serious infection

Hi, my computer was recently infected with a virus.

Yesterday I was searching for something using google. I opened up a webpage and immediately got 21 warnings in a row from avast. It said that the items were moved to the virus chest before they could harm my computer. Since then I’ve gotten many more warnings and I’ve noticed a significant difference in my computer’s performance. I downloaded a trial version of malwarebytes and successfully removed a few items. But after that I did several full scans with avast and more infections showed up each time. The last few scans said that the items could not be moved to the virus chest because they were read-only files. Malwarebytes has not detected anything else. Any help you can provide would be greatly appreciated.

The last popup said the following…

Object: C:\windows\system32\dllhost.exe
Infection: Win32:Expiro-CL
Action:
Process: C:\Program Files\Alwil Software\Avast\AvastSvc.exe

hi 360,

You need to begin a cleansing routine under the care of a certified malware removal expert. One will be contacted soon after you’ve run and attached the following logs from these 4 programs in your next reply:

  • AdwCleaner
  • Malwarebytes
  • OTL
  • aswMBR.exe

(For Malwarebytes attach your first log produced with quarantine removal entries)

You can get these 4 programs here: http://forum.avast.com/index.php?topic=53253.0

Once this is done, a malware expert will be contacted.

https://www.virustotal.com/en/file/05faf1bd119433f1a8ac81de27448c59770c1fd581c334c704b87b97258c6b6e/analysis/

Thank you for the reply. The logs from AdwCleaner, aswMBR, and OTL are attached.

… and here’s the one from Malwarebytes earlier.

Good job.

As your volunteer certified malware expert may be getting up to go to work, expect a reply a bit later on. Be patient, he will come onboard in a few hours or so. Can’t exactly say when as he may live in a different time zone than you.

It may take a bit to analyze your logs for a customised fix just for your system, too.

Be patient, you do have an infection, and you are in good hands. :slight_smile:

Hi,

Step#1

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Step#2

Scan with Combofix:

  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.

  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
    (typical log location: C:\ComboFix.txt )

ok, here are the reports from FRST and ComboFix.

Also, I just received a new message from avast (see the picture attached). I wasn’t sure what to do so I left it alone.

Don’t do anything. Magna86 will come back and have a look and propose fixes just for you based upon what he finds in the logs you’ve just submitted. Follow his advice and make no changes without his OK, just as you’ve done here. Otherwise, you could easily get into quite the mess, but you won’t if you do as he instructs.

Hi,

Hm… this is a nasty one. Please follow three steps.
It is important to stay with me till the end, until I give you ‘All Clean’ light.
Before I proceed with fixing, I shall require some additional information.


Step#1

Re-run FRST64

  • Double-click to run it.
  • Under Optional Scan ensure “Addition.txt” and “Driver MD5” are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • FRST shall create another log (Addition.txt). Please attach it to your reply.

Step#2

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Type svchost.exe;dllhost.exe;msiexec.exe; into the Search: field in FRST then click the Search File(s) button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.

…and as Step#3 please follow this:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


SaveMbr: Drive=0

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

=> Also, on your Desktop, you should get MBRDUMP.txt. Please attach it here.

here are the files from steps 1 & 2

… and step 3.

Hi,

  1. Again… temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with Combofix.
  2. Delete old ComboFix (drag&drop CF icon in RecycleBin) and download fresh copy of ComboFix. ComboFix download link
  3. Open notepad and copy/paste the text present inside the code box below:
KillAll::

FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe|c:\windows\SysWow64\svchost.exe
C:\Windows\winsxs\x86_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7600.16385_none_4957caefe76d7816\msiexec.exe|C:\windows\system32\msiexec.exe

SRPeek::
c:\windows\System32\dllhost.exe
c:\windows\SysWOW64\dllhost.exe

FileLook::
c:\windows\System32\dllhost.exe
c:\windows\SysWOW64\dllhost.exe

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

----------------------- Next ----------------------

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Type svchost.exe;dllhost.exe;msiexec.exe; into the Search: field in FRST then click the Search File(s) button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.

ok, the files are attached.

Ok, Next…

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
BHO: Frostwire Toolbar - {46575637-0076-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\FWV7\Passport_x64.dll (APN LLC.)
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll No File
BHO-x32: Frostwire Toolbar - {46575637-0076-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\FWV7\Passport.dll (APN LLC.)
Toolbar: HKLM - Frostwire Toolbar - {46575637-0076-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\FWV7\Passport_x64.dll (APN LLC.)
Toolbar: HKLM-x32 - Frostwire Toolbar - {46575637-0076-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\FWV7\Passport.dll (APN LLC.)
CHR Extension: (cwwogwaoa) - C:\Users\Kanen\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0
CHR HKLM-x32\...\Chrome\Extension: [aaaaiognmpgbjoffachmpnnppfnokcbe] - C:\ProgramData\AskPartnerNetwork\Toolbar\FWV7\CRX\ToolbarCR.crx
CHR HKLM-x32\...\Chrome\Extension: [jplinpmadfkdgipabgcdchbdikologlh] - C:\Program Files (x86)\1ClickDownload\1click12.crx
C:\Program Files (x86)\AskPartnerNetwork
C:\Program Files (x86)\AVG
C:\Users\Kanen\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm
C:\Program Files (x86)\1ClickDownload
UNLOCK: S3 COMSysApp; C:\Windows\system32\dllhost.exe [562688 2013-10-28] ()
UNLOCK: S3 COMSysApp; C:\Windows\SysWow64\dllhost.exe [560128 2013-10-28] ()
UNLOCK: S2 msiserver; C:\Windows\SysWow64\msiexec.exe [626176 2013-10-28] (
S3 COMSysApp; C:\Windows\system32\dllhost.exe [562688 2013-10-28] ()
S3 COMSysApp; C:\Windows\SysWow64\dllhost.exe [560128 2013-10-28] ()
S2 msiserver; C:\Windows\SysWow64\msiexec.exe [626176 2013-10-28] (
C:\Windows\system32\dllhost.exe
C:\Windows\SysWow64\dllhost.exe
C:\Windows\SysWow64\msiexec.exe
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
FILE: C:\Windows\system32\svchost.exe
End

2.

Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

------ Next ------

Re-run ComboFix by double-clicking and post me the freshly created ComboFix.txt log report.

------ Next ------

Re-run FRST Scan:

  • Double-click to run it.
  • Under Optional Scan ensure “Addition.txt” and “Driver MD5” are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • FRST shall also create another log (Addition.txt). Please attach it to your reply.
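As an added illustration for this thread (not code from FRST, ComboFix, or any of the posters), the script below applies the same triage signal Magna86 reads off the FRST service lines quoted in the fixlist above: a binary under system32 or SysWOW64 that FRST lists with an empty publisher field “()” and a modification date unlike the rest of the OS build is treated as a suspect, while entries carrying “(Microsoft Corporation)” are left alone. It also shows the check that belongs before the FCopy restore in the earlier CFScript: hashing the live binary against its WinSxS copy so you know whether the backup actually differs from the file you are about to replace. The sample lines are copied from this thread; the line-format regex is my reading of the FRST output shown here, and the file paths passed to the hash comparison are assumed.

```python
"""Triage FRST service lines and verify a WinSxS backup copy by hash.

Added illustration for this thread; it is not FRST's or ComboFix's own code.
FRST prints service/driver entries in the shape shown in the thread:
    <state> <name>; <path> [<size> <YYYY-MM-DD>] (<company>)
A genuine Windows binary under system32 / SysWOW64 normally carries
"(Microsoft Corporation)"; a patched (file-infected) copy shows "()".
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed line grammar, derived from the FRST lines quoted in this thread.
SERVICE_LINE = re.compile(
    r"^(?P<state>[SUR]\d)\s+(?P<name>[^;]+);\s+"
    r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys))\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<company>[^)]*)\)\s*$",
    re.IGNORECASE,
)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

# Constructed sample input: the service lines quoted in this thread's fixlist
# (the last one is truncated in the thread exactly like this).
SAMPLE_LOG = r"""
S3 COMSysApp; C:\Windows\system32\dllhost.exe [562688 2013-10-28] ()
S3 COMSysApp; C:\Windows\SysWow64\dllhost.exe [560128 2013-10-28] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
U5 MSIServer; C:\Windows\System32\msiexec.exe [73216 2009-07-13] (Microsoft Corporation)
S2 msiserver; C:\Windows\SysWow64\msiexec.exe [626176 2013-10-28] (
"""


@dataclass
class ServiceEntry:
    state: str
    name: str
    path: str
    size: int
    date: str
    company: str


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one FRST service line; None when the line does not fit the grammar."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["state"], m["name"].strip(), m["path"],
                        int(m["size"]), m["date"], m["company"].strip())


def is_system_binary(path: str) -> bool:
    """True for files living in the two Windows system directories."""
    lower = path.lower()
    return any(d in lower for d in SYSTEM_DIRS)


def triage(log_text: str) -> Tuple[List[ServiceEntry], List[str]]:
    """Return (suspects, unparsed): system binaries with no publisher, and
    lines the grammar could not read (truncated or differently shaped)."""
    suspects, unparsed = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
        elif is_system_binary(entry.path) and entry.company == "":
            suspects.append(entry)
    return suspects, unparsed


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_backup(live_path: str, backup_path: str) -> bool:
    """True when the live binary is byte-identical to its WinSxS backup copy.
    A mismatch on a flagged file is what justifies restoring from the backup
    (the FCopy step in the CFScript); a match means the backup has nothing
    different to offer and the file needs another source."""
    return sha256_file(live_path) == sha256_file(backup_path)


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG)
    for e in found:
        print(f"SUSPECT  {e.path}  size={e.size}  date={e.date}  (no publisher)")
    for line in skipped:
        print(f"UNPARSED {line}")
```

Run on the sample it reports both dllhost.exe copies as suspects, leaves the two Microsoft-signed entries alone, and lists the truncated msiexec line as unparsed rather than silently dropping it; feed it a real FRST.txt and point `matches_backup` at the live file and its `C:\Windows\winsxs\...` copy before deciding on a restore.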

sorry for the delay. I had some issues with ComboFix this time… it didn’t produce a log after it finished. Instead all of the icons on my desktop disappeared and nothing was working aside from the start button. I restarted my computer and then ComboFix began preparing the log report. The .txt file appeared shortly afterward so hopefully this doesn’t complicate things…

Ok, here are next steps.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
File: c:\windows\System32\rundll32.exe
File: c:\windows\SysWOW64\rundll32.exe
File: c:\windows\SysWow64\svchost.exe
File: c:\windows\system32\msiexec.exe
File: c:\windows\system32\dllhost.exe
c:\users\SK\AppData\Local\AskPartnerNetwork
CHR Extension: (cwwogwaoa) - C:\Users\Kanen\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0
C:\Users\Kanen\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm
U3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} [x]
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
U5 MSIServer; C:\Windows\System32\msiexec.exe [73216 2009-07-13] (Microsoft Corporation)
U3 VSS;
End

2.

Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

---------------- Next -------------

Re-run ComboFix by double-clicking and post me the freshly created ComboFix.txt log report.

---------------- Next -------------

Re-run FRST Scan:

  • Double-click to run it.
  • Under Optional Scan ensure “Driver MD5” is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.

done. I also received a new message from avast.

Hi.

Thanks for the screenshot.

As before, you are under Magna’s care and he will certainly look into it. Please be patient and proceed with every step he says you need to do.

What you’re seeing is avast! working as it should and detecting things, but Magna will manually remove all traces of this infection by the logs you attach and the programs he has you run, and you will, soon enough, be clean once again. Hang in there.