Unknown/unauthorized audio

Discussion in 'Malware Help (A Specialist Will Reply)' started by excat76046, Jul 17, 2012.

Thread Status:
Not open for further replies.
  1. excat76046

    excat76046 Private E-2

    My system is MS XP Home with service pack 3 and all available updates of which I am aware. Browser is IE8, likewise with all available updates. I am reasonably sure that my system is somehow infected with "something". I get intermittent unauthorized audio that usually sounds like TV commercials. Sometimes like a SciFi soundtrack. Not often, I see momentary (two seconds, or less) messages about the program having to close, but it never does. The audio is often heard when no program (other than startup items) is running...no programs including the browser. When using the browser, it will occasionally become "un-selected" (I don't know what to call this...the intense blue bar at the top of the page becomes muted). From a Clean Boot, I have used the MS Safety Scanner to scan the entire system (not quick scan) and the scanner reports no problems found. I have likewise scanned the entire system (not quick scan) using Malwarebytes Anti-Malware software and the software reports nothing found. I have used Kaspersky TDSSKiller to scan for root-kits and that software reports nothing found. I have used Spybot to scan the entire system and it always (of course) finds a few items, but when these are "killed", no improvement is made. I have "cleansed" the system using CCleaner, but with no obvious improvement to the problem. I have scanned the entire system using my AVG 2012 Anti-virus software. It reports no problems found. All of these software items have been updated to today's date. The symptoms persist. Are there other techniques that I should use to find the problem? TIA for any assistance that can be offered. Logs are attached.
     


  2. thisisu

    thisisu Malware Consultant

    Please download OTL by OldTimer.

     
    Last edited: Jul 18, 2012
  3. excat76046

    excat76046 Private E-2

    Thank you for your help. File you requested is attached. The OTL also left a file called Extras.txt and I have retained that in case you need to see it also.
     

    Attached Files:

    • OTL.Txt (162.8 KB)
  4. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe -- (KSS)
    SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\CORDRA~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    [2010/03/04 15:47:03 | 000,000,000 | ---D | M] ("Ask Toolbar for Firefox") -- C:\Documents and Settings\Cordray Family\Application Data\Mozilla\Firefox\Profiles\fvqrqweu.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
    O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-854245398-115176313-839522115-1007\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
    NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2011/06/05 22:14:47 | 000,001,320 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\734ic5kl480kc2nvg31
    [2011/06/05 22:14:47 | 000,001,320 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\734ic5kl480kc2nvg31
    [2011/06/01 12:14:16 | 000,001,336 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\66n6lvrb687k554gr24ny0m34451n0ef0m430sw3r75t7oh
    [2011/06/01 12:14:16 | 000,001,336 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\66n6lvrb687k554gr24ny0m34451n0ef0m430sw3r75t7oh
    [2010/12/08 22:47:50 | 000,101,608 | ---- | C] () -- C:\WINDOWS\ohecigenoguqutoq.dll
    @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
    :files
    C:\Program Files\AskBarDis
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\3E0AING0 /d
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\H6V4V050 /d
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\MHUMFO9G /d
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\P89K6PZ9 /d
    C:\Documents and Settings\Cordray Family\Desktop\%USERPROFILE%
    C:\TDSSKiller*.txt /d
    C:\Documents and Settings\Cordray Family\Local Settings\Application Data\dt.dat
    C:\Documents and Settings\Cordray Family\Local Settings\temp\2D.tmp
    c:\mglogs.zip /d
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 11
    • Java(TM) 6 Update 7

    __

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    __

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
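As an added illustration (not the consultant's tool, nor OTL's own logic) of what the entries in the fix above have in common, here is a small Python triage that scans OTL-style log lines for the same classes of entry: services and drivers whose file is missing, IE hooks and toolbars with no CLSID, hidden+system or unsigned files with random-looking names, and alternate data streams. The sample log is constructed to mirror the format on this page, and the heuristics are my own assumptions.

```python
import os
import re

# Constructed OTL-style excerpt modelled on the entries in the fix above; the
# paths, sizes and GUIDs are illustrative, not a real log from this thread.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\Program Files\Example\kss.exe -- (KSS)
SRV - C:\WINDOWS\System32\svchost.exe -- (Dnscache)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\USER~1\LOCALS~1\Temp\catchme.sys -- (catchme)
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
[2011/06/05 22:14:47 | 000,001,320 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\734ic5kl480kc2nvg31
[2010/12/08 22:47:50 | 000,101,608 | ---- | C] () -- C:\WINDOWS\ohecigenoguqutoq.dll
[2012/07/17 09:00:00 | 000,069,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\notepad.exe
@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
"""

# OTL file entry: [timestamp | size | attributes | C/M] (vendor) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[-A-Z]{4})\s*\|\s*[CM]\]"
    r"\s*\((?P<vendor>[^)]*)\)\s*--\s*(?P<path>.+)$"
)

def looks_random(path):
    """Heuristic (assumption): a long alphanumeric basename with no separators."""
    name = os.path.basename(path.replace("\\", "/")).rsplit(".", 1)[0]
    if not name.isalnum() or len(name) < 12:
        return False
    return any(c.isdigit() for c in name) or len(name) >= 14

def triage(text):
    """Return (category, line) findings for the entry classes the fix targets."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(("SRV", "DRV", "NetSvcs")) and "File not found" in line:
            findings.append(("orphaned service/driver", line))
        elif "No CLSID value found" in line:
            findings.append(("dangling CLSID (hook/BHO/toolbar)", line))
        elif line.startswith("@Alternate Data Stream"):
            findings.append(("alternate data stream", line))
        else:
            m = FILE_RE.match(line)
            if not m:
                continue
            attrs, vendor, path = m.group("attrs"), m.group("vendor"), m.group("path")
            hidden_system = "H" in attrs and "S" in attrs          # -HS- entries
            in_windows_root = path.lower().startswith("c:\\windows\\") and path.count("\\") == 2
            if hidden_system or (vendor == "" and (in_windows_root or looks_random(path))):
                findings.append(("suspicious unsigned file", line))
    return findings

def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts

if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:36} {line[:90]}")
```

Entries a scan flags this way are leads for a reviewer to confirm against the full log, not a verdict on their own.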
     
  5. excat76046

    excat76046 Private E-2

    I have performed work as you described. Files attached per your message. Many thanks.
     


  6. excat76046

    excat76046 Private E-2

    Having trouble with IE8. It will open, but operates erratically. I can access Hotmail, but it "freezes" and I cannot close it without closing IE8 or once had to power down the whole computer. I don't seem to have any Java loaded right now. Is that the problem? Thank you.
     
  7. thisisu

    thisisu Malware Consultant

    Your latest logs look fine.
    Java shouldn't have anything to do with Hotmail. Is it only Hotmail that you are having trouble with now? Are you still having trouble with the unauthorized audio?
     
  8. excat76046

    excat76046 Private E-2

    Hotmail is unusable (I just tried again). I can open the feature and I can see incoming messages, and I can open a message. But when I try to do anything (e.g., scroll down the message, move it to another folder, etc....no pattern that I can see), Hotmail will lockup completely and remain unusable. I am able to return to the homepage tab of IE8 (homepage is MSN.com) and I can open items from there, or I can go to the MG site (as I am doing now). But IE8 is somewhat goofy also. If you are familiar with the MSN.com site, at the top of the page are a series of usually-seven "feature stories". Associated with those are forward-backward arrows that I can use to scroll thru these stories. Today, there are only two stories and the arrows are gone. I have not tried to use IE8 extensively, since this problem only started last night. I just received the MS bee-boop signal and a message, something about lack of memory at line 55 (sorry, I only saw it momentarily). AVG2012 has also been giving me messages about the browser using excessive amounts of memory. Usually on the order of 300-500 Mb, but today it is 1Gb. AVG recommends closing the browser and restarting, but I have typically been ignoring these messages since the browser seemed to be working OK (I don't actually know what AVG is trying to tell me.). These messages are not new following your last recommended work. I have been getting these for several days, but assumed they were associated with whatever has been bugging my system. The Hotmail problems and IE8 goofiness are new following the last recommended work. When Hotmail is "stuck" and I interrogate Task Manager, I find CPU usage at 50-60% and Page File usage at +/- 2Gb. As if Hotmail is in a tizzy doing something and is completely ignoring all my other requests (such as...CLOSE). Right now (typing this message, Hotmail is not open), CPU usage is very low (0-5%) and Page File usage is 533 Mb. 
    I was in the process of typing this message previously (Hotmail "open" and "stuck") when I suddenly received a message from Microsoft Visual C++ Runtime Library. It stated, "Runtime error! Program C:\Program Files\Internet Explorer\iexplore.exe This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information". When I clicked OK, I lost everything (Grrrrrr!) when IE8 and Hotmail all shut-down. So, I hope I have accurately re-portrayed what I was originally trying to tell you.

    Regarding original problems (unknown audio and occasional program closure messages), these seem to be gone. I am not absolutely sure since these were sporadic and sometimes required extended computer run time to occur. With the problems that I have been having today, I have been using the machine for 2.5 hrs and no audio or closure messages thus far. Indications are very good that those problems are gone. But the IE8 and Hotmail problems are completely new following recommended work from last night.

    Sorry for the grief!
     
  9. excat76046

    excat76046 Private E-2

    Additional info re: IE8. Ordinarily when I access a story on MSN.com, large arrows appear on either side of the chosen story to be used to advance or retreat in their story-list. Today, those arrows are gone. When I mouse over the ordinary location for these, a shadowy figure of these appears as if the info is superimposed over the chosen story, but not completely visible.

    Another data-point.
     
  10. thisisu

    thisisu Malware Consultant

    I'm not sure about the current issues you are having with Hotmail and MSN but here are a few things to try:

    Now install the current version of Sun Java from: here

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Register System Files
      • Repair Internet Explorer
      • Repair Winsock & DNS Cache
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.
     
  11. excat76046

    excat76046 Private E-2

    Thanks for sticking with me. Java is installed and I confirmed by observing the Add/Remove programs within the control panel. I ran the Windows Repair as you requested and it seemed to operate as intended. When the system restarted, I noticed at least one thing that is different from before. I have been noticing that the Windows firewall has been very late in starting. Lately I have been seeing a message that says the firewall was not operating. If I waited a little, the firewall would install and the message would go away. Now, I get no such message. So, something has changed. Unfortunately, IE8 and Hotmail are as before. Hotmail maybe a little worse as now it is again "stuck" (as I type this) and I was unable even to open the first message. I am trying to send this quickly because the system is acting funny and I don't want to lose this message again. I have again seen the Out of Memory at line 55 message. Must stop and send this.
     
  12. excat76046

    excat76046 Private E-2

    I misspoke. Firewall message continues to appear as before. The firewall apparently loads very late. Sorry for the confusion.
     
  13. excat76046

    excat76046 Private E-2

    New information. I opened IE8 without add-ons (start; all programs; accessories; system tools; internet explorer (no add-ons)). While IE8 and Hotmail continue to exhibit some strange appearance characteristics (primarily in navigation tools), I am able to run both programs in a pretty normal fashion. No lock-ups; CPU usage is low; memory usage is less than 100 Mb; in general, pretty normal except for navigation aids. Intuition would tell me that the problem lies in some add-on or other, but I'm not sure how to determine which is the culprit.

    The original problem of unauthorized audio and program shutdown messages seems to be gone. I haven't heard or seen any such thing since the last instruction that you gave me (before the IE8 problems). Many thanks for your help with that.

    I welcome any further advice that you might be able to give me about the IE8 and Hotmail problem.
     
  14. thisisu

    thisisu Malware Consultant

  15. excat76046

    excat76046 Private E-2

    I am so confused I could spit. Tonight, before reading your reply, I again started IE8 with no add-ons and I entered Hotmail the same way. I saw your reply in my Inbox and I opened your reply. As I scrolled down the reply, Hotmail suddenly went into its old habit of locking-up and I was unable to get it to do anything. This time, I was able to finally close it by closing IE8 using Task Manager. Earlier in the afternoon (see earlier message), I was in Hotmail doing pretty much anything I wanted. I moved files, deleted files, read files, etc. with absolutely no problem. Tonight....no go. After killing IE8 (as above), I restarted it and opened MG website and followed your instruction. I used both methods of resetting IE (browser running and browser closed). This has apparently had no effect as IE8 and Hotmail are continuing to struggle. I did notice one thing about which I am totally confused. When I closed IE8 (as stated above), Task Manager continued to show high CPU usage and high memory usage....and nothing was running. I went to the Processes tab and found three individual line items for iexplore.exe and they were all three using memory and CPU. When I went to the Applications tab, it showed no tasks were running. I killed each line item iexplore.exe using End Process on the Processes tab, and CPU and memory usage declined dramatically. What in the world is that all about?
     
  16. thisisu

    thisisu Malware Consultant

    I do not know, but since you are no longer experiencing malware related issues, it is time for us to wrap up here.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  17. excat76046

    excat76046 Private E-2

    Hmmmm....well, OK. But one more thing. The audio is back, and Microsoft tells me that multiple processes on the Task Manager (as I reported to you) is often caused by...wait for it....MALWARE. Let's see ....the audio is still here and now my software is screwed by work that I did at your direction. Hmmmmmm.....
     
  18. thisisu

    thisisu Malware Consultant

    That really isn't called for :\ I was trying to help you but if you want to smart *** me then forget about it.

    Let Microsoft help you since you want to take their word for it even though I'm the one actually reviewing your logs (which includes processes).

    P.S. Hotmail is not "software".

    Thread closed
     