WorldStart Tech & Computer Help Forums > Virus And Malware Help

#1
01-11-2013, 03:44 AM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
IRP Hook Malware? Phantom Audio?

Hello, everyone. I'm not sure how I keep getting into Malware trouble with my computers, but here I go again.

For starters, I'm on my laptop right now, but my desktop computer is a PC running Windows 7 Home Premium. The desktop is on right now, but it's sitting in safe mode again because regular mode is going crazy.

I actually haven't used my desktop computer in months, so I was surprised to finally need it and have a pretty bizarre issue.

At first, it looked like my search engines had been hijacked - Google and Gmail would reach screens like the "Website cannot be found" screen, except it was randomly in Chinese. When I tried to web search things, both Google and Yahoo would come up with maybe 2 related results and the links didn't lead where they should. I tried to update my AVG 2012 and run a scan, but in the middle of that attempt, the computer blue screened and restarted itself.

I tried to run an AVG scan in Safe Mode (I don't know if I was supposed to do that, but it seemed logical at the time...) and it said it put away a bunch of trojans in the virus vault. When the scan finished, I went back into normal mode and tried to run a scan, and things got even weirder.

Now random audio is blaring through my computer speakers - they're various short commercials, like the ones you sometimes hear in the sidebars of websites or before videos, and sometimes multiple commercials overlap each other in a parade of noise. These bursts of noise happen every couple of minutes and then last for a while. I went to my computer's volume mixer to see where it was playing from, but the source was listed as "Name Not Available". (After "Speakers" and "System Sounds")

Tried to run AVG scans and Malware Bytes and neither of them managed to finish before the computer blue screened again, but AVG did list me these things to look into... These were all things that showed up in the "infection" list, or were "blocked" by AVG during the scan:

------------------------------
judge.beartraptruffle.com/news/virtual

IRP hook, /Driver/atapi IRP_MJ_CREATE -> 0xFFFFFA8008236650
(that was only one of 28 IRP hooks listed)

c:\Windows\System32\services.exe
-----------------------------------

Last odd coincidence, maybe, was that Team Viewer auto-started when the computer started again, and it doesn't usually do that. Is Team Viewer a "peer to peer" program? I read here that I should delete P2Ps, but I don't know if Team Viewer counts... It's what my brother and I use when I have computer issues, but he's under way on a ship right now.

Any advice will be much appreciated! Sorry to bother you!
#2
01-11-2013, 07:15 AM
MikeN.
Guest
Team Viewer would not be considered a peer to peer program in my view.

Since you have Malwarebytes installed try using the Chameleon feature of that program first which will seek out infection processes and hopefully stop them allowing Malwarebytes to actually run.

Please run MBA-M this way:

Go to Start, All Programs, Malwarebytes' Anti-Malware. Click on the entry ONCE to open it, scroll down to the Tools folder and choose Malwarebytes' Anti-Malware Chameleon; double-click that, because that is how you need to run this scan for this infection. Follow the directions given here:

http://helpdesk.malwarebytes.org/ent...fected-systems

Once the scan is complete have it remove ALL items found, reboot the system and post back here with the log.
#3
01-11-2013, 12:13 PM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
Hello, Mike. Thank you, I'll give that a try and get back to you soon.

[EDIT] Sorry, should I do that in regular mode or safe mode? I think I need to try it in regular and see if the programs can finish what they're doing before they get bluescreened. I actually have MBAM on a thumb drive.
#4
01-11-2013, 12:32 PM
MikeN.
Guest
Quote: Originally Posted by trollitrade
Hello, Mike. Thank you, I'll give that a try and get back to you soon.

[EDIT] Sorry, should I do that in regular mode or safe mode? I think I need to try it in regular and see if the programs can finish what they're doing before they get bluescreened. I actually have MBAM on a thumb drive.
Please don't go back and edit a post to add another question; hit reply and send, as I may not see what you added. Try it in normal mode first. If not, then yes, Safe Mode. If you get it to run in Safe Mode, immediately boot to normal mode and run it again, as Safe Mode doesn't work as well.
#5
01-11-2013, 12:47 PM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
Oh! Sorry, of course. I guess double-posting on a help forum like this wouldn't be considered against the rules.

I'm running Chameleon in normal mode right now. The audio started going crazy again even from the log-in screen when I was going to normal mode, but the program seems to be running fine. It's at the stage where it says "Killing known malicious processes, please wait..."

I will check in with the logs once it is finished. Hopefully I'll be able to use the internet on the desktop to communicate at that point, because posting the logs may be difficult from the laptop when the logs will be done on the desktop.

Thank you again for your help!
#6
01-11-2013, 12:52 PM
MikeN.
Guest
Double posting? It's easier to keep track of your questions and what's been posted by doing a new reply rather than hopping back each time to add something to an old post... Very, very confusing then. We have threads that literally have hundreds of posts.
#7
01-11-2013, 01:06 PM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
That makes sense - I can see how it would be confusing! Double-posting is a rule from other forums I use, but they're really not the same kind of forum as here, so I should have thought of that. Thanks!

I got the log from MBAM, but the audio is currently going crazy. Hmm... I've definitely got some more work to do!

=======================================
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.11.11

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Chantelle Sundeen :: CN-DESKTOP [administrator]

1/11/2013 10:48:36 AM
mbam-log-2013-01-11 (10-48-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242607
Time elapsed: 1 minute(s), 48 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 1760 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users\Chantelle Sundeen\AppData\Local\omf.exe" -a "%1" %* -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:49362 -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Chantelle Sundeen\AppData\Local\omf.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Windows\Installer\{0a5555ba-3d57-09d3-f4a1-973b2569c64b}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{0a5555ba-3d57-09d3-f4a1-973b2569c64b}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{0a5555ba-3d57-09d3-f4a1-973b2569c64b}\U\80000032.@ (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)
#8
01-11-2013, 01:10 PM
MikeN.
Guest
You did a Quick scan; that scan does not touch the whole drive. Please update Malwarebytes again if you can and run a Full scan, again removing everything, and post the log. You might have to use Chameleon again. Just turn the volume off! Reboot the machine to remove what was found in that first scan. Also, turn off WordWrap in Notepad.

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Chantelle Sundeen :: CN-DESKTOP [administrator]

1/11/2013 10:48:36 AM
mbam-log-2013-01-11 (10-48-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System |
#9
01-11-2013, 01:18 PM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
I did figure I would need to run a full scan next - the quick scan is just what MBAM managed to do as soon as Chameleon let the program get started, so I didn't want to interrupt it. I will do a new scan now.

Also, no worries! I muted the crazy audio, of course - but I can see from my speaker levels that the "Name Not Available" thing is going and it's making a ruckus. I'll report back soon.
#10
01-11-2013, 01:31 PM
MikeN.
Guest
You seem to have a handle on things right now; post the log from the Full scan and then look for more directions, as there will be some. Far from done here.
#11
01-11-2013, 02:54 PM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
As an update, the blue screen got me again after about an hour and a half of MBAM scanning. It had found 3 objects so far.

The volume on my computer is still muted, but I could see that eight different "Name Not Available" programs had started playing the audio. Usually it was only one at a time, like one of the audio programs would finally stop, and then another would start. (I'm not sure what any of that means exactly, but I thought it seemed relevant enough to mention as an update on the situation)

I'll see if I can get the full scan to run after a chameleon, and if that doesn't work, I'll try to do the full scan through safe mode.
#12
01-11-2013, 02:56 PM
MikeN.
Guest
Sounds good.
#13
01-11-2013, 04:27 PM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
By the way, I'm 1 hour and 2 minutes into the MBAM full computer scan (it has found 2 objects so far), but my AVG program seems to be trying to do something on its own.

The AVG Resident Shield Alert is popping up with five things listed. It did this last time, too, but I didn't mess with it because I was trying to let MBAM do its thing.

--------------------------------------------------------------------
AVG Resident Shield Alert says:
c:\Windows\System32\services.exe ... Trojan horse Patched_c.MIS
c:\Windows\System32\services.exe ... Trojan horse Patched_c.MIS
c:\Windows\System32\services.exe ... Trojan horse Patched_c.MIS

c:\Windows\assembly\GAC_32\Desktop.ini ... Trojan horse BackDoor.Generic15.AXLA
c:\Windows\assembly\GAC_64\Desktop.ini ... Trojan horse Generic28.ANIC
--------------------------------------------------------------------

The first three things appear to be the same thing, and AVG says "Object is white-listed (critical system file that should not be removed)".

The second two have the red bar that says "INFECTED".

I have the option on the AVG Resident Shield to "Remove all unhealed", but I haven't been touching AVG Resident Shield because I'm letting MBAM do its work and I'm not sure if AVG is trying to interfere or not.

Should I ignore what AVG is doing, or should I be telling it to remove unhealed?

Thank you!

I will post the MBAM log as soon as I can, but it's not finished scanning yet and I need to go to work soon.
#14
01-11-2013, 04:48 PM
nojmit
Still Hanging Around
Join Date: Dec 2004
Location: Grandville, MI.
Posts: 3,326
It sounds like they might be fighting each other for control. I personally would shut down the resident shield on AVG and let MBAM run unobstructed.
__________________
"Knowing how to think, empowers you far beyond those who only know what to think" - Neil deGrasse Tyson

Tims Computer Specs
#15
01-11-2013, 05:33 PM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
Hello again!

So I should turn off AVG? Whenever I get my computer to start up again, AVG always has a message saying,

Threat detected: c:\Windows\System32\services.exe
Threat name: Trojan horse Patched_c.MIS
Detected on Open

And then the only option it gives is "Ignore the Threat". Again, I'm not sure what all of this means, but if it's getting in MBAM's way, I'll turn it off.

I need to go to work now, but MBAM actually just finished with the full computer scan and I was able to restart like it asked me to. Here are the logs:
=========================================================

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.11.14

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Chantelle Sundeen :: CN-DESKTOP [administrator]

1/11/2013 1:19:15 PM
mbam-log-2013-01-11 (13-19-15).txt

Scan type: Full scan (A:\|C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 560032
Time elapsed: 2 hour(s), 6 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\Installer\{0a5555ba-3d57-09d3-f4a1-973b2569c64b}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{0a5555ba-3d57-09d3-f4a1-973b2569c64b}\U\80000032.@ (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

=========================================================

Thank you very much! I'll be back later after work.
#16
01-11-2013, 06:27 PM
jholland1964
Almost Really Old Member
Join Date: Feb 2004
Location: The Middle
Posts: 30,941
You can actually uninstall AVG; it is very likely damaged and you wouldn't want to use or trust it, plus it didn't do a thing to protect you, as you can see. If it worked well you likely would not have these infections on there.

That infected computer needs to be 100% taken offline.

The computer has been hijacked by an outside user, who may still be in control in fact, and has at least one rootkit, possibly more, on there also which cannot be removed by either of the tools you are using. Rootkits require specialized tools.
If you'll note, the same infections have already been removed multiple times.
When you return don't put it online; use your other computer. Hopefully you have a flash drive you can use in order to get the new tools that will be required for use in that infected computer; there are several. The best thing to do is download them on the clean computer, move them to the flash drive and then put them on the infected computer. If that is not possible then you'll have to work around that, but we'll wait until you return to figure this out.
__________________

1. Dell Inspiron N5040;
Windows 7 64bit SP1
Firefox v.33, IE11;WLM2012; Avira Free, Windows Firewall, MBAM, SpywareBlaster, SUPERAntispyware

2.Dell Inspiron N7010; Windows 7 64bit SP1
*same programs as computer 1 above*


Help Us To Help You

System Restore

Stick with the Clean up
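As an added example (not from the thread, and not Malwarebytes' own code): a small Python triage script for MBAM 1.x logs like the ones posted above. It rejoins detection entries that Notepad's WordWrap split across lines (the problem Mike raises in post #8), parses each detection, and flags what matters for the rest of this thread: rootkit-class items, files still pending "Delete on reboot", and objects a later scan finds again after an earlier scan "removed" them (jholland1964's point just above). The two log excerpts inside it are constructed for the example with the account name replaced, and the wrap-joining rule and the category notes are the example's own heuristics.

```python
import re
# Constructed sample (not the thread's log verbatim): the kinds of entries the thread's quick
# scan reported, written out with the line wrapping that Notepad's WordWrap adds.
QUICK_SCAN = r"""Registry Values Detected: 1
HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users
\user\AppData\Local\omf.exe" -a "%1" %* ->
Quarantined and deleted successfully.

Files Detected: 2
C:\Windows\Installer\{0a5555ba-3d57-09d3-f4a1-
973b2569c64b}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and
deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
"""
FULL_SCAN = r"""Files Detected: 2
C:\Windows\Installer\{0a5555ba-3d57-09d3-f4a1-973b2569c64b}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
"""  # a later scan (also constructed) in which both "removed" files are back

SECTION_RE = re.compile(r" Detected: (\d+)$")
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<category>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
ACTION_END_RE = re.compile(r"(successfully\.|on reboot\.|No action taken\.)$")  # entry terminators

# Why a category matters for the cleanup (a defender's reading of the thread's findings).
CATEGORY_NOTES = {
    "Rootkit.": "rootkit component: expect reinfection until a rootkit-specific tool is run",
    "Hijack.ExeFile": ".exe association hijack: every program launch went through the named file",
    "Trojan.Clicker": "ad-clicking component: consistent with the unexplained audio ads",
}

def _join(buf, line):  # glue a wrapped fragment back onto the entry being rebuilt
    if buf and (buf.endswith(("\\", "-")) or line.startswith("\\")):
        return buf + line  # a break inside a path or GUID has no space around it
    return f"{buf} {line}".strip()

def parse_mbam_log(text):
    """Return [{obj, category, action}] for every detection in an MBAM 1.x text log."""
    entries, pending, buf = [], 0, ""
    for line in (l.strip() for l in text.splitlines()):
        head = SECTION_RE.search(line)
        if head:  # "... Detected: N" opens a section holding N entries
            pending, buf = int(head.group(1)), ""
        elif pending and line:
            buf = _join(buf, line)
            if ACTION_END_RE.search(buf):  # the action phrase closes the entry
                if m := ENTRY_RE.match(buf):
                    entries.append({"obj": m.group("obj"), "category": m.group("category"),
                                    "action": m.group("rest").split(" -> ")[-1]})
                pending, buf = pending - 1, ""
    return entries

def triage(entries):
    """Warnings for findings that mean the machine is not clean yet."""
    warnings = []
    for e in entries:
        warnings += [f"{e['obj']}: {note}" for p, note in CATEGORY_NOTES.items()
                     if e["category"].startswith(p)]
        if e["action"] == "Delete on reboot.":
            warnings.append(f"{e['obj']}: still on disk until the machine is rebooted")
    return warnings

def reappearing(previous, current):
    """Objects 'removed' by an earlier scan that a later scan finds again."""
    seen = {e["obj"].lower() for e in previous}
    return sorted({e["obj"] for e in current if e["obj"].lower() in seen})
```

Running `reappearing(parse_mbam_log(QUICK_SCAN), parse_mbam_log(FULL_SCAN))` on the two samples lists both files, the pattern that signals a component the scanner cannot see is restoring them.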
#17
01-11-2013, 10:57 PM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
Hello again, I'm home from work and ready to continue tackling this thing. Thank you all very much for your help so far. I really appreciate what you do - I'm actually a 3rd generation user - my father and grandmother have always highly recommended your help, so thank you!

I took my desktop completely offline and I'm working on uninstalling AVG 2012 so it'll quit getting in the way. Getting hijacked by an outside user sounds a bit daunting, hmm...

I do have a flash drive to use for file transferring. That's where I keep the MBAM program, the "DDS", and the "C Cleaner"...? I've forgotten exactly what the last two were called, but they were two of the programs used for general PC cleaning, I think.

AVG says I should "Restart Now" to finish uninstalling the program, but I won't do that yet unless someone says I should. I'm on my laptop now.
#18
01-11-2013, 11:28 PM
jholland1964
Almost Really Old Member
Join Date: Feb 2004
Location: The Middle
Posts: 30,941
Quote: Originally Posted by trollitrade

AVG says I should "Restart Now" to finish uninstalling the program, but I won't do that yet unless someone says I should. I'm on my laptop now.
Go ahead and restart to finish the removal of AVG.
When that's completed, let me know.
#19
01-11-2013, 11:34 PM
trollitrade
Member
Join Date: Apr 2008
Posts: 99
Hello again - I've restarted the computer to complete the AVG 2012 removal. The desktop computer is on again, and I'm ready for the next instructions.

Thank you!
#20
01-11-2013, 11:50 PM
jholland1964
Almost Really Old Member
Join Date: Feb 2004
Location: The Middle
Posts: 30,941
You can try to download these to the infected computer using Safe Mode with Networking, though I am not certain that will work, but try it first. The programs must be ON the Desktop, not in some download folder. So be sure that is where they are located. If you do get them downloaded ok, then go back offline and into Normal mode if possible and continue with the instructions.

If you cannot get them to download to the infected computer using Safe Mode with Networking then you will need to download these programs to the clean computer, move them from there to the Flash Drive and take the flash drive to the infected computer which is Offline and in Normal Mode.

These programs must be moved FROM the Flash drive onto the infected computer. They cannot be run From the flash drive but must actually be on the Desktop of the infected computer.
Once you have moved those to the infected computer you need to remove that Flash Drive.

Note to all reading this thread, these tools are for THIS particular computer. These are not tools one would keep and use. They are for specific infections, not for general usage.


Follow these instructions:

Please download AdwCleaner by Xplode onto your desktop.

http://general-changelog-team.fr/fr/...e/2-adwcleaner


Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download & SAVE to your Desktop RogueKiller

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe

Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller

Post back here with both logs.

Now it is nearly 1 A.M. where I live so I may not be here when you return. I will leave other instructions and links for other tools if that is the case then run those tools, post the logs and I will look at them tomorrow.
Turn off the computer completely after all tools are run. Don't turn it back on until you have received notification of another post here. I have a meeting tomorrow so it will likely be in the afternoon before I can return. Mike may check in however and give additional instructions, depending on what tools you have been able to run. Either way, know you won't be left hanging, hopefully we can get this cleaned up and then get you a good av program to install, certainly not AVG again.