Articles

Random audio playing and can't shut it off

November 18, 2012 at 10:11:23
Specs: Windows 7

This has been happening for several months and I have no idea what to do. Random audio will start playing on my computer, mostly ads, but sometimes it sounds like videos or news or people talking. It happens even when all my browser windows are closed and I have no applications running. It has even woken me up in the middle of the night after I thought my computer was asleep.

I've opened task manager and can't find the problem. Many times as soon as I open task manager, it stops so it's hard to catch. It usually lasts for less than 2 minutes, but today it just kept going for 15 minutes or so. It will stop doing this for weeks at a time, then randomly come back.

I have not downloaded anything recently or installed any new software. I have Norton Internet Security and I've scanned several times with Malwarebytes and it comes up with nothing. I've checked running services, startup, sounds, etc.- nothing comes up. It is incredibly frustrating.

I am running Windows 7.

I read on another forum someone had a similar problem and it was a process "indt2.sys" but I don't even have that process anywhere.

Any help is appreciated. Thanks.


See More: Random audio playing and cant shut it off

Report •


#1
November 18, 2012 at 13:52:34

We have to start somewhere, lets start with this.

Run ESET & post the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a thumb drive & run it from there.
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start ? Run dialog box from the Start Menu on the desktop.


Report •

#2
November 18, 2012 at 18:17:12

OK, I will run the scan tonight and see what happens.

Report •

#3
November 18, 2012 at 22:15:59

imanygirl,
Sounds like you have an unwanted rootkit installed. Run these 3 free progs in EXACTLY the order listed, don't reboot untill after the last scan

1- rkill.exe
http://www.bleepingcomputer.com/dow...
2- tdss killer
http://support.kaspersky.com/faq/?q...
3- malwarebytes
http://www.filehippo.com/download_m...

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


Report •

Related Solutions

#4
November 19, 2012 at 11:05:17

I ran the ESET Scanner and am copying and pasting the log file below: I just hope I didn't delete anything I use.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=e8665276cde2b34487b4287a9bea123e
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-11-19 06:52:59
# local_time=2012-11-19 01:52:59 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 62104798 104889459 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=165653
# found=11
# cleaned=11
# scan_time=5170
C:\Program Files (x86)\DAEMON Tools Lite\cnet2_DTLite4451-0236_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Free FLV Converter\cnet_FreemakeVideoConverter_2_3_4_0_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Free FLV Converter\Setup_FreeFlvConverter.exe Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Freemake\FreemakeVideoConverterSetup.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\IObit\gb3-setup.exe a variant of Win32/Toolbar.Widgi application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\anygirl\AppData\Local\Temp\FreemakeVideoConverter_3.1.1.4.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\anygirl\AppData\Roaming\Mozilla\Firefox\Profiles\rdfxsb1w.default\extensions\{a8824621-54a8-454c-9619-703313eb72cf}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\anygirl\AppData\Roaming\Mozilla\Firefox\Profiles\rdfxsb1w.default\extensions\{ac088ab9-ed83-47e5-8746-356d65acf25d}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\anygirl\Downloads\FotoMorphV13Setup.exe a variant of Win32/Toolbar.Funmoods application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CrashDumps\xlzbnr.dll a variant of Win32/Kryptik.AGFG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\nsq518A.tmp\xlzbnr.dll a variant of Win32/Kryptik.AGFG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Report •

#5
November 19, 2012 at 11:06:26

I just did the ESET thing. I am not going to do all those other things unless that turns out not to have worked. I'll just have to wait and see if it worked.

Report •

#6
November 19, 2012 at 13:07:48

It wouldn't hurt at all to run the three tools that XPuser4real suggests.
One scanner might miss something, and you have some nasty Trojans found already. Leaving any traces behind can cause reinfection. (I know Johnw will not be relying on that one scan. And all pc's should have Malwarebytes installed on them for extra protection)

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?


Report •

#7
November 19, 2012 at 13:13:21

"I'll just have to wait and see if it worked"
No one program will remove everything, ESET is just the beginning of the process, remnants left will once again infect the comp & slowly invade deeper & deeper.

Report •

#8
November 19, 2012 at 13:20:37

Correct MrGoodguy, shall wait for a response from imanygirl.

Report •

#9
November 21, 2012 at 06:55:22

I have Malwarebytes installed and run a full scan at least once a week. It didn't pick up any of the other stuff. I had Norton Internet Security installed until two days ago, when I got fed up with it. It always fails and I have to reinstall it and I don't have time to do that every other week. I was going to wait and see if I had any more problems with the audio thing before downloading and running the other three programs, but I guess I'll do it anyway. It kind of surprises me that Malwarebytes didn't catch anything. I always thought they were the most thorough. OK, I'll post the results of the other 3 programs as I get them. It might be a day or two since I don't know how much time they will take to run. Thanks.

Report •

#10
November 21, 2012 at 07:01:21

Oh, I just realized that Malwarebytes was one of the three you listed. Well, so we already know that didn't find anything. I just downloaded the other two, but while I was downloading the first one, I got a strange message saying the it failed to save because it wouldn't save to the desktop because that file couldn't be altered or something along those lines, which I have never had before. I always save to the desktop when I download from online so I had to change the destination folder and it worked. I don't know what that was about.

I already ran Rkill and here is the log file from that:

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 11/21/2012 10:03:18 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\SysWOW64\ezSharedSvcHost.exe (PID: 396) [SFI]

1 proccess terminated!

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\anygirl\Desktop\rkill\rkill-11-21-2012-10-03-25.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 11/21/2012 10:03:36 AM
Execution time: 0 hours(s), 0 minute(s), and 18 seconds(s)


Report •

#11
November 21, 2012 at 07:13:44

OK, well, this all took a lot less time than I anticipated, obviously. So I ran the other one and it says I have to reboot, but I'm really, really nervous about doing so because it says that it the hard disk was infected and something about rootkit.boot and if it doesn't work, I'm worried my computer won't reboot at all. There is no log file that I can see yet, so I took a screenshot of the results. I can't figure out how to insert the image into this post so I'm just going to post the link.

http://i.imgur.com/NLYbZ.jpg

Btw, "Sounds like you have an unwanted rootkit installed.." Sounds like you were totally right! I'm running Malwarebytes again before I reboot. Then I'll just take my chances, I guess.


Report •

#12
November 21, 2012 at 11:55:44

Run the new Malwarebytes Rootkit Scanner from this link:
http://www.malwarebytes.org/product...
A user guide at this link:
http://www.bleepingcomputer.com/vir...

If you did reboot please rerun Rkill and TDSSkiller before the Rootkit scan.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?


Report •

#13
November 21, 2012 at 14:05:32

Please copy & paste instructions into a text file, print steps & info. You will need them, as they are hard to remember, for when you are offline.

Note: Is your important stuff backed up, including your emails & address book? Anything can happen, during the clean up.

The badies are always ahead of the goodies, be aware, this can be a very long process, involving many different tools to clean up an infected comp.
Some infections are irremovable.
Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc.
The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.
http://www.dslreports.com/faq/10063
How to report ID theft, fraud, drive-by installs, hijacking and malware?
http://www.dslreports.com/faq/10451
Change your router password if it is not strong or still uses the default one.
Hack lets intruders sneak into home routers
http://tinyurl.com/4pz64fc
http://compnetworking.about.com/od/...

If you do decide to reinstall, make sure you delete ALL partitions & format to NTFS.
D to Delete the selected partition ( XP )
http://www.blackviper.com/os-instal...
W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...
Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system, may cause other parts to stop working, such as your Internet connection or Services. These then we have to repair.

If any program won't run ( due to the infection ) let me know. Post the log/logs after each run.
Screenshots ( SS ) may also requested, or if you want to illustrate a point yourself, use the uploader.
If any of the logs are too large, upload them to a site of your choosing or, all can be done with this. I use Imgur.com
Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru
How to use
http://i.imgur.com/IwZrT.gif
http://i.imgur.com/q4uHK.gif
http://i.imgur.com/qk0sN.gif
http://i.imgur.com/TTVsl.gif
For other files.
http://i.imgur.com/KT4wS.gif
http://i.imgur.com/wAG3q.gif

After each fix or change we make, let me know how the comp is running. Example: Still got Random audio playing and can't shut it off.


Report •

#14
November 21, 2012 at 14:06:44

After finishing MrGoodguy post #12

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://www.sur-la-toile.com/RogueKi...
http://www.sur-la-toile.com/RogueKi...
RogueKiller tutorial
http://en.kioskea.net/faq/11626-rog...

4: Run ComboFix
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.


Report •


Ask Question