Thanks Bill,
I have set the Sound Scheme to No Sounds, unchecked the play a sound on startup and checked that all of the system sounds show None in the box at the bottom next to the Test button.
Viv
PS, I cannot remember when the problem started as I did not take much notice at first.
Last edited by k0065126; 04 Mar 2014 at 17:57.
Do a google search for "random music virus" and you'll find lots of hits. These viruses (virii?) don't seem to be caught and removed by the many AV and malware scanners. You may want to ask for help on a forum where they specialize in infections removal.
Thanks Viv,
Try this quick scan (scan only, no repair)
1. Click here to dowload herdProtecta. Click on the Portable version2. Click Scan
b. Click Save on the download action bar (your downloads folder is the default save location)
c. Click Run when the download complete action bar is presented1. Answer Yes to the UAC diaglog window
2. Click Next on the "This will extract the portable version..."
3. Specify the location for the extracted files (USB, or Harddisk)
4. Click Next
5. Click "I agree" on the license dialog window
6. Leave the checkbox ticked [a] Launch herdProtect
7. Click Finish
herdProtect is a cloud based service. Your computer must remain connected to the Internet while the scan runs.
a. Depending on your system it will take between 5 to 30 minutes for the scan to complete. The two buttons on each object detected provide more detail, but aren't very useful to the average user.
1. Click View to open the file location on your computer
2. Click Details to open the herdProtect knowledgbase for that file
3. Click Save (upper right area of the window) to create the log file in a readable format. The log file is then opened for review in your text editor. You can review the results in the log if you're interested or just close the log file.
The log file is created in the herdProtect\Logs subfolder with a naming convention of Scan_YYYY-M-D-H-M.txt
For example: herdProtect\Logs\Scan_2014-1-1-12-47.txt
4. Attach the most current herdProtect log file to a new post on your thread.
See: Screenshots and Files - Upload and Post in Seven Forums
Bill
.
Last edited by Slartybart; 08 Mar 2014 at 12:41. Reason: spelling, grammar, clarity
Thanks Bill,
I have marked files from programs which I trust.
Viv
hmmmmm, I only get 4 results on my scan and I verified each with VirusTotal.
Did you by any chance untick "Don't show potential false positive detections? The question mark in the upper right corner of herdProtect isn't help - it's where you would configure this option. I unticked it and the results were similar to yours, many files were flagged.
The two results at the top
install.rdf
herdProtect: While the manifest file itself is not malware, it is linked to an unwanted Firefox extension. (1 / 68 scanners) herdProtect (Reason Company) Heuristics: PUP.Smartbar.MozillaPlugin.K (14.3.2.13)
ThreatExpert: ThreatExpert Reports
some real threats, other inconclusive reports.
nircmd.exe
herdProtect:
Scanner detections: 4 / 68
Status: Malware
F-Secure: Suspicious:W32/Malware!Gemini (11.2014-05-03_4)
McAfee: Tool-NirCmd (5600.7201)
McAfee Web Gateway: Tool-NirCmd (7.7201)
Sophos: NirCmd (4.54)
Malware scan of NirCmd.exe (NirCmd) 436b4b7a39219a2c65f1a85de90cc5168b6b649d - herdProtect
ThreatExpert: Across all ThreatExpert reports, the file "nircmd.exe" was mostly identified as a threat
nircmd.exe | ThreatExpert statistics
The results show all other files are inconclusive determinations.
I've found that a lot of open source code (many paid for applications include some open source code) gets flagged and it normally is completely safe.
The next step is to double check the two files at the top of the list with VirusTotal (VT). The easiest way to do this is to download and install the VirusTotal Uploader: VirusTotal Windows Desktop Application. After this is installed, you can navigate to the location of the suspected file and right click the file to send to VirusTotal for further analysis. VT often gives an all clear signal on a file, but if not, then the file should definitely be removed.
Now that threats or potential threats have been identified, run another scanner that will clean any malware. You'll have the opportunity to untick anything you decide is important to keep. Look though the tabs for recognized software and untick what you want to preserve.
AdwCleaner: Scan and Clean
Click here to download AdwCleaner (author: Xplode)
>> save the application to your Desktop.
- Right-click, Run as administrator AdwCleaner.exe
- Click on the Scan button.
>> AdwCleaner begins scanning your system. It might take some time to complete.
>> You can review the objects that will be cleaned at this point of the process. Objects are grouped under the tabs. If there is something you KNOW should not be cleaned, untick the box [_] next to the object. Otherwise, go to the next step.
If you want someone to look at the scan results before you hit the clean button, leave AdwCleaner open and attach C:\AdwCleaner\AdwCleaner[S#].txt (where # is the highest number) to a post and wait for a member to take a look. If you have to close AdwCleaner, don't worry - you'll just have to run the scan again and untick the KNOWN good files (more of an annoyance, but trouble shooting on a forum has it's drawbacks - we're in different time zones).
.- After the scan has finished... click on the Clean button.
- Answer OK to the "close all programs" prompt, then follow the onscreen prompts.
- Answer OK to the "restart the computer" prompt to complete the removal process.
>> The AdwCleaner[S#].txt log is opened in your default Text editor when the machine has restarted.
.- Please attach all AdwCleaner[S#].txt and AdwCleaner[R#].txt logs to a new post on your thread.
Bill,
I have uploaded the two files to VirusTotal and install.rdf was reported as clean, but nircmd.exe is shown as suspect. I will contact VoiceTeach tomorrow and ask them about it as I do not want to delete it if it is not causing me a problem, and also I do not know what it is supposed to do.
I ran AdwCleaner and there is one suspect file and numerous registry entries. I am attaching a copy of the AdwCleaner[S7].txt file to this post. I have not allowed AdwCleaner to delete any files, especially the registry entries, as I am not sure what effect it may have.
Viv
AdwCleaner[R7].txt
Thanks Viv,
It looks as though you have a number of toolbars that are flagged as adware / malware. I looked at a few on ThreatExpert and found that some might be valid, but only you can make that determination.
There is one definite malware that I saw off the bat - conduit. There is also a Softonic downloader flagged - these download managers often come laden with junk so it's always advisable to get them off your system. Better, don't use download managers - you don't need them to download files.
Much in the same with toolbars - they're carriers. Pick one that you use all the time, maybe two. Get rid of the rest.
Normally I would advise a member to let AdwCleaner do it's job and clean up the mess. That is what I recommend now, but took a bit of time to look at the log and offer some feedback. There are too many objects in the log to do all of them and many of the seem to be related to conduit.
So here's what I recommend:
1) Go to Control Panel -> Programs and Features
Look though the installed programs and uninstall any toolbars that you don't recognize or use.
2) Check all of your browsers
The easiest way to ensure completeness is to reset the browsers
Internet Explorer:
Open Internet Options
Click the Advanced tab
Click Reset button.
In the Reset Internet Explorer Settings dialog window
Tick [a] Delete personal settings
Click on Reset.
After the reset, click Close
Click OK
Close IE
Firefox
Open the Firefox menu
Mouse over Help to open the sub-menu
Click Troubleshooting Information on the sub-menu
Click the Reset Firefox button on the right
Confirm click Reset Firefox
Firefox will close and reset, an information window is displayed listing what was done.
Click Finish
Chrome
1) Remove Conduit extension(s)
Click the Chrome menu button
Select Tools
Click Extensions.
Remove Conduit Apps -> click the recycle bin to the right of the object
Remove any other unknown extensions in the same manner
Any extension you did not explicitly install is unknown
2) Set the default search engine to a trusted provider (Google or Bing)
Click the Chrome menu button
Select Settings
In the Search category, Click Manage search engines
Select Google or Bing
Click the Make Default button
On the Conduit row,
Click he X button at the end of the row.
3) Set the homepage to the Chrome default
Click the Chrome menu button
Select Settings
In the On Startup category
Click the radio button Open the New Tab page
When you have Uninstalled the toolbars and other unneeded applications from Control Panel -> Programs and Features and
you have completed the manual changes to your browsers
Run AdwCleaner scan again
Unitick nircmd for now, leave the rest ticked.
Click Clean
You can post the most recent log, but I'll probably just say - clean up your system now so you don't have to go through this exercise again. Malware doesn't wait for you, it re-establishes itself fairly quickly.
Unless you're certain about a keeper, let Adwcleaner do it's job. Anything can be recovered if you need it by downloading it and installing it.
A caveat is an application that you paid for - make sure you have the means to reinstall any purchased software (usually you just need the license key). Stuff you downloaded for free can always be downloaded again - but.... that's how a lot of systems become infected. Better to only download trusted apps than to allow malware on your system. How do you know what's trusted? Experience and caution.
You'll need to restart the machine, but wait until the malware is cleaned up or else it might put everything back.
There will probably be additional utilities or scanners for you to run to make sure there's nothing lurking
Thanks Bill,
I have followed some of your advice so far. The Google toolbar for IE has now been uninstalled. I have reset IE, Firefox and Chrome, although I could not remove the Conduit extension as it is not listed.
There are a few differences in the AdwCleaner log from last time but I will wait until tomorrow before I let it clean the registry as I wish to make a registry backup and have a new system backup in case of problems.
I will let you know how I get on tomorrow, thanks for all your help.
Viv
AdwCleaner[R8].txt
Quote
