
Cannot remove spyware/adware dnschanger trojan



I have run every single anti virus, malwarebytes, hitmanpro, windows defender, even Avira and every time they find upwards of 70 - 280 infections all trojans, dnschangers and no matter what I have endless browser redirects to random webpages.  The first issue I noticed was when my chrome browser was being redirected to search-online.com and no matter how many times I ran anti-malware, safe-mode it would always come back.  I have attached my addition.txt and FRST.txt files below.  I am at a loss here on how to remove this dnschanger trojan that I seem to have now.

Addition.txt

FRST.txt

 

Update: I cannot find chrome in the page to select a default browser anymore, Microsoft Edge has no internet connection, every time I open up the chrome browser I am met with a very slow computer, and it opens to alphashoppers.com or whatever.  I started having these trojan issues after I tried to install a program that I downloaded over peer 2 peer, so I believe the program I tried to install was infected.

Edited by Austin0751

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Always detect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs in your reply, also tell me if you have any remaining issues or concerns...

Thank you,

Kevin

 

fixlist.txt


I ran through everything except for the Sophos tool so far (It's currently in the process but it is going so slow it is on pace to take at least a couple hours to scan)

I am responding now because I mostly got rid of the infections that were causing my pc troubles, but I still have the browser hijacker that was affecting my browsers before the fixes.  It would seem that is causing anytime I try to use a browser (for google) search engine it redirects me to search60.com.  I have google set as my default search engine in chrome and in edge and both browsers redirect to search60.com. If I set my default search engine to bing I did not get redirected.

I understand you expect the Sophos tool to run for a long time, I'm just wondering if you are expecting the Sophos scan to find out if there's any infections still left over, in that case I will have to wait till I sleep tonight to run the tool overnight.

Here are the logs so far below.

AdwCleaner[C2].txt

10-31-17 mb3 scan.txt

Fixlog.txt

AdwCleaner[S3].txt

Edited by Austin0751

25 minutes ago, kevinf80 said:

I prefer to see Sophos log before we progress... Also I see Malwarebytes log shows "No Action By User" against found entries, any reason why those entries were not quarantined...

I saved the log right before I quarantined the entries and then restarted, I never actually saved the log when I logged back in, but I did quarantine them.


Ok thanks for the help, I am 3/4th done with the Sophos scan.

Another thing I have noticed since these issues is that whenever I play online games on my pc (Overwatch) I have higher than average ping, with packet loss and all sorts of very abnormal latency connectivity issues. The amount of bandwidth I have is normal at 85 Mbps but it almost seems as if my packets are being interfered with as far as internet connectivity goes, leading to packet loss and high latency. I am fairly certain it is related to this issue. Is it possible the issue has become network or router related?


Sophos scan returned no threats found at the end of the scan.

I restarted my computer and the search60 page has not returned since.  My internet still has issues and I noticed an odd process in Resource Monitor called "Tihevna.exe" which returns no google searches whatsoever but it seems to be sending and receiving a lot of B/sec.

 

0f76124b2000cf416a0151345ac08cff.png


Yes totally agree, that seems to be a very suspicious entry. Can you run the following and post the produced log:

Run FRST one more time:

Type the following in the edit box after "Search:".

Tihevna.exe

Click Search Files button and post the log (Search.txt) it makes to your reply.

Thank you,

Kevin
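Added example, not part of the original posts: when a process is visible in Resource Monitor, its image path, parent and TCP peers can be read from the running process itself, which complements a search by file name. It assumes Windows 8 or later and an elevated PowerShell prompt; the default process name is the one reported in the thread.

```powershell
# Added example: map a running process name to its image path, signature and TCP peers.
# Save as a .ps1 file and run from an elevated PowerShell prompt.
param([string]$Name = 'Tihevna')   # process name from the thread, without ".exe"

$procs = Get-CimInstance Win32_Process -Filter "Name = '$Name.exe'"
if (-not $procs) {
    Write-Output "No running process named $Name.exe (it may only start later in the session)."
    return
}

foreach ($p in $procs) {
    # The parent shows what launched it (scheduled task host, service, another dropper).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # The path can be empty or unreadable if the file is hidden or protected by ACLs.
    $sig = if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        (Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath).Status
    } else {
        'image not readable from this session'
    }

    [pscustomobject]@{
        Pid         = $p.ProcessId
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
        Started     = $p.CreationDate
        Signature   = $sig
    } | Format-List

    # Remote endpoints this process currently holds TCP connections to.
    Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalPort, RemoteAddress, RemotePort, State |
        Sort-Object RemoteAddress -Unique |
        Format-Table -AutoSize
}
```

The output is plain text and can be pasted into a reply alongside the FRST Search.txt log.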


First time I booted my PC, I saw no tihevna.exe, ran the search and nothing showed up. Restarted my pc and then saw tihevna.exe popping up on resource monitor again, I ran the search again and nothing seems to have shown up again. I have attached the log file below and a screenshot of resource monitor and the FRST search.

Search.txt

suspiciousnetworkentries.png

Edited by Austin0751

Have just checked back over your previous logs, I actually had that file up for removal with FRST fix, the produced log showed as "Not Found" I believe the best course of action is to run FRST via the Recovery Environment, see what a log shows in that mode... if we find it in that mode we should be able to remove it...

That .exe was listed here: C:\Users\Austin Solecitto\AppData\Local\vdswuto\tihevna.exe in FRST.txt

If you have a USB flash drive do the following:

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit...

Next,

From your Desktop select the start Flag (bottom left-hand corner of screen)

Hold down the "Shift key" of your keyboard, keep it down and select "Restart"

Your PC should open to the "Choose an Option" window.... release shift key.

From that window select "Troubleshoot"

From the next window select "Advanced Options"

From that Window select "Command Prompt"

Ensure to plug the flash drive into a USB port... You should now be in Recovery Environment with the Command Prompt Window open......

Continue with the following:
 
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter
  • Note: Replace letter E with the drive letter of your flash drive. <<<----very important
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. You will need to boot back to Normal windows to post the log, or if applicable do that action from a spare PC...
  • To boot back to windows, type exit at the prompt and hit enter
  • Please copy and paste or attach FRST log to your reply.


Thanks,

Kevin...

 


Yes that was the reason to access the recovery environment and run FRST from there, usually in that mode we can see all parts of the infection, compile our fix and use that via the recovery environment... Strange thing is none of the files are showing in that mode... I`ll attach a zip file boot_into_RE_2.zip unzip that to your Desktop so you have boot_into_RE_2.bat

You can run that batch file to access the recovery environment.... I want you to run the following:

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log. Or use the batch file, right click on it and select "Run as Administrator"

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

fixlist.txt

boot_into_RE_2.zip

Edited by kevinf80

Boot back to safemode with networking, in that mode I want you to run Malwarebytes threat scan with the following settings:

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…

 


Stay in Normal mode and run the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

 

fixlist.txt

Edited by kevinf80

Yes they do that to me. Normally we can fix this kind of malware via the Recovery Environment, Can you navigate to the following:

C:\Users\Austin Solecitto\AppData\Local

At present you have no access to the following folders:

C:\Users\Austin Solecitto\AppData\Local\vdnewkt
C:\Users\Austin Solecitto\AppData\Local\vdswuto

Can you check other folders under Local do you have normal access, or no access similar to the two above..
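Added example, not part of the original posts: the folder check requested above can be done in one pass by trying to list every folder under %LOCALAPPDATA% and recording the owner and any Deny entries in its ACL. It assumes it is run as the affected user; the legacy compatibility junctions Windows creates there (for example "Application Data") deny listing by design, so they are flagged separately.

```powershell
# Added example: report which folders under %LOCALAPPDATA% the current user cannot list.
$root = $env:LOCALAPPDATA   # e.g. C:\Users\<name>\AppData\Local

$report = foreach ($dir in Get-ChildItem -LiteralPath $root -Directory -Force) {
    $status = 'ok'; $owner = $null; $deny = $null
    try {
        # Listing the folder is the same operation Explorer performs when it is opened.
        $null = Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction Stop
    } catch {
        $status = if ($_.Exception -is [System.UnauthorizedAccessException]) {
            'ACCESS DENIED'
        } else {
            "error: $($_.Exception.GetType().Name)"
        }
    }
    try {
        $acl   = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        $owner = $acl.Owner
        # Explicit Deny entries are unusual on ordinary application folders.
        $deny  = ($acl.Access | Where-Object AccessControlType -eq 'Deny' |
                  ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
    } catch {
        $owner = 'unreadable'
    }
    [pscustomobject]@{
        Folder   = $dir.Name
        Status   = $status
        # Junctions such as "Application Data" are expected to deny listing.
        Junction = [bool]($dir.Attributes -band [IO.FileAttributes]::ReparsePoint)
        Owner    = $owner
        DenyACEs = $deny
        Created  = $dir.CreationTime
    }
}

# Non-junction folders that deny access are the ones worth reporting back.
$report | Sort-Object Status, Created | Format-Table -AutoSize
```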
