Virus issue -- strange sounds from PC

Problem: Strange noises come from the Win XP desktop when there is an internet connection, even if no browser is open. The noises cease once I disable the connection. The noises sound like a strange mash-up of TV/radio sounds.

Attempts to resolve: I have run full scans of my system using McAfee, Malwarebytes and AdAware. Threats were detected and resolved, but the problem persists. I have also deleted temp files.

Suggestions, anyone? Thanks in advance.

Check drivers for rogue entities? Particularly sound and network, since that seems to be where the problem arises.

Does the WinXP sound mixer show which program is producing sounds? Win7’s does, but I don’t remember if the feature dates back to XP or not.

Not sure how to do this, other than with the utilities I’ve already run. Perhaps I should uninstall and reinstall the sound drivers.

Does the WinXP sound mixer show which program is producing sounds? Win7’s does, but I don’t remember if the feature dates back to XP or not.

I don’t believe the mixer shows this. And when I hear these sounds, I go to task manager and nothing is running. I’ve tried going into processes in the task manager and ending any processes that look odd, but that hasn’t stopped this either.

Just now I uninstalled and reinstalled the sound card driver, but the problem remains.

Maybe try something like Process Explorer to see which processes are using network traffic?

Also, Spybot - Search and Destroy.

Oh! My son had this VERY issue this weekend. Creepy, right? Like a blending of radio stations or something. I figured it was a virus, backed up his documents/profile, and formatted his drive and re-installed Windows. Takes me like an hour to put it all back together, then another couple hours for updates, and he was back up and running. I’ve long since stopped fucking around with “cleaning up” a system, since it’s pretty easy to just re-install everything these days, and a lot of his data is auto-archived on Dropbox. /shrug

That would be a weird virus to make itself known by including sound effects. Kind of self-defeating, isn’t it?

My guess is something else is amiss.

edit - … which can often be “fixed” with the nuke-it-from-orbit approach.
edit 2 - upon further review, there apparently was once a virus that played random sound clips that popped up in the wild about six years ago. The culprit was indt2.sys and prefs.exe back then. I still have no idea why someone who made a virus would want to advertise it was installed on your system without an associated extortion request built in.

Thanks for the suggestions. I am running Spybot right now. With Process Explorer, I am uncertain how to tell which processes are using network traffic. However, I did kill a few processes that looked to be of dubious origin. That did not solve the problem. The remaining processes that are running appear to be legit.

Exactly, a mash-up of what sound like tv or radio reports.

Nuking it with a full re-install is not an option at this point, unfortunately.

EDIT: Spybot found and eliminated some spyware, but problem persists. Any further ideas would be greatly appreciated, though I doubt there’s anything that can be done short of a full re-install.
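One way to answer the "which processes are using the network" question raised above, added here as an example and not part of any post in the thread: save the output of `netstat -ano` and `tasklist /fo csv /nh` to text and join them on PID. Both samples below are constructed, and the function name `remote_talkers` is hypothetical.

```python
import csv, io, ipaddress

# Constructed `netstat -ano` output; remote addresses are documentation ranges.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.20:1042      203.0.113.77:80        ESTABLISHED     1884
  TCP    192.168.1.20:1043      198.51.100.9:80        ESTABLISHED     1884
  TCP    192.168.1.20:1050      203.0.113.5:8000       ESTABLISHED     2960
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED     420
  UDP    0.0.0.0:500            *:*                                    700
"""
# Constructed `tasklist /fo csv /nh` output; PID 2960 is deliberately absent.
TASKLIST = '''"svchost.exe","932","Console","0","4,120 K"
"svchost.exe","1884","Console","0","18,904 K"
"mcshield.exe","420","Console","0","30,112 K"
'''
# Loopback and RFC 1918 ranges are treated as local and ignored.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def remote_talkers(netstat_text, tasklist_text):
    """Return {pid: {name, remotes}} for established TCP sessions to non-local hosts."""
    names = {row[1]: row[0]
             for row in csv.reader(io.StringIO(tasklist_text)) if len(row) >= 2}
    talkers = {}
    for line in netstat_text.splitlines():
        f = line.split()
        # Header, UDP and listening rows do not match this shape and are skipped.
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue
        host = f[2].rpartition(":")[0]
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if any(ip in net for net in LOCAL_NETS):
            continue
        # A PID that netstat reports but tasklist does not list deserves a closer look.
        entry = talkers.setdefault(
            f[4], {"name": names.get(f[4], "<not in tasklist>"), "remotes": []})
        entry["remotes"].append(f[2])
    return talkers

if __name__ == "__main__":
    for pid, info in remote_talkers(NETSTAT, TASKLIST).items():
        print(pid, info["name"], ", ".join(info["remotes"]))
```
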

I should mention that in the case of my son’s PC, MSE was also locked down so even the system couldn’t make changes. I couldn’t seem to get permissions/ownership back to it and get it to the point where it could be removed, attempts at a re-install failed outright, and it wouldn’t launch whatsoever. I didn’t feel like fixing that issue on top of that strange sound bug thing, so I just started over. If you can’t start over, I feel for ya, that’s a tough spot to be in. After this time, make sure it’s never a spot you’re in again though! I recommend Dropbox to store important documents on (I even moved my documents, pictures, and music folders to point to sub folders in my Dropbox folder, so things like save games and documents I work on auto-upload and I can get to them at work, too) and also getting a USB stick to keep a hard copy in wherever you keep other important documents, if needed. Then if you have to wipe your system, it’s not a big deal, just a time sink.

Just a thought - do you have a mic plugged in (or operative) that’s feeding back what’s going on in the room back out through the speakers, perhaps with audio compression or other audio effects, so it’s not recognizable as such?

I saw this exact scenario on a friend’s laptop a few weeks ago, albeit on Win7. A rogue process would periodically start playing sounds, spoken language that sounded like a news report or advertisement. Malwarebytes found some things including a rootkit, but the problem persisted. I ended up running Rootkit Revealer, which found another rootkit. After removing that, the problem went away and has remained away.

Good luck!

Mike, I ran Rootkit Revealer, which found 5,181 discrepancies, though I take it not all of these are problems. I have no idea what to do with this output. Do you happen to recall which rootkit was found on your friend’s laptop?

EDIT: I ran it again and only a few discrepancies turned up:

HKU\S-1-5-21-394406091-1356997682-2509371637-1005\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\URL	10/31/2012 1:50 PM	73 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC*	8/12/2004 1:36 AM	0 bytes	Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*	8/12/2004 1:36 AM	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o 	8/14/2009 3:13 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\szLastScanned	7/11/2013 10:38 AM	58 bytes	Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\dwFilesScanned	7/11/2013 10:38 AM	4 bytes	Data mismatch between Windows API and raw hive data.

I will now research these to see if any are known rootkits.
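A first-pass triage of the report above, added as an example and not part of any post in the thread. It relies on the Sysinternals documentation's note that registry values updated while the scan runs can show up as data or length mismatches, and it assumes the scan time is the newest timestamp in the report; the verdict labels and function names are hypothetical, and the result is only an ordering for manual review.

```python
from datetime import datetime, timedelta

FMT = "%m/%d/%Y %I:%M %p"
# Rows copied from the report quoted in the thread: path, timestamp, size, description.
ROWS = [
    (r"HKU\S-1-5-21-394406091-1356997682-2509371637-1005\Software\Microsoft"
     r"\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\URL",
     "10/31/2012 1:50 PM", "73 bytes",
     "Data mismatch between Windows API and raw hive data."),
    (r"HKLM\SECURITY\Policy\Secrets\SAC*", "8/12/2004 1:36 AM", "0 bytes",
     "Key name contains embedded nulls (*)"),
    (r"HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\szLastScanned",
     "7/11/2013 10:38 AM", "58 bytes",
     "Windows API length not consistent with raw hive data."),
    (r"HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\dwFilesScanned",
     "7/11/2013 10:38 AM", "4 bytes",
     "Data mismatch between Windows API and raw hive data."),
]
REPORT = "\n".join("\t".join(r) for r in ROWS)

def parse(report):
    """Split a tab-separated report into dicts, skipping malformed lines."""
    out = []
    for line in report.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        try:
            when = datetime.strptime(parts[1].strip(), FMT)
        except ValueError:
            continue
        out.append({"path": parts[0], "time": when, "desc": parts[3].lower()})
    return out

def triage(report, scan_time=None, window=timedelta(minutes=30)):
    """Return (path, verdict) pairs; scan_time defaults to the newest timestamp."""
    rows = parse(report)
    if not rows:
        return []
    scan_time = scan_time or max(r["time"] for r in rows)
    result = []
    for r in rows:
        changing = "mismatch" in r["desc"] or "length not consistent" in r["desc"]
        if "embedded nulls" in r["desc"]:
            verdict = "HIDDEN_NAME"          # key name not fully visible to Win32 tools
        elif changing and abs(scan_time - r["time"]) <= window:
            verdict = "CHANGED_DURING_SCAN"  # written around scan time, e.g. scanner counters
        else:
            verdict = "INSPECT"              # old value that still differs from the raw hive
        result.append((r["path"], verdict))
    return result
```

On these rows the two McAfee counters fall into `CHANGED_DURING_SCAN`, while the `SearchScopes` URL, last written months before the scan, is the one mismatch that explanation does not cover.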

Try running a tool called “Hijack This!”, then run the log through one of the many HJT log analyzers on the internet. If you’re unsure what to do then, there are forums where nice people will look through your log and make recommendations.

Before you make any changes or (in particular) run ComboFix, create a Windows restore point.

FYI - if you use a Hijack This analyzer, DO NOT just start yanking things off your computer because something looks funny. It’s there to point you in a direction for research, and doesn’t analyze the merits of the various programs themselves.

Tyler,

I don’t remember precisely which rootkit it was, but it wasn’t anything as indirect as what you found. The one I hit was masquerading physical disk space as RAM (according to RKR) and was blatantly malware. I’m not sure what to make of what you posted, except that a 4-byte discrepancy might hide a pointer? I’m not sure. Your findings are definitely not the same as mine.

Hijack This is a logical next step, but there’s a serious signal-to-noise problem there for non-techies. Did you run Malwarebytes in safe mode?

Thank you Stusser, Dan and Mike. I did try Hijack and ran the results through a couple of sites looking for something obviously malicious. One listing did turn up, which I had removed, but the problem persists.

I have not done Malwarebytes in safe mode. Beyond that, I’m just going to throw in the towel.

Just reimage/format.

If you’re running Windows 8, you can try the “refresh my PC” thingie. It reinstalls Windows on top of itself. It retains your files and Metro apps, but you’ll need to reinstall Win32 programs.

http://windows.microsoft.com/en-us/windows-8/restore-refresh-reset-pc