi

    Here is the final file - associated with my last email
     

    Attached Files:

    alverton, Jun 15, 2013
    #2
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a lot more than that on your PC.

    Uninstall the below:
    Ask Toolbar
    BrowserDefender
    MixiDJ chrome Toolbar
    MixiDJ Toolbar


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now run a new scan with Hitman Pro and attach the new log from this too.
     
    chaslang, Jun 16, 2013
    #3
  4. alverton

    alverton Private E-2

    Hi thanks for your reply. I was able to uninstall everything except for the two Ask programs. On the second one I got the message that I need to contact my system administrator as I do not have enough priveleges. However I am the administrator for this laptop.

    Therefore I have not completed the other parts of your email yet.
     
    alverton, Jun 17, 2013
    #4
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There was only one Ask Toolbar in your logs. Are you saying you saw it more than once?

    Just continue on with all the next steps anyway.
     
    chaslang, Jun 17, 2013
    #5
  6. alverton

    alverton Private E-2

    Hi

    Thanks again I managed to remove the Ask Toolbar, but an Ask Toolbar updater is not uninstallable.

    I then completed the two attached files
     

    Attached Files:

    alverton, Jun 18, 2013
    #6
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    R3 - URLSearchHook: (no name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
    R3 - URLSearchHook: (no name) - {a060276a-53be-45ec-8ebe-b94b1e803179} - (no file)
    R3 - URLSearchHook: (no name) - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - (no file)


    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
explorer.exe


:Files
C:\Program Files (x86)\Ask.com
C:\ProgramData\BrowserDefender
C:\WINDOWS\tasks\TopArcadeHits.job
C:\WINDOWS\tasks\{915ED9CB-7196-4396-8194-34519CCCA219}.job
C:\Users\Richard\AppData\Local\Smartbar
C:\ProgramData\Babylon
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
C:\ProgramData\BrowserDefender
C:\Program Files (x86)\Ask.com                                                                         
C:\Users\Richard\AppData\Local\Temp\*.*


:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{15D2D75C-9CB2-4efd-BAD7-B9B4CB4BC693}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"BrowserMngrDefaultScope"=-
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
"bProtectorDefaultScope"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7E5082E3-2D07-4490-8DEE-6F71F46F88D6}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Infrastructure Helper"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"ApnUpdater"=-

[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
"ApnUpdater"=-

[HKEY_USERS\S-1-5-21-2479586879-1573352390-180901207-1004\Software\Microsoft\Windows\CurrentVersion\run]
"Browser Infrastructure Helper"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D6A9BBF-402C-4301-B1EF-28D04F71D761}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
"{CA9B9C89-4662-4ADC-9C23-A452BECD5D19}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{16466D47-74A8-4928-B8B2-07CD79ABFC9F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26D5CC0A-7A46-4D86-AF45-2EFA320B0C54}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D13AC8F-037E-40C5-ADA6-231BA74EA2F4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{322EDCF5-9E7D-4021-8C67-F3FFE4961A38}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3E254398-828F-4D51-A39E-3F6B6D96A12C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{442DAF0C-7EAD-48D9-ABEA-E0036470D6D5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{58EB187D-24F8-4423-BD6C-655CE4C416BD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6BEB066C-A791-4A21-B934-7783533FE888}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A07612DF-B1DD-484F-A1C3-36CA4CE919D2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A76F97B2-2C56-456A-A29E-72741595C2E8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B19D9D96-E59C-4936-B283-8A831CDB3A53}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DC8AAABA-3F8B-4866-8B3A-D9368133A478}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E15519AE-99BE-42DD-BE60-FFC3C183F443}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\YontooIEClient.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{A8F0AD53-1AEE-447E-89CD-71C325796F84}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{F5F971A9-DBF8-4EEC-81E3-5F1660573E6C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Babylon]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BabylonToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_USERS\S-1-5-21-2479586879-1573352390-180901207-1004\Software\DataMngr]
[-HKEY_USERS\S-1-5-21-2479586879-1573352390-180901207-1004\Software\DataMngr_Toolbar]
[-HKEY_USERS\S-1-5-21-2479586879-1573352390-180901207-1004\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_USERS\S-1-5-21-2479586879-1573352390-180901207-1004\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
[-HKEY_USERS\S-1-5-21-2479586879-1573352390-180901207-1004\Software\Microsoft\Internet Explorer\Approved Extensions\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_USERS\S-1-5-21-2479586879-1573352390-180901207-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
[-HKEY_USERS\S-1-5-21-2479586879-1573352390-180901207-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXTlog
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    chaslang, Jun 19, 2013
    #7
  8. alverton

    alverton Private E-2

    Hi Again

    Thanks so much for your help. I have completed the previous instructions. I have not noticed anything odd about my PC yet - I will let things run for a few days to see if anything emerges.

    Two of the three files requested files are attached - in case you can spot any other issues. Unfortunately the MG file did not save but it appeared to remove the four lines of checked items successfully.

    Much appreciate your expert advise and assistance.

    Richard
     

    Attached Files:

    alverton, Jun 19, 2013
    #8
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was not the program that produces the log. You need to run what was requested at the end of the last fix
    Then attach the new MGlogs.zip file

    Also tell me how things are running now after the last couple days.
     
    chaslang, Jun 21, 2013
    #9
  10. alverton

    alverton Private E-2

    Hi

    Apologies for the mistake here is the file that you requested.

    Best regards

    Richard

    The computer has been running well the last 24 hours.

    PS It appears that the ask-toolbar is sourced from Java update files - pity they cause so much trouble with those. Do I continue to update Java and continue to expose myself to this risk?
     

    Attached Files:

    alverton, Jun 22, 2013
    #10
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you install the full Java program, it asks you if you want to install Ask Toolbar. You can and should uncheck it. ;) During normal updates, they do not reinstall this junk.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
    chaslang, Jun 22, 2013
    #11

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds