Solved Where does the phantom music come from

[strollin]

Conduit is listed as "Search Protect" in Programs and Features.

 

[k0065126]

Strollin,

Sorry, I do not understand. Are you saying that there should be a program named "Search Protect" in the list of programs? I cannot see one and I cannot see any programs which I am not aware of.

Viv

 

[strollin]

Yes, that's what I am saying. If it's not listed there but it's showing in your browser, then you need to go in to your browser extensions and disable it there.

 

[Layback Bear]

Three programs that I use on my computers to get rid of such trash.

AdwCleaner Download

https://www.malwarebytes.org/

Free Virus Scan | Online Virus Scanner from ESET

 

[ComputerGeek]

Conduit is listed as "Search Protect" in Programs and Features.

Yikes!!!! Conduit is bad news. It's a search engine hijack and more. You can Google conduit Removal instructions. I've done it once before - seemed straight forward in my case - but you'll also find threads from others who ended up with more problems when trying on their own. May be best to get removal assistance from a security/malware forum expert. Or at least backup / image u r disk if u want to first try on your own

 

[Slartybart]

Thanks Bill,

I have followed some of your advice so far. The Google toolbar for IE has now been uninstalled. I have reset IE, Firefox and Chrome, although I could not remove the Conduit extension as it is not listed.

There are a few differences in the AdwCleaner log from last time but I will wait until tomorrow before I let it clean the registry as I wish to make a registry backup and have a new system backup in case of problems.

I will let you know how I get on tomorrow, thanks for all your help.

Backups makes sense to me. I'll read the new AdwCleaner log and wait for your next post. I expect the new log shows your resetting the browsers (Chrome... understood, no conduit - thanks).

I'm not concerned about nircmd, it is in the correct location
>> VirusTotal suspects in other reports is most likely due to it being in other locations.... if that were the case on your machine, I would be more concerned)

Did you get any feedback from VoiceTeach?

I'm also glad you waited - I only recommended Unticking nircmd, but after reviewing your post with the VirusTotal information, I'll revise that to also Untick install.rdf.

You seem fairly comfortable and knowledgeable with computers, I'm guessing you would have done that on your own.

Bill
.

 

[Slartybart]

A quick look at AdwCleaner[R8] confirms that the difference is due to the browser and toolbar work you already did.

So now... I'll wait until your backups are done and you run the clean cycle of AdwCleaner.

Please post the logs after you run AdwCleaner Clean.

Then a few other scans to double check.

If at any time the "phantom music" isn't present, please post that information. It might not be east to determine that though since it's intermittent.

If the "phantom music" does get resolved in the first pass using AdwCleaner, it doesn't mean you shouldn't run additional scans

Bill
.

 

[k0065126]

Yes, that's what I am saying. If it's not listed there but it's showing in your browser, then you need to go in to your browser extensions and disable it there.

Thanks, Conduit/"Search Protect" is not showing as an enabled or disabled extension in any of my browsers.

Viv

 

[k0065126]

LaybackBear,

Thanks, I already have the first two you mentioned and I am now running a scan with ESET which looks as if it will run for most of the night.

Bill,

I have had no response from VoiceTeach regarding nircmd.exe yet but I suspect that it is not a problem due to it's location. There have been no more phantom sounds in the last couple of days, but maybe I was not listening at the right time. Due to the occasional nature of it's occurrence it will probably be a few weeks before I can be sure that it has ceased, but my best guess is that it is from a web page which is no longer open. I will gradually increase the number of web pages which are open, (it is normally the same ones each day), to see if there is a recurrence of the sound.

Viv

 

[Slartybart]

Thanks for the update Viv,

I'd still like to see the logs from any scanner you have run (if you're following Layback's list that would be AdwCleaner and Malwarebytes (Mbam)) and the ESET log when it finishes.

And just so I'm on track - you are cleaning / removing malware when the scanner displays the results, right?

Good about the sound, but yeah it's inconclusive for the moment. Keep track of the web pages you open as you increase the number to see if a specific often visited page is the culprit.

Bill
.

 

[k0065126]

Bill,

I have run the scanners suggested by Layback and used them to remove malware, except for nircmd.exe and install.rdf. Results are attached. No reply from VoiceTeach yet, but I think it was probably a false positive for nircmd.exe.

Viv

View attachment Scan_2014-3-7-12-30.txt
View attachment AdwCleaner[S2].txt
View attachment AdwCleaner[S1].txt
View attachment AdwCleaner[R11].txt
View attachment AdwCleaner[R10].txt
View attachment AdwCleaner[R9].txt

 

[k0065126]

Bill,

Sorry, I forgot the Malwarebytes log. Thanks to all who have offered suggestions.

Viv

View attachment mbam-log-2014-03-07 (08-44-10).txt

 

[Slartybart]

Thanks for posting the logs Viv,

Mbam and AdwCleaner look clean. Two more just to make sure:

Restart your machine in case there are any system operations pending

Click here to download Old Timer-TFC.
>> save the application to your Desktop.
:info: Old Timer-TFC is a standalone application, there is no install.

:warn:Save your work and close all open windows.
TFC will close ALL open programs including your browser!

:note: Old Timer-TFC resets Folder Options -> View -> Hidden files and folders to Don't show hidden...

Right click TFC and select, Run as administrator from the alternate menu.

Click the Start button to begin the cleaning up temporary files and folders.
:warn: Do not work on other things while TFC is running - most applications use some sort of temporary files. Just let TFC run by itself on the machine until it completes.

:busted: If TFC prompts you to restart, do so immediately.
:busted: If TFC does NOT prompt you, then restart your machine immediately after TFC has completed.​

---

Run herdProtect one more time (see post# 15 - you don't have to download it again, just scan)

Please post the log and if it's clean, I think you're done.
Leave the thread open for a few days and when you feel that the issue is resolved, please mark the thread as solved.

Thanks,

Bill
.

 

[k0065126]

Bill,

I have done as you suggest and attach the herdProtect results.

Thanks again,

Viv

View attachment Scan_2014-3-8-22-50.txt

 

[Slartybart]

Thanks,

There are a few entries that concern me

easyfundraising toolbar - conduit reference.
Uninstall it in CPL - > Pgm & Feats
and uninstall any tool bars - I thought this was already done - perhaps it was and the malware re-established itself.

c:\program files (x86)\asus\axsp\1.00.19\pebiosinterface32.dll
Anything asus on your machine?

c:\users\viv\appdata\local\temp\install_hosts_anti-adware.exe
Old Timer-TFC should have cleaned up every temp location.

Download the Farbar Recovery Scan Tool (FRST) Click here

1. Select the version that applies to your system: 32-bit OR 64-bit
   .
2. Click the Save button
   Default save location is your Downloads folder
   :note: If the SmartFilter bar is presented, click the Actions button and click Don't Run (saves FRST but does not run it)
   .
3. Double-click FRST or FRST64 to launch the utility
   :info: FRST is the 32-bit version / FRST64 is the 64-bit version
   • Click the Yes button to confirm UAC
     .
   • Click the Yes button on the Warranty disclaimer window.
     .
   • Tick [[FONT=Webdings, serif]a[/FONT]] all Whitelist checkboxes
     .
   • Tick [[FONT=Webdings, serif]a[/FONT]] Addition.txt in the Optional scan list
     .
4. Click the Scan button to begin scanning.
   .
5. FRST creates two logs when the scan has finished, they are located in the same folder where FRST was launched
   • FRST.txt and
   • Addition.txt
   • Attach both logs to a post on your thread and a SevenForums member will analyze the output.
     See: http://www.sevenforums.com/tutorials/9733-screenshots-files-upload-post-seven-forums.html
   Exit out of Farbar

I don't know this tool well enough to advise you past a scan.
Do NOT experiment with FRST - the wrong line in the wrong place can rick your system.
A simple scan is safe.

I'll ask a member of the Security team to look at the output and they can determine what, if any, tool is needed next.

Thanks

 

[k0065126]

easyfundraising toolbar - conduit reference.
Uninstall it in CPL - > Pgm & Feats
and uninstall any tool bars - I thought this was already done - perhaps it was and the malware re-established itself.

I have now done this as I have realised that I do not use it.

c:\program files (x86)\asus\axsp\1.00.19\pebiosinterface32.dll
Anything asus on your machine?

My MoBo.

c:\users\viv\appdata\local\temp\install_hosts_anti-adware.exe

Old Timer-TFC should have cleaned up every temp location.

I have run Old Timer again but there are still 32Gb of files in c:\users\viv\appdata\local\temp\, including about 35 .tmp files, although the install_hosts_anti-adware.exe file is no longer there.

Download the Farbar Recovery Scan Tool (FRST)

I have done this, (just before running Old Timer for the second time), and the results are attached.

Viv

View attachment Addition.txt

View attachment FRST.txt

 

[Slartybart]

Ok, thank you. I've done a cursory look at FRST and there's not much that I saw, but I'll ask for a second opinion from the Sec team.

I want to make sure your system is clean, the FRSt says your home page is easyfundraising.uk.org and I thought that should have been corrected by the reset. That and the 2nd run of herdProtect showing some remnants.

ASUS: Oops... of course it's your Mobo

The music is still gone - right?

Thanks for all of your excellent feedback.

---

I've collected all of your logs/screenshots and placed them here in chorological order

1. Post# 16: herdProctect screenshots
2. Post# 18: AdwCleaner[R7].txt
3. Post# 20: AdwCleaner[R8].txt
   
4. Post# 31:
   • herdProtect log
   • AdwCleaner [S1].txt
   • AdwCleaner [S2].txt
   • AdwCleaner[R9].txt
   • AdwCleaner[R10].txt
   • AdwCleaner[R11].txt
5. Post# 32: Mbam log
6. Post# 34: herdProtect log
   >> also ran Old timer-TFC at this point - no log
   
7. Fabar logs from post# 36
   • FRST.txt
   • Addition.txt

Hopefully this will save some time looking through the thread.


Bill
.

 

[Jacee]

I have run Old Timer again but there are still 32Gb of files in c:\users\viv\appdata\local\temp\, including about 35 .tmp files, although the install_hosts_anti-adware.exe file is no longer there.

It looks like these temp files are in "Quarantine".


Download Combofix from any of the links below, and save it to your desktop.<--Important
Link 1
Link 2
Link 3


Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

• Double click combofix.exe and follow the prompts.
• When finished, it will produce a log for you. Post that log.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt

***A guide and tutorial on "How to use Combofix" can be found here:
ComboFix: A guide and tutorial on using ComboFix

 

[k0065126]

Bill,

I set the home pages of IE to the ones I want, as I use them regularly. There has been one occasion when I have heard the phantom noise, but I do not have my headphones on all of the time. It still seems likely that it is a web page which is doing this, although I have not been able to narrow it down yet.

Jacee,

The size of the c:\users\viv\appdata\local\temp\ file is now much reduced, 306Mb, most of which are tmp files from today.

I ran combofix according to your instructions, rebooted even though I was not asked, and have attached the file you want to see.

Viv

View attachment ComboFix.txt

 

[Slartybart]

Thanks for letting me know about the home page, Viv.

You'll have to see what Jacee has to say about the ComboFix output, that's her forte'

Bill
.