Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
This topic is locked
Hi!
I've been having a serious problem with unwanted audio ads constantly playing in the background of my computer. This occurs whether or not I have my browser (IE) open, and even happens when my network connection is unplugged. The ads are short (about 30 seconds) - some of them are for companies I've heard of (like Bank of America or UPS), but some I don't recognize. Some are gibberish.
I've run Malwarebytes and McAfee, both of which have found nothing. I also used a secure erase program to delete all cookies and temporary files (one site suggested that might help), with no luck. It's driving me crazy.
Here is the HijackThis log I ran this morning:
Run by V at 7:53:51.00 on Fri 03/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1260 [GMT -4:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: McAfee Personal Firewall *enabled*
FW: Norton Internet Security 2006 *disabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\servicelayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Vanessa\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061207
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061207
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [servicelayer] c:\windows\servicelayer.exe
dRun: [userinit] c:\windows\system32\ntos.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.mpix.com/customer/uploading/activex/ImageUploader5.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Filter: text/html - {4cd7fc71-b56a-4b14-a570-cb923b0e637a} -
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: niavfw.dll
STS: IPC Configuration Utility - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-7 201320]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-7 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-7 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-7 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-7 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-7 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-7 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-7 40488]
S2 0076491221204103mcinstcleanup;McAfee Application Installer Cleanup (0076491221204103);c:\windows\temp\007649~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\007649~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
=============== Created Last 30 ================
2009-03-26 07:01 <DIR> --dsh--- C:\found.000
2009-03-21 08:22 282,624 a------- c:\windows\servicelayer.exe
2009-03-21 08:21 109 a--sh--- c:\windows\system32\1552041908.dat
2009-03-01 00:00 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2009-02-28 23:58 <DIR> --d----- c:\program files\common files\Intuit
2009-02-28 23:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2009-02-28 23:58 <DIR> --d----- c:\program files\TurboTax
2009-02-28 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Amazon
==================== Find3M ====================
2009-03-02 22:37 2,516 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-09-30 17:57 61,224 a------- c:\documents and settings\vanessa\GoToAssistDownloadHelper.exe
============= FINISH: 7:54:28.25 ===============
Also, the script debugger launches whenever the ads come on, and shows a ton of scripts running in the background from sites I know nothing about. I tracked down files with the names of some of those websites (like filmannex.com or entrepreneur.com) in Flash Player, and deleted them. But the ads persist.
Finally, I ran Rooter, and received the following log:
Microsoft Windows XP Professional (5.1.2600) Service Pack 2
A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:71468 Mo/Free:4046 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
Fri 03/27/2009| 7:59
----------------------\\ Processes..
--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
---------- C:\WINDOWS\system32\CTsvcCDA.exe
---------- C:\WINDOWS\eHome\ehRecvr.exe
---------- C:\WINDOWS\eHome\ehSched.exe
---------- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
---------- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
---------- C:\Program Files\McAfee\MBK\MBackMonitor.exe
---------- C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\McAfee\MPF\MPFSrv.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\ehome\mcrdsvc.exe
---------- C:\Program Files\Canon\CAL\CALMAIN.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\WINDOWS\system32\dllhost.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
---------- c:\PROGRA~1\mcafee.com\agent\mcagent.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Dell Support\DSAgnt.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
---------- C:\WINDOWS\servicelayer.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\Documents and Settings\Vanessa\Desktop\dds.scr
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\WINDOWS\system32\notepad.exe
---------- C:\WINDOWS\system32\cscript.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe
----------------------\\ Search..
C:\WINDOWS\System32\TDSSxidvjood.dat
==> TDSS.. <==
----------------------\\ ROOTKIT !!
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS
HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_TDSSSERV.SYS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS
1 - "C:\Rooter$\Rooter_1.txt" - Fri 03/27/2009| 8:00
----------------------\\ Scan completed at 8:00
I hope you can help The ads aren't playing at the moment, but I know they'll be back!
Thanks so much for your help in advance.
Back to top
