Jump to content

Random Audio Ads playing in background! svchost.exe or rpcss.dll system files infected?


Recommended Posts

As the title says, there are audio ads that randomly pop up in the background, which are really annoying and are slowing my computer.  I first noticed it about 3-4 days ago.  I've done some research since then, and found out that my previous AVG antivirus is basically worthless.  I've been directed to Malwarebytes, as well as RKill, RogueKiller, and Kaspersky TDSSKiller.  RogueKiller seems to be the only one that finds it and always closes the audio ads, which seem to be in the svchost.exe system file.  But then the ads always come back within a few minutes.  I can also see a "Name not available" channel for the audio ads being created in my Volume Mixer.  That's all I can really do to explain it.  All other information requested will be posted below.  I've only had this computer for about half a year and need it for work, so I really hope Malwarebytes can help me out!

 

 

1.  I did the full Threat Scan with Malwarebytes Anti-Malware (Trial) 2.0.1.1004 while the audio ads were playing in the background.  It found no objects infected.

 

 

2.  I scanned my computer with the Farbar Recovery Scan Tool and attached the logs to this post.  

 

 

Just let me know if there's any other information you need.  Thanks in advance! 

FRST.txt

Addition.txt

Link to post
Share on other sites

Welcome to the forum.

Please run a Quick Scan with Malwarebytes like this:

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

If you're using Malwarebytes 2.0, please run a Threat Scan

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

Then.......

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Thanks for the quick reply!

In my version of Malwarebytes (2.0.1.1004), there isn't a "Scanner Settings" tab anywhere, and there also isn't anywhere to select "Show in Results List and Check for Removal". So I'm assuming that is for an older version of Malwarebytes.

Here is the log from the Malwarebytes Threat Scan:



Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/8/2014
Scan Time: 10:50:59 PM
Logfile: malwarebyteslog.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.08.09
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Reagan

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 272046
Time Elapsed: 9 min, 30 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 
And here is the report from the RogueKiller scan:


RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Reagan [Admin rights]
Mode : Scan -- Date : 04/08/2014 23:12:37
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[sVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
[Address] EAT @explorer.exe (nvCoprocThunk) : profapi.dll -> HOOKED (C:\Windows\system32\nvinitx.dll @ 0xFBEDA4B0)
[Address] EAT @explorer.exe (nvGetRegistryBasePath) : profapi.dll -> HOOKED (C:\Windows\system32\nvinitx.dll @ 0xFBED8310)
[Address] EAT @explorer.exe (nvUnloadShim) : profapi.dll -> HOOKED (C:\Windows\system32\nvinitx.dll @ 0xFBED7FF0)
[Address] EAT @explorer.exe (DllCanUnloadNow) : api-ms-win-downlevel-shlwapi-l2-1-0.dll -> HOOKED (C:\Windows\system32\wpdshserviceobj.dll @ 0xF72C3D60)
[Address] EAT @explorer.exe (DllGetClassObject) : api-ms-win-downlevel-shlwapi-l2-1-0.dll -> HOOKED (C:\Windows\system32\wpdshserviceobj.dll @ 0xF72C1A74)
[Address] EAT @explorer.exe (DllRegisterServer) : api-ms-win-downlevel-shlwapi-l2-1-0.dll -> HOOKED (C:\Windows\system32\wpdshserviceobj.dll @ 0xF72C6070)
[Address] EAT @explorer.exe (DllUnregisterServer) : api-ms-win-downlevel-shlwapi-l2-1-0.dll -> HOOKED (C:\Windows\system32\wpdshserviceobj.dll @ 0xF72C6278)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) WDC WD7500BPKT-75PK4T0 +++++
--- User ---
[MBR] d913d8ef41a0d581eb122bc757a81b7b
[bSP] 96aa01e06a5fa47dfa93a207ec55b8fa : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 16042 MB
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 32935936 | Size: 699321 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_04082014_231237.txt >>
RKreport[0]_D_04062014_045803.txt;RKreport[0]_D_04062014_171503.txt;RKreport[0]_D_04062014_181429.txt
RKreport[0]_D_04062014_183527.txt;RKreport[0]_D_04062014_183936.txt;RKreport[0]_D_04062014_191216.txt
RKreport[0]_D_04062014_194926.txt;RKreport[0]_D_04062014_204404.txt;RKreport[0]_D_04062014_205826.txt
RKreport[0]_D_04062014_211732.txt;RKreport[0]_H_04062014_171442.txt;RKreport[0]_S_04062014_045131.txt
RKreport[0]_S_04062014_171324.txt;RKreport[0]_S_04062014_172448.txt;RKreport[0]_S_04062014_174954.txt
RKreport[0]_S_04062014_180053.txt;RKreport[0]_S_04062014_180806.txt;RKreport[0]_S_04062014_181415.txt
RKreport[0]_S_04062014_182429.txt;RKreport[0]_S_04062014_183428.txt;RKreport[0]_S_04062014_183928.txt
RKreport[0]_S_04062014_191208.txt;RKreport[0]_S_04062014_194919.txt;RKreport[0]_S_04062014_204357.txt
RKreport[0]_S_04062014_205815.txt;RKreport[0]_S_04062014_211723.txt;RKreport[0]_S_04062014_213905.txt



 

Link to post
Share on other sites

In my instructions it did say.....

If you're using Malwarebytes 2.0, please run a Threat Scan

----------------------------------

Lets run some scans:

Make sure you have created that system restore point before you continue!

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

    image000q.png

  • Put a checkmark beside loaded modules.

    2012081514h0118.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    19695967.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    67776163.jpg

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    62117367.jpg

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Then...........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

I decided to just cut my losses and do a system restore.  I need this computer for my job and couldn't put up with the malware any longer.

 

But thank you very much for your help!  I'll definitely consider Malwarebytes as my next antivirus software.

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.