Malware Audio Ads

Discussion in 'Malware Help (A Specialist Will Reply)' started by Panamena, Jul 12, 2014.

  1. Panamena

    Panamena Private E-2

    I have a problem with random audio ads running and have been searching through various online forums for solutions. To date I have run MalwareBytes and TDSSKILLER which found nothing. After reading another post in this forum, I ran RogueKiller but don't know how to interpret the results, and I don't seem to be able to get rid of anything I believe is malware. The problem has gotten worse since I started scanning. This is the report from the RogueKiller scan: (Thanks for your help)

    RogueKiller V9.2.2.0 (x64) [Jul 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Lois [Admin rights]
    Mode : Remove -- Date : 07/12/2014 11:31:27

    ¤¤¤ Bad processes : 3 ¤¤¤
    [Suspicious.Path] PCShowServerPMWrapper.exe -- C:\Users\Lois\AppData\Local\NDS\PCShow\PCShowServerPMWrapper.exe[7] -> KILLED [TermProc]
    [Suspicious.Path] AmazonCloudDriveW.exe -- C:\Users\Lois\AppData\Local\Apps\2.0\99YRAAO7.TK8\Z86EWE2Y.OO9\amaz..tion_f2fa081ea2183235_0002.0004_9f25fd1982bf3008\LocalServiceJre\bin\AmazonCloudDriveW.exe[7] -> KILLED [TermProc]
    [Suspicious.Path] NDSPCShowServer.exe -- C:\Users\Lois\AppData\Local\NDS\PCShow\NDSPCShowServer.exe[7] -> KILLED [TermThr]

    ¤¤¤ Registry Entries : 12 ¤¤¤
    [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3609227432-1406814932-2550530014-1001\Software\Microsoft\Windows\CurrentVersion\Run | PCShowServer : C:\Users\Lois\AppData\Local\NDS\PCShow\PCShowServerPMWrapper.exe [x] -> DELETED
    [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3609227432-1406814932-2550530014-1001\Software\Microsoft\Windows\CurrentVersion\Run | PCShowServer : C:\Users\Lois\AppData\Local\NDS\PCShow\PCShowServerPMWrapper.exe -> ERROR [2]
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3609227432-1406814932-2550530014-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49185;https=127.0.0.1:49185 -> NOT SELECTED
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3609227432-1406814932-2550530014-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49185;https=127.0.0.1:49185 -> NOT SELECTED
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 192.168.0.1 -> NOT SELECTED
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 192.168.0.1 -> NOT SELECTED
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{284A96E0-8F95-43DD-860C-ABD75760A9BC} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 192.168.0.1 -> NOT SELECTED
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{284A96E0-8F95-43DD-860C-ABD75760A9BC} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 192.168.0.1 -> NOT SELECTED
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED

    ¤¤¤ Scheduled tasks : 2 ¤¤¤
    [Suspicious.Path] \\{50A12DFE-2FFA-4E64-B296-CE6725D7E09B} -- C:\Users\Lois\AppData\Local\Amazon\Kindle\application\Kindle.exe -> DELETED
    [Suspicious.Path] \\{FDCF7B34-28C5-4B3D-9B25-AFD614F27523} -- C:\Users\Lois\AppData\Local\Amazon\Kindle\application\Kindle.exe -> DELETED

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 20 (Driver: LOADED) ¤¤¤
    [EAT:Addr] (explorer.exe) SqmApi.dll - CoCreateActivity : C:\Windows\system32\comsvcs.dll @ 0x7fedcbcfcb0
    [EAT:Addr] (explorer.exe) SqmApi.dll - CoEnterServiceDomain : C:\Windows\system32\comsvcs.dll @ 0x7fedcbc0668
    [EAT:Addr] (explorer.exe) SqmApi.dll - CoLeaveServiceDomain : C:\Windows\system32\comsvcs.dll @ 0x7fedcbc0938
    [EAT:Addr] (explorer.exe) SqmApi.dll - CoLoadServices : C:\Windows\system32\comsvcs.dll @ 0x7fedcc0992c
    [EAT:Addr] (explorer.exe) SqmApi.dll - ComSvcsExceptionFilter : C:\Windows\system32\comsvcs.dll @ 0x7fedcbadc14
    [EAT:Addr] (explorer.exe) SqmApi.dll - ComSvcsLogError : C:\Windows\system32\comsvcs.dll @ 0x7fedcbc0e2c
    [EAT:Addr] (explorer.exe) SqmApi.dll - CosGetCallContext : C:\Windows\system32\comsvcs.dll @ 0x7fedcbc4c74
    [EAT:Addr] (explorer.exe) SqmApi.dll - DispManGetContext : C:\Windows\system32\comsvcs.dll @ 0x7fedcba3d70
    [EAT:Addr] (explorer.exe) SqmApi.dll - DllCanUnloadNow : C:\Windows\system32\comsvcs.dll @ 0x7fedcbad808
    [EAT:Addr] (explorer.exe) SqmApi.dll - DllGetClassObject : C:\Windows\system32\comsvcs.dll @ 0x7fedcba36b0
    [EAT:Addr] (explorer.exe) SqmApi.dll - DllRegisterServer : C:\Windows\system32\comsvcs.dll @ 0x7fedcba3494
    [EAT:Addr] (explorer.exe) SqmApi.dll - DllUnregisterServer : C:\Windows\system32\comsvcs.dll @ 0x7fedcba3494
    [EAT:Addr] (explorer.exe) SqmApi.dll - GetMTAThreadPoolMetrics : C:\Windows\system32\comsvcs.dll @ 0x7fedcbade20
    [EAT:Addr] (explorer.exe) SqmApi.dll - GetManagedExtensions : C:\Windows\system32\comsvcs.dll @ 0x7fedcbae1b4
    [EAT:Addr] (explorer.exe) SqmApi.dll - GetObjectContext : C:\Windows\system32\comsvcs.dll @ 0x7fedcbc0dfc
    [EAT:Addr] (explorer.exe) SqmApi.dll - GetTrkSvrObject : C:\Windows\system32\comsvcs.dll @ 0x7fedcbadd48
    [EAT:Addr] (explorer.exe) SqmApi.dll - MTSCreateActivity : C:\Windows\system32\comsvcs.dll @ 0x7fedcbcfd90
    [EAT:Addr] (explorer.exe) SqmApi.dll - MiniDumpW : C:\Windows\system32\comsvcs.dll @ 0x7fedcbadea4
    [EAT:Addr] (explorer.exe) SqmApi.dll - RecycleSurrogate : C:\Windows\system32\comsvcs.dll @ 0x7fedcbc116c
    [EAT:Addr] (explorer.exe) SqmApi.dll - SafeRef : C:\Windows\system32\comsvcs.dll @ 0x7fedcbc0f14

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA MK5076GSX SATA Disk Device +++++
    --- User ---
    [MBR] 92c97bf0253d54d390bc46af93c31ea5
    [BSP] c4608c5fe7096ecb80b4047334cbbf39 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 452111 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 926332928 | Size: 20565 MB
    3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 968450048 | Size: 4063 MB
    User = LL1 ... OK
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] ec5f79520dc6e7a678a9d30b2b943023
    [BSP] bee1f23af191fbaa51922b5a56c0af45 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 452111 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 926332928 | Size: 20565 MB
    3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 968450048 | Size: 4063 MB

    +++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
    --- User ---
    [MBR] 335652206c5eb22b729747fac57d532d
    [BSP] 2ec7d5611cdb8beeb7cf7eb3f752406d : Unknown MBR Code
    Partition table:
    0 - [XXXXXX] FAT16 (0x6) [VISIBLE] Offset (sectors): 129 | Size: 1907 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive2: USB Flash Disk USB Device +++++
    --- User ---
    [MBR] 9df7e9b710e0d9801a4b130275cf4814
    [BSP] 0acad258d7cb0686713adae37b796be3 : Unknown MBR Code
    Partition table:
    0 - [ACTIVE] FAT32 (0xb) [VISIBLE] Offset (sectors): 56 | Size: 7765 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_SCN_07122014_113029.log
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please take note of the instructions in our sticky/pinned threads. We do not want any logs posted inline with your messages. We require all logs to be attachments.


    Please read ALL of this message including the notes before doing anything.

    If you suspect that your problem is due to malware then please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
     
