
Unsure of infection type, very stubborn


  • This topic is locked
23 replies to this topic

#1 kotoroshinoto

kotoroshinoto

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 04 December 2014 - 02:14 AM

Pieces of it were removed and isolated, etc., by Spybot S&D, Avast and AVG; I'm STILL hearing random audio ads that sound like radio ads. I have not been able to identify what is generating this.

The source of infection was a disguised ad that looked like a Flash video waiting to be played. It downloaded an EXE that I should have KNOWN was infected, but it slipped in; I was used to the idea of having a player or plugin for things like icefilms. After I went through the install I immediately realized my error and have been attempting to remove the infection.

OS: Windows 7

Attached is a DDS log. I'm willing to scan with whatever it takes, but these ads are freaking annoying.

 

Attached Files

  • Attached File  DDS.txt   55.43KB   4 downloads




#2 kotoroshinoto

kotoroshinoto
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 04 December 2014 - 02:26 AM

AVG scan results were:

 
"";"Potentially harmful program Downloader.CIC, C:\Users\Xiaowen\Downloads\Installation.exe";"Secured"
"";"Found MalSign.Rungnapa.9F5, C:\Users\Xiaowen\Downloads\FLVPlayer-Chrome.exe";"Secured"
"";"Found MalSign.Generic.C6A, G:\Setup.exe";"Secured"
"";"Found MalSign.Generic.C6A, G:\Setup v2 1 (1).exe";"Secured"
"";"Found MalSign.Generic.C6A, G:\Setup v2 1.exe";"Secured"
"";"Found MalSign.BitCocktail.0E0, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\update[1]";"Secured"
"";"Adware Toolbar.PT, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\update[2]";"Secured"
"";"Trojan horse SHeur3.BNBY, E:\Users\Michael\AppData\Roaming\Thunderbird\Profiles\f63az98h.default\ImapMail\f.com\INBOX.sbd\Shipping.sbd\UPS";"Secured"
"";"Trojan horse Generic35.BTEK, C:\ProgramData\InstallMate\{182455E5-333C-4E03-ACE8-7B1EC3C77713}\Custom.dll";"Secured"
"";"Trojan horse Generic35.BTEK, C:\ProgramData\InstallMate\{48CEC1F1-B477-4084-A26F-FC55932DE307}\Custom.dll";"Secured"
"";"Trojan horse Generic35.BTEK, C:\ProgramData\InstallMate\{2A37FBD7-E873-4AD0-A83B-A051F1D4D921}\Custom.dll";"Secured"
"";"Trojan horse Dropper.Generic4.ARVX, F:\old_crud\dead rising 2 pc game\crack\DR2Launcher.exe";"Secured"


Obviously whatever I've still got wasn't removed, but I'd like it gone. I do believe I was aware of the trojan in the DR2 launcher, which is why I stopped using it a long time ago. I forgot to delete it (I don't clean house nearly enough).
 

Edited by kotoroshinoto, 04 December 2014 - 02:28 AM.
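A way to triage result lines in the AVG export format shown above, added here as an example; it is not part of the original post and not AVG's own tooling. The sample lines are constructed to match the format in the post, and the location buckets are my own grouping, chosen to separate quarantined downloads and browser-cache copies (inert unless re-run) from anything that sits where it could be loaded at startup. That none of the quarantined files is in an autostart location is consistent with the symptoms continuing after the scan: the droppers and cached copies went, the running component did not.

```powershell
# Added example (not from the thread): parse AVG's
#   "";"<verdict> <Name>, <path>";"<action>"
# result lines and bucket each detection by where the file lived.

# Constructed sample, copied in format from the post above.
$avgLog = @'
"";"Potentially harmful program Downloader.CIC, C:\Users\Xiaowen\Downloads\Installation.exe";"Secured"
"";"Found MalSign.Generic.C6A, G:\Setup.exe";"Secured"
"";"Found MalSign.BitCocktail.0E0, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\update[1]";"Secured"
"";"Trojan horse Generic35.BTEK, C:\ProgramData\InstallMate\{182455E5-333C-4E03-ACE8-7B1EC3C77713}\Custom.dll";"Secured"
"";"Trojan horse Dropper.Generic4.ARVX, F:\old_crud\dead rising 2 pc game\crack\DR2Launcher.exe";"Secured"
'@

function Get-PathBucket {
    # Coarse location classes; order matters (cache paths under C:\Windows
    # must be recognised before the generic WindowsDir rule).
    param([string]$Path)
    switch -Regex ($Path) {
        '^[A-Za-z]:\\Users\\[^\\]+\\Downloads\\'   { return 'UserDownloads' }
        'Temporary Internet Files|\\INetCache\\'    { return 'BrowserCache' }
        '^[A-Za-z]:\\ProgramData\\'                 { return 'ProgramData' }
        '^[A-Za-z]:\\Windows\\'                     { return 'WindowsDir' }
        '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\'      { return 'UserAppData' }
        '^C:\\'                                     { return 'SystemDriveOther' }
        default                                     { return 'OtherVolume' }
    }
}

function ConvertFrom-AvgResultLine {
    param([string]$Line)
    # Strip the outer quotes, then split on the ";" that sits between quoted fields.
    $fields = ($Line.Trim() -replace '^"|"$', '') -split '";"'
    if ($fields.Count -lt 3) { return $null }
    # Field 2 is "<verdict words> <Name>, <drive>:\<path>"; split at the comma
    # that precedes the drive letter so the verdict text can contain commas.
    if (-not ($fields[1] -match '^(?<verdict>.+?), (?<path>[A-Za-z]:\\.*)$')) { return $null }
    $verdict = $Matches.verdict
    $path    = $Matches.path
    $name    = ($verdict -split ' ')[-1]                                   # e.g. MalSign.Generic.C6A
    $kind    = $verdict.Substring(0, $verdict.Length - $name.Length).Trim() # e.g. Trojan horse
    [pscustomobject]@{
        Kind     = $kind
        Name     = $name
        Path     = $path
        Location = Get-PathBucket -Path $path
        Action   = $fields[2]
    }
}

$results = ($avgLog -split "`r?`n") |
    ForEach-Object { ConvertFrom-AvgResultLine -Line $_ } |
    Where-Object { $_ -ne $null }

$results | Format-Table Kind, Name, Location, Path -AutoSize
$results | Group-Object Location | Select-Object Name, Count | Format-Table -AutoSize
```

Point it at a real export by replacing the here-string with `Get-Content` of the log; anything that lands in a bucket such as `UserAppData` or `ProgramData` is worth cross-checking against the autostart entries in an FRST log, while `UserDownloads` and `BrowserCache` hits are usually just the original dropper and its cached copies.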


#3 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 06 December 2014 - 11:09 AM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#4 kotoroshinoto

kotoroshinoto
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 09 December 2014 - 03:31 AM

Here are the 2 scan files.

Attached Files



#5 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 09 December 2014 - 11:45 AM

Please do this next:

Go to this page and download Malwarebytes Anti-Rootkit (MBAR)

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • MBAR will create logs that you will find in the same folder you found MBAR.exe.  Please post those for me to review.

Please download AdwCleaner by Xplode and save to your Desktop.


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


Please include the following in your next post:

  • adwCleaner log
  • MBAR log(s)

Edited by RPMcMurphy, 09 December 2014 - 11:45 AM.



#6 kotoroshinoto

kotoroshinoto
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 14 December 2014 - 08:14 AM

There are some previous AdwCleaner runs; I'll include those for comparison.

C:\Boost is legitimate; I built it from source code.

If you think I should remove AVG, I'll do that as well.

Attached Files


Edited by kotoroshinoto, 14 December 2014 - 08:28 AM.


#7 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 14 December 2014 - 11:49 AM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

ProxyServer: [S-1-5-21-1167924731-1708654919-1974063509-1000] => localhost:8080
EmptyTemp:
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now?
  • Fixlog report
  • ESET log

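The fixlist above removes a per-user `ProxyServer` value pointing at `localhost:8080`. Routing every browser request through a listener on the machine itself is how an injector gets its own content, audio ads included, into otherwise clean pages, so the two things worth knowing are which accounts carry such a proxy and which process owns the port. The following is an added example written for this thread; it is not part of FRST or of the original post. It reads the same `Internet Settings` key under every loaded user hive (`HKEY_USERS\<SID>\...`, which is what the SID-qualified FRST entry refers to), flags loopback proxies, and matches the port against `netstat -ano`. It needs an elevated prompt and deliberately avoids cmdlets that only exist on Windows 8 and later.

```powershell
# Added example, not from the thread: list WinINet proxy settings for every
# loaded user hive and identify any process listening on a loopback proxy port.
$inetKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-UserProxySettings {
    # HKEY_USERS is not mapped as a PowerShell drive by default.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # Only real user SIDs (S-1-5-21-...), skipping the *_Classes hives.
    Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $p   = Get-ItemProperty -Path "HKU:\$sid\$inetKey" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                SID           = $sid
                ProxyEnable   = [int]$p.ProxyEnable
                ProxyServer   = $p.ProxyServer
                AutoConfigURL = $p.AutoConfigURL
                # A proxy on localhost/127.0.0.1/::1 means something on this box sits in the path.
                Loopback      = [bool]($p.ProxyServer -match '(^|=)(localhost|127\.0\.0\.1|\[::1\]):\d+')
            }
        }
}

function Get-LoopbackListener {
    param([Parameter(Mandatory)][int]$Port)
    # netstat rather than Get-NetTCPConnection, which Windows 7 does not have.
    foreach ($line in (netstat -ano)) {
        # e.g. "  TCP    127.0.0.1:8080    0.0.0.0:0    LISTENING    1234"
        if ($line -match '^\s*TCP\s+(?<addr>\S+):(?<port>\d+)\s+\S+\s+LISTENING\s+(?<pid>\d+)\s*$' -and
            [int]$Matches.port -eq $Port) {
            $proc = Get-Process -Id ([int]$Matches.pid) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $Matches.addr
                Port         = $Port
                ProcessId    = [int]$Matches.pid
                Process      = $proc.Name
                Image        = $proc.Path
            }
        }
    }
}

$settings = Get-UserProxySettings
$settings | Format-Table SID, ProxyEnable, ProxyServer, AutoConfigURL, Loopback -AutoSize

foreach ($s in ($settings | Where-Object { $_.Loopback })) {
    # Port from the last host:port pair; covers "localhost:8080" and "http=...;https=..." forms.
    $port = [int]($s.ProxyServer -replace '^.*:(\d+)\s*$', '$1')
    "Loopback proxy for $($s.SID) on port $port; listener(s):"
    Get-LoopbackListener -Port $port | Format-Table -AutoSize
}
```

Run it before and after an FRST fix of this kind: before, it names the process behind the port (the thing that actually needs removing); after, the `ProxyServer` column should be empty for the affected SID and the port should have no listener. A proxy entry that comes back after a reboot means an autostart or scheduled task is re-setting it.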


#8 kotoroshinoto

kotoroshinoto
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 14 December 2014 - 12:30 PM

I should mention I DO have a git server and HTTP server running. I believe git uses HTTPS, but I don't know if any of that showed up.

Not that any of that matters. I'm in the process of doing the above; FRST wants me to restart, so I guess I'll resume the second part when I load back up.


Edited by kotoroshinoto, 14 December 2014 - 12:36 PM.


#9 kotoroshinoto

kotoroshinoto
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 17 December 2014 - 07:38 AM

It is running considerably better than before. Have not heard any of the annoying audio ads for a while.

Attached Files



#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 17 December 2014 - 08:20 PM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

C:\Users\Michael\AppData\Local\PMB Files\Upgrade41270\PMB_update.exe
C:\Users\Xiaowen\Downloads\91assistant_3.9.6.2_295.apk    
E:\Users\Michael\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\3c9bd404-2f38a0d5
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.



#11 kotoroshinoto

kotoroshinoto
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 18 December 2014 - 12:49 PM

I had removed 2 of those manually already myself (knowing they should not have existed). The third thing was removed by FRST.

I have been noticing a roboticization of audio from YouTube vids that hasn't gone away; dunno what could be causing it.

Attached Files



#12 kotoroshinoto

kotoroshinoto
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 18 December 2014 - 02:06 PM

The audio lag (that makes things sound like they're "vibrating" or like a robot) happens outside of browsers too, even playing MP3s, but I haven't been able to diagnose what causes it. It happens even if my CPU core usages are very low (8-core system).



#13 kotoroshinoto

kotoroshinoto
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 18 December 2014 - 11:32 PM

Had an error in one of my applications: Class not registered, ClassID: {56FDF344-FD6D-11D0-958A-006097C9A090}.

Is this related to something we did?

 



#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 18 December 2014 - 11:41 PM

Not sure what is going on with your audio, or that error.  In all honesty, most of what I have done has been diagnostic and housekeeping.  I've only removed a few items, none of which seem to relate to that CLSID.  Run another FRST scan for me, please, and post that log.


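A check for the "Class not registered" error raised above, added here as an example and not taken from the thread or from FRST: it looks a CLSID up in both the 64-bit and the 32-bit (`Wow6432Node`) views of `HKEY_CLASSES_ROOT`, reports the registered name and the server DLL or EXE, and tests whether that file is actually on disk. Run it from a 64-bit PowerShell so that both views are visible. The CLSID in the call is the one from the post; it is the shell's Taskbar List (`ITaskbarList`) class, a Windows component rather than anything removed in this thread, so on a healthy system the script should report it as registered with its server file present. A class that is registered in one view but not the other explains the error only for applications of the other bitness, and a registered class whose server file is missing points at a cleanup tool having deleted the binary rather than the key.

```powershell
# Added example, not from the thread: report how a CLSID is registered in the
# 64-bit and 32-bit COM views and whether its server binary exists.
function Get-ClsidRegistration {
    param([Parameter(Mandatory)][string]$Clsid)

    $views = [ordered]@{
        '64-bit' = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
        '32-bit' = "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid"
    }

    foreach ($view in $views.Keys) {
        $key  = $views[$view]
        $info = [ordered]@{
            Clsid = $Clsid; View = $view; Registered = (Test-Path -LiteralPath $key)
            Name = $null; ServerType = $null; Server = $null; ServerFileExists = $null
        }
        if ($info.Registered) {
            $info.Name = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            # In-process (DLL) or out-of-process (EXE) server, whichever is present.
            foreach ($st in 'InprocServer32', 'LocalServer32') {
                $serverKey = "$key\$st"
                if (Test-Path -LiteralPath $serverKey) {
                    $info.ServerType = $st
                    $info.Server     = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
                    break
                }
            }
            if ($info.Server) {
                # Expand %SystemRoot% etc. and drop the arguments of a quoted path before testing.
                # An unquoted path followed by arguments is tested as-is and will read as missing.
                $exe = [Environment]::ExpandEnvironmentVariables($info.Server) -replace '^"([^"]+)".*$', '$1'
                $info.ServerFileExists = Test-Path -LiteralPath $exe
            }
        }
        [pscustomobject]$info
    }
}

# CLSID quoted from the post above.
Get-ClsidRegistration -Clsid '{56FDF344-FD6D-11D0-958A-006097C9A090}' | Format-List
```

If the key is genuinely missing, the usual repair is a System File Checker pass (`sfc /scannow`) or re-registering the owning binary, rather than another malware scan; if it is present in both views with the file on disk, the application error has a different cause and the cleanup can be ruled out.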


#15 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 AM

Posted 31 December 2014 - 11:05 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





