Malware (Audio Ads) Won't remove



Hi,

 

I'm having the hardest time getting rid of some sort of audio ad malware. The machine I'm working on for my niece had some malware on it before I started. I was able to remove quite a bit with Malwarebytes, and used HitmanPro, TDSSKiller, RKill, JRT, ComboFix, AdwCleaner, and even ran Emsisoft Emergency Kit/Scanner to look for malware. After doing all that, the system showed no infections. I installed Norton Internet Security on the machine, updated it, then scanned; no virus/malware was found. Then we noticed audio start from nowhere. I checked the logs for Anti-Malware and saw the following:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Detection, 4/8/2014 1:15:19 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 51052, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 4/8/2014 1:15:19 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 51052, Outbound, C:\Windows\System32\svchost.exe, 
Protection, 4/8/2014 1:22:19 PM, SYSTEM, GENEVA-HP, Protection, Malware Protection, Starting, 
Protection, 4/8/2014 1:22:19 PM, SYSTEM, GENEVA-HP, Protection, Malware Protection, Started, 
Protection, 4/8/2014 1:22:19 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, Starting, 
Protection, 4/8/2014 1:22:24 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, Started, 
Detection, 4/8/2014 1:23:20 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 49166, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 4/8/2014 1:23:20 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 49166, Outbound, C:\Windows\System32\svchost.exe, 
Protection, 4/8/2014 1:28:46 PM, SYSTEM, GENEVA-HP, Protection, Malware Protection, Starting, 
Protection, 4/8/2014 1:28:46 PM, SYSTEM, GENEVA-HP, Protection, Malware Protection, Started, 
Protection, 4/8/2014 1:28:46 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, Starting, 
Protection, 4/8/2014 1:28:50 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, Started, 
Detection, 4/8/2014 1:30:43 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 49164, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 4/8/2014 1:30:43 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 49164, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 4/8/2014 1:49:49 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 49773, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 4/8/2014 1:57:57 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 50138, Outbound, C:\Windows\System32\svchost.exe, 
 
Ran different scans again, even in Safe Mode; no malware found, yet the same issue with the audio ads. I noticed an entry in the volume mixer in Windows 7 that shows up any time the audio starts to stream; attached is a screenshot of that.
 
I have gone through different posts here and via Google to try to figure out how to get rid of this malware without having to wipe the machine and reinstall Windows 7. Any help getting rid of this would be highly appreciated. I've attached the log files requested from the Farbar tool...
 

Attachments: screenshot of the volume mixer entry, Addition.txt, FRST.txt
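The protection log quoted above is the one concrete lead in this post: every detection is an outbound connection from C:\Windows\System32\svchost.exe to the same host, and svchost.exe is only a host for service DLLs, so whatever opened those sockets is a module loaded inside it, not svchost itself. The script below is an added example, not part of the original thread or of Malwarebytes: it parses lines in the format shown, collapses the doubled entry the log wrote for each event, and groups detections by process and destination so the pattern is visible at a glance. The sample lines are constructed to match the format above, and the list of generic host processes is an assumption of the example.

```python
"""Triage Malwarebytes protection-log lines: who talked to what, and is it a host process?"""
from collections import defaultdict

# Constructed sample in the format of the log quoted in the thread (not the original file).
# Note the doubled entry at 1:15:19: the log repeats each detection, so events are deduplicated.
SAMPLE_LOG = r"""
Detection, 4/8/2014 1:15:19 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 51052, Outbound, C:\Windows\System32\svchost.exe,
Detection, 4/8/2014 1:15:19 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 51052, Outbound, C:\Windows\System32\svchost.exe,
Protection, 4/8/2014 1:22:19 PM, SYSTEM, GENEVA-HP, Protection, Malware Protection, Starting,
Protection, 4/8/2014 1:22:24 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, Started,
Detection, 4/8/2014 1:23:20 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 49166, Outbound, C:\Windows\System32\svchost.exe,
Detection, 4/8/2014 1:30:43 PM, SYSTEM, GENEVA-HP, Protection, Malicious Website Protection, IP, 66.45.56.109, searchnet.blinkxcore.com, 49164, Outbound, C:\Windows\System32\svchost.exe,
"""

# Binaries that only host other code; a detection naming one of them points at a loaded
# module or service DLL, not at the executable itself. (Assumption of this example, not from MBAM.)
HOST_PROCESSES = {"svchost.exe", "rundll32.exe", "dllhost.exe", "regsvr32.exe", "explorer.exe"}

# Windows Vista and later dynamic (ephemeral) client port range.
EPHEMERAL = range(49152, 65536)


def parse_detections(text):
    """Return unique Malicious Website Protection detections as dicts, in log order."""
    seen, events = set(), []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.rstrip(", ").split(",")]
        # Layout: Detection, time, user, host, Protection, component, IP, ip, domain, port, direction, process
        if len(fields) < 12 or fields[0] != "Detection" or fields[5] != "Malicious Website Protection":
            continue
        ev = {"time": fields[1], "ip": fields[7], "domain": fields[8], "port": int(fields[9]),
              "direction": fields[10], "process": fields[11]}
        key = (ev["time"], ev["ip"], ev["port"], ev["process"])
        if key in seen:
            continue  # drop the duplicate line the log writes for each event
        seen.add(key)
        events.append(ev)
    return events


def summarize(events):
    """Group by (process, destination) and annotate each group for triage."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["process"], ev["domain"], ev["ip"])].append(ev)
    rows = []
    for (process, domain, ip), evs in groups.items():
        ports = sorted(ev["port"] for ev in evs)
        rows.append({
            "process": process, "domain": domain, "ip": ip,
            "count": len(evs), "first": evs[0]["time"], "last": evs[-1]["time"],
            "directions": sorted({ev["direction"] for ev in evs}),
            "ports": ports,
            # Every port in the dynamic range is consistent with the logged port being the local
            # source port, so the destination port cannot be read from this log alone.
            "ports_look_ephemeral": all(p in EPHEMERAL for p in ports),
            # The real culprit is a module inside this process: inspect its loaded DLLs / hosted services.
            "host_process": process.rsplit("\\", 1)[-1].lower() in HOST_PROCESSES,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_detections(SAMPLE_LOG)):
        flag = "host process -> inspect loaded modules" if row["host_process"] else ""
        print(f'{row["count"]}x {row["process"]} -> {row["domain"]} ({row["ip"]}) {flag}')
```

Run against an exported MBAM protection log the same way; a single row whose process is a host binary and whose ports all sit in the dynamic range says "find the DLL inside svchost", which is exactly where the rest of this thread ends up.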


Welcome to the forum

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    rpcss.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


Hi, and many thanks for the welcome and help. Below I posted the info requested:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 18:53 on 14/04/2014 by Geneva
Administrator - Elevation successful
 
========== Filefind ==========
 
Searching for "rpcss.dll"
C:\Windows\System32\rpcss.dll --a---- 520192 bytes [03:24 21/11/2010] [03:24 21/11/2010] 2EF9A04EE55A70AB0F15330BDDE57A2D
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll --a---- 512000 bytes [03:24 21/11/2010] [03:24 21/11/2010] 5C627D1B1138676C0A7AB2C2C190D123
 
-= EOF =-

Hi, below is the info. I'm going to let it run a few hours to see if any audio ads start to stream and will report back later. Thanks again for your help on this.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-04-2014
Ran by Geneva at 2014-04-14 20:46:03 Run:1
Running from C:\Users\Geneva\Downloads\Temp
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll 
 
 
*****************
 
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
 
==== End of Fixlog ====
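What the SystemLook listing showed, and what the FRST fixlist then acted on, is a pair of files that ought to be identical: the live C:\Windows\System32\rpcss.dll and the component-store copy under C:\Windows\winsxs carry the same 21/11/2010 03:24 timestamps but differ in size (520192 vs 512000 bytes) and MD5. Different content under a matching timestamp is the pattern to look for. The script below is an added example, not part of the thread, of SystemLook or of FRST: it generalizes that check to any System32 file by locating every WinSxS copy of the same name, comparing size, mtime and hash, and then restoring the store copy while keeping the suspect file as evidence. The directory layout it builds is constructed for the demonstration, and the paths are stand-ins for C:\Windows. Two caveats a practitioner would add: the store may hold several legitimate versions of one file (RTM, service pack, hotfix), so a mismatch against one copy is a lead rather than a verdict, and the live file's signature (for example with Sysinternals sigcheck) or `sfc /scannow` settles it; and on a running system a DLL loaded into a service host is locked, which is why the swap here went through FRST rather than a plain copy.

```python
"""Compare a System32 file with its WinSxS component-store copies and restore from the store.
Added example; the sample layout is constructed and the paths are stand-ins for C:\\Windows."""
import hashlib
import os
import shutil
import tempfile


def file_fingerprint(path):
    """Size, mtime (seconds) and SHA-256 of one file. SystemLook printed MD5; any stable hash works."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"path": path, "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def find_store_copies(filename, winsxs_root):
    """Every file of that name under the component store: one per installed component version."""
    wanted = filename.lower()
    for dirpath, _dirs, files in os.walk(winsxs_root):
        for name in files:
            if name.lower() == wanted:
                yield os.path.join(dirpath, name)


def compare_with_store(live_path, winsxs_root):
    """Classify the live file against the store copies."""
    live = file_fingerprint(live_path)
    copies = [file_fingerprint(p) for p in find_store_copies(os.path.basename(live_path), winsxs_root)]
    if not copies:
        verdict = "no_store_copy"
    elif any(c["sha256"] == live["sha256"] for c in copies):
        verdict = "matches_store"
    elif any(c["mtime"] == live["mtime"] for c in copies):
        # Content differs from every store copy, yet the timestamp equals one of them:
        # the thread's pattern (identical 21/11/2010 03:24 stamps, different size and hash).
        verdict = "mismatch_timestamp_preserved"
    else:
        verdict = "mismatch"
    return {"live": live, "store_copies": copies, "verdict": verdict}


def restore_from_store(live_path, store_copy, quarantine_dir):
    """Keep the suspect file as evidence, then put the store copy in its place.
    On a running system a loaded DLL (rpcss.dll sits in the RPCSS svchost) is locked and this
    copy fails; that is why the thread used FRST's Replace directive for the swap."""
    os.makedirs(quarantine_dir, exist_ok=True)
    quarantined = os.path.join(quarantine_dir, os.path.basename(live_path) + ".suspect")
    shutil.copy2(live_path, quarantined)
    shutil.copy2(store_copy, live_path)
    return quarantined


def build_constructed_layout(root):
    """Constructed stand-in for C:\\Windows: a tampered System32\\rpcss.dll beside a clean store copy,
    with the store copy's timestamp applied to the tampered file."""
    sys32 = os.path.join(root, "System32")
    component = os.path.join(root, "winsxs",
                             "amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d")
    os.makedirs(sys32)
    os.makedirs(component)
    clean, live = os.path.join(component, "rpcss.dll"), os.path.join(sys32, "rpcss.dll")
    with open(clean, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 998)                    # 1000 bytes stand for the clean DLL
    with open(live, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 998 + b"\x90" * 8192)   # same start, 8 KiB appended: tampered
    stamp = 1290309840                                     # 2010-11-21 03:24:00 UTC, as in the listing
    os.utime(clean, (stamp, stamp))
    os.utime(live, (stamp, stamp))
    return live, os.path.join(root, "winsxs")


def demo():
    """Full cycle in a temp dir: verdict before, verdict after restore, sizes of suspect and live file."""
    root = tempfile.mkdtemp(prefix="winsxs-check-")
    live, winsxs = build_constructed_layout(root)
    before = compare_with_store(live, winsxs)
    quarantined = restore_from_store(live, before["store_copies"][0]["path"], os.path.join(root, "quarantine"))
    after = compare_with_store(live, winsxs)
    return {"before": before["verdict"], "after": after["verdict"],
            "suspect_size": os.path.getsize(quarantined), "live_size": after["live"]["size"]}


if __name__ == "__main__":
    print(demo())
```

Against a real system or a mounted image, call `compare_with_store(r"C:\Windows\System32\rpcss.dll", r"C:\Windows\winsxs")` and read the verdict; `restore_from_store` is for an offline disk or a lab copy, since the live DLL cannot be overwritten while the RPCSS service holds it.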

Well, I think that was it... I didn't hear any audio all day via the laptop and no malware/virus was found via scans. I'm hitting myself as we speak for not finding this solution, but I totally thank you for the help on this. I want you to know that your helping others doesn't get overlooked by someone like myself, so I sent you something via PayPal. Thanks again and keep up the great work. I hope people value the help on these forums. I guess this topic can be closed; hopefully, no more issues!! Take care!!


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

