weird but serious problem

Discussion in 'Hardware' started by spike228, Jan 3, 2005.

  1. spike228

    spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    ok this is not a joke. i am completely serious and i am not sure if this topic belongs here but its a problem thats.....waaay out there.

    my gf's computer, at random times, has a mans voice that is really deep coughing like he was sick. there has also been an instance where the man had a creepy evil laugh, kind of like "muhahahaha" very slowly and in a low voice. she is sure that it is coming from the speakers and even her little brother heard it. this has happened several times. it happens while she is working or if the computer is idle. i have personally checked all windows sounds to see if this was just a prank but no such files were found.

    i know for a fact that her computer has major spyware problems that are a bit hard to fix and is still being worked on. has anyone heard of this or any kind of spyware that maybe causing this?

    she has complained about it several times and its really freaking her out and i have no explanation for it. could it be some kind of interferance as well even though her computer isn't wirelessly connected?

    thank you for taking your time and this situation seriously.
     
    spike228, Jan 3, 2005
    #1
    1. Advertisements

  2. spike228

    D Schrute Assistant Sensei VIP Member

    Joined:
    Aug 31, 2004
    Messages:
    1,201
    Likes Received:
    19
    Location:
    VA & NC
    Is she behind any firewalls? Maybe she should be? I would finish the battle against spyware then see if it continues.
     
    D Schrute, Jan 3, 2005
    #2
    spike228 likes this.
    1. Advertisements

  3. spike228

    James Photojournalist VIP Member

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Location:
    Maine, USA
    Definatley some sort of spyware / malware. Or someone just placed an app that plays random wav files. Have you ever posted her HJT log here?
     
    James, Jan 3, 2005
    #3
    spike228 likes this.
  4. spike228

    nameless VIP Member

    Joined:
    Dec 27, 2004
    Messages:
    183
    Likes Received:
    2
    Location:
    usa
    spike i'd agree that the spy/malware must be taking care of.it it very well could be that she was hacked.you said that some spyware couldnt be removed without damage.why? google spysweeper and download the free version then run it. i'm thinking what seems to be a stuborn gator in fact might be a trojan wich most copys itself into a seprate folder in case the running exe. is deleted. update the antivirus. most trojans has uploading cablities. so someone can upload a file to your machine and excute on your machine.theres a couble trojans that has lamers options like opening drives hiding icons things like that.this sounds like a lamers thing and as "White noise"is gaining poperlity i think we'er going to hear more and more of this kind of lamers stuff. hope this helps.spysweeper sould take care of all your adware/spyware.
     
    nameless, Jan 3, 2005
    #4
    spike228 likes this.
  5. spike228

    davi99 VIP Member

    Joined:
    Feb 4, 2004
    Messages:
    738
    Likes Received:
    5
    Location:
    Chi-town
    Lol i never heard of this before..get it recorded and check in hijackthislog and spybotsearch and destroy <- becareful with thsi program delete something bad it could mess up the whole system
     
    davi99, Jan 3, 2005
    #5
    spike228 likes this.
  6. spike228

    TheOneGreatX VIP Member

    Joined:
    Apr 27, 2004
    Messages:
    1,276
    Likes Received:
    16
    Location:
    US
    white noise?
    no, seriously, its probably spyware, i would agree with posting the HJT log
     
    TheOneGreatX, Jan 3, 2005
    #6
    spike228 likes this.
  7. spike228

    Nickweb Resident Filmaker Moderator

    Joined:
    Nov 7, 2003
    Messages:
    2,532
    Likes Received:
    27
    Location:
    North Wales, Britain
    i agree, spyware
     
    Nickweb, Jan 3, 2005
    #7
    spike228 likes this.
  8. spike228

    spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    i've done a sweep with spysweeper, spybot S&D, and ad-awareSE. they deleted what they could find and still she complains about this. her computer was also scanned with NAV04 and SAV corporate. those found nothing. she is connected through 2 routers which both have firewalls blocking vulnerable ports.

    when i meant some spyware couldn't be deleted, i mean that it keeps coming back even though it just finished being deleted by 3 scanners. i have asked some people and they mentioned something about AIM. i am still investigating the issue with aim. i will post her HJK log later when she comes back.

    thanks everyone.
     
    spike228, Jan 4, 2005
    #8
  9. spike228

    nameless VIP Member

    Joined:
    Dec 27, 2004
    Messages:
    183
    Likes Received:
    2
    Location:
    usa
    white noise is the new movie about people contacting the dead thru the computer.i,m saying that we might hear of lamers using this to wig people out.are far as adware is concerned when it deleted it is gone untell you pick it back up thru the website.sounds like a trojan that has been injected in explore.a simple test log on the net go to command prompt and type in "netstat"and you can see what your machine is connected to.what firewalls she using and how are they configured? you said protecting vulnerable ports.thats every port.put there still is a problem if the firewall is not configured right it very well might stop someone from connecting to her machine,but does not for keeping something on the machine from connecting out.see the firewall believes that if it is on the machine then its suppose to be there.most backdoor trojans are coded to be be ran on a machine in the background and will contact the intruders machine.in the script will be what port etc to use. so from coming from the inside the firewall doesnt know to stop it.backdoors open ports connect to the machine it was told to some can even send an echo to see if the client is up.it might be nothing but if you deleted something that a spyware program found and it came right back then it had a back up file to exacute at boot.some are configured to wait say 3rd,5th,maybe even 10th boot.
     
    nameless, Jan 4, 2005
    #9
  10. spike228

    Snugglez lvl.49 Bone Mage VIP Member

    Joined:
    Dec 14, 2004
    Messages:
    117
    Likes Received:
    2
    Location:
    Whittier, Ca.
    man this is the kinda crap i WISH happened to me. lol its kinda cool and creepy. this is kind of lame advice but did you check to make sure the file wasnt on "hidden"? In the view folder settings? Or even do a BASIC search on the computer for all audio files. (though that can take a couple years to complete).
     
    Snugglez, Jan 4, 2005
    #10
  11. spike228

    spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    hidden files, yea i have those shown. there are no sound files that are a hidden file.

    and thanks nameless on the lesson on backdoor trojans. but the thing is, the firewall can detect when a backdoor trojan is contacting another machine. i have checked the logs and it doesn't read anything about a backdoor trojan.

    as for the thing with white noise, my gf would seriously get creeped out and she wouldn't sleep for nights......i rather not tell her that haha.......

    thanks again.
     
    spike228, Jan 4, 2005
    #11
  12. spike228

    James Photojournalist VIP Member

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Location:
    Maine, USA
    Post her HijackThisLog. It sounds like she as some sort of WAV file playing at certain times. I've seen certain ads do this as well.
     
    James, Jan 4, 2005
    #12
  13. spike228

    nameless VIP Member

    Joined:
    Dec 27, 2004
    Messages:
    183
    Likes Received:
    2
    Location:
    usa
    check the task manger when the noises are being heard.or take a look at processes.
     
    nameless, Jan 4, 2005
    #13
  14. spike228

    spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    yes i will do that today when i go over to her house after school.
     
    spike228, Jan 4, 2005
    #14
  15. spike228

    davi99 VIP Member

    Joined:
    Feb 4, 2004
    Messages:
    738
    Likes Received:
    5
    Location:
    Chi-town
    Oh spike DOes she leave her AIM On..If she does, AIm has Ads That pLay Sound File and i was wondering where that came from, but if you have no other solutions backup computer and reformat
     
    davi99, Jan 4, 2005
    #15
  16. spike228

    davi99 VIP Member

    Joined:
    Feb 4, 2004
    Messages:
    738
    Likes Received:
    5
    Location:
    Chi-town
    by when you said it just keep comming back meaning that the computer has securitys hole for them to come in, try doing a registry mechanic and umm system mechanic
     
    davi99, Jan 4, 2005
    #16
  17. spike228

    spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    davi, yes her aim is running but she is running deadaim which blocks the ad from playing. i will run tune up utilities and reg seeker.

    james, here is her hijack this log

    Logfile of HijackThis v1.99.0

    Scan saved at 2:51:57 PM, on 1/4/2005

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe

    C:\Program Files\Logitech\Video\LogiTray.exe

    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\Microsoft IntelliType Pro\type32.exe

    C:\Program Files\Microsoft IntelliPoint\point32.exe

    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\CreataCard\Gold\FMRemind.exe

    C:\Program Files\Sierra\Planner\Plnrnote.exe

    C:\Program Files\Rainlendar\Rainlendar.exe

    C:\Program Files\Microsoft Office\Office10\msoffice.exe

    C:\WINDOWS\System32\LVComS.exe

    C:\Program Files\Logitech\Video\LowLight.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

    C:\Program Files\Norton AntiVirus\navapsvc.exe

    C:\Program Files\Norton Utilities\NPROTECT.EXE

    C:\Program Files\Speed Disk\nopdb.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\wanmpsvc.exe

    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\DOCUME~1\SUZAKU~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis-1-99[1].zip\Desktop\HijackThis.exe

    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;

    O2 - BHO: kbdscxu - {3CD5A9CF-F9A3-E074-ABF7-8F205BDB4E3C} - (no file)

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\aim\\DeadAIM.ocm",ExportedCheckODLs

    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe

    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

    O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe

    O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe

    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097086104218

    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    O20 - AppInit_DLLs: tbkrnl32.dll

    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe (file missing)

    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE

    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    thanks

     
    spike228, Jan 5, 2005
    #17
  18. spike228

    James Photojournalist VIP Member

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Location:
    Maine, USA
    Are you sure it's not ICQ? ICQ has some weird sounds... Remove these:

    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    O2 - BHO: kbdscxu - {3CD5A9CF-F9A3-E074-ABF7-8F205BDB4E3C} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1097086104218
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
    O20 - AppInit_DLLs: tbkrnl32.dll
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe (file missing)
     
    James, Jan 5, 2005
    #18
  19. spike228

    spike228 ST 38 VIP Member

    Joined:
    Jul 18, 2004
    Messages:
    2,256
    Likes Received:
    18
    Location:
    Honolulu, Hawaii
    she doesn't use ICQ, only her parents use it occasionally when the other computer doesn't work.
     
    spike228, Jan 5, 2005
    #19
  20. spike228

    davi99 VIP Member

    Joined:
    Feb 4, 2004
    Messages:
    738
    Likes Received:
    5
    Location:
    Chi-town
    james i think your missing one

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
     
    davi99, Jan 5, 2005
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.