Author Topic: Stij.exe virus?!  (Read 11091 times)

0 Members and 1 Guest are viewing this topic.

Offline scener42

  • Newbie
  • *
  • Posts: 7
Stij.exe virus?!
« on: November 27, 2013, 08:52:18 PM »
So I was browsing the Internet earlier today and was download a game, but the site I was downloading the game from wouldn't let me download it unless I downloaded their downloader along with it. Naively, I decided to as I was in a hurry and had somewhere to be. After I got home, the download was finished, but my computer was a mess! A toolbar would pop up on every website I visited, around 3 or 4 more programs were installed on my computer, and my computer that is generally really fast was going slow as molasses. Avast said nothing was wrong with my computer, so I looked in my Task Manager and found a process called stij.exe and stij.exe *32. I have been advised on many websites to use AdwCleaner, but on the Logs topic on this forum it advised AdwCleaner as superfluous. What should I use to get rid of my virus? Please help!!
« Last Edit: November 27, 2013, 08:55:36 PM by scener42 »

Offline Pondus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 27128
Re: Stij.exe virus?!
« Reply #1 on: November 27, 2013, 09:02:01 PM »
we need some logs before we can help you....

attach (not copy and paste) Malwarebytes / OTL  logs.    http://forum.avast.com/index.php?topic=53253.0

 
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline scener42

  • Newbie
  • *
  • Posts: 7
Re: Stij.exe virus?!
« Reply #2 on: November 27, 2013, 09:42:40 PM »
Here are my logs, I used OTL

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37352
  • Dragons by Sasha
    • Malware fixes
Re: Stij.exe virus?!
« Reply #3 on: November 27, 2013, 10:20:14 PM »
It is not that AdwCleaner is superfluous but MBAM will kill the majority of items as well, so it is to cut down the initial tools that we removed it

 Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code: [Select]
:Commands
[CREATERESTOREPOINT]

:OTL
SRV:64bit: - [2013-09-17 12:25:42 | 001,761,584 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\dmwu.exe -- (IBUpdaterService)
SRV - [2013-11-13 15:07:10 | 000,066,848 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\SecretSauce\updateSecretSauce.exe -- (Update SecretSauce)
SRV - [2013-09-22 06:57:32 | 000,220,960 | ---- | M] (Conduit) [Auto | Running] -- C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe -- (CltMngSvc)
IE - HKLM\..\URLSearchHook: {707dca12-3f99-4d94-afea-06dcc0ae0108} - C:\Program Files (x86)\SweetPacks_A11\prxtbSwee.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {EDF3EA19-AF7C-4DA5-B8C0-C82D94DA51E1}
IE - HKU\S-1-5-21-2625895798-646920419-2108830663-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&CUI=UN23036949171083610&UM=2&ctid=CT3316071/
IE - HKU\S-1-5-21-2625895798-646920419-2108830663-1003\..\URLSearchHook: {707dca12-3f99-4d94-afea-06dcc0ae0108} - C:\Program Files (x86)\SweetPacks_A11\prxtbSwee.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-2625895798-646920419-2108830663-1003\..\SearchScopes,DefaultScope = {EDF3EA19-AF7C-4DA5-B8C0-C82D94DA51E1}
IE - HKU\S-1-5-21-2625895798-646920419-2108830663-1003\..\SearchScopes\{EDF3EA19-AF7C-4DA5-B8C0-C82D94DA51E1}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3316071&CUI=UN23036949171083610&UM=2
FF - prefs.js..CT3316071.browser.search.defaultthis.engineName: "true"
FF - prefs.js..browser.search.defaultenginename: "SweetPacks A11 Customized Web Search"
FF - prefs.js..browser.search.defaultthis.engineName: "SweetPacks A11 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3316071&CUI=UN27369629377920316&UM=2&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "SweetPacks A11 Customized Web Search"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3316071&octid=CT3316071&SearchSource=61&CUI=UN27369629377920316&UM=2&UP=SP36B24A88-3F9D-4325-BC40-E90A08B8E033&SSPV="
[2013-11-27 13:48:01 | 000,000,000 | ---D | M] (SweetPacks A11) -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\x8vbgo9x.default\extensions\{707dca12-3f99-4d94-afea-06dcc0ae0108}
[2013-11-13 15:07:10 | 000,007,143 | ---- | M] () (No name found) -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\x8vbgo9x.default\extensions\firefox@secretsauce.biz.xpi
[2013-11-27 13:48:07 | 000,001,005 | ---- | M] () -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\x8vbgo9x.default\searchplugins\conduit.xml
[2013-11-27 13:47:27 | 000,002,115 | ---- | M] () -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\x8vbgo9x.default\searchplugins\MyStart Search.xml
O2 - BHO: (SaveSense) - {0f21b1e5-5afc-43c9-9c66-515046e92ec2} - C:\Program Files (x86)\SaveSense\SaveSenseIE.dll (SaveSense)
O2 - BHO: (SecretSauce) - {0ffd0ef2-dbe9-483a-80c4-d2c331da1ce4} - C:\Program Files (x86)\SecretSauce\SecretSauceBHO.dll (SecretSauce)
O2 - BHO: (Coupon Companion) - {11111111-1111-1111-1111-110011441193} - C:\Program Files (x86)\Coupon Companion\Coupon Companion.dll File not found
O2 - BHO: (SweetPacks A11 Toolbar) - {707dca12-3f99-4d94-afea-06dcc0ae0108} - C:\Program Files (x86)\SweetPacks_A11\prxtbSwee.dll (Conduit Ltd.)
O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O3 - HKLM\..\Toolbar: (SweetPacks A11 Toolbar) - {707dca12-3f99-4d94-afea-06dcc0ae0108} - C:\Program Files (x86)\SweetPacks_A11\prxtbSwee.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [iSkysoft Helper Compact.exe] C:\Program Files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\ISHelper.exe File not found
O4 - HKLM..\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe (Conduit)
O4 - HKU\S-1-5-21-2625895798-646920419-2108830663-1003..\Run: [BackgroundContainer] C:\Users\Kids\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll (Conduit Ltd.)
O4 - HKU\S-1-5-21-2625895798-646920419-2108830663-1003..\Run: [ConduitFloatingPlugin_opfedmikikmahmpaimpfelmikhaigobp] C:\Users\Kids\AppData\Local\Temp\CT3316071\plugins\TBVerifier.dll (Conduit Ltd.)
O4 - HKU\S-1-5-21-2625895798-646920419-2108830663-1003..\Run: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe ()
O4 - HKU\S-1-5-21-2625895798-646920419-2108830663-1003..\Run: [SearchProtect] C:\Users\Kids\AppData\Roaming\SearchProtect\bin\cltmng.exe (Conduit)
[2013-11-27 13:57:19 | 000,000,000 | ---D | C] -- C:\Users\Kids\Documents\Optimizer Pro
[2013-11-27 13:57:18 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Roaming\Optimizer Pro
[2013-11-27 13:53:21 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense
[2013-11-27 13:53:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SaveSense
[2013-11-27 13:52:57 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\GCC
[2013-11-27 13:52:41 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\SwvUpdater
[2013-11-27 13:52:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2
[2013-11-27 13:51:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Optimizer Pro
[2013-11-27 13:49:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Conduit
[2013-11-27 13:49:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SweetPacks_A11
[2013-11-27 13:48:45 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\NativeMessaging
[2013-11-27 13:48:42 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\Conduit
[2013-11-27 13:48:39 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\CRE
[2013-11-27 13:48:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit
[2013-11-27 13:48:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SearchProtect
[2013-11-27 13:48:10 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Roaming\SearchProtect
[2013-11-27 13:47:18 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\ljkb
[2013-11-27 13:47:18 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\jmdp
[2013-11-27 13:47:09 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\ARFC
[2013-11-27 13:47:06 | 000,033,792 | ---- | C] (IncrediMail, Ltd.) -- C:\Windows\SysNative\ImHttpComm.dll
[2013-11-27 13:47:06 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\WNLT
[2013-11-27 13:46:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SecretSauce
[2013-11-27 13:46:11 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\Cool_Mirage
[2013-11-27 13:45:51 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SockshareDownloader.com
[2013-11-27 13:45:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SockshareDownloader.com
[2013-11-27 13:52:42 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\AmiUpdXp.job
[2013-11-27 13:52:01 | 000,001,064 | ---- | M] () -- C:\Users\Kids\Desktop\Optimizer Pro.lnk
[2013-11-27 13:45:51 | 000,000,948 | ---- | M] () -- C:\Users\Kids\Desktop\SockshareDownloader.lnk
[2013-11-27 13:47:22 | 000,000,000 | ---- | C] () -- C:\END
[2013-11-27 13:47:06 | 001,761,584 | ---- | C] () -- C:\Windows\SysNative\dmwu.exe
[2013-11-27 13:45:51 | 000,000,948 | ---- | C] () -- C:\Users\Kids\Desktop\SockshareDownloader.lnk
[2013-11-27 13:57:18 | 000,000,000 | ---D | M] -- C:\Users\Kids\AppData\Roaming\Optimizer Pro

:Files
C:\Program Files (x86)\SecretSauce
C:\Users\Kids\AppData\Roaming\SearchProtect
C:\Windows\SysWOW64\jmdp
C:\Users\Kids\AppData\Local\GCC
C:\Users\Kids\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbpebffoameokfhnaaedmefjncfboino
C:\Users\Kids\AppData\Local\Google\Chrome\User Data\Default\Extensions\khcceooakamlehbimaepcldnnlnkcmfk
C:\Users\Kids\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfedmikikmahmpaimpfelmikhaigobp

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download Junkware Removal Tool to your desktop.
  • Right-mouse click JRT.exe and select "Run as Administrator" the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • post the contents of JRT.txt into your next message.

Offline scener42

  • Newbie
  • *
  • Posts: 7
Re: Stij.exe virus?!
« Reply #4 on: November 27, 2013, 10:55:56 PM »
Do you know where I can locate the fix logs OTL produces? I've checked Downloads, it's not there. I'm trying to attach it so you can see it.

Offline Pondus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 27128
Re: Stij.exe virus?!
« Reply #5 on: November 27, 2013, 11:02:43 PM »
logs should be at same place OTL is located.....

run a new OTL scan as instructed under the OTL pic in essexboys post above...attach that log and he will see

« Last Edit: November 27, 2013, 11:10:02 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37352
  • Dragons by Sasha
    • Malware fixes
Re: Stij.exe virus?!
« Reply #6 on: November 27, 2013, 11:18:31 PM »
It should be in C:\_OTL\MovedFiles as a text document with the date and time of the run

Offline scener42

  • Newbie
  • *
  • Posts: 7
Re: Stij.exe virus?!
« Reply #7 on: November 28, 2013, 12:03:46 AM »
From what Pondus said, you don't need that file and just need the JRT file and the one from the OTL quick scan, so I did those and here are the logs.
If you do want that file let me know and I'll upload that aswell
« Last Edit: November 28, 2013, 12:08:04 AM by scener42 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37352
  • Dragons by Sasha
    • Malware fixes
Re: Stij.exe virus?!
« Reply #8 on: November 28, 2013, 03:06:05 PM »
There is no sign of it running now .. How is the computer behaving ?

Offline scener42

  • Newbie
  • *
  • Posts: 7
Re: Stij.exe virus?!
« Reply #9 on: November 28, 2013, 05:58:25 PM »
It's working fine! Not lagging out, I don't see something installed every 5 minutes or so, I think the virus is gone!
Btw - Just to be sure, is it safe to uninstall SecretSauce and the SweetPacks toolbar or will that just bring the virus back? I want to remove the progrms that caused me the initial problems.
« Last Edit: November 28, 2013, 06:01:47 PM by scener42 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37352
  • Dragons by Sasha
    • Malware fixes
Re: Stij.exe virus?!
« Reply #10 on: November 28, 2013, 07:51:51 PM »
Secret sauce and sweetpacks should now be history..  If you see any remaining elements let me know


Offline scener42

  • Newbie
  • *
  • Posts: 7
Re: Stij.exe virus?!
« Reply #11 on: November 29, 2013, 10:01:27 PM »
Yeah, all I see is it in the Add/Remove Programs, so I was wondering if it were safe to remove them.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37352
  • Dragons by Sasha
    • Malware fixes
Re: Stij.exe virus?!
« Reply #12 on: November 29, 2013, 10:07:22 PM »
Yes press uninstall .. windows will then offer to remove the entry

Offline scener42

  • Newbie
  • *
  • Posts: 7
Re: Stij.exe virus?!
« Reply #13 on: December 02, 2013, 01:54:59 AM »
Sorry to drag this on, but ever since I applied your fix whenever I restart my computer and logon, my BackgroundContainer takes around a minute to load and at first, the screen is black with an error message - Failed to execute AppData/Conduit/BackgroundContainer.dll. What is that and how can I fix it?
Along with that, I don't know if this is directly related, but I have two different instances of explorer.exe running on my computer, as I found from going on Task Manager. In fact, I'm hardly able to load Task Manager without using the shorcut because my taskbar is frozen and I can't click a single thing on it. What is going on??

Edit: I tried shutting it off and now the "Logging off..." is just looped, it's said that for about 7 minutes now, I'm seriously worried.
« Last Edit: December 02, 2013, 02:57:42 AM by scener42 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37352
  • Dragons by Sasha
    • Malware fixes
Re: Stij.exe virus?!
« Reply #14 on: December 02, 2013, 03:42:44 PM »
OK that will be a hidden task

Download and run Autoruns from here http://technet.microsoft.com/en-gb/sysinternals/bb963902.aspx

Select the scheduled tasks tab 
Locate the conduit container entry and remove the tick.
Reboot and it should no longer happen