
Infected: Random Audio Advertisements


5 replies to this topic

#1 M0SEPH

M0SEPH

  • Members
  • 2 posts

Posted 28 September 2008 - 04:03 PM

I've got a recurring problem with these random audio advertisements, probably caused by a trojan of some sort.
Mabidwe.exe is running, and it might be the source of my problem. Help me out, please?


#2 buddy215

buddy215

  • Moderator
  • 13,414 posts
  • Gender:Male
  • Location:West Tennessee

Posted 28 September 2008 - 04:42 PM

MABIDWE.EXE is Trojan/Backdoor.

What program identified the malware?

Use Super Antispyware to find and remove the malware. Allow it to remove whatever it finds.
http://www.superantispyware.com/
After installing and updating SAS, boot into "safe mode" and run the SAS scan.

Post the log.

To retrieve the removal information (the log) after reboot, launch SUPERAntispyware again.

* Click Preferences, then click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.

EDIT: provide added info
Malware such as the backdoor that you are infected with allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I suggest you disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.


When and how should I reformat?
http://www.dslreports.com/faq/10063

Edited by buddy215, 28 September 2008 - 06:42 PM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 28 September 2008 - 05:08 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

Malwarebytes works for that infection

I would try that next if SAS didn't remove

or just as a double check

It never hurts to be sure
Chewy

No. Try not. Do... or do not. There is no try.

#4 M0SEPH

M0SEPH
  • Topic Starter

  • Members
  • 2 posts

Posted 28 September 2008 - 06:55 PM

Thanks! I've had my computer disconnected from the internet since I noticed the audio sounds. I'm pretty cautious about things like that. I've been working off my desktop for the most part, connecting to the internet on this computer only to download those programs. Luckily this computer is only used for school and music storage. So I ran the program and got my log, which is below. What's my next step?



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/28/2008 at 07:19 PM

Application Version : 4.21.1004

Core Rules Database Version : 3581
Trace Rules Database Version: 1569

Scan type : Quick Scan
Total Scan Time : 00:31:05

Memory items scanned : 314
Memory threats detected : 0
Registry items scanned : 411
Registry threats detected : 60
File items scanned : 7257
File threats detected : 67

Trojan.WinFixer
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E55D9353-124A-4064-B1EA-972FD0AC5626}
HKCR\CLSID\{E55D9353-124A-4064-B1EA-972FD0AC5626}
HKCR\CLSID\{E55D9353-124A-4064-B1EA-972FD0AC5626}\InprocServer32
HKCR\CLSID\{E55D9353-124A-4064-B1EA-972FD0AC5626}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVTU.DLL

Trojan.Agent/Service
HKLM\System\ControlSet001\Services\afisicx
C:\WINDOWS\SYSTEM32\AFISICX.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_afisicx
HKLM\System\ControlSet001\Services\mabidwe
C:\WINDOWS\SYSTEM32\MABIDWE.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_mabidwe
HKLM\System\ControlSet001\Services\noytcyr
C:\WINDOWS\SYSTEM32\NOYTCYR.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_noytcyr
HKLM\System\ControlSet001\Services\roytctm
C:\WINDOWS\SYSTEM32\ROYTCTM.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_roytctm
HKLM\System\ControlSet001\Services\soxpeca
C:\WINDOWS\SYSTEM32\SOXPECA.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_soxpeca
HKLM\System\ControlSet001\Services\tdydowkc
C:\WINDOWS\SYSTEM32\TDYDOWKC.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_tdydowkc
HKLM\System\ControlSet002\Services\afisicx
HKLM\System\ControlSet002\Enum\Root\LEGACY_afisicx
HKLM\System\ControlSet002\Services\mabidwe
HKLM\System\ControlSet002\Enum\Root\LEGACY_mabidwe
HKLM\System\ControlSet002\Services\noytcyr
HKLM\System\ControlSet002\Enum\Root\LEGACY_noytcyr
HKLM\System\ControlSet002\Services\roytctm
HKLM\System\ControlSet002\Enum\Root\LEGACY_roytctm
HKLM\System\ControlSet002\Services\soxpeca
HKLM\System\ControlSet002\Enum\Root\LEGACY_soxpeca
HKLM\System\ControlSet002\Services\tdydowkc
HKLM\System\ControlSet002\Enum\Root\LEGACY_tdydowkc
HKLM\System\CurrentControlSet\Services\afisicx
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_afisicx
HKLM\System\CurrentControlSet\Services\mabidwe
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_mabidwe
HKLM\System\CurrentControlSet\Services\noytcyr
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_noytcyr
HKLM\System\CurrentControlSet\Services\roytctm
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_roytctm
HKLM\System\CurrentControlSet\Services\soxpeca
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_soxpeca
HKLM\System\CurrentControlSet\Services\tdydowkc
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_tdydowkc
C:\WINDOWS\Prefetch\MABIDWE.EXE-234CCBA5.pf
C:\WINDOWS\Prefetch\SOXPECA.EXE-34410099.pf

Trojan.Dropper/Gen
HKLM\System\ControlSet001\Services\wsldoekd
C:\WINDOWS\SYSTEM32\WSLDOEKD.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_wsldoekd
HKLM\System\ControlSet002\Services\wsldoekd
HKLM\System\ControlSet002\Enum\Root\LEGACY_wsldoekd
HKLM\System\CurrentControlSet\Services\wsldoekd
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_wsldoekd


Adware.Unclassified/Spruce
C:\Program Files\Spruce\Spruce.dll.intermediate.manifest
C:\Program Files\Spruce\Spruce.original
C:\Program Files\Spruce\un_SpruceSetup_17737.txt
C:\Program Files\Spruce\X_Spruce.log
C:\Program Files\Spruce
HKLM\Software\Spruce
HKLM\Software\Spruce\Spruce
HKLM\Software\Spruce\Spruce#Version
HKLM\Software\Spruce\Spruce#ProgName
HKLM\Software\Spruce\Spruce#UnInstallString
HKLM\Software\Spruce\Spruce#InstallDir
HKLM\Software\Spruce\Spruce\1.0.0.25
HKCR\AppId\Spruce.DLL
HKCR\AppId\Spruce.DLL#AppID
HKCR\Spruce.SpruceBHO
HKCR\Spruce.SpruceBHO\CLSID
HKCR\Spruce.SpruceBHO\CurVer
HKCR\Spruce.SpruceBHO.1
HKCR\Spruce.SpruceBHO.1\CLSID
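
As an added example (not part of this thread, and not SUPERAntiSpyware's own tooling), the Python script below parses a scan log in the format posted above into structured findings, so a helper can see at a glance which detections registered a Windows service for persistence (the `Services\...` and `Enum\Root\LEGACY_...` keys that tie MABIDWE.EXE and its siblings to the Trojan.Agent/Service entry) and whether the pasted log is complete. The layout it assumes (`Key : value` header lines, then blank-line-separated blocks that open with a detection name and list registry keys and file paths) is inferred from the posted log; the embedded sample is a constructed excerpt of a few of the posted entries, not the full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the SUPERAntiSpyware log posted above:
# a handful of the posted entries, not the complete log, so the header counts
# deliberately exceed what is listed below (reconcile() reports that).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/28/2008 at 07:19 PM

Application Version : 4.21.1004

Scan type : Quick Scan
Total Scan Time : 00:31:05

Registry threats detected : 60
File threats detected : 67

Trojan.WinFixer
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E55D9353-124A-4064-B1EA-972FD0AC5626}
HKCR\CLSID\{E55D9353-124A-4064-B1EA-972FD0AC5626}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVTU.DLL

Trojan.Agent/Service
HKLM\System\ControlSet001\Services\afisicx
C:\WINDOWS\SYSTEM32\AFISICX.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_afisicx
HKLM\System\CurrentControlSet\Services\mabidwe
C:\WINDOWS\SYSTEM32\MABIDWE.EXE
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_mabidwe
C:\WINDOWS\Prefetch\MABIDWE.EXE-234CCBA5.pf

Trojan.Dropper/Gen
HKLM\System\CurrentControlSet\Services\wsldoekd
C:\WINDOWS\SYSTEM32\WSLDOEKD.EXE
"""

TITLE = "SUPERAntiSpyware Scan Log"
REG_PATH = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKCC)\\", re.I)
FILE_PATH = re.compile(r"^[A-Za-z]:\\")
HEADER_KV = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")
SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)$", re.I)
LEGACY_KEY = re.compile(r"\\Enum\\Root\\LEGACY_([^\\]+)$", re.I)


def parse_sas_log(text):
    """Return (header fields, {detection name: [(kind, path), ...]})."""
    header = {}
    findings = defaultdict(list)
    current = None  # detection block we are inside; None while still in the header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = "registry" if REG_PATH.match(line) else "file" if FILE_PATH.match(line) else None
        if kind:
            if current is not None:
                findings[current].append((kind, line))
            continue
        if current is None:
            m = HEADER_KV.match(line)
            if m:
                header[m.group(1).strip()] = m.group(2).strip()
                continue
            if line.startswith("Generated "):  # the one header line without 'Key :'
                header["Generated"] = line[len("Generated "):]
                continue
            if line == TITLE or line.startswith("http"):
                continue
        current = line  # any other non-path line opens a new detection block
    return header, dict(findings)


def persisted_services(findings):
    """Service names the scanner tied to a Services or LEGACY_ key, per detection:
    this is the autostart that lets a 'Trojan.Agent/Service' survive a reboot."""
    services = defaultdict(set)
    for name, items in findings.items():
        for kind, path in items:
            if kind != "registry":
                continue
            m = SERVICE_KEY.search(path) or LEGACY_KEY.search(path)
            if m:
                services[name].add(m.group(1).lower())
    return {name: sorted(svc) for name, svc in services.items()}


def reconcile(header, findings):
    """(stated, parsed) counts per kind; a shortfall means the pasted log is incomplete."""
    parsed = {"registry": 0, "file": 0}
    for items in findings.values():
        for kind, _ in items:
            parsed[kind] += 1
    stated = {
        "registry": int(header.get("Registry threats detected", 0)),
        "file": int(header.get("File threats detected", 0)),
    }
    return {kind: (stated[kind], parsed[kind]) for kind in parsed}


def summarize(text):
    """Per-detection triage view: registry entry count, files on disk, persisted services."""
    header, findings = parse_sas_log(text)
    services = persisted_services(findings)
    report = {}
    for name, items in findings.items():
        report[name] = {
            "registry": sum(1 for kind, _ in items if kind == "registry"),
            "files": sorted(path for kind, path in items if kind == "file"),
            "services": services.get(name, []),
        }
    return header, report


if __name__ == "__main__":
    header, report = summarize(SAMPLE_LOG)
    print(f"{header.get('Scan type')} generated {header.get('Generated')}")
    for name, info in report.items():
        print(f"{name}: {info['registry']} registry entries, services={info['services']}")
        for path in info["files"]:
            print(f"    {path}")
    print("stated vs parsed:", reconcile(header, parse_sas_log(SAMPLE_LOG)[1]))
```

Run against the full log above, the `services` list for Trojan.Agent/Service comes out as the six randomly named executables in SYSTEM32, each registered under ControlSet001, ControlSet002 and CurrentControlSet, which is why the scanner had to clean three copies of every key; the prefetch entries show the binaries had actually executed, not merely been dropped.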

#5 buddy215

buddy215

  • Moderator
  • 13,414 posts
  • Gender:Male
  • Location:West Tennessee

Posted 28 September 2008 - 08:26 PM

You should run another scan with SAS after 2 days and after updating. SAS updates almost daily. You should keep the free version and update it once a week or so in case you run into more malware. No need to have it run in background or startup.

Use a program such as CCleaner to clean up temporary files, logs, cookies, etc. During install you will be offered the Yahoo Toolbar. UNcheck if NOT wanted.

Delete all restore points in System Restore as some are infected and may reinfect your computer if used.
Vista System Restore Guide
http://www.bleepingcomputer.com/tutorials/windows-vista-system-restore-guide/

XP System Restore Guide
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

A lot of popular websites and others get compromised daily and you can protect your computer from "driveby installs" and popup ads that install malware when you attempt to close them and many others by using Firefox browser with the NoScript addon.

SAS identifies the backdoor as Trojan.Agent/Service so as you can see SAS removed it.

EDIT==Added info
If you have used a flash drive or CDs interchangeably on both computers, you should scan the desktop, too.
I see you did a "quick scan" before. Do a full system scan the next time. I also wanted to caution you if you are using P2P programs they are well known to be a main source of some really bad malware.

Edited by buddy215, 28 September 2008 - 08:55 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 September 2008 - 08:40 PM

Hello, since you have chosen to try cleaning the PC, why not also run the MBAM scan recommended earlier by DaChew, just to see what else may be on this machine.

Here are complete instructions to help you along.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.