Somewhere over the Rainbow Audio Virus?????

I just got an audio virus… do not know how or where, as I have not downloaded anything or opened any emails that were not scanned… it is a loop playing some version of “Somewhere over the rainbow” with a male voice and ukulele… I am currently doing a complete system scan with Avast and also with SUPERAntiSpyware…

This thing is driving me nuts, as I cannot listen to anything but that stupid loop.

I do know it is not associated with any one of my 265 open Firefox tabs… I closed all the tabs and the browser, and it was still playing…

Anyone got any ideas on how to destroy this thing???

Yep ;D

Download aswMBR.exe (4.8 MB) to your desktop.
Double-click aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://dl.dropbox.com/u/73555776/aswMBRscan.png

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

http://dl.dropbox.com/u/73555776/aswMBRlog.png

THEN

Download OTL to your Desktop

  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users
  • Under the Custom Scan box, paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.
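The `/md5start … /md5stop` block in the custom scan above makes OTL hash the core Windows logon and service binaries, and `%SYSTEMDRIVE%*.exe` lists executables sitting in the root of the system drive. The following PowerShell does a read-only version of that check so the reader can see what the scan is looking at; it is an added example, not code from the thread, from OTL or from Avast. It assumes Windows PowerShell 4.0 or later (for `Get-FileHash`) run from an elevated prompt, and the `$expectedDirs` list is my own choice of where genuine copies of these files live.

```powershell
# Added example, not from the thread or the OTL tool: a read-only check of the same
# binaries the OTL custom scan covers (the /md5start ... /md5stop list and
# %SYSTEMDRIVE%*.exe). Assumes Windows PowerShell 4.0 or later, run as administrator.

$names = 'services.exe', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe'

# Directories where genuine copies of these binaries live (assumption for this example).
$expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot)

function Get-BinaryReport {
    param([Parameter(Mandatory = $true)][System.IO.FileInfo]$File)
    $hash = Get-FileHash -LiteralPath $File.FullName -Algorithm MD5
    $sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    [pscustomobject]@{
        Path      = $File.FullName
        SizeBytes = $File.Length
        MD5       = $hash.Hash
        Modified  = $File.LastWriteTime
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SigStatus = $sig.Status
        # A copy outside the expected directories, or one whose signature does not
        # verify, deserves a closer look; neither by itself proves infection.
        ReviewMe  = ($File.DirectoryName -notin $expectedDirs) -or ($sig.Status -ne 'Valid')
    }
}

# Every copy of each listed name in the expected directories.
$report = @(
    foreach ($name in $names) {
        Get-ChildItem -Path $expectedDirs -Filter $name -File -ErrorAction SilentlyContinue |
            ForEach-Object { Get-BinaryReport -File $_ }
    }
)

# OTL's "%SYSTEMDRIVE%*.exe" line: executables in the root of the system drive,
# which is an unusual place for anything legitimate to sit.
$report += @(
    Get-ChildItem -Path "$env:SystemDrive\*.exe" -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-BinaryReport -File $_ }
)

$report | Sort-Object ReviewMe -Descending |
    Format-Table Path, SizeBytes, MD5, SigStatus, ReviewMe -AutoSize
```

One caveat when reading the output: on older Windows releases many system binaries are signed only through a security catalog, and `Get-AuthenticodeSignature` then reports `NotSigned` for a perfectly genuine file. Treat the signature column as a hint and compare the MD5 and size columns against a known-clean machine at the same patch level, which is exactly why the helper asks for the OTL log rather than a verdict.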

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-08 23:30:50

23:30:50.653 OS Version: Windows x64 6.1.7601 Service Pack 1
23:30:50.653 Number of processors: 2 586 0x170A
23:30:50.655 ComputerName: KRKONOSE UserName:
23:31:03.479 Initialize success
23:31:09.468 AVAST engine defs: 12070801
23:31:15.176 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
23:31:15.190 Disk 0 Vendor: ST950042 0003 Size: 476940MB BusType: 3
23:31:15.196 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IAAStorageDevice-2
23:31:15.208 Disk 1 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
23:31:15.219 Disk 2 \Device\Harddisk2\SR0 → \Device\SdBus-0
23:31:15.224 Disk 2 Vendor: ( Size: 1876MB BusType: 12
23:31:15.268 Disk 0 MBR read successfully
23:31:15.276 Disk 0 MBR scan
23:31:15.282 Disk 0 Windows 7 default MBR code
23:31:15.297 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 78 MB offset 63
23:31:15.322 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 9642 MB offset 161792
23:31:15.352 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 467218 MB offset 19908608
23:31:15.369 Disk 0 scanning C:\Windows\system32\drivers
23:31:40.108 Service scanning
23:32:16.045 Modules scanning
23:32:16.074 Disk 0 trace - called modules:
23:32:16.101 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys
23:32:16.109 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80057c3160]
23:32:16.117 3 CLASSPNP.SYS[fffff8800181743f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8004ae7050]
23:32:18.406 AVAST engine scan C:\Windows
23:32:31.132 AVAST engine scan C:\Windows\system32
23:36:43.938 AVAST engine scan C:\Windows\system32\drivers
23:37:12.228 AVAST engine scan C:\Users\ART SCOTT FOTOGRAFIE
23:39:30.948 Disk 0 MBR has been saved successfully to “C:\Users\ART SCOTT FOTOGRAFIE\Documents\aswMBR log\MBR.dat”
23:39:31.150 The log file has been saved successfully to “C:\Users\ART SCOTT FOTOGRAFIE\Documents\aswMBR log\aswMBR.txt”

Getting a server busy on the OTL.exe…

Please ATTACH your files. Thank you.

Now I’ve got that song in my head! :stuck_out_tongue:

What files do you want me to attach?? And how… I am not the smartest when it comes to this stuff… sorry.

Why did I not run the “FIX MBR”?

It is all quiet this morning… ran Avast overnight… Of course this thing could have a timer to only run late at night, I guess… when I am trying to sleep and have a playlist of favorite music going… that is when I first noticed it… my music was garbled due to this thing…

Before I forget… thank you for trying to help… I am a dummy when it comes to this stuff.

Hi, the main G2G site is down at the moment.

Here is a secondary link: http://majorgeeks.com/OTL_OldTimers_List-It_d7074.html

Do not fix the MBR, as Avast is not indicating that to be a problem area.

OK… clicked on the OTL link above and it started running without me ticking all the boxes and pasting in the code for the custom box… since it does not have a stop button… I will try to rerun as soon as it is done… Thanx for all the help so far.

OK G2G is back up now ;D

I THANK YOU FOR THE GREAT HELP…GETTING READY TO RUN.

Ran OTL twice and I only get 1 Notepad file to save… here it is:

OK, that has shown me where to go… This will be a busy fix.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKLM\..\SearchScopes\{9230cb90-79de-4945-88a4-762244a25bc8}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKxdm069YYus&ptb=71F7AA70-49AA-49F2-B9A3-3BBD43C053BD&ind=2011121716&ptnrS=YKxdm069YYus&si=&n=77df4834&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-976585497-1788263173-2779139924-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=14542
IE - HKU\S-1-5-21-976585497-1788263173-2779139924-1000\..\SearchScopes\{9230cb90-79de-4945-88a4-762244a25bc8}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKxdm069YYus&ptb=71F7AA70-49AA-49F2-B9A3-3BBD43C053BD&ind=2011121716&ptnrS=YKxdm069YYus&si=&n=77df4834&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-976585497-1788263173-2779139924-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;
[2010/10/08 23:51:45 | 000,002,226 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)

:Files
C:\Users\ART SCOTT FOTOGRAFIE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
C:\Users\ART SCOTT FOTOGRAFIE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

NEXT

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

  • Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please attach its contents on your next reply.

AND FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
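The `:OTL` section of the fix above removes Internet Explorer search scopes, a `ProxyOverride` value and two Browser Helper Objects, and the `:Files` section removes a Chrome extension folder. The script below is an added example, not code from the thread, from OTL or from any of the tools named; it reads the same registry keys and folder so that the entries can be reviewed before the fix is run and confirmed gone afterwards. It assumes Windows PowerShell 3.0 or later, and the function names and the choice of keys (including the `Wow6432Node` branches, which are where 32-bit IE on 64-bit Windows loads BHOs from) are my own.

```powershell
# Added example, not from the thread or the OTL tool: a read-only inventory of the
# locations the OTL fix edits (IE SearchScopes, Browser Helper Objects, ProxyOverride
# and Chrome's extension folder). Assumes Windows PowerShell 3.0 or later.

function Get-IeSearchScope {
    # Per-machine and current-user search providers; OTL's "IE - HKLM\..\SearchScopes"
    # and "IE - HKU\<SID>\..\SearchScopes" lines come from these keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
            'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    foreach ($key in $keys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Key         = $key
                Scope       = $_.PSChildName
                DisplayName = $p.DisplayName
                URL         = $p.URL
            }
        }
    }
}

function Get-BrowserHelperObject {
    # BHO registrations; on 64-bit Windows the 32-bit IE reads the Wow6432Node branch.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $clsidRoots = 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    foreach ($key in $keys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $name = $null; $dll = $null
            # Resolve the CLSID to its name and DLL. A BHO whose CLSID has no
            # InprocServer32 is the "No CLSID value found" case in the OTL line.
            foreach ($root in $clsidRoots) {
                $cls = Get-ItemProperty -Path "$root\$clsid" -ErrorAction SilentlyContinue
                $srv = Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($srv -and $srv.'(default)') {
                    $name = $cls.'(default)'
                    $dll  = [Environment]::ExpandEnvironmentVariables($srv.'(default)')
                    break
                }
            }
            [pscustomobject]@{
                Key    = $key
                CLSID  = $clsid
                Name   = if ($name) { $name } else { '(no name)' }
                Dll    = if ($dll) { $dll } else { 'No CLSID value found' }
                OnDisk = if ($dll) { Test-Path -LiteralPath $dll } else { $false }
            }
        }
    }
}

function Get-IeProxySetting {
    # The ProxyOverride value OTL removes lives next to ProxyEnable/ProxyServer.
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
    }
}

function Get-ChromeExtension {
    # Chrome stores each extension as Extensions\<id>\<version>\manifest.json; the
    # :Files section of the fix names one such <id> folder.
    $extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    Get-ChildItem -Path $extRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $manifest = Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
            Select-Object -First 1
        $name = $null
        if ($manifest) {
            # Names that start with __MSG_ are localisation keys, not the displayed name.
            $name = (Get-Content -LiteralPath $manifest.FullName -Raw | ConvertFrom-Json).name
        }
        [pscustomobject]@{ Id = $_.Name; Name = $name; Path = $_.FullName }
    }
}

Get-IeSearchScope       | Format-Table -AutoSize
Get-BrowserHelperObject | Format-Table -AutoSize
Get-IeProxySetting      | Format-List
Get-ChromeExtension     | Format-Table -AutoSize
```

Nothing here changes the machine; it only reports. Run it once before pasting the fix into OTL, keep the output, and run it again after the reboot: the search-scope GUIDs, the two BHO CLSIDs and the extension id listed in the fix should no longer appear, and a `ProxyOverride` that points at a local port with no proxy software you recognise is worth asking the helper about rather than restoring.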

Reading your instructions you say: “Run OTL
Under the Custom Scans/Fixes box at the bottom, paste in the following”. Am I supposed to paste in the same code as I did before, or the whole of the blue box posted in your response above?? Sorry… I am not the brightest lamp in the room…

Not a problem.

Copy and paste just the part in the quote box in the last post, as this is the fix.

Fix report, and now off to download and run the TDSSKILLER…

TDSS KILLER REPORT -

Good day…

I was listening to this little ditty as I posted the above TDSS report file… but I have not heard it since 7-12-2012 at 1 PM Central Daylight Time (US)…

Thank you.

Could you post the ComboFix log please, and let me know of any remaining problems?

Was just getting into some David Koller music on Spotify… and damn, it came back… or probably never gone… on my way to an appointment; I will try to find the ComboFix log… when I ran TDSS it only showed one log, posted above, and the OTL only gave 1 Notepad log, posted a few above also… Sorry… but will look through when I return in a few hours…

Thank you!

It should be at C:\ComboFix.txt… If not, could you re-run ComboFix for me please?

This is not an MBR infection, so I think I will need to double-check your BHOs.