My computer is playing music against my will -- and it won't shut up!

We installed several computer games on Christmas Day (on our other computer which has DSL Internet access), and downloaded the patches/updates for each one. Since then, we’ve been getting virus alerts from Avast about a “Trojan horse” virus at bootup each time. We’ve run both quick scans and thorough scans with Avast, as well as a scan with AdAware (and a second AdAware scan now); we also had Spybot identify malware still present after the Avast and AdAware scans (but haven’t wanted to pay to register Spybot yet). We’re still getting the warning about the Trojan virus at bootup, even though we thought we had deleted it each time (or moved it to the “chest” the last couple of times).
The really annoying thing now is that the computer is now playing “gangsta rap” music (NOT to our taste) whether we’re doing anything else online or not – and there’s nothing we can click on to turn it off (other than the Mute button on the keyboard)! I tried doing a Yahoo search for “music virus” and ran across several references to a band named Virus, but not to viruses which cause the computer to play music against the user’s wishes.
My spouse downloaded Hijack This! and seems to have somehow used it just now to delete a lot of unnecessary stuff, including whatever was causing the unwanted music to play. Has anyone else had this music-related virus/malware show up on their computers? What is it exactly, and can it be gotten rid of any other way besides using Hijack This (which is powerful enough to eliminate stuff one wants to keep along with the bad stuff)?

"we also had Spybot identify malware still present after the Avast and AdAware scans (but haven't wanted to pay to register Spybot yet)."

There is no requirement to pay to register Spybot Search & Destroy, but there are many scam programs that play on the name of this product: are you sure you have the legitimate one?

http://www.safer-networking.org/index2.html

I’d suggest you post a copy of your latest HijackThis! log here so we can check it out.

To be sure you’re clean, I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use AVG Antispyware; SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

I’ve made a printout of this thread, so my spouse can try the steps both responding posters have suggested. Thanks for getting back to me so quickly, and Happy New Year! :slight_smile:

The weird unwanted music came back a couple of times (although at least this morning it was more like old-time radio instead of “gangsta rap”). My spouse deleted it with Hijack This a couple of times (and we ran Avast, AdAware and Spybot a couple of times). Finally, I installed the Yahoo Toolbar and ran their new version of Yahoo Anti-Spy (produced for Yahoo by Computer Associates; the previous version was a Norton product) this morning. Yahoo Antispy found about 6-8 trojans (including one whose name sounded like a couple of musical genres “smushed” together – a likely candidate for the one causing the unwanted music), a couple of adware things, and a couple of hundred tracking cookies (from websites in the USA, UK, Australia, and Germany, from the country extensions in the website names I noticed for them). I also did a Thorough Scan with Avast again (nothing found after Yahoo Anti-Spy was done), and another Smart Scan with AdAware (a couple of dozen tracking cookies spotted AFTER Yahoo Anti-Spy had finished). I seem to be OK now – but I’ll want to see if that computer can stay “weird music”-free for at least 24 hours before I’ll be satisfied that we’ve got the problem taken care of.

Hi,
I’m having the exact same virus on my system.

One day all of a sudden rap music started playing, and I had no idea where it was coming from.
Glad I found this thread, so at least I know it is a virus and I’m not just going crazy.

So far here is what I’ve done.
I’ve run Avast, and it finds stuff and I move it to the chest.
I’ve then run it at boot time, and moved anything it finds there to the chest.

I’ve run SUPERantispyware, Trend Micro RootkitBuster, SpywareBlaster and did whatever they recommended.

I’ve rerun hijack this, and I’m still seeing things that shouldn’t be there and not sure how to completely get rid of them.

One thing I saw right off the bat was Nobicyt.exe and routing.exe.

They just keep coming back, and not sure how to get rid of them.
I have the windows restore points disabled now too.

any ideas?

Suspect: Upload the file/s to VirusTotal, Send a sample to avast if multiple detections at VT and Fix in HJT (see below)

C:\WINDOWS\system32\macidwe.exe
O23 - Service: macidwe - Unknown owner - C:\WINDOWS\system32\macidwe.exe
These seem associated with the music

C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\system32\tdxdowkc.exe

O23 - Service: sobicyt - Unknown owner - C:\WINDOWS\system32\sobicyt.exe

Fix:
O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} - hXXp://www.av-xp-08.com/tools/virusremover.dll (URL edited to break link)

See - http://spywaredlls.prevx.com/RRGDCF44859403/VIRUSREMOVER.DLL.html - Trojan downloader; send sample to avast as below.

Unknown:
O23 - Service: Microsoft Windows Voice Device Services (msjlksd) - Unknown owner - C:\WINDOWS\system32\msjlks.exe
O23 - Service: Microsoft Network Message Service (msmsnkd) - Unknown owner - C:\WINDOWS\system32\msmsn.exe
O23 - Service: NOBICYT Service (NOBICYT) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: sobicyt - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: tdxdowkc - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe

So all in all your system seems potentially riddled and because there is at least one trojan downloader you need a firewall that is going to block unauthorised internet connections and that simply isn’t the windows firewall as it doesn’t even check outbound connections, see below, Firewalls.

Try running SAS from safe mode, but ensure that you have the latest version and update the signatures first.

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.

Firewalls :
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
    See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
    See http://www.matousec.com/projects/firewall-challenge/results.php.

Thanks for replying, here is what I found so far by using the virustotal you recommended

So ya, my system is pretty hosed right now.
I’ll look into the firewall next (out of the ones listed, which one would you recommend?), and also going to send my chest contents to avast.
I’ve tried already removing the files from with hijack, but they always come back.

All of the results you did get back from VT confirm that at the very least they should be added to the chest, sent to avast and delete the file that is in the original location once you have it in the chest User Files section.

The ones that you get the error from VT are possibly protected in some way, what were the errors you got ?

The fact they come back in the HJT log is an indication of the active malware still at work and a firewall may help in that regard.

There are many forum users that use both Comodo and PC Tools (I use neither). Comodo can be a bit of a handful to start with as it will bombard you with questions about applications. PC Tools is said to be a little user friendly, but virtually anything is better than your current situation.

Since one of the detections also mentioned a possible rootkit, there are other tools that you can try.

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.

Thanks,
Going to load Comodo after work today, and get that setup.

I’ve also run the Panda anti root, and it found another and I deleted it.

How do I actually get rid of these other ones?
Like Nobicyt.exe, I’ve ended the process and deleted the file within the System32 folder.

But it seems as soon as I reboot, it comes back.

I’ve run, it seems, every anti spy/virus program now, but I’m not sure if I’m making any progress since they always come back.

Thanks again for your help.
Chris.

Getting rid of a rootkit will often allow you to get rid of other stuff. You should also try the other anti-rootkit tools.

Then you should run SAS (and MalwareBytes Anti-Malware freeware version http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml) from safe mode and see if that is able to find anything more, reboot. Run HJT again and see if it allows you to fix the entries.

OK,
did that, and it found 3 more rootgens. I removed them, and also went into my system32 folder and deleted all those files that were questionable on my hijack log. Just rebooted and here is my new hijack log; I noticed all the ones I deleted say file missing next to them. Why are they still appearing?

Also, I tried to email to avast those files through the avast chest. But the message bounced back as undeliverable?

Maybe you should do it in safe mode without the internet.

  1. Disconnect from the internet (pull the plug)

  2. Restart your computer and keep pressing F8 until the Boot Option appears

  3. Select Safe Mode and press enter.

I would suggest CCleaner or ATF-Cleaner.

Well, if you remember, when you tried to get rid of them before they came back; now they are back with the no file annotation, which is better as it means although there is a registry key it is inert as the command can’t run as the file isn’t there.

Now it might be that you fixed the entries before removing the files, but I would try fixing the entries again. However before you do this you should create a folder specifically for hijackthis rather than where it is currently dumped in the downloads folder. C:\HJT would be fine. Once you do that rename the hijackthis.exe file to say cdoyleHJT.exe as there are some pieces of malware that can recognise and dodge the hijackthis.exe. Now run cdoyleHJT.exe and fix the entries you mentioned.
O23 - Service: Microsoft Windows Voice Device Services (msjlksd) - Unknown owner - C:\WINDOWS\system32\msjlks.exe (file missing)
O23 - Service: Microsoft Network Message Service (msmsnkd) - Unknown owner - C:\WINDOWS\system32\msmsn.exe (file missing)
O23 - Service: NOBICYT Service (NOBICYT) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
And what looks like a new one.
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)

The emails shouldn’t have bounced, never has on mine so there is something wrong with the settings or your ISP is blocking. So you could use the other method zip and password protect the samples and send to virus (at) avast.com as I mentioned earlier. It is important to get the samples to avast so they can improve detection.

You still don’t have an active firewall, dealing with malware without one is like tying an arm behind your back as fast as you get rid of something a replacement could be downloaded.
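The distinction drawn in the reply above, between a live O23 service entry and an inert one marked "(file missing)", can be checked mechanically. The following is an added example, not part of the original thread and not HijackThis's own code; the function names are hypothetical, and it assumes the parenthesised token in an O23 line is the service's registry key name.

```python
import re

# O23/O16 lines quoted in this thread (earlier and later logs merged for illustration).
SAMPLE_LOG = r"""
O23 - Service: macidwe - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: sobicyt - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: Microsoft Windows Voice Device Services (msjlksd) - Unknown owner - C:\WINDOWS\system32\msjlks.exe (file missing)
O23 - Service: NOBICYT Service (NOBICYT) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} - hXXp://www.av-xp-08.com/tools/virusremover.dll
"""

# Windows keeps one registry subkey per installed service under this key.
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"

O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?\s*$"
)

def parse_o23(line):
    """Return a dict for an O23 service line, or None for any other line."""
    m = O23.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    # Assumption: "Display Name (keyname)" carries the service key name in parentheses.
    short = re.search(r"\(([^()]+)\)$", display)
    return {
        "service": short.group(1) if short else display,
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }

def triage(log_text):
    """Split 'Unknown owner' services into live binaries and orphaned registry keys."""
    result = {"live": [], "orphaned": []}
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None or entry["owner"] != "Unknown owner":
            continue
        if entry["file_missing"]:
            # Binary is gone: only the service key is left to inspect or remove.
            result["orphaned"].append((entry["service"], SERVICES_KEY + "\\" + entry["service"]))
        else:
            # Binary still on disk: the file to check on VirusTotal before fixing.
            result["live"].append((entry["service"], entry["path"]))
    return result
```

Entries in the "orphaned" list point at the registry keys a manual search would look for; entries in "live" are the files to quarantine and submit first.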

I installed Comodo right after I posted that last night, one thing I noticed is that Comodo has a virus checker too.
Do I need both Avast And Comodo? If not, which one should I use? Just not sure if this is bogging down my system by having 2 going at the same time?

I moved Hijack into its own folder and renamed, and rescanned. I then tried to fix the ones that said missing, and rescanned.
They still appear with the word missing at the end. Shouldn’t they have been deleted when I fix them in hijack?

Thanks again for all your help, I think I’m getting much closer to having this all fixed.

Don’t worry about the Comodo scanner, it’s just an on-demand scanner, and will not interfere with Avast. Avast is your main and only AV :slight_smile:

If you have been able to remove the files in the above HJT entries in my last post that is going a long way towards resolving the problem. The registry entries without the files are a huge issue, what is, is that something is restoring them, or possibly HJT although appearing to delete them has failed.

You should try the tools suggested by Jtaylor83 as they may be able to remove redundant registry entries. Try those and report the findings.

OK,
I ran CC Cleaner, and then reran hijack.
The ones that say missing are still appearing.

but I’ve been checking the system32 folder and have not seen those files come back yet.

Just not sure why they are still appearing in hijack?

Then the next step is atf-cleaner and if they are still there then it is a manual search of the registry for the entries, looking for the file names, perfs.exe, etc. in the registry.

lots of suggestions
all good ones
see if ATF cleaner finds anything CCleaner did not

did you ever try the SAS and MBAM scans DavidR recommended in his first post?
This is like peeling an onion
stay at it
after those two it will be time to try another AV scan with say Kaspersky