Virus Removal Help, Random Sound

Hi Everyone-

While I'm not sure what happened, my parents' computer has a virus, and now random ads, and sometimes music, play in the background (no, IE, FF, Chrome, Safari, Opera, whatever are all closed). This happens on start-up, so I'm sure it's a hidden open program. If I pull up the Sound Mixer, I can see it under the applications, but it is listed as "Name Not Available".

I've run Malwarebytes, Avira, Spybot S&D, and SuperAntiMalware, however I cannot seem to get rid of it.

I'll attach the log files from HijackThis, DDS, and GMER. While I'm all for re-imaging, my parents really want to avoid that.

Thanks for any help in identifying/removing this thing.

HijackThis: hijackthis.txt

GMER: gmer.txt

DDS:DDS.txt | Attach.txt


2013-05-02 00:51:47 -------- d-----w- c:\users\main\appdata\roaming\Kodae

2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Xoyb

2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Qazeax

2013-05-02 00:50:25 0 ----a-w- C:\flashplayer.exe

2013-05-02 00:42:15 0 ----a-w- C:\skype.exe

2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ytuwmo

2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ewpau

2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Awac

2013-05-02 00:41:32 0 ----a-w- C:\teamviewer.exe

These are throwing up some red flags. What's in those folders?

I also saw from the logs that the computer has Java installed and it's out of date (more than likely the cause of the infection). If you don't need Java, get rid of it, and if you do need it for an app, then disable it in the browser.

I'd recommend scanning the system externally with a Kaspersky Rescue Disc. But to make the process go faster, I would first run CCleaner and remove a lot of the temp files.

I would also recommend running patchmypc http://www.patchmypc.net and updating all of the 3rd party applications it finds to be out of date.

  • Like 3

I've seen ComboFix screw up more computers than it's actually fixed; you need to run a rescue disc to actually clean those out.

you can try norton power eraser as well


I've seen ComboFix screw up more computers than it's actually fixed; you need to run a rescue disc to actually clean those out.

Never had it do anything bad to a system; you have to make sure you are running ComboFix from normal mode, not safe mode... plus, it's not really ComboFix's fault the system is jacked up in the first place.


I also saw from the logs that the computer has Java installed and it's out of date (more than likely the cause of the infection). If you don't need Java, get rid of it, and if you do need it for an app, then disable it in the browser.

My initial instinct was that it was a Java vulnerability; I just didn't take the time to hunt it down. Like I said, it's my parents' computer, so I never (normally) touch it.

Thank-you to everyone for the suggestions, I'll try them in a half hour when I get home, and I'll let you know how it goes.


Well the Kaspersky Rescue Disk is running now, but the ETA is 6 hours. Guess I'll post back in the morning with the results. Still have to try TDSSKiller and ComboFix.

And to answer warwagon's question:

2013-05-02 00:51:47 -------- d-----w- c:\users\main\appdata\roaming\Kodae  [contains: lafu.ulo]

2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Xoyb  [contains: kyaq.yci]

2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Qazeax  [empty]

2013-05-02 00:50:25 0 ----a-w- C:\flashplayer.exe  [0-byte file]

2013-05-02 00:42:15 0 ----a-w- C:\skype.exe  [0-byte file]

2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ytuwmo  [contains: eqesn.huy]

2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ewpau  [contains: okih.tmp, okih.vop]

2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Awac  [empty]

2013-05-02 00:41:32 0 ----a-w- C:\teamviewer.exe  [0-byte file]

Answers are in brackets after each entry. Seems like all random files. The ones in the root directory of the disk are all 0 bytes.

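The two red flags warwagon pulled out of the DDS log (a cluster of randomly named folders created under AppData\Roaming within a few minutes of each other, and zero-byte .exe files sitting in the root of C:\) can be picked out of a DDS "Created" listing mechanically. The script below is an added triage example, not part of the original thread and not a DDS feature; the lines in SAMPLE_DDS are constructed to mirror the shape of the entries posted above (with a few benign entries mixed in), and the KNOWN_ROAMING allow-list is an assumption used to show how normal vendor folders are excluded.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of DDS "Created" entries (not the thread's
# real log): <timestamp> <size, or dashes for a directory> <attrs> <path>.
SAMPLE_DDS = r"""
2013-05-02 00:51:47 -------- d-----w- c:\users\main\appdata\roaming\Kodae
2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Xoyb
2013-05-02 00:51:46 -------- d-----w- c:\users\main\appdata\roaming\Qazeax
2013-05-02 00:50:25 0 ----a-w- C:\flashplayer.exe
2013-05-02 00:42:15 0 ----a-w- C:\skype.exe
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ytuwmo
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Ewpau
2013-05-02 00:41:36 -------- d-----w- c:\users\main\appdata\roaming\Awac
2013-05-02 00:41:32 0 ----a-w- C:\teamviewer.exe
2013-04-20 10:00:00 -------- d-----w- c:\users\main\appdata\roaming\Mozilla
2013-04-11 09:12:00 -------- d-----w- c:\users\main\appdata\roaming\SomeVendor
2013-04-11 09:12:01 -------- d-----w- c:\users\main\appdata\roaming\Mozilla\Firefox
2013-03-02 08:00:00 245760 ----a-w- c:\windows\system32\notepad.exe
"""

DDS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)

# Assumed allow-list of vendor folders normally present under Roaming; tune per host.
KNOWN_ROAMING = {"microsoft", "mozilla", "adobe", "macromedia", "apple computer", "skype"}

# An .exe directly in a drive root, e.g. c:\skype.exe
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$")


def parse_dds(text):
    """Turn DDS 'Created' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "is_dir": m["attrs"].startswith("d"),
            # DDS prints dashes instead of a size for directories
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "path": m["path"].lower(),
        })
    return entries


def roaming_leaf(path):
    """Name of a directory sitting directly under ...\\appdata\\roaming, else None."""
    parent, _, leaf = path.rpartition("\\")
    return leaf if parent.endswith("\\appdata\\roaming") and leaf else None


def triage(entries, window=timedelta(minutes=15), min_burst=2):
    """Flag (a) zero-byte .exe files in a drive root and (b) bursts of
    unfamiliar directories created under Roaming within `window` of each other."""
    findings = []
    for e in entries:
        if not e["is_dir"] and e["size"] == 0 and ROOT_EXE.match(e["path"]):
            findings.append(("zero_byte_root_exe", e["path"]))

    # Only top-level Roaming directories that are not on the allow-list
    fresh = sorted(
        (e for e in entries
         if e["is_dir"] and roaming_leaf(e["path"])
         and roaming_leaf(e["path"]) not in KNOWN_ROAMING),
        key=lambda e: e["ts"],
    )
    i = 0
    while i < len(fresh):
        j = i
        while j + 1 < len(fresh) and fresh[j + 1]["ts"] - fresh[i]["ts"] <= window:
            j += 1
        if j - i + 1 >= min_burst:
            findings.append(("roaming_dir_burst", tuple(e["path"] for e in fresh[i:j + 1])))
        i = j + 1
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_dds(SAMPLE_DDS)):
        print(kind, detail)
```

On the constructed sample this reports the three zero-byte executables in C:\ and one burst containing the six unfamiliar Roaming folders, while the lone SomeVendor folder and the Mozilla entries are left alone. These are triage heuristics for deciding what to look at first, not a verdict: a folder with a random-looking name still has to be inspected, and a clean run says nothing about what an offline scan such as the rescue disc recommended above will find.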

Wow, hope the rescue disk finds it. The TDSSKiller only took about 5-10 minutes as I recall, and it definitely fixed this exact issue. Random audio ads playing and the same "Name Not Available" showing in the Volume Mixer. Good luck!


Hmm, never had the rescue disc take that long... if you ran CCleaner first. It should have also found the rootkit; I'm assuming an MBR rootkit.


  • 2 months later...

TDSSKiller worked for me. Thank you. After a day of research and trying various things I found this thread. So very glad I did.
