Unknown Critical Stop Sound


5 replies to this topic

#1 Cmdr Decker

Posted 17 January 2009 - 12:13 PM

Hi Guys,

Perhaps someone out there has an idea of how I can find out what is the source of this odd critical stop sound I am hearing on this XP Pro running machine. It usually happens about 20 minutes into running after boot up. No notices are given. I looked in the event viewer but did not see anything. Is there anyplace else I can look to see why the critical stop sound went off?

I have run several suites of anti-malware/viral programs, and the system is coming up clean, did have a run in with Virtumonde recently. Perhaps it has changed a windows basic setting or something. Any ideas kindly appreciated.

Regards,

~Decker

#2 tork

Posted 17 January 2009 - 12:46 PM

Are you always using the same apps twenty minutes into the critical stop sound happening? You might try unloading everything at startup and add your apps back one at a time until you get the culprit - tedious, and maybe someone else has a better idea.

#3 Cmdr Decker

Posted 20 January 2009 - 11:25 AM

After a few more days of testing I have finally discovered where this sound is coming from. I am posting my solution for others who might encounter this...

The sound was coming from: Scheduled Tasks - After a recent bout with Virtumonde variant (and friends), and after a slew of removal tools... there were a few bits left around. Every hour, the following tasks would try to run:

C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\jkkLCvuS.dll",AddRefActCtx
C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\rqRJBUkh.dll",AddRefActCtx

Showed up at hourly scheduled Tasks -

Knsxakhy
Krmasocb

While the dlls had been identified and removed by the anti-malware, the scheduled tasks had not. These were set to run every hour on the hour. Even without the .dlls being there, RUNDLL.EXE is still there and runs, but cannot find the DLLs to run - and this is where the critical stop sound comes from!

So, just deleting the Scheduled Tasks solved the mysterious Critical Stop Sound. Yay!!!!

I have to credit my wife with cluing me into this solution, as she said "Hey, that seems to be happening on the hour..." And, then of course a light bulb went on in my head and I thought.... Hmm, there must be something in Scheduled Tasks!

Well, hope this is useful to someone else who gets driven nuts by this... The behavior makes you think you have an infection... when you actually do not, just a non-functioning remnant.

All the best.

~Decker

#4 shadysprings

Posted 21 January 2009 - 11:17 AM

Thanks for the post. I'm having the same thing. How do you access the Scheduled Tasks? I also recently ran a malware cleaner.

**** EDIT ****

Never mind. I did find the scheduled tasks. Thanks for the post so I even know what to look for.
I found "zsaorhrz" C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\hgGxYQgH.dll",ShellPath
trying to launch every hour.

I yahoo'd and googled zsaorhrz but couldn't find anything on what this does.

Edited by shadysprings, 21 January 2009 - 11:26 AM.


#5 tork

Posted 21 January 2009 - 05:37 PM

nice to hear you both :thumbsup: tracked it down

#6 st-m4il

Posted 26 June 2009 - 11:02 AM

Thought I would add to this since I discovered a scheduled task on a workstation today :thumbsup: The name of the task and name of the .dll is randomly made during the Virtumonde infection. The consistent property is the AddRefActCtx command, you can see what that does here: http://msdn.microsoft.com/en-us/library/aa374171(VS.85).aspx With the scheduled task it allows the Virtumonde .dll to reactivate if you have turned it off but not removed it, every hour, every day :flowers:

Nasty little spyware.
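Added example (not part of any post in this thread): a check for the leftover described above, a scheduled task that launches rundll32 against a DLL that is no longer on disk. It keys on the missing DLL rather than on the task name or export, since the thread shows both `AddRefActCtx` and `ShellPath`. It assumes a task export with `TaskName` and `Task To Run` columns, as in `schtasks /query /fo csv /v`; the sample rows are constructed, using the tasks quoted in the thread plus two made-up ones.

```python
import csv
import io
import os
import re

# Constructed sample in the shape of `schtasks /query /fo csv /v` output, cut
# down to two columns. The first two tasks are the ones quoted in the thread;
# ExampleMaint and ExampleBackup are made up for contrast.
SAMPLE_CSV = r'''"TaskName","Task To Run"
"Knsxakhy","C:\WINDOWS\system32\rundll32.exe ""C:\WINDOWS\system32\jkkLCvuS.dll"",AddRefActCtx"
"zsaorhrz","C:\WINDOWS\system32\rundll32.exe ""C:\WINDOWS\system32\hgGxYQgH.dll"",ShellPath"
"ExampleMaint","rundll32.exe C:\WINDOWS\system32\example.dll,Run"
"ExampleBackup","C:\Tools\backup.exe /quiet"
'''

# rundll32 <dll>,<export>: the DLL path may be quoted (spaces) or bare.
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,"]+))\s*,\s*(\S+)',
    re.IGNORECASE,
)


def orphaned_rundll_tasks(csv_text, exists=os.path.isfile):
    """Return (task, dll, export) for rundll32 tasks whose DLL is not on disk."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = RUNDLL.search(row.get("Task To Run") or "")
        if not match:
            continue  # not a rundll32 launcher, out of scope for this check
        dll = match.group(1) or match.group(2)
        if not exists(dll):
            findings.append((row["TaskName"], dll, match.group(3)))
    return findings


if __name__ == "__main__":
    # On a real machine, feed in the actual schtasks export instead of SAMPLE_CSV.
    for task, dll, export in orphaned_rundll_tasks(SAMPLE_CSV):
        print(f"{task}: rundll32 target missing: {dll} (export {export})")
```

A hit means the task is either a harmless remnant, as in this thread, or a persistence entry waiting for its DLL to come back, so review and delete the task rather than ignoring it.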



