
Website redirect trojan/virus


This topic is locked
5 replies to this topic

#1 LK Martin

LK Martin

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 19 September 2014 - 05:18 AM

Hi.

I have gotten a nasty virus lately and whatever I do I can not seem to get rid of it.

What it does is that it pops up the notification saying "Additional login information may be required". Now I know that is a lie since I am connected through fiber and my ISP does not require any login.

What it does next is start to reroute all my access to websites to one of their own, looking like a usual Swedish ISP saying that my allocated mobile surf has run out and I need to buy more...

I am on a stationary computer with a limitless fiber connection so this is also an obvious lie/fake.

I am currently on Windows 7 Pro. I don't know if you need more system information than that to help me; if so, ask.

What I have tried:

Virus scan - I am running AVG Free 2014 and did a full system scan, no results.

System restore. Unfortunately I only have one restore point and that is not far enough back. When I run it, it also pops up an error saying it could not complete and to turn off anti-virus. Seems like something from the virus itself because recovery notes the action as completed.

I just can't get rid of it, please help, I am at my wits' end.




 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 19 September 2014 - 05:33 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.
Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> Properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 LK Martin

LK Martin
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 19 September 2014 - 09:42 AM

Hi, thanks for the quick reply.

I have been trying some more things in safe mode after posting this and hopefully got rid of it now, but of course as you said no symptoms is no guarantee.

After some advice from an ask thread I found the antimalware program Malwarebytes and ran this in safe mode.

This detected 6 infected files with Trojans, among them SvHost.exe, where I think my problems were.

I will hold off on following your instructions until tomorrow and do some more diagnosis in the meantime.

I will make a new post tomorrow to let you know how things are going; I will look for logs from Malwarebytes and post them in a post here.

English is not my native language either so please don't mind any spelling mistakes.



#4 LK Martin

LK Martin
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 19 September 2014 - 09:47 AM

Here is the log from MalwareBytes. I have changed the username of folder locations to ---- to protect my privacy.

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2014/09/19 13:17:32 +0200</date>
<logfile>mbam-log-2014-09-19 (13-17-32).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.2.1012</version>
<malware-database>v2014.09.19.03</malware-database>
<rootkit-database>v2014.09.18.01</rootkit-database>
<license>trial</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows 7 Service Pack 1</osversion>
<arch>x64</arch>
<username>-----</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>322681</objects>
<time>252</time>
<processes>0</processes>
<modules>0</modules>
<keys>0</keys>
<values>1</values>
<datas>0</datas>
<folders>3</folders>
<files>5</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>enabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<value><path>HKU\S-1-5-21-1059892711-2425033833-1676352690-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE</path><valuename>MFC Managed Interfaces Library</valuename><vendor>Trojan.Agent</vendor><action>success</action><valuedata>C:\Users\----\Videos\HelpPanel.exe</valuedata><hash>57c59a55017a2c0a96e0bfa028dcb050</hash></value>
<folder><path>C:\Users\----\AppData\Roaming\dclogs</path><vendor>Stolen.Data</vendor><action>success</action><hash>64b83db289f2ce68705642c7dd276f91</hash></folder>
<folder><path>C:\Users\----\AppData\Roaming\OpenCandy</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>1507ca2565169b9b1870a035b2506b95</hash></folder>
<folder><path>C:\Users\----\AppData\Roaming\OpenCandy\AF370717E77A4E0FBD239FFF561A3AAB</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>1507ca2565169b9b1870a035b2506b95</hash></folder>
<file><path>C:\Users\----\AppData\Roaming\WinDir\Svchost.exe</path><vendor>Trojan.Agent</vendor><action>success</action><hash>38e447a80c6f0e28dc9a509356adfb05</hash></file>
<file><path>C:\Users\----\AppData\Roaming\dclogs\2012-06-16-7.dc</path><vendor>Stolen.Data</vendor><action>success</action><hash>64b83db289f2ce68705642c7dd276f91</hash></file>
<file><path>C:\Users\----\AppData\Roaming\-----wchelper.dll</path><vendor>Trojan.Agent.Gen</vendor><action>success</action><hash>67b5aa4529529b9b24ac49e39e662dd3</hash></file>
<file><path>C:\Users\----\Videos\HelpPanel.exe</path><vendor>Trojan.Agent</vendor><action>success</action><hash>57c59a55017a2c0a96e0bfa028dcb050</hash></file>
<file><path>C:\Users\----\AppData\Roaming\OpenCandy\AF370717E77A4E0FBD239FFF561A3AAB\winzip180mul-64.msi</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>1507ca2565169b9b1870a035b2506b95</hash></file>
</items>
</mbam-log>
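The log above is plain XML, so it can be triaged mechanically rather than read item by item. The following is an added Python example, not part of this thread and not Malwarebytes' own code: it parses an mbam-log document (including the UTF-16 declaration such files carry, which expat refuses when handed as text), counts detections by family, and flags the entries a responder would act on beyond "the scanner removed it": a Run/RunOnce value (persistence that relaunched the payload at every logon), a file borrowing a Windows system binary name outside System32, and a Stolen.Data hit (a harvested-data store, which means credentials typed on the machine should be treated as exposed). The embedded sample is a shortened copy of the log posted above with the poster's masking kept; the function names, the list of system binary names and the triage rules are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample for this example: a shortened copy of the mbam-log XML posted
# in this thread (the poster had already masked the username as ----).
SAMPLE_LOG = r"""<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header><date>2014/09/19 13:17:32 +0200</date><isadmin>yes</isadmin></header>
<summary><type>threat</type><result>completed</result><objects>322681</objects><values>1</values><folders>3</folders><files>5</files></summary>
<items>
<value><path>HKU\S-1-5-21-1059892711-2425033833-1676352690-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE</path><valuename>MFC Managed Interfaces Library</valuename><vendor>Trojan.Agent</vendor><action>success</action><valuedata>C:\Users\----\Videos\HelpPanel.exe</valuedata><hash>57c59a55017a2c0a96e0bfa028dcb050</hash></value>
<folder><path>C:\Users\----\AppData\Roaming\dclogs</path><vendor>Stolen.Data</vendor><action>success</action><hash>64b83db289f2ce68705642c7dd276f91</hash></folder>
<file><path>C:\Users\----\AppData\Roaming\WinDir\Svchost.exe</path><vendor>Trojan.Agent</vendor><action>success</action><hash>38e447a80c6f0e28dc9a509356adfb05</hash></file>
<file><path>C:\Users\----\AppData\Roaming\OpenCandy\AF370717E77A4E0FBD239FFF561A3AAB\winzip180mul-64.msi</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>1507ca2565169b9b1870a035b2506b95</hash></file>
</items>
</mbam-log>
"""

# Example's own list: names malware likes to borrow; seeing one outside System32 is a red flag.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
AUTORUN_KEY_SUFFIXES = ("\\RUN", "\\RUNONCE")


def parse_mbam_log(data):
    """Return {'summary': {...}, 'items': [...]} from an mbam-log document (bytes or str)."""
    if isinstance(data, bytes):
        # Malwarebytes writes the file as UTF-16 with a BOM; fall back to UTF-8 otherwise.
        data = data.decode("utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")
    # expat rejects a str that still declares a multi-byte encoding
    # ("multi-byte encodings are not supported"), so drop the declaration first.
    data = re.sub(r"^\s*<\?xml[^>]*\?>", "", data)
    root = ET.fromstring(data)
    summary_node = root.find("summary")
    summary = {c.tag: (c.text or "") for c in summary_node} if summary_node is not None else {}
    items = []
    items_node = root.find("items")
    if items_node is not None:
        for node in items_node:  # <value>, <folder>, <file>, ... one dict each
            item = {"kind": node.tag}
            item.update({c.tag: (c.text or "") for c in node})
            items.append(item)
    return {"summary": summary, "items": items}


def count_by_family(items):
    """How many objects each detection family accounted for (Counter keyed by vendor)."""
    return Counter(item.get("vendor", "unknown") for item in items)


def triage_items(items):
    """Flag the entries a responder should act on beyond 'the scanner removed it'."""
    findings = []
    for item in items:
        path = item.get("path", "")
        upper = path.upper()
        reasons = []
        if item["kind"] == "value" and any(upper.endswith(s) for s in AUTORUN_KEY_SUFFIXES):
            # Persistence via Run/RunOnce: the value's data is what was launched at logon.
            reasons.append("autorun persistence launching %s" % item.get("valuedata", "?"))
        if item["kind"] == "file":
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARY_NAMES and "\\WINDOWS\\SYSTEM32\\" not in upper:
                reasons.append("system binary name outside System32 (masquerading)")
        if item.get("vendor", "").startswith("Stolen.Data"):
            # Harvested keystrokes/credentials were on disk: treat every password as exposed.
            reasons.append("stolen-data store present: rotate credentials used on this machine")
        if item.get("action") != "success":
            reasons.append("removal not confirmed (action=%s)" % item.get("action", "?"))
        if reasons:
            findings.append({"kind": item["kind"], "path": path,
                             "vendor": item.get("vendor", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("scan result:", parsed["summary"].get("result"), "objects:", parsed["summary"].get("objects"))
    for family, n in count_by_family(parsed["items"]).most_common():
        print("%-25s %d" % (family, n))
    for f in triage_items(parsed["items"]):
        print(f["kind"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the full log from the thread, the same rules flag the RunOnce value, the dclogs folder and its .dc file, and the Svchost.exe under AppData\Roaming, while the OpenCandy entries stay unflagged as ordinary PUP removals; the Stolen.Data finding is the one that outlives the cleanup, since it points at data already collected rather than at code still running.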


#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 22 September 2014 - 03:22 AM

I did not want to see a Malwarebytes log.

Please provide the requested information.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 13 October 2014 - 08:04 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)



