
Audio Ads/Clips Randomly Playing even after Trojan.Viknok.b Removal



#1 HiggiStardust

HiggiStardust

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:03 AM

Posted 28 April 2014 - 05:36 PM

Greetings...I noticed a few weeks ago that my computer was playing unwanted audio ads/clips after I turned on my speakers to view an online video. At first I thought this was a glitch with the video, but then I discovered it to be an ongoing problem after I turned on my speakers and noticed the audio playing even without my Google Chrome or IE10 web browser launched.

 

Subsequently, I downloaded and ran TDSSKiller and was able to identify 2 "medium risk" items/files defined as potential threats: DotComLaunch and RpcSs.dll. TDSSKiller gave me the option of sending the items to Quarantine or Skip - I decided to skip until I knew more about what was going on with my computer.

 

Since TDSSKiller did not detect any malware that I could Cure or Remove, I decided to download Malwarebytes Anti-Malware and see if it could find any threats that could be removed. While I was running the full Threat Scan, a message from my Norton 360 anti-virus popped up and it indicated that it was working on processing a HIGH level threat named Trojan.Viknok.b. Norton 360 indicated that the trojan was quarantined and removed, and that I didn't need to take any further action. The Malwarebytes scan ended soon after and indicated that there were a couple PUPs on my computer that may be threats - seemed to be related to Google Chrome and some type of photography program - so I sent them into quarantine (which I have not yet deleted).

 

My computer speakers remained quiet for about an hour, but then the unwanted audio came back in spurts - it seemed to be having trouble playing, but it was still playing. Ugh!

 

After doing extensive research online, it appears that there are still remnants of the trojan on my computer and my options include - and may be a combination - of the following:

 

1. Restore my computer to an earlier point in time

2. Replace the infected RpcSs.dll file with a clean RpcSs.dll file (32-bit, Windows 7 compatible)

3. Download and execute a series of anti-malware/anti-spyware/anti-adware software programs to stop the malware processes and then remove the trojan / infection and the various traces it has left behind so that it will not come back.

 

I know I still have some work to do in order to permanently evict my unwanted guest, since the unwanted audio still returns sporadically and Malwarebytes has provided three pop up messages indicating that unauthorized websites are trying to access my Svchost.exe program file (I clicked 'Exclude Website' each time on these messages).

 

The malware removal techs at BleepingComputer.com seem to have a lot of experience eradicating these types of trojans and file infections, so I'm hoping you can help me finish the job (while helping many others along the way)...


Edited by HiggiStardust, 28 April 2014 - 05:39 PM.



 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:03 AM

Posted 28 April 2014 - 05:46 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
  • Next please re-run FRST again and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt) - please post the log into your reply to me (you can use pastebin as well).

 

Regards,

Georgi
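
A manual counterpart to the rpcss.dll search requested above, as an added example that is not part of Georgi's post and not FRST's own logic: it lists every copy of rpcss.dll in System32 and the component store with its version and SHA-256, then flags inconsistencies. The function names, the default Windows paths and the assumption that an in-place patch leaves the version resource unchanged are the example's own.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Written for PowerShell 2.0 (the Windows 7 default), so hashing uses .NET
# directly instead of Get-FileHash. Paths assume a default Windows layout.
# On 64-bit Windows use 64-bit PowerShell, otherwise System32 is redirected.

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '')
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Get-FileFacts {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    New-Object PSObject -Property @{
        Path    = $item.FullName
        Version = $item.VersionInfo.FileVersion
        Length  = $item.Length
        SHA256  = Get-Sha256Hex $item.FullName
    }
}

$live  = Join-Path $env:SystemRoot 'System32\rpcss.dll'
$store = Join-Path $env:SystemRoot 'winsxs'

# The live file first, then every copy in the component store (full recursion, slow).
$copies  = @(Get-FileFacts $live)
$copies += @(Get-ChildItem -Path $store -Filter 'rpcss.dll' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Get-FileFacts $_.FullName })

$copies | Sort-Object Version, Path | Format-List Version, Length, SHA256, Path

# Check 1 (assumption: an in-place patch leaves the version resource untouched):
# one version string with more than one distinct hash deserves a closer look.
$copies | Group-Object Version | ForEach-Object {
    $hashes = @($_.Group | ForEach-Object { $_.SHA256 } | Sort-Object -Unique)
    if ($hashes.Count -gt 1) {
        Write-Warning "Version '$($_.Name)' exists with $($hashes.Count) different SHA-256 values."
    }
}

# Check 2: the live file is normally a hard link to one store copy, so at least
# one store copy should have the same hash. A match is NOT proof of a clean file:
# a hard-linked store copy shares its data with the live file.
$liveFacts = $copies[0]
$twins = @($copies | Where-Object {
    $_.Path -ne $liveFacts.Path -and $_.SHA256 -eq $liveFacts.SHA256
})
if ($twins.Count -eq 0) {
    Write-Warning "No component-store copy matches $live ($($liveFacts.SHA256))."
}

# Check 3: ask System File Checker to verify the live file.
& (Join-Path $env:SystemRoot 'System32\sfc.exe') "/verifyfile=$live"
```

A warning from any of the three checks is a reason to post the output to the helper before changing anything, not a verdict on its own.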




#3 HiggiStardust


Posted 28 April 2014 - 09:33 PM

Thanks for the quick response Georgi. I downloaded and ran FRST, and have attached the requested log text files for your review...

 

Please note that before I ran FRST I noticed that Malwarebytes was blocking "outbound" web connections from my Svchost.exe file to such websites as searchnet.blinkxcore.com (no, I don't visit porn sites on my computer). I also realized that when I clicked on the "Exclude website" option on the Malwarebytes' threat popup that I was actually exposing my computer to additional threats by allowing my Svchost.exe file to connect to these sites. Subsequently, I cleared the exclusion list to block all of these sites from connecting - it now seems to be doing a pretty good job of stopping the unwanted audio programs from playing, but I still hear the sounds stuttering now and then so I know the trojan / infection has not been entirely eradicated from my computer.

 

Please let me know what you recommend I do next after you review my FRST log text files. Thanks!



Edited by HiggiStardust, 28 April 2014 - 09:36 PM.


#4 B-boy/StyLe/


Posted 29 April 2014 - 03:08 AM

Hello,

 

 

 
Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

Regards,

Georgi




#5 HiggiStardust


Posted 29 April 2014 - 09:21 PM

Hi Georgi...thanks again for the follow up. I downloaded the fixlist.txt file that you provided and ran FRST like you instructed by clicking on the FIX button. A message popped up indicating that my computer would reboot in order to complete the fix - I was admittedly a bit nervous that I may get the dreaded black screen. However, my computer completed the reboot and I allowed FRST to run. A message then popped up indicating that the fix had completed successfully. Attached is the Fixlog.txt file for your review.

 

Subsequently, I have launched both my Google Chrome and IE 10 browsers and everything seems to be functioning normally. I have not seen any messages from Malwarebytes indicating that my Svchost.exe file is trying to connect to 'Malicious Websites' so I'm assuming this is a very good thing. I also watched a few YouTube.com videos and have not experienced an occurrence of the unwanted background audio ads/clips, so I'm really hoping that you're going to tell me that we've removed the remnants of the trojan that was infecting my computer.  :guitar: 

 

Looking forward to receiving your analysis of my Fixlog.txt file, and any further instructions...



Edited by HiggiStardust, 29 April 2014 - 09:24 PM.


#6 B-boy/StyLe/


Posted 29 April 2014 - 11:48 PM

Hello,

 

Nice work! We managed to deal with the trojan. :)

 

However I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

 

 

STEP 1

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 2

 

 

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
     
  • Click the Start Scan button.
     
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 4

 

 

Please download Malwarebytes Anti-Malware to your desktop.
 

  • Double-click mbam-setup-2.0.2.1007.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

STEP 5

 

 

1. Please download HitmanPro.

  • For 32-bit Operating System - [download link]
  • This is the mirror - [download link]
  • For 64-bit Operating System - [download link]
  • This is the mirror - [download link]

2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run, then please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the next button. You must agree with the terms of EULA. (if asked)

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.

 

 

 

Regards,

Georgi




#7 HiggiStardust


Posted 30 April 2014 - 10:01 PM

Hi Georgi...I booted up my computer today to complete STEP 1 - RKill in your instructions posted above. However, before I began STEP 1, I decided to check some news online and about a 1/2 hour after my computer was on my Norton 360 detected Trojan.VikNok.C! and later indicated that it had quarantined and removed the threat with no further action needed other than to restart my computer (which I was able to do successfully). When I checked the details of the action, Norton 360 indicated that it had removed an infected rpcss.dll file, so I searched my computer and noticed that a presumably healthy rpcss.dll file still existed on my hard-drive.

 

I'm not sure if the FRST fix you helped me complete yesterday exposed the infected rpcss.dll file, but my CPU now seems to be operating at normal levels and my Internet is running as quickly as ever now. Also, I thought I'd provide confirmation again that the unwanted audio ads/clips have not returned and Malwarebytes is not displaying messages that it is blocking any 'Malicious Websites' from connecting to my Svchost.exe file.

 

Thus, I just want to verify that you still want me to complete STEP 1 through STEP 5 listed in your instructions above? If so, I have a few more questions before I begin:

 

1. Is there much risk that I can damage my computer if I run RKill, RogueKiller, TDSSKiller, Malwarebytes, and HitmanPro exactly as you have instructed?

2. Do I need to use Pastebin.com, or can I paste the logs to .txt files and attach them along with my subsequent posts?

3. Why did you include a HitmanPro "mirror" program download for both 32-bit and 64-bit operating systems?

 

Thanks again for your help, and I look forward to getting this issue resolved once and for all...  :warrior: 


Edited by HiggiStardust, 30 April 2014 - 10:12 PM.


#8 B-boy/StyLe/


Posted 01 May 2014 - 08:37 AM

Hello,

 

> I decided to check some news online and about a 1/2 hour after my computer was on my Norton 360 detected Trojan.VikNok.C!

 

Can you post an image of the Norton history for the latest detected threats for me?

 

> I'm not sure if the FRST fix you helped me complete yesterday exposed the infected rpcss.dll file, but my CPU now seems to be operating at normal levels and my Internet is running as quickly as ever now. Also, I thought I'd provide confirmation again that the unwanted audio ads/clips have not returned and Malwarebytes is not displaying messages that it is blocking any 'Malicious Websites' from connecting to my Svchost.exe file.

 

This is odd because we already managed to replace the infected rpcss.dll with a clean copy, so if Norton cured rpcss.dll again then you probably got re-infected somehow (or probably Norton detected the infected copy of rpcss.dll stored in the C:\FRST\Quarantine folder and that's why you thought that Norton cured rpcss.dll again)...

 

> Thus, I just want to verify that you still want me to complete STEP 1 through STEP 5 listed in your instructions above? If so, I have a few more questions before I begin:

 

Yes... I recommend that you proceed with the steps to verify that nothing is still lurking in your system and to check the computer for remnants.

 

> 1. Is there much risk that I can damage my computer if I run RKill, RogueKiller, TDSSKiller, Malwarebytes, and HitmanPro exactly as you have instructed?

 

If you follow the instructions correctly and don't delete any entries found by the tools on your own, the risk is reduced to a minimum.

 

> 2. Do I need to use Pastebin.com, or can I paste the logs to .txt files and attach them along with my subsequent posts?

 

You can use pastebin only for very long files like the one from TDSSKiller for example. Feel free to post or attach the rest of the logs directly to your next reply if you prefer. :)

 

> 3. Why did you include a HitmanPro "mirror" program download for both 32-bit and 64-bit operating systems?

 

Just in case you have trouble downloading the tool from the main link(s). :)

 

 

Regards,

Georgi




#9 HiggiStardust


Posted 01 May 2014 - 09:33 PM

Здравейте Georgi...I checked the details on the Trojan.Viknok.C! infection and it looks like it did try to enter my C:\windows\system32 folder yesterday and it was apparently trying to change the RpcSc and DotcomLaunch services before my Norton 360 anti-virus was able to terminate the changes and quarantine the trojan, "Resolved - No Action Required". The only thing that I can think of is that my girlfriend was on the following Better Homes and Gardens website (and may have been entering various sweepstakes) while I was having dinner: http://www.bhg.com/free-stuff/?showSweeps=all

 

In any case, I went ahead and stopped the processes for my Norton 360 and Malwarebytes programs and then downloaded the RKill.exe program to my desktop. When I double-clicked the icon and selected YES to run the program, the black screen did appear and the program appeared to run successfully. However, after it posted the RKill.txt file to my desktop, the black screen did not disappear - I had to close out of the black screen manually by clicking X on the window. Did RKill run successfully? Attached is the RKill log file for your review.

 

Please let me know how things look, and if I should proceed to STEP 2 through STEP 5. Thanks again for your help and patience...



Edited by HiggiStardust, 01 May 2014 - 09:35 PM.


#10 HiggiStardust


Posted 02 May 2014 - 08:08 PM

Hi Georgi...day off today?  :workout: 

 

I am continuing to work through the instructions you gave me to make sure nothing is "still lurking" on my computer hard-drive...

 

STEP 2 - ROGUE KILLER

 

Downloaded RogueKiller.exe successfully to my desktop. Selected 'Run as Administrator' and clicked SCAN after the program completed its pre-scan. Rogue Killer found 3 registry issues, but I didn't delete them since it didn't say to do so in your instructions. Attached is the RKreport log text file for your review.

 

I'll complete at least STEP 3 and STEP 4 over the weekend since I already have TDSSKiller and Malwarebytes loaded on my computer. We're getting close, Georgi! Look forward to hearing from you again soon...

 




#11 B-boy/StyLe/


Posted 03 May 2014 - 05:22 PM

Hello,

 

Sorry for the delay. There was a massive electric storm and I had to keep my computer turned off.

 

The log from Rkill is incomplete. Can you please give it another try?

 

Thanks! :)

 

 

Regards,

Georgi




#12 HiggiStardust


Posted 03 May 2014 - 07:29 PM

Georgi...just completed running TDSSKiller again - STEP 3. Since I already had the TDSSKiller application on my desktop from a few weeks ago, it indicated that there was an update available and instead of updating my current application it gave me another zip file with the latest version of TDSSKiller. Thus, I deleted my previous copy and saved the newest copy to my desktop. I ran the program as you instructed and after the SCAN had completed it indicated that no threats had been found. Below is the TDSSKiller log text file for your review.

 

Also, I just noticed your recent post. Sorry to hear about the electrical storms but glad you're okay! I will attempt to run RKill again shortly and post the results within the hour...

 




#13 HiggiStardust


Posted 03 May 2014 - 07:56 PM

Okay Georgi...I think I was able to run RKILL (STEP 1) successfully this time - noticed that I was only supposed to 'Run As Administrator' if I had Windows Vista. I am using Windows 7 so I did not select the administrator option this time. Attached is the RKill log text file for your review.

 

After I hear your feedback about my log files from STEP 1 through STEP 3, I will proceed with STEP 4 and STEP 5. Sound okay? Talk to you soon...



Edited by HiggiStardust, 03 May 2014 - 07:57 PM.


#14 B-boy/StyLe/


Posted 04 May 2014 - 03:00 AM

Hello,

 

The logs from RogueKiller and TDSSKiller are both clean; however, the log from RKill indicates that you are probably re-infected (and rpcss.dll is patched again), lol.

Please run a new scan with FRST as described in post 2 and post the new log.

 

Thanks! :)

 

 

Regards,

Georgi




#15 HiggiStardust


Posted 04 May 2014 - 02:04 PM

Ugh...sweepstakes websites are now banned on my computer! Do you think the rpcss.dll issue is the result of the recent Trojan.Viknok.C! infection that was CURED by Norton 360, or are you telling me that rpcss.dll was just re-infected again? In any case, I will definitely have to buy you a "few beers" when this is all over with - what kind of beers are popular in Bulgaria?

 

Anyway, I re-ran FRST per your instructions and attached are the most recent log files for your review. I'm not going to proceed to STEP 4 and STEP 5 today, since I'm assuming you will be sending me another Fixlist text file to FIX with FRST?

 

Well, thanks for your quick response and I will eagerly await your next post...   :crazy: 

 






