12th March 2009, 01:59 PM   #1
Brian Jackson
Graduate Poster
Join Date: Aug 2006
Location: Atlanta, Georgia
Posts: 1,107
Virus plays random audio

Hi All.

My XP system has contracted an apparent (and strange) virus that plays random audio at random intervals, even with no applications open or running at the time. Generally the audio is 10 to 30 seconds of rap or clips of commercials or other nonsense. Avast and SpyBot have caught nothing and an exhaustive Google search reveals many are having the same issue but yields no helpful remedies.

I've dealt with stubborn viruses in th

JUST CAUGHT IT, I THINK.

OK, to continue... I think I just caught it. As I was typing this post I had Task Manager open in the Processes tab listed in order of Mem Usage. I noticed that iexplorer.exe memory jumped considerably. While the audio was playing I clicked END PROCESS and it stopped playing immediately. This might be coincidental, but unlikely.

JUST HAPPENED AGAIN!

... as before I clicked iexplore.exe then End Process. Audio stopped, reinforcing my hypothesis. OK, I'm pretty sure Internet Explorer is the culprit.

Question: Since I have no use for that pathetic browser, how do I uninstall it? XP doesn't seem to allow this. I recall attempting to at one time but Windows XP would automatically "rebuild" IE files if deleted.

Help?

Thanks,
Brian
12th March 2009, 02:04 PM   #2
Soapy Sam
NLH
Join Date: Oct 2002
Posts: 27,763
Rename it?

I thought the Uninstall list from Control Panel would remove Iexplore.
Killing all the services that start "IE" will at least restrict its activities (Run Services.MSC)

Last edited by Soapy Sam; 12th March 2009 at 02:05 PM.
12th March 2009, 02:27 PM   #3
Ocelot
Illuminator
Join Date: Feb 2007
Location: London
Posts: 3,169
No you can't remove IE. You are using it even if not as a browser. However this piece of malware is possibly an IE add-on a.k.a. Browser Helper Object.

Open up the registry and browse to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

You'll probably see a bunch of Keys within it with names like
{01188d35-daf3-4a43-90aa-f1bf150207e6}

If you want to delete them all it's probably safe to do so, especially if you don't use IE as a browser. However don't come crying to me if that turns out to be a mistake, because right now I'm telling you to export any keys first before you delete them. That way you can get it back if you need to.

You might want to keep things like Adobe Acrobat or the Google Toolbar.

Looking inside those keys might show you what that add-on is.

Failing that, search for the long funny name in

HKEY_CLASSES_ROOT\CLSID\

In this example, doing so reveals that HKEY_CLASSES_ROOT\CLSID\{01188D35-DAF3-4A43-90AA-F1BF150207E6} is the VIO Toolbar. I want to keep that as I use it for ripping YouTubes.

If I didn't, it has a well-behaved uninstaller and I'd use that. However, dodgy software may need to be removed more aggressively. As such, the above key tells me that the file being executed is C:\Program Files\VIO1\tbVIO0.dll

Were it dodgy malware with no uninstaller, I could delete this file, unregistering it if necessary.

The procedure to use in trickier situations is first to assess what BHOs are in play, what files and registry entries you can afford to lose, and then boot to safe mode in order to purge them. Some of the tricky buggers work in gangs and reinstall one another as you're trying to delete them.

There are a few other registry locations to consider, like...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce, RunServices and RunServicesOnce)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce, RunServices and RunServicesOnce)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Policies\Explorer\Run

However, if it's IE that's chewing the processor, my guess is the BHO.
__________________
EDL = English Disco Lovers

Last edited by Ocelot; 12th March 2009 at 02:30 PM.
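
An inventory pass over a saved registry export, as an added example that is not part of Ocelot's post: it parses regedit export text, lists each BHO CLSID, and resolves it (case-insensitively, since the two keys quoted above differ in case) to its name and DLL through the standard COM InprocServer32 subkey. The export text and the second, unregistered CLSID are constructed for illustration.

```python
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed export: first BHO uses the values quoted in the post, second is a made-up orphan.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01188d35-daf3-4a43-90aa-f1bf150207e6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000abcd}]
[HKEY_CLASSES_ROOT\CLSID\{01188D35-DAF3-4A43-90AA-F1BF150207E6}]
@="VIO Toolbar"
[HKEY_CLASSES_ROOT\CLSID\{01188D35-DAF3-4A43-90AA-F1BF150207E6}\InprocServer32]
@="C:\\Program Files\\VIO1\\tbVIO0.dll"
'''

def parse_reg(text):
    """Map each lower-cased key path to its {value name: data} dict."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # String value: undo the export's \\ and \" escaping.
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            current[name.strip('"')] = data
    return keys

def list_bhos(text):
    """Return (clsid, friendly name, DLL path) for every BHO subkey."""
    keys = parse_reg(text)
    prefix = BHO_KEY.lower() + "\\"
    rows = []
    for path in keys:
        if not path.startswith(prefix) or "\\" in path[len(prefix):]:
            continue  # not a direct child of the BHO key
        clsid = path[len(prefix):]
        com = CLSID_KEY.lower() + "\\" + clsid
        name = keys.get(com, {}).get("@")  # default value = display name
        dll = keys.get(com + "\\inprocserver32", {}).get("@")
        rows.append((clsid, name, dll))
    return rows

if __name__ == "__main__":
    for clsid, name, dll in list_bhos(SAMPLE_EXPORT):
        print(clsid, name or "<no CLSID entry>", dll or "<no DLL registered>")
```

Real regedit version 5 exports are UTF-16 encoded, so decode the file before passing its text in. An entry that resolves to no name or DLL is one to look at by hand before deciding anything.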
12th March 2009, 03:35 PM   #4
Agular
Critical Thinker
Join Date: Oct 2006
Posts: 260
Don't delete all the BHOs in the registry, that's just plain silly. Try this: http://www.pcworld.com/downloads/fil...scription.html

"Internet Explorer has a nasty habit of allowing so-called Browser Helper Objects (or BHOs) to install themselves into IE. Some BHOs are helpful, like the Google Toolbar, but others (especially those planted by viruses or spyware) can be malicious and harmful. BHODemon gives you a quick look at the BHOs installed on your PC, tells you whether a specific BHO is known to be safe or harmful, and gives you the ability to enable or disable individual BHOs with a single mouse click."
__________________
THE most misspelled word on the Internet is "lose"
LOOSE (for those who misspell it) = not tight
LOSE = to suffer loss
14th March 2009, 05:47 AM   #5
Dancing David
Penultimate Amazing
Join Date: Mar 2003
Location: Central Illinois
Posts: 35,897
There are some issues with uninstalling IE, you may need it to update! At least it won't update through Firefox, curse you Microsoft!

Sounds like a job for HijackThis! They have a very nice forum and will guide you through the process. But you have to agree to do only what they tell you and run the processes as they request them.
MajorGeeks will do something similar.

You could also try ComboFix.
Have you tried MalwareBytes or Superantispyware?

At our school we had a machine that was doing this; there was an audio codec that somebody, most likely a sub custodian, had downloaded. Our tech tried fooling with it and then just reformatted.
__________________
I suspect you are a sandwich, metaphorically speaking. -Donn
And a shot rang out. Now Space is doing time... -Ben Burch
You built the toilet - don't complain when people crap in it. _Kid Eager
Never underestimate the power of the Random Number God. More of evolutionary history is His doing than people think. - Dinwar

Last edited by Dancing David; 14th March 2009 at 05:49 AM.
16th March 2009, 02:17 AM   #6
Brian Jackson
Graduate Poster
Join Date: Aug 2006
Location: Atlanta, Georgia
Posts: 1,107
SOLVED!

Well at least a quick fix. There's a simple program called Startup Defender here that prevents Processes from starting. Simple as that. I just select the offending Process and put it in the kill list.

I've watched Task Manager after installation and every time the Process attempts to start it's immediately killed in less than half a second.

Granted there's more going on under the hood with this infection, but at least the offending virus is not allowed to execute. This one has been driving me crazy and I'm surprised at the lack of at least this simple fix on net forums.

Cheers,
Brian

Last edited by Brian Jackson; 16th March 2009 at 02:19 AM.
16th March 2009, 06:53 PM   #7
Dancing David
Penultimate Amazing
Join Date: Mar 2003
Location: Central Illinois
Posts: 35,897
And good luck. Does Microsoft Malicious Software remover detect anything?

I would at least want to find out what it is, if it is a backdoor trojan then more is yet to come.
23rd March 2009, 11:42 PM   #8
Gangularis
Muse
Join Date: Jan 2009
Location: Barberton, Ohio
Posts: 985
Originally Posted by Brian Jackson View Post
SOLVED!

Well at least a quick fix. There's a simple program called Startup Defender here that prevents Processes from starting. Simple as that. I just select the offending Process and put it in the kill list.

I've watched Task Manager after installation and every time the Process attempts to start it's immediately killed in less than half a second.

Granted there's more going on under the hood with this infection, but at least the offending virus is not allowed to execute. This one has been driving me crazy and I'm surprised at the lack of at least this simple fix on net forums.

Cheers,
Brian
You should post a HijackThis log. I'd also try downloading and running the free version of Malwarebytes, update it, perform a quick scan, and then have it remove everything that it finds. It works great. I work at home as a remote tech, and the focus of my work is removing malware, and this is one of the programs the company I work for uses. It does a great job.
27th March 2009, 03:22 AM   #9
TheDaver
hairy farting brute
Join Date: Mar 2008
Location: Montréal
Posts: 972
Download and install the Avast antivirus. Scan your system, disable Startup Defender, and if the problem’s still there, then just bite the bullet – backup your most cherished/important data and do a complete format and reinstall of Windows.
9th April 2009, 10:34 PM   #10
Typicallucas
I AM AN F... B... I... AGENT!!
Join Date: Sep 2008
Location: Next to a burning car in the middle of nowhere.
Posts: 623
Originally Posted by TheDaver View Post
...backup your most cherished/important data and do a complete format and reinstall of Windows.
Absolutely, get prepared to format your hard drive and reinstall Windows.

If you can't eradicate that virus completely (I guess you never can be 100% sure it's gone) you may be opening yourself up to another attack in the future. Your system may have been compromised in some way or the virus may be downloading some of its trojan buddies onto your computer.

I have reinstalled XP twice in the last 2 years and I made a chart of all the steps I need to do for next time. Here is my advice to you.

Backup your important files:
Music, Pictures, Videos, Books, Downloaded Files, Personal and Business Documents
Backup your data from programs:
Quickbooks, Email, Contacts, Calendars, Favorites
Make a list of the drivers you will need to download from the internet
Make a list of the programs you will need to download/install
Take some notes on the appearance of your desktop and program defaults so that you can recreate it
Make sure to get EVERYTHING you want to keep, think long and hard.

Google & print out a guide to formatting and installing XP, I can't link one yet because I'm still new to the forums.

Pick a day when you aren't going to need your computer for urgent business.

In this order:
1) Format
2) Install Windows
3) Update Windows
4) install an Antivirus program
5) install an Antispyware program
6) update and activate both
7) configure Windows Update to update automatically.
8) install any drivers you need to run your peripherals (use yo' periphuruls!)
9) install your programs and tweak your desktop settings
10) copy your backed-up data over and enjoy your fresh XP!
10th April 2009, 07:11 PM   #11
Aerik
Critical Thinker
Join Date: Nov 2006
Posts: 302
Sounds like the virus is opening what's called a "popunder" -- via javascript it can cause the browser to eliminate almost all of its chrome, keep it from appearing in the taskbar, and reduce it to a size you can't see (like a single pixel).