Virus plays random audio
Brian Jackson
12th March 2009, 02:59 PM
Hi All.
My XP system has contracted an apparent (and strange) virus that plays random audio at random intervals, even with no applications open or running at the time. Generally the audio is 10 to 30 seconds of rap or clips of commercials or other nonsense. Avast and SpyBot have caught nothing and an exhaustive Google search reveals many are having the same issue but yield no helpful remedies.
I've dealt with stubborn viruses in th
JUST CAUGHT IT, I THINK.
OK, to continue... I think I just caught it. As I was typing this post I had Task Manager open in the Processes tab listed in order of Mem Usage. I noticed that iexplorer.exe memory jumped considerably. While the audio was playing I clicked END PROCESS and it stopped playing immediately. This might be coincidental, but unlikely.
JUST HAPPENED AGAIN!
... as before I clicked iexplore.exe then End Process. Audio stopped, reinforcing my hypothesis. OK, I'm pretty sure Internet Explorer is the culprit.
Question: Since I have no use for that pathetic browser, how do I uninstall it? XP doesn't seem to allow this. I recall attempting to at one time but Windows XP would automatically "rebuild" IE files if deleted.
Help?
Thanks,
Brian
Soapy Sam
12th March 2009, 03:04 PM
Rename it?
I thought the Uninstall list from Control Panel would remove Iexplore.
Killing all the services that start "IE" will at least restrict its activities (Run Services.MSC)
Ocelot
12th March 2009, 03:27 PM
No you can't remove IE. You are using it even if not as a browser. However this piece of malware is possibly an IE add-on a.k.a. Browser Helper Object.
Open up the registry and browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
You'll probably see a bunch of Keys within it with names like
{01188d35-daf3-4a43-90aa-f1bf150207e6}
If you want to delete them all it's probably safe to do so, especially if you don't use IE as a browser. However don't come crying to me if that turns out to be a mistake, because right now I'm telling you to export any keys first before you delete them. That way you can get it back if you need to.
You might want to keep things like Adobe Acrobat or the Google Toolbar.
Looking inside those keys might show you what that add-on is.
Failing that, search for the long funny name in
HKEY_CLASSES_ROOT\CLSID\
In this example doing so reveals that HKEY_CLASSES_ROOT\CLSID\{01188D35-DAF3-4A43-90AA-F1BF150207E6} is the VIO Toolbar. I want to keep that as I use it for ripping YouTubes.
If I didn't, it has a well-behaved uninstaller and I'd use that. However, dodgy software may need to be removed more aggressively. As such, the above key tells me that the file being executed is C:\Program Files\VIO1\tbVIO0.dll
Were it dodgy malware with no uninstaller, I could delete this file, unregistering if necessary.
The procedure to use in trickier situations is first to assess what BHOs are in play, what files and registry entries you can afford to lose, and then boot to safe mode in order to purge them. Some of the tricky buggers work in gangs and reinstall one another as you're trying to delete them.
There are a few other registry locations to consider, like...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce, RunServices and RunServicesOnce)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce, RunServices and RunServicesOnce)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
However, if it's IE that's chewing the processor, my guess is the BHO.
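[Added example, not part of Ocelot's post: a PowerShell sketch of the audit described above. It backs up the BHO key, resolves each BHO CLSID to its name and DLL, and lists the Run-key autostarts. It assumes the DLL path is stored in the standard COM InprocServer32 subkey; the function names and backup file name are made up for illustration.]

```powershell
# Added example: inventory of BHOs and Run-key autostarts (no registry changes).
$bhoPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

function Get-DefaultValue([string]$Path) {
    # Returns the key's (Default) value, or nothing if the key is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

function Get-BhoInventory {
    $root = "HKLM:\$bhoPath"
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($entry in Get-ChildItem -LiteralPath $root) {
        $clsid = $entry.PSChildName
        $class = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        # Assumption: the add-on is an in-process COM server (InprocServer32).
        $dll = Get-DefaultValue "$class\InprocServer32"
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }
        [pscustomobject]@{
            Clsid     = $clsid
            Name      = Get-DefaultValue $class   # empty for unnamed classes
            Dll       = $dll
            OnDisk    = $exists
            Signature = $sig
        }
    }
}

function Get-RunEntries {
    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $path; Name = $name; Command = $key.GetValue($name) }
        }
    }
}

# Export the BHO key first so anything deleted later can be restored.
# The backup file name is a placeholder chosen for this example.
reg.exe export "HKLM\$bhoPath" "$env:TEMP\bho-backup.reg" /y | Out-Null

Get-BhoInventory | Format-Table -AutoSize -Wrap
Get-RunEntries   | Format-Table -AutoSize -Wrap
```

[Entries with no name, a DLL missing from disk, or a signature status other than Valid are the ones to look at first.]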
Agular
12th March 2009, 04:35 PM
Don't delete all the BHOs in the registry, that's just plain silly. Try this: http://www.pcworld.com/downloads/file/fid,23611-order,1-page,1-c,alldownloads/description.html
"Internet Explorer has a nasty habit of allowing so-called Browser Helper Objects (or BHOs) to install themselves into IE. Some BHOs are helpful, like the Google Toolbar, but others (especially those planted by viruses or spyware) can be malicious and harmful. BHODemon gives you a quick look at the BHOs installed on your PC, tells you whether a specific BHO is known to be safe or harmful, and gives you the ability to enable or disable individual BHOs with a single mouse click."
Dancing David
14th March 2009, 06:47 AM
There are some issues with uninstalling IE, you may need it to update! At least it won't update through Firefox, curse you Microsoft!
Sounds like a job for HijackThis! they have a very nice forum and will guide you through the process. But you have to agree to do only what they tell you and run the processes as they request them.
MajorGeeks will do something similar.
You could also try ComboFix.
Have you tried MalwareBytes or Superantispyware?
At our school we had a machine that was doing this; there was an audio codec that somebody, most likely a sub custodian, had downloaded. Our tech tried fooling with it and then just reformatted.
Brian Jackson
16th March 2009, 03:17 AM
SOLVED!
Well at least a quick fix. There's a simple program called Startup Defender here (http://www.zardssoftware.com/startup/startup.html) that prevents Processes from starting. Simple as that. I just select the offending Process and put it in the kill list.
I've watched Task Manager after installation and every time the Process attempts to start it's immediately killed in less than half a second.
Granted there's more going on under the hood with this infection, but at least the offending virus is not allowed to execute. This one has been driving me crazy and I'm surprised at the lack of at least this simple fix on net forums.
Cheers,
Brian
Dancing David
16th March 2009, 07:53 PM
:cool: and good luck, does Microsoft Malicious Software remover detect anything?
I would at least want to find out what it is, if it is a backdoor trojan then more is yet to come. :(
Gangularis
24th March 2009, 12:42 AM
You should post a HijackThis log. I'd also try downloading and running the free version of Malwarebytes (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button), update it, perform a quick scan, and then have it remove everything that it finds. It works great. I work at home as a remote tech, and the focus of my work is removing malware, and this is one of the programs the company I work for uses. It does a great job.
TheDaver
27th March 2009, 04:22 AM
Download and install the Avast antivirus. Scan your system, disable Startup Defender, and if the problem’s still there, then just bite the bullet – backup your most cherished/important data and do a complete format and reinstall of Windows.
Typicallucas
9th April 2009, 11:34 PM
...backup your most cherished/important data and do a complete format and reinstall of Windows.
Absolutely, get prepared to format your hard drive and reinstall Windows.
If you can't eradicate that virus completely (I guess you never can be 100% sure it's gone) you may be opening yourself up to another attack in the future. Your system may have been compromised in some way or the virus may be downloading some of its trojan buddies onto your computer.
I have reinstalled XP twice in the last 2 years and I made a chart of all the steps I need to do for next time. Here is my advice to you.
Backup your important files:
Music, Pictures, Videos, Books, Downloaded Files, Personal and Business Documents
Backup your data from programs:
Quickbooks, Email, Contacts, Calendars, Favorites
Make a list of the drivers you will need to download from the internet
Make a list of the programs you will need to download/install
Take some notes on the appearance of your desktop and program defaults so that you can recreate it
Make sure to get EVERYTHING you want to keep, think long and hard.
Google & print out a guide to formatting and installing XP, I can't link one yet because I'm still new to the forums.
Pick a day when you aren't going to need your computer for urgent business.
In this order:
1) Format
2) Install Windows
3) Update Windows
4) install an Antivirus program
5) install an Antispyware program
6) update and activate both
7) configure Windows Update to update automatically.
8) install any drivers you need to run your peripherals (use yo' periphuruls!)
9) install your programs and tweak your desktop settings
10) copy your backed-up data over and enjoy your fresh XP!
Aerik
10th April 2009, 08:11 PM
Sounds like the virus is opening what's called a "popunder" -- via javascript it can cause the browser to eliminate almost all of its chrome, keep it from appearing in the taskbar, and reduce it to a size you can't see (like a single pixel).
© 2001-2009, James Randi Educational Foundation. All Rights Reserved.