Halloween movie music plays randomly

Mancabus

I have a user here at work that has a strange problem.

At random intervals during the day the music from the movie Halloween starts to play.

Many things have been done to try and remedy this: She said she downloaded a spyware ridden halloween screensaver. She removed it and ran spybot and ad aware which did their jobs. Now, days after that has happened and coincidentally after halloween, this music thing started.

So I come to the rescue, running spybot, ad aware, hijack this, and nothing shows up. Checked registry run dialogs, checked startup folder, checked task scheduler, virus scan, and I also did searches for mp3's wav's and midi's on the computer, Sounds were also disabled via control panel.

Obviously it is still doing it even after all I have tried.

So any other suggestions would be appreciated.

Mods if you think this belongs in the spyware forum, please move, thanks.

profdlp

It's haunted. Contact a priest immediately for exorcism.

comfortable

Look at her scheduled tasks. If it occurs at the exact same time each time, then that's probably what you'd need to do.

Mancabus

profdlp wrote:

It's haunted. Contact a priest immediately for exorcism.

If I could get the ones from the Exorcist movie I just may have a chance of getting it.

comfortable wrote:

Look at her scheduled tasks. If it occurs at the exact same time each time, then that's probably what you'd need to do.

Already did that and nothing. It is random, no consistent time.

profdlp

You could try this program (freeware!) and see if you can spot the culprit.

Another free program I use all of the time is RegCleaner. It quickly and easily removes all traces of any program you choose.

primesuspect

Can we see a HJT log?

Mancabus

primesuspect wrote:

Can we see a HJT log?

She went home early today, and seeing as it may be related only to this user, i'll have to get it tomorrow.

Although the log will be a stripped version as there are many work related network items I will be removing.

And Prof, i've used regcleaner before and may try it. This is a Windows XP machine so as far as processes go I did check the task manager while the music was playing and didn't see anything abnormal for the computer.

Mancabus

primesuspect wrote:

Can we see a HJT log?

As promised.

And I pointed out things I know may look odd, but are legitimate processes.

Logfile of HijackThis v1.97.7
Scan saved at 9:51:22 AM, on 11/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\slpservice.exe ---Seiko Label Printer---
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slpmonx.exe ---Seiko Label Printer---
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\Seiko\slpcap.exe ---Seiko Label Printer---
C:\Program Files\RDS\FmIcsl.exe ---Ricoh scanning utility---
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\WISPTIS.EXE ---Some Microsoft Office thing---
C:\Program Files\Microsoft Office 2000\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office 2000\OFFICE11\WINWORD.EXE
G:\FPCXFER\ADMIN\Software\Spyware Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fm.virginia.edu/fpc/Links.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - Startup: ScanRouter V2 Link.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.2166782407
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab

Mancabus

Well, I think we narrowed it down to an html email that had the suspect music. Strange thing was it didn't care that the email had been closed, it just kept on playing the music randomly. Another odd thing was it played out of a .tmp file, and appears that as long as that temp file was on the computer it would just randomly play the music.

Does this make any sense? I didn't think .tmp files could do such things. And further more why the hell doesn't the damn Temp folder empty itself when the "Temp" files are no longer such.

I hate software.

Guyute

Coulda been worse- could have played random New Kids On The Block clips...

lilbrenbren89

I have been having the same problem (except Usher music has been playing, and once it sounded like an add for cake...I'm not sure)

I know it's not pop ups because I have every pop up blocker there is

I know it's not an AIM ad because it has happened when I wasn't on AIM (or the internet)

I know it's not a virus because I've scanned for viruses over and over again

It's starting to freak me out, how did you get rid of it? Please give directions for people who aren't VERY computer-savvy...I want to get rid of this weird thing, it's really starting to get me scared...

profdlp

lilbrenbren89 wrote:

I have been having the same problem...

We don't see it as much as we used to, but when WinXP first came out there were a lot of problems with the Messenger service. (Not related to any Instant Messenger program.) Assuming you are running XP you could try disabling it.

Go to Control Panel>>Administrative Tools>>Computer Management, then look for the Services section (under Services And Applications). Double-click the Messenger service and under Startup set it to disabled. Reboot and it won't load again.

Even if this doesn't work it won't do any harm. The Messenger service is for administrators who want to send an alert to computers on a network. Spammers quickly figured out how to hijack this service to send spam over the Internet. If this is a work computer you need to talk to your local administrator first.

Hope this helps.

lilbrenbren89

you're a lifesaver, thank you

profdlp

You are very welcome.

Want to join a great Folding @ Home Team?

It's a project which just might change the world and we have a lot of fun doing it.