Anti-Spyware Forums



Internet Explorer 7, Background Audio Ads

 
 
George.h2006

 
      27-03-2009, 03:29 PM
Hi,

A friend's PC (Dell Optiplex SX270, XP Pro, SP3) has recently been hit by
some strange hijacker/virus that none of the standard anti-viral, adware,
spyware or malware software seems to be able to find (PC-Tools Anti-Virus,
F-Secure, Ad-Aware, Spybot, Defender etc).

The symptoms are that when XP starts there is already an iexplorer.exe
process running which randomly starts playing audio ads in the background,
though no IE windows are visible anywhere. If I terminate the process, 15 or
so mins later it restarts and does the same thing (the audio ads stop if they
are playing when I terminate the process). Nothing I've found on the internet
so far (CoolWebSearch hijacker etc) has made a dent in it....

Anyone else come across this and any suggestions?
George
 
Shenan Stanley

 
      27-03-2009, 07:00 PM
George.h2006 wrote:
> Hi,
>
> A friend's PC (Dell Optiplex SX270, XP Pro, SP3) has recently been
> hit by some strange hijacker/virus that none of the standard
> anti-viral, adware, spyware or malware software seems to be able to
> find (PC-Tools Anti-Virus, F-Secure, Ad-Aware, Spybot, Defender
> etc).
>
> The symptoms are that when XP starts there is already an
> iexplorer.exe process running which randomly starts playing audio
> ads in the background, though no IE windows are visible anywhere.
> If I terminate the process, 15 or so mins later it restarts and
> does the same thing (the audio ads stop if they are playing when I
> terminate the process). Nothing I've found on the internet so far
> (CoolWebSearch hijacker etc) has made a dent in it....
>
> Anyone else come across this and any suggestions?


MalwareBytes and SuperAntiSpyware?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


 
FromTheRafters

 
      27-03-2009, 07:05 PM
"George.h2006" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> A friend's PC (Dell Optiplex SX270, XP Pro, SP3) has recently been hit
> by some strange hijacker/virus that none of the standard anti-viral,
> adware, spyware or malware software seems to be able to find (PC-Tools
> Anti-Virus, F-Secure, Ad-Aware, Spybot, Defender etc).


Are the antivirus programs you mention both "online scanners" by any
chance?

> The symptoms are that when XP starts there is already an iexplorer.exe
> process running which randomly starts playing audio ads in the
> background, though no IE windows are visible anywhere. If I terminate
> the process, 15 or so mins later it restarts and does the same thing
> (the audio ads stop if they are playing when I terminate the process).
> Nothing I've found on the internet so far (CoolWebSearch hijacker etc)
> has made a dent in it....
>
> Anyone else come across this and any suggestions?


What did you install just before this started happening?

MBAM and SAS are often suggested for general malware removal.


 
PA Bear [MS MVP]

 
      27-03-2009, 07:32 PM
Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting the requested logs
in an appropriate forum.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/...moving_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachi...php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or other appropriate forums.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

George.h2006 wrote:
> Hi,
>
> A friend's PC (Dell Optiplex SX270, XP Pro, SP3) has recently been hit by
> some strange hijacker/virus that none of the standard anti-viral, adware,
> spyware or malware software seems to be able to find (PC-Tools Anti-Virus,
> F-Secure, Ad-Aware, Spybot, Defender etc).
>
> The symptoms are that when XP starts there is already an iexplorer.exe
> process running which randomly starts playing audio ads in the background,
> though no IE windows are visible anywhere. If I terminate the process, 15
> or so mins later it restarts and does the same thing (the audio ads stop if
> they are playing when I terminate the process). Nothing I've found on the
> internet so far (CoolWebSearch hijacker etc) has made a dent in it....
>
> Anyone else come across this and any suggestions?
> George


 
George.h2006

 
      28-03-2009, 10:07 AM
I've not tried SuperAntiSpyware on it yet, Malwarebytes I don't like as it's
one of the myriad of packages that tell you you've an infection yet will do
nothing to fix it without parting with money. Something Malwarebytes doesn't
make particularly obvious until AFTER it claims to have found things. Which
to me makes it almost as bad.

> MalwareBytes and SuperAntiSpyware?
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>

 
George.h2006

 
      28-03-2009, 10:12 AM
Hi TheRafters

> > some strange hijacker/virus that none of the standard anti-viral,
> > adware, spyware or malware software seems to be able to find (PC-Tools
> > Anti-Virus, F-Secure, Ad-Aware, Spybot, Defender etc).
>
> Are the antivirus programs you mention both "online scanners" by any
> chance?


F-Secure is an online scanner, PC-Tools etc aren't. Trend on-line scanner
claimed to find 101 infections (wouldn't list them) but hung claiming to clear
them.

> What did you install just before this started happening?


I wish I knew what he'd done - most likely been clicking on anything that
came attached to an email and/or anything that seemed like he could click on
it on God knows what web sites. Needless to say he's had severely slapped
wrists!

>
> MBAM and SAS are often suggested for general malware removal.


Closest I've got is using HijackThis which seems to show TWEX.EXE tagged
on the end of UserInit (after C:\Windows\System32\userinit.exe). But I've had
no success using Safe Mode or recovery console to find the blighter and
remove it or any of the tools claimed to remove TWEX.
 
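The Userinit finding in the post above can be checked mechanically. This is an added example, not part of any post in this thread: it scans HijackThis log text for the Userinit line and reports every entry other than the `C:\Windows\System32\userinit.exe` path quoted in the post. The `F2 - REG:system.ini: UserInit=` line shape and the sample log lines are assumptions, constructed for illustration.

```python
import re

# Assumed baseline: the only entry expected in the Winlogon Userinit value.
EXPECTED = r"c:\windows\system32\userinit.exe"

# Assumed HijackThis line shape for the Userinit value.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def split_userinit(value):
    """Split the comma-separated Userinit value into cleaned entries."""
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:  # the stock value ends in a comma, so skip the empty tail
            entries.append(part)
    return entries


def extra_userinit_entries(log_text):
    """Return every Userinit entry in the log that is not the expected one."""
    extras = []
    for line in log_text.splitlines():
        match = F2_USERINIT.match(line.strip())
        if not match:
            continue
        for entry in split_userinit(match.group(1)):
            # Compare case-insensitively; a look-alike path is still flagged.
            if entry.lower() != EXPECTED:
                extras.append(entry)
    return extras


# Constructed sample log lines, not taken from the thread.
SAMPLE_INFECTED = "\n".join([
    r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe",
    r"F2 - REG:system.ini: UserInit=C:\Windows\System32\userinit.exe,TWEX.EXE,",
])
SAMPLE_CLEAN = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"

if __name__ == "__main__":
    for name, log in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, extra_userinit_entries(log))
```

Anything the function returns runs at every logon alongside userinit.exe, which is why an entry placed there survives killing the process it launches.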
 
George.h2006

 
      28-03-2009, 10:23 AM
Thanks for the advice PA Bear,

Tried researching it as best as I could, but amazed at how many responses on
some sites seem little more than ads for MalwareBytes software (not free!).

As he started noticing the problem 2/3 weeks ago and only started
complaining about it a couple of days ago it's probably well embedded now.
Most of the research I've done (including HiJackThis logs) has shown up dead
ends or advice (not working) for removal of the only thing showing up
(TWEX.EXE).

Luckily I've a spare identical SX270 so taking the path of least resistance
(and probably safest!) and building a new machine with IE8 etc, Defender,
definitely no nasties, all the security turned on AND (most important for my
friend) a more locked down logon! I think it has been made a lot worse by him
logging on with full Administrator privs! On the replacement machine I'm
building for him I'm keeping those for myself only! Then after moving his
emails/files across (scanned to death!) I'll take his old PC, wipe it, and
use it as my Windows 7 eval machine since that's what I've been using the
replacement machine as....



"PA Bear [MS MVP]" wrote:

> Unexplained computer behavior may be caused by deceptive software
> http://support.microsoft.com/kb/827315
>
> Run a /thorough/ check for hijackware, including posting the requested logs
> in an appropriate forum.



 
Malke

 
      28-03-2009, 12:18 PM
George.h2006 wrote:

> I've not tried SuperAntiSpyware on it yet, Malwarebytes I don't like as
> it's one of the myriad of packages that tell you you've an infection yet
> will do nothing to fix it without parting with money. Something
> Malwarebytes doesn't make particularly obvious until AFTER it claims to
> have found things. Which to me makes it almost as bad.


I'm sorry but this is completely wrong. Malwarebytes' Anti-malware (MBAM) is
free. The latest version, 1.35, has a small "Purchase" button next to the
"Exit" button but otherwise acts exactly as it always has. IOW, the free
version removes malware just fine. I used MBAM on a client's machine a few
days ago and just downloaded/installed/scanned with the latest version on
one of my machines to be sure nothing has changed. It hasn't.

It is very possible that you downloaded a fake MBAM or somehow
misinterpreted what you saw after running it. The correct site for MBAM is
www.malwarebytes.org.

Your friend's computer is severely infected. Your friend should follow PA
Bear's advice or take the machine to a local computer tech. I don't
recommend using a BigComputerStore/GeekSquad type of place.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
http://www.elephantboycomputers.com/#FAQ

 
Shenan Stanley

 
      28-03-2009, 02:06 PM
George.h2006 wrote:
> I've not tried SuperAntiSpyware on it yet, Malwarebytes I don't like
> as it's one of the myriad of packages that tell you you've an
> infection yet will do nothing to fix it without parting with money.
> Something Malwarebytes doesn't make particularly obvious until
> AFTER it claims to have found things. Which to me makes it almost
> as bad.


MalwareBytes doesn't ask you for money before cleaning - you must be using
something else.

In other words - you are incorrect and mistaken - or just plain wrong. ;-)

Grab the Free Trial Version (Blue button on left):
http://www.malwarebytes.org/mbam.php

Specifically (1.35 released March 26, 2009.)
http://download.cnet.com/Malwarebyte...=dl&tag=button

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


 
PA Bear [MS MVP]

 
      28-03-2009, 02:41 PM
What Malke said.

The MBAM Free Trial Version button found here (only!)
http://www.malwarebytes.org/mbam.php gives you the same application as does
the Full Version button. However, the free version does not include
real-time protection, scheduled scanning, and scheduled updating. You can
download the free version and then activate (upgrade to) the full version
for a one-time fee of $24.95 USD (which will support the work being done at
www.malwarebytes.org forums, etc.).

That being said and while MBAM is a very effective utility that will detect
AND remove what it finds (when used properly), it would be best for your
friend to post in one of the forums after running MBAM so an expert can
determine if all the hijackware has been removed.
--
~PA Bear

George.h2006 wrote:
> Thanks for the advice PA Bear,
>
> Tried researching it as best as I could, but amazed at how many responses
> on some sites seem little more than ads for MalwareBytes software (not
> free!).
>
> As he started noticing the problem 2/3 weeks ago and only started
> complaining about it a couple of days ago it's probably well embedded now.
> Most of the research I've done (including HiJackThis logs) has shown up
> dead ends or advice (not working) for removal of the only thing showing up
> (TWEX.EXE).
>
> Luckily I've a spare identical SX270 so taking the path of least
> resistance (and probably safest!) and building a new machine with IE8 etc,
> Defender, definitely no nasties, all the security turned on AND (most
> important for my friend) a more locked down logon! I think it has been made
> a lot worse by him logging on with full Administrator privs! On the
> replacement machine I'm building for him I'm keeping those for myself only!
> Then after moving his emails/files across (scanned to death!) I'll take his
> old PC, wipe it, and use it as my Windows 7 eval machine since that's what
> I've been using the replacement machine as....
>
>
>
> "PA Bear [MS MVP]" wrote:
>> Unexplained computer behavior may be caused by deceptive software
>> http://support.microsoft.com/kb/827315
>>
>> Run a /thorough/ check for hijackware, including posting the requested
>> logs in an appropriate forum.
>> <snipped>


 