Searches redirecting and constant globalroot\systemroot\svchost.exe processes

So basically each time I run various anti-whatever programs it will seem to fix it, but eventually all my searches will start getting hijacked. So I got Avast Free and did a full scan, and after that I started having various things blocked by Network Shield. The objects were always different but the process would always be globalroot\systemroot\svchost.exe. And my searches still get hijacked. So I ran a full boot-up scan and eventually got that finished as well as MBAM, and it had me restart too, and I still have the problem, so I'm creating a new topic like the "logs to assist" thread says.
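The symptom in the post above is a process reporting its image as globalroot\systemroot\svchost.exe, an NT object-manager alias that resolves to %SystemRoot%\svchost.exe rather than the real %SystemRoot%\System32\svchost.exe. The following triage check is an added example, not code from this thread: it normalizes such aliases and flags any svchost.exe whose real path or file description is not the expected one. Assumptions: the system drive is C:, the process list and the description "winscrmde" seen later in the thread are constructed sample input, and the expected description string is a heuristic.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumption: system drive is C:, so both aliases resolve to C:\Windows.
SYSTEM_ROOT = r"C:\Windows"
_ALIASES = [
    re.compile(r"^(\\\\\?\\|\\)?globalroot\\systemroot", re.I),  # \\?\globalroot\systemroot
    re.compile(r"^\\systemroot", re.I),                          # \SystemRoot
    re.compile(r"^%systemroot%", re.I),                          # %SystemRoot%
]
EXPECTED_SVCHOST = r"C:\Windows\System32\svchost.exe"
EXPECTED_DESCRIPTION = "Host Process for Windows Services"  # heuristic


@dataclass
class Proc:
    pid: int
    image_path: str
    description: str


def normalize(path: str) -> str:
    """Rewrite NT/object-manager aliases to a plain Win32 path, case-folded."""
    for pattern in _ALIASES:
        # Replacement is a function so backslashes in SYSTEM_ROOT are literal.
        path = pattern.sub(lambda m: SYSTEM_ROOT, path, count=1)
    return ntpath.normpath(path).lower()


def svchost_findings(procs):
    """Return (pid, reasons) for every svchost.exe that looks out of place."""
    findings = []
    for p in procs:
        if ntpath.basename(p.image_path).lower() != "svchost.exe":
            continue
        reasons = []
        if normalize(p.image_path) != EXPECTED_SVCHOST.lower():
            reasons.append("image outside System32: " + p.image_path)
        if p.description != EXPECTED_DESCRIPTION:
            reasons.append("unexpected description: " + p.description)
        if reasons:
            findings.append((p.pid, reasons))
    return findings


# Constructed sample process list (not real data from the thread).
SAMPLE_PROCS = [
    Proc(1020, r"C:\Windows\System32\svchost.exe", EXPECTED_DESCRIPTION),
    Proc(3100, r"C:\Windows\system32\SVCHOST.EXE", EXPECTED_DESCRIPTION),
    Proc(2544, r"\\?\globalroot\systemroot\svchost.exe", "winscrmde"),
    Proc(4000, r"C:\Windows\explorer.exe", "Windows Explorer"),
]

if __name__ == "__main__":
    for pid, reasons in svchost_findings(SAMPLE_PROCS):
        print(pid, "; ".join(reasons))
```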

Do you have more logs? Malwarebytes / aswMBR

I see you are running AVG and avast

Running multiple AVs will create all kinds of Windows errors and false positive detections, so you have to uninstall one.

It is also recommended to run a removal tool so all leftover file(s) that can conflict are gone.

run and reboot - Uninstallers – Security Software
http://singularlabs.com/uninstallers/security-software/

Ta Pondus ;D

I will need to see the aswMBR log please so that I can determine the variant

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-3799292957-1194181936-1802369922-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()

:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Search Toolbar

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
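The O2/O3 lines in the fix script above follow a fixed OTL layout: section tag, registry location, display name in parentheses, CLSID in braces, then either the DLL path with the file's company name in trailing parentheses or the text "No CLSID value found." The parser below is an added example, not part of the thread or of OTL itself; it extracts those fields and flags the two patterns a helper looks for, an orphaned toolbar value with no CLSID registration and a DLL with no company metadata (the empty "()"). The sample input is the four lines from the script plus one constructed benign entry with a made-up CLSID and vendor.

```python
import re

# Constructed sample: the four O2/O3 lines from the fix above plus one
# benign entry (made-up CLSID and vendor) so a clean case passes through.
SAMPLE_OTL = r"""
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-3799292957-1194181936-1802369922-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Example Helper) - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll (Example Corp.)
"""

LINE_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<location>.+?): \((?P<name>.*?)\) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<rest>.*)$"
)


def parse_otl(text):
    """Parse O2/O3 lines into dicts; path/vendor are None for orphaned entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an O2/O3 line in this layout
        rest = m.group("rest")
        if rest == "No CLSID value found.":
            path, vendor = None, None
        else:
            # Last " (" separates the path from the company string;
            # an empty "()" means the DLL carries no company version-info.
            path, _, vendor = rest.rpartition(" (")
            vendor = vendor.rstrip(")")
        entries.append({"section": m.group("section"), "location": m.group("location"),
                        "name": m.group("name"), "clsid": m.group("clsid").upper(),
                        "path": path, "vendor": vendor})
    return entries


def suspicious(entries):
    """Return (clsid, reason) for entries a helper would put in an OTL fix."""
    findings = []
    for e in entries:
        if e["path"] is None:
            findings.append((e["clsid"], "orphaned entry, no CLSID registration"))
        elif not e["vendor"]:
            findings.append((e["clsid"], "no company metadata: " + e["path"]))
    return findings


if __name__ == "__main__":
    for clsid, reason in suspicious(parse_otl(SAMPLE_OTL)):
        print(clsid, reason)
```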

aswMBR log

Ah which do I do or all that stuff?

Run the OTL fix please and then

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Ok did all that and combofix started preparing a log on startup… and it’s just been like that for about 20 minutes now.

Also just got the same avast warning.

Oh guess I just didn’t wait long enough…

And yes, still getting a lot of alerts about globalroot\systemroot\svchost.exe. And thanks for all the help so far.

Also I might add one of my processes is taking up pretty much more memory than everything else combined if I look in Task Manager. It’s the only svchost.exe*32 currently up; the description is winscrmde and it’s taking up ~1,500,000k.

Also rerunning some of these programs turns up new stuff

Something new here

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

[*]Double-click SystemLook.exe to run it.
[*]Copy the content of the following codebox into the main textfield:

:regfind
winscrmde
WS2IFSL

[*]Click the Look button to start the scan.
[*]When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

System look

Edit: Haven’t had any alerts from Avast for a while now and so far none of my searches have been hijacked… most recent scans turn up nothing. But not sure what’s changed since it still was right after the last fix. Also that one process is still really big

As a side note for essexboy, I found a ThreatExpert report related to what he is investigating [may not be an accurate report though]; maybe this may help essexboy:
http://www.threatexpert.com/files/ws2ifsl.exe.html

OK that is the legitimate sys file ;D

If all is well tomorrow let me know and I will tidy up

Still getting the same Network Shield alerts but they seem to be less frequent. I only know they're happening because I check the log.

Any reason why that one process sometimes uses so much memory? I mean it literally is more than everything else combined. Granted I wasn’t running much but that is a serious chunk of my memory. It’s been doing that for a while sometimes. Lags me down tons and sometimes actually makes me run out of memory.

Edit: Guess I said that too soon. A lot more alerts now

WS2IFSL.sys is the “Winsock IFS Driver” and is used for non-standard ISP type connections

Is this the one taking all your memory up ?

OK let's do a deep analysis - this programme will produce a zip file for me to look at… Could you upload it to MediaFire and post the sharing link

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif

On completion click the link to locate the zip file to upload and attach to your next post

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif

Not sure how to check that WS2IFSL.sys thing. Don’t see it in Task Manager.

Sorry the scan took so long, but it was a long scan and the computer accidentally got bumped halfway through the first one, then it told me to restart after the second scan. As such I think the saved report doesn’t have all the viruses on it. Also to note, I can’t seem to even get to the location where any of these files are. Basically there is no AppData folder under my user folder…

Anyways sysinfo stuff

http://www.mediafire.com/?6ivpvog69qf3por

3/1/2012 9:44:41 AM Disinfected Trojan program Rootkit.Boot.Pihar.b \Device\Harddisk0\DR0 High

Ok that appears to have been the problem

AVG is still showing a bunch of drivers

How is the computer now ?

I don’t think I’ve gotten another alert since the last scan finished. No more svchost.exe*32s running right now even though I have all the same programs I normally have up, and lag has been normalish. Looks like the last one did it.

Yeah the first scan or 2 had a lot of stuff in AVG. I want to say a total of 60-70 threats. Which was almost all of them.

Thanks for all the help. And that last scanner is a beast. Found so much the others didn’t. Too bad it takes forever

If all is well tomorrow let me know and I will remove my tools

Yep that did it thanks again