
Audio Ads playing in the background


11 replies to this topic

#1 xMassy


Posted 31 December 2013 - 02:03 AM

Hello! Earlier tonight my computer randomly restarted itself, and afterwards I've been having random audio ads playing in the background. It's not coming from my web browser, and my volume mixer is showing it as "name not available." I downloaded Avast! free and I'm currently running a full system scan, but it hasn't found anything, and the webshield is constantly popping up, telling me it's blocking multiple malware objects that are infecting my System32\svchost.exe. I haven't downloaded anything risky recently that I can remember, but I have streamed tv shows online on project free tv.

 

I've read a thread on here that had a similar problem and it ended up being a rootkit, and I think that might be the case here :(.

 

Any help would be appreciated!

 

I am running Windows 7 Ultimate 64bit




 


#2 xXToffeeXx
  • Malware Response Instructor

Posted 31 December 2013 - 06:39 AM

Hi xMassy,
 
Run these for me:
 
Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
 
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

 

----------

 

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip or Cure (if available) for all of them unless otherwise instructed.
    ***Do NOT select Delete!
  • Click Continue
  • Click Reboot computer
  • Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply

 

----------
 
Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 InadequateInfirmity


Posted 31 December 2013 - 06:40 AM

Edit: I was beaten to the punch....


Edited by InadequateInfirmity, 31 December 2013 - 06:41 AM.


#4 xMassy


Posted 31 December 2013 - 11:17 AM

Here's the Malwarebytes log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.12.31.04
 
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Dillon :: DILLON-PC [administrator]
 
Protection: Enabled
 
12/31/2013 8:48:17 AM
mbam-log-2013-12-31 (08-48-17).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 605162
Time elapsed: 1 hour(s), 23 minute(s), 45 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 1
HKCR\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit) -> Bad: (http://search.conduit.com?SearchSource=10&ctid=CT3225826) Good: (http://www.google.com) -> Quarantined and repaired successfully.
 
Folders Detected: 4
C:\Users\Dillon\AppData\Local\Temp\CT3225826 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\xpi\defaults (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\xpi\defaults\preferences (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
 
Files Detected: 13
C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\Dillon\Downloads\The Exorcist 1973 DVDRip.avi.mp4__3039_i114067156_il1876239.exe (PUP.Optional.InstallMonetizer) -> Quarantined and deleted successfully.
C:\Users\Dillon\Downloads\Adobe Photoshop CS6 Extended\DLL FILE\32bit\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Users\Dillon\Downloads\Adobe Photoshop CS6 Extended\DLL FILE\64bit\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\conduit.xml (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\CT3225826.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\CT3225826.xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\dtime.csf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\initData.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\manifest.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\version.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\xpi\install.rdf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Dillon\AppData\Local\Temp\CT3225826\xpi\defaults\preferences\defaults.js (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
 
(end)
 
 
The TDSSKiller log is extremely big, and every time I try to copy and paste it into here, the website crashes. It ended up finding 4 things though, which I'll paste, since it's at the end of the log. If there's any other way for me to send the complete log, I'll do that.
 
TDSSKiller findings:
 
08:28:36.0652 5784  Detected object count: 4
08:28:36.0652 5784  Actual detected object count: 4
08:29:54.0768 5784  DcomLaunch ( UnsignedFile.Multi.Generic ) - skipped by user
08:29:54.0768 5784  DcomLaunch ( UnsignedFile.Multi.Generic ) - User select action: Skip 
08:29:54.0768 5784  Intel® ME Service ( UnsignedFile.Multi.Generic ) - skipped by user
08:29:54.0769 5784  Intel® ME Service ( UnsignedFile.Multi.Generic ) - User select action: Skip 
08:29:54.0769 5784  RpcSs ( UnsignedFile.Multi.Generic ) - skipped by user
08:29:54.0769 5784  RpcSs ( UnsignedFile.Multi.Generic ) - User select action: Skip 
08:29:54.0770 5784  SwitchBoard ( UnsignedFile.Multi.Generic ) - skipped by user
08:29:54.0770 5784  SwitchBoard ( UnsignedFile.Multi.Generic ) - User select action: Skip 
 
 
 
After following your steps, the audio ads have stopped, which I am extremely grateful for, but Avast is still giving constant popups telling me it's defending against malware that's trying to go through svchost.exe. Any additional help would be appreciated, thanks!

 



#5 xXToffeeXx
  • Malware Response Instructor

Posted 31 December 2013 - 12:22 PM

Hi xMassy,
 
Can you upload the TDSSKiller log to here for me and paste the URL of the shared file in your next reply?
 
Also do this for me:

  • Please visit VirusTotal.
  • Click Choose File.
  • Copy and paste the following code into the search field and press enter:
C:\Windows\System32\svchost.exe
  • Click on Scan it.
  • If the file was already uploaded to VirusTotal before, click on Reanalyse.
  • VirusTotal will show you the results of the uploaded file. This may take some time. Please be patient.
  • After VirusTotal has finished analysing the file, please copy the link from your address bar and post it with your next answer.

 

---------

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double-click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

xXToffeeXx~


Edited by xXToffeeXx, 31 December 2013 - 12:23 PM.



#6 xMassy


Posted 31 December 2013 - 10:47 PM

TDSSKiller Log:

 

http://speedy.sh/e4haa/TDSSKillerlog.txt

 

VirusTotal Log:

 

https://www.virustotal.com/en/file/121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2/analysis/1388510731/

 

ESET Log:

 

C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D application
C:\Program Files (x86)\BitTorrentControl_v12\BitTorrentControl_v12ToolbarHelper.exe Win32/Toolbar.Conduit.Q application cleaned by deleting - quarantined
C:\Program Files (x86)\BitTorrentControl_v12\ldrtbBitT.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
C:\Program Files (x86)\BitTorrentControl_v12\prxtbBitT.dll Win32/Toolbar.Conduit.O application cleaned by deleting - quarantined
C:\Program Files (x86)\BitTorrentControl_v12\tbBitT.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
C:\Users\Dillon\AppData\Local\Conduit\CT3225826\BitTorrentControl_v12AutoUpdateHelper.exe Win32/Toolbar.Conduit.F application cleaned by deleting - quarantined
C:\Users\Dillon\AppData\Local\Temp\tbedrs.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
C:\Users\Dillon\AppData\LocalLow\BitTorrentControl_v12\ldrtbBit0.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
C:\Users\Dillon\AppData\LocalLow\BitTorrentControl_v12\ldrtbBit2.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
C:\Users\Dillon\AppData\LocalLow\BitTorrentControl_v12\ldrtbBitT.dll a variant of Win32/Toolbar.Conduit.P application cleaned by deleting - quarantined
C:\Users\Dillon\AppData\LocalLow\BitTorrentControl_v12\tbBit0.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
C:\Users\Dillon\AppData\LocalLow\BitTorrentControl_v12\tbBit2.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
C:\Users\Dillon\AppData\LocalLow\BitTorrentControl_v12\tbBitT.dll a variant of Win32/Toolbar.Conduit.B application cleaned by deleting - quarantined
C:\Users\Dillon\Downloads\cbsidlm-cbsi5_3_0_96-Free_WMA_to_MP3_Converter-SEO-10494267.exe a variant of Win32/CNETInstaller.B application cleaned by deleting - quarantined
C:\Users\Dillon\Downloads\Shockwave_Installer_Slim (1).exe Win32/Bundled.Toolbar.Google.D application cleaned by deleting - quarantined
C:\Users\Dillon\Downloads\Shockwave_Installer_Slim.exe Win32/Bundled.Toolbar.Google.D application cleaned by deleting - quarantined
C:\Users\Dillon\Downloads\Vegas 8.0.zip a variant of Win32/Keygen.AR application deleted - quarantined
C:\Users\Dillon\Downloads\WinZip175 (1).exe a variant of Win32/OpenInstall application cleaned by deleting - quarantined
C:\Users\Dillon\Downloads\WinZip175.exe a variant of Win32/OpenInstall application cleaned by deleting - quarantined
C:\Windows\System32\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D application cleaned by deleting - quarantined

 



#7 xXToffeeXx
  • Malware Response Instructor

Posted 01 January 2014 - 08:01 AM

Hi xMassy,

 

Is Avast still warning you about svchost.exe being infected? If so, a screenshot of the message would be most helpful.

 

----------

 

Also do this for me:

  • Please visit VirusTotal.
  • Click Choose File.
  • Copy and paste the following code into the search field and press enter:

C:\Windows\system32\rpcss.dll
  • Click on Scan it.
  • If the file was already uploaded to VirusTotal before, click on Reanalyse.
  • VirusTotal will show you the results of the uploaded file. This may take some time. Please be patient.
  • After VirusTotal has finished analysing the file, please copy the link from your address bar and post it with your next answer.

 

xXToffeeXx~




#8 xMassy


Posted 01 January 2014 - 02:57 PM

Here's a pic of the popups I get when Avast blocks the malware. They happen so frequently I have to keep it on Silent mode. (also the object changed constantly, but the infection and process stay the same)

 

[screenshot of the Avast popup]

 

 

Also, when going to VirusTotal, it says it can't find that file.

 

 

And, unfortunately... The audio ads started playing again when I rebooted my computer this morning :(


Edited by xMassy, 01 January 2014 - 02:58 PM.


#9 xXToffeeXx
  • Malware Response Instructor

Posted 01 January 2014 - 04:22 PM

Hi xMassy,

 

Revealing Hidden Files:

  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck: Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.

 

Then try the VirusTotal steps again.

 

==========

 

Running GMER on 32 and 64 bit Systems

--------------------

Please download GMER from one of the following locations and save it to your desktop:
 

  • Main Mirror which will download a randomly named file
  • Zipped Mirror - Unzip the file to its own folder such as C:\gmer
  • Disconnect from the Internet and close all running programs
  • Temporarily disable any real-time active protection
  • It is very important you do not use your computer while GMER is running
  • Double-click on the randomly named GMER icon
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO
  • Please check in the Quick scan box
  • Please uncheck the following:
    • IAT/EAT
    • Show All <<< Important
  • Click Scan
  • If you see a rootkit warning window click OK
  • When the scan is finished, Save the results to your desktop as gmer.log
  • Click Copy then paste the results in your reply
  • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled.

 

xXToffeeXx~




#10 xMassy


Posted 01 January 2014 - 05:03 PM

Here's the gmer log:

 

http://speedy.sh/t2qdD/gmerlog.txt

 

 

 

As for the VirusTotal scan, it still can't find the file even after allowing hidden files and protected windows files to be seen :(



#11 xMassy


Posted 01 January 2014 - 11:38 PM

Also, I'm now currently getting a popup every so often saying "you're about to visit a website with a secure connection" even though I'm not surfing the web currently >.<



#12 xXToffeeXx
  • Malware Response Instructor

Posted 02 January 2014 - 06:12 AM

Hi xMassy,

 

You should still have rkill on your desktop, please run that again and post the text file named rkill which it produces in your next reply.

 

----------

 

We need to search for a few things with SystemLook:

  • Please download SystemLook by jpshortstuff and save it to your desktop
  • Double-click the program to run it, paste the entire text into the main text box:

:filefind
rpcss.dll
  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

 

xXToffeeXx~


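As an added example (not code from the thread, from BleepingComputer, or from any tool named above), here is a PowerShell triage of the two files the helper asks to be checked on VirusTotal (post #7) and with SystemLook's :filefind (post #12): it locates every copy of svchost.exe and rpcss.dll under the Windows directory, hashes each one and reads its Authenticode status. The file names come from the thread; the function names and the Windows PowerShell 2.0+ requirement are assumptions.

```powershell
# Added example, not part of the thread or of any tool it names: a local
# triage of the files the helper asked about (svchost.exe and rpcss.dll).
# For every copy found under the Windows directory it records the SHA-256
# (the value VirusTotal keys on, so an already-analysed file can be looked up
# by hash instead of uploaded) and the Authenticode status, which is what a
# TDSSKiller "UnsignedFile.Multi.Generic" verdict concerns.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.

$targets = 'svchost.exe', 'rpcss.dll'   # file names taken from the thread
$root    = $env:SystemRoot               # usually C:\Windows

function Get-Sha256Hex {
    param([string]$Path)
    # Open with ReadWrite sharing so files currently mapped by running
    # services (svchost.exe, rpcss.dll) can still be hashed.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-SystemFileReport {
    param([string[]]$Names, [string]$SearchRoot)
    foreach ($name in $Names) {
        # -Force includes hidden and protected system files, the same ones the
        # "Revealing Hidden Files" step in the thread is meant to expose.
        Get-ChildItem -Path $SearchRoot -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                New-Object PSObject -Property @{
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Modified  = $_.LastWriteTime
                    SHA256    = Get-Sha256Hex -Path $_.FullName
                    SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                    Signer    = $signer
                }
            }
    }
}

$report = Get-SystemFileReport -Names $targets -SearchRoot $root
$report | Sort-Object Path | Format-List Path, SizeBytes, Modified, SHA256, SigStatus, Signer

# Reading the output:
#  - HashMismatch means the file's bytes no longer match the signature it
#    carries: a modified system file, and the strongest signal here.
#  - NotSigned on its own is inconclusive on older Windows PowerShell, which
#    does not consult the catalog files that sign most Windows binaries; that
#    is also one reason a scanner may list catalog-signed service hosts as
#    unsigned. Compare the hash with a known-good copy (for example the WinSxS
#    backing copy) or look the hash up on VirusTotal before drawing conclusions.
#  - A copy living outside System32, SysWOW64 and WinSxS is worth reporting
#    in the thread together with its path and hash.
```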




