
Strange sounds indeed! [RESOLVED]



#1
thinkbig

I am an Aussie expat living in Hong Kong so hope this does not preclude me from seeking assistance... we are more or less on the same side I guess!!
I am no Geek but have some basic knowledge and am willing to follow instructions.

I am getting weird intermittent sound from my PC... rifle shots, sirens, bells, dogs barking (I am not barking mad but maybe soon).
Running XP SP2 updated, Norton Anti virus and Utilities including GoBack, updated daily (would have to go back 2 months if all else fails!), McAfee Firewall.

Have run Norton scan in normal and safe mode and Trend Housecall in normal. Trend picked up JavaBytever.A but would not let me delete it... said it was in use. However a second scan did not detect it so I assume it was cleaned.

Have run AdAware, SpyBot, CCleaner, Spywareblaster, CWShredder, TDS3 which noted a change in Autostart registry, EWido which picked up tracking cookies others did not, Aboutbuster, Kill2me, WinPatrol... all these with Norton Restore turned off.
Hijack log below and any advice greatly appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 7:43:51 PM, on 18/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Spyware\security suite\ewidoctrl.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\H40JI3AF\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HKJC Applet - https://bet.hongkong.../ib/en/HKJC.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{68CF0939-08D6-4DA4-BE92-9F62DF4D39E2}: NameServer = 202.14.67.4 202.14.67.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1878BD9-5B3E-45DD-A4D9-B18221683DBB}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Spyware\security suite\ewidoctrl.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2
Metallica

I don't see anything wrong in your log.

Could those sounds be caused by a program trying to warn you about something?
I once spent an entire afternoon on unexpected sounds that turned out to be caused by a popup blocker.

One option you can try:
http://www.sysintern...kitreveal.shtml

Regards,

#3
thinkbig

Thanks Metallica,

I have been out of town for a couple of days so just back on the case. I am not running any programmes that I know of that will constantly give such different warning sounds... intermittent with no pattern I can detect, one minute barking then next shots or sirens.
I have disabled Windows sounds.
I ran the rootkit search and came up with this.

C:\Documents and Settings\user\Cookies\user@cgi-bin[1].txt 5/25/2005 11:32 AM 98 bytes Hidden from Windows API.
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt 5/25/2005 11:34 AM 95 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\45ANODEZ\1116700714271[1].html 5/25/2005 11:35 AM 8.92 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\45ANODEZ\CACPQZ0X.htm 5/25/2005 11:35 AM 196 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\45ANODEZ\ctype=index&cat=ros&site=age&adspace=textad&loc=3&isiframe=yes&domain=smh.com[9].htm 5/25/2005 11:36 AM 2.30 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\45ANODEZ\ebServing[1].js 5/25/2005 11:36 AM 1.97 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\89IBW5YR\cat=home&ctype=index&subcat=news&site=smh&adspace=180x210[2].htm 5/25/2005 11:35 AM 6.03 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\89IBW5YR\cat=home&site=smh&adspace=468x60&domain=smh.com[1].htm 5/25/2005 11:35 AM 7.19 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\89IBW5YR\CAUYS1QI.htm 5/25/2005 11:36 AM 196 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\89IBW5YR\ctype=index&cat=ros&site=age&adspace=textad&loc=1&isiframe=yes&domain=smh.com[8].htm 5/25/2005 11:36 AM 2.27 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\89IBW5YR\ctype=index&cat=ros&site=age&adspace=textad&loc=2&isiframe=yes&domain=smh.com[8].htm 5/25/2005 11:36 AM 2.31 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\89IBW5YR\html&color_bg=FFFFFF&color_text=000000&color_link=003366&color_url=0066CC&color_border=1A63A5&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=480&u_his=1&u_java=t 5/25/2005 11:35 AM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CLM3OPUN\cat=home&ctype=index&subcat=news&site=smh&adspace=180x210[1].htm 5/25/2005 11:36 AM 6.00 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CLM3OPUN\cat=home&site=smh&adspace=468x60&domain=smh.com[1].htm 5/25/2005 11:36 AM 7.19 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CLM3OPUN\cat=home&site=smh&adspace=text&domain=smh.com[1].htm 5/25/2005 11:35 AM 1.87 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CLM3OPUN\cat=home&site=smh&adspace=text&domain=smh.com[2].htm 5/25/2005 11:36 AM 1.87 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CLM3OPUN\html&color_bg=FFFFFF&color_text=000000&color_link=003366&color_url=0066CC&color_border=1A63A5&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=480&u_his=1&u_java=t 5/25/2005 11:35 AM 1.27 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CLM3OPUN\site=smh&adspace=100x29[1].htm 5/25/2005 11:36 AM 903 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CLM3OPUN\site=smh&adspace=100x29[2].htm 5/25/2005 11:35 AM 904 bytes Hidden from Windows API.

FYI.... smh ref is to a Sydney daily newspaper

I am a bit concerned that this rootkit search programme is trying to plant itself in my start up menu?

I notice that whenever the sounds play a file Qserver.exe shows up in Windows Task Manager Processes but I think this is a Norton file??


Regards

David

#4
Metallica

If it is Symantec's Qserver.exe then it could be responding to something.

Can you try running a full system scan with NAV in safe mode?

Let me know if it turns up anything.

Regards,

#5
thinkbig

Hi Pieter,

Did the full scan of NAV in safe mode...no infection found. Uninstalled Nero which is the only thing I have installed in recent times...not the cause (no surprise) but did get a siren sound blast when I started to uninstall.

The only pop up blocker I have is XP....don't install any strange tool bars etc.

Regards & thanks for your interest ......

David

#6
Metallica

Can you do a Find Files for *.wav?

See if any of them show up in places where they shouldn't?

Regards,
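
The *.wav search suggested in this post, as an added example that is not part of the original thread: it walks a directory tree and lists .wav files that sit outside the folders where system sounds are expected. The expected-folder list, the `ExampleMailFilter` name and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Assumption: folders (relative to the scan root) where .wav files are expected.
EXPECTED_DIRS = ("windows/media",)


def find_unexpected_wavs(root, expected_dirs=EXPECTED_DIRS):
    """Return {relative_dir: [wav file names]} for .wav files found outside
    the expected folders. Matching is case-insensitive, as on Windows."""
    hits = defaultdict(list)
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace("\\", "/").lower()
        if any(rel == e or rel.startswith(e + "/") for e in expected_dirs):
            continue  # stock system sounds, not interesting
        for name in files:
            if name.lower().endswith(".wav"):
                hits[rel].append(name)
    return {d: sorted(names) for d, names in hits.items()}


def build_sample_tree(root):
    """Create a small constructed directory tree to scan (not real data)."""
    sample = [
        "WINDOWS/Media/chimes.wav",
        "Program Files/ExampleMailFilter/sounds/siren.wav",
        "Program Files/ExampleMailFilter/sounds/bark.WAV",
        "Program Files/ExampleMailFilter/readme.txt",
        "Documents/notes.txt",
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"")


def run_demo():
    """Scan the constructed tree and return the unexpected .wav locations."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_unexpected_wavs(root)


if __name__ == "__main__":
    for folder, names in sorted(run_demo().items()):
        print(f"{folder}: {', '.join(names)}")
```

Grouping by folder points at the owning application, which is what identifies the program responsible for the sounds.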

#7
thinkbig

I now feel a bit of an idiot!!! You were right first time but I did not realise what it might be.

I went through the .wav files and listened to them. Turns out it is my bl...dy McAfee Spam Killer which plays all these weird warning sounds when mail/spam arrives. I have had the program for a couple of years but re-installed recently and must have enabled sounds....I have now disabled sound and expect my problem has gone away. I have learned a bit more about spyware and files as well.
Apologies for wasting your time when you have more important things to do but you have restored my sanity and your guidance is greatly appreciated.

I will continue to watch the forum posts as part of my learning curve.

Cheers and thanks again

David

#8
Metallica

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.