Author Topic: Searches redirecting and constant globalroot\systemroot\svchost.exe processes  (Read 6565 times)


dasva

  • Guest
So basically each time I run various anti-whatever programs it will seem to fix it, but eventually all my searches will start getting hijacked. So I got avast free and did a full scan, and after that I started having various things blocked by network shield. The objects were always different, but the process would always be globalroot\systemroot\svchost.exe. And my searches still get hijacked. So I ran a full boot-up scan and eventually got that finished, as well as MBAM, and it had me restart too, and I still have the problem, so I am creating a new topic like the "logs to assist" thread says.


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Do you have more logs? Malwarebytes / aswMBR

Offline Pondus
I see you are running AVG and avast.

Running multiple AV will create all kinds of Windows errors and false positive detections, so you have to uninstall one.

It is also recommended to run a removal tool so all leftover file(s) that can conflict are gone.

Run and reboot - Uninstallers – Security Software
http://singularlabs.com/uninstallers/security-software/

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Ta Pondus  ;D

I will need to see the aswMBR log please so that I can determine the variant.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
    O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-3799292957-1194181936-1802369922-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()

    :Files
    ipconfig /flushdns /c
    C:\Program Files (x86)\Search Toolbar

    :Commands
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

dasva

  • Guest
aswMBR log


dasva

  • Guest
Ah which do I do or all that stuff?

Offline essexboy
Run the OTL fix please and then

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

dasva

  • Guest
Ok did all that and combofix started preparing a log on startup...  and it's just been like that for about 20 minutes now.

Also just got the same avast warning.
« Last Edit: February 27, 2012, 12:45:29 AM by dasva »

dasva

  • Guest
Oh guess I just didn't wait long enough...

And yes, still getting a lot of alerts about globalroot\systemroot\svchost.exe. And thanks for all the help so far.

Also, I might add that one of my processes is taking up pretty much more memory than everything else combined if I look in Task Manager. It's the only svchost.exe*32 currently up; the description is winscrmde and it's taking up ~1,500,000k.

Also, rerunning some of these programs turns up new stuff.
« Last Edit: February 27, 2012, 07:16:06 AM by dasva »
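A defender-side check prompted by the two observations in the thread above (a "svchost.exe" running from globalroot\systemroot rather than System32, and a svchost.exe*32 holding ~1.5 GB): this is an added PowerShell example, not part of the thread and not from OTL, ComboFix or any other tool mentioned here. It assumes a 64-bit Windows host and an elevated session so that every process's image path is readable; the 500 MB working-set threshold is an assumption chosen for illustration.

```powershell
# Added example: flag svchost.exe instances that do not look like the Service Host Windows itself starts.
# Real svchost.exe lives in %SystemRoot%\System32 (or SysWOW64 for the rare 32-bit case), is signed by
# Microsoft, and is started by services.exe. A copy launched via \\?\globalroot\systemroot\svchost.exe
# resolves to a path directly under %SystemRoot%, so the path check alone already separates it.
$sysRoot       = $env:SystemRoot
$expectedPaths = @("$sysRoot\System32\svchost.exe", "$sysRoot\SysWOW64\svchost.exe")
$wsLimitMB     = 500   # assumption: a Service Host above this working set deserves a closer look

# Snapshot all processes once so parent lookups do not race against processes exiting.
$byId = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byId[[int]$_.ProcessId] = $_ }

foreach ($p in ($byId.Values | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $findings = @()
    $path = $p.ExecutablePath

    if (-not $path) {
        $findings += 'image path unreadable (run elevated)'
    } else {
        # 1. Path: anything outside System32/SysWOW64 is not the Windows Service Host.
        if ($expectedPaths -notcontains $path) { $findings += "unexpected path: $path" }

        # 2. Authenticode: the genuine binary carries a valid Microsoft signature.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status: $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
        }

        # 3. Bitness hint: Task Manager's "*32" suffix means a WOW64 process; on x64 that is unusual for svchost.
        if ([Environment]::Is64BitOperatingSystem -and $path -like "$sysRoot\SysWOW64\*") {
            $findings += '32-bit svchost on a 64-bit host'
        }
    }

    # 4. Parent: services.exe is the only expected launcher of svchost.exe.
    $parent     = $byId[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ine 'services.exe') { $findings += "parent is $parentName (PID $($p.ParentProcessId))" }

    # 5. Memory: Task Manager's 1,500,000 K is roughly 1.5 GB, far beyond a normal Service Host.
    $wsMB = [math]::Round($p.WorkingSetSize / 1MB)
    if ($wsMB -gt $wsLimitMB) { $findings += "working set ${wsMB} MB" }

    if ($findings.Count -gt 0) { "PID $($p.ProcessId): " + ($findings -join '; ') }
}
```

A clean host prints nothing; each line of output names one svchost.exe instance and every reason it was flagged, which is the evidence to attach alongside the tool logs the thread asks for.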

Offline essexboy
Something new here

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:regfind
winscrmde
WS2IFSL
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

dasva

  • Guest
System look

Edit: Haven't had any alerts from avast for a while now, and so far none of my searches have been hijacked... most recent scans turn up nothing. But not sure what's changed, since it still was right after the last fix. Also that one process is still really big.
« Last Edit: February 28, 2012, 05:07:16 AM by dasva »

true indian

  • Guest
As a side note for essexboy, I found a ThreatExpert report related to what he is investigating (may not be an accurate report though); maybe this may help essexboy:
http://www.threatexpert.com/files/ws2ifsl.exe.html
« Last Edit: February 28, 2012, 01:18:22 PM by true indian »

Offline essexboy
OK, that is the legitimate sys file  ;D

If all is well tomorrow let me know and I will tidy up

dasva

  • Guest
Still getting the same network shield alerts, but they seem to be less frequent. I only know they're happening because I check the log.

Any reason why that one process sometimes uses so much memory? I mean it literally is more than everything else combined. Granted I wasn't running much, but that is a serious chunk of my memory. It's been doing that for a while sometimes. Lags me down tons and sometimes actually makes me run out of memory.

Edit: Guess I said that too soon. A lot more alerts now.
« Last Edit: February 29, 2012, 03:20:16 PM by dasva »

Offline essexboy
WS2IFSL.sys is the "Winsock IFS Driver" and is used for non-standard ISP type connections.

Is this the one taking all your memory up?

OK, let's do a deep analysis - this programme will produce a zip file for me to look at. Could you upload it to mediafire and post the sharing link.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan

Allow AVP to delete all infections found
Once it has finished select the report tab (last tab)
Select Detected threats report from the left and press the Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

On completion click the link to locate the zip file to upload and attach to your next post