Unable to remove pesky infection

Status
Not open for further replies.
T

Talon7

New member
Hi,

I strongly suspect my computer has been infected with something. While I am connected to the Internet (and only when I'm connected), my CPU will be bombarded by over a dozen processes called "dllhost.exe*32" COM Surrogates. More frequently, however, a process called iexplore.exe will come up and eat up memory (sometimes multiple processes will appear). Before it shows up, it is preceded by a bunch of processes called ctfmon.exe with a description of "CTF Loader". Internet Explorer was uninstalled long ago so I know for sure this is NOT IE.

Attached is the aswMBR Log and the attach.txt file, but for some reason the DDS log cannot be formed no matter how I try to run the tool. No other major processes are running while I try and use the tool to create a DDS log. I have run Spybot and AVG and this problem has not gone away. Nothing in my network is wrong, it is JUST this computer.

Thanks in advance!

(The attach.txt file would not be attached when I tried to add it compressed as a winrar file, apologies.)
 

Attachments

Hi and welcome


Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure which version: Start --> Computer (right click) --> properties)
(To use correct version for your system.....Which system am I using?)

  • Run FRST.
  • Don´t change one of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Poste the FRST.txt
  • The first time the tool is run it generates another log Addition.txt - Please also paste that along with the FRST.txt into your reply.
 
Juliet, thank you!

Apparently both files exceed a file size limit here on the forums. I uploaded both files to dropbox; would it be all right to post them or is there some other method you want me to upload them?
 
Can you break up the logs into multiple post or attach the txt?
 
yikes, your system is heavily infected.

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)

start
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => "C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll" File Not Found
AppInit_DLLs-x32: c:\progra~2\browse~1\sprote~1.dll => "c:\progra~2\browse~1\sprote~1.dll" File Not Found
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
URLSearchHook: HKCU - (No Name) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - No File
SearchScopes: HKLM - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKLM-x32 - DefaultScope {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
SearchScopes: HKLM-x32 - {01bd49d7-c76b-4310-8beb-14d7e5f322c6} URL = http://search.easylifeapp.com/?q={searchTerms}&pid=388&src=ie2&r=2013/05/12&hid=3446745559&lg=EN&cc=US
SearchScopes: HKLM-x32 - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - {01bd49d7-c76b-4310-8beb-14d7e5f322c6} URL = http://search.easylifeapp.com/?q={searchTerms}&pid=388&src=ie2&r=2013/05/12&hid=3446745559&lg=EN&cc=US
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
FF NewTab: hxxp://search.conduit.com/?ctid=CT3319733&octid=EB_ORIGINAL_CTID&SearchSource=69&CUI=&SSPV=&Lay=1&UM=4&UP=SPC00D18AC-2904-4750-B950-0949C7CAC3CF
FF SearchEngineOrder.1: EasyLife
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "EasyLife");: user_pref("browser.search.order.1,S", "EasyLife");
FF Homepage: google.com
FF Keyword.URL: hxxp://search.easylifeapp.com/?pid=388&src=ff2&r=2013/05/12&hid=3446745559&lg=EN&cc=US&l=1&q=
FF user.js: detected! => C:\Users\talon\AppData\Roaming\Mozilla\Firefox\Profiles\lv532xay.default\user.js
FF SearchPlugin: C:\Users\talon\AppData\Roaming\Mozilla\Firefox\Profiles\lv532xay.default\searchplugins\trovi-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
FF Extension: Conduit Engine - C:\Users\talon\AppData\Roaming\Mozilla\Firefox\Profiles\lv532xay.default\Extensions\engine@conduit.com [2011-05-09]
CHR HomePage: http:\/\/search.conduit.com\/?ctid=CT3319733&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPC00D18AC-2904-4750-B950-0949C7CAC3CF&SSPV=
CHR StartupUrls: "hxxp://search.conduit.com/?ctid=CT3319733&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPC00D18AC-2904-4750-B950-0949C7CAC3CF&SSPV="
CHR DefaultSearchKeyword: trovi.search
CHR DefaultSearchURL: http:\/\/search.conduit.com\/Results.aspx?gd=&ctid=CT3319733&octid=EB_ORIGINAL_CTID&ISID=&SearchSource=58&CUI=&UM=5&UP=SPC00D18AC-2904-4750-B950-0949C7CAC3CF&q={searchTerms}&SSPV=CHR DefaultNewTabURL:
CHR Extension: (Extutil) - C:\Users\talon\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B [2014-01-28]
CHR Extension: (Managera) - C:\Users\talon\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42 [2014-01-28]
CHR HKLM-x32\...\Chrome\Extension: [dhdepfaagokllfmhfbcfmocaeigmoebo] - C:\Users\talon\AppData\Local\Savings Sidekick\Chrome\Savings Sidekick.crx [2013-10-03]
C:\Users\talon\AppData\Local\Temp\6_Offer_15.exe
C:\Users\talon\AppData\Local\Temp\ApplicationUpdate.Client.dll
C:\Users\talon\AppData\Local\Temp\DM.exe
C:\Users\talon\AppData\Local\Temp\drm_dyndata_7380015.dll
C:\Users\talon\AppData\Local\Temp\Gw2.exe
C:\Users\talon\AppData\Local\Temp\ICReinstall_Setup.exe
C:\Users\talon\AppData\Local\Temp\nscA614.exe
C:\Users\talon\AppData\Local\Temp\nsdA8D4.exe
C:\Users\talon\AppData\Local\Temp\nseAB94.exe
C:\Users\talon\AppData\Local\Temp\nspF986.exe
C:\Users\talon\AppData\Local\Temp\nsrFC47.exe
C:\Users\talon\AppData\Local\Temp\nssFF07.exe
C:\Users\talon\AppData\Local\Temp\nv3DVStreaming.dll
C:\Users\talon\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\talon\AppData\Local\Temp\nvSCPAPISvr.exe
C:\Users\talon\AppData\Local\Temp\nvStereoApiI.dll
C:\Users\talon\AppData\Local\Temp\nvStInst.exe
C:\Users\talon\AppData\Local\Temp\ose00000.exe
C:\Users\talon\AppData\Local\Temp\patcher_lib.dll
C:\Users\talon\AppData\Local\Temp\patcher_update.exe
C:\Users\talon\AppData\Local\Temp\rootsupd.exe
C:\Users\talon\AppData\Local\Temp\SearchProtectINT.exe
C:\Users\talon\AppData\Local\Temp\Shockwave_Installer_FF.exe
C:\Users\talon\AppData\Local\Temp\TempRealCharacterBuilderUpdater.exe
C:\Users\talon\AppData\Local\Temp\UNINSTALLER-6352.exe
C:\Users\talon\AppData\Local\Temp\vcredist_x64.exe
Savings Sidekick (HKLM-x32\...\Savings Sidekick) (Version: 1.18.149.149 - 215 Apps) <==== ATTENTION
end
Click to expand...

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.



NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system



****************

AdwCleaner by Xplode

Click on this link to download : ADWCleaner
Click on ONE of the Two Blue Download Now buttons That have a blue arrow beside them and save it to your desktop.

Do not click on any links in the top Advertisment.


Close all open windows and browsers.


  • Right click the AdwCleaner icon
    RightClickonAdwCleanerIcon.jpg
    on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.

    *****
    AdwCleaner.GIF


  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
  • NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


************************

Please download Malwarebytes Anti-Malware to your desktop
http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
Install the progamme and select update
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits



Go back to the Dashboard and select Threat Scan and then click on Scan Now



If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.



On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log


Please post:
fixlist.txt
C:\AdwCleaner.txt
MBAM log

may need to make multiple post.
 
All right, here are the three files. I'm not sure if this is relevant but as Malwarebyte was scanning, AVG had detected the various infections (mostly the Trojans) that it detected. When it asked if it wanted me to remove them I did not accept since I let Malwarebyte do that.

Another thing is that "Internet Explorer" will continue to start even after all of this.
 

Attachments

OK, we're removing a little bit at a time.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
 
The first AdwCleaner log you posted was an old one.
# AdwCleaner v2.300 - Logfile created 05/11/2013 at 20:41:41
# Updated 28/04/2013 by Xplode

I guess MBAM took it out cause the last one you ran was clean.

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
Emergency Backup Procedure - Tech Support Forum

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix

Download ComboFix from here:
Link 1
Link 2
Link 3

Place ComboFix.exe on your Desktop <--Important
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. Combofix may need to reboot your computer more than once to do its job this is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
    ---------------------------------------------------------------------------------------------
  • If there are Internet issues after running ComboFix:
    Internet Explorer:
    Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
    Firefox:
    Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
    Chrome:
    Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
    Safari
    Launch Safari
    Go to general settings menu
    Then in Preferences/ Advanced
    Then on line click Proxies change settings ...
    Click Internet Options, then click the Connections tab, click Network Settings.
    Disable option (uncheck) for the use of proxy server ...

~~~~~~~~~~~~~~~~~~`
 
Hey Juliet,

Well looks like the virus infected the boot sector, because when my computer restarted it would not start. System restore wouldn't work, even loading a command prompt wouldn't work. Hard lesson learned I guess.

Thank you anyway for helping out, you've been very helpful!
 
Talon7 said:
Hey Juliet,

Well looks like the virus infected the boot sector, because when my computer restarted it would not start. System restore wouldn't work, even loading a command prompt wouldn't work. Hard lesson learned I guess.

Thank you anyway for helping out, you've been very helpful!
Click to expand...

When you ran the last tool did it state there was a boot sector virus? Scans we ran previously did not mention this and they also scan the boot sector.
Does it load in safe mode?
 
Won't even load in safe mode. I was actually about to download ComboFix but that's when the computer restarted.
 
Talon7 said:
Won't even load in safe mode. I was actually about to download ComboFix but that's when the computer restarted.
Click to expand...

Well.....oh dear.
You know, could also be hardware related since it died out like that, thats what it sounds like to me.
I am so sorry Talon, but this I cannot fix. Wish I could but right now it's probably a good idea to take it to a repair shop for this.
 
No problem, thank you again for your help.

Yeah I was hoping it was hardware related, but when I found an account simply called "unknown" I'm certain it's malware. But again thank you, you certainly made me more aware about securing my computer.
 
Hmm, that would make more sense actually, I'll keep that in mind for future reference. I'm still gonna do a hard reboot for a fresh start since nothing important or sensitive will be lost.
 
Glad we could help. :)
sparkle.gif


Since this issue appears resolved ... this Topic is closed.
 
Status
Not open for further replies.
Back
Top