Random Audio Ads in Background

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bockwinkle, Jul 2, 2012.

  1. Bockwinkle

    Bockwinkle Private E-2

    Seems I have gotten the random audio ad playing virus.....no IE8 windows open on the desktop but if you watch in task manager they are opening and going to random websites and playing some sort of ad.
    Windows XP SP3. Malware Bytes and Symantec aren't detecting it. Logs attached. Computer used for work and home.
    Thanks in advance for any help!
     
  2. Bockwinkle

    Bockwinkle Private E-2

    original post had the logs but apparently they did not go through...here they are....
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, Bockwinkle :)

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • DAEMON Tools Lite <- Or run DeFogger as was requested in the Read and Run Me First.
    • Java(TM) 6 Update 20 <- Outdated

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    /!\ Install and Run CCleaner which was requested by the Read and Run Me First.

    /!\ Please Disable Spybot's TeaTimer as was requested by the Windows XP Malware Removal/Cleaning Procedure.
    Leave it disabled for the remainder of malware removal.

    __

    I want you to read and follow these instructions: TDSSKiller - How to run

    __

    Please download OTL by OldTimer.

     
    Last edited: Jul 2, 2012
  4. Bockwinkle

    Bockwinkle Private E-2

    DONE log attached
     

    Attached Files:

    Last edited by a moderator: Jul 3, 2012
  5. thisisu

    thisisu Malware Consultant

    Are these items you put inside your hosts file?

    Code:
    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1       localhost
    10.0.0.17	nova-file
    10.0.0.14	nova-corp-mail2
    10.0.0.16	nova-corp-mail
    10.0.0.20	nova-timberline
    I'd like to reset hosts to default but if you know what these are for we can leave them alone.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :processes
    killallprocesses
    :otl
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
    DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbdev.sys -- (hwusbdev)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbnet.sys -- (ewusbnet)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
    DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    IE - HKU\S-1-5-21-1482476501-1715567821-839522115-3185\..\SearchScopes\{899BF521-C0BC-43F9-972F-6820A1557543}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ATU2&o=14674&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=T9&apn_dtid=YYYYYYYYUS&apn_uid=28948d03-396b-4316-b32c-3491d84a2239&apn_sauid=2304B20B-5B64-4F3F-92F5-2CB9F6B05A19
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://nova-corpsupport.webex.com/client/T27LD/support/ieatgpc.cab (GpcContainer Class)
    O32 - AutoRun File - [2010/01/30 02:34:34 | 000,000,090 | ---- | M] () - D:\AUTORUN.INF -- [ FAT32 ]
    O33 - MountPoints2\{4e920a78-45bc-11e1-9cff-00216a89c7d4}\Shell - "" = AutoRun
    O33 - MountPoints2\{4e920a78-45bc-11e1-9cff-00216a89c7d4}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4e920a78-45bc-11e1-9cff-00216a89c7d4}\Shell\AutoRun\command - "" = G:\LaunchU3.exe
    O33 - MountPoints2\{4e920a7a-45bc-11e1-9cff-00216a89c7d4}\Shell - "" = AutoRun
    O33 - MountPoints2\{4e920a7a-45bc-11e1-9cff-00216a89c7d4}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4e920a7a-45bc-11e1-9cff-00216a89c7d4}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2011/06/14 09:38:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Txewotigiha.bin
    :files
    C:\Documents and Settings\beb\Librarys\wgesdwx\svchost.exe
    C:\Documents and Settings\All Users\Application Data\Ask
    dir /s "C:\Documents and Settings\beb\Librarys\wgesdwx" /c
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=-
    "DAEMON Tools Lite"=-
    [HKEY_USERS\S-1-5-21-1482476501-1715567821-839522115-3185\Software\Microsoft\Windows\CurrentVersion\run]
    "SpybotSD TeaTimer"=-
    "DAEMON Tools Lite"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "startup"=dword:00000000
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{899BF521-C0BC-43F9-972F-6820A1557543}]
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
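Added example, not code from the thread or from any of the tools used in it: a small Python audit that applies the same triage thisisu did by hand on the hosts file above. On Windows XP the default hosts file carries only the localhost line, so every other entry needs an explanation; the script sorts entries into ones that point at private LAN addresses (like the nova-* servers the poster later confirmed as legitimate), ones that pin a security vendor's hostname to loopback (a common way malware blocks updates), and ones that send a name to a public IP (a redirect). The sample hosts text and the vendor substring list are constructed for the example.

```python
import ipaddress

# Windows XP ships a hosts file containing only the localhost line; every
# other entry was added by a person, a management tool, or malware.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Substrings of update/AV hostnames that malware points at 127.0.0.1 to block
# updates. Constructed, illustrative list, not taken from the thread.
SECURITY_SITE_TOKENS = ("windowsupdate", "symantec", "malwarebytes", "mcafee", "kaspersky")

# Constructed sample modelled on the hosts file quoted in the thread.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.0.0.17\tnova-file
10.0.0.14\tnova-corp-mail2
10.0.0.16\tnova-corp-mail
10.0.0.20\tnova-timberline
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name))
    return entries


def classify(ip, name):
    """Label one entry by what an attacker could achieve with it."""
    if (ip, name) in DEFAULT_ENTRIES:
        return "default"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    lowered = name.lower()
    if addr.is_loopback:
        # Pointing a vendor's update host at loopback silently blocks updates.
        if any(tok in lowered for tok in SECURITY_SITE_TOKENS):
            return "blocks-security-site"
        return "loopback-override"
    if addr.is_private:
        # RFC 1918 targets are typical of hand-added corporate servers,
        # like the nova-* entries the poster confirmed as legitimate.
        return "private-lan"
    # A public IP bound to a name is a classic pharming/phishing redirect.
    return "public-redirect"


def audit(text):
    """Map each hostname in a hosts file to its classification."""
    return {name: classify(ip, name) for ip, name in parse_hosts(text)}


def suspicious(text):
    """Only the entries that warrant a reset or a closer look."""
    return {n: c for n, c in audit(text).items()
            if c in ("blocks-security-site", "public-redirect", "malformed")}
```

Run `audit(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())` on a live XP box to get the same table; an empty `suspicious()` result is the case where, as in this thread, the entries can be left alone rather than reset.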
  6. Bockwinkle

    Bockwinkle Private E-2

    -- done see attached
     

    Attached Files:

    Last edited by a moderator: Jul 3, 2012
  7. thisisu

    thisisu Malware Consultant

    How are things running at this point?
     
  8. Bockwinkle

    Bockwinkle Private E-2

    I haven't gotten the "your last browsing session ended unexpectedly" message nor have I heard a random ad play since the last reboot.....all clean?
     
  9. thisisu

    thisisu Malware Consultant

    Possibly, give it a day or so to make sure it's gone.
    How often was this audio ad playing? Types of answers I am looking for:
    • As soon as I turn on the computer the audio ads would appear
    • The audio ad would go off every 1-2 minutes.
    • Usually every 5-10 minutes I would hear an audio ad.
    • Every hour I would hear an audio ad.

    Can you zip this file and upload it here for further analysis?
    • C:\_OTL\MovedFiles\07032012_133354\C_Documents and Settings\beb\Librarys\wgesdwx\svchost.exe

    Also you never answered my question about the hosts file entries. Were these legit or not?
     
    Last edited: Jul 3, 2012
  10. Bockwinkle

    Bockwinkle Private E-2

    -- done
     

    Attached Files:

  11. Bockwinkle

    Bockwinkle Private E-2

    they would manifest every 5-10 minutes but sometimes more frequently...and they would last anywhere from 2 seconds to 15 minutes in duration....some actually sounded like movies playing. If I went into the task manager and looked at the iexplorer application that had a huge mem charge I would end the task and the ads would instantly stop. If I visited the history list in IE I would see dozens of websites that I had never visited that I assume was being opened by the virus to access the audio.

    Whenever I would get a random "your last session ended unexpectedly" message I knew the ads were going to start up again...I guess the way the virus opens IE windows in the background it must abruptly close them too causing that message to spawn.

    attached in the previous post is the file as requested......awaiting your response.
     
  12. thisisu

    thisisu Malware Consultant

    What about the hosts entries?
     
  13. Bockwinkle

    Bockwinkle Private E-2

    yes those are network drives/servers that I connect to so they are ok.
     
  14. thisisu

    thisisu Malware Consultant

    Thanks for uploading the file and for clarifying.

    Here are the final instructions for whenever you are ready:

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  15. Bockwinkle

    Bockwinkle Private E-2

    Is there any harm in leaving the tools installed on the computer other than the mgtools.exe might be detected as a virus?

    I created a new system restore point at this time in case of a relapse. (incidentally my system restore had not been enabled or else I could have tried that to get rid of this virus)

    Thank you so so much for all of your timely help. You should be promoted to Lt. Col.

    One last thing.......what was the "name" or nature of this virus? where did it reside? If it was a java exploit for the love of pete could someone do something about that....every virus that I have gotten in the last 5 years has been through java.

    I'll try to be safe.....but no promises!
     
  16. thisisu

    thisisu Malware Consultant

    You're welcome :)

    I won't be able to experiment with the file you attached until later but I have sent it off to Malwarebytes so they can analyze and add it to their databases.

    It was hiding here: C:\Documents and Settings\beb\Librarys\wgesdwx\svchost.exe

    It could have been from a java exploit as you had a much older version of Java installed (Java 6 Update 20) -> current version is Java 7 Update 5
    If you must use Java, make sure it's always up to date as this will reduce your chances of being infected via Java exploits. Or, if you do not need Java for anything, simply do not install it.
     
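Added example, not code from the thread or from any of the tools used in it: the two things that gave this infection away in posts 11 and 16 were a binary named svchost.exe living under a user profile (C:\Documents and Settings\beb\Librarys\wgesdwx\svchost.exe) and Internet Explorer processes that nothing on the desktop had launched. Both are checkable from a process listing without any signature. The Python below encodes them as rules over a constructed listing of (pid, name, image path, parent name) tuples; the expected parent map is the Windows XP service start-up tree (services.exe and lsass.exe are children of winlogon.exe, svchost.exe of services.exe) and is an assumption for that OS, not something the thread states.

```python
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")
PROFILE_ROOT = PureWindowsPath(r"C:\Documents and Settings")

# Windows XP system binaries and the parent each is normally started by
# (assumed XP process tree; adjust for other Windows versions).
EXPECTED_PARENT = {"svchost.exe": "services.exe",
                   "services.exe": "winlogon.exe",
                   "lsass.exe": "winlogon.exe"}

# An interactive browser should descend from the shell (or from itself);
# a browser whose parent is anything else was launched by a program.
BROWSERS = {"iexplore.exe"}
SHELL_PARENTS = {"explorer.exe", "iexplore.exe"}

# Constructed sample of a process listing: (pid, name, image path, parent name).
SAMPLE_PROCESSES = [
    (4, "System", "", ""),
    (600, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe", "smss.exe"),
    (648, "services.exe", r"C:\WINDOWS\system32\services.exe", "winlogon.exe"),
    (832, "svchost.exe", r"C:\WINDOWS\System32\svchost.exe", "services.exe"),
    (1324, "explorer.exe", r"C:\WINDOWS\explorer.exe", ""),
    (1688, "svchost.exe", r"C:\Documents and Settings\beb\Librarys\wgesdwx\svchost.exe", "explorer.exe"),
    (2044, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", "svchost.exe"),
    (2100, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", "explorer.exe"),
]


def check_process(name, path, parent):
    """Return the list of reasons this process looks wrong (empty if none)."""
    lname, lparent = name.lower(), parent.lower()
    reasons = []
    if lname in EXPECTED_PARENT and path:
        image = PureWindowsPath(path)
        # PureWindowsPath compares case-insensitively, so System32 == system32.
        if image.parent != SYSTEM32:
            reasons.append("image outside system32")
        if PROFILE_ROOT in image.parents:
            reasons.append("image inside a user profile")
        if lparent != EXPECTED_PARENT[lname]:
            reasons.append(f"unexpected parent {parent or '<none>'}")
    if lname in BROWSERS and lparent not in SHELL_PARENTS:
        reasons.append(f"browser spawned by {parent or '<none>'}")
    return reasons


def find_masquerades(processes):
    """Return (pid, name, path, reasons) for every process that trips a rule."""
    findings = []
    for pid, name, path, parent in processes:
        reasons = check_process(name, path, parent)
        if reasons:
            findings.append((pid, name, path, reasons))
    return findings
```

On a live XP machine the same tuples can be produced with `wmic process get ProcessId,Name,ExecutablePath,ParentProcessId` (mapping parent ids back to names); the rule set deliberately does not look at file hashes, so it catches a renamed dropper before any AV vendor has a signature for it, which was the situation in this thread.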
  17. Bockwinkle

    Bockwinkle Private E-2

    I guess this is sort of a follow up issue......I get a ton of thumbnails with the red X in them on every webpage....if I right click and hit show picture still get the red x.....show pictures is enabled in the multimedia section of Internet Properties.....security setting is medium-high and this happens on every website.....any idea how I can get IE8 back to showing webpage content?

    Thanks in advance!
     
  18. thisisu

    thisisu Malware Consultant

  19. Bockwinkle

    Bockwinkle Private E-2

    hmmm I ran it but same problem......about 1/2 of the images on websites aren't displayed.....tried messing with the settings and cannot get them to display.....
     
  20. Bockwinkle

    Bockwinkle Private E-2

    UPDATE - it seems the only pictures that are not displaying are PNG images for some reason.....hope this sheds some light as to the issue.....

    a quick google search reveals: "Your MIME types may be set improperly (probably due to past spyware or failed addons)." thanks in advance as always for help!
     
  21. thisisu

    thisisu Malware Consultant

    Try this:

    Open Notepad and copy everything in the code box below into it.
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/png]
    "Extension"=".png"
    "Image Filter CLSID"="{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}"
    [HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/png\Bits]
    "0"=hex:08,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,89,50,4e,47,0d,0a,1a,0a
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg > Save.
    Now merge this into the registry by double-clicking it.
    If merge was successful, then reboot your computer and see if the problem persists.
     
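Added example, not code from the thread: the interesting part of the registry fix above is the Bits value, which is the signature IE's MIME database uses to recognise a PNG by its first bytes. The Python below decodes that exact value, checks constructed PNG and JPEG headers against it, and builds the same hex list back from a pattern so you can write a comparable entry for another image type. The layout it assumes (a little-endian DWORD length, then that many mask bytes, then that many pattern bytes, matching when header & mask == pattern) is how these entries are commonly documented; the thread itself does not describe the format, so treat it as an assumption.

```python
import struct

# The Bits value from the image/png registry fix posted above.
# Assumed layout: little-endian DWORD length, `length` mask bytes, then
# `length` pattern bytes; a header matches when (header & mask) == pattern.
PNG_BITS = "08,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,89,50,4e,47,0d,0a,1a,0a"

# Constructed sample headers: the first bytes of a PNG and of a JPEG file.
PNG_HEADER = bytes.fromhex("89504e470d0a1a0a0000000d49484452")
JPEG_HEADER = bytes.fromhex("ffd8ffe000104a46494600010100")


def parse_bits(hex_csv):
    """Split a .reg 'hex:' byte list into (mask, pattern)."""
    data = bytes(int(b, 16) for b in hex_csv.split(","))
    (length,) = struct.unpack_from("<I", data, 0)
    mask = data[4:4 + length]
    pattern = data[4 + length:4 + 2 * length]
    if len(mask) != length or len(pattern) != length:
        raise ValueError("truncated Bits value")
    return mask, pattern


def encode_bits(pattern, mask=None):
    """Build the hex: byte list for a signature (mask defaults to all ones)."""
    mask = bytes([0xFF] * len(pattern)) if mask is None else mask
    if len(mask) != len(pattern):
        raise ValueError("mask and pattern must be the same length")
    data = struct.pack("<I", len(pattern)) + mask + pattern
    return ",".join(f"{b:02x}" for b in data)


def sniff(header, hex_csv):
    """True if the file header satisfies the registry signature."""
    mask, pattern = parse_bits(hex_csv)
    if len(header) < len(pattern):
        return False
    return all((h & m) == p for h, m, p in zip(header, mask, pattern))
```

Feeding `sniff()` the first 16 bytes of a file that IE shows as a red X tells you whether the signature is the problem (a real PNG that fails to match means the registry value on the box is damaged) or whether the server is sending something other than a PNG under that name.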
  22. Bockwinkle

    Bockwinkle Private E-2

    merged it and rebooted.....still red x's for all png files and it says hyper text transfer protocol now for type.
     
  23. thisisu

    thisisu Malware Consultant

    Try merging this registry file I've attached to this message. Reboot afterwards.
     

    Attached Files:

  24. Bockwinkle

    Bockwinkle Private E-2

    That did it! Many Many Many thanks Thisisu! :)
     
  25. thisisu

    thisisu Malware Consultant

    You're welcome :)
    Be safe.
     
