
Possible Phishing Virus

Posted 12/15/2012 1:27 AM
#94819

Chooxen Member

Date Joined Nov 2016
Total Posts: 2
Hello there.

I believe my laptop has a virus.

For a start, it won't let me access most well-known antivirus websites. When I click links to them, it 404s or goes to Google homepage. I managed to download Bullguard, but it won't let me install it.

The virus seems to have the practical purpose of phishing credit card information out of me when I log on to Facebook. I was having trouble getting some of Facebook's features to function in Chrome, so I logged on in IE and got redirected to this screen:
http://i.imgur.com/17SyO.jpg

The same happened in Firefox after I downloaded that. No issues in IE 64-bit funnily enough.

I'm looking for advice as to how to remove this, if anyone would be so kind as to help.

Thanks in advance,
Ben
Posted 12/15/2012 7:12 AM
#94821

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Hi Ben :-)

Please follow this guide:

[url] http://forum.bullguard.com/forum/9/Before-posting-a-log_43562.html [/url]

Do not PM me with logfiles. They will be deleted.


Posted 12/15/2012 5:12 PM
#94823

Chooxen Member

Date Joined Nov 2016
Total Posts: 2
Hiya, below are logs. The issues I was having seem to be resolved for the time being. I am curious as to what this is though:

uRun: [Desiy] C:\Users\Ben\AppData\Roaming\Aspye\afepq.exe

Malwarebytes picked it up as a trojan and it crashed in Safe mode. Looks a bit suspect.

------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:59:31, on 15/12/2012
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16457)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
C:\Users\Ben\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\PROGRA~2\Jetico\BCWipe\BCResident.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPNOT/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPNOT/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT/2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
O2 - BHO: Increase performance and video formats for your HTML5
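An added example, not part of this thread or of any tool named in it: a small Python triage helper that parses HijackThis/DDS-style autorun lines such as the uRun: entry Ben asked about and flags binaries that start from user-writable locations like AppData\Roaming. The vendor allowlist is an assumption for the example, and the sample lines are taken from the log above plus one constructed benign Spotify entry.

```python
import re
from dataclasses import dataclass

# Entry types worth checking: autostarts (uRun/mRun/O4), BHOs (O2), toolbars (O3), search hooks (R3).
AUTORUN_PREFIXES = ("uRun:", "mRun:", "O4 -", "O2 -", "O3 -", "R3 -")
# Locations any non-admin process can write to; persistence that survives a reboot often lands here.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\")
# Constructed allowlist (an assumption for this example) of vendors that legitimately run from AppData\Roaming.
KNOWN_APPDATA_VENDORS = {"spotify", "dropbox", "microsoft", "google"}
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr)\b", re.IGNORECASE)
NAME_RE = re.compile(r"\[([^\]]+)\]")  # the [Desiy]-style registry value name

@dataclass
class Finding:
    name: str
    path: str
    reason: str

def vendor_folder(path: str) -> str:
    """Folder directly under AppData\\Roaming, lower-cased; '' if the path is elsewhere."""
    parts = path.lower().split("\\")
    if "roaming" in parts and parts.index("roaming") + 1 < len(parts):
        return parts[parts.index("roaming") + 1]
    return ""

def triage(log_text: str) -> "list[Finding]":
    """Return autorun entries whose binary lives in a user-writable, non-allowlisted location."""
    findings = []
    for line in log_text.splitlines():
        if not line.startswith(AUTORUN_PREFIXES):
            continue
        m = PATH_RE.search(line)
        if m is None:
            continue
        path = m.group(0)
        if not any(marker in path.lower() for marker in USER_WRITABLE):
            continue
        if vendor_folder(path) in KNOWN_APPDATA_VENDORS:
            continue  # known vendor folder, leave it for manual review instead
        name = NAME_RE.search(line)
        findings.append(Finding(name.group(1) if name else "", path,
                                "autorun binary in user-writable location, vendor not allowlisted"))
    return findings

# Sample input: two lines from the log in this thread plus a constructed benign Spotify autorun.
SAMPLE_LOG = "\n".join([
    r"uRun: [Desiy] C:\Users\Ben\AppData\Roaming\Aspye\afepq.exe",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O4 - HKCU\..\Run: [SpotifyWebHelper] C:\Users\Ben\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe",
])
```

Running triage(SAMPLE_LOG) flags only the [Desiy] entry; a flagged entry is a lead for the AdwCleaner/ComboFix steps below, not proof on its own, since legitimate software also installs under AppData\Roaming.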
Posted 12/16/2012 12:37 AM
#94828

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976

[quote]C:\Users\Ben\AppData\Roaming\Aspye\afepq.exe[/quote]

It also looks suspicious to me.

Please download AdwCleaner:

  • ***Note: Windows Vista and Windows 7 users:
    Right click on adwCleaner.exe and select Run as admin

Click Delete.


  • Everything that was found will be deleted.
  • Save any open files and approve the reboot. A text file will open after the restart.

Post the log, along with a combofix log -

Please download Combofix from: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

And save to the desktop.

Open notepad and copy/paste the text below into it:

Snapshot::
Collect::
C:\Users\Ben\AppData\Roaming\Aspye\afepq.exe
ClearJavaCache::

Save this as: CFScript

(image: CFScript.txt being dragged onto ComboFix.exe)

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted.

Usually located in c:\combofix.txt, please post it to your next reply.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed.

With the above script, ComboFix will capture a file to submit for analysis.