
Hijack.Sound


11 replies to this topic

#1 baltimoron

Posted 03 March 2009 - 09:21 AM

Hi. I seem to be having a similar problem to another user (see here). Yesterday, I caught one of the fake anti-spyware programs. I was careful not to click on the fake program, and instead forced a shutdown and ran AVG command line scanner and MBAM in safe mode. This seemed to get rid of the rogue installers, but I still have 8 Hijack.Sound files that I'm unable to get rid of. MBAM finds them, and then claims to have quarantined and deleted them successfully, but they reappear on subsequent scans. The same thing happens in safe mode as in full mode.

AVG and Spybot Search and Destroy don't find anything.


Also, when I started up just now in full mode, I got the following messages:

AVG8TrayRunningScansWnd: avgtray.exe - Application Error
The instruction at "0x011e2336" referenced memory at "0x011e2336." The memory could not be "read."
Click on OK to terminate the program.
Click on CANCEL to debug the program.

avgtray.exe - Application Error
The instruction at "0x011e9bbf" referenced memory at "0x011e9bbf". The memory could not be "read".
Click on OK to terminate the program.
Click on CANCEL to debug the program.

I am running Windows XP Pro, version 2002, service pack 3.

I'll edit to add my MBAM log in just a sec (have to switch to the infected computer to copy/paste it).

Thanks in advance.


MBAM log:

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 3

3/2/2009 5:38:24 PM
mbam-log-2009-03-02 (17-38-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 142015
Time elapsed: 50 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LOCALS~1\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LOCALS~1\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LOCALS~1\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LOCALS~1\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\Kathleen\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\Kathleen\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LOCALS~1\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LOCALS~1\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by baltimoron, 03 March 2009 - 09:24 AM.
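What the eight MBAM hits above have in common, as an added Python example that is not part of this thread: every Drivers32 value (wave1, midi1, mixer1, aux1, ...) should name wdmaud.drv, which Windows resolves from system32, but each was pointed at the same DLL under a user-profile Application Data folder, and the log shows only the registry data being reset, not that DLL being removed. The script parses the log lines and reports why each mapping looks hijacked; the family allow-list and the path checks are this example's assumptions, not anything MBAM exports.

```python
import re
from collections import defaultdict

# Four of the eight "Registry Data Items Infected" lines from the MBAM log
# above, copied verbatim as constructed sample input for this example.
MBAM_LINES = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LOCALS~1\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LOCALS~1\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\Kathleen\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\Kathleen\APPLIC~1\MACROM~1\Common\3bbaa04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
"""

# One MBAM registry-data line: KEY\value (detection) -> Bad: (x) Good: (y) -> status
LINE_RE = re.compile(
    r"^(?P<key>HKEY_.+?)\\(?P<value>[^\\ ]+) \((?P<detection>[^)]+)\)"
    r" -> Bad: \((?P<bad>[^)]+)\) Good: \((?P<good>[^)]+)\) -> (?P<status>.+)$"
)

# Drivers32 value families that a stock Windows XP install routes through
# wdmaud.drv, the "Good" value MBAM reports for every hit on this page.
# (This allow-list is an assumption of the example, not something MBAM exports.)
WDMAUD_FAMILIES = {"wave", "midi", "mixer", "aux"}


def parse_mbam_line(line):
    """Return the fields of one MBAM registry-data line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_drivers32(value_name, target):
    """List the reasons a Drivers32 value -> target mapping looks hijacked."""
    reasons = []
    family = value_name.rstrip("0123456789").lower()
    t = target.lower()
    if family in WDMAUD_FAMILIES and t != "wdmaud.drv":
        reasons.append("expected wdmaud.drv for " + value_name)
    # A bare driver name resolves from system32; an absolute path elsewhere,
    # especially under a user profile (DOCUME~1\...\Application Data), is a
    # location that is writable without admin rights.
    if ":\\" in t and not t.startswith("c:\\windows\\system32\\"):
        reasons.append("absolute path outside system32")
    if "\\docume~1\\" in t or "\\documents and settings\\" in t:
        reasons.append("target lives under a user profile")
    return reasons


def summarize(log_text):
    """Group the flagged Drivers32 values by the DLL they were pointed at."""
    by_dll = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_mbam_line(line)
        if rec and rec["key"].lower().endswith("\\drivers32"):
            if audit_drivers32(rec["value"], rec["bad"]):
                by_dll[rec["bad"]].append(rec["value"])
    return {dll: sorted(names) for dll, names in by_dll.items()}


if __name__ == "__main__":
    for dll, names in summarize(MBAM_LINES).items():
        print(dll, "<-", ", ".join(names))
```

Run against a full MBAM log, the summary shows every audio value collapsing onto one or two DLL paths, which is the pattern that distinguishes a deliberate Drivers32 hijack from a single stray codec entry.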



#2 rigel (FD-BC)

Posted 03 March 2009 - 10:52 AM

Hi and welcome to BC.

I am waiting to see what extremeboy does to fix this infection. At this point I would say to hold for a moment until that thread completes. We can take it from there.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 baltimoron (Topic Starter)

Posted 03 March 2009 - 10:55 AM

Thanks, Rigel. I'll continue to keep an eye on what extreme boy and Kanko are doing in the other thread.

#4 baltimoron (Topic Starter)

Posted 03 March 2009 - 12:40 PM

In the meantime, I ran Super AntiSpyware. It found 6 "Rogue.Component/Trace" items. They are now listed as quarantined:

HKLM\Software\Microsoft\90140298\
HKLM\Software\Microsoft\90140298\(90140298 - tzNESQAAAAA=)
HKLM\Software\Microsoft\90140298\(9014af18 - UU1NSQMWFlpRS1ZXXF0XWlZUAwEJOQ==)
HKLM\Software\Microsoft\90140298\(9014c6fd - UU1NSQMWFgEMFwgLFw0KFwEPAwEJOQ==)
HKLM\Software\Microsoft\90140298\(Version - affid=166840&resid=zdez)
HKUS\S-1-5-21-3313443987-3719379617-3280216788-1005\Software\Microsoft\FIAS4018


Unlike Kanko, I was able to run SDFix successfully. But looking at the log, I don't think it detected anything?


SDFix: Version 1.240
Run by Kathleen on Tue 03/03/2009 at 12:08 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 12:17:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\keyacc32.exe"="C:\\WINDOWS\\keyacc32.exe:*:Enabled:KeyAccess"
"C:\\Program Files\\BCDC++\\DCPlusPlus.exe"="C:\\Program Files\\BCDC++\\DCPlusPlus.exe:*:Enabled:BCDC++"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 9 Sep 2008 0 A.SH. --- "C:\WINDOWS\system32\jijepudi.dll"
Tue 9 Sep 2008 0 A.SH. --- "C:\WINDOWS\system32\kozozari.dll"
Tue 9 Sep 2008 0 A.SH. --- "C:\WINDOWS\system32\tosumiye.dll"
Mon 4 Feb 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 4 Feb 2008 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\RECYCLER\S-1-5-21-3313443987-3719379617-3280216788-1005\Dc25\advcheck.dll"
Mon 4 Feb 2008 4,348 ...H. --- "C:\Documents and Settings\Kathleen\My Documents\My Music\License Backup\drmv1key.bak"
Mon 4 Feb 2008 401 A..H. --- "C:\Documents and Settings\Kathleen\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 12 Oct 2007 312 A.SH. --- "C:\Documents and Settings\Kathleen\My Documents\My Music\License Backup\drmv2key.bak"
Wed 9 Nov 2005 21,504 A..H. --- "C:\Documents and Settings\Kathleen\My Documents\AAA SORT\School\ENGL 304\~WRL0001.tmp"

Finished!


I have class for two hours, so I'm going to leave MBAM running again to see if it still picks up those 8 files.

#5 baltimoron (Topic Starter)

Posted 03 March 2009 - 02:15 PM

....and the files are still there. Got the same MBAM result as in the first post.

#6 rigel (FD-BC)

Posted 03 March 2009 - 03:48 PM

Yes... this is a rootkit that is protected by something hidden. We may end up working this out in the HJT forum.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#7 baltimoron (Topic Starter)

Posted 03 March 2009 - 03:48 PM

I've already downloaded Hijack This. Should I go ahead and run it and start a HJT thread?

#8 rigel (FD-BC)

Posted 03 March 2009 - 03:59 PM

Honestly... not yet. If you start an HJT thread, we need to close this one. Also... there is around a 5 day wait there. Still, I will leave that up to you.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#9 baltimoron (Topic Starter)

Posted 03 March 2009 - 04:13 PM

Is this something that I could fix by backing up my data and reloading windows from scratch?

My dilemma (and I appreciate it is probably the dilemma of most people here, and that you guys are very busy) is that I'm in professional school and need to resolve this as quickly as possible. If wiping the disk will fix things, then I'm willing to do that.

If starting over isn't an option or won't fix the problem, is it advisable to keep using the computer in the meantime? Obviously, I'd refrain from doing banking or anything money-related, but the infected laptop is my primary computer and the larger screen makes it much easier to conduct research on.


edited to add: Would it be safe to move my personal files (music, pictures, documents) to a USB drive? Or are they likely to be infected as well? I have an online backup of my school files, but there's plenty of other stuff I'd like to save. I just don't want to try to load it onto a clean machine and end up reinfected.

Edited by baltimoron, 03 March 2009 - 04:32 PM.


#10 rigel (FD-BC)

Posted 03 March 2009 - 06:24 PM

There are two answers to your question...

1) Some malware specialists would say that nothing is safe after a computer has been infected by a rootkit.

2) The others would say that the rootkit you have doesn't usually attack documents. It would rather steal your information and let you use your computer as much as possible. It may also invite other pieces of malware to infect you as well.

With all the scans you have done, I would think it would be safe to move your files to the flash drive and then scan and rescan the files before moving them back.
  • Before you place those files back on your fresh computer, please make sure you have antivirus installed and have it updated.
  • Have Windows updated as far as it can be. SP3 and updates.
  • Have a firewall in place.
  • Consider use of a HOSTS file.
Those are the minimums I would consider.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#11 baltimoron (Topic Starter)

Posted 03 March 2009 - 06:34 PM

Thank you! I think I'm going to try to save my files. I ordered a 32GB flash drive and when it arrives, I'll take the files off and reformat.

I'm not quite clear on the HOSTS file stuff, but I'll be looking at the information you linked to and attempting to use one on the clean system.

Thanks again for your help.

#12 extremeboy (Malware Response Team)

Posted 03 March 2009 - 06:52 PM

Hello.

I never knew there were 32gb flash-drives.. I should get one of those.

Anyways, here's a brief intro of the hosts file.

The hosts file is located at C:\WINDOWS\system32\drivers\etc\hosts

You can open it using Notepad. The hosts file is mainly used to block certain websites by redirecting them to a certain address. You can also use it to speed up certain sites by finding the corresponding IP address to that site.

Spybot and Hosts Manager add a whole bunch of sites that are known to be "bad" and redirect them to your localhost, which gives you the "404 error" or "Page not found" message if you go to that site. That means you will not be able to view the contents of that website or download from it because it's blocked by your hosts file. That's basically what the hosts file can help you with. There are other things you can do with the hosts file, but I will not go into details with that.

You can find more information on it with the link Rigel provided for you.

Below are some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use methods (plugged by the updates) that have not been stopped because people do not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, then here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and good luck!

Good luck on the format!

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.



