Virus
I have a vicious malware that randomly plays audio clips. It loads it self upon boot up at the user login screen. After loggin in, the mixer shows a noname source is active.
I have AVG free running. I have run Combofix, MalwareBytes, fixTDSS, and Sophos with negative results.
It appears to be streaming because it only plays when I am connected to the internet.
Also, I can't identify any services or processes that point to the culprit.
I can't find any useful references on Google, so this must be fairly new.
I have AVG free running. I have run Combofix, MalwareBytes, fixTDSS, and Sophos with negative results.
It appears to be streaming because it only plays when I am connected to the internet.
Also, I can't identify any services or processes that point to the culprit.
I can't find any useful references on Google, so this must be fairly new.
Lee W, MVP
Check your scheduled tasks and look over the system with Autoruns. Never heard of a virus like this and doubt it's actually a virus would think someone is playing a trick on them.
A look into the startup items in msconfig may show some unnamed process or service. I would deactivate any of those found and reboot.
jsmitter--
When you have IE running and you can hear the audio, run Process Explorer.
http://technet.microsoft.com/en-us/sysinternals/bb896653
See if you can pick out the audio file from the list that will be presented.
When you have IE running and you can hear the audio, run Process Explorer.
http://technet.microsoft.com/en-us/sysinternals/bb896653
See if you can pick out the audio file from the list that will be presented.
ASKER
There is nothing listed in Scheduled Tasks and disabling local services items in msconfig has no effect.
It's interesting to note that SP1 is not installed and when trying to use Microsoft Update to upgrade it, Microsoft reports that it doesn't recognize the OS???
It's interesting to note that SP1 is not installed and when trying to use Microsoft Update to upgrade it, Microsoft reports that it doesn't recognize the OS???
Try a scan with Windows Defender Offline
http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline
This runs the the A/V utility outside of the OS and not subject to possible manipulation by the virus.
http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline
This runs the the A/V utility outside of the OS and not subject to possible manipulation by the virus.
ASKER
Procmon errors out because it can't exract itself for some reason. The OS is 64 bit, so I don't know why it won't run, Will try Windows Defender now.
ASKER
Since Windows Defender is part of Windows, I am looking for a recommendation for a "safe" website to download it from? In the meantime, I ran MS Windows safety Scanner which came up clean.
jsmitter--Since you are using Win 7, Microsoft Security Essentials is a better choice than Windows Defender.
http://windows.microsoft.com/en-us/windows/security-essentials-download
See
http://blogs.msdn.com/b/securitytipstalk/archive/2013/11/14/windows-defender-and-microsoft-security-essentials-which-one-do-i-need.aspx
for a comparison of MSSE and Windows Defender on Win7
Earlier I suggested Process Explorer and you said "procmon errors out". Did you mean procmon? That has been superseded by Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645
http://windows.microsoft.com/en-us/windows/security-essentials-download
See
http://blogs.msdn.com/b/securitytipstalk/archive/2013/11/14/windows-defender-and-microsoft-security-essentials-which-one-do-i-need.aspx
for a comparison of MSSE and Windows Defender on Win7
Earlier I suggested Process Explorer and you said "procmon errors out". Did you mean procmon? That has been superseded by Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645
ASKER
I had to extract the process monitor file and now it executes.
It revealed that there are lot of tmp files being generated. For example, all the file names contain the three letter prefix "fla" followed by a hexadecimal number. For example one is listed as "flaE815.tmp". A new one is created just before a new clip begins to play through the mixer. It contains a different hex number in its file name.
Is there a way to see what program is launching the file?
It revealed that there are lot of tmp files being generated. For example, all the file names contain the three letter prefix "fla" followed by a hexadecimal number. For example one is listed as "flaE815.tmp". A new one is created just before a new clip begins to play through the mixer. It contains a different hex number in its file name.
Is there a way to see what program is launching the file?
ASKER
The Process Monitor under Event Properties - Process Tab, shows these files to have the following parameters -
"Path" C:\Windows\system32\svchos
"Command Line": C:\Windows\system32\svchos
"Path" C:\Windows\system32\svchos
"Command Line": C:\Windows\system32\svchos
jsmitter--
regrettably I do not think either of those files are the problem.
Both are Windows files
http://windows.microsoft.com/en-us/windows/what-is-svchost-exe#1TC=windows-7
DComLaunch is a Windows Service.
regrettably I do not think either of those files are the problem.
Both are Windows files
http://windows.microsoft.com/en-us/windows/what-is-svchost-exe#1TC=windows-7
DComLaunch is a Windows Service.
ASKER
Sorry Firebar, I didn't realize that there was a product called "Windows Defender Offline". I followed Microsoft's instructions and ran it from a usb flash drive. It produced a clean report.
Still no solution.
Still no solution.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
jsmitter, what was your solution?
ASKER
Sorry, I thought I posted it.
The culprit was the Zekos Trojan. RogueKiller V8.8.2 did a superb job in removing it. They documented the Trojan component thoroughly, as can be seen on their website http://www.adlice.com/zeko
I love this site!
The culprit was the Zekos Trojan. RogueKiller V8.8.2 did a superb job in removing it. They documented the Trojan component thoroughly, as can be seen on their website http://www.adlice.com/zeko
I love this site!
jsmitter -tx for the info -always useful to know what worked, and what not.
have a nice day!
have a nice day!