How do I get rid of a virus/program that is lurking on my PC? The
computer shouts out "Merry Christmas" randomly several times per day.
I have run a current version of Norton Anti-virus on the machine and
it returned no viruses found. This problem started a couple of weeks
ago so it is possible that I inadvertently downloaded this into my
system. |
Request for Question Clarification by endo-ga on 11 Dec 2003 15:21 PST
Hi,
There are several viruses that could fit the description you give.
Could you describe the effects in more detail please?
Also please run Housecall online scan:
http://housecall.trendmicro.com/
If you still have problems, please try the removal instructions found at:
W32.Music.A.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.music.a.worm.html
W32.Brid.B@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.brid.b@mm.html
If these don't fix your problem, please tell me what exactly happens,
is there something on screen as well?
Please let me know how it goes.
Thanks.
endo
|
Clarification of Question by colan-ga on 11 Dec 2003 16:04 PST
Thank you Leonleon and endo.
I am running housecall as I write this and I will see if it helps. I
assumed that Norton Antivirus would catch anything that I might have
had...but perhaps housecall is different?
At any rate, there is not much more to describe about the event.
Randomly, several times per day, a chorus of "Merry Christmas" comes
out of the speakers. Nothing happens on the screen, there is no
noticeable delay to any programs that are running, and no indication
whatsoever that anything is wrong other than the "Merry Christmas."
There does not seem to be any discernible pattern to the timing of the
sounds.
As for the w32.music.a.worm suggestion, the website you suggested says
the worm only runs on W95 and W98. I am running Windows XP;
As for the W32.Brid.B@mm suggestion, the website says to run Norton
Antivirus with an updated set of virus definitions. I tried that
already and Norton came back with no viruses found.
|
Request for Question Clarification by endo-ga on 11 Dec 2003 16:32 PST
Hi,
I'm having trouble locating the name of your particular worm/virus/spyware.
Assuming Housecall doesn't come up with anything, please try Spybot
Search and Destroy and Hijack This:
Spybot
http://www.safer-networking.org/
Hijack This
http://mjc1.com/mirror/hjt/
Still failing that, you can try two more virus scanners:
Computer Associates
http://www3.ca.com/virusinfo/virusscan.aspx
and
Mcafee
http://us.mcafee.com/root/mfs/default.asp
The description of this virus seems relevant, but I still doubt this
is the one that's troubling you:
Merry Xmas
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=775
Please let me know how it goes.
Thanks.
endo
|
Clarification of Question by colan-ga on 13 Dec 2003 13:20 PST
Endo:
I tried running the programs you suggested. The spy software noted a
large number of programs that I deleted. Since then, I have yet to
experience the problem, but as I noted it is random and at this point
I cannot be certain that the problem is fixed. I will continue to
monitor.
|
Clarification of Question by colan-ga on 13 Dec 2003 13:36 PST
Timallan:
1. It started within last 2-3 weeks;
2. The last time I heard the sound, I checked the applications and
there was nothing unusual. I don't remember the exact programs that
were listed but they seemed appropriate (i.e. aol, iexplorer, etc.)
The following is listed currently in the processes: taskmgr, wuauclt,
wcmdmgr, aolwbspd, shellmon, waol, iexplore, wzqkpick, aoltray,
wanmpsvc, ipodservice, nvsvc32, navapsvc, gearsec, agentsvr, acsd,
alg, ccevtmgr, spoolsv, msmsgs, qttask, svchost (local service),
svchost (network service), rundl32, ituneshelper, svchost (system),
svchost (system) [note this appears twice in a row], lsass, services,
e_sohic1, winlogon, csrss, directed, gamechannel, smss, ccapp,
gwinkmonitor, cthelper, explorer, winword, sk9910dm, iexplore, system,
system idle process.
3. W XP-Home
4. Computer is only used by myself and my family
5. yes I have kids (and they do use the computer from time to time)
6. 9 items:
a. domorerunexe.domorerun;
b. housecall control
c. microsoft office template and media...
d. prequalifier class
e. qdiagaolccupdateobj class
f. runexeactivex.runexe
g. stamps.com secure postal account re...
h. techtoolsactivex.techtools
i. wildtangent control
Thanks for your input.
|
Request for Question Clarification by endo-ga on 18 Dec 2003 09:51 PST
Hi,
Have you had the problem since?
Thanks.
endo
|
Clarification of Question by colan-ga on 18 Dec 2003 10:40 PST
Endo:
Thought I had it licked...but my wife said yesterday it happened again.
Part of the frustration is the random nature it seems to use...I can't
really tell if it's gone. I ran the anti-virus and anti-spy software,
but unfortunately it is still there. I am also going to raise the
price offered and request a way to tell whether the problem is really
gone or not. Thanks for all of your input.
|
Request for Question Clarification by endo-ga on 18 Dec 2003 11:16 PST
Hi,
Can you please post a HijackThis log?
Hijack This
http://mjc1.com/mirror/hjt/
Thanks.
endo
|
Clarification of Question by colan-ga on 18 Dec 2003 11:36 PST
endo:
Will try to post a log later this evening when I have access to the computer.
|
Request for Question Clarification by endo-ga on 18 Dec 2003 12:18 PST
Hi,
I'll wait for your log. But after looking at the Iexplore objects, you
might want to remove WildTangent and any trace of it on your computer.
It's a form of spyware. Please have a look at the removal instructions
here:
WildTangent
http://www.safersite.com/PestInfo/w/wildtangent.asp
Thanks.
endo
|
Clarification of Question by colan-ga on 18 Dec 2003 16:23 PST
From Hijack This:
Logfile of HijackThis v1.97.7
Scan saved at 7:22:25 PM, on 12/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Putnam\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/news/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken 2004\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://install.wildtangent.com/bgn/partners/wildgames/polarbowler/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46E27E-A971-4727-84C4-11C11C687A06}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B46E27E-A971-4727-84C4-11C11C687A06}: NameServer = 205.188.146.146
|
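The O4 lines in the HijackThis log above are the autorun locations (Run and RunOnce keys under HKLM and HKCU, plus the per-user and all-users Startup folders) that a reviewer has to triage by hand. The following PowerShell script is an added example written for this page, not code from the thread or from HijackThis: it walks those same locations on the machine it runs on, resolves each command line to the executable it launches (including bare names such as CTHELPER.EXE, which are found through PATH), and reports the file's Authenticode signature status and SHA-256 so that unsigned or missing entries stand out and signed ones can be set aside. The command-line parsing is a deliberately simple heuristic of my own; the cmdlets (Get-ItemProperty, Get-AuthenticodeSignature, Get-FileHash) are standard Windows PowerShell.

```powershell
# Added example (not from this thread): enumerate the persistence points that
# HijackThis reports as "O4" entries, resolve each to its executable, and show
# the Authenticode status and SHA-256 of that file.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the program out of a command line. Handles the three shapes seen in the
# log above:  "C:\Program Files\X\x.exe" -arg  /  RUNDLL32.EXE C:\x\y.dll,Entry
# /  cmd /x /c erase C:\some\file.exe   (heuristic, assumption of this example)
function Get-ExecutableFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    $tokens = $Command.Trim() -split '\s+'
    $candidate = ''
    foreach ($t in $tokens) {
        # unquoted path containing spaces: keep appending until a token ends in .exe
        $candidate = if ($candidate) { "$candidate $t" } else { $t }
        if ($candidate -match '\.exe$') { return $candidate }
    }
    return $tokens[0]
}

# Bare names like CTHELPER.EXE are located through PATH, as the loader would.
function Resolve-Executable {
    param([string]$Exe)
    if (Test-Path -LiteralPath $Exe -PathType Leaf) {
        return (Resolve-Path -LiteralPath $Exe).Path
    }
    $cmd = Get-Command -Name $Exe -CommandType Application -ErrorAction SilentlyContinue
    if ($cmd) { return ($cmd | Select-Object -First 1).Source }
    return $null
}

function Describe-Autorun {
    param([string]$Source, [string]$Name, [string]$Command)
    $resolved = Resolve-Executable (Get-ExecutableFromCommand $Command)
    $status = 'NotFound'; $hash = ''
    if ($resolved) {
        $status = [string](Get-AuthenticodeSignature -FilePath $resolved).Status
        $hash   = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Signature  = $status      # Valid, NotSigned, HashMismatch, ... or NotFound
        Name       = $Name
        Executable = $resolved
        SHA256     = $hash
        Source     = $Source
        Command    = $Command
    }
}

$results = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata, not a value
            Describe-Autorun -Source $key -Name $p.Name -Command ([string]$p.Value)
        }
    }
)

# Startup folders: per-user ("Startup") and all-users ("Global Startup" in HijackThis).
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($item in Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
        $results += Describe-Autorun -Source $folder -Name $item.Name -Command "`"$target`""
    }
}

# Entries that are not "Valid" (unsigned, tampered, or no longer on disk) are the
# ones to examine first; the SHA-256 can be searched against a malware database.
$results | Sort-Object Signature | Format-Table Signature, Name, Executable, Source -AutoSize
```

Two caveats a practitioner should keep in mind. A valid signature only tells you who published the file, not whether it is wanted (the WildTangent updater in this log would pass the check), and this script covers only the Run keys and Startup folders; services, scheduled tasks, Winlogon entries and browser extensions are separate persistence locations that need their own pass.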
Clarification of Question by colan-ga on 18 Dec 2003 16:31 PST
Endo:
I'd rather wait on the Wildtangent removal. First, the removal
instructions look quite complicated and I am doubtful that this is the
cause. Second, my kids play several of the wildtangent games and I
would prefer to keep these operable.
Third and most important, I was just sitting at the computer (at about
7:12 eastern time) and got the "Merry Christmas" shout from the
speakers. I checked the processes and applications and wildtangent
was not listed.
I can't figure out a quick way to cut and paste the programs from the
processes and applications screen on task manager (if you know of a
way please let me know). However, wildtangent is not currently
listed.
|
Request for Question Clarification by endo-ga on 18 Dec 2003 20:12 PST
Hi,
I can't find anything wrong in that list of processes. Also the
HijackThis log gives a list of processes, so you don't need the list
from Task Manager.
Please try running CWShredder.
http://www.merijn.org/files/cwshredder.zip
Thanks.
endo
|
Request for Question Clarification by aceresearcher-ga on 19 Dec 2003 02:50 PST
Greetings, colan!
Could you try checking to see if someone has mischievously altered
your "Sound Scheme"? This is the set of sounds which are played when
you perform certain actions, such as right- or left-clicking your
mouse, clicking on an action that fails, starting up or shutting down
your computer, etc.
From your description, I thought this might be what is going on:
someone has set a certain action on your computer to perform a sound
clip of "Merry Christmas". A group of us once installed a clip of a
co-worker's favorite phrase as a Sound Scheme on her computer on her
birthday. Every time she clicked on things with her mouse, her
computer would say, "The Suckage Continues".
To check for this on your computer:
- Click on the "Start" button to display the Start menu
- Click on "Control Panel"; "Pick a Category" will appear in the
control panel window.
- Click on "Sound, Speech, and Audio Devices". A window will appear
with two options: "Pick a Task" or "Pick a Control Panel icon".
- Under the "Pick a Task" option, click "Change the sound scheme".
- The "Sounds and Audio Devices Properties" window appears. Select the
"Sounds" tab. Is there a sound scheme of some type listed? If so, you
can view the list of actions and associated sounds for that scheme.
Please let me know if this helps.
Regards,
ace
|
Clarification of Question by colan-ga on 19 Dec 2003 03:38 PST
Ace:
Thanks for your idea. I looked at the Sound schemes, and indeed there
were many listed. However, I looked carefully at them and they all
looked genuine.
Still, this made me realize that the "sound" had to be coming from
somewhere. So I did a search for all .wav files, as well as for files
with "merry" or "christmas" in them. Unfortunately, I found nothing
out of the ordinary.
This tells me that the sound file is either hiding under a disguised
name or is coming from the internet every time it is played.
Thanks for the input.
|
Request for Question Clarification by aceresearcher-ga on 20 Dec 2003 13:17 PST
colan,
If indeed someone did store a .wav file on your computer, you might be
able to find it by doing a search for all *.wav files modified after a
date slightly before you remember this annoyance starting to appear.
Regards,
ace
|
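Ace's two suggestions above (inspect the sound scheme, then search for .wav files modified since the problem began) can both be done from a script rather than by clicking through Control Panel and the Search dialog. The PowerShell below is an added example for this page, not code from the thread: it reads the per-user sound-scheme mappings that the "Sounds" tab displays (Windows stores them under HKCU:\AppEvents\Schemes\Apps\<application>\<event>\.Current, with the file path as the key's default value) and flags any mapping that points outside %SystemRoot%\Media, then lists recently modified files that carry a WAV header ("RIFF" at offset 0 and "WAVE" at offset 8) regardless of extension, so a clip renamed to hide it, the possibility colan raises, still shows up. The 30-day window in $Since and the drive roots in $Roots are assumptions chosen for illustration.

```powershell
# Added example (not from this thread): audit the current user's sound scheme
# and look for WAV data in recently modified files, whatever their extension.
# $Since and $Roots are assumptions; adjust them to the case at hand.
param(
    [datetime]$Since = (Get-Date).AddDays(-30),
    [string[]]$Roots = @("$env:SystemDrive\")
)

$mediaDir = Join-Path $env:SystemRoot 'Media'   # where Windows' own scheme files live

# Each event that has a file mapped: Apps\<app>\<event>\.Current, default value = path.
function Get-SoundEventMappings {
    $apps = Get-ChildItem -Path 'HKCU:\AppEvents\Schemes\Apps' -ErrorAction SilentlyContinue
    foreach ($app in $apps) {
        foreach ($event in Get-ChildItem -Path $app.PSPath) {
            $currentKey = "$($event.PSPath)\.Current"
            if (-not (Test-Path -Path $currentKey)) { continue }
            $file = (Get-ItemProperty -Path $currentKey).'(default)'
            if ([string]::IsNullOrWhiteSpace($file)) { continue }
            $file = [Environment]::ExpandEnvironmentVariables([string]$file)
            [pscustomobject]@{
                App     = $app.PSChildName
                Event   = $event.PSChildName
                File    = $file
                Exists  = Test-Path -LiteralPath $file
                Outside = -not $file.StartsWith($mediaDir, [StringComparison]::OrdinalIgnoreCase)
            }
        }
    }
}

# A WAV file starts with a RIFF chunk whose form type is "WAVE": bytes 0-3 "RIFF",
# bytes 4-7 the chunk size, bytes 8-11 "WAVE". Only the first 12 bytes are read.
function Test-WavHeader {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 12
            if ($fs.Read($buf, 0, 12) -lt 12) { return $false }
        } finally { $fs.Dispose() }
        $riff = [System.Text.Encoding]::ASCII.GetString($buf, 0, 4)
        $wave = [System.Text.Encoding]::ASCII.GetString($buf, 8, 4)
        return ($riff -eq 'RIFF' -and $wave -eq 'WAVE')
    } catch { return $false }   # locked or unreadable file: not a candidate
}

function Find-RecentWavFiles {
    param([datetime]$Since, [string[]]$Roots)
    Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -and $_.Length -ge 12 -and $_.Length -lt 50MB } |
        Where-Object { Test-WavHeader $_.FullName } |
        Select-Object FullName, LastWriteTime, Length,
            @{ Name = 'Renamed'; Expression = { $_.Extension -ne '.wav' } }
}

"Sound events with a file mapped (Outside = not under $mediaDir):"
Get-SoundEventMappings | Sort-Object Outside -Descending |
    Format-Table App, Event, Exists, Outside, File -AutoSize

"Files with a WAV header modified since $Since (Renamed = extension is not .wav):"
Find-RecentWavFiles -Since $Since -Roots $Roots | Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Both checks are negative evidence only: an empty result means no mapped event and no recent WAV data on disk, which is consistent with the sound being streamed or played from another application's own resources, as turned out to be the case here. A mapping that exists but whose file is missing (Exists = False) is also worth noting, since it usually means a scheme was installed and later partly removed.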
Clarification of Question by colan-ga on 20 Dec 2003 14:55 PST
Ace:
Thx. for the comment. As previously noted, I thought of that and
searched for all .wav files. Unfortunately, I saw nothing unusual.
|
Request for Question Clarification by aht-ga on 02 Jan 2004 22:46 PST
colan-ga:
Now that it's well past Christmas, has your computer stopped randomly
shouting out Merry Christmas?
Regards,
aht-ga
Google Answers Researcher
|
Clarification of Question by colan-ga on 03 Jan 2004 07:07 PST
aht:
I have not heard anything since a few days before Christmas.
Unfortunately, because of the random nature of things, I am still not
sure it is gone.
I have done some further investigation and I think the problem may be
coming from AOL. I believe one or more people on my buddy list may
have "programmed" their appearance (sign on) to say the phrase. This
would explain the random nature of the phrase. I am trying further to
see if AOL has this ability and to see if that could have been the
cause.
At any rate, it has been a couple of weeks since I have noticed it. I
will not be absolutely certain until a longer amount of time has gone
by.
|
Clarification of Question by colan-ga on 03 Jan 2004 14:19 PST
I finally found the answer myself.
Apparently AOL 9.0 allows users to substitute "Cute" sounds in place
of the normal AOL sounds when they log on or off or send IM's. One of
my friends had done that and that's why I could not find the sound
file on my computer. It was not a virus after all...just the annoying
marketing people at AOL thinking that they had created something value
added.
Thanks for all of the help and support on this question from everyone.
|