Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Help with virus/adware.

Help with virus/adware.

post #1 of 14
Thread Starter 
I noticed my system acting up, so I ran a Mbam scan. It found 17 objects, which is very strange for my system. Items were cleared successfully, but I had a new problem. There were programs (typical "Free Smileys" crap) that were almost entirely faded out, running in the background. It has also installed numerous uninstallable toolbars. Every so often, a new one would open up, then get shunted to the background and off of the task bar. Because of that, I'm not able to close them. I'll have like 6 of them open and I can't do anything in the space they're open in. I've run additional scans, each one reveals more and more adware. Mbam is picking it up as FunWeb if that helps.
post #2 of 14
Thread Starter 
HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:38:31 PM, on 10/7/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Windows\SysWOW64\HsMgr.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE
C:\Users\Administrator\AppData\Local\Temp\vcheck.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Folding@home\Folding@home-gpu\Folding@home.exe
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files (x86)\MSI Afterburner\Bundle\OSDServer\RTSS.exe
C:\Program Files (x86)\foobar2000\foobar2000.exe
C:\Users\Administrator\AppData\Roaming\Folding@home-gpu\FahCore_15.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Administrator\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" -automount
O4 - HKCU\..\Run: [vcheck] C:\Users\ADMINI~1\AppData\Local\Temp\vcheck.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-302535130-1294833097-3992166512-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - Startup: Folding@home-gpu.lnk = ?
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AODService - Unknown owner - C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7392 bytes
post #3 of 14
Post a HijackThis log.

Old tutorial on how to do it (if you can't figure it out, but it's not too hard); the concepts are the same.
post #4 of 14
Try running a virus/adware scan in Safe Mode.
post #5 of 14
Start up in Safe Mode, then run MBAM.
post #6 of 14
Thread Starter 
HiJackThis log posted, will restart in safe mode.
post #7 of 14
As the above posters said, go to Safe Mode and then run a full scan. After you've done that, restart and check your processes to ensure there are no malicious processes. You're probably also going to have to manually remove the toolbars in Safe Mode as well, so be sure to get them all before returning to a normal boot.

After all that, set your proxy settings back to default, just in case redirections were an issue, so you don't get re-infected.
post #8 of 14
Clean up all your missing file entries... you have far too many.

HKCU\..\Run: [vcheck] C:\Users\ADMINI~1\AppData\Local\Temp\vcheck.exe is very suspicious.

SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
could be malware, or it could be legit; I'm not familiar with Vista anymore.
post #9 of 14
Quote:
Originally Posted by Dopamin3

SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
could be malware, or it could be legit; I'm not familiar with Vista anymore.

This DLL is necessary if you are using the Internet Explorer web browser, as it is part of the shell browser library.

It's legit if the file path is c:\windows\system32\browseui.dll.
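The checks in posts #8 and #9 (orphaned "(file missing)" entries, a binary auto-started from the user's Temp folder, services with no recorded publisher, and a system DLL name that is only legitimate under the Windows system directory) can be applied mechanically to the log. The script below is an added example, not code from this thread or from HijackThis. SAMPLE_LOG is a constructed excerpt: lines copied from the log posted above plus one made-up O22 line that places browseui.dll under AppData\Roaming, as the masquerading case post #9 warns about. The SYSTEM_DLLS allowlist is an illustrative assumption; extend it with the system binaries you care about.

```python
"""Triage a HijackThis log: flag orphaned entries, binaries launched from
user-writable folders, services with no recorded publisher, and Windows
system DLL names that resolve outside the system directories."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample: lines copied from the log posted in this thread, plus
# one made-up O22 line (browseui.dll under AppData\Roaming) as a negative case.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [vcheck] C:\Users\ADMINI~1\AppData\Local\Temp\vcheck.exe
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Users\Administrator\AppData\Roaming\browseui.dll
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .exe/.dll; quotes and trailing args are skipped.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))', re.IGNORECASE)
# Assumption for illustration: filenames that only belong in the system directories.
SYSTEM_DLLS = {"browseui.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Entry:
    section: str
    name: str
    owner: Optional[str]
    path: Optional[str]
    file_missing: bool
    raw: str


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    name: str
    path: Optional[str]
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT line into its section, display name, owner and file path."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    fields = body.split(" - ")
    if section == "O4":  # O4 - HKCU\..\Run: [Name] path
        nm = re.search(r"\[(.+?)\]", body)
        name = nm.group(1) if nm else body
    else:                # Kind: Name - owner or CLSID - path
        name = fields[0].split(": ", 1)[-1]
    owner = fields[1] if section == "O23" and len(fields) >= 3 else None
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else None
    missing = "(file missing)" in body or "(no file)" in body
    return Entry(section, name, owner, path, missing, line)


def triage(entry: Entry) -> List[Finding]:
    """Apply the thread's heuristics to one entry and return zero or more findings."""
    out: List[Finding] = []

    def flag(severity: str, reason: str) -> None:
        out.append(Finding(severity, entry.name, entry.path, reason))

    if entry.file_missing:
        flag("low", "orphaned entry, file no longer on disk (clean up)")
        return out
    if entry.path:
        p = PureWindowsPath(entry.path)
        parts = {part.lower() for part in p.parts}
        if "temp" in parts:
            flag("high", "executable auto-started from a Temp directory")
        elif "appdata" in parts:
            # Per-user installers (e.g. Google Update) live here too: review, do not auto-delete.
            flag("medium", "executable auto-started from a user-writable AppData location")
        if p.name.lower() in SYSTEM_DLLS and str(p.parent).lower() not in SYSTEM_DIRS:
            flag("high", f"{p.name} is a system DLL name but lives outside the system directories")
    if entry.section == "O23" and entry.owner == "Unknown owner":
        flag("medium", "service binary has no recorded publisher; verify its signature")
    return out


def triage_log(text: str) -> List[Finding]:
    """Run triage over every parseable line of a HijackThis log."""
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            findings.extend(triage(entry))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.name}: {f.reason}  ({f.path})")
```

Run against the sample, vcheck.exe in Temp and the made-up AppData\Roaming\browseui.dll come out high, the missing nvsvc binary low, and the real C:\Windows\system32\browseui.dll entry produces nothing, matching post #9. A "medium" on an unknown-owner service such as PnkBstrA is a prompt to verify the file's signature, not a verdict.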
post #10 of 14
Thread Starter 
Quote:
Originally Posted by Dopamin3
Clean up all your missing file entries... you have far too many.

HKCU\..\Run: [vcheck] C:\Users\ADMINI~1\AppData\Local\Temp\vcheck.exe is very suspicious.

SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
could be malware, or it could be legit; I'm not familiar with Vista anymore.

RKill picked up vcheck as malicious; that's probably it.