
Speakers Coming On With Commercials


5 replies to this topic

#1 Ironwood

Ironwood


Posted 03 March 2008 - 05:09 PM

My computer speakers are coming on randomly with some type of music and people talking trying to promote different products and different web sites.
I have Norton anti virus which does not really seem to do a lot besides take money out of my account.

I ran the anti virus and it said that I had a tracking cookie which was a low risk. I went ahead and deleted it.
Then I downloaded Spybot and a few other anti spyware programs which I later found out that some of the other programs that I downloaded were not legit so I deleted them all except for Spybot.

Today I ran Norton and Spybot and they said that everything was OK but just now I heard the music again for about 7 or 8 min. and it is now gone.

If anybody knows what is going on please let me know. Thanks



#2 Da.One

Da.One


Posted 03 March 2008 - 06:44 PM

I really want to laugh at this one as it's really funny. However, this is definitely malware and should be treated seriously.
Does your computer open any programs to play the music/ads, or does it just come out of nothing?

Please list the programs that you downloaded before, even if you deleted them they may have left other malware on your computer.

Norton is not a bad scanner, but like all scanners can miss some malware. If the adware has gotten so deep that it can run sound files, then it really should have been detected.

Let's start by running SDfix. Follow the instructions here:
http://forums.majorgeeks.com/showthread.php?p=869653

Post your log back in your next reply.

#3 Ironwood

Ironwood

Posted 04 March 2008 - 10:25 AM

OK I did all of that and I will see if that repairs it. The music usually came on after I was on the computer for a couple of hours so I will let you know, thanks for the help.

If it is fixed I will laugh about it b/c some of the commercials were pretty funny but there was no program running them so the only way to get rid of them was to mute my speakers.



Here is the report:

SDFix: Version 1.152

Run by Administrator on Tue 03/04/2008 at 08:52 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{ec4d317c-6e9d-462c-a3f9-1ec79bf47a1f}\CDService.dll - Deleted
C:\WINDOWS\fkxvkns.exe - Deleted
C:\WINDOWS\rs.txt - Deleted



Folder C:\WINDOWS\Installer\{ec4d317c-6e9d-462c-a3f9-1ec79bf47a1f} - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 09:12:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"="C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe:*:Enabled:Dell Network Assistant"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 21 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 2 Jan 2007 26,112 A..H. --- "C:\Documents and Settings\Neal Bilger\My Documents\Neal resume\~WRL0003.tmp"
Sun 8 Apr 2007 25,600 A..H. --- "C:\Documents and Settings\Neal Bilger\My Documents\Neal resume\~WRL0004.tmp"
Wed 30 Jan 2008 53,760 ...H. --- "C:\Documents and Settings\Neal Bilger\My Documents\Neal resume\~WRL1532.tmp"
Thu 31 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BITA.tmp"
Sun 9 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 9 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 9 Dec 2007 8 A..H. --- "C:\Documents and Settings\Kim Bilger\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 9 Dec 2007 8 A..H. --- "C:\Documents and Settings\Neal Bilger\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"

Finished!
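
Added example, not part of the original post or of SDFix: a Python helper for triaging a log like the one above. It lists firewall exceptions from the "Authorized Application Key Export" section that are open to any address or that still point at a file reported as deleted. The `path:scope:state:name` reading of each value and the two flagging rules are assumptions of this example, and `example-dropper.exe` is a constructed placeholder.

```python
import re

# Constructed sample in the layout of the SDFix log above. example-dropper.exe
# is a placeholder added to exercise the match; it is not in the posted log.
SAMPLE = r'''
Trojan Files Found:
C:\WINDOWS\example-dropper.exe - Deleted

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\WINDOWS\\example-dropper.exe"="C:\\WINDOWS\\example-dropper.exe:*:Enabled:example"
'''

ENTRY = re.compile(r'^"([^"]+)"="([^"]+)"$')
PROFILE = re.compile(r'firewallpolicy\\(\w+)\\authorizedapplications', re.I)
DELETED = re.compile(r'^(.+?) - Deleted$')

def parse_sdfix(log):
    """Return (deleted_paths, firewall_entries) found in SDFix log text."""
    deleted, entries, profile = [], [], None
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith('['):                      # registry key header
            m = PROFILE.search(line)
            profile = m.group(1).lower() if m else None
        elif m := DELETED.match(line):
            deleted.append(m.group(1))
        elif profile and (m := ENTRY.match(line)):
            # .reg exports double every backslash; undo that before comparing
            path, value = (s.replace('\\\\', '\\') for s in m.groups())
            parts = value[len(path) + 1:].split(':', 2)   # scope:state:name
            if value.startswith(path + ':') and len(parts) == 3:
                entries.append(dict(profile=profile, path=path, scope=parts[0],
                                    state=parts[1], name=parts[2]))
    return deleted, entries

def review(log):
    """Enabled firewall exceptions worth a manual look: (reason, profile, path)."""
    deleted, entries = parse_sdfix(log)
    gone = {p.lower() for p in deleted}
    findings = []
    for e in entries:
        if e['state'].lower() != 'enabled':
            continue
        if e['path'].lower() in gone:        # rule left behind by a removed file
            findings.append(('exception for deleted file', e['profile'], e['path']))
        elif e['scope'] == '*':              # reachable from any remote address
            findings.append(('open to any address', e['profile'], e['path']))
    return findings
```

Calling `review()` on the full text of a saved log returns one tuple per flagged exception; entries scoped to a subnet, such as the ActiveSync ones, are not reported.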

#4 Ironwood

Ironwood

Posted 04 March 2008 - 10:28 AM

Sorry I forgot to tell you that I am not sure what programs I installed and then deleted. I know that was really dumb to do now, but I found them on a Google search for spyware.

#5 Da.One

Da.One


Posted 04 March 2008 - 03:28 PM

If you just Googled the anti malware programs then I would expect them to be fairly safe, though I can't guarantee it. Google has put warnings on those fake ones like SpySheriff and SpyAxe etc.

Take a quick look at these fake anti malware programs here. These are the most common malware programs disguised as anti malware programs:

"Adware Sheriff", "Pest Trap", "SpywareNo", "Spylocked", "SpywareQuake", "SpyTrooper", "Spydawn", "AntiVirGear", "Brave Sentry", "SpywareStrike", "SpyShredder", "Alpha Cleaner" and "SpyAxe".

I don't think the files deleted by SDfix were the source of the ads.

If the ads do occur again, first post back here obviously. Then try running the computer with the internet disabled. It is much more likely that the malware is loading the music files off the Net rather than actually saving a music file on your computer. If the ads still come on with the internet disabled, then we simply proceed to search for music files on your computer.

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator



Posted 07 March 2008 - 05:11 PM

Hello Ironwood,

I see that you have Windows XP. Do you have Service Pack 1 installed? Do you have Service Pack 2 installed? Do you have the Home or Pro edition?

SDFix is not a tool used for removing Ad-Ware.

Can you tell us what security programs you have installed?

We need to know this information in order to provide you with proper disinfection instructions.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



