
Random Audio Advertisements Playing on my Computer. Virus?


10 replies to this topic

#1 weez2k6


Posted 15 November 2009 - 02:34 PM

I recently acquired some sort of virus that causes audio advertisements to play on my computer at random times. I have tried running Norton, Ad-Aware, and HijackThis to determine what is causing the problem. I haven't had any luck so far. I have also noticed that iexplorer.exe is running in my processes even when it is not opened on the desktop.

If anybody could help me out or point me in the right direction that would be great.

Michael



#2 Computer Pro


Posted 15 November 2009 - 05:53 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right-hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.


Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 weez2k6


Posted 15 November 2009 - 07:33 PM

Hey! Thanks for the reply.

I tried running Malwarebytes' Anti-Malware after I installed it but nothing would happen. The program would start to load but suddenly went away. I disabled my Norton and even tried to rename the file after I installed it, but mbam.exe was not in the file. I installed Malwarebytes on my other computer to see if it would work on there and it did. I noticed when I installed it on my other computer the file mbam.exe was there and I could run the program.

I believe that maybe the virus is deleting files?? I don't know much about computers though.

I will keep trying to install and run the program. If you have any advice or if I am doing something wrong let me know.

Thanks,
Michael

#4 weez2k6


Posted 15 November 2009 - 10:10 PM

I transferred the missing file from my other computer to this one. The MBAM is now running. I will post the log as soon as it finishes.

#5 weez2k6


Posted 16 November 2009 - 07:15 AM

Here are the results


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/16/2009 6:13:05 AM
mbam-log-2009-11-16 (06-13-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 268962
Time elapsed: 1 hour(s), 50 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hphupd08 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\90488635 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\90488635\90488635 .exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\90488635\90488635.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ropofotu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#6 Computer Pro


Posted 16 November 2009 - 07:46 AM

Can you please update your Malwarebytes database, as it is outdated? You can do so by going to the "Update" tab. Then run a Quick Scan and post back the log.
Computer Pro

#7 weez2k6


Posted 16 November 2009 - 08:24 PM

Updated the MBAM

Malwarebytes' Anti-Malware 1.41
Database version: 3183
Windows 5.1.2600 Service Pack 3

11/16/2009 6:43:21 PM
mbam-log-2009-11-16 (18-43-21).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 280661
Time elapsed: 1 hour(s), 46 minute(s), 8 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Values Infected: 14
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 36

Memory Processes Infected:
C:\Program Files\Adobe\acrotray.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Program Files\Adobe\acrotray.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\surulepe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\limowuyu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{607c58be-805a-49b3-9ff4-e7e907e297d7} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1954a374-396e-496f-bd15-ada4b94ff94b} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google update (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ctfmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmascheduler (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\recguard (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpbootop (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hp software update (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituneshelper (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\Update_OB\realsched.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tkbellexe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuwshcem (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuwshcem (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\surulepe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\limowuyu.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Adobe\acrotray.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctfmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SMINST\recguard.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\hpbootop .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\iTunes\iTunesHelper.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Real\Update_OB\realsched.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\aywdthl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\excbx.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\penmrdya.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHC5D1.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHC5D2.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHC5D3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHC5D4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHC5D9.tmp (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\brxplb\cpulsysguard .exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\d8d25153.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifsvc.exe.delme157 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-2903654313-338230050-804648231-1008\Dc15.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP884\A0155434.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP885\A0155561.exe (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
C:\WINDOWS\ServicePackFiles\i386\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallKB890859$\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtServicePackUninstall$\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mezutilo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ribodapi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
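
Added example (not part of the thread, and not Malwarebytes' own tooling): a small Python parser for the MBAM 1.41 text-log layout shown in the two logs above. It groups detections by family and pulls out items still marked "Delete on reboot", Run-key autostart values, and paths with a space before the extension such as the log's `acrotray .exe`; the sample lines are excerpted from the log in post #7, and the function names are illustrative.

```python
import re
from collections import Counter

# Excerpt of the MBAM log lines posted in reply #7 (copied from the thread).
SAMPLE_LOG = r"""Memory Modules Infected:
C:\WINDOWS\system32\surulepe.dll (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuwshcem (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ctfmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Adobe\acrotray.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\ServicePackFiles\i386\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
"""

# "Files Infected:" is a section header; "Files Infected: 36" (summary count) is not.
SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<target> (<Family.Name>) -> [Bad/Good note -> ]<action>."
DETECTION = re.compile(r"^(?P<target>.+?) \((?P<family>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
PADDED = re.compile(r"\s\.\w+$")  # whitespace right before the extension

def parse_log(text):
    """Return one dict per detection line, tagged with its log section."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        hit = DETECTION.match(line)
        if hit and section:
            records.append({
                "section": section,
                "target": hit.group("target"),
                "family": hit.group("family"),
                # The last "->" field is the action; registry data rows carry
                # a "Bad: (1) Good: (0)" note before it.
                "action": hit.group("rest").split(" -> ")[-1].rstrip("."),
            })
    return records

def triage(records):
    """Summarise what a helper reading the log would look at first."""
    return {
        "families": Counter(r["family"] for r in records),
        "pending_reboot": [r["target"] for r in records
                           if r["action"].startswith("Delete on reboot")],
        "autostart": [r["target"] for r in records
                      if r["section"] == "Registry Values Infected"
                      and RUN_KEY.search(r["target"])],
        "padded_name": [r["target"] for r in records if PADDED.search(r["target"])],
    }

if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(key, "->", value)
```
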

#8 Computer Pro


Posted 18 November 2009 - 04:50 PM

Please give me a while to consult with some other helpers about your log.
Computer Pro

#9 Computer Pro


Posted 18 November 2009 - 07:49 PM

Ok, now please update Malwarebytes by using the Update tab, and then rerun a Quick scan and post back the log.

After you have posted the log, then please:



Run the ESET online scanner:

Please perform a scan with ESET Online Scanner
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users, be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use

Now click Start.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab).
Answer Yes to install and download the ActiveX controls that allow the scan to run.

Click Start. (The Online Scanner will now prepare itself for running on your PC.)

To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
Press Scan to start the online scan. (this could take some time to complete)
When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.

Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt

The scan results will open in Notepad.

Copy and paste the log results in your next reply.


Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
Computer Pro

#10 jellybean_po420


Posted 05 December 2009 - 03:55 PM

I have had this problem since about the 20th of November this year myself. I have tried everything from Malwarebytes, Norton, Iobit Security, Fix-It utilities etc., nothing has worked. I've looked numerous places online and a few said it was AIM, that has since been uninstalled. I am right now running the ESET scan and it has already found one Adware threat. After it finishes I will repost the log and let you know if I still have a problem.

#11 Computer Pro


Posted 05 December 2009 - 07:39 PM

Jellybean,

Please start your own topic to avoid confusion.
Computer Pro



