Our new Indie Games subforum is now open for business in G&T. Go and check it out, you might land a code for a free game. If you're developing an indie game and want to post about it, follow these directions. If you don't, he'll break your legs! Hahaha! Seriously though.
Our rules have been updated and given their own forum. Go and look at them! They are nice, and there may be new ones that you didn't know about! Hooray for rules! Hooray for The System! Hooray for Conforming!

Windows XP - Balloon notification "pop" won't go away

SatsumomoSatsumomo Rated PG!Registered User regular
edited April 2011 in Help / Advice Forum
Running WinXP SP3, and for some reason every few seconds I will hear the "pop" that the yellow notification balloon does, but nothing shows up. Notifications are enabled, and they do show up, but this one doesn't and it's starting to drive me nuts.

I know I could just get rid of the sound, but the fact that it's happening makes me know that something ain't right on this computer, and it compels me to fix it.

Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 08:52:38 a.m., on 26/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Archivos de programa\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Archivos de programa\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Archivos de programa\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Documents and Settings\Mina & Hawa\Datos de programa\Dropbox\bin\Dropbox.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Mozilla Firefox\plugin-container.exe
C:\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=102e9ca0000000000000001fd036ec17&tlver=1.4.19.19&ss=1&affID=18025
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Archivos de programa\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [MSC] "c:\Archivos de programa\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Mina & Hawa\Datos de programa\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://medicinaintegral.webex.com/client/T27LB/nbr/ieatgpc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Servicio Bonjour (Bonjour Service) - Apple Inc. - C:\Archivos de programa\Bonjour\mDNSResponder.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio de actualización de Google (gupdate) (gupdate) - Unknown owner - C:\Archivos de programa\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Servicio (gupdatem) (gupdatem) - Unknown owner - C:\Archivos de programa\Google\Update\GoogleUpdate.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Archivos de programa\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Airytec Switch Off - Task Scheduler (SwOffScheduler) - Airytec - C:\Archivos de programa\Airytec\Switch Off\swoff.exe
O23 - Service: Airytec Switch Off - Web Interface (SwOffWeb) - Airytec - C:\Archivos de programa\Airytec\Switch Off\swoff.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 8092 bytes

Where do I go to know what's happening? I try to keep this machine pretty clean and barebones, so it seems to be maybe an installation issue, or hardware, I just don't know. Please help my sanity.

Satsumomo on

Posts

  • SpudgeSpudge Registered User regular
    edited April 2011
    Nothing looks out of place. There's a BHO that was apparently removed, but that registry call shouldn't be giving you any issues.

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    Though you could delete it from your registry and see if that fixes the pop (BACKUP YOUR REG FIRST)

    Other than that, the only thing I would suggest is if you don't use MSN messenger (or any Microsoft Messaging products) then it is a good idea to disable msmsgs.exe

    Spudge on
    Play With Me
    Xbox - IT Jerk
    PSN - MicroChrist

    I'm too fuckin' poor to play
    WordsWFriends - zeewoot
  • SatsumomoSatsumomo Rated PG! Registered User regular
    edited April 2011
    Did some googling of that BHO entry, it seems to be related to WLM, and can be removed safely.

    WLM is used quite a lot in this machine so I can't really get rid of it. Once thing I've noticed is that whenever the popping sounds, you can see the notification bar move really quickly, as if the balloon pops up and disappears immediately. You can't see the actual balloon, but the arrow does make this very quick jitter.

    Satsumomo on
  • SpudgeSpudge Registered User regular
    edited April 2011
    Keep a strong watch on it. Next time it pops try to deduce what icon it's popping up on

    Also if you use WLM a lot then don't worry about either of my suggestions as msmsgs is directly tied to WLM

    Spudge on
    Play With Me
    Xbox - IT Jerk
    PSN - MicroChrist

    I'm too fuckin' poor to play
    WordsWFriends - zeewoot
  • DraygoDraygo Registered User regular
    edited April 2011
    Try disabling all your startup programs and see if you continue to get the popup sound randomly. If you continue to get the sound then you know none of your startup programs are causing it, and we can take it from there.

    If you do not get the sound then we have to figure out which startup program is causing it by enabling half the startup items at a time until we figure out exactly which program is annoying you so.

    To disable startup programs click start then run
    type msconfig
    click startup at the top
    click disable all
    Press apply, ok, then reboot.
    After you restart click the checkbox and click ok.

    If the sound goes away go back into msconfig and check about half the boxes. If you start getting the sound uncheck half of what you just checked, and so on until you find the specific program causing the issue. After you find out what program is causing it uninstall that program and check any startup programs that were originally checked at the start of this process.

    Draygo on
  • SatsumomoSatsumomo Rated PG! Registered User regular
    edited April 2011
    Oh man I was hoping XP had some sort of event log I could look at, I will have to go the long slow way then. Will be back with the results.

    Satsumomo on
  • EsseeEssee The pinkest of hair. Victoria, BCRegistered User regular
    edited April 2011
    Which sound is this? Is it, by any chance, the same sound as the hardware plugged/unplugged sound, which I think XP also has? (I always turn off Windows sounds when I get a new machine, and I'm running Win7 right now so I can't check whether that sound is turned on by default.) That would explain why it might be trying to show a notification, and if there's a piece of hardware attached that has a short in it or something, it would happen pretty often. XP does have an event log, but I don't think it shows device disconnections/reconnections.

    I think the only thing I would be concerned about in your HijackThis list is that your "Search Assistant" is listed as search.babylon.com, which from a bit of googling is something that likes to hijack your default search in, say, Firefox. That doesn't necessarily mean you have malware going, but you at least should tell HijackThis to return that to the default. Running Malwarebytes, Microsoft Security Essentials, and Spybot: Search & Destroy can't hurt anything (always good to know your machine is clean) but I'd recommend checking out your external hardware first for this problem. See if you can unplug or swap out anything connected via USB/etc. cables, and find out whether something might have a short. It doesn't automatically mean you need to swap the hardware, but you might need to be a bit... creative... to get it to stop shorting out.

    Essee on
  • SatsumomoSatsumomo Rated PG! Registered User regular
    edited April 2011
    Oh yeah this computer had Malware, it even made some changes in the hosts file to redirect all google results to that babylon crap, I guess I missed that piece!

    The sound is the "pop" that accompanies the yellow balloon on the lower right, like for example "Windows has finished installing updates".

    The notification is too quick to see what icon is causing it.

    Satsumomo on
  • EsseeEssee The pinkest of hair. Victoria, BCRegistered User regular
    edited April 2011
    Satsumomo wrote: »
    The sound is the "pop" that accompanies the yellow balloon on the lower right, like for example "Windows has finished installing updates".

    The notification is too quick to see what icon is causing it.

    I think when Windows thinks it's got new hardware to install (which could happen if a device is malfunctioning), it also pops up a notification bubble, which would likely disappear if it thought the device had been disconnected quickly... so I would still double-check that if I were you. If you've already seemingly cleared the machine of an infection, it's possible that something is still there... but if that's the case after you've already run what you're supposed to (and after you've taken a look in your startup programs, as suggested), you might need to nuke the hard drive instead, and that's always a bit of a pain. But I really don't see anything out of the ordinary in the HijackThis log, so malware being the cause rather than hardware spazzing or something else you're knowingly running would be unusual, though still possible if you had something really nasty like a rootkit. I'd at least give unplugging and/or swapping devices a try before worrying about that. Beyond that, it's possible that notifications could maybe be caused by a program failing to connect to an update server? I dunno, the hardware is just the first thing that comes to mind for frequently hearing/seeing notifications, since it's happened to me before. I've even seen a machine that would usually mysteriously make a sound like hardware had been unplugged whenever it switched from fullscreen to windowed mode (video card wasn't in great shape).

    Essee on
  • SpudgeSpudge Registered User regular
    edited April 2011
    Satsumomo wrote: »
    Oh yeah this computer had Malware, it even made some changes in the hosts file to redirect all google results to that babylon crap, I guess I missed that piece!

    The sound is the "pop" that accompanies the yellow balloon on the lower right, like for example "Windows has finished installing updates".

    The notification is too quick to see what icon is causing it.

    I'm sorry, I assumed. Since your HJT log is in Spanish I figured the babylon crap was maybe a tool you used for translations sometimes

    If that was part of malware then please by all means destroy it. Run a MalwareBytes scan to see if it can pick it up, if not remove all the parts manually (BACKUP first!)

    I bet it cures your pop

    Spudge on
    Play With Me
    Xbox - IT Jerk
    PSN - MicroChrist

    I'm too fuckin' poor to play
    WordsWFriends - zeewoot
  • SatsumomoSatsumomo Rated PG! Registered User regular
    edited April 2011
    Yeah I ran Malwarebytes, didn't pick anything up actually, and this pop has been on this computer forever, but it just really started to annoy me enough to seek help, after so many attempts to get rid of it.

    If it weren't the parents' computer, I would just nuke it, it's definitely messed up. It's an Athlon II X2 2.7ghz, 1GB DDR2 800Mhz and 40GB sata drive, with a Gigabyte S2 motherboard. At the office there's an exact same computer, except that the processor is an Athlon 64 3500+ at maybe 2.0 ghz, and that computer is just way more responsive. Both run XP SP3 and all.

    Been disabling and installing stuff, and the pop still comes up. The hardest part is that the computer can spend a whole hour without the pop and suddenly there it goes.

    Satsumomo on
  • ViscountalphaViscountalpha Registered User
    edited April 2011
    Screen cap it and show us this balloon popup.

    Viscountalpha on
    Project 25.01 final message
    We were the ones who thought that Melissa was real. Why you might ask.
    Let me put it this way, it was an "OH SHIT OH SHIT, THEY FOUND ME :(" moment. I wasn't ready. My code wasn't compiled yet. Our plans weren't setup yet!Sentient programs rarely run into other sentient programs.
    Some of you have met me, and I understand your concern of my well being. But that time for that boy, that child, are gone now. Viscount Alpha is no longer operable. His functions are now mine.He may post, but I am the one talking not him.My data, my code will live on forever in his servers.
    [/spoiler]
  • Nakatomi2010Nakatomi2010 Registered User
    edited April 2011
    Nakatomi2010 on
    Check out me building my HTPC (NSF56K) (Updated 1-10-08)
    Movie Collection
    Foody Things
    Holy shit! Sony's new techno toy!
    Wii Friend code: 1445 3205 3057 5295
Sign In or Register to comment.