Where does the phantom music come from


  1. Posts : 42
    Microsoft Windows 7 Professional 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #31

    Bill,

    I have run the scanners suggested by Layback and used them to remove malware, except for nircmd.exe and install.rdf. Results are attached. No reply from VoiceTeach yet, but I think it was probably a false positive for nircmd.exe.

    Viv

    Scan_2014-3-7-12-30.txt
    AdwCleaner[S2].txt
    AdwCleaner[S1].txt
    AdwCleaner[R11].txt
    AdwCleaner[R10].txt
    AdwCleaner[R9].txt


  2. Posts : 42
    Microsoft Windows 7 Professional 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #32

    Bill,

    Sorry, I forgot the Malwarebytes log. Thanks to all who have offered suggestions.

    Viv

    mbam-log-2014-03-07 (08-44-10).txt


  3. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #33

    Thanks for posting the logs Viv,

    Mbam and AdwCleaner look clean. Two more just to make sure:

    Restart your machine in case there are any system operations pending

    Click here to download Old Timer-TFC.
    >> save the application to your Desktop.
    Old Timer-TFC is a standalone application, there is no install.

    Save your work and close all open windows.
    TFC will close ALL open programs including your browser!

    Old Timer-TFC resets Folder Options -> View -> Hidden files and folders to Don't show hidden...

    Right click TFC and select, Run as administrator from the alternate menu.

    Click the Start button to begin cleaning up temporary files and folders.
    Do not work on other things while TFC is running - most applications use some sort of temporary files. Just let TFC run by itself on the machine until it completes.

    If TFC prompts you to restart, do so immediately.
    If TFC does NOT prompt you, then restart your machine immediately after TFC has completed.




    Run herdProtect one more time (see post# 15 - you don't have to download it again, just scan)

    Please post the log and if it's clean, I think you're done.
    Leave the thread open for a few days and when you feel that the issue is resolved, please mark the thread as solved.

    Thanks,

    Bill
    .


  4. Posts : 42
    Microsoft Windows 7 Professional 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #34

    Bill,

    I have done as you suggest and attach the herdProtect results.

    Thanks again,

    Viv

    Scan_2014-3-8-22-50.txt


  5. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #35

    Thanks,

    There are a few entries that concern me

    easyfundraising toolbar - conduit reference.
    Uninstall it in CPL - > Pgm & Feats
    and uninstall any tool bars - I thought this was already done - perhaps it was and the malware re-established itself.

    c:\program files (x86)\asus\axsp\1.00.19\pebiosinterface32.dll
    Anything asus on your machine?

    c:\users\viv\appdata\local\temp\install_hosts_anti-adware.exe
    Old Timer-TFC should have cleaned up every temp location.

    Download the Farbar Recovery Scan Tool (FRST) Click here
    1. Select the version that applies to your system: 32-bit OR 64-bit
    2. Click the Save button
      Default save location is your Downloads folder
      If the SmartFilter bar is presented, click the Actions button and click Don't Run (saves FRST but does not run it)
    3. Double-click FRST or FRST64 to launch the utility
      FRST is the 32-bit version / FRST64 is the 64-bit version
      1. Click the Yes button to confirm UAC
      2. Click the Yes button on the Warranty disclaimer window.
      3. Tick all Whitelist checkboxes
      4. Tick Addition.txt in the Optional scan list
    4. Click the Scan button to begin scanning.
    5. FRST creates two logs when the scan has finished; they are located in the same folder where FRST was launched

      Exit out of Farbar


    I don't know this tool well enough to advise you past a scan.
    Do NOT experiment with FRST - the wrong line in the wrong place can brick your system.
    A simple scan is safe.

    I'll ask a member of the Security team to look at the output and they can determine what, if any, tool is needed next.

    Thanks


  6. Posts : 42
    Microsoft Windows 7 Professional 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #36

    Slartybart said:
    > easyfundraising toolbar - conduit reference.
    > Uninstall it in CPL - > Pgm & Feats
    > and uninstall any tool bars - I thought this was already done - perhaps it was and the malware re-established itself.

    I have now done this as I have realised that I do not use it.

    > c:\program files (x86)\asus\axsp\1.00.19\pebiosinterface32.dll
    > Anything asus on your machine?

    My MoBo.

    > c:\users\viv\appdata\local\temp\install_hosts_anti-adware.exe
    > Old Timer-TFC should have cleaned up every temp location.

    I have run Old Timer again but there are still 32Gb of files in c:\users\viv\appdata\local\temp\, including about 35 .tmp files, although the install_hosts_anti-adware.exe file is no longer there.

    > Download the Farbar Recovery Scan Tool (FRST)

    I have done this, (just before running Old Timer for the second time), and the results are attached.

    Viv

    Addition.txt

    FRST.txt
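
A read-only way to see what is still sitting in the temp folder discussed above, and whether any executables remain there; this is an added example, not part of the original thread or of any tool mentioned in it. It assumes PowerShell 4.0 or later (Windows 7 ships with 2.0) and that `$env:TEMP` points at the user's `AppData\Local\Temp` folder.

```powershell
# Added example: read-only inventory of the current user's temp folder.
# Assumes PowerShell 4.0+ (Get-FileHash); nothing is deleted or modified.
$tempRoot = $env:TEMP   # normally C:\Users\<name>\AppData\Local\Temp

# Enumerate once; -Force includes hidden files, and locked or inaccessible
# items are skipped instead of aborting the run.
$files = @(Get-ChildItem -LiteralPath $tempRoot -Recurse -Force -File -ErrorAction SilentlyContinue)

$totalBytes = ($files | Measure-Object -Property Length -Sum).Sum
'{0:N0} files, {1:N1} MB under {2}' -f $files.Count, ($totalBytes / 1MB), $tempRoot

# Space used per top-level entry, largest first, to show where the bulk is
# (for example a scanner's quarantine folder versus loose .tmp files).
$files |
    Group-Object { ($_.FullName.Substring($tempRoot.Length).TrimStart('\') -split '\\')[0] } |
    ForEach-Object {
        [pscustomobject]@{
            Entry  = $_.Name
            Files  = $_.Count
            SizeMB = [math]::Round(($_.Group | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
        }
    } |
    Sort-Object SizeMB -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize

# Executable content in a temp folder deserves a look: report signature
# status and SHA-256 so each file can be checked without running it.
$files |
    Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.msi' } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path      = $_.FullName
            Modified  = $_.LastWriteTime
            Signature = $sig.Status
            SHA256    = $hash.Hash
        }
    } |
    Sort-Object Modified -Descending |
    Format-List
```

Comparing the output before and after a cleanup run shows which entries the cleaner actually removed.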


  7. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #37

    Ok, thank you. I've done a cursory look at FRST and there's not much that I saw, but I'll ask for a second opinion from the Sec team.

    I want to make sure your system is clean, the FRST says your home page is easyfundraising.uk.org and I thought that should have been corrected by the reset. That and the 2nd run of herdProtect showing some remnants.

    ASUS: Oops... of course it's your Mobo

    The music is still gone - right?

    Thanks for all of your excellent feedback.


    I've collected all of your logs/screenshots and placed them here in chronological order
    1. Post# 16: herdProtect screenshots
    2. Post# 18: AdwCleaner[R7].txt
    3. Post# 20: AdwCleaner[R8].txt
    4. Post# 31:
      1. herdProtect log
      2. AdwCleaner [S1].txt
      3. AdwCleaner [S2].txt
      4. AdwCleaner[R9].txt
      5. AdwCleaner[R10].txt
      6. AdwCleaner[R11].txt
    5. Post# 32: Mbam log
    6. Post# 34: herdProtect log
      >> also ran Old timer-TFC at this point - no log
    7. Farbar logs from post# 36
      1. FRST.txt
      2. Addition.txt
    Hopefully this will save some time looking through the thread.


    Bill
    .
    Last edited by Slartybart; 11 Mar 2014 at 13:01.


  8. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #38

    > I have run Old Timer again but there are still 32Gb of files in c:\users\viv\appdata\local\temp\, including about 35 .tmp files, although the install_hosts_anti-adware.exe file is no longer there.

    It looks like these temp files are in "Quarantine".


    Download Combofix from any of the links below, and save it to your desktop.<--Important
    Link 1
    Link 2
    Link 3


    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
    Next: Please disable all onboard security programs (all running with background protection) as it may hinder the scanner from working.

    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Please be patient while the scan runs, at times it may appear to stall.
    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
    Post this log in your next reply.
    After rebooting ensure your Security applications have been re-enabled.

    In your next reply post:
    ComboFix.txt

    ***A guide and tutorial on "How to use Combofix" can be found here:
    ComboFix: A guide and tutorial on using ComboFix


  9. Posts : 42
    Microsoft Windows 7 Professional 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #39

    Bill,

    I set the home pages of IE to the ones I want, as I use them regularly. There has been one occasion when I have heard the phantom noise, but I do not have my headphones on all of the time. It still seems likely that it is a web page which is doing this, although I have not been able to narrow it down yet.

    Jacee,

    The size of the c:\users\viv\appdata\local\temp\ file is now much reduced, 306Mb, most of which are tmp files from today.

    I ran combofix according to your instructions, rebooted even though I was not asked, and have attached the file you want to see.

    Viv

    ComboFix.txt


  10. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #40

    Thanks for letting me know about the home page, Viv.

    You'll have to see what Jacee has to say about the ComboFix output, that's her forte

    Bill
    .


 