
Audio from advertisements plays in background with no programs running


  • This topic is locked
4 replies to this topic

#1 indiansoup
  • Members
  • 2 posts

Posted 01 January 2014 - 09:25 PM

In the last couple of days or so, my computer has had advertisements playing in the background with no programs running whatsoever. I've tried a few programs to no avail. Norton Antivirus wasn't able to pick up anything, nor has Malwarebytes or Kaspersky's TDSSKiller. Any help would be greatly appreciated!

 

DDS:
 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16450  BrowserJavaVersion: 10.45.2
Run by Sneh at 20:12:21 on 2014-01-01
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://msn.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://start.qone8.com/?type=hp&ts=1383426972&from=amt&uid=ST3320418AS_6VMA5Y6FXXXX6VMA5Y6F
mStart Page = hxxp://start.qone8.com/?type=hp&ts=1383426972&from=amt&uid=ST3320418AS_6VMA5Y6FXXXX6VMA5Y6F
mSearch Page = hxxp://start.qone8.com/web/?type=ds&ts=1383426972&from=amt&uid=ST3320418AS_6VMA5Y6FXXXX6VMA5Y6F&q={searchTerms}
mDefault_Page_URL = hxxp://start.qone8.com/?type=hp&ts=1383426972&from=amt&uid=ST3320418AS_6VMA5Y6FXXXX6VMA5Y6F
mDefault_Search_URL = hxxp://start.qone8.com/web/?type=ds&ts=1383426972&from=amt&uid=ST3320418AS_6VMA5Y6FXXXX6VMA5Y6F&q={searchTerms}
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Google Update] "c:\users\sneh\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Facebook Update] "c:\users\sneh\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [tDBapiCres] rundll32.exe "c:\users\sneh\appdata\roaming\tdbapicres\tDBapiCres.dll",DesktopUserWan SyncUsermon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [CloneCDElbyCDFL] "c:\program files\elaborate bytes\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ncdown~1.lnk - c:\program files\solibo ltd\ncdownloader\NCdownloader.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{E5A041BA-B996-43CD-9B51-4A21FC1400C7} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
STS: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - c:\windows\system32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sneh\appdata\roaming\mozilla\firefox\profiles\gvlcxyb4.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=714647&p=
FF - prefs.js: network.proxy.ftp - 115.248.234.252
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http - 115.248.234.252
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 115.248.234.252
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 115.248.234.252
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.8\npapicomadapter.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\users\sneh\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\sneh\appdata\local\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: 2013-12-08 19:11; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-12-27 02:38:09    --------    d-----w-    c:\users\sneh\Dhoom 3 (2013) DVDScr x1CD AAC x264 MaNuDiL SilverRG
2013-12-25 03:06:27    --------    d-----w-    c:\users\sneh\Dhoom Machale(Dhooom 3) HD Video Song
2013-12-25 02:37:42    --------    d-----w-    c:\users\sneh\appdata\local\Geckofx
2013-12-25 02:37:08    --------    d-----w-    c:\program files\AviSynth 2.5
2013-12-23 05:03:41    --------    d-----w-    c:\users\sneh\Season 9
2013-12-20 05:51:17    --------    d-----w-    c:\users\sneh\appdata\roaming\DictAddon
2013-12-17 21:06:52    --------    d-----w-    c:\program files\common files\DivX Shared
2013-12-17 21:05:48    --------    d-----w-    c:\program files\DivX
2013-12-17 21:05:21    --------    d-----w-    c:\programdata\DivX
2013-12-16 02:20:43    --------    d-----w-    c:\users\sneh\appdata\roaming\HpUpdate
2013-12-09 01:12:15    --------    d-----w-    c:\programdata\WEBREG
2013-12-09 01:11:26    --------    d-----w-    c:\programdata\HP Photo Creations
2013-12-09 01:11:26    --------    d-----w-    c:\program files\HP Photo Creations
2013-12-08 23:59:14    --------    d-----w-    c:\users\sneh\appdata\roaming\TonidoSyncData
2013-12-08 23:55:28    --------    d-----w-    c:\users\sneh\appdata\roaming\Tonido
.
==================== Find3M  ====================
.
2013-12-11 18:57:37    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 18:57:37    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-08 12:50:41    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
.
============= FINISH: 20:14:24.88 ===============
 



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,311 posts
  • Gender:Female
  • Location:Romania

Posted 03 January 2014 - 08:36 AM

Hello, my name is Elise and I'll assist you with this issue.

We need to run a custom batch script:
  • Click on the Start Orb, then the Search box, enter notepad and press Enter.
  • Copy and paste the entire text below into the blank notepad document:
    @echo off
    regedit /e "%userprofile%\desktop\svchost.txt" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Svchost"
    start notepad "%userprofile%\desktop\svchost.txt"
    exit
    
  • Click on File > Save As... to save the file to your desktop
  • In the File Name box, type in Fix.bat
  • Press Save.
  • Close Notepad
  • Right click Fix.bat on your desktop, and choose Run as Administrator
  • Press Yes if prompted by User Account Control
  • When complete, a log file will pop up and a copy will be saved to your desktop as svchost.txt; please post it in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
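What the exported svchost.txt lets a helper check, as an added example that is not part of this thread or of Elise's instructions: the DDS log above lists every svchost.exe instance with its -k group, and the Svchost registry key maps each group name to the services it is meant to host. The Python script below parses a regedit export of that key (joining the lines regedit wraps with a trailing backslash and decoding the hex(7) REG_MULTI_SZ values) and reports any group running on the machine that the key does not define, plus defined groups that are not running. Every input is constructed: the .reg text is a shortened export in regedit's layout, the process lines follow the shape of the DDS "Running Processes" section, and the group name xyzgroup and the service lists are made up for the illustration.

```python
"""Cross-check svchost groups seen running in a DDS log against the groups
defined in an exported Svchost registry key (a regedit /e .reg file).

Added example, not part of the thread.  All sample data below is constructed.
"""
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Svchost"

# Constructed sample of what regedit /e writes for the Svchost key.  REG_MULTI_SZ
# values appear as hex(7): comma-separated UTF-16LE bytes, wrapped with a trailing
# backslash; per-group subkeys hold dword settings, not service lists.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Svchost]
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
  00,00,00,50,00,6c,00,75,00,67,00,50,00,6c,00,61,00,79,00,00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"netsvcs"=hex(7):53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,00,00,00,54,00,\
  68,00,65,00,6d,00,65,00,73,00,00,00,00,00
"LocalService"=hex(7):57,00,65,00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,\
  00,00,00,00
"HPZ12"=hex(7):50,00,6d,00,6c,00,20,00,44,00,72,00,69,00,76,00,65,00,72,00,20,\
  00,48,00,50,00,5a,00,31,00,32,00,00,00,00,00
"imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Svchost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001
"""

# Constructed sample in the shape of the DDS "Running Processes" section;
# 'xyzgroup' is an invented name used to show a group the key does not define.
DDS_PROCESSES = r"""C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k xyzgroup
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from a .reg export, after
    joining the lines regedit wrapped with ',\\' and an indented continuation."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def decode_multi_sz(data):
    """Decode a REG_MULTI_SZ exported as hex(7): UTF-16LE bytes holding
    NUL-terminated strings, with an empty string closing the list."""
    if not data.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value: " + data[:20])
    raw = bytes(int(h, 16) for h in data[len("hex(7):"):].split(",") if h)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def registry_groups(reg_text):
    """Map each group defined directly under the Svchost key to its services."""
    values = parse_reg_export(reg_text).get(SVCHOST_KEY, {})
    return {name: decode_multi_sz(data) for name, data in values.items()
            if data.startswith("hex(7):")}


def running_groups(process_lines):
    """Collect the -k group names from svchost.exe lines of a process list."""
    pattern = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)
    return {m.group(1) for m in map(pattern.search, process_lines.splitlines()) if m}


def compare_groups(reg_text, process_lines):
    """Return (running but undefined, defined but not running), both sorted.
    Registry value names are case-insensitive, so the comparison is too."""
    defined = {g.lower(): g for g in registry_groups(reg_text)}
    running = {g.lower(): g for g in running_groups(process_lines)}
    undefined = sorted(running[g] for g in running.keys() - defined.keys())
    idle = sorted(defined[g] for g in defined.keys() - running.keys())
    return undefined, idle


if __name__ == "__main__":
    for group, services in registry_groups(REG_EXPORT).items():
        print(f"{group:14s} -> {', '.join(services)}")
    undefined, idle = compare_groups(REG_EXPORT, DDS_PROCESSES)
    print("running but not defined in the key:", undefined or "none")
    print("defined but not currently running: ", idle or "none")
```

To use it on a real export, replace REG_EXPORT with the contents of the svchost.txt the batch file produces (regedit writes it as UTF-16, so read it with encoding="utf-16") and DDS_PROCESSES with the process section of the log. A group that is defined but idle is normal, since many hosted services start on demand; a group that is running but absent from the key does not match the machine's own Svchost configuration, and that is the line a helper would want explained.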


#3 indiansoup

  • Topic Starter


Posted 05 January 2014 - 03:20 PM

Alrighty, thanks so much for helping me out! Give me one more day and I'll get back to you!



#4 Elise


Posted 05 January 2014 - 03:26 PM

That's okay. :)

regards, Elise




#5 Elise


Posted 19 January 2014 - 04:39 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise






