IE running in background, random audio clips playing


Hi, I have seen this problem all over the internet and was wondering if you could help me.

Internet Explorer is running on my PC when I don't even use the browser. I try to end the process via Task Manager and it almost instantly reappears. I am also hearing random audio clips every 15-30 minutes, even when all internet browsers are closed, which drives me insane. Any ideas on what could be causing this?

Cheers


  • Staff

Hi,

Please do the following:

Please download DDS from either of these links

LINK 1

LINK 2

and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt.

NEXT

Please download aswMBR to your desktop.

  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well


  • Staff

Hi

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Uncheck the Whitelist boxes next to Registry, Services, Drivers, and Known DLLs
  • Place a check next to List Drivers MD5
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).


  • Staff

Hi

Please do the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt

start
HKU\OEM\...\Run: [tmp455A] "C:\Users\OEM\AppData\Local\Temp\tmp4559.tmp.exe" [x]
HKU\OEM\...\Run: [tmp7752] "C:\Users\OEM\AppData\Local\Temp\tmp7751.tmp.exe" [x]
HKU\OEM\...\Run: [tmp4D07] "C:\Users\OEM\AppData\Local\Temp\tmp4D06.tmp.exe" [x]
HKU\OEM\...\Run: [tmpCB2B] "C:\Users\OEM\AppData\Local\Temp\tmpCACD.tmp.exe" [x]
HKU\OEM\...\Run: [{21FB968C-E0EA-68C7-E04B-482E4D0E28A2}] C:\Users\OEM\AppData\Roaming\Uzuc\vyhy.exe [141312 2010-03-21] ()
HKU\OEM\...\Run: [tmp8881] "C:\Users\OEM\AppData\Local\Temp\tmp8880.tmp.exe" [x]
HKU\OEM\...\Run: [tmpD0C7] "C:\Users\OEM\AppData\Local\Temp\tmpD0C6.tmp.exe" [x]
HKU\OEM\...\Run: [tmpEF6D] "C:\Users\OEM\AppData\Local\Temp\tmpEEF0.tmp.exe" [x]
HKU\OEM\...\Run: [tmp6D92] "C:\Users\OEM\AppData\Local\Temp\tmp6D91.tmp.exe" [x]
HKU\OEM\...\Run: [HKCU] C:\Users\OEM\AppData\Roaming\Winbooterr\svchost.exe [280064 2005-09-23] ()
HKU\OEM\...\Run: [tmp8640] "C:\Users\OEM\AppData\Local\Temp\tmp8610.tmp.exe" [683008 2012-04-11] (i?hllrKIrKGšllIGSGlIl?oššrhinN)
HKLM\...\Policies\Explorer\Run: [Policies] C:\Users\OEM\AppData\Roaming\Winbooterr\svchost.exe [280064 2005-09-23] ()
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
NETSVC: websenseuserservice -> C:\Windows\system32\sqlagent$sony_mediamgr.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\system32\sqlagent$sony_mediamgr.dll
2012-07-06 21:27 - 2012-07-06 21:27 - 00000000 ____D C:\Users\OEM\Downloads\Adobe Photoshop CS5 Extended (Crack + Instructions)
2012-06-20 03:19 - 2012-05-23 16:18 - 00084480 ____A C:\Windows\SysWOW64\TI22sGJa.exe
2012-06-20 03:19 - 2012-05-23 16:18 - 00084480 ____A C:\Windows\SysWOW64\pBSM5m1r.exe
2012-06-20 03:19 - 2012-05-23 16:18 - 00084480 ____A C:\Windows\SysWOW64\cXclsvs5.exe
cmd: del /a/f/q c:\windows\tasks\at*.job
2012-05-23 16:18 - 2012-05-23 16:50 - 00084480 ____A C:\Users\All Users\3867K7JY.exe
2012-05-20 17:18 - 2012-05-20 17:18 - 00439107 ____A C:\Users\OEM\Downloads\- Hotmail Password Hacker 3.0.rar
2012-05-19 22:40 - 2012-05-19 22:38 - 10567741 ____A C:\Users\OEM\Downloads\Pro Facebook Hack v 1.5 2012.rar
2012-05-19 22:39 - 2012-05-19 22:35 - 20971520 ____A (Microsoft Corporation) C:\Users\OEM\Downloads\Facebook_Hacker_v3.0.exe
2012-05-19 21:47 - 2012-05-19 21:47 - 00377477 ____A C:\Users\OEM\Downloads\Facebook Multi Extractor.zip
2012-05-19 21:39 - 2012-05-19 21:38 - 00844642 ____A C:\Users\OEM\Downloads\Facebook Password Hacker v1.3.rar
2012-05-19 21:30 - 2012-05-19 21:30 - 00026112 ____A C:\Users\OEM\Downloads\HACKERTOOLS.exe
c:\Windows\System32\consrv.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version), press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.

NEXT

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

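An added example, not part of the original thread or of any tool's own code: a small Python triage over autorun lines in the shape shown in the fixlist above, flagging the traits those entries share. The rule set, the `triage` function, the assumed `C:\Windows` location and the reading of `[x]` as "target file missing" are assumptions made for this example.

```python
import ntpath
import re

# First four lines are copied from the fixlist in the post above; the fifth is
# constructed here as a benign comparison entry.
SAMPLE = r'''
HKU\OEM\...\Run: [tmp455A] "C:\Users\OEM\AppData\Local\Temp\tmp4559.tmp.exe" [x]
HKU\OEM\...\Run: [HKCU] C:\Users\OEM\AppData\Roaming\Winbooterr\svchost.exe [280064 2005-09-23] ()
HKU\OEM\...\Run: [{21FB968C-E0EA-68C7-E04B-482E4D0E28A2}] C:\Users\OEM\AppData\Roaming\Uzuc\vyhy.exe [141312 2010-03-21] ()
HKLM\...\Policies\Explorer\Run: [Policies] C:\Users\OEM\AppData\Roaming\Winbooterr\svchost.exe [280064 2005-09-23] ()
HKLM\...\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" [102400 2012-01-15] (Example Corp)
'''
ENTRY = re.compile(
    r'^(?P<key>HK[^:]+): \[(?P<name>[^\]]+)\] "?(?P<path>.+?)"?\s+'
    r'\[(?P<meta>[^\]]*)\]\s*(?:\((?P<vendor>.*)\))?\s*$')
# Names taken from the /md5start list in the OTL post on this page.
SYSTEM_NAMES = {"explorer.exe", "winlogon.exe", "userinit.exe",
                "svchost.exe", "services.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def triage(log_text, windir="c:\\windows\\"):
    """Return [(value_name, path, [reasons])] for autoruns worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not an autorun line in the shape handled here
        path = m["path"].lower()
        reasons = []
        if any(part in path for part in USER_WRITABLE):
            reasons.append("runs from user-writable profile folder")
        if re.fullmatch(r"tmp[0-9A-Fa-f]{4}", m["name"]):
            reasons.append("temp-style value name")
        if ntpath.basename(path) in SYSTEM_NAMES and not path.startswith(windir):
            reasons.append("system binary name outside Windows folder")
        if m["meta"].strip().lower() == "x":
            reasons.append("target missing (assumed meaning of [x])")
        elif m["vendor"] == "":
            reasons.append("no company name in file metadata")
        if reasons:
            findings.append((m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE):
        print(f"{name}: {path}\n    " + "; ".join(reasons))
```

A flagged entry is a prompt for review, not a verdict; legitimate software also starts from `AppData\Roaming`, so the reasons are most useful in combination.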

  • Staff

Yes please, run it in Safe Mode.

To enter Safe Mode:

  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safe Mode
  • Then press the Enter key on your keyboard
  • Go into your usual account


  • Staff

Please have a look at C:\ComboFix.txt and see if there is a log there.

The FRST fix didn't look quite right, so let's run OTL and have a look at that; then we may need to run FRST again.

Please run the following:

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

