Solved

Virus

Posted on 2014-01-20
16
323 Views
Last Modified: 2014-01-22
I have a vicious malware that randomly plays audio clips. It loads itself upon boot-up at the user login screen. After logging in, the mixer shows a no-name source is active.

I have AVG free running. I have run Combofix, MalwareBytes, fixTDSS, and Sophos with negative results.

It appears to be streaming because it only plays when I am connected to the internet.
Also, I can't identify any services or processes that point to the culprit.

I can't find any useful references on Google, so this must be fairly new.
Question by:jsmitter
16 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39794438
Check your scheduled tasks and look over the system with Autoruns. Never heard of a virus like this, and I doubt it's actually a virus; I would think someone is playing a trick on them.
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39794494
A look into the startup items in msconfig may show some unnamed process or service. I would deactivate any of those found and reboot.
 
LVL 50

Expert Comment

by:jcimarron
ID: 39794604
jsmitter--
When you have IE running and you can hear the audio, run Process Explorer.
http://technet.microsoft.com/en-us/sysinternals/bb896653
See if you can pick out the audio file from the list that will be presented.
 

Author Comment

by:jsmitter
ID: 39794614
There is nothing listed in Scheduled Tasks and disabling local services items in msconfig has no effect.

It's interesting to note that SP1 is not installed and when trying to use Microsoft Update to upgrade it, Microsoft reports that it doesn't recognize the OS???
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39794640
Try a scan with Windows Defender Offline

http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline

This runs the A/V utility outside of the OS, so it is not subject to possible manipulation by the virus.
 

Author Comment

by:jsmitter
ID: 39794652
Procmon errors out because it can't extract itself for some reason. The OS is 64-bit, so I don't know why it won't run. Will try Windows Defender now.
 

Author Comment

by:jsmitter
ID: 39794781
Since Windows Defender is part of Windows, I am looking for a recommendation for a "safe" website to download it from. In the meantime, I ran MS Windows Safety Scanner, which came up clean.
 
LVL 50

Expert Comment

by:jcimarron
ID: 39794808
jsmitter--Since you are using Win 7, Microsoft Security Essentials is a better choice than Windows Defender.
http://windows.microsoft.com/en-us/windows/security-essentials-download

See
http://blogs.msdn.com/b/securitytipstalk/archive/2013/11/14/windows-defender-and-microsoft-security-essentials-which-one-do-i-need.aspx
for a comparison of MSSE and Windows Defender on Win 7.

Earlier I suggested Process Explorer and you said "procmon errors out". Did you mean procmon? That has been superseded by Process Monitor:
http://technet.microsoft.com/en-us/sysinternals/bb896645
 

Author Comment

by:jsmitter
ID: 39794944
I had to extract the process monitor file and now it executes.

It revealed that there are a lot of tmp files being generated. For example, all the file names contain the three-letter prefix "fla" followed by a hexadecimal number; one is listed as "flaE815.tmp". A new one is created just before a new clip begins to play through the mixer, and it contains a different hex number in its file name.

Is there a way to see what program is launching the file?
 

Author Comment

by:jsmitter
ID: 39795046
Process Monitor, under Event Properties - Process tab, shows these files to have the following parameters:

"Path": C:\Windows\system32\svchost.exe
"Command Line": C:\Windows\system32\svchost.exe -k DcomLaunch
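As an added example (not from this thread, and not a feature of Process Monitor or RogueKiller), the script below does over a Process Monitor CSV export what jsmitter did by eye: it picks out successful CreateFile events that create a "fla<hex>.tmp" file and groups them by the creating PID and command line, then extracts the svchost service group from the "-k" switch. The sample rows are constructed, and it assumes the optional "Command Line" column was enabled in Procmon before exporting.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (not a real capture).
# Procmon's default export columns are used, plus the optional "Command Line"
# column, which must be enabled in the column selection before exporting.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Command Line"
"10:02:13.1","svchost.exe","812","CreateFile","C:\\Windows\\Temp\\flaE815.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create","C:\\Windows\\system32\\svchost.exe -k DcomLaunch"
"10:02:13.2","svchost.exe","812","WriteFile","C:\\Windows\\Temp\\flaE815.tmp","SUCCESS","Offset: 0, Length: 65,536","C:\\Windows\\system32\\svchost.exe -k DcomLaunch"
"10:02:14.0","chrome.exe","2200","CreateFile","C:\\Users\\u\\AppData\\Local\\Temp\\tmp1a2b.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create","chrome.exe"
"10:03:40.7","svchost.exe","812","CreateFile","C:\\Windows\\Temp\\fla2C91.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create","C:\\Windows\\system32\\svchost.exe -k DcomLaunch"
"10:03:41.0","svchost.exe","812","WriteFile","C:\\Windows\\Temp\\fla2C91.tmp","SUCCESS","Offset: 0, Length: 65,536","C:\\Windows\\system32\\svchost.exe -k DcomLaunch"
"10:03:41.1","explorer.exe","1400","CreateFile","C:\\Windows\\System32\\fla.dll","SUCCESS","Desired Access: Read Data","C:\\Windows\\Explorer.EXE"
"""

# "fla" prefix followed by up to four hex digits and ".tmp", as a file name.
TMP_PATTERN = re.compile(r"\\fla[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def find_tmp_creators(csv_text):
    """Map (pid, command line) -> list of fla*.tmp paths that process created."""
    creators = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue
        if "Disposition: Create" not in row["Detail"]:
            continue  # opening an existing file is not a creation event
        if not TMP_PATTERN.search(row["Path"]):
            continue
        key = (int(row["PID"]), row["Command Line"])
        creators.setdefault(key, []).append(row["Path"])
    return creators


def hosted_service_group(command_line):
    """For a svchost.exe command line, return the '-k' service group, else None.
    A hit on svchost.exe only names the host; the service or module loaded
    inside that PID still has to be identified separately."""
    m = re.search(r"svchost\.exe\s+-k\s+(\S+)", command_line, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    for (pid, cmd), paths in find_tmp_creators(SAMPLE_PROCMON_CSV).items():
        group = hosted_service_group(cmd)
        print(f"PID {pid} ({cmd}) group={group} created {len(paths)} file(s):")
        for p in paths:
            print("   ", p)
```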
 
LVL 50

Expert Comment

by:jcimarron
ID: 39795119
jsmitter--
Regrettably, I do not think either of those files is the problem. Both are Windows files:
http://windows.microsoft.com/en-us/windows/what-is-svchost-exe#1TC=windows-7

DComLaunch is a Windows Service.
 

Author Comment

by:jsmitter
ID: 39795726
Sorry Firebar, I didn't realize that there was a product called "Windows Defender Offline". I followed Microsoft's instructions and ran it from a usb flash drive. It produced a clean report.

Still no solution.
 
LVL 92

Accepted Solution

by: nobus (earned 500 total points)
ID: 39796220
Try RogueKiller then: http://majorgeeks.com/RogueKiller_d6983.html
and post the HijackThis log: http://sourceforge.net/projects/hjt/
 
LVL 92

Expert Comment

by:nobus
ID: 39799249
jsmitter, what was your solution?
 

Author Comment

by:jsmitter
ID: 39801369
Sorry, I thought I posted it.

The culprit was the Zekos Trojan. RogueKiller V8.8.2 did a superb job in removing it. They documented the Trojan component thoroughly, as can be seen on their website http://www.adlice.com/zekos-removal-roguekiller/. It was the cleanest and most complete restoration of the OS that I have ever seen. The system has been performing perfectly and Win 7 SP1 installed as normal (although I'm not sure why it didn't install before).

I love this site!
 
LVL 92

Expert Comment

by:nobus
ID: 39802235
jsmitter - tx for the info - always useful to know what worked, and what not.
Have a nice day!
