Trojans + Google Redirect

Discussion in 'Malware Help (A Specialist Will Reply)' started by BoSoxJim, Jul 25, 2012.

  1. BoSoxJim

    BoSoxJim Private E-2

    Hi,

    This is my first post. I am thankful there is a forum like this with people willing to help people like me that have kids who surf to places they shouldn't.

    Anyway about a couple weeks ago, I noticed that when I tried to perform a search in Google, I would get redirected to another type of search page (both Firefox and IE). Also, websites would pop-up from time to time.

    A few times I would get a message that an antivirus program had finished installing and was ready to scan. I killed the process each time that appeared.

    Before finding this site, I ran the Malwarebytes software as well as the TDSSKiller software. But that did not solve the redirect problem (or additional websites popping up).

    I would appreciate any help you could give me.

    Thank you.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download ComboFix to your desktop and run it. Do not do anything while it runs. Attach the log when it is finished.
     
  3. BoSoxJim

    BoSoxJim Private E-2

    thank you for responding.

    unfortunately, i have been unable to get combofix to run to completion.

    i get as far as the backup of the registry. then a dialog box opens and closes in the blink of an eye and then nothing.

    i removed all drive emulators. and closed/disabled running programs. but still no luck.

    please advise.

    thank you.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Option1: Enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Option2: Enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  5. BoSoxJim

    BoSoxJim Private E-2

    sorry for the delay in responding. had a crazy weekend with the kids and no time for myself. i picked up a flash drive and will perform the tasks you require and will post the results monday night.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem. We will be here. ;)
     
  7. BoSoxJim

    BoSoxJim Private E-2

    again, sorry for the delay in responding.

    i promise to have the results to you by wednesday night. it was the kids on the weekend and now work has been crazy.

    i appreciate everything you are doing for me and again apologize for the delays.
     
  8. BoSoxJim

    BoSoxJim Private E-2

    ok, i finally got a chance to run the test you requested. i have attached the file.

    thank you for your patience.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Save fixlist.txt to your flash drive.

    • You should now have both fixlist.txt and FRST.exe on your flash drive.

    Now reboot back into the System Recovery Options as you did previously.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * Fixlist.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     

    Attached Files:

  10. BoSoxJim

    BoSoxJim Private E-2

    ok. i got the mgtools scan to work (never mind, the scan worked the first time). i am attaching the requested files.

    i'm still getting redirected.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTC by Old Timer and save it to your Desktop.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :files
    C:\Users\Jim_Kristine\AppData\Roaming\Azheyg
    C:\Users\Jim_Kristine\AppData\Roaming\Esru
    C:\Users\Jim_Kristine\AppData\Roaming\F2467312
    C:\Users\Jim_Kristine\AppData\Roaming\Icfyu
    C:\Users\Jim_Kristine\AppData\Roaming\mehsop.dll
    C:\Users\Jim_Kristine\AppData\Roaming\pmapi.dll
    C:\Users\Jim_Kristine\AppData\Roaming\Steinberg
    C:\Users\Jim_Kristine\AppData\Roaming\xsecva
    C:\Users\Jim_Kristine\AppData\Roaming\Microsoft\Windows\Templates\re15525dl3y7e4hemd3d26i4u6tdmmy
    C:\ProgramData\Steinberg
    C:\Program Files\Steinberg
    C:\Program Files\Common Files\Steinberg
    C:\Users\Jim_Kristine\AppData\Local\Temp\224kkk290347.exe
    C:\\Users\\Jim_Kristine\\AppData\\Roaming\\Azheyg\\caynv.exe
    C:\\Users\\Jim_Kristine\\AppData\\Roaming\\mehsop.dll
    C:\\Users\\Jim_Kristine\\AppData\\Roaming\\pmapi.dll
    
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
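A small checker for the `:files` section of an OTL-style fix script like the one above, added here as an example (Python, not OTL's own code or anything posted in the thread): it normalises the doubled-backslash entries, de-duplicates them, and reports which listed paths still exist, so a helper can confirm after the reboot that the fix actually removed them. The sample script is constructed from the paths in the post.

```python
import os
from pathlib import PureWindowsPath

# Constructed sample: a trimmed copy of the fix script in the post above,
# including the doubled-backslash entries exactly as they appear there.
SAMPLE_SCRIPT = r"""
:processes
:killallprocesses
:files
C:\Users\Jim_Kristine\AppData\Roaming\Azheyg
C:\Users\Jim_Kristine\AppData\Roaming\mehsop.dll
C:\\Users\\Jim_Kristine\\AppData\\Roaming\\Azheyg\\caynv.exe
C:\\Users\\Jim_Kristine\\AppData\\Roaming\\mehsop.dll

:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]
"""

def parse_fix_script(text):
    """Map each ':section' header to its entries, in script order.
    File paths are normalised (doubled backslashes collapsed) and
    de-duplicated, so one file written two ways is reported once."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if current == "files":
            line = str(PureWindowsPath(line.replace("\\\\", "\\")))
        if line not in sections[current]:
            sections[current].append(line)
    return sections

def remaining_files(sections, exists=os.path.exists):
    """Listed ':files' paths that still exist after the fix ran.
    `exists` is injectable so a recorded listing can be checked offline."""
    return [p for p in sections.get("files", []) if exists(p)]

if __name__ == "__main__":
    print("still present:", remaining_files(parse_fix_script(SAMPLE_SCRIPT)))
```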
  12. BoSoxJim

    BoSoxJim Private E-2

    i will be able to post the results for the latest test on wednesday (maybe later tonight).

    again, i apologize for the delays...they can't be helped right now.

    i appreciate all that you are doing to help me.
     
  13. BoSoxJim

    BoSoxJim Private E-2

    i finally had a chance to do everything you needed me to. i have included the logs as requested.

    Make sure that you tell me if you receive a success message about adding the above to the registry.

    I received the success message.

    Make sure you tell me how things are working now!

    it was odd. my first search (well it was a search i ran before running the fixes), redirected me. but i am performing other searches without any re-direction.

    i've checked both firefox and IE, and it seems the re-direction problem is gone.

    i am unsure if there are more steps left, so i withhold my tears of joy for the time being.

    i again thank you for all of your help and patience. i will wait to hear back about further steps.
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. I can only suggest now that you run CCleaner to clean out your temp folders.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link:
    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
