Background Audio Ads Rootkit Thingy

Discussion in 'Malware Help (A Specialist Will Reply)' started by MrDan, Aug 31, 2012.

  1. MrDan

    MrDan Private E-2

    Oh, benevolent, wonderful crusaders against malware, I beseech thee for advices! :)

    About two weeks ago, I contracted some kind of trojan horsery (horsery not hosery) that I presume runs a hidden Internet Explorer instance that accesses websites the likes of which I'd never visit, resulting in random audio garbage.

    I realized this after starting my machine up on Sunday morning and hearing random audio playing without any programs running. I immediately realized that there was something wrong. Now, I don't have any AV, I consider myself a very sensible surfer, so to speak, I have a home made machine that has run great for years without any indication of trouble.

    I responded with the only thing I knew, and with my limited experience, maybe not the best decision:

    I downloaded and installed Spybot S&D (which was something I'd used in the past but hadn't put on this computer build--2010).

    I backed up my /user/ files to an external HDD.

    I googled my problem after Spybot failed to do anything substantial. IExplorer was redirected many times, but I was able to read some posts.

    I quarantined my computer and it has been disconnected from the Internet until last night when I was able to attempt problem tacklage.

    Now, most of what I read on this particular nasty thingamabob was not good. And I have accepted that reinstallation may be my fate--I'm okay with that, I would consider it a spring cleaning and would welcome the opportunity to boost my performance with a newly installed lean installation--but I have 9 hard drives hooked up to this thing and I need to know I can reinstall my OS drive without propagating the trojan again.

    I went through the process here as recommended (The Read Me and Run Me) at the school where I work, and burned a CD with all of the programs and web posts with directions, and reluctantly reconnected the computer to the Internet when I found I had downloaded the wrong HitmanPro (I needed 64bit).

    The problem has persisted despite following every direction. I am extremely concerned with detection because reinstallation is blunt and inelegant and I fear backing up my /user/ files may have spread the trojan around.

    Even now Malwarebytes is detecting and blocking background Internet connections and from what I can tell of the audio, it is also failing to block some Internet connections.

    Oh help me, Major Geeks, you're my only hope.
     

    Attached Files:

  2. MrDan

    MrDan Private E-2

    And more logage!

    Thank you so much for taking your time to help people out--it's really, really, really brilliant!
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, MrDan

    Please download and run ComboFix and attach its log.
    Read these instructions on how to use it: How to use ComboFix
    Do not uninstall ComboFix yet as we may need it to fix remaining malware issues.

    __

    Let me know if the problem still persists even after completing the above.
     
  4. MrDan

    MrDan Private E-2

    Wonderful, thank you sir!

    I have administered the combofix, it deleted some files and generated a log, but now I can't establish an Internet connection despite automatic repair efforts (I'm transmitting via iPod Touch otherwise I would attach the log).

    Windows reports:
    Windows could not automatically detect this network's proxy settings.
     
  5. thisisu

    thisisu Malware Consultant

    Sorry to hear that. I have a couple of questions.

    1) Do you have a USB Flash drive?
    2) If you reboot your computer, is the internet connection restored?

    Did ComboFix say anything while it was scanning / deleting items? Any details at all could help me diagnose.
     
  6. MrDan

    MrDan Private E-2

    It deleted the following:

    c:\programdata\jmovaaa.tmp
    c:\programdata\juuuaaa.tmp
    c:\windows\SysWow64\FlashPlayerInstaller.exe
    c:\windows\SysWow64\hookdll.dll
    c:\windows\SysWow64\msvcsv60.dll
    c:\windows\SysWow64\URTTemp
    c:\windows\SysWow64\URTTemp\regtlib.exe
    K:\install.exe
    K:\setup.exe

    I could probably get a hold of a flash drive, but I won't have access to another computer until Tuesday.

    As I mentioned before, I am willing to reinstall--my concern is that it might be lurking about on another drive.

    If you think it's unwise to reformat and reinstall at this point, I will abstain, but I won't be able to access another machine until Tuesday (because of Labor Day weekend).

    Let me know your thoughts or if there is another way I might transmit the information you require sooner.

    Thank you!
     
  7. MrDan

    MrDan Private E-2

    Actually, this might be worth mentioning, I just noticed that a process called "services.exe" is taking up 6.5GB of RAM.
     
  8. thisisu

    thisisu Malware Consultant

    Nothing interesting here.

    I would recommend reinstalling then. How many hard drives have an operating system installed? Is there a chance you have a working OS on another drive (with internet access)?

    With the exception of tools like Malwarebytes Anti-Malware which are capable of scanning each and every drive (Full Scan), most are incapable of this. You may want to run a Full Scan while making sure you selected all your hard disks before you start the scan. It's your call. I'll be here to help either way.

    The logs you attached had nothing of significance in them.

    There are some types of malware that modify services.exe, but the one in your logs is legit / clean.

    Code:
        Showing Running Processes and Memory Usage
        ----------------------------------------------------------------------------

        Image Name                     PID Session Name        Session#    Mem Usage
        ========================= ======== ================ =========== ============
        System Idle Process              0 Services                   0         24 K
        System                           4 Services                   0      2,568 K
        smss.exe                       292 Services                   0      1,276 K
        csrss.exe                      432 Services                   0      5,968 K
        wininit.exe                    512 Services                   0      4,788 K
        csrss.exe                      536 Console                    1     12,220 K
        services.exe                   608 Services                   0      9,888 K
    Normal usage too
     
    Last edited: Sep 1, 2012
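The triage the consultant did by eye above (one services.exe, in session 0, with a working set of a few MB) can be scripted over the same listing layout, which is also the default `tasklist` output format. This is an added example, not from the thread or from any tool mentioned in it; the listing below is constructed, and the second services.exe row with a multi-GB figure is added to exercise the checks, not taken from the posted log.

```python
import re

# Constructed sample in the layout shown in the thread / default "tasklist" output.
# The 4120 row is made up to trigger the checks (the poster reported services.exe
# at 6.5 GB; the posted log itself only shows the legitimate 9,888 K instance).
SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0      2,568 K
smss.exe                       292 Services                   0      1,276 K
csrss.exe                      432 Services                   0      5,968 K
wininit.exe                    512 Services                   0      4,788 K
csrss.exe                      536 Console                    1     12,220 K
services.exe                   608 Services                   0      9,888 K
services.exe                  4120 Console                    1  6,815,744 K
"""

# Name may contain spaces ("System Idle Process"); header and "====" rows don't end in " K".
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
                 r"(?P<sess_no>\d+)\s+(?P<mem>[\d,]+) K$")

def parse_tasklist(text):
    """Parse tasklist-style rows into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"name": m.group("name").strip(), "pid": int(m.group("pid")),
                         "session": m.group("session"), "session_no": int(m.group("sess_no")),
                         "mem_kb": int(m.group("mem").replace(",", ""))})
    return rows

def check_services_exe(rows, mem_limit_kb=1_000_000):
    """Defensive triage heuristics for services.exe; returns a list of findings.
    Expect exactly one instance, in session 0 ("Services"), using a few MB.
    A multi-GB working set is worth a closer look (the thread notes it may be
    a leak rather than malware, so this is a prompt to investigate, not a verdict)."""
    findings = []
    svcs = [r for r in rows if r["name"].lower() == "services.exe"]
    if len(svcs) != 1:
        findings.append(f"expected one services.exe, found {len(svcs)}")
    for r in svcs:
        if r["session_no"] != 0 or r["session"] != "Services":
            findings.append(f"services.exe pid {r['pid']} is in session "
                            f"{r['session_no']} ({r['session']}), not session 0")
        if r["mem_kb"] > mem_limit_kb:
            findings.append(f"services.exe pid {r['pid']} uses {r['mem_kb']:,} K, "
                            f"above {mem_limit_kb:,} K")
    return findings

if __name__ == "__main__":
    for f in check_services_exe(parse_tasklist(SAMPLE)):
        print(f)
```

Session and instance count are the only signals this output carries; the image path (expected to be System32) and the parent process (wininit.exe) need a richer listing such as `tasklist /v` or a process-tree viewer.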
  9. MrDan

    MrDan Private E-2

    Hey,

    I was able to get into my workplace and I've attached the combofix log.

    My concern is that if I can't detect the trojan now, then I am not sure I will be able to detect it or any other malware it may have downloaded amongst my other files--backed up files.

    I did run Malwarebytes full scan, and it only detected some plug-in installers that were fairly trivial--I deleted them as a precaution since I can re-download them from the manufacturer's website, but I have a feeling Malwarebytes isn't detecting this anyway.

    If the combofix log doesn't reveal anything significant, I guess the only option is to reinstall, and while I will probably have to do that anyway (by the way, I left my computer on for a few hours and came back to find services.exe taking up 3.5GB of RAM but my overall system usage had ramped up to 15GB--so my guess is that combofix probably left a memory leak OR there is something malicious that is leaking memory, either way reinstall is probably the most prudent action).

    My concern remains that if we can't detect this thing, then how will I know with any certainty that it has been eliminated, even after reinstallation.

    Let me know your thoughts and as always, thank you so much.

    :)
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    ComboFix log is clean. I'm not sure why internet was broken after running ComboFix.

    You mentioned in your first post that you were experiencing background audio ads. After reinstalling Windows, let me know if you still experience that or not.
     
  11. MrDan

    MrDan Private E-2

    Hey, I just wanted to conclude this thread by thanking you again for helping me and for volunteering your time and expertise to me and people like me. I really appreciate it!

    I've performed a reinstallation, and though there were some bugs in the reinstall, so far everything is operating like normal and I have had minor interaction with my backed up files... thus far it doesn't appear as though anything malicious survived the reformat.

    Nonetheless, I'm maintaining a level of caution as all efforts to detect this particular trojan thingy did not yield much success--and that's too bad, because more definitions result in more protection for future computers.

    Anyway, thank you again, thisisu! :)
     
  12. thisisu

    thisisu Malware Consultant

    You're welcome, Dan :)
     
