Avast WEBforum

Other => Viruses and worms => Topic started by: scener42 on November 27, 2013, 08:52:18 PM

Title: Stij.exe virus?!
Post by: scener42 on November 27, 2013, 08:52:18 PM
So I was browsing the Internet earlier today and was downloading a game, but the site I was downloading the game from wouldn't let me download it unless I downloaded their downloader along with it. Naively, I decided to, as I was in a hurry and had somewhere to be. After I got home, the download was finished, but my computer was a mess! A toolbar would pop up on every website I visited, around 3 or 4 more programs were installed on my computer, and my computer, which is generally really fast, was going slow as molasses. Avast said nothing was wrong with my computer, so I looked in my Task Manager and found a process called stij.exe and stij.exe *32. I have been advised on many websites to use AdwCleaner, but the Logs topic on this forum described AdwCleaner as superfluous. What should I use to get rid of my virus? Please help!!
Title: Re: Stij.exe virus?!
Post by: Pondus on November 27, 2013, 09:02:01 PM
we need some logs before we can help you....

attach (not copy and paste) Malwarebytes / OTL  logs.    http://forum.avast.com/index.php?topic=53253.0

 
Title: Re: Stij.exe virus?!
Post by: scener42 on November 27, 2013, 09:42:40 PM
Here are my logs, I used OTL
Title: Re: Stij.exe virus?!
Post by: essexboy on November 27, 2013, 10:20:14 PM
It is not that AdwCleaner is superfluous, but MBAM will kill the majority of items as well, so it is to cut down the initial tools that we removed it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
Code:
:Commands
[CREATERESTOREPOINT]

:OTL
SRV:64bit: - [2013-09-17 12:25:42 | 001,761,584 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\dmwu.exe -- (IBUpdaterService)
SRV - [2013-11-13 15:07:10 | 000,066,848 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\SecretSauce\updateSecretSauce.exe -- (Update SecretSauce)
SRV - [2013-09-22 06:57:32 | 000,220,960 | ---- | M] (Conduit) [Auto | Running] -- C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe -- (CltMngSvc)
IE - HKLM\..\URLSearchHook: {707dca12-3f99-4d94-afea-06dcc0ae0108} - C:\Program Files (x86)\SweetPacks_A11\prxtbSwee.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {EDF3EA19-AF7C-4DA5-B8C0-C82D94DA51E1}
IE - HKU\S-1-5-21-2625895798-646920419-2108830663-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&CUI=UN23036949171083610&UM=2&ctid=CT3316071/
IE - HKU\S-1-5-21-2625895798-646920419-2108830663-1003\..\URLSearchHook: {707dca12-3f99-4d94-afea-06dcc0ae0108} - C:\Program Files (x86)\SweetPacks_A11\prxtbSwee.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-2625895798-646920419-2108830663-1003\..\SearchScopes,DefaultScope = {EDF3EA19-AF7C-4DA5-B8C0-C82D94DA51E1}
IE - HKU\S-1-5-21-2625895798-646920419-2108830663-1003\..\SearchScopes\{EDF3EA19-AF7C-4DA5-B8C0-C82D94DA51E1}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3316071&CUI=UN23036949171083610&UM=2
FF - prefs.js..CT3316071.browser.search.defaultthis.engineName: "true"
FF - prefs.js..browser.search.defaultenginename: "SweetPacks A11 Customized Web Search"
FF - prefs.js..browser.search.defaultthis.engineName: "SweetPacks A11 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3316071&CUI=UN27369629377920316&UM=2&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "SweetPacks A11 Customized Web Search"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3316071&octid=CT3316071&SearchSource=61&CUI=UN27369629377920316&UM=2&UP=SP36B24A88-3F9D-4325-BC40-E90A08B8E033&SSPV="
[2013-11-27 13:48:01 | 000,000,000 | ---D | M] (SweetPacks A11) -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\x8vbgo9x.default\extensions\{707dca12-3f99-4d94-afea-06dcc0ae0108}
[2013-11-13 15:07:10 | 000,007,143 | ---- | M] () (No name found) -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\x8vbgo9x.default\extensions\firefox@secretsauce.biz.xpi
[2013-11-27 13:48:07 | 000,001,005 | ---- | M] () -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\x8vbgo9x.default\searchplugins\conduit.xml
[2013-11-27 13:47:27 | 000,002,115 | ---- | M] () -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\x8vbgo9x.default\searchplugins\MyStart Search.xml
O2 - BHO: (SaveSense) - {0f21b1e5-5afc-43c9-9c66-515046e92ec2} - C:\Program Files (x86)\SaveSense\SaveSenseIE.dll (SaveSense)
O2 - BHO: (SecretSauce) - {0ffd0ef2-dbe9-483a-80c4-d2c331da1ce4} - C:\Program Files (x86)\SecretSauce\SecretSauceBHO.dll (SecretSauce)
O2 - BHO: (Coupon Companion) - {11111111-1111-1111-1111-110011441193} - C:\Program Files (x86)\Coupon Companion\Coupon Companion.dll File not found
O2 - BHO: (SweetPacks A11 Toolbar) - {707dca12-3f99-4d94-afea-06dcc0ae0108} - C:\Program Files (x86)\SweetPacks_A11\prxtbSwee.dll (Conduit Ltd.)
O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O3 - HKLM\..\Toolbar: (SweetPacks A11 Toolbar) - {707dca12-3f99-4d94-afea-06dcc0ae0108} - C:\Program Files (x86)\SweetPacks_A11\prxtbSwee.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [iSkysoft Helper Compact.exe] C:\Program Files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\ISHelper.exe File not found
O4 - HKLM..\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe (Conduit)
O4 - HKU\S-1-5-21-2625895798-646920419-2108830663-1003..\Run: [BackgroundContainer] C:\Users\Kids\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll (Conduit Ltd.)
O4 - HKU\S-1-5-21-2625895798-646920419-2108830663-1003..\Run: [ConduitFloatingPlugin_opfedmikikmahmpaimpfelmikhaigobp] C:\Users\Kids\AppData\Local\Temp\CT3316071\plugins\TBVerifier.dll (Conduit Ltd.)
O4 - HKU\S-1-5-21-2625895798-646920419-2108830663-1003..\Run: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe ()
O4 - HKU\S-1-5-21-2625895798-646920419-2108830663-1003..\Run: [SearchProtect] C:\Users\Kids\AppData\Roaming\SearchProtect\bin\cltmng.exe (Conduit)
[2013-11-27 13:57:19 | 000,000,000 | ---D | C] -- C:\Users\Kids\Documents\Optimizer Pro
[2013-11-27 13:57:18 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Roaming\Optimizer Pro
[2013-11-27 13:53:21 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense
[2013-11-27 13:53:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SaveSense
[2013-11-27 13:52:57 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\GCC
[2013-11-27 13:52:41 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\SwvUpdater
[2013-11-27 13:52:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2
[2013-11-27 13:51:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Optimizer Pro
[2013-11-27 13:49:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Conduit
[2013-11-27 13:49:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SweetPacks_A11
[2013-11-27 13:48:45 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\NativeMessaging
[2013-11-27 13:48:42 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\Conduit
[2013-11-27 13:48:39 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\CRE
[2013-11-27 13:48:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit
[2013-11-27 13:48:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SearchProtect
[2013-11-27 13:48:10 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Roaming\SearchProtect
[2013-11-27 13:47:18 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\ljkb
[2013-11-27 13:47:18 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\jmdp
[2013-11-27 13:47:09 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\ARFC
[2013-11-27 13:47:06 | 000,033,792 | ---- | C] (IncrediMail, Ltd.) -- C:\Windows\SysNative\ImHttpComm.dll
[2013-11-27 13:47:06 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\WNLT
[2013-11-27 13:46:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SecretSauce
[2013-11-27 13:46:11 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\Cool_Mirage
[2013-11-27 13:45:51 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SockshareDownloader.com
[2013-11-27 13:45:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SockshareDownloader.com
[2013-11-27 13:52:42 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\AmiUpdXp.job
[2013-11-27 13:52:01 | 000,001,064 | ---- | M] () -- C:\Users\Kids\Desktop\Optimizer Pro.lnk
[2013-11-27 13:45:51 | 000,000,948 | ---- | M] () -- C:\Users\Kids\Desktop\SockshareDownloader.lnk
[2013-11-27 13:47:22 | 000,000,000 | ---- | C] () -- C:\END
[2013-11-27 13:47:06 | 001,761,584 | ---- | C] () -- C:\Windows\SysNative\dmwu.exe
[2013-11-27 13:45:51 | 000,000,948 | ---- | C] () -- C:\Users\Kids\Desktop\SockshareDownloader.lnk
[2013-11-27 13:57:18 | 000,000,000 | ---D | M] -- C:\Users\Kids\AppData\Roaming\Optimizer Pro

:Files
C:\Program Files (x86)\SecretSauce
C:\Users\Kids\AppData\Roaming\SearchProtect
C:\Windows\SysWOW64\jmdp
C:\Users\Kids\AppData\Local\GCC
C:\Users\Kids\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbpebffoameokfhnaaedmefjncfboino
C:\Users\Kids\AppData\Local\Google\Chrome\User Data\Default\Extensions\khcceooakamlehbimaepcldnnlnkcmfk
C:\Users\Kids\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfedmikikmahmpaimpfelmikhaigobp

:Commands
[resethosts]
[emptytemp]
[Reboot]
THEN

Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.
Title: Re: Stij.exe virus?!
Post by: scener42 on November 27, 2013, 10:55:56 PM
Do you know where I can locate the fix logs OTL produces? I've checked Downloads, it's not there. I'm trying to attach it so you can see it.
Title: Re: Stij.exe virus?!
Post by: Pondus on November 27, 2013, 11:02:43 PM
Logs should be in the same place OTL is located.

Run a new OTL scan as instructed under the OTL pic in essexboy's post above. Attach that log and he will see.

Title: Re: Stij.exe virus?!
Post by: essexboy on November 27, 2013, 11:18:31 PM
It should be in C:\_OTL\MovedFiles as a text document with the date and time of the run
Title: Re: Stij.exe virus?!
Post by: scener42 on November 28, 2013, 12:03:46 AM
From what Pondus said, you don't need that file and just need the JRT file and the one from the OTL quick scan, so I did those and here are the logs.
If you do want that file, let me know and I'll upload that as well.
Title: Re: Stij.exe virus?!
Post by: essexboy on November 28, 2013, 03:06:05 PM
There is no sign of it running now .. How is the computer behaving ?
Title: Re: Stij.exe virus?!
Post by: scener42 on November 28, 2013, 05:58:25 PM
It's working fine! Not lagging out, I don't see something installed every 5 minutes or so, I think the virus is gone!
Btw, just to be sure, is it safe to uninstall SecretSauce and the SweetPacks toolbar, or will that just bring the virus back? I want to remove the programs that caused me the initial problems.
Title: Re: Stij.exe virus?!
Post by: essexboy on November 28, 2013, 07:51:51 PM
SecretSauce and SweetPacks should now be history. If you see any remaining elements, let me know.

Title: Re: Stij.exe virus?!
Post by: scener42 on November 29, 2013, 10:01:27 PM
Yeah, all I see is it in the Add/Remove Programs, so I was wondering if it were safe to remove them.
Title: Re: Stij.exe virus?!
Post by: essexboy on November 29, 2013, 10:07:22 PM
Yes, press uninstall. Windows will then offer to remove the entry.
Title: Re: Stij.exe virus?!
Post by: scener42 on December 02, 2013, 01:54:59 AM
Sorry to drag this on, but ever since I applied your fix, whenever I restart my computer and log on, my BackgroundContainer takes around a minute to load and at first the screen is black with an error message: Failed to execute AppData/Conduit/BackgroundContainer.dll. What is that and how can I fix it?
Along with that, I don't know if this is directly related, but I have two different instances of explorer.exe running on my computer, as I found from going into Task Manager. In fact, I'm hardly able to load Task Manager without using the shortcut because my taskbar is frozen and I can't click a single thing on it. What is going on??

Edit: I tried shutting it off and now the "Logging off..." is just looped, it's said that for about 7 minutes now, I'm seriously worried.
Title: Re: Stij.exe virus?!
Post by: essexboy on December 02, 2013, 03:42:44 PM
OK, that will be a hidden task.

Download and run Autoruns from here: http://technet.microsoft.com/en-gb/sysinternals/bb963902.aspx

Select the Scheduled Tasks tab.
Locate the Conduit container entry and remove the tick.
Reboot and it should no longer happen.
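The post above finds the leftover Conduit task by hand in Autoruns. As an added example that is not from the thread, this PowerShell audit does the same check programmatically: it lists scheduled-task actions and Run-key entries whose target file is missing, which is what you get when a fix removes a DLL but not the entry that launches it. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module) and an elevated session.

```powershell
# Added example, not from the thread: list autostart entries (scheduled tasks and
# Run keys) whose target file no longer exists. A task left in place after its DLL
# was removed is the pattern behind a "Failed to execute ...dll" message at logon.
function Resolve-ActionPath {
    param([string]$Execute, [string]$Arguments)
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not $exe) { return $null }
    # rundll32.exe <dll>,<entrypoint>: the file that matters is the DLL argument
    if ($exe -match '(?i)rundll32(\.exe)?$' -and $Arguments) {
        $dll = ($Arguments -split ',')[0].Trim().Trim('"')
        return [Environment]::ExpandEnvironmentVariables($dll)
    }
    # a bare name such as "cmd.exe" is resolved via PATH, not the current directory
    if ($exe -notmatch '[\\/]') {
        $found = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { return $found.Source }
    }
    return $exe
}
function Get-OrphanedScheduledTask {
    # Needs the ScheduledTasks module (Windows 8 / Server 2012 or later)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $path = Resolve-ActionPath $action.Execute $action.Arguments
            if ($path -and -not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"
                                   Target = $path; State = [string]$task.State }
            }
        }
    }
}
function Get-OrphanedRunEntry {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in ($keys | Where-Object { Test-Path $_ })) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, ...
            $cmd = [string]$p.Value                  # quoted path or first token is the exe
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = Resolve-ActionPath $exe ''
            if ($exe -and -not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Source = "$key\$($p.Name)"; Target = $exe; State = 'Run key' }
            }
        }
    }
}
@(Get-OrphanedScheduledTask) + @(Get-OrphanedRunEntry) | Format-Table -AutoSize
```

Each row names the task or Run value and the file it points at; an entry whose target is gone is the one to disable or delete (as the post does with Autoruns) rather than a file left to clean up.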