audio ads but no webpages open

Discussion in 'Malware Help (A Specialist Will Reply)' started by Luraziel, Jul 3, 2012.

  1. Luraziel

    Luraziel Private E-2

    I seem to be having a strange issue on my wife's computer. You see, there are times when audio from web advertisements is playing, but there are no Internet Explorer windows open, nor are there any processes of it open in Task Manager.

    It's a Win 7 64-bit Home Premium laptop made by ASUS.

    It has an Intel proc with Radeon graphics (not sure if this is relevant).

    Below are the logs from the sticky except the MGtools log (still waiting for it to finish).

    It appears that RogueKiller, Malwarebytes, and HitmanPro all found something, but I did not want to proceed further until I had a second opinion, as it seems there might be a rootkit in this machine.

    Please help :(

    Thanks in advance!
    Edit: the HitmanPro log did not post. There was something about an invalid file... how can I post this to you guys?
     

    Attached Files:

    Last edited: Jul 3, 2012
  2. Luraziel

    Luraziel Private E-2

    Here is the MGtools log zip.
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, Luraziel :)

    Zip the file up and then attach it ;)
    Refer back to HitmanPro - How to scan and obtain a log if you need help with this.
     
  4. Luraziel

    Luraziel Private E-2

    D'oh!!! Oh man, why didn't I think of this sooner!!! lol :banghead

    Here's the log!!
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Open RogueKiller.

    • Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    • When it opens, press the Scan button again.
    • Now press the Delete button.
    • After deleting has finished, press the Fix DNS button.
    • After that has finished, press the Fix Host button.
    • When these tasks are finished, there should be a few new logs on your desktop.
    • Attach RKreport[2].txt RKreport[3].txt and RKreport[4].txt to your next message. (How to attach)

    __

    Rescan with HitmanPro; when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
    Leave the other detections alone (Ignore them).
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect; please do so.

    _

    Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)
     
  6. Luraziel

    Luraziel Private E-2

    Done and done. Here are the requested logs.

    For the record, the DNS changes were made by me; they are the DNS servers used by my ISP. I manually enter them into all of my internet-connected devices to ensure max stability to the internet (there appears to be some kind of firmware/packet timeout issue with my brand of modem; it's all over the web if it's Googled).

    For the purposes of fixing this computer, and per your instructions, I did click Fix DNS though.

    Thanks!
     

    Attached Files:

  7. Luraziel

    Luraziel Private E-2

    Here is the HitmanPro log as well.

    BTW, should I be concerned with the U/ thing it found? It calls it ZeroAccess, which is the same thing RogueKiller said it found :/
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Yes, it's part of the infection you have, but we have removed the bulk of it via RogueKiller and HitmanPro.

    Delete these folders if they are still present:
    • c:\windows\installer\{02aa5060-33eb-f51c-18da-7d0f5d47f555}
    • C:\Users\Risha\AppData\Local\{02aa5060-33eb-f51c-18da-7d0f5d47f555}

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  9. Luraziel

    Luraziel Private E-2

    MGtools log incoming.

    Also, I deleted this folder:
    c:\windows\installer\{02aa5060-33eb-f51c-18da-7d0f5d47f555}
    The other was not present :)

    Thank you for your help! :):major
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Logs look much better.

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator).
    Shut down your protection software now (antivirus, antispyware... etc.) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines, but do not click Fix until you exit all Explorer windows and all browser sessions, including the one you are reading in right now:

    • O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    __

    The rest of your logs are clean. If you are still having malware related problems, let me know, otherwise you may proceed with the below:

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Recommend reading for you: How to deal with startup processes - do not use MSconfig
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
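The two indicators thisisu worked from in posts #8 and #10 (GUID-named folders left in %WINDIR%\Installer and a user's AppData\Local, and a Browser Helper Object whose CLSID no longer points at any file on disk, which HijackThis prints as "O2 - BHO ... (no file)") can both be checked read-only before deciding what to clean. The script below is an added example written for this thread; it is not MajorGeeks' or thisisu's tooling and not part of any of the tools used above. It assumes PowerShell 3 or later on 64-bit Windows with profiles under C:\Users, and the "suspect folder" heuristic (a GUID folder that has subfolders, or the same GUID present in both locations, as in post #8) is this example's own rule, not something the thread states.

```powershell
# Added example (not from the thread): read-only triage for the two indicators
# discussed above. Nothing here deletes or modifies anything.
# Assumptions: PowerShell 3+, 64-bit Windows, user profiles under C:\Users.

$GuidName = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'

# Check 1: GUID-named folders in %WINDIR%\Installer and every user's AppData\Local.
# The Installer folder legitimately contains GUID folders (MSI icon caches), so
# this heuristic only reports folders that contain subfolders (like the "U/"
# mentioned in post #7) or whose GUID shows up in both locations.
function Find-SuspectGuidFolders {
    $roots = @("$env:WINDIR\Installer")
    $roots += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
              ForEach-Object { Join-Path $_.FullName 'AppData\Local' }

    $found = foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -imatch $GuidName } |
            ForEach-Object {
                $subs = @(Get-ChildItem -LiteralPath $_.FullName -Directory -Force -ErrorAction SilentlyContinue |
                          Select-Object -ExpandProperty Name)
                [pscustomobject]@{
                    Guid    = $_.Name.ToLowerInvariant()
                    Path    = $_.FullName
                    SubDirs = ($subs -join ',')
                }
            }
    }

    # GUIDs that appear under more than one root (Installer AND a profile)
    $multi = @($found | Group-Object Guid | Where-Object { $_.Count -gt 1 } |
               Select-Object -ExpandProperty Name)
    $found | Where-Object { $_.SubDirs -ne '' -or $multi -contains $_.Guid }
}

# Check 2: Browser Helper Objects whose CLSID does not resolve to a DLL on disk.
# BHOs load from the HKLM key (and its Wow6432Node twin for 32-bit IE); each
# subkey name is a CLSID whose InprocServer32 default value names the DLL.
function Find-OrphanedBhos {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        $wow = $bhoKey -like '*Wow6432Node*'
        $bitness = if ($wow) { '32-bit' } else { '64-bit' }
        $classRoot = if ($wow) { 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }

        foreach ($entry in Get-ChildItem -LiteralPath $bhoKey -ErrorAction SilentlyContinue) {
            $clsid = $entry.PSChildName
            # Machine-wide COM registration first, per-user registration as fallback
            $candidates = @("$classRoot\$clsid\InprocServer32",
                            "HKCU:\Software\Classes\CLSID\$clsid\InprocServer32")
            $server = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

            $dll = $null
            if ($server) { $dll = (Get-ItemProperty -LiteralPath $server).'(default)' }

            $status = 'ok'
            if (-not $server)  { $status = 'no CLSID registration' }
            elseif (-not $dll) { $status = 'no InprocServer32 path' }
            else {
                # Registry paths may be quoted or use %SystemRoot%-style variables
                $file = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if (-not (Test-Path -LiteralPath $file)) { $status = 'no file' }
            }

            [pscustomobject]@{ Clsid = $clsid; Bitness = $bitness; Dll = $dll; Status = $status }
        }
    }
}

Write-Host '== Suspect GUID-named folders =='
Find-SuspectGuidFolders | Format-Table -AutoSize
Write-Host '== BHO entries that do not resolve to a file =='
Find-OrphanedBhos | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the Installer folder and other users' profiles are readable. An entry with Status "no file" is the same condition HijackThis flagged in post #10: a registered BHO with nothing left to load, which is harmless on its own but is exactly the kind of leftover worth removing once the payload it pointed at is gone.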
     
  11. Luraziel

    Luraziel Private E-2

    Thanks a whole lot! I'll finish this up tonight and give it a few days to see if the audio comes back!

    Not sure how she got infected, 'cause she only goes on Facebook and plays WoW and Diablo 3 on it.

    Either way, thank you very much for your help! :)
     
  12. thisisu

    thisisu Malware Consultant

    You're welcome :)
     
