
Hearing unknown noises and advertisements while no program is open


  • This topic is locked
7 replies to this topic

#1 Mikex246

Mikex246

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 15 March 2017 - 05:20 PM

I have been experiencing this weird phenomenon of hearing advertisements in my own language rather than English for a few days. Also I have been hearing unknown noises and distant talk.

 

I Googled around and people told me to run Mbam and I ran it; after that I ran an AVG Internet Security scan and still nothing. I am creeped out by this phenomenon, and also my webcam turns off and on out of the blue, and the only thing that helps (and is probably the best choice) is disconnecting the camera from the PC. These sounds occur at random periods; it is not scheduled by any means and it could happen now or an hour or two from now. Something on my PC keeps playing these noises and adverts randomly.


Thanks, Mike

 

Edit: Just noticed that I accidentally put this on wrong board, can a moderator please switch this to Am I infected? What do I do?


Edited by Mikex246, 15 March 2017 - 05:41 PM.



#2 Mikex246

Mikex246
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 15 March 2017 - 05:47 PM

Update: Ran AVG again and all the text disappeared from the program

 

Edit: Also cannot remove the threats

Attached Files


Edited by Mikex246, 15 March 2017 - 05:47 PM.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:02 PM

Posted 16 March 2017 - 07:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs.

Wait for further instructions.

#4 Mikex246

Mikex246
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 16 March 2017 - 12:56 PM

I couldn't post the FRST log as it is too long for the forums. However, I attached the Addition.txt to this post.


RogueKiller V12.10.0.0 (x64) [Mar 13 2017] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : User [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/16/2017 19:03:11 (Duration : 00:31:31)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 10 ¤¤¤
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\AVG Tuneup -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update service (C:\Program Files (x86)\Popcorn Time\Updater.exe) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5d0dd9e2-ecb6-458f-bcfc-9cacbc7edf48} | DhcpNameServer : 172.20.10.1 ([])  -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DBCB5710-73FD-4706-BE87-CC5F8F916CF0} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [-] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D5037D9C-56D0-4585-A0F5-225646468B0A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [-] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A5E1B3B8-659E-4868-88AF-EE2603F6A6D6} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [-] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F606CE74-E312-4442-8657-AF4EF3784A3F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [-] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B89813E3-7BA9-4CBC-9ECB-136752E8A807} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7B4EC9CC-4D5B-403E-804B-525DF7922454} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Found
[Suspicious.Path|VT.Unknown] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{4450582E-E8B9-4C47-9192-DF0F0826FE9B}C:\users\user\appdata\local\electronic arts\dawngate\game\dawngate.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\user\appdata\local\electronic arts\dawngate\game\dawngate.exe|Name=dawngate.exe|Desc=dawngate.exe|Defer=User| [7] -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 16 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\AVG Secure Search -> Found
[PUP.Gen1][Folder] C:\ProgramData\AVG Web TuneUp -> Found
[PUP.Gen1][File] C:\Users\Public\Desktop\Popcorn Time.lnk [LNK@] C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE --no-proxy-server -> Found
[PUP.Gen1][Folder] C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found
[Tr.Gen0][File] C:\Users\User\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\User\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\User\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\User\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Found
[PUP.Gen1][Folder] C:\Users\User\AppData\Local\AVG Web TuneUp -> Found
[PUP.Gen1][Folder] C:\ProgramData\AVG Secure Search -> Found
[PUP.Gen1][Folder] C:\ProgramData\AVG Web TuneUp -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\AVG Web TuneUp -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Popcorn Time -> Found
[PUP.Gen1][File] C:\Users\Public\Desktop\Popcorn Time.lnk [LNK@] C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE --no-proxy-server -> Found
[PUP.Gen1][Folder] C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Intel Raid 0 Volume SCSI Disk Device +++++
--- User ---
[MBR] 70d32809c2cd6c33cdabb90b2233cae1
[BSP] a125c6d550d970ad5cfe2c1fd63118bf : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 200 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 411648 | Size: 228282 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 467935232 | Size: 457 MB
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!
 
+++++ PhysicalDrive1: WDC WD20EZRX-00D8PB0 SCSI Disk Device +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 1907600 MB
User = LL1 ... OK
User = LL2 ... OK

Attached Files


Edited by Mikex246, 16 March 2017 - 12:59 PM.
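The RogueKiller report above has a regular line format, so here is an added Python example (not part of the thread, and not Adlice's code) that parses a report in that layout into structured findings and summarises which programs the firewall allow-rule entries admit inbound, flagging those that run from user-writable folders (the locations RogueKiller tags Suspicious.Path). The sample report is constructed, with placeholder GUIDs and paths.

```python
import re
from collections import Counter

# Constructed sample in RogueKiller's report layout (placeholder GUIDs and paths, not the thread's log).
SAMPLE_REPORT = r"""¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 3 ¤¤¤
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Example Tuneup -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {GUID-1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Example\Updater.exe|Name=Updater.exe| [-] -> Found
[Suspicious.Path|VT.Unknown] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{GUID-2}C:\users\user\appdata\local\game\game.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\user\appdata\local\game\game.exe|Name=game.exe| [7] -> Found
¤¤¤ Files : 2 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\Example Secure Search -> Found
[Tr.Gen0][File] C:\Users\User\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe -> Found
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>[^:]+?) :")   # e.g. "¤¤¤ Registry : 10 ¤¤¤"
FINDING_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]"              # detection tags, e.g. PUP.Gen1 or Suspicious.Path|VT.Unknown
    r"(?:\[(?P<kind>[^\]]+)\])?"          # object kind in the Files section: File or Folder
    r"\s*(?:\((?P<arch>X86|X64)\)\s*)?"   # registry view for Registry entries
    r"(?P<item>.+?)\s*->\s*(?P<status>\w+)$"
)
APP_RE = re.compile(r"\|App=(?P<app>[^|]+)\|")              # App= field of a Windows firewall rule string
USER_WRITABLE_RE = re.compile(r"\\(appdata|programdata)\\", re.I)

def parse_report(text):
    """Return one dict per detection line, tagged with the report section it appeared under."""
    findings, section = [], None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = FINDING_RE.match(line)
        if not m or section is None:
            continue
        tags = m.group("tags").split("|")
        app = APP_RE.search(m.group("item"))
        findings.append({"section": section, "tags": tags, "family": tags[0].split(".")[0],
                         "kind": m.group("kind"), "arch": m.group("arch"), "item": m.group("item"),
                         "status": m.group("status"), "app": app.group("app") if app else None})
    return findings

def triage(findings):
    """Counts per detection family (PUP/PUM/Tr/Suspicious) and the programs firewall allow-rules admit inbound."""
    apps = sorted({f["app"] for f in findings if f["app"]})
    return {
        "families": dict(Counter(f["family"] for f in findings)),
        "firewall_apps": apps,
        "user_writable_apps": [a for a in apps if USER_WRITABLE_RE.search(a)],  # run from AppData/ProgramData
    }
```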


#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:02 PM

Posted 16 March 2017 - 01:08 PM

Please attach the FRST log.

If still too long, break the log into 2 or 3 sections and paste each one of them in its own post.

#6 Mikex246

Mikex246
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 16 March 2017 - 01:52 PM

Please attach the FRST log.

If still too long, break the log into 2 or 3 sections and paste each one of them in its own post.

Attached Files

  • Attached File  FRST.txt   188.57KB   1 downloads


#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:02 PM

Posted 17 March 2017 - 08:00 AM


Remove these programs in bold via the Control Panel > Programs > Programs and Features.

Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)
Java 8 Update 73 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418073F0}) (Version: 8.0.730.2 - Oracle Corporation)
Java SE Development Kit 8 Update 73 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180730}) (Version: 8.0.730.2 - Oracle Corporation)
===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2088977303-3324652526-1427108503-1000\...\Run: [BingSvc] => C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-04-07] (© 2015 Microsoft Corporation)
FF Plugin: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelogx64.dll [No File]
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.1.6\\npsitesafety.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelog.dll [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-2088977303-3324652526-1427108503-1000: @kaneva.com/KanevaPatch -> C:\Program Files (x86)\Kaneva\npkanevapatch.dll [No File]
CHR CHR Extension: (Virtus.Pro) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\iamgecknilaefpihdedoikhgcclbcklk [2017-03-13]
CHR Extension: (Chrome Web Storen maksut) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-13]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-13]
CHR HKU\S-1-5-21-2088977303-3324652526-1427108503-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fkkcgfbgohboipdhliafmacjnhjbhmim] - hxxps://clients2.google.com/service/update2/crx
U3 idsvc; no ImagePath
CustomCLSID: HKU\S-1-5-21-2088977303-3324652526-1427108503-1000_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-A53DA100DCA5}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
Task: {00AAD76C-FC2C-4263-90F1-BCEA3A6B5890} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {01C513DF-BBB7-4F68-8F5C-B3A648182E11} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {0912225D-ECC7-45DB-AF25-90B9F074690E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {1053FCD1-955D-421B-AAA0-AD8ECB41FB2C} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {28AD2719-573A-4B1E-9BD7-2E869D5141B4} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {9DCF8475-9696-4C2D-8F80-EC1BD673C11C} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {A96A31CD-0FB4-45C1-A78F-FDA5664F73AC} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {BD62C289-BFDA-4617-B4E3-569144F8AB56} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {D772AA7B-EBC4-4A2F-B339-72B2FD623ABF} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {F37A82EE-6DB4-4927-82E7-219250B501C7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {F5B0C46D-7F16-4E7A-BDA5-C37872B8EEAE} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {FCE3C503-EEF2-4D5F-A844-6B7B92CA972D} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please post the log and let me know if the problem persists with this computer.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:02 PM

Posted 23 March 2017 - 07:25 AM

Are you still with me?