
Thread: Key-Find has hijacked my Browser

  1. #21
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Go ahead and run HitmanPro and post the log, please.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #22
    Junior Member
    Join Date
    Nov 2005
    Location
    Atlanta
    Posts
    28

    Hitman Log

    I was so tired I fell asleep at the PC trying to run the program after work, sorry! I didn't see the save log last night on the first scan. Today I ran a new scan and here is the second log.

    Code:
    HitmanPro 3.7.9.216
    www.hitmanpro.com
    
       Computer name . . . . : PC801713467250
       Windows . . . . . . . : 5.1.3.2600.X86/2
       User name . . . . . . : PC801713467250\kenneth
       License . . . . . . . : Trial (30 days left)
    
       Scan date . . . . . . : 2014-04-08 08:47:39
       Scan mode . . . . . . : Normal
       Scan duration . . . . : 10m 18s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 23
    
       Objects scanned . . . : 761,823
       Files scanned . . . . : 23,613
       Remnants scanned  . . : 213,936 files / 524,274 keys
    
    Cookies _____________________________________________________________________
    
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:2o7.net
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.pointroll.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.pubmatic.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.yahoo.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:adtechus.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:advertising.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:at.atwola.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:atdmt.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:casalemedia.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:doubleclick.net
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:fastclick.net
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:interclick.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:kontera.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:media6degrees.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:mediaplex.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:pointroll.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:questionmarket.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ru4.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:statse.webtrendslive.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:tribalfusion.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:www.googleadservices.com
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:yieldmanager.net
       C:\Documents and Settings\kenneth\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:zedo.com

  3. #23
    Emeritus-Security Expert

    Hi,

    I don't see Key-Find in the second Hitman scan, so I'm not sure if it was removed or not.

    Internet Explorer

    • Open Internet Explorer
    • Click on Tools up on the top right
    • Click on Manage Add Ons
    • Click on Search Providers
    • Highlight Key-Find and select Delete

    Firefox

    • Open Firefox
    • Up on the top right, in the Search Box, click on the down arrow and select Manage Search Engines
    • Highlight Key-Find and select Delete

    Chrome

    1. Open Chrome
    2. Click the Chrome menu on the browser toolbar.
    3. Click on Settings
    4. Then Manage Search Engines
    5. Highlight Key-Find and select Delete

    Then let me know if Key-Find is still present.

  4. #24
    Junior Member

    Browsers

    I managed to get IE to accept the changes and it's slow loading but it goes to my set page.

    Firefox: the down arrow will not allow me to see anything but the current page, which is Key-Find.

    Google Chrome, I deleted it before from the settings so it doesn't show up in settings manage search engines but goes to Key-Find still upon opening Google Chrome. If I hit the home button it goes to my set home page then.

  5. #25
    Emeritus-Security Expert

    Let's set your browsers back to default.


    • Click the Chrome menu on the browser toolbar.
    • Select Settings.
    • Scroll down to Show advanced settings...
    • Down on the bottom you will see an option for RESET BROWSER SETTINGS
    • Click on it and it will set Chrome back to defaults

    • Open Firefox
    • Click on Help > Troubleshooting Information > Reset Firefox to its default state

    • Open IE
    • Go to Tools > Internet Options > Advanced Tab
    • Reset Internet Explorer Setting
    • Reset
    • This will take a few seconds
    • Close IE and then reopen it and see if it helped

  6. #26
    Junior Member

    I have an idea

    That worked on IE and Firefox. I have an idea, what if we uninstall Google Chrome and reinstall it?

  7. #27
    Emeritus-Security Expert

    That may not work because when a program is installed, most times it's not completely uninstalled; there could be registry keys and whatnot still lying around, and part of Key-Find may be in there. It appears that this infection is making the rounds and a tutorial has been written for it. So far we / you have done pretty good, but let's do a couple more things to make sure it's completely gone.

    First we're going to run rKill. This won't remove Key-Find, but it will stop it from running so that the next program can remove it.


    • Please download rkill (Courtesy of Bleepingcomputer.com).
    • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
    • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
    • Note: You only need to get one of the tools to run, not all of them.





    • Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

      Run rkill repeatedly until it's able to do its job. This may take a few tries.

      You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.





    Now you should download Emsisoft Anti-Malware, which will clean the remnants of this infection for free. Please download and save the Emsisoft Anti-Malware setup program to your desktop from the link below:

    • The download is fairly large, so please be patient while it downloads.
    • Once the file has been downloaded, double-click on the EmsisoftAntiMalwareSetup.exe icon to start the program. If Windows Smart Screen issues an alert, please allow it to run anyway.
    • If the setup program displays an alert about safe mode, please click on the Yes button to continue. You should now see a dialog asking what language you would like to use. Please select the language you wish to use and press the OK button.
    • You will eventually get to a screen asking the mode that you wish to use Emsisoft Anti-Malware.
    • Click the Freeware Mode
    • You will now be at a screen asking if you wish to join Emsisoft's Anti-Malware network. Read the descriptions and uncheck the options that you wish to use. When you are ready click on the Next button.
    • Emsisoft Anti-Malware will now begin to update its virus detections.
    • Please be patient as it may take a few minutes for the updates to finish downloading.
    • When the updates are completed, click on the Clean computer now button. Emsisoft Anti-Malware will start to load its scanning engine and then display a screen asking what type of scan you would like to perform.
    • Select the Deep scan
    • When it's done, click on the Quarantine Selected Objects button, which will remove the infections and place them in the program's quarantine. You will now be at the last screen of the Emsisoft Anti-Malware setup program, which you can close. If Emsisoft prompts you to reboot your computer to finish the clean up process, please allow it to do so. Otherwise you can close the program.






    We now need to clean up the various Windows shortcuts that have been hijacked by Key-Find Browser Hijacker.
    To do this, please download Shortcut Cleaner from the following web page and save it to your Windows desktop.



    Once the file is downloaded, double-click on the ss-cleaner.exe file that should now be on your desktop. If you are using Windows Vista, 7, or 8 you will need to allow it to run when the prompt appears. Shortcut Cleaner will now start and scan your computer for hijacked Windows shortcuts and if any are found it will automatically clean them for you. When it is done, it will show you a log that contains a list of shortcuts that were cleaned. When you have finished reviewing the log file, please close it and try setting Chrome back to default as I posted previously.


    Any problems or questions, let me know, and also if Key-Find is gone.

  8. #28
    Junior Member

    rkill log

    Rkill 2.6.5 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2014 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 04/09/2014 11:55:11 AM in x86 mode.
    Windows Version: Microsoft Windows XP Service Pack 3

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * System Restore Disabled

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = dword:00000001

    * ALERT: ZEROACCESS rootkit symptoms found!

    * C:\Recycler\S-1-5-18\$a1d0c5961d66e3a4bb4dbce057b0ee27\ [ZA Dir]
    * C:\Recycler\S-1-5-18\$a1d0c5961d66e3a4bb4dbce057b0ee27\@ [ZA File]
    * C:\Recycler\S-1-5-18\$a1d0c5961d66e3a4bb4dbce057b0ee27\L\ [ZA Dir]
    * C:\Recycler\S-1-5-18\$a1d0c5961d66e3a4bb4dbce057b0ee27\U\ [ZA Dir]
    * C:\Recycler\S-1-5-18\$a1d0c5961d66e3a4bb4dbce057b0ee27\U\00000001.@ [ZA File]
    * C:\RECYCLER\S-1-5-21-2420282109-1773090242-3309790634-1007\$a1d0c5961d66e3a4bb4dbce057b0ee27\ [ZA Dir]
    * C:\RECYCLER\S-1-5-21-2420282109-1773090242-3309790634-1007\$a1d0c5961d66e3a4bb4dbce057b0ee27\@ [ZA File]
    * C:\RECYCLER\S-1-5-21-2420282109-1773090242-3309790634-1007\$a1d0c5961d66e3a4bb4dbce057b0ee27\L\ [ZA Dir]
    * C:\RECYCLER\S-1-5-21-2420282109-1773090242-3309790634-1007\$a1d0c5961d66e3a4bb4dbce057b0ee27\U\ [ZA Dir]

    * Reparse Point/Junctions Found (Most likely legitimate)!

    * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
    * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

    Checking Windows Service Integrity:

    * System Restore Service (srservice) is not Running.
    Startup Type set to: Automatic

    * System Restore Filter Driver (sr) is not Running.
    Startup Type set to: Disabled

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 localhost

    Program finished at: 04/09/2014 11:57:14 AM
    Execution time: 0 hours(s), 2 minute(s), and 3 seconds(s)

  9. #29
    Emeritus-Security Expert

    Good, it found entries for the Zero Access Rootkit, but we ran TDSSKiller and it didn't find it. Those entries are in the recycle bin and are harmless, and we can deal with this later; there is no rootkit involved here.

    Go ahead and run the next two programs in the order I posted, please: first Emsisoft and then the shortcut cleaner.

  10. #30
    Junior Member

    Success!

    Emsisoft Anti-Malware stated its trial had been used on this PC. After running Shortcut Cleaner we have success! Reset Google Chrome and reopened it, and Key-Find was gone. Don't forget I'm running XP and need to see if I can upgrade to Windows 7. Here is the Shortcut Cleaner Log.

    Shortcut Cleaner 1.3.3 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2014 BleepingComputer.com
    More Information about Shortcut Cleaner can be found at this link:
    http://www.bleepingcomputer.com/down...rtcut-cleaner/

    Windows Version: Microsoft Windows XP Service Pack 3
    Program started at: 04/09/2014 01:22:07 PM.

    Scanning for registry hijacks:

    * HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command "@" hijacked!

    * HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "@" hijacked!

    Backup Registry file created at:
    C:\Documents and Settings\kenneth\Desktop\sc-cleaner\sc-cleaner-04-09-2014-01-22-07.reg

    Searching for Hijacked Shortcuts:

    Searching C:\Documents and Settings\kenneth\Start Menu\

    * Shortcut Cleaned: C:\Documents and Settings\kenneth\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.key-find.com/?type=sc&ts=...S18PJDNSA10144

    * Shortcut Cleaned: C:\Documents and Settings\kenneth\Start Menu\Programs\Internet Explorer.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.key-find.com/?type=sc&ts=...S18PJDNSA10144

    Searching C:\Documents and Settings\All Users\Start Menu\

    * Shortcut Cleaned: C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome\Google Chrome.lnk => C:\Program Files\Google\Chrome\Application\chrome.exe http://www.key-find.com/?type=sc&ts=...S18PJDNSA10144

    * Shortcut Cleaned: C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox\Mozilla Firefox (Safe Mode).lnk => C:\Program Files\Mozilla Firefox\firefox.exe http://www.key-find.com/?type=sc&ts=...S18PJDNSA10144

    * Shortcut Cleaned: C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox\Mozilla Firefox.lnk => C:\Program Files\Mozilla Firefox\firefox.exe http://www.key-find.com/?type=sc&ts=...S18PJDNSA10144

    Searching C:\Documents and Settings\kenneth\Application Data\Microsoft\Internet Explorer\Quick Launch\

    * Shortcut Cleaned: C:\Documents and Settings\kenneth\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => C:\Program Files\Google\Chrome\Application\chrome.exe http://www.key-find.com/?type=sc&ts=...S18PJDNSA10144

    * Shortcut Cleaned: C:\Documents and Settings\kenneth\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.key-find.com/?type=sc&ts=...S18PJDNSA10144

    Searching C:\Documents and Settings\All Users\Desktop\

    * Shortcut Cleaned: C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk => C:\Program Files\Google\Chrome\Application\chrome.exe http://www.key-find.com/?type=sc&ts=...S18PJDNSA10144

    Searching C:\Documents and Settings\kenneth\Desktop


    8 bad shortcuts found.

    Program finished at: 04/09/2014 01:22:18 PM
    Execution time: 0 hours(s), 0 minute(s), and 11 seconds(s)
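
The Shortcut Cleaner log above shows why the in-browser resets did not stick for Chrome: the hijack lived in the `.lnk` arguments and in the `StartMenuInternet` open command, outside the browser profile. The following read-only PowerShell audit for those two locations is an added example, not part of the thread and not Shortcut Cleaner's own logic; the browser list, the URL pattern and the function names are assumptions.

```powershell
# Added example: read-only audit for the two hijack types in the Shortcut Cleaner log.
# Assumptions: browser list, URL pattern and function names (not Shortcut Cleaner's logic).
$Browsers   = 'iexplore.exe', 'chrome.exe', 'firefox.exe'
$UrlPattern = '(?i)(?:https?://|\bwww\.)\S+'

function Test-UrlArgument {
    param([string]$Text)
    # Legitimate switches such as -extoff or -safe-mode do not match; an appended URL does.
    return [bool]($Text -match $UrlPattern)
}

function Get-HijackedShortcut {
    param([string[]]$Folder)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Folder) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                if (-not $lnk.TargetPath) { return }   # skip shortcuts with no file target
                $exe = Split-Path -Leaf $lnk.TargetPath
                if (($Browsers -contains $exe) -and (Test-UrlArgument $lnk.Arguments)) {
                    New-Object PSObject -Property @{
                        Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

function Get-HijackedStartMenuCommand {
    # Default ("@") value of ...\StartMenuInternet\<browser>\shell\open\command, as flagged in the log.
    $root = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_.OpenSubKey('shell\open\command')
        if (-not $key) { return }
        $command = $key.GetValue('')
        $key.Close()
        if ($command -and (Test-UrlArgument $command)) {
            New-Object PSObject -Property @{ Key = "$($_.Name)\shell\open\command"; Command = $command }
        }
    }
}

# Same locations the log walks: per-user and all-users Start Menu and Desktop, plus Quick Launch.
$wsh = New-Object -ComObject WScript.Shell
$folders = @(
    $wsh.SpecialFolders.Item('StartMenu'),
    $wsh.SpecialFolders.Item('AllUsersStartMenu'),
    $wsh.SpecialFolders.Item('Desktop'),
    $wsh.SpecialFolders.Item('AllUsersDesktop'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)

Get-HijackedShortcut -Folder $folders | Format-List Shortcut, Target, Arguments
Get-HijackedStartMenuCommand | Format-List Key, Command
```

Empty output from both calls means no browser shortcut or Start Menu command carries an appended URL; the script only reports and changes nothing.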
