Virus Removal Help, Random Sound

win7

12 replies to this topic

#1 Hendrick

Hendrick

    Neowinian

  • Joined: 14-November 07

Posted 03 May 2013 - 22:40

Hi Everyone-

While I'm not sure what happened, my parents' computer has a virus, and now random ads, and sometimes music, play in the background (no... IE, FF, Chrome, Safari, Opera, whatever are all closed). This happens on start-up, so I'm sure it's a hidden open program. If I pull up the Sound Mixer, I can see it under the applications, but it is listed as "Name Not Available".

I've run Malwarebytes, Avira, Spybot S&D, and SuperAntiMalware, however I cannot seem to get rid of it.

I'll attach the log files from HijackThis, DDS, and GMER. While I'm all for re-imaging, my parents really want to avoid that.

Thanks for any help in identifying/removing this thing.

HijackThis: hijackthis.txt (8.29KB)
GMER: gmer.txt (3.86KB)
DDS: DDS.txt (12.69KB) | Attach.txt (4.21KB)


#2 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 03 May 2013 - 22:45

2013-05-02 00:51:47 -------- d-----w- c:\users\main\appdata\roaming\Kodae
2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Xoyb
2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Qazeax
2013-05-02 00:50:25 0 ----a-w- C:\flashplayer.exe
2013-05-02 00:42:15 0 ----a-w- C:\skype.exe
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ytuwmo
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ewpau
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Awac
2013-05-02 00:41:32 0 ----a-w- C:\teamviewer.exe

These are throwing up some red flags. What are in those folders?

I also saw from the logs that the computer also has Java installed and it's out of date (more than likely the cause of the infection). If you don't need Java, get rid of it, and if you do need it for an app, then disable it in the browser.

I'd recommend scanning the system externally with a Kaspersky rescue disc. But to make the process go faster, I would first run CCleaner and remove a lot of the temp files.

I would also recommend running PatchMyPC (http://www.patchmypc.net) and updating all of the 3rd-party applications it finds to be out of date.
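The entries warwagon quotes are the classic triage signals from a DDS "Created" listing: a burst of zero-byte executables dropped at the drive root within the same few minutes as a set of freshly created, randomly named folders under AppData\Roaming. The script below is an added example (not code from the thread or from DDS) that parses lines in that format and applies those two heuristics; the time window, the regexes and the two extra benign lines in the sample are assumptions made for the example.

```python
"""Triage helper for DDS-style "Created" listing lines (added example, not a DDS tool).

Heuristics (assumptions for this example, not DDS rules):
  1. a file of size 0 with a .exe name directly at a drive root is suspicious;
  2. a directory created directly under AppData\\Roaming within WINDOW of such a
     file is treated as part of the same drop and flagged too.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample: the lines quoted in post #2 above, plus two constructed
# benign entries (an old Mozilla profile folder and a normal-sized download)
# to show what the heuristics leave alone.
SAMPLE_LOG = r"""
2013-05-02 00:51:47 -------- d-----w- c:\users\main\appdata\roaming\Kodae
2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Xoyb
2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Qazeax
2013-05-02 00:50:25 0 ----a-w- C:\flashplayer.exe
2013-05-02 00:42:15 0 ----a-w- C:\skype.exe
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ytuwmo
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ewpau
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Awac
2013-05-02 00:41:32 0 ----a-w- C:\teamviewer.exe
2013-03-10 12:00:00 -------- d-----w- c:\users\main\appdata\roaming\Mozilla
2013-05-02 00:50:25 150000 ----a-w- c:\users\main\downloads\setup.exe
"""

# <timestamp> <size or dashes for a directory> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>-+|\d+)\s+"
    r"(?P<attrs>[-dashrw]+)\s+"
    r"(?P<path>.+?)\s*$"
)
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)
ROAMING_DIR_RE = re.compile(r"\\appdata\\roaming\\[^\\]+$", re.IGNORECASE)
WINDOW = timedelta(minutes=15)  # assumed clustering window


@dataclass
class Entry:
    ts: datetime
    size: Optional[int]  # None for directories (DDS prints dashes)
    is_dir: bool
    path: str


def parse_dds_lines(text: str) -> List[Entry]:
    """Parse listing lines; silently skip anything that is not in the format."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            size=size,
            is_dir=m["attrs"].startswith("d"),
            path=m["path"],
        ))
    return entries


def zero_byte_root_executables(entries: List[Entry]) -> List[Entry]:
    """Heuristic 1: empty .exe files sitting directly at a drive root."""
    return [e for e in entries
            if not e.is_dir and e.size == 0 and ROOT_EXE_RE.match(e.path)]


def roaming_dirs_near(entries: List[Entry], anchors: List[Entry],
                      window: timedelta = WINDOW) -> List[Entry]:
    """Heuristic 2: AppData\\Roaming folders created within `window` of an anchor."""
    return [e for e in entries
            if e.is_dir and ROAMING_DIR_RE.search(e.path)
            and any(abs(e.ts - a.ts) <= window for a in anchors)]


def triage(text: str) -> Dict[str, List[str]]:
    """Return the paths flagged by both heuristics, in listing order."""
    entries = parse_dds_lines(text)
    exes = zero_byte_root_executables(entries)
    dirs = roaming_dirs_near(entries, exes)
    return {
        "zero_byte_root_exes": [e.path for e in exes],
        "suspect_roaming_dirs": [e.path for e in dirs],
    }


if __name__ == "__main__":
    for label, paths in triage(SAMPLE_LOG).items():
        print(label)
        for p in paths:
            print("  ", p)
```

On the sample this flags the three root executables and the six randomly named Roaming folders, while the older Mozilla folder and the normal-sized download in the user's own folder are left alone. The folder contents Hendrick later reports (single files with random names, or empty) are what you would then go and inspect by hand.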

#3 xendrome

xendrome

    In God We Trust; All Others We Monitor

  • Tech Issues Solved: 10
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 03 May 2013 - 22:53

Run Combofix on it as well

#4 Circaflex

Circaflex

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 18-August 02
  • Location: California
  • OS: 8 x64, 7 x64, Mountain Lion, Ubuntu
  • Phone: hammerhead

Posted 03 May 2013 - 23:04

I've seen ComboFix screw up more computers than actually fix them; you need to run a rescue disc to actually clean those out.

You can try Norton Power Eraser as well.

#5 xendrome

xendrome

    In God We Trust; All Others We Monitor

  • Tech Issues Solved: 10
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 03 May 2013 - 23:22

    I've seen ComboFix screw up more computers than actually fix them; you need to run a rescue disc to actually clean those out.

Never had it do anything bad to a system; you have to make sure you are running ComboFix from normal mode, not safe mode... plus, it's not really ComboFix's fault the system is jacked up in the first place.

#6 OP Hendrick

Hendrick

    Neowinian

  • Joined: 14-November 07

Posted 03 May 2013 - 23:44

    I also saw from the logs that the computer also has Java installed and it's out of date (more than likely the cause of the infection). If you don't need Java, get rid of it, and if you do need it for an app, then disable it in the browser.

My initial instinct was that it was a Java vulnerability; I just didn't take the time to hunt it down. Like I said, it's my parents' computer, so I never (normally) touch it.

Thank-you to everyone for the suggestions, I'll try them in a half hour when I get home, and I'll let you know how it goes.

#7 SlasherKG

SlasherKG

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 06-November 01

Posted 04 May 2013 - 00:10

Actually, I ran into this a couple of weeks ago. It's a rootkit virus. But I can't remember what tool I ran to fix it; I think it was a free Kaspersky tool?

EDIT: I believe this is it - http://support.kaspe...m/5350?el=88446

#8 OP Hendrick

Hendrick

    Neowinian

  • Joined: 14-November 07

Posted 04 May 2013 - 00:37

Well the Kaspersky Rescue Disk is running now, but the ETA is 6 hours. Guess I'll post back in the morning with the results. Still have to try TDSSKiller and ComboFix.

And to answer warwagon's question:

2013-05-02 00:51:47 -------- d-----w- c:\users\main\appdata\roaming\Kodae -> lafu.ulo
2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Xoyb -> kyaq.yci
2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Qazeax -> Empty
2013-05-02 00:50:25 0 ----a-w- C:\flashplayer.exe
2013-05-02 00:42:15 0 ----a-w- C:\skype.exe
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ytuwmo -> eqesn.huy
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ewpau -> okih.tmp okih.vop
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Awac -> Empty
2013-05-02 00:41:32 0 ----a-w- C:\teamviewer.exe

Answers are bolded or italicized (shown after the arrow here). Seems like all random files. The ones in the root directory of the disk are all 0 bytes.

#9 CougarDan

CougarDan

    Neowinian

  • Joined: 31-December 08

Posted 04 May 2013 - 00:42

TDSSKiller will fix it. Sounds like the Pihar rootkit.

#10 SlasherKG

SlasherKG

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 06-November 01

Posted 04 May 2013 - 00:43

Wow, hope the rescue disk finds it. The TDSSKiller only took about 5-10 minutes as I recall, and it definitely fixed this exact issue. Random audio ads playing and the same "Name Not Available" showing in the Volume Mixer. Good luck!

#11 OP Hendrick

Hendrick

    Neowinian

  • Joined: 14-November 07

Posted 04 May 2013 - 01:33

Ended up killing the rescue disk and trying TDSSKiller. It appears to be gone! Thanks to everyone for the help!

#12 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 04 May 2013 - 01:50

Hmm, never had the rescue disc take that long... If you cleaner first. It should have also found the rootkit, I'm assuming MBR rootkit.

#13 megan425

megan425

    Resident One Post Wonder

  • Joined: 05-July 13

Posted 05 July 2013 - 05:32

TDSSKiller worked for me. Thank you. After a day of research and trying various things I found this thread. So very glad I did.