Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: artscott on July 08, 2012, 05:20:12 PM
-
I just got an audio virus....do not know how or where as I have not downloaded anything or opened any emails that were not scanned........ it is a loop playing some version of "Somewhere over the rainbow" with a male voice and ukulele .... I am currently doing a complete system scan with avast and also with SUPER Anti Spyware ....
This thing is driving me nuts, as I cannot listen to anything but that stupid loop.
I do know it is not associated with any one of my 265 open FireFox tabs....I closed all the tabs and browser it was still playing........
Anyone got any ideas on how to destroy this thing????
-
Yep ;D
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 4.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start scan
(http://dl.dropbox.com/u/73555776/aswMBRscan.png)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://dl.dropbox.com/u/73555776/aswMBRlog.png)
THEN
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-08 23:30:50
-----------------------------
23:30:50.653 OS Version: Windows x64 6.1.7601 Service Pack 1
23:30:50.653 Number of processors: 2 586 0x170A
23:30:50.655 ComputerName: KRKONOSE UserName:
23:31:03.479 Initialize success
23:31:09.468 AVAST engine defs: 12070801
23:31:15.176 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:31:15.190 Disk 0 Vendor: ST950042 0003 Size: 476940MB BusType: 3
23:31:15.196 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
23:31:15.208 Disk 1 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
23:31:15.219 Disk 2 \Device\Harddisk2\SR0 -> \Device\SdBus-0
23:31:15.224 Disk 2 Vendor: ( Size: 1876MB BusType: 12
23:31:15.268 Disk 0 MBR read successfully
23:31:15.276 Disk 0 MBR scan
23:31:15.282 Disk 0 Windows 7 default MBR code
23:31:15.297 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 78 MB offset 63
23:31:15.322 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 9642 MB offset 161792
23:31:15.352 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 467218 MB offset 19908608
23:31:15.369 Disk 0 scanning C:\Windows\system32\drivers
23:31:40.108 Service scanning
23:32:16.045 Modules scanning
23:32:16.074 Disk 0 trace - called modules:
23:32:16.101 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys
23:32:16.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80057c3160]
23:32:16.117 3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004ae7050]
23:32:18.406 AVAST engine scan C:\Windows
23:32:31.132 AVAST engine scan C:\Windows\system32
23:36:43.938 AVAST engine scan C:\Windows\system32\drivers
23:37:12.228 AVAST engine scan C:\Users\ART SCOTT FOTOGRAFIE
23:39:30.948 Disk 0 MBR has been saved successfully to "C:\Users\ART SCOTT FOTOGRAFIE\Documents\aswMBR log\MBR.dat"
23:39:31.150 The log file has been saved successfully to "C:\Users\ART SCOTT FOTOGRAFIE\Documents\aswMBR log\aswMBR.txt"
-
Getting a server busy on the OTL.exe.....
-
Please ATTACH your files. Thank you.
Now I've got that song in my head! :P
-
What files do you want me to attach?? And how.....I am not the smartest when it comes to this stuff....sorry.
Why did I not run the "FIX MBR"?
It is all quiet this morning....ran Avast overnight....Of course this thing could have a timer to only run late at night I guess...when I am trying to sleep and have a playlist of favorite music going...that is when I first noticed it...my music was garbled due to this thing.......
Before I forget...thank you for trying to help....I am a dummy when it comes to this stuff.
-
Hi the main G2G site is down at the moment
Here is a secondary link http://majorgeeks.com/OTL_OldTimers_List-It_d7074.html
Do not fix MBR as Avast is not indicating that to be a problem area
-
Do not fix MBR as Avast is not indicating that to be a problem area
ok....clicked on the OTL link above and it started running without me ticking all the boxes and pasting in the code for the custom box...since it does not have a stop button...I will try to rerun as soon as it is done...Thanx for all the help so far.
-
OK G2G is back up now ;D
-
I THANK YOU FOR THE GREAT HELP...GETTING READY TO RUN.
-
Ran OTL twice and I only get 1 notepad file to save...here it is:
-
OK that has shown me where to go.. This will be a busy fix
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
IE - HKLM\..\SearchScopes\{9230cb90-79de-4945-88a4-762244a25bc8}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKxdm069YYus&ptb=71F7AA70-49AA-49F2-B9A3-3BBD43C053BD&ind=2011121716&ptnrS=YKxdm069YYus&si=&n=77df4834&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-976585497-1788263173-2779139924-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=14542
IE - HKU\S-1-5-21-976585497-1788263173-2779139924-1000\..\SearchScopes\{9230cb90-79de-4945-88a4-762244a25bc8}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKxdm069YYus&ptb=71F7AA70-49AA-49F2-B9A3-3BBD43C053BD&ind=2011121716&ptnrS=YKxdm069YYus&si=&n=77df4834&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-976585497-1788263173-2779139924-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;<local>
[2010/10/08 23:51:45 | 000,002,226 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)
:Files
C:\Users\ART SCOTT FOTOGRAFIE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
C:\Users\ART SCOTT FOTOGRAFIE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
NEXT
Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application
(http://dl.dropbox.com/u/73555776/TDSSFront.JPG)
- Then click on Change parameters.
(http://dl.dropbox.com/u/73555776/TDSSConfig.JPG)
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(http://dl.dropbox.com/u/73555776/TDSSFound.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(http://dl.dropbox.com/u/73555776/TDSSEnd.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please attach its contents on your next reply.
AND FINALLY
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
reading your instructions you say: "Run OTL
Under the Custom Scans/Fixes box at the bottom, paste in the following". Am I supposed to paste in the same code as I did before or the whole of the blue box posted in your response above?? Sorry... I am not the brightest lamp in the room...
-
Not a problem
Copy and paste just the part in the quote box in the last post as this is the fix
-
fix report and now off to download and run the TDSSKILLER....
-
TDSS KILLER REPORT -
-
Dobry den ...
I was listening to this little ditty as I posted the above TDSS report file....but I have not heard it since 7-12-2012 at 1PM Central Daylight time (US) .......
Dekuju.
-
Could you post the combofix log please and let me know of any remaining problems
-
Was just getting into some David Koller music on Spotify ....and Damn it came back ..... or probably never gone....on my way to appointment I will try to find combo fix log....when I ran TDSS it only showed one log posted above and the OTL only gave 1 notepad log posted a few above also.... Sorry... but will look thru when I return in a few hours....
Dekuju!
-
It should be at C:\combofix.txt... If not could you re-run Combofix for me please
This is not an MBR infection so I think I will need to double check your BHO's
-
I am such an idiot....I keep stopping at the end of each thing I had to run, not reading the whole dang post you made...my stupidity...here is the combofix log:
Mockrát děkuji!
-
Do you still have the music... Does it start when you run any specific programme
-
right now ... 6:41pm it is not playing......and as far as it coming on with particular program....no...it came on with some Spotify Music or my own wav files (all my CD's were converted to wav, not MP3 ... ... now I need HDD space and need to reconvert to MP3.....) of music or even when watching a DVD movie or if I was trying to do my Foreign Language lessons or on the net......
If it comes back I will let you know....I figure if it is gone for the next 72 hours then I am clean....or it has some sort of built in calendar or clock... ... ... because when I first heard it it was constant 24hrs a day and that was when I realized that Avast was not showing on my tool bar, then when I got avast back on it was not connected to any account (weird cause I knew I had registered it and found my key code), then it became intermittent as I said previously, I thought it was gone as it had not shown up for over 24 hrs...then it was back as I was really getting in some David Korell ... So I am hoping it is gone for good....
Mockrát děkuji!
-
I wonder if there is a problem within spotify ?
Never used it myself so I could not be sure... But it does seem to be the one consistent area
Anyway, let's see how it goes
-
Dobry den!!
So far all is quiet.......which is great....truly appreciate all the kind help.......I know it can be hard when helping someone like me .....that is computer technically challenged.
Mockrát děkuji!
-
Let's run for one more day to be sure, then if you are happy I will remove my tools ;D
-
Well I was all excited...there had been no sign of that damn song ....was ready to give an all clear.....I have no idea where it is or came from or how it hides.....I went thru all of my email accounts and purged everything ..... I closed all 250 of my tabs in FireFox......I have no clue....this thing starts playing when I am in Photoshop or Lightroom......so I have no idea....I am about ready to do a HDD format.
Thank You EVERYONE for all the help.....
-
So it just re-appeared ? This does not really make sense... It's not part of a programme is it .. Photoshop, lightroom ?
-
no it is not part of any of my programs....if it were it would be causing one heck of a buzz on those forums.....i agree it does not make sense.....well as I said Thanks for all of your help... as I said I guess I will just have to do a HDD format and start loading all software from ground up again....
THANX AGAIN.
-
OH well, I have just found another of these over at Geeks to Go. So I will be playing with that one now to try and find a solution
-
This is really screwy ...... all I did since last post was to shut down my computer...a quick restart .... and brought all the same programs (spotify, Kindle, and Avast...) and the 250 FF tabs that I had open when I last posted....that restart was a little over a hr ago...all is quiet ................again.....sorta funny....and sorta not....have fun with the one over at Geeks to Go....
-
Sometimes when something new/old comes up, the solution can be hard to pin down. If I had what you have had, it would bother me. At least for you, it is quiet for now. As essexboy will be looking for a common link between here and Geeks to Go, once he finds it, you will be good to go.
-
Aye once the fella gets back to me ;D