I've seen earlier posts for this problem, but the solutions don't apply to me, and the earlier posts are a couple of years old.
I was hit on 6/5/11 with malware from a legitimate website that I had accessed just the day before with no problems. Malwarebytes (MBAM) identified the culprits as Trojan.Agent.GD and Trojan.FakeMS. These trojans installed a start-up program called NfeiQASGux and ran from a program called 26992420.exe on my PC.
I thought MBAM had scrubbed the trojans, but I found later that I could hear a .wav sound in the background that occurred randomly whether or not I was connected to the Internet. It also occurred when I was in Safe Mode without networking. The sound is a click followed by a "bubbling" sound like someone pouring something out of a bottle. It seems like it's a program that's hidden and keeps trying to open or is opening, and I just can't see it. It doesn't show up in Task Manager Applications, Processes, or Networking.
I ran updated MBAM and Microsoft Security Essentials several times in full System Mode and in Safe Mode without networking, and both showed that my PC was clean. I then ran ComboFix (it found and fixed the Process.exe virus and revealed several items such as desktop icons and Start Menu Programs that had been hidden by the trojans), followed by ESET Online Antivirus (it found the malware items that ComboFix had quarantined -- after I uninstalled ComboFix, ESET found no malware), and TFC (Temporary File Cleaner) to get rid of remnants that might be hiding in the Temp files. All these tools now show my PC to be clean.
But, the sound continues to occur. What is it, and how do I get rid of it?
I've attached my most recent HJThis, MBAM (original infected log plus current clean log), ComboFix, and ESET logs (log showing items quarantined by ComboFix plus current clean log):
==========================================
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:33:07 PM, on 6/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
I have now run BootKit Remover (http://www.esagelab.com), and it states that unknown boot code has been found on my hard drive, indicating that malware has infected it. I ran Microsoft Windows Recovery Console to see if I could fix the master boot record (fixmbr), but I got a serious warning message that this could do serious damage to my PC.
Should I go ahead and run fixmbr, run the BootKit Remover "fix" command, or do nothing?
I just ran Sysinternals RootkitRevealer v. 1.7 and Kaspersky TDSSKiller v. 22.214.171.124, and neither found anything. RootkitRevealer showed 3 files, but they were expected. TDSSKiller found absolutely nothing. I can provide the log files if they would be helpful.
So, it doesn't look like a Boot Record problem.
When the malware was running rampant on my PC, it hid all my files and desktop icons and broke the links between my Start Menu Programs and their executables. I'm thinking that this click-bubbling sound I'm hearing is some program or function that is still hidden (e.g., a "suppressed" balloon tip that is trying to show itself). I noticed that the balloon tips that normally pop up during startup are no longer there. I went into Regedit to enable balloon tips, but they haven't come back, and the sound persists.
I tried Trojan Remover, and it found a few more things, including that my Internet Settings had been changed so that certificates were ignored on downloaded programs. I couldn't find a log file to reproduce here. I got the 30-day free trial, so maybe log files don't come with that version.
I rebooted and was getting pretty excited because I didn't hear the sound for a really long time. Then, Bam!, there it was. I rebooted and allowed Trojan Remover's Fast Scan to run, hoping that the sound would stay away, but it came back again. However, it sounds very infrequently compared to before I ran Trojan Remover, so that program did something! It's a very nice program, by the way.
Try going to your Control Panel, then click Sound or Sounds and Audio Devices (depending on your OS, I believe). Go to the Sounds tab and make sure that Windows Default is selected, or, if it is selected, try selecting another theme.
Thanks -- that was the first thing I tried before going after residual malware. There is no program entry in Control Panel/Sounds and Audio Devices for potentially offending programs, which leads me to the fact that...
I've actually figured out what's causing the sound. After I had initially thought I had cleaned my PC of the trojans, I installed the newly updated Dell Support Center (DSC) onto my Inspiron 1520 with Win XP (SP3) and ran the included PC Checkup (PCC) powered by PC-Doctor. When all the AV/malware/bootkit programs I had run showed that my PC was completely clean, I got to thinking that the culprit might be DSC/PCC.
I have tried an experiment in which I opened DSC/PCC and just let it sit there while I worked on my PC for several hours. Guess what? The sound did not occur once. Shortly after I closed it again, the sound came back and became more frequent when I noodled around in Control Panel\Administrative Tools\Services. This has led me to believe that the background .wav sound is being caused by PCC's Performance and Configuration History program, which appears to be monitoring my hard drive even when DSC/PCC is closed.
I don't mind that the program is always running in the background (and am actually overjoyed that it's not malware!), but the sound is very annoying. I have posted an item on the PC-Doctor Forum about this, asking if anyone knows how to disable the sound other than by leaving DSC/PCC open all the time.
Thanks again for the tip about Trojan Remover. It is really excellent and scans so quickly. Believe me, I am SICK of running 1-2-hr scans on my PC during all this. I also like how Trojan Remover runs FastScan upon every boot-up. I might just buy Trojan Remover when my 30-day trial expires.