
Random sounds, google redirect, script errors


  • This topic is locked
9 replies to this topic

#1 jpfaffy

jpfaffy

  • Members
  • 19 posts

Posted 24 April 2011 - 09:51 PM

I have 3 problems, one is what appears to be a google redirect virus that takes me to a different site when clicking on google search results. The second is I get these random sound clips playing (only when connected to the internet), some are advertisements but others are just parts and pieces of different things. Lastly, I also get strange "Internet Explorer Script Error" messages when I am connected to the internet whether or not I actually have my browser running. I've tried watching the task manager for processes and disabling some startup processes through msconfig, but can't seem to nail down these problems. I'm using Windows XP Home edition. I am running CA antivirus, spybot, adaware, malwarebytes. I was able to get rid of some other nasty stuff, but the problems described above continue to plague me. Can anyone help?


 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 April 2011 - 07:38 AM

Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd



Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.

  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.

  • Click Continue > Reboot now to finish the cleaning process.<- Important!!

  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 jpfaffy


Posted 25 April 2011 - 10:32 PM

I am posting this from another PC...I was unable to run TDSSKiller despite changing the file name both before and after downloading. I even tried booting in safe mode without any success in getting the program to run. While I was composing this reply my Internet Explorer unexpectedly shut down and a fraudulent windows anti-virus scanner started. It also hijacked my security center & I am unable to turn Windows automatic updates back on, even after running Malwarebytes again. Here is the log from tonight...I thought I had already gotten rid of some of this stuff!!

__________________________________________________

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6444

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/25/2011 11:08:28 PM
mbam-log-2011-04-25 (23-08-28).txt

Scan type: Quick scan
Objects scanned: 149590
Time elapsed: 7 minute(s), 9 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\documents and settings\jonathan pfaff\local settings\application data\qwg.exe (Spyware.Agent) -> 5908 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Jonathan Pfaff\Local Settings\Application Data\qwg.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\jonathan pfaff\local settings\application data\qwg.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\jonathan pfaff\local settings\Temp\jar_cache8593.tmp (Spyware.Agent) -> Delete on reboot.
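
Added example (not part of the original thread and not code from any tool named in it): a Python parser for a Malwarebytes log in the layout posted above. It pulls out the items still marked "Delete on reboot" and every executable referenced across sections, including paths embedded in hijacked registry data. The sample log is constructed with a placeholder user name, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Malwarebytes 1.50 log above;
# the user name in the paths is a placeholder.
SAMPLE_LOG = r"""
Memory Processes Infected:
c:\documents and settings\user\local settings\application data\qwg.exe (Spyware.Agent) -> 5908 -> Unloaded process successfully.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\qwg.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\user\local settings\application data\qwg.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\Temp\jar_cache8593.tmp (Spyware.Agent) -> Delete on reboot.
"""

ENTRY = re.compile(r"^(?P<item>.+?) \((?P<detection>[\w.]+)\) -> (?P<rest>.+)$")
BAD_GOOD = re.compile(r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"<>|]+?\.exe', re.IGNORECASE)

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):      # section header, e.g. "Files Infected:"
            section = line[:-len(" Infected:")]
            continue
        m = ENTRY.match(line)
        if not (section and m):             # blanks, counts, "(No malicious items detected)"
            continue
        detail, _, action = m["rest"].rpartition(" -> ")
        bg = BAD_GOOD.search(detail)
        entries.append({"section": section, "item": m["item"],
                        "detection": m["detection"], "action": action.rstrip("."),
                        "bad": bg["bad"] if bg else None,
                        "good": bg["good"] if bg else None})
    return entries

def needs_reboot(entries):
    """Items the scanner only scheduled for deletion; removal is not complete until reboot."""
    return [e["item"] for e in entries if e["action"].lower().startswith("delete on reboot")]

def binaries_by_section(entries):
    """Map each .exe path (lower-cased) to the log sections that reference it,
    including paths embedded in hijacked registry data ("Bad:" values)."""
    seen = defaultdict(set)
    for e in entries:
        for field in (e["item"], e["bad"] or ""):
            for path in EXE_PATH.findall(field):
                seen[path.lower()].add(e["section"])
    return dict(seen)

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(needs_reboot(parsed), binaries_by_section(parsed))
```

A binary that shows up under processes, files and a registry handler's "Bad:" data at once is the one whose launch points need re-checking after the reboot.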

#4 quietman7


Posted 26 April 2011 - 06:52 AM

"I was unable to run TDSSKiller despite changing the file name both before and after downloading"

The malware infection was blocking it from running. This is not uncommon especially when a tool like this can remove the infector if it is allowed to perform its routines.

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download SUPERAntiSpyware Free and follow these instructions for performing a scan.

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Be sure to update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download them from here.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
  • Please copy and paste the Scan Log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.

-- Alternatively, you can download and use the SUPERAntiSpyware Portable Scanner or perform a SUPERAntiSpyware Online Safe Scan (both listed under Popular Links) instead. If you cannot download from the infected computer, save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer it. Then double-click on the file to launch the portable version and scan. The file is randomly named to help keep malware from blocking the scanner.

Then try running TDSSKiller again. If it still will not run, then disinfection will probably require the use of more powerful tools than we recommend in this forum.

#5 jpfaffy


Posted 27 April 2011 - 11:55 PM

Below is the Malwarebytes log(full scan) and the SUPERAntiSpyware logs(quick & complete scans). I am able to run both of these, as well as spybot, adaware, & CA Antivirus, but am still not able to run TDSSKiller. I even tried downloading it from another computer, renaming it & transferring it on a flash drive with no luck. If you have any other advice or if these logs give you any insight into my problem(s), please let me know. Thanks for all your help thus far.

_________________________________________________

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6459

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/27/2011 6:17:03 PM
mbam-log-2011-04-27 (18-17-03).txt

Scan type: Full scan (C:\|)
Objects scanned: 215930
Time elapsed: 1 hour(s), 27 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

________________________________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2011 at 06:46 PM

Application Version : 4.51.1000

Core Rules Database Version : 6941
Trace Rules Database Version: 4753

Scan type : Quick Scan
Total Scan Time : 00:10:28

Memory items scanned : 573
Memory threats detected : 0
Registry items scanned : 2118
Registry threats detected : 1
File items scanned : 8709
File threats detected : 2

System.BrokenFileAssociation
HKCR\.exe

Adware.Tracking Cookie
media.mtvnservices.com [ C:\Documents and Settings\Jonathan Pfaff\Application Data\Macromedia\Flash Player\#SharedObjects\JWS58XJU ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Jonathan Pfaff\Application Data\Macromedia\Flash Player\#SharedObjects\JWS58XJU ]

____________________________________________________________


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2011 at 11:36 PM

Application Version : 4.51.1000

Core Rules Database Version : 6941
Trace Rules Database Version: 4753

Scan type : Complete Scan
Total Scan Time : 00:40:06

Memory items scanned : 563
Memory threats detected : 0
Registry items scanned : 7865
Registry threats detected : 1
File items scanned : 25716
File threats detected : 0

System.BrokenFileAssociation
HKCR\.exe

#6 quietman7


Posted 28 April 2011 - 06:22 AM

Please download Norman TDSS Cleaner and save to your Desktop.
  • Double-click on Norman_TDSS_Cleaner.exe to run the tool.
  • Read the agreement and click Accept.
  • When the program window opens, click Start scan.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.

Then perform a scan with Windows Live OneCare safety scan.
  • Close all open programs and do not use the computer during the scan.
  • Click "Full Service Scan" in the middle of the page.
  • Allow the download of the ActiveX controls that the scan needs to run.
  • Choose "Complete Scan" in the window that opens and then click "Next"
  • The scan may take several hours...be patient and allow the scan to complete.
If using Firefox, please refer to these special instructions provided by Microsoft.

#7 jpfaffy


Posted 28 April 2011 - 10:28 PM

I was able to run Norman TDSS Cleaner & I have posted logs from 2 scans. The scans lasted about 1-2 seconds each & found nothing. Is that normal? I also ran Windows Live OneCare safety scan, but it found nothing. I still get a Windows Security Alert in my system tray telling me that my Automatic Updates have been turned off & I am unable to turn them back on when opening the Security Center. I also still have random sound clips playing, only when I am connected to the internet. When I turn off my wireless card the sound clips stop. TDSSKiller still will not run. What else can I try?

_________________________________________________________________________

Norman TDSS Cleaner
Version 2.0.2
Copyright 1990 - 2010, Norman ASA. Built 2010/11/12 06:32:24

Scan started: 2011/04/28 18:24:45

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600 Service Pack 3
Logged on user: D65L0NG1\Jonathan Pfaff


Scanning kernel...

Scan complete

____________________________________________________________________

Norman TDSS Cleaner
Version 2.0.2
Copyright 1990 - 2010, Norman ASA. Built 2010/11/12 06:32:24

Scan started: 2011/04/28 18:26:48

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600 Service Pack 3
Logged on user: D65L0NG1\Jonathan Pfaff


Scanning kernel...

Scan complete

#8 quietman7


Posted 29 April 2011 - 06:50 AM

Some infections are difficult to remove completely because of their morphing characteristics which allow the malware to regenerate itself or infect critical system files which cannot be cleaned. Sometimes there is an undetected hidden piece of malware such as a rootkit which protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.

#9 jpfaffy


Posted 29 April 2011 - 10:30 PM

Random sound clips, Internet Explorer Script Errors Don't know how to remove -in- Virus, Trojan, Spyware, and Malware Removal Logs forum

#10 quietman7


Posted 29 April 2011 - 10:53 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.



