I have a Windows XP desktop computer that randomly plays audio advertisements and sometimes just produces odd sounds over the speakers for a few seconds at a time.
Though the computer has many browsers installed, Firefox is primarily used.
The suggested log files are attached.
Any help in resolving this issue is greatly appreciated.
Thank you!
I am not sure if the first run will kill it, could you let me know if it stops
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1708537768-1767777339-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
2015-01-24 21:17 - 2013-01-27 21:26 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\boost_interprocess
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
Thank you Essexboy!
Ran the fix, rebooted, ran ADWCleaner, rebooted and attached the logs.
This problem does not surface often so will need some time before concluding this to be resolved but so far so good.
Thank you for all of your help.
I would like to run one more scan to check out the MBR
Download the latest version of TDSSKiller from here and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
https://dl.dropbox.com/u/73555776/tdss%20start.JPG
- Then click on Change parameters.
https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG
- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
https://dl.dropbox.com/u/73555776/tdss%20threat.JPG
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
https://dl.dropbox.com/u/73555776/tdss%20report.JPG
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please attach its contents on your next reply.
Thank you again.
TDSSKiller scan complete with options selected and nothing detected.
Log attached.
So far I have not heard the audio advertisements again.
Any further problems ?
It did it again today! All seemed ok since my last email until today, but it just played a three second advertisement with nothing open but Firefox and Outlook. The machine otherwise seems fine. Any suggestions?
Thank you!
OK bigger hammer
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Ran ComboFix.
I don’t think it found anything.
Made me notice that it loads TrippLite software that probably went with a battery backup that I no longer have. Now have an APC battery backup that is also loaded.
Log Attached.
Thank you.
No, it nailed what appears to be a Windows Media File: wmsysprx.prx
Let me guess…
The file is around 300kb…
Please attach new Farbar logs to your next post.
Also export your registry, compress the file and try to attach it.
I say try because it can be large and I am not sure if this webboard allows it, so please use maximum (ultra) compression.
Now run the system as normal for a day or so and let me know if it has gone for good
Thanks everyone.
Will give it a couple of days to see if it returns and post a follow up then.
Regards,
Heard another short burst of audio advertisement today.
Ran a fresh copy of FRST and attached the logs.
Any suggestion on how to proceed greatly appreciated.
Thank you!
Nothing evident there
Download the latest version of TDSSKiller from here and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
https://dl.dropbox.com/u/73555776/tdss%20start.JPG
- Then click on Change parameters.
https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG
- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
https://dl.dropbox.com/u/73555776/tdss%20threat.JPG
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
https://dl.dropbox.com/u/73555776/tdss%20report.JPG
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
Essexboy,
what about this ?
Start
CreateRestorePoint:
Closeprocesses:
Emptytemp:
HKLM\...\Policies\Explorer: [NoCDBurning] 0
Startup: C:\Documents and Settings\SSL\Start Menu\Programs\Startup\My Computer.lnk
ShortcutTarget: My Computer.lnk -> (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1708537768-1767777339-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1708537768-1767777339-725345543-1003 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL =
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll No File
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
S3 catchme; \??\C:\DOCUME~1\SSL\LOCALS~1\Temp\catchme.sys [X]
S4 IntelIde; No ImagePath
CMD: bitsadmin /reset /allusers
End
I need to see if there is an MBR problem first as they have re-appeared since the last fix