PDA

View Full Version : Unable to remove pesky infection



Talon7
2014-07-06, 03:51
Hi,

I strongly suspect my computer has been infected with something. While I am connected to the Internet (and only when I'm connected), my CPU will be bombarded by over a dozen processes called "dllhost.exe*32" COM Surrogates. More frequently, however, a process called iexplore.exe will come up and eat up memory (sometimes multiple processes will appear). Before it shows up, it is preceded by a bunch of processes called ctfmon.exe with a description of "CTF Loader". Internet Explorer was uninstalled long ago so I know for sure this is NOT IE.

Attached is the aswMBR Log and the attach.txt file, but for some reason the DDS log cannot be formed no matter how I try to run the tool. No other major processes are running while I try and use the tool to create a DDS log. I have run Spybot and AVG and this problem has not gone away. Nothing in my network is wrong, it is JUST this computer.

Thanks in advance!

(The attach.txt file would not be attached when I tried to add it compressed as a winrar file, apologies.)

Juliet
2014-07-07, 04:00
Hi and welcome


Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) (If not sure which version: Start --> Computer (right click) --> properties)
(To use correct version for your system.....Which system am I using? (http://support.microsoft.com/kb/827218))


Run FRST.
Donīt change one of the checkboxes and hit Scan.
Logfiles are created on your desktop.
Poste the FRST.txt
The first time the tool is run it generates another log Addition.txt - Please also paste that along with the FRST.txt into your reply.

Talon7
2014-07-07, 05:09
Juliet, thank you!

Apparently both files exceed a file size limit here on the forums. I uploaded both files to dropbox; would it be all right to post them or is there some other method you want me to upload them?

Juliet
2014-07-07, 12:38
Can you break up the logs into multiple post or attach the txt?

Talon7
2014-07-07, 23:55
Ach, not sure why I didn't think of that. Here you go.

Juliet
2014-07-08, 00:55
yikes, your system is heavily infected.

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)



start
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => "C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll" File Not Found
AppInit_DLLs-x32: c:\progra~2\browse~1\sprote~1.dll => "c:\progra~2\browse~1\sprote~1.dll" File Not Found
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
URLSearchHook: HKCU - (No Name) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - No File
SearchScopes: HKLM - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKLM-x32 - DefaultScope {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
SearchScopes: HKLM-x32 - {01bd49d7-c76b-4310-8beb-14d7e5f322c6} URL = http://search.easylifeapp.com/?q={searchTerms}&pid=388&src=ie2&r=2013/05/12&hid=3446745559&lg=EN&cc=US
SearchScopes: HKLM-x32 - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - {01bd49d7-c76b-4310-8beb-14d7e5f322c6} URL = http://search.easylifeapp.com/?q={searchTerms}&pid=388&src=ie2&r=2013/05/12&hid=3446745559&lg=EN&cc=US
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
FF NewTab: hxxp://search.conduit.com/?ctid=CT3319733&octid=EB_ORIGINAL_CTID&SearchSource=69&CUI=&SSPV=&Lay=1&UM=4&UP=SPC00D18AC-2904-4750-B950-0949C7CAC3CF
FF SearchEngineOrder.1: EasyLife
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "EasyLife");: user_pref("browser.search.order.1,S", "EasyLife");
FF Homepage: google.com
FF Keyword.URL: hxxp://search.easylifeapp.com/?pid=388&src=ff2&r=2013/05/12&hid=3446745559&lg=EN&cc=US&l=1&q=
FF user.js: detected! => C:\Users\talon\AppData\Roaming\Mozilla\Firefox\Profiles\lv532xay.default\user.js
FF SearchPlugin: C:\Users\talon\AppData\Roaming\Mozilla\Firefox\Profiles\lv532xay.default\searchplugins\trovi-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
FF Extension: Conduit Engine - C:\Users\talon\AppData\Roaming\Mozilla\Firefox\Profiles\lv532xay.default\Extensions\engine@conduit.com [2011-05-09]
CHR HomePage: http:\/\/search.conduit.com\/?ctid=CT3319733&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPC00D18AC-2904-4750-B950-0949C7CAC3CF&SSPV=
CHR StartupUrls: "hxxp://search.conduit.com/?ctid=CT3319733&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPC00D18AC-2904-4750-B950-0949C7CAC3CF&SSPV="
CHR DefaultSearchKeyword: trovi.search
CHR DefaultSearchURL: http:\/\/search.conduit.com\/Results.aspx?gd=&ctid=CT3319733&octid=EB_ORIGINAL_CTID&ISID=&SearchSource=58&CUI=&UM=5&UP=SPC00D18AC-2904-4750-B950-0949C7CAC3CF&q={searchTerms}&SSPV=CHR DefaultNewTabURL:
CHR Extension: (Extutil) - C:\Users\talon\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B [2014-01-28]
CHR Extension: (Managera) - C:\Users\talon\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42 [2014-01-28]
CHR HKLM-x32\...\Chrome\Extension: [dhdepfaagokllfmhfbcfmocaeigmoebo] - C:\Users\talon\AppData\Local\Savings Sidekick\Chrome\Savings Sidekick.crx [2013-10-03]
C:\Users\talon\AppData\Local\Temp\6_Offer_15.exe
C:\Users\talon\AppData\Local\Temp\ApplicationUpdate.Client.dll
C:\Users\talon\AppData\Local\Temp\DM.exe
C:\Users\talon\AppData\Local\Temp\drm_dyndata_7380015.dll
C:\Users\talon\AppData\Local\Temp\Gw2.exe
C:\Users\talon\AppData\Local\Temp\ICReinstall_Setup.exe
C:\Users\talon\AppData\Local\Temp\nscA614.exe
C:\Users\talon\AppData\Local\Temp\nsdA8D4.exe
C:\Users\talon\AppData\Local\Temp\nseAB94.exe
C:\Users\talon\AppData\Local\Temp\nspF986.exe
C:\Users\talon\AppData\Local\Temp\nsrFC47.exe
C:\Users\talon\AppData\Local\Temp\nssFF07.exe
C:\Users\talon\AppData\Local\Temp\nv3DVStreaming.dll
C:\Users\talon\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\talon\AppData\Local\Temp\nvSCPAPISvr.exe
C:\Users\talon\AppData\Local\Temp\nvStereoApiI.dll
C:\Users\talon\AppData\Local\Temp\nvStInst.exe
C:\Users\talon\AppData\Local\Temp\ose00000.exe
C:\Users\talon\AppData\Local\Temp\patcher_lib.dll
C:\Users\talon\AppData\Local\Temp\patcher_update.exe
C:\Users\talon\AppData\Local\Temp\rootsupd.exe
C:\Users\talon\AppData\Local\Temp\SearchProtectINT.exe
C:\Users\talon\AppData\Local\Temp\Shockwave_Installer_FF.exe
C:\Users\talon\AppData\Local\Temp\TempRealCharacterBuilderUpdater.exe
C:\Users\talon\AppData\Local\Temp\UNINSTALLER-6352.exe
C:\Users\talon\AppData\Local\Temp\vcredist_x64.exe
Savings Sidekick (HKLM-x32\...\Savings Sidekick) (Version: 1.18.149.149 - 215 Apps) <==== ATTENTION
end


Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.



NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system



****************

AdwCleaner by Xplode

Click on this link to download : ADWCleaner (http://www.bleepingcomputer.com/download/adwcleaner/)
Click on ONE of the Two Blue Download Now buttons That have a blue arrow beside them and save it to your desktop.

Do not click on any links in the top Advertisment.


Close all open windows and browsers.



Right click the AdwCleaner icon http://i1059.photobucket.com/albums/t432/cinjo23/RightClickonAdwCleanerIcon.jpg on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.

*****
https://dl.dropbox.com/u/73555776/AdwCleaner.GIF


Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean"
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.
NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why (http://www.im-infected.com/hijacker/isearch-avg-comsearch-hijacker.html) and Here (http://nojesusnopeas.blogspot.com/2012/08/sorry-but-avg-secure-search-is-malware.html). You can always Reinstall (http://www.avg.com/us-en/secure-search) it.


************************

Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/update/)to your desktop
http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
Install the progamme and select update
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits



Go back to the Dashboard and select Threat Scan and then click on Scan Now



If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.



On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log


Please post:
fixlist.txt
C:\AdwCleaner.txt
MBAM log

may need to make multiple post.

Talon7
2014-07-08, 03:07
All right, here are the three files. I'm not sure if this is relevant but as Malwarebyte was scanning, AVG had detected the various infections (mostly the Trojans) that it detected. When it asked if it wanted me to remove them I did not accept since I let Malwarebyte do that.

Another thing is that "Internet Explorer" will continue to start even after all of this.

Juliet
2014-07-08, 03:19
OK, we're removing a little bit at a time.


Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean"
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.

Talon7
2014-07-08, 03:44
All right, here is the file.

Juliet
2014-07-08, 03:59
The first AdwCleaner log you posted was an old one.
# AdwCleaner v2.300 - Logfile created 05/11/2013 at 20:41:41
# Updated 28/04/2013 by Xplode

I guess MBAM took it out cause the last one you ran was clean.

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
Emergency Backup Procedure - Tech Support Forum (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/306529-emergency-backup-procedure.html)

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Download ComboFix from here:
Link 1 (http://www.bleepingcomputer.com/download/combofix/)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Place ComboFix.exe on your Desktop <--Important

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



You can get help on disabling your protection programs here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html)
Double click on ComboFix.exe & follow the prompts.
You may be asked to install or update the Recovery Console (http://en.wikipedia.org/wiki/Recovery_Console) (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Your desktop may go blank. This is normal. It will return when ComboFix is done. Combofix may need to reboot your computer more than once to do its job this is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
---------------------------------------------------------------------------------------------
If there are Internet issues after running ComboFix:
Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Safari
Launch Safari
Go to general settings menu
Then in Preferences/ Advanced
Then on line click Proxies change settings ...
Click Internet Options, then click the Connections tab, click Network Settings.
Disable option (uncheck) for the use of proxy server ...



~~~~~~~~~~~~~~~~~~`

Talon7
2014-07-09, 01:11
Hey Juliet,

Well looks like the virus infected the boot sector, because when my computer restarted it would not start. System restore wouldn't work, even loading a command prompt wouldn't work. Hard lesson learned I guess.

Thank you anyway for helping out, you've been very helpful!

Juliet
2014-07-09, 02:20
Hey Juliet,

Well looks like the virus infected the boot sector, because when my computer restarted it would not start. System restore wouldn't work, even loading a command prompt wouldn't work. Hard lesson learned I guess.

Thank you anyway for helping out, you've been very helpful!

When you ran the last tool did it state there was a boot sector virus? Scans we ran previously did not mention this and they also scan the boot sector.
Does it load in safe mode?

Talon7
2014-07-09, 02:37
Won't even load in safe mode. I was actually about to download ComboFix but that's when the computer restarted.

Juliet
2014-07-09, 02:57
Won't even load in safe mode. I was actually about to download ComboFix but that's when the computer restarted.

Well.....oh dear.
You know, could also be hardware related since it died out like that, thats what it sounds like to me.
I am so sorry Talon, but this I cannot fix. Wish I could but right now it's probably a good idea to take it to a repair shop for this.

Talon7
2014-07-09, 03:20
No problem, thank you again for your help.

Yeah I was hoping it was hardware related, but when I found an account simply called "unknown" I'm certain it's malware. But again thank you, you certainly made me more aware about securing my computer.

Juliet
2014-07-09, 03:34
It may not be malicious

http://answers.microsoft.com/en-us/windows/forum/windows_7-security/account-unknown-under-security-tab-in-my-user/4186d0c9-2d9d-4aef-897c-f889178d7397
http://www.sevenforums.com/installation-setup/184141-unknown-user-account.html

Talon7
2014-07-09, 03:43
Hmm, that would make more sense actually, I'll keep that in mind for future reference. I'm still gonna do a hard reboot for a fresh start since nothing important or sensitive will be lost.

Juliet
2014-07-09, 03:46
Wont hurt anything to try.

Juliet
2014-07-09, 21:03
still with me?

Juliet
2014-07-13, 15:40
Glad we could help. :)http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif

Since this issue appears resolved ... this Topic is closed.