#46
# AdwCleaner v2.005 - Logfile created 10/16/2012 at 15:46:32
# Updated 14/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Kathy - COMPUTER
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Kathy\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Deleted : C:\Documents and Settings\Home\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Kathy\Application Data\searchquband
Folder Deleted : C:\Documents and Settings\Kathy\Local Settings\Application Data\APN
Folder Deleted : C:\Documents and Settings\Kathy\Local Settings\Application Data\Wajam
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search

***** [Registry] *****

Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Kathy\Application Data\Mozilla\Firefox\Profiles\es39fw3d.default\prefs.js

C:\Documents and Settings\Kathy\Application Data\Mozilla\Firefox\Profiles\es39fw3d.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.aol.com/search/search?query={searchTerms}&invo[...]
Deleted : user_pref("extensions.basicscan.init", true);
Deleted : user_pref("extensions.toolbar.mindspark._5zMembers_.homepage", "hxxp://home.mywebsearch.com/index.jh[...]
Deleted : user_pref("extensions.wajam.affiliate_id", "3004");
Deleted : user_pref("extensions.wajam.firstrun", "false");
Deleted : user_pref("extensions.wajam.log_send_info", "false");
Deleted : user_pref("extensions.wajam.mappingListJsonString", "{\"version\":\"0.21083\",\"supported_sites\": {\[...]
Deleted : user_pref("extensions.wajam.no_trace", "false");
Deleted : user_pref("extensions.wajam.server_current_mapping_version", "0.21083");
Deleted : user_pref("extensions.wajam.supported_sites.google.wajam_google_se_js", "try {window['APP_LABEL_NAME[...]
Deleted : user_pref("extensions.wajam.trace_log", "1343627180211 - onFlagInfoReceived - No user current mappin[...]
Deleted : user_pref("extensions.wajam.unique_id", "4B8C79D596FBE97D0E5505A748510EAD");
Deleted : user_pref("extensions.wajam.user_current_mapping_version", "0");
Deleted : user_pref("extensions.wajam.version", "1.25");
Deleted : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid=%7B93279a7a-6fe7-4649-b946-bc884e85077f[...]

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.40] : icon_url = "hxxp://isearch.avg.com/favicon.ico",
Deleted [l.43] : keyword = "isearch.avg.com",
Deleted [l.46] : search_url = "hxxp://isearch.avg.com/search?cid={0CFD2D56-587C-4E98-878E-26CCFA861508}&mid=b757975cf7fe47d191cfd15a920d0fab-b4a3c1beb6c5816b3fd0b2430ad8548cc6d18a1e&lang=en&ds=AVG&pr=pr&d=2012-08-03 03:13:00&v=11.1.0.12&sap=dsp&q={searchTerms}",

*************************

AdwCleaner[R1].txt - [5707 octets] - [15/10/2012 20:19:45]
AdwCleaner[S1].txt - [5238 octets] - [16/10/2012 15:46:32]

########## EOF - C:\AdwCleaner[S1].txt - [5298 octets] ##########
#48
Tis rather annoying eh sir? Went to Google. First link I clicked on was good, second one redirected me to nixxie. Seems to be a rather stubborn culprit. If that is all the malware means that is going to happen (based on the info you have seen in the logs) then I am good with it. Tis only a little annoying. So long as it doesn't contribute to any instability on my system and whatever not then it's not a huge deal to me.
#49
Need to manually extract it then. New name, so unfortunately it will take some days before our scan tools can add it, to remove it.
Run and post a new OTL scan log please. That was the first scan we used.
#50
So other than that the system looks pretty good as far as malware and such? No other issues on it besides that that I have noticed.
#51
Need to still locate nixxie though, and the info here may add to the removal databases, so please post a new OTL scan log.
Also go here and download Agent Ransack to your desktop (the 32 bit option), then click the downloaded file to install the program.

Once installed go to Start - Programs and open Agent Ransack. Under the Advanced tab, type the following, exactly as shown, into the text box next to "Containing text:"

nixxie

Make no other changes at this time. Then click the "Start search" button (upper right corner) and allow Agent Ransack to search. This will take quite a while to complete, depending on the number of files stored on the system, so please allow the scan to complete and do not use the computer while it is running.

When the scan is done go to File - Save Results, and click the "Save" button to save the information to your clipboard. Then open Notepad and click Paste to copy the scan results. Save this as Life.txt. Zip a copy of it, and send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files -PossibleOne/cth/ransack" as the email Subject.