Redirect and trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by eleasmom, Dec 21, 2012.

  1. eleasmom

    eleasmom Private E-2

    Happy Solstice!

    I was away on vacation for two weeks, and came back to a laptop that suddenly had trojans and google redirect issues. I keep SuperAntiSpyware running in the background, and the first thing that happened is that I got a real-time alert, so I ran a full scan, and got a trojan. (Quarantined and removed.) I ran Malwarebytes also, and got a *different* trojan, quarantined, and removed. Seemed to be OK for the rest of the day. (This was several days ago...) Next day, I started getting Google re-directs, and also immediately got a real-time alert from SAS. I ran full-scans again, and got one trojan from SAS and nothing from MBAM. Since then, I haven't had any real-time alerts, just the occasional re-direct. (And if I back-page and then re-click, it doesn't re-direct a second time.)

    It hasn't been annoying enough to need to deal with it, until today, when I rebooted and the machine was basically locked up for 15 minutes or so. Ctrl-Alt-Del showed about 7 iexplore processes running (and I never use iexplore, I only ever use Firefox), and I couldn't stop them. And...I'm still getting the redirect. And, there's occasionally that click-pop noise that you get, when you are in the menu tree, and go from folder to folder - except that I'm not actually doing anything.

    So, I ran through the "redirect read me first," which didn't stop the problem. So I ran the general "malware read me first," and I think it looks like I've still got stuff on my computer, and I'm still getting re-directed, so here are the logs.

    And, tomorrow will have TWO SECONDS more daylight than today. How can that be wrong?
     

    Attached Files:

  2. eleasmom

    eleasmom Private E-2

    The rest of the logs. Did I forget any?
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 4 detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : bimgeta (rundll32 "C:\Documents and Settings\Donna\Local Settings\Application Data\bimgeta.dll",bimgeta) -> FOUND
    • [RUN][SUSP PATH] HKLM\[...]\Run : ksdsv ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Donna\Application Data\ksdsv.dll",Int_FromLong) -> FOUND
    • [RUN][SUSP PATH] HKLM\[...]\Run : thuiat ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Donna\Application Data\thuiat.dll",get_header_ver) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-2754825429-1985977346-3869023744-1006[...]\Run : bimgeta (rundll32 "C:\Documents and Settings\Donna\Local Settings\Application Data\bimgeta.dll",bimgeta) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for items on file/folder tab please:

    • [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$e1e527cce3fd94f64975b5a450ce4c5a\@ --> FOUND
    • [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-2754825429-1985977346-3869023744-1006\$e1e527cce3fd94f64975b5a450ce4c5a\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$e1e527cce3fd94f64975b5a450ce4c5a\U --> FOUND
    • [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-2754825429-1985977346-3869023744-1006\$e1e527cce3fd94f64975b5a450ce4c5a\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$e1e527cce3fd94f64975b5a450ce4c5a\L --> FOUND
    • [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-2754825429-1985977346-3869023744-1006\$e1e527cce3fd94f64975b5a450ce4c5a\L --> FOUND
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    You can also re-run Hitman and have it delete all that it finds.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;127.0.0.1:9421;
    • O4 - HKLM\..\Run: [ksdsv] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Donna\Application Data\ksdsv.dll",Int_FromLong
    • O4 - HKLM\..\Run: [thuiat] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Donna\Application Data\thuiat.dll",get_header_ver
    • O4 - HKCU\..\Run: [bimgeta] rundll32 "C:\Documents and Settings\Donna\Local Settings\Application Data\bimgeta.dll",bimgeta

    After clicking Fix exit HJT.



    Delete these:
    • C:\Documents and Settings\Donna\Local Settings\Application Data\a8c66a09-d5fe-4797-8ee3-1f98586064a3.crx
    • C:\Documents and Settings\Donna\Local Settings\Application Data\i18obj90

    Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

    Run the new MGTools.exe and attach the new MGlogs.zip
     
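    As an added example (not from the thread and not part of RogueKiller, HijackThis or the MGtools kit), a small Python triage that scans log lines of the shape quoted in this post for the three patterns treated as fix items: a rundll32 Run entry loading a DLL from a user-profile data folder, a ProxyOverride bypass list naming a loopback host:port, and a ZeroAccess-style hidden folder under RECYCLER. The sample lines are constructed from the shapes above (two benign control lines added), and the rule names are my own.

```python
import re

# Constructed sample lines in the shape of the RogueKiller and HijackThis output
# quoted in the thread; the jusched and "<local>" lines are benign controls.
SAMPLE_LINES = [
    r'[RUN][SUSP PATH] HKLM\[...]\Run : ksdsv ("C:\WINDOWS\system32\rundll32.exe" '
    r'"C:\Documents and Settings\Donna\Application Data\ksdsv.dll",Int_FromLong) -> FOUND',
    r'O4 - HKCU\..\Run: [bimgeta] rundll32 "C:\Documents and Settings\Donna\Local Settings'
    r'\Application Data\bimgeta.dll",bimgeta',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    r'R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;127.0.0.1:9421;',
    r'R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>',
    r'[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$e1e527cce3fd94f64975b5a450ce4c5a\U --> FOUND',
]

# rundll32 (bare or full path) followed by a quoted or bare DLL path and an export name
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,', re.IGNORECASE)
# per-user data folders a legitimately installed DLL rarely runs from at logon
PROFILE_DIR = re.compile(r'\\(?:Application Data|Local Settings|Temp|Temporary Internet Files)\\', re.IGNORECASE)
PROXY_OVERRIDE = re.compile(r'ProxyOverride\s*=\s*(.*)$', re.IGNORECASE)
# RECYCLER\<SID>\$<32 hex chars>\... : the hidden-folder layout named in the RogueKiller hits
RECYCLER_GUID = re.compile(r'[A-Z]:\\RECYCLER\\S-1-5-[\d-]+\\\$[0-9a-f]{32}\\?[^\s"]*', re.IGNORECASE)


def triage(lines):
    """Return (rule, detail) pairs for lines matching a persistence or redirect pattern."""
    findings = []
    for line in lines:
        m = RUNDLL.search(line)
        if m and PROFILE_DIR.search(m.group(1)):
            findings.append(("rundll32-profile-dll", m.group(1)))
        m = PROXY_OVERRIDE.search(line)
        if m:
            # ProxyOverride is a bypass list; a loopback host:port entry is out of place there
            for entry in filter(None, (e.strip() for e in m.group(1).split(";"))):
                if re.search(r":\d+$", entry):
                    findings.append(("proxyoverride-port", entry))
        m = RECYCLER_GUID.search(line)
        if m:
            findings.append(("recycler-hidden-dir", m.group(0)))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(f"{rule:24} {detail}")
```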
  4. eleasmom

    eleasmom Private E-2

    OK, I did everything as written, as best I could. I just did about ten google searches and haven't been redirected, but only time will tell...

    After I deleted the items in the Registry tab via RogueKiller, the items in the Files tab were already gone.

    I did run Hitman, and it found three things that it thought were Trojans, including a bimgeta somewhere, and two others that I don't remember. I deleted them, but I wasn't able to save a log, because it told me to reboot. And, I did. And it didn't save a log.

    I went into HJT, and only the first item was listed:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;127.0.0.1:9421;

    The other three weren't there.

    Also, this one wasn't there:

    C:\Documents and Settings\Donna\Local Settings\Application Data\a8c66a09-d5fe-4797-8ee3-1f98586064a3.crx
     

    Attached Files:

  5. eleasmom

    eleasmom Private E-2

    Sigh. I've been online this morning for about an hour. I've done about...oh...a dozen various searches. And, sigh, I just got redirected. So, something still isn't cleaned out properly.

    :-(
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the below procedure to reset Firefox to defaults:
    Reset Firefox to Defaults

    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

    After clicking Fix, exit HJT.

    Now uninstall the below:
    Ask Toolbar


    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    :Files
    C:\WINDOWS\browser.exe
    C:\Documents and Settings\Donna\Local Settings\Application Data\bimgeta.dll
    C:\Documents and Settings\Donna\Application Data\ksdsv.dll
    C:\Documents and Settings\Donna\Application Data\thuiat.dll
    C:\Documents and Settings\Donna\Local Settings\Application Data\a8c66a09-d5fe-4797-8ee3-1f98586064a3.crx
    C:\Documents and Settings\All Users\Application Data\3C70281957950B4300003C6FEBAE0FE7
    C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
    C:\WINDOWS\Temp\toolbar_log.txt
    C:\WINDOWS\Temp\{0F41E3CB-BA0B-4EDD-9DFF-593B7815B5CC}.exe
    C:\WINDOWS\Temp\{7E60C050-365F-466F-AC8A-A14DE308F1FD}.exe
    C:\WINDOWS\Temp\*.tmp
    C:\Documents and Settings\Donna\Local Settings\temp\*.*
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bimgeta]
    [HKEY_USERS\S-1-5-21-2754825429-1985977346-3869023744-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "bimgeta"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\isecurity]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{051D1FB6-F34B-4571-A11C-1C223AF263B6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. eleasmom

    eleasmom Private E-2

    OK, did the next set of steps, logs attached. So far, so good...
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not rename the MGlogs.zip files that are created. You need to leave them exactly as the program creates them so that our cleanup process will work. There is no reason to rename anything or save them since they are all saved here in your messages.

    Looks good now. Test it for a while longer and if all is good, continue with the below.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  9. eleasmom

    eleasmom Private E-2

    Sigh. I used the computer for a day or two, and it seemed to have no problems. Then, I went out of town for about a week or so and did not take it with me. When I came back, it had a very slow start-up time, gradually getting worse, to the point that it would take about 15 minutes of being locked up to work. I just did a SAS scan, and found a trojan. It's doing this thing where it works for about two seconds, and then pauses for about ten seconds. It'll do that for about five minutes, then work well for a while, and then do that again for about five minutes...

    Do I need to start the whole "do this first" process again, or is there something specific I should do?

    Thanks...

    Donna
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you need to start over and create a new thread as this is a new problem. It is not a redirect problem anymore and it is possible that it is not even malware. I'm closing this current thread. Please post followup messages in a new thread along with your new logs and be sure to describe your problems in the new thread.

    Also please do not rename the MGlogs.zip files. Just attach exactly what we ask for which is C:\MGlogs.zip. You don't need to date them.
     
