google redirect + ransomware, logs attached

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by asdfqwe, Sep 12, 2012.

  1. asdfqwe

    asdfqwe Private E-2

    The problem started with random, infrequent Google redirects in Firefox to fake sites seemingly intended to aid identity theft. After installing and running Malwarebytes, a trojan was quarantined. However, the redirects continued, except Malwarebytes was able to prevent the redirect site from actually loading, and gave a warning that it had prevented going to a potentially harmful site. Then, after a reboot, the trojan totally shut Malwarebytes down and prevented it from being restarted, while also locking out most other functions of the PC. A fake antivirus program came up, called "Live Security Platinum", which gave continuous fake warnings about infection. A simple reboot allowed Malwarebytes to reload, but the infection persists, as Malwarebytes detects the infection with every reboot as a new .exe with a random 4-letter-and-number name, labeled Trojan.LameShield in the quarantine.

    I first noticed these issues on Monday when Windows Security Essentials reported a trojan. I initially tried removing it with WSE, and when that did not work I disabled WSE and installed Malwarebytes. I have run some other scans, but have not attempted removal of anything except as recommended here (e.g. the Malwarebytes instructions were to attempt to remove).

    I have followed all steps from Read and Run Me First and the follow-up Malware Removal/Cleaning Procedure thread.
     


  2. asdfqwe

    asdfqwe Private E-2

    I need to add some info: when I wrote my post, I had forgotten that yesterday I ran ComboFix after reading some of the other threads here about redirect problems. All of the logs I attached were made today, so hopefully things are not too confused now.
     
  3. asdfqwe

    asdfqwe Private E-2

    I also forgot to add:

    This is a Dell laptop, which means it has the Dell recovery partition and DataSafe Local Backup 2.0.

    I am quite willing to simply wipe the hard drive and re-install Windows; I have done this many times before. However, I want to be 100% sure after this that my PC is clean, so I would use something like DBAN (http://www.dban.org/).

    My problem is then how do I not only reinstall Windows 7, which is easy, but also restore the Dell recovery partition.

    Maybe this is not such an important thing - I back up important files to external hard drives, and this Dell recovery seems like more trouble than it's worth, considering that once the MBR is infected the Dell backup won't fully clean the system anyway. But still, if it's not too difficult to keep around, an additional backup option can't hurt.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we resort to formatting, let's have a pop at it! :)

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : Alqmqm (C:\Users\Aaron\AppData\Roaming\Alqmqm.scr) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3861633413-2440449767-1503428881-1001[...]\Run : Alqmqm (C:\Users\Aaron\AppData\Roaming\Alqmqm.scr) -> FOUND
    • [TASK][SUSP PATH] At18.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At17.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At16.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At15.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At14.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At13.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At12.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At11.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At10.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At1.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At27.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At26.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At25.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At24.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At23.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At22.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At21.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At20.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At2.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At19.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At36.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At35.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At34.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At33.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At32.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At31.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At30.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At3.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At29.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At28.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At45.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At44.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At43.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At42.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At41.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At40.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At4.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At39.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At38.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At37.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At9.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At8.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At7.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At6.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At5.job : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At48.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At47.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At46.job : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At1 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At10 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At11 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At12 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At13 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At14 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At15 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At16 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At17 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At18 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At19 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At2 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At20 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At21 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At22 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At23 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At24 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At25 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At26 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At27 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At28 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At29 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At3 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At30 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At31 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At32 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At33 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At34 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At35 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At36 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At37 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At38 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At39 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At4 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At40 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At41 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At42 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At43 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At44 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At45 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At46 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At47 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At48 : C:\ProgramData\5J54e2u5.exe_ -> FOUND
    • [TASK][SUSP PATH] At5 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At6 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At7 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At8 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [TASK][SUSP PATH] At9 : C:\ProgramData\5J54e2u5.exe -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\Security Center : AntiVirusDisableNotify (1) -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\Security Center : FirewallDisableNotify (1) -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\Security Center : UpdatesDisableNotify (1) -> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.
    Re-run RogueKiller and attach that log too.
    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. (Right-click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.
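As an added example (not from the thread, and not RogueKiller's own code), a Python triage script that parses detection lines in the format quoted above and groups them by persistence mechanism: many At*.job tasks fanning out to one binary under ProgramData, a Run key pointing at a .scr in AppData\Roaming, and Security Center DisableNotify values set to 1. The sample lines are constructed from the entries above; folding the trailing-underscore path variant into the same binary is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the RogueKiller report format quoted in the thread.
SAMPLE_REPORT = """\
[RUN][SUSP PATH] HKCU\\[...]\\Run : Alqmqm (C:\\Users\\Aaron\\AppData\\Roaming\\Alqmqm.scr) -> FOUND
[TASK][SUSP PATH] At1.job : C:\\ProgramData\\5J54e2u5.exe -> FOUND
[TASK][SUSP PATH] At2.job : C:\\ProgramData\\5J54e2u5.exe -> FOUND
[TASK][SUSP PATH] At25.job : C:\\ProgramData\\5J54e2u5.exe_ -> FOUND
[HJ] HKLM\\[...]\\Wow6432Node\\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\\[...]\\Wow6432Node\\Security Center : FirewallDisableNotify (1) -> FOUND
"""

# "[KIND][FLAG] location : detail -> STATUS"; the [FLAG] group is optional.
LINE_RE = re.compile(r"^\[(?P<kind>[A-Z]+)\](?:\[[A-Z ]+\])? (?P<where>.+?) : (?P<what>.+?) -> (?P<status>\w+)$")
PAREN_RE = re.compile(r"^(?P<name>.*?) \((?P<val>.+)\)$")  # "Alqmqm (C:\...)" / "AntiVirusDisableNotify (1)"

def parse_report(text):
    """Return a list of (kind, where, what, status) tuples, skipping non-detection lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["kind"], m["where"], m["what"], m["status"]))
    return hits

def triage(text, min_tasks=2):
    """Group detections by persistence mechanism and flag the pattern seen in the thread."""
    tasks, run_targets, tampered = Counter(), [], []
    for kind, where, what, _ in parse_report(text):
        if kind == "TASK":
            # Assumption: the trailing '_' variant refers to the same binary; fold it in.
            tasks[what.rstrip("_").lower()] += 1
        elif kind == "RUN" and (m := PAREN_RE.match(what)):
            run_targets.append(m["val"].lower())
        elif kind == "HJ" and "Security Center" in where and (m := PAREN_RE.match(what)):
            if m["name"].endswith("DisableNotify") and m["val"] == "1":
                tampered.append(m["name"])
    findings = []
    for path, n in tasks.items():
        if n >= min_tasks and ("\\programdata\\" in path or "\\appdata\\" in path):
            findings.append(f"{n} scheduled tasks launch user-writable binary {path}")
    for path in run_targets:
        if path.endswith(".scr") and "\\appdata\\roaming\\" in path:
            findings.append(f"Run key launches .scr-disguised binary {path}")
    if tampered:
        findings.append("Security Center alerts suppressed: " + ", ".join(tampered))
    return {"tasks": dict(tasks), "run_targets": run_targets, "tampered": tampered, "findings": findings}
```

Running `triage(SAMPLE_REPORT)["findings"]` reports the task fan-out, the Run-key .scr and the two suppressed Security Center alerts, which is the same set of items the instructions above tell you to check.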
     
