Solved Random audio clips and random pop-ups


AKFH

In the past 3-4 weeks, I believe, I have been hearing random audio being played (even right now, it happened 3-4 times within 2 minutes or even shorter intervals). It is usually music, audio, noise or sounds from video games, on-line or PC, or ranges from radio snips and advertisement sounds. Frustrating. Also, my IE and Mozilla Firefox have been exceptionally slow on YouTube videos, Facebook videos, and typing on Twitter and on YouTube profiles (the typed words' appearance is delayed drastically).

Secondly, in the same time span, pop-ups have been coming up, independently, using the Internet Explorer browser icon on the top left corner. At first, I found this a minor factor in my investigation, but soon I got tired of the pop-ups, and I uninstalled my Internet Explorer web browser. To my surprise, it pops up again (and again and again now-a-days) more frequently and STILL using the IE browser. That was when I deemed it worthy to ask for professional help...

I am no good with computers..
I attached a HijackThis log in case it is needed.

**EDIT**: P.S., I forgot to say, I have an over-due subscription for Norton Anti-Virus, so I stopped using it. I started using AVG 9.0 Free Anti-Virus, and also downloaded Malwarebytes' Anti-Malware, Spyware Terminator, and Ad-aware. I went into 'Safe Mode with Networking' and did a full scan with Malwarebytes' Anti-Malware and Ad-aware. They found 2 Trojan Backdoors and terminated them. I thought that that would fix the problem, but it did not. The pop-ups and random audios (about 10-15 minutes ago) started to act up VERY frequently, with intervals smaller than 1-2 minutes...

I really hope someone can help me, and quick. I really hope it isn't too late!!!!

Thank you a tonne in advance!!!

- Anthony.
 

Attachments
  • hijackthis.log

Kindly follow these 8 steps and post logs for analysis on the "Malware and Virus Removal Forum".

@Moderators
Please move this thread to appropriate forum. Regards
 
I followed the instructions (DDS.txt & Attach.zip attached below)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4327

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

28/07/2010 12:36:07 PM
mbam-log-2010-07-28 (12-36-07).txt

Scan type: Quick scan
Objects scanned: 177141
Time elapsed: 55 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------------------------------------------------------------------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-28 12:49:43
Windows 5.1.2600 Service Pack 3
Running: s8yz7n82.exe; Driver: C:\DOCUME~1\Ant\LOCALS~1\Temp\pxwiqfow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 3552

---- EOF - GMER 1.0.15 ----
----------------------------------------------------------------------------------------------------------------------------------

The DDS programme told me to make the Attach.txt zipped.

Thank you a tonne!
 

Attachments
  • DDS.txt
  • Attach.zip

Thanks to our Moderators for moving your thread! Hopefully you have subscribed to it.

There are numerous entries to be removed. Please run the following 2 programs and include the logs in your next reply. I will be setting up some scripts to be run later:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
=========================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Question: Was there any reason you went into Safe Mode with Networking to do the scans? They are better done in Normal Mode- unless otherwise instructed. If Mbm was run in Safe Mode, please rerun it in Normal Mode and include the new log with the other 2 logs from the above programs.
 
Answering to your 'QUESTION'

Because I sought assistance on-line on Yahoo and checked other sites. They said to go into Safe Mode with Networking and run full computer scans. So I did. The MBM log that I posted in my SECOND post was run with Quick Scan (the first scan available) and it was in Normal Mode; no Safe Mode was used after I posted the question on this site.

ESET On-line Scanner is still scanning, but I finished ComboFix, I will post it again after I am done with ESET as well.

Do you wish for me to Copy and Paste
- ComboFix's Log
- ESET On-line Scanner's Log
Or attach them onto my next reply?

- Anthony
 
'ComboFix' and 'ESET On-line Scanner' Logs

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=84fe6fcbab49f74c8ec31b6112b41cef
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-28 11:18:09
# local_time=2010-07-28 07:18:09 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1029 16777173 100 94 0 12740299 0 0
# compatibility_mode=1536 16777215 100 0 0 0 0 0
# compatibility_mode=7937 16777213 100 100 0 4567129 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=99775
# found=0
# cleaned=0
# scan_time=11846

I think ComboFix's log might be too long, so I attached the log onto this reply.

So far, everything says that my computer is clean, no infected files. Which I could hardly believe is true....

**UPDATE**: I am hearing random music currently. A 3-5 second music part of a song, melody, or SOMETHING just started playing. And I muted it because it freaks me out how random music comes on.....
 
Okay, but if you go to a different place to get help, it is best that you follow the steps that have been set up. Some processes don't run in Safe Mode, so we might not see them. On the other hand, some scans and features must be run in Safe Mode to work correctly. But always use Normal Mode unless you are told specifically not to.

You don't need to rerun Malwarebytes if it is current and was in Normal Mode.

"Do you wish for me to Copy and Paste"
- ComboFix's Log> Paste
- ESET On-line Scanner's Log> Attach is okay for this one

When the logs are pasted in, I can do any searches to identify an entry directly from my browser using the special malware add-ons I have and it saves a lot of time. When they are attached, I have to copy and paste anything I need to search for and it can be very time consuming.

Thank you for asking, Anthony.

Edit: We were posting at the same time. No need to do over.
 
Thank you, and ComboFix was a long one so I decided to attach it, sorry!!

Thank you in advance :) I know I probably have a really strong virus... since it hid from all my scanners...


**EDIT**: I had an occurrence of audio being played again; this time, it was REALLY close together, almost a 5 second interval. Same music too.

My MBM found 2 Backdoor Trojans after its scan in Safe Mode with Networking, and I thought those two were probably the reason for the pop-ups (being one of the Backdoors) and the random audio (being the other). Clearly, I was wrong....

All that information about MBM was about... 4-5 days ago, not today nor yesterday. So, all I've been doing is following your instructions on running the programmes requested, suggested and shown.

Also, I have a question, maybe you have the answer, but my iTunes, every single time I double-click it, or I click it on my Quick Launch bar, ALWAYS ALWAYS has to 'configure' itself.

Example: I double-click/click on the iTunes on my Desktop/QuickLaunchBar, a small window pops up and says 'Please wait while iTunes configures itself' (or something along those lines). After a while, iTunes comes up, the screen and all is up. I click [X] and close it. Then I re-do the double-click/click from Desktop/QuickLaunchBar and it has to configure itself AGAIN. It happens all the time, even if you've configured it already.

The only time it won't is when I plug in an iPod of any kind, and it automatically opens up iTunes. No configuration window. Straight to the opening.

Thanks in advance, Bobbye.
 
Two things to deal with right off the top!
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

MBR is infected with the Whistler Bootkit !!


Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
==============================
You need to get the Recovery Console on the system- you may have to wait until the malware is cleaned up- or it can be done the next time you run Combofix. Let's see how extensive the bootkit is first.

And we'll focus on the configuration problem after the malware has been handled.
 
Bootkit Remover Log Report Response

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 019d40f3bfdda209e10eafcb8fc77fa7

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

=================================================================
I attached it as well in case you wanted an attachment instead.

**EDIT**: That attached file actually isn't what is pasted above. It's something else, I don't know what it is..... Sorry!!

And alright, thank you for your help. This virus looks tricky.....
 

Attachments
  • bootkit_remover_debug_log.txt

I don't need that debugger- you can delete it. Do this instead:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    START 
    remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
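As an added example (not from this thread and not part of ESET's or eSage Lab's tools), a small Python parser for the two report formats pasted above: it reads the ESET '# key=value' summary (including whether "Remove found threats" was left unchecked, i.e. remove_checked=false), and compares the Bootkit Remover output from before and after 'remover.exe fix' to confirm the flagged disk now reads OK and the boot-sector MD5 changed. The sample inputs are constructed, abbreviated copies of the logs in the thread.

```python
# Added helpers for reading the scanner output pasted in this thread; not part of
# ESET's or eSage Lab's tools. Sample inputs are constructed, abbreviated copies.
import re

# Constructed: abbreviated ESET Online Scanner log ('# key=value' lines).
ESET_LOG = """
# remove_checked=false
# unwanted_checked=true
# scanned=99775
# found=0
# cleaned=0
"""
# Constructed: Bootkit Remover output before and after 'remover.exe fix'.
BOOTKIT_BEFORE = r"""
Boot sector MD5 is: 019d40f3bfdda209e10eafcb8fc77fa7
74 GB \\.\PhysicalDrive0 Unknown boot code
"""
BOOTKIT_AFTER = r"""
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
"""
MBR_LINE = re.compile(r"^(\d+)\s+GB\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+)$")

def parse_eset_log(text):
    """Return the '# key=value' header fields as a dict of strings."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"#\s*(\w+)=(.*)", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def eset_scan_summary(text):
    """Counts, plus whether the run was report-only ('Remove found threats' unchecked)."""
    f = parse_eset_log(text)
    return {
        "scanned": int(f.get("scanned", 0)),
        "found": int(f.get("found", 0)),
        "cleaned": int(f.get("cleaned", 0)),
        "report_only": f.get("remove_checked") == "false",
    }

def parse_bootkit_report(text):
    """Extract the boot-sector MD5 and each physical disk's MBR status."""
    md5, disks = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Boot sector MD5 is:\s*([0-9a-f]{32})", line)
        if m:
            md5 = m.group(1)
            continue
        m = MBR_LINE.match(line)
        if m:
            disks[m.group(2)] = m.group(3).strip()
    return {"md5": md5, "disks": disks}

def mbr_fix_verified(before, after):
    """True only if a disk was flagged before, reads OK after, and the MBR bytes changed."""
    b, a = parse_bootkit_report(before), parse_bootkit_report(after)
    flagged = [d for d, s in b["disks"].items() if not s.startswith("OK")]
    now_ok = all(a["disks"].get(d, "").startswith("OK") for d in flagged)
    return bool(flagged) and now_ok and b["md5"] != a["md5"]
```

A changed MD5 alone is not proof of a clean MBR; the status column reading OK together with the change is what the comparison checks.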
 
Um, last night, I still had random pop-ups of advertisements using Internet Explorer Browser.

Random sounds seemed to have stopped, but I cannot be 100% sure. Not even 50% sure, because usually, they stop for some time, and they have no specific time of activating. They happen randomly. But I will update my post when I encounter noise again.

Even after that post, I still had occurrences of random advertisement pop-ups.
 
I'd like you to try something please. You have a 'hidden' iexplore.exe. You're going to find the good one and the bad one:

Right click on the Taskbar> Task Manager> with IE open, find iexplore.exe> write down the PID number to the right of the process.

Now using Windows explorer: Windows key + E> Double click on Local Drive (C)> Programs> Double click on Internet Explorer> on the right screen right click on iexplore.exe> Properties> note if there is a check in either Read or Hidden.

While still in WE, go to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'Hide system folders (Recommended)'.

Then go back to Internet Explorer in Program and double click again>> do you see another iexplore.exe? Is the 'Hidden' box checked?

The audio is coming either from iTunes helper or WMP, hiding in IE.

Please run this again also:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
In my Processes, it says iexplorer.exe, and when I scroll down, I found explorer.exe.
Is there something wrong? At first I thought it'd be the Windows Explorer, so I closed it, but it's still there.
 
Please don't close processes when you don't know what they are. iexplore.exe is the process for Internet Explorer. Explorer.exe is the Windows File Manager. The system won't run without that.

Open the Task Manager> Click in View> Choose 'Select Columns'> Check PID box. You might want to check the CPU box if that column doesn't show. The PID is the Process Identifier.
 
Okay, so I have 2 Internet Explorer processes on. One of them has a PID of '4852' and the other one has a PID of '4628'.
 
I opened 2 Internet Explorers, and followed your instructions:

One of the iexplorer.exe has a PID of 4852
The other iexplorer.exe has a PID of 4628
 
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=84fe6fcbab49f74c8ec31b6112b41cef
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-01 03:58:40
# local_time=2010-07-31 11:58:40 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1029 16777173 100 94 0 13017639 0 0
# compatibility_mode=1536 16777215 100 0 0 0 0 0
# compatibility_mode=7937 16777213 100 100 0 4844469 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=101611
# found=0
# cleaned=0
# scan_time=10535
 
Yep, 'heard' you both times! But you didn't give me the information I asked for:

One of the iexplorer.exe has a PID of 4852
The other iexplorer.exe has a PID of 4628

[QUOTE]Right click on the Taskbar> Task Manager> with IE open, find iexplore.exe> write down the PID number to the right of the process. ????[/QUOTE]
Then go back to Internet Explorer in Program and double click again>> do you see another iexplore.exe???? Is the 'Hidden' box checked????

Are you understanding what I'm trying to find out?

By the way, be sure to go back and re-hide the files and folders.
 
Not really....

And I only double-posted because I did not realise that we made it to another page, and I thought my post did not make it to the forum. That's why I double-posted.
 