Random Audio Adverts With No Programs Open


  • This topic is locked
4 replies to this topic

#1 bustydeluxe

bustydeluxe

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:07 AM

Posted 28 September 2010 - 03:16 PM

Hi, my computer started playing audio adverts when no programs were open. It happens randomly. My machine is Vista Home Premium.

After a while of hearing these ads my machine failed to start up and I was forced to do a factory reset. Whilst I was doing that and installing my programs I worked off my laptop. Both of these computers are on a wired network.

Once I finished installing everything on my Vista machine (and I was unplugged from the network/internet whilst doing that) I plugged the machine back into the network and went online. Within 10 minutes the audio adverts started up again. Worse still, whilst working on my laptop today that started playing them as well. The laptop has had no programs installed in over 6 months and the only sites I go to on it are trusted client sites and mainstream sites such as Facebook and the BBC. Is it possible the laptop was infected over the network once I plugged my dodgy Vista machine back into it?

Anyway, I now have 2 machines playing these adverts (I'd love to meet the person who created this bit of malware, if it is in fact malware, and let them know just how I feel). Any help you can give me will be greatly appreciated. I'll start with the Vista machine and move over to the laptop once this one is clear.


Thanks
Ben

DDS Log and attached document, Attach.txt and Ark.txt (please ignore Zip Attachment, my mistake)


DDS (Ver_10-03-17.01) - NTFSx86
Run by BrotherLouis at 21:22:40.02 on 28/09/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3326.2249 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
svchost.exe 4
C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
svchost.exe 4
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\BrotherLouis\Desktop\New Folder\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.uk.acer.yahoo.com
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\brothe~1\appdata\roaming\mozilla\firefox\profiles\o0xg0xib.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-9-25 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-9-25 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100901.003\BHDrvx86.sys [2010-9-1 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-9-25 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100927.001\IDSvix86.sys [2010-9-28 344112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-9-25 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys [2010-9-25 339504]
R2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2009-7-17 3576320]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-9-25 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-25 102448]
R3 RDID1061;EDIROL UA-4FX;c:\windows\system32\drivers\Rdwm1061.sys [2010-8-21 140672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [2010-9-26 27648]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-09-26 16:38:22 0 d-----w- c:\users\brothe~1\appdata\roaming\FabFilter
2010-09-26 14:55:55 7680 ----a-w- c:\windows\system32\nvnusbaudio_coinst.dll
2010-09-26 14:55:55 27648 ----a-w- c:\windows\system32\drivers\nvnusbaudio.sys
2010-09-26 14:55:55 0 d-----w- c:\program files\Novation
2010-09-26 14:54:12 0 d-----w- c:\windows\Downloaded Installations
2010-09-26 14:53:40 0 d-----w- c:\program files\KORG
2010-09-26 14:51:22 0 dc-h--w- c:\programdata\{C2686527-0D57-4F0B-ADAB-EE203CA30FC6}
2010-09-26 14:43:11 86016 ----a-w- c:\windows\unvise32.exe
2010-09-25 20:02:40 0 d-----w- c:\users\brothe~1\appdata\roaming\Waves Audio
2010-09-25 19:57:54 0 d-----w- c:\program files\Waves
2010-09-25 19:55:17 0 d-----w- c:\program files\TCWorks
2010-09-25 19:51:15 659456 ----a-w- c:\windows\iun6002.exe
2010-09-25 19:50:05 0 d-----w- c:\program files\PSP Nitro
2010-09-25 19:48:31 0 d-----w- c:\program files\PSPaudioware
2010-09-25 19:43:19 0 d-----w- c:\program files\common files\digidesign
2010-09-25 19:42:33 61440 ----a-w- c:\windows\system32\NI_DFD_1_5.dll
2010-09-25 19:42:33 393216 ----a-w- c:\windows\system32\NI_IRC_1_2.dll
2010-09-25 19:42:33 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-09-25 19:42:33 2045952 ----a-w- c:\windows\system32\kconvert.dll
2010-09-25 19:38:51 0 d-----w- c:\program files\Image-Line
2010-09-25 19:28:19 0 dc-h--w- c:\programdata\{D69A48BF-7653-4AA8-94BC-5847522A4573}
2010-09-25 19:27:32 0 d-----w- c:\programdata\Native Instruments
2010-09-25 19:27:30 0 dc-h--w- c:\programdata\{0CC51CB2-911C-40BB-BC1B-BD3CAC590222}
2010-09-25 19:26:40 0 dc-h--w- c:\programdata\{4F32CAF7-963B-404D-BF13-C48BA3F5F6A7}
2010-09-25 19:26:33 0 dc-h--w- c:\programdata\{D7CFB71A-972A-44FF-AE44-8780EB53ABB2}
2010-09-25 19:26:29 0 d-----w- c:\program files\Native Instruments
2010-09-25 19:26:29 0 d-----w- c:\program files\common files\Native Instruments
2010-09-25 19:23:12 0 d-----w- c:\program files\Elemental Audio Systems
2010-09-25 19:18:41 1177600 ----a-w- c:\windows\system32\SYNSOEMU.DLL
2010-09-25 19:18:34 0 d-----w- c:\program files\common files\VST3
2010-09-25 19:17:22 0 d-----w- c:\programdata\VST3 Presets
2010-09-25 19:08:12 0 d-----w- c:\programdata\Steinberg
2010-09-25 19:08:12 0 d-----w- c:\program files\common files\Steinberg
2010-09-25 19:06:14 0 d-----w- c:\users\brothe~1\appdata\roaming\Steinberg
2010-09-25 19:06:14 0 d-----w- c:\program files\Steinberg
2010-09-25 18:58:23 0 d-----w- c:\program files\PowerISO
2010-09-25 18:58:08 0 d-----w- c:\users\brothe~1\appdata\roaming\Helios
2010-09-25 18:56:08 0 d-----w- C:\Downloads
2010-09-25 17:46:10 0 d-----w- c:\program files\VideoLAN
2010-09-25 17:45:37 0 d-----w- c:\program files\TextPad 5
2010-09-25 17:42:37 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-09-25 17:42:37 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-09-25 17:42:37 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-09-25 17:42:36 0 d-----w- c:\program files\Symantec
2010-09-25 17:42:36 0 d-----w- c:\program files\common files\Symantec Shared
2010-09-25 17:42:15 0 d-----w- c:\windows\system32\drivers\NIS
2010-09-25 17:42:13 0 d-----w- c:\program files\Norton Internet Security
2010-09-25 17:42:12 0 d-----w- c:\programdata\Norton
2010-09-25 17:41:58 0 d-----w- c:\programdata\NortonInstaller
2010-09-25 17:41:57 0 d-----w- c:\program files\NortonInstaller
2010-09-25 17:30:56 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-25 17:29:54 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-25 17:29:53 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-25 17:29:52 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-25 17:29:51 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-25 08:54:26 376 ----a-w- c:\windows\ODBC.INI
2010-09-25 08:54:02 0 d-----w- c:\program files\Microsoft ActiveSync
2010-09-25 08:53:45 0 d-----w- c:\windows\ShellNew
2010-09-09 13:32:08 193744019 ----a-w- c:\windows\MEMORY.DMP
2010-09-01 09:34:52 0 d--h--w- c:\programdata\CanonBJ
2010-09-01 09:33:52 215040 ----a-w- c:\windows\system32\CNMLM92.DLL
2010-09-01 09:32:10 0 d-----w- c:\program files\Canon

==================== Find3M ====================

2010-09-26 14:56:09 86016 ----a-w- c:\windows\inf\infstor.dat
2010-09-26 14:56:09 51200 ----a-w- c:\windows\inf\infpub.dat
2010-09-26 14:56:09 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-08-21 13:22:36 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-08-21 13:21:56 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-08-01 19:11:20 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-07-30 12:03:08 36333 ----a-w- c:\programdata\nvModes.dat
2010-07-29 09:50:29 319456 ----a-w- c:\windows\DIFxAPI.dll
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:23:08.74 ===============

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 28 September 2010 - 04:02 PM.
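The DDS log above is what a helper actually reads, and two things in its "Pseudo HJT Report" section are worth a second look from a defender's point of view: two BHO entries whose CLSID is registered but whose DLL is "No File" (orphaned add-on entries), and `mPolicies-system: EnableLUA = 0`, which means User Account Control is switched off so nothing prompts before a silent elevated install. The following triage script is an added example written for this thread; it is not part of the DDS tool or of any post here. The line formats it parses (`BHO:`, `mPolicies-`, `mRun:`, `uStart Page`) are assumed from the lines visible in the log, and the sample input is a constructed subset of those same lines.

```python
"""Triage a DDS "Pseudo HJT Report" section for common indicators.

Added example for the thread above; assumptions: line formats are
inferred from the posted log, and the path rules are a simple heuristic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the "Pseudo HJT Report" lines posted above.
SAMPLE_REPORT = "\n".join([
    r"uStart Page = hxxp://en.uk.acer.yahoo.com",
    r"BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File",
    r"mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
])

# Line shapes assumed from the posted log (not an official DDS grammar).
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
POLICY_RE = re.compile(r"^(?P<scope>[umd])Policies-(?P<area>\w+): (?P<name>\w+) = (?P<value>\S+)")
RUN_RE = re.compile(r"^(?P<scope>[umd])Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
START_RE = re.compile(r"^(?P<scope>[umd])(?P<key>Start Page|Default_Page_URL) = (?P<url>\S+)$")

# Autorun locations a helper usually treats as ordinary; anything else gets a look.
EXPECTED_AUTORUN_ROOTS = ("c:\\program files", "c:\\progra~", "c:\\windows")


@dataclass
class Finding:
    severity: str  # "info", "review" or "high"
    item: str      # the CLSID, policy line or path the finding refers to
    reason: str


def triage_hjt_report(text: str) -> List[Finding]:
    """Walk the report line by line and return findings in report order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()

        m = START_RE.match(line)
        if m:
            # Start page overrides are informational: note them, do not judge them.
            findings.append(Finding("info", m["url"],
                                    f"{m['scope']}{m['key']} is set; confirm the user chose it"))
            continue

        m = BHO_RE.match(line)
        if m:
            if m["path"].lower() == "no file":
                findings.append(Finding("review", m["clsid"],
                                        "BHO CLSID registered but its DLL is missing "
                                        "(orphaned entry left behind by removed software)"))
            elif not m["name"]:
                findings.append(Finding("review", m["clsid"],
                                        "unnamed BHO with a DLL on disk; verify its publisher"))
            continue

        m = POLICY_RE.match(line)
        if m:
            if m["name"] == "EnableLUA" and m["value"] == "0":
                findings.append(Finding("high", line,
                                        "User Account Control disabled by policy; no elevation "
                                        "prompt will appear for silent installs. Restore to 1 "
                                        "once the machine is clean"))
            continue

        m = RUN_RE.match(line)
        if m:
            path = m["path"].lower()
            if not path.startswith(EXPECTED_AUTORUN_ROOTS):
                findings.append(Finding("review", m["path"],
                                        "autorun entry outside Program Files/Windows; "
                                        "check what it is and who installed it"))
            continue
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    """Small summary helper so a reader can see the shape of a report at a glance."""
    counts = {"info": 0, "review": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt_report(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
    print(count_by_severity(triage_hjt_report(SAMPLE_REPORT)))
```

Run against the sample it reports the start page as informational, the two "No File" BHOs for review, and the `EnableLUA = 0` policy as high. The autorun rule is deliberately coarse (a path prefix check); it is there to surface entries launched from user-writable locations, which a helper would then look at by hand rather than act on automatically.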



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:07 PM

Posted 02 October 2010 - 03:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 bustydeluxe

bustydeluxe
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:07 AM

Posted 03 October 2010 - 02:59 AM

Hi etavares,

Thanks for the reply. I did however bite the bullet last night and did a reformat on my drives and am now in the middle of a reinstall on both computers. I probably should have posted that last night before starting the reinstalls. Sorry.

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:07 PM

Posted 03 October 2010 - 06:10 AM

No problem. I think you made a good call as it was likely a backdoor rootkit. I'll leave this open for several days in case something comes up.




#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:07 PM

Posted 08 October 2010 - 05:54 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.

