win32:BHO-ALX

I came back to my computer this morning and noticed that it stalled out at 3 % because of an infection with this Trojan. I selected “delete all” and the program finished in about an hour and a half.

I hear that this is a bad trojan. I want to do a manual removal. Does anyone have any instructions?

Let me clarify. I was running a boot-time scan that stalled out.

I hear that this is a bad trojan. I want to do a manual removal. Does anyone have any instructions?
Instructions are found in the guide above your post....

This is part of my Malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.28.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16518
Bruce :: BRUCE-PC [administrator]

2/28/2014 10:44:28 AM
MBAM-log-2014-02-28 (10-50-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 248174
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Detected: 4
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe (PUP.Optional.Savingsbull) → 2232 → No action taken.
C:\Program Files (x86)\FindRight\updateFindRight.exe (PUP.Optional.FindRight.A) → 2660 → No action taken.
C:\Program Files (x86)\FindRight\bin\utilFindRight.exe (PUP.Optional.FindRight.A) → 2848 → No action taken.
C:\Program Files\SavingsbullFilter\SavingsbullFilterService64.exe (PUP.Optional.SavingsBull.A) → 2560 → No action taken.

Memory Modules Detected: 1
C:\Program Files (x86)\FindRight\bin\FindRight.BrowserFilter.Helper.dll (PUP.Optional.FindRight.A) → No action taken.

Registry Keys Detected: 45
HKLM\SYSTEM\CurrentControlSet\Services\Level Quality Watcher (PUP.Optional.Savingsbull) → No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\Update FindRight (PUP.Optional.FindRight.A) → No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\Util FindRight (PUP.Optional.FindRight.A) → No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc (PUP.Optional.Conduit.A) → No action taken.
HKCR\CLSID\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD} (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\mysearchdial.mysearchdialHlpr.1 (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\mysearchdial.mysearchdialHlpr (PUP.Optional.MySearchDial.A) → No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD} (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\CLSID\{2c774641-5504-46a8-b63f-6715ae3fe376} (PUP.Optional.FindRight.A) → No action taken.
HKCR\TypeLib\{c638abe2-47da-4351-b170-e6a673d25ca3} (PUP.Optional.FindRight.A) → No action taken.
HKCR\Interface\{4CCADDA1-60AD-48AA-97C2-FA892D2499FB} (PUP.Optional.FindRight.A) → No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C774641-5504-46A8-B63F-6715AE3FE376} (PUP.Optional.FindRight.A) → No action taken.
HKCR\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8} (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) → No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) → No action taken.
HKCR\CLSID\{3004627E-F8E9-4E8B-909D-316753CBA923} (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\mysearchdial.mysearchdialdskBnd.1 (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\mysearchdial.mysearchdialdskBnd (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23} (PUP.Optional.BrowseFox.A) → No action taken.
HKCR\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B} (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0} (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\esrv.mysearchdialESrvc.1 (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\esrv.mysearchdialESrvc (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\Typelib\{FBC322D5-407E-4854-8C0B-555B951FD8E3} (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\Interface\{0400EBCA-042C-4000-AA89-9713FBEDB671} (PUP.Optional.MySearchDial.A) → No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{219046AE-358F-4CF1-B1FD-2B4DE83642A8} (PUP.Optional.MySearchDial.A) → No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\SavingsbullFilterService64 (PUP.Optional.SavingsBull.A) → No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect (PUP.Optional.SearchProtect.A) → No action taken.
HKCU\Software\FindRight (PUP.Optional.FindRight.A) → No action taken.
HKCU\Software\mysearchdial (PUP.Optional.MySearchDial.A) → No action taken.
HKCU\Software\SavingsBull (PUP.Optional.SavingsBull.A) → No action taken.
HKCU\Software\AppDataLow\Software\Savings Bull (PUP.Optional.SavingsBull.A) → No action taken.
HKCU\Software\AppDataLow\Software\SavingsBull (PUP.Optional.SavingsBull.A) → No action taken.
HKCU\Software\InstallCore\1I1T1Q1S (PUP.Optional.InstallCore.A) → No action taken.
HKCU\Software\InstallCore\mysearchdial (PUP.Optional.MySearchDial.A) → No action taken.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) → No action taken.
HKLM\SOFTWARE\SavingsbullFilter (PUP.Optional.SavingsBull.A) → No action taken.
HKLM\SOFTWARE\InstallCore\mysearchdial (PUP.Optional.MySearchDial.A) → No action taken.
HKLM\Software\FindRight (PUP.Optional.FindRight.A) → No action taken.
HKCR\CLSID\{C358B3D0-B911-41E3-A276-E7D43A6BA56D} (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\mysearchdial.mysearchdialappCore.1 (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\mysearchdial.mysearchdialappCore (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\CLSID\{4ED063C9-4A0B-4B44-A9DC-23AFF424A0D3} (PUP.Optional.MySearchDial.A) → No action taken.
HKCR\m (PUP.Optional.MySearchDial.A) → No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mysearchdial (PUP.Optional.MySearchDial.A) → No action taken.

Second part of Malwarebytes log:

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{3004627E-F8E9-4E8B-909D-316753CBA923} (PUP.Optional.MySearchDial.A) → Data: mysearchdial Toolbar → No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar{3004627E-F8E9-4E8B-909D-316753CBA923} (PUP.Optional.MySearchDial.A) → Data: → No action taken.
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) → Data: 0B1G1O1S0V1G1F → No action taken.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs (PUP.Optional.Conduit.A) → Bad: (C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll) Good: () → No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit.A) → Bad: (http://search.conduit.com/?ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPB97A5AB8-4383-4EEA-8628-44F329809854&SSPV=) Good: (http://www.google.com) → No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.MySearchDial.A) → Bad: (http://start.mysearchdial.com/?f=1&a=dsites0202&cd=2XzuyEtN2Y1L1QzutDtDtBtAyDyEzy0EyD0A0ByCzy0ByDtCtN0D0Tzu0SyBzzyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=1527863448&ir=) Good: (http://www.google.com) → No action taken.

Folders Detected: 33
C:\Program Files (x86)\FindRight (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\FindRight\bin (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\FindRight\bin\plugins (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files\SavingsbullFilter (PUP.Optional.SavingsBull.A) → No action taken.
C:\Program Files (x86)\SearchProtect (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\Main (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\Main\bin (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\Main\Logs (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\Main\rep (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\SearchProtect (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\SearchProtect\bin (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\SearchProtect\rep (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\bin (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\dialogs (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\dialogs\bubble (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\dialogs\Images (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\dialogs\libs (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\dialogs\protection (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\dialogs\protectionDS (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\dialogs\settings (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\dialogs\uninstall (PUP.Optional.SearchProtect.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\rep (PUP.Optional.SearchProtect.A) → No action taken.
C:\Users\Bruce\AppData\Roaming\mysearchdial (PUP.Optional.MySearchDial.A) → No action taken.
C:\Users\Bruce\AppData\Roaming\mysearchdial\icons_2.2.15.1631 (PUP.Optional.MySearchDial.A) → No action taken.
C:\Users\Bruce\AppData\Roaming\mysearchdial\UpdateProc (PUP.Optional.MySearchDial.A) → No action taken.
C:\Program Files (x86)\Mysearchdial (PUP.Optional.MySearchDial.A) → No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0 (PUP.Optional.MySearchDial.A) → No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\bh (PUP.Optional.MySearchDial.A) → No action taken.
C:\Program Files\Level Quality Watcher\v1.01 (PUP.Optional.Adpeak) → No action taken.
C:\Users\Bruce\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngaeinfoeljecnggcbonnohnjpepenmb (PUP.Optional.SavingsBull.A) → No action taken.
C:\Users\Bruce\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngaeinfoeljecnggcbonnohnjpepenmb\5.0_0 (PUP.Optional.SavingsBull.A) → No action taken.
C:\Program Files (x86)\SavingsBull (PUP.Optional.SavingsBull.A) → No action taken.

Files Detected: 227
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe (PUP.Optional.Savingsbull) → No action taken.
C:\Program Files (x86)\FindRight\updateFindRight.exe (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\FindRight\bin\utilFindRight.exe (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe (PUP.Optional.Conduit.A) → No action taken.
C:\Program Files (x86)\SearchProtect\SearchProtect\bin\cltmng.exe (PUP.Optional.Conduit.A) → No action taken.
C:\Program Files (x86)\SearchProtect\UI\bin\cltmngui.exe (PUP.Optional.Conduit.A) → No action taken.
C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC32.dll (PUP.Optional.Conduit.A) → No action taken.
C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (PUP.Optional.Conduit.A) → No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\bh\mysearchdial.dll (PUP.Optional.MySearchDial.A) → No action taken.
C:\Program Files (x86)\FindRight\FindRightBHO.dll (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\SavingsBull\IEOptimizer.dll (PUP.Optional.ScorpionSaver) → No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\mysearchdialTlbr.dll (PUP.Optional.MySearchDial.A) → No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\mysearchdialsrv.exe (PUP.Optional.MySearchDial.A) → No action taken.
C:\Users\Bruce\AppData\Local\Temp\nsbCE0B.exe (PUP.Optional.SearchProtect.A) → No action taken.
C:\Users\Bruce\AppData\Local\Temp\nsbCFE0.exe (PUP.Optional.SearchProtect.A) → No action taken.
C:\Users\Bruce\AppData\Local\Temp\nsgF7EC.exe (PUP.Optional.SearchProtect.A) → No action taken.
C:\Users\Bruce\AppData\Local\Temp\nsqF9B1.exe (PUP.Optional.SearchProtect.A) → No action taken.
C:\Users\Bruce\AppData\Local\Temp\is1242154493\72665231_stp\Mysearchdial.exe (PUP.Optional.MySpeedDial.A) → No action taken.
C:\Users\Bruce\AppData\Local\Temp\is1242154493\72665267_stp\FindRightSetup.exe (PUP.Optional.FindRight.A) → No action taken.
C:\Users\Bruce\AppData\Local\Temp\nsqAAC1\SpSetup.exe (PUP.Optional.Conduit.A) → No action taken.
C:\Users\Bruce\Downloads\FileOpenerSetup.exe (PUP.Optional.InstallCore) → No action taken.
C:\Users\Bruce\Local Settings\Temporary Internet Files\Content.IE5\G8P627SY\spstub[1].exe (PUP.Optional.Conduit.A) → No action taken.
C:\Users\Bruce\Local Settings\Temporary Internet Files\Content.IE5\RMD72O20\Setup[1].exe (PUP.Optional.FindRight.A) → No action taken.
C:\Users\Bruce\Local Settings\Temporary Internet Files\Content.IE5\V2IOTMDK\SPSetup[1].exe (PUP.Optional.Conduit.A) → No action taken.
C:\Program Files (x86)\FindRight\FindRight.ico (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\FindRight\7za.exe (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\FindRight\FindRightUninstall.exe (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\FindRight\updateFindRight.InstallState (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\FindRight\bin\FindRight.BrowserFilter.Helper.dll (PUP.Optional.FindRight.A) → No action taken.
C:\Program Files (x86)\FindRight\bin\FindRight.BrowserFilter.Helper.dll.old.7a830ced-5aa3-47dd-b6f7-c5b14914175a (PUP.Optional.FindRight.A) → No action taken.

attach the logs…not copy and paste
and your Malwarebytes log says NO ACTION TAKEN … after scan, make sure everything detected is marked for removal and click remove selected button…attach new log

then OTL log…

Oh! Sorry.

Here is the log from the Malwarebytes quickscan:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.28.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16518
Bruce :: BRUCE-PC [administrator]

2/28/2014 10:59:17 AM
mbam-log-2014-02-28 (10-59-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247060
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Does this mean it was cleared up? It seems too easy.

Should I do a full scan now?

no…we need OTL log to check for leftovers…and it MUST be attached…not copy and paste

see below the txt box you write in here Attachments and other options

Here are the OTL logs.

malware experts are notified and should be online soon…

Does this mean I have a problem?

Will someone contact me for a chat session?

What about these instructions in the guide?:

"Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start scan."

Hi @belix379

Re-run OTL.exe.

- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dsites0202&cd=2XzuyEtN2Y1L1QzutDtDtBtAyDyEzy0EyD0A0ByCzy0ByDtCtN0D0Tzu0SyBzzyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=1527863448&ir=
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0202&cd=2XzuyEtN2Y1L1QzutDtDtBtAyDyEzy0EyD0A0ByCzy0ByDtCtN0D0Tzu0SyBzzyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=1527863448&ir=
IE - HKU\S-1-5-21-724286703-2107181808-1087732598-1000\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPB97A5AB8-4383-4EEA-8628-44F329809854&q={searchTerms}&SSPV=
IE - HKU\S-1-5-21-724286703-2107181808-1087732598-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0202&cd=2XzuyEtN2Y1L1QzutDtDtBtAyDyEzy0EyD0A0ByCzy0ByDtCtN0D0Tzu0SyBzzyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=1527863448&ir=
CHR - homepage: http://search.conduit.com/?ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPB97A5AB8-4383-4EEA-8628-44F329809854&SSPV=

:commands
[emptytemp]


- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

---- > Next

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Thanks! Here is the log report.

Follow the instructions for Farbar (FRST).

You guys are unbelievably helpful! I can’t thank you enough.

Pretty sure I need to worry about this log entry:

SavingsBull (HKLM.…\Level Quality Watcher) (Version: SavingsBull - SavingsBull) <==== ATTENTION
SavingsBull (x32 Version: 1.0.0.0 - SavingsBull) Hidden
SavingsbullFilter (Version: 1.0.0.0 - SavingsBull Filter) Hidden <==== ATTENTION

This too:

ile Opener Packages (HKCU.…\File Opener Packages) (Version: - ) <==== ATTENTION
FileOpener (HKLM-x32.…\Tweaks FileOpener) (Version: 1.1.1 - Tweaks)
FindRight (HKLM.…\FindRight) (Version: 2014.02.26.012524 - FindRight) <==== ATTENTION