[Solved] Invisible audio spyware?

By IHAVEPROBLEMS
Jul 30, 2010
Topic Status:
Not open for further replies.
  1. So all of a sudden I am having problems with my computer.

    Sometimes, randomly (like while I am using YouTube), I hear random ads but I cannot see them, like for Cedar Point or television shows. Other times I hear a brief message like "Congrats, you've won a MacBook!"

    I've tried Ad-Aware and Spybot.

    I have seen this thread http://www.techspot.com/vb/topic113230.html but I do not know if it applies to me.

    I can also provide a HijackThis log if needed.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Let's get something more current: Are you also getting IE pop-ups?

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    Okay, so I tried my best to follow all the things on that page. The only thing that I wasn't sure about was the GMER program; if I did it incorrectly, please tell me what I did wrong and I'll try to fix it ASAP. Also, yes, I am also getting random IE pop-ups.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please run this:


    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
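    As an added illustration (not part of this thread and not the Bootkit Remover tool's own code), the script below shows in principle what a bootkit scan of \\.\PhysicalDrive0 checks: the 0x55AA boot signature, the four partition-table entries, and whether the 446-byte bootstrap code still matches a known-good baseline. The MBR images and the "clean" boot code are constructed sample bytes, and the baseline hash is an assumption; a real scan would read the first sector of the physical drive, which needs administrator rights.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 0x1BE        # partition table: 4 entries of 16 bytes
SIG_OFFSET = 0x1FE       # 2-byte boot signature 0x55 0xAA
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY = struct.Struct("<B3sB3sII")


def parse_partitions(mbr):
    """Return the non-empty partition entries from a 512-byte MBR."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(mbr, PT_OFFSET + i * ENTRY.size)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return parts


def boot_code_hash(mbr):
    """SHA-256 of the bootstrap code area, the part a bootkit overwrites."""
    return hashlib.sha256(mbr[:PT_OFFSET]).hexdigest()


def inspect_mbr(mbr, baseline_hash):
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    return {
        "signature_ok": mbr[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA",
        "boot_code_known": boot_code_hash(mbr) == baseline_hash,
        "partitions": parse_partitions(mbr),
    }


def build_sample_mbr(boot_code):
    """Constructed sample MBR: given boot code, one bootable NTFS partition, valid signature."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    ENTRY.pack_into(mbr, PT_OFFSET, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    mbr[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(mbr)


# Constructed stand-in for the standard boot code; a real baseline would be recorded from a known-clean disk.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 50
BASELINE = boot_code_hash(build_sample_mbr(CLEAN_BOOT_CODE))


def demo():
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    # Constructed image with the same partition table but altered boot code, the pattern a scan flags.
    altered = build_sample_mbr(b"\xEB\xFE" + b"\x00" * 20)
    return inspect_mbr(clean, BASELINE), inspect_mbr(altered, BASELINE)
```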
  5. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    OK, so I followed your instructions and here is what I got.

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
      Code:
      
      @ECHO OFF
      START 
      remover.exe fix \\.\PhysicalDrive0
      EXIT
      
    • Go File > Save As
    • Save as Type choose All Files
    • For File Name type fix.bat
    • Save In> choose Desktop
    • Save
    • Double click to Run fix.bat
    (You may see a black box appear; this is normal.)

    Run remover.exe again and post its output.

    Do NOT reboot computer!
  7. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    OK, I used the fix.bat and ran remover.exe, and here's what I got.

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay, so that's been handled. Please run the following 2 programs. When finished, paste the Combofix report in your next reply. OK to attach the Eset log:

    Please download ComboFix HERE and save to your desktop:

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.
    ======================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  9. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    I have followed your instructions, but my ComboFix log was too long to fit in a post, so I attached it instead.

    I have attached the Eset Online Scanner Log; some of the threats detected were from Hot Spot Shield which changes my IP to a U.S. IP if that changes anything.

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Message from Bobbye:

    ======================================================================

    How are the issues?

    ComboFix log looks clean :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  11. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    I have done what you have said and will attach the files to this post.

    I also want to thank you for helping me in Bobbye's stead.

    Attached Files:

  12. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    You're welcome :)

    You didn't say if you're having any current issues....

    Your computer would greatly benefit from installing another 512MB of RAM.


    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
      O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
      O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll File not found
      [2010/07/18 12:55:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\AVG9
      [2010/07/15 12:08:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  13. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    Sorry for not telling you about any current problems, but the fact is that I don't have any problems at this time.

    I will attach the logs to this post as I did before.

    Attached Files:

  14. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Wonderful :)

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
  15. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    YES! Finally the last scans are complete! (I hope...) So I have followed your directions for all the scans and will attach my Security Check log and Kaspersky online scanner report.

    There is one thing that has come to my attention: suddenly my computer has hidden file extensions. I know how to fix this, but I think that it hides the extensions again when I reboot my computer. Please tell me if this is anything of concern or if I just accidentally checked the box in Folder Options > View.

    THANK YOU!! :)

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Very nice :)

    I'm not sure what you're saying.
    Does it hide "known file type extensions", or does it show hidden files?

    Now.....

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =======================================================================

    Your computer is clean


    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI). The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
  17. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    Well, it hides known file extensions, so I don't know if it's me who accidentally checked the box or if something is wrong with my computer. I will get to the cleanup soon.
  18. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Open Windows Explorer.
    Go Tools>Folder options>View tab
    UN-check "Hide extensions for known file types".
  19. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    Thanks! :) And how do I check if Windows Updates are current?
  20. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Start > All Programs > Windows Updates
    See if it'll find any not installed yet.
  21. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    Sorry, I accidentally added this post and I don't know how to delete a post.
  22. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    You have IE8, so there is no update for it, unless there is some patch listed.
  23. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    It wants me to install Genuine Windows Validation, and the last time I had that it told me that I didn't have genuine Windows software and annoyed me a lot because the pop-up never went away. So do I download it?
  24. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Is your Windows legit?
  25. IHAVEPROBLEMS

    IHAVEPROBLEMS Newcomer, in training Topic Starter Posts: 16

    I think so (lol), but I don't think I should download it.