Soundman.exe .... trojan or safe ????

Discussion in 'Computer Science & Culture' started by Sputnik, May 20, 2007.

Thread Status:
Not open for further replies.
  1. Sputnik Banned Banned

    Messages:
    888
    Stryder , I need your advice !!!

    I updated my Bulletproof spyware program , and suddenly it said I had a severe trojan called :QQPass.jf ...... because I had this in my windows :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run=
    soundman .........

    The funny thing is : when I press remove or quarantine on the bulletproof , NOTHING happens - it can not remove it !!!

    I decided to find the key :
    I pressed START .... Then run .... REGEDIT ..... and the key : showing a
    soundman.exe under this key ........

    I looked up QQPass.jf ... an evil trojan trying to steal your passwords ..... and it should normally be HKLM\Software\Microsoft\currentVersion\run
    "soundman" = %system%\SVOHOST.EXE .... not what I have ..... I only have : SOUNDMAN.EXE

    Then I looked up SOUNDMAN.EXE and it should only be part of REALTEK 97 AUDIO ( which is actually my soundsoftware , which I got with my computer in the first place ) ...........

    Has my BULLETPROOF gone bonkers ?
    Or do I have something bad on my computer .... I ran adaware from lavasoft, spybot search and destroy , spyware doctor and symantecs ...........
    NOTHING .... my computer seems to be clean ........

    Please give me some advice , Stryder .....




    BULLETPROOF is known to be a "rogue" spyware program .....
     
  3. Plazma Inferno! Ding Ding Ding Ding Administrator

    Messages:
    4,610
  5. Plazma Inferno! Ding Ding Ding Ding Administrator

    Messages:
    4,610
    Also, in the meantime run msconfig and stop all suspicious processes if there are any in Startup.

    Also, a HijackThis log could be helpful, so you could download the program and post the log here.
     
  7. Sputnik Banned Banned

    Messages:
    888
    OK - I removed soundman.exe from processes ........ which simply removed my icon for REALTEK 97 AUDIO in the bar below on my computer ..........
    Everything is still working ......... I will check out hijackthis , now ..........
     
  8. Sputnik Banned Banned

    Messages:
    888
    There was NO ...SVOHOST on it , only svchost.exe ... that is normal ......
     
  9. Sputnik Banned Banned

    Messages:
    888
  10. Plazma Inferno! Ding Ding Ding Ding Administrator

    Messages:
    4,610
    Yes, it's a regular Realtek process, but yours is a malicious one.

    Also, a useful trick:

    Go to the system32 folder > Arrange icons by > Modified > Check the last created files (especially .exe, .tmp) with strange names and with an unknown manufacturer (i.e. not Microsoft). Delete them (just into the Recycle Bin), restart and check if everything is working.

    Also, for cleaning the Registry (if there are traces of trojan) good software is CCleaner.

    I hope you'll solve it.
     
  11. Sputnik Banned Banned

    Messages:
    888

    How do you know it is malign ???
    My "fucking" bulletproof , can't remove it ....... bulletproof is known to be .... sort of "bad" ...........

    http://spywarewarrior.com/rogue_anti-spyware.htm#products

    See BPS spyware ........
     
    Last edited: May 20, 2007
  12. Plazma Inferno! Ding Ding Ding Ding Administrator

    Messages:
    4,610
    Check the second link. First sentence...

    You said you had active SVOHOST.EXE.

    I thought because of that.
     
  13. Sputnik Banned Banned

    Messages:
    888
    No, No, No, Plazma ....... I have NO svohost ........only svchost.exe ...

    I think I will kill my Bulletproof .......


    :bawl:
     
  14. domesticated om Stickler for details Valued Senior Member

    Messages:
    3,277
    Soundman is a safe program. It is an application installed on your machine when you install the drivers for your sound card. My wife has a gigabyte mobo that includes all the bells and whistles like integrated sound and whatnot, and the driver disk included with it installs soundman (which I guess is supposed to be short for "sound manager"). The icon for it kinda looks like a mutated square crab monster.
     
  15. Plazma Inferno! Ding Ding Ding Ding Administrator

    Messages:
    4,610
    Oh sorry, Sputnik. I'm reckless sometimes.

    Well, then it could be just Bulletproof. It probably mixed up the real process with a trojan.

    But anyway, check your PC with some other antispyware and antivirus program.

    Also make a HijackThis log.
     
  16. Sputnik Banned Banned

    Messages:
    888
    I already did ( ad-aware from lavasoft, spybot, spywaredoctor, symantecs and your CCleaner ) ...... I also made the HijackThis log .....nothing seems wrong ..........
     
  17. Sputnik Banned Banned

    Messages:
    888

    Yep , that is the one ..............

    If you dare ... you might download a free trial of Bulletproof SpyWare.... just to run it ....if it shows the same (QQPass.jf) because of realtek , then I know Bulletproof is wrong ....
    Just uninstall bulletproof after one run ........

    http://www.bulletproofsoft.com/download.html
     
    Last edited: May 20, 2007
  18. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    It's just Bulletproof. Soundman.exe should be safe enough, it's just that Trojan writers attempt to hide their trojans with legitimate program names.

    If you are concerned about it, then just make sure you do like Plazma mentioned and use msconfig to turn off any programs that look dodgy from starting.

    The majority of Trojans or Worms require being run in the tasklist to do what they are intended to do, the more in-depth exploits are far and few between.

    Sometimes trojan writers do try to hide things in the SVCHOSTS, however if you are running XP Pro or Vista you should be able to use the following:
    type CMD in the run box, then type in the cmd window:
    TASKLIST /SVC

    This will list all the SVCHOST entries with a more in-depth analysis of what each one is connected to. You can lessen the number of svchost entries by altering what SERVICES (Services.msc) run.
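
The check discussed in this thread (is the Run-key entry really the vendor's SOUNDMAN.EXE, or a lookalike such as SVOHOST.EXE?) can be scripted. This is an added example, not part of the original posts; the `$knownNames` list and the `Get-EditDistance` helper are assumptions made for illustration.

```powershell
# Added example (not from the thread): triage Run-key autostart entries.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Names a trojan might imitate. This short list is an assumption; extend it.
$knownNames = 'svchost.exe', 'soundman.exe', 'explorer.exe', 'lsass.exe'

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, case-insensitive (hypothetical helper).
    $a = $a.ToLower(); $b = $b.ToLower()
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @(0) * ($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -ceq $b[$j - 1]) { 0 } else { 1 }
            $best = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$b.Length]
}

foreach ($key in $runKeys) {
    $regKey = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $regKey) { continue }
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        # First token is the program: a quoted path, or text up to the first space.
        if ($command -notmatch '^\s*(?:"([^"]+)"|(\S+))') { continue }
        $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        # Resolve bare names such as SOUNDMAN.EXE through the search path.
        $cmd = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        $path = if ($cmd) { $cmd.Path } else { $null }
        $leaf = Split-Path -Path $exe -Leaf
        $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Key         = $key; Name = $name; Command = $command; Path = $path
            Signature   = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # One character away from a known name (svohost.exe vs svchost.exe).
            LookalikeOf = ($knownNames | Where-Object { (Get-EditDistance $leaf $_) -eq 1 }) -join ', '
        }
    }
}
```

A non-empty `LookalikeOf` or a signature status other than `Valid` marks an entry for a closer look; neither is a verdict on its own, and unquoted paths containing spaces are not parsed correctly by the first-token rule.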
     
  19. Sputnik Banned Banned

    Messages:
    888
    Thanks Stryder !!!

    Here is my CMD list : Do you see something wrong here ?

    I notice that under svchost ..... I have "dmserver" and "ersvc" .... When I google them , they are suspect for being trojans ....
    I made a search in my files : I have ERSvc.dll and dmserver.dll (but they both seem to be from Microsoft )


     
    Last edited: May 21, 2007
  20. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    I can't see anything wrong as in a Trojan, you'll find most of those entries are certain services. The usual ones I lock down are things like "Remote Registry" and even "Remote Assistant". It's not due to them having any known exploits, it's just best to lock down as many services as you dare.

    This is why you have some people completely in love with Linux, it's not because of how easy it is to install or how it runs their preferred applications, but the fact that you don't have to run any more than you need.

    There are a lot of services in the windows operating system you can get away with turning off, the less on, the less available services to exploit. I can't of course tell you which ones to turn off as this is a system by system preference and some things being turned off can cause instability, so you might want to use a trial and error method if you feel up to the task.
     