Author Topic: Vista and the case of the mysterious audio  (Read 2599 times)

Offline guestolo
« Reply #20 on: November 28, 2008, 04:40:57 PM »
Can you run a fresh Scan and Save logfile with HijackThis?
Does the log open in Notepad?

Post the log if it does.
How are things running now?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline HTPConvert
« Reply #21 on: November 28, 2008, 07:12:28 PM »
Yes, it opens in Notepad. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:54 AM, on 29/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Windows\system32\dllhost.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Nero\Nero8\Nero Toolkit\DriveSpeed.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Pegasys Inc\TMPGEnc 4.0 XPress\TMPGEnc4XP.exe
C:\Program Files\Pegasys Inc\TMPGEnc 4.0 XPress\TMPGEnc4XP.exe
C:\Windows\ehome\EHShell.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MagicTuneEngine] C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [Nero DriveSpeed] "C:\PROGRA~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: is-D15N9.lnk = C:\Users\Media Centre\Desktop\Virus Removal Tool\is-D15N9\startup.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O13 - Gopher Prefix:
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe
O23 - Service: WebGuideTranscode - WebGuide LLC - D:\Program Files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe
O23 - Service: Windows Media Center Guide Service Proxy (wmcGuideServiceProxy) - epgStream.net - C:\Program Files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe
O23 - Service: XMLTV Download Schedule Service (xmltvDownload) - epgStream.net - C:\Program Files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe

--
End of file - 8278 bytes

Symantec isn't going crazy and RAM usage seems better. Haven't heard the crazy audio, but I'll wait and see with that one.

Are things looking clean?
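As an added example (not code from this thread or from HijackThis), here is a small Python triage pass over the O4/O23 lines of the log above. It flags the entries a helper reads first: autostart targets under user-writable folders (such as the Desktop entry is-D15N9.lnk), unresolved targets, bare filenames with no directory, and services whose binary carries no publisher information. The path markers and the flag wording are my own choices, not HijackThis conventions.

```python
import re

# Lines copied from the HijackThis log posted above, used here as constructed sample input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - Startup: is-D15N9.lnk = C:\Users\Media Centre\Desktop\Virus Removal Tool\is-D15N9\startup.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: GammaTray.lnk = ?
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# HijackThis line shapes seen in the log: Run-key entries, Startup-folder shortcuts, services.
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<target>.+)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# A drive-letter or %VAR%-rooted path ending in an executable extension (unquoted command lines).
PATH_RE = re.compile(r'(?i)(?:[a-z]:|%[^%]+%)\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js)\b')

# Folder markers a standard user can write to; an autostart living there deserves a look.
# These markers are my own heuristic, not a HijackThis rule.
USER_WRITABLE = ('\\users\\', '\\documents and settings\\', '\\appdata\\', '\\temp\\', '\\programdata\\')


def executable_from(command):
    """Pull the file that actually runs out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end]
    m = PATH_RE.search(command)  # prefers the payload path, e.g. the DLL handed to RunDLL32
    if m:
        return m.group(0)
    return command.split()[0] if command else ''


def reasons_for(path, owner=None):
    """Return the list of reasons this entry should be reviewed (empty if none)."""
    reasons = []
    if path in ('', '?'):
        reasons.append('target could not be resolved')
    else:
        low = path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append('runs from a user-writable location')
        elif '\\' not in path:
            reasons.append('bare filename, resolved through the PATH search')
    if owner is not None and owner.lower() == 'unknown owner':
        reasons.append('service binary carries no publisher information')
    return reasons


def triage(log_text):
    """Parse O4/O23 lines and return (section, name, path, reasons) for flagged entries only."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            path = executable_from(m.group('cmd'))
            findings.append(('O4 Run', m.group('name'), path, reasons_for(path)))
            continue
        m = STARTUP_RE.match(line)
        if m:
            path = m.group('target').strip()
            findings.append(('O4 Startup', m.group('name'), path, reasons_for(path)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = m.group('path').strip()
            findings.append(('O23 Service', m.group('name'), path, reasons_for(path, m.group('owner'))))
    return [f for f in findings if f[3]]


if __name__ == '__main__':
    for section, name, path, reasons in triage(SAMPLE_LOG):
        print(f'{section:12} {name!r:32} {path}')
        print(f'{"":12} -> {"; ".join(reasons)}')
```

Everything not flagged still needs a human eye; the script only orders the reading, it does not decide what is malicious.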

Offline guestolo
« Reply #22 on: November 30, 2008, 02:35:13 PM »
I'm not at home right now (out of province), so I may have a delayed reply.

Just for a double check, as things seem to be running well, let's make sure a couple of scanners come back clean.

Can you again delete your copy of ComboFix and download a fresh copy?
Run it and post its new log.

Also, again, update Malwarebytes' Anti-Malware, run a scan and post its new log too.



Offline HTPConvert
« Reply #23 on: December 07, 2008, 09:23:59 PM »
Here is the malware scan log. Some problems were found. Will do a ComboFix now.

Malwarebytes' Anti-Malware 1.31
Database version: 1472
Windows 6.0.6001 Service Pack 1

8/12/2008 1:21:25 PM
mbam-log-2008-12-08 (13-21-25).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 148210
Time elapsed: 1 hour(s), 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Windows\System32\tmp0_62837460417.bk.vir (Trojan.Agent) -> Quarantined and deleted successfully.
D:\tmp\Qucik Time Pro 7\Apple.QuickTime.Pro.v7.3.0.70.Multilingual.Regged-CORE\CORE10k.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\tmp\EncoreCS3\Adobe Creative Master Collection Cracks, Launchers and KeyGens\Adobe Creative CS3 KeyGens Collection\SoundBooth CS3.exe (Trojan.Horst) -> Quarantined and deleted successfully.

Offline HTPConvert
« Reply #24 on: December 07, 2008, 09:31:05 PM »
And here is the ComboFix log:

ComboFix 08-12-06.06 - Media Centre 2008-12-08 13:26:13.4 - NTFSx86
Microsoft® Windows Vista™ Ultimate   6.0.6001.1.1252.1.1033.18.1661 [GMT 11:00]
Running from: c:\users\Media Centre\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2008-11-08 to 2008-12-08  )))))))))))))))))))))))))))))))
.

2008-11-27 18:18 . 2008-11-27 18:18   <DIR>   d--------   c:\users\All Users\is-D15N9
2008-11-27 18:18 . 2008-11-27 18:18   <DIR>   d--------   c:\programdata\is-D15N9
2008-11-27 18:18 . 2008-11-30 07:30   4,599,840   --ahs----   c:\windows\System32\drivers\fidbox.dat
2008-11-27 18:18 . 2008-11-30 07:30   58,112   --ahs----   c:\windows\System32\drivers\fidbox.idx
2008-11-24 15:45 . 2008-11-24 15:50   19   --a------   C:\videos.vf
2008-11-23 14:52 . 2008-12-03 19:52   38,496   --a------   c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-23 14:52 . 2008-12-03 19:52   15,504   --a------   c:\windows\System32\drivers\mbam.sys
2008-11-23 12:40 . 2008-11-23 12:40   <DIR>   d--------   C:\rsit
2008-11-23 12:01 . 2008-11-23 12:01   <DIR>   d--------   c:\program files\Panda Security
2008-11-23 12:01 . 2008-06-19 17:24   28,544   --a------   c:\windows\System32\drivers\pavboot.sys
2008-11-23 11:58 . 2008-11-23 12:00   <DIR>   d--------   c:\users\Media Centre\.housecall6.6
2008-11-23 11:19 . 2008-11-23 11:19   <DIR>   d--------   c:\users\All Users\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19   <DIR>   d--------   c:\programdata\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19   <DIR>   d--------   c:\program files\MC Menu Mender
2008-11-23 11:16 . 2008-11-25 20:55   <DIR>   d--------   c:\program files\SamSoft
2008-11-16 20:17 . 2008-11-16 20:17   <DIR>   d--------   c:\program files\Xvid
2008-11-16 20:17 . 2007-06-28 18:52   765,952   --a------   c:\windows\System32\xvidcore.dll
2008-11-16 20:17 . 2007-06-28 18:54   180,224   --a------   c:\windows\System32\xvidvfw.dll
2008-11-16 19:28 . 2008-11-16 19:28   <DIR>   d--------   c:\program files\avi.NET
2008-11-16 17:58 . 2008-11-16 17:58   <DIR>   d--------   c:\users\All Users\VistaCodecs
2008-11-16 17:58 . 2008-11-16 17:58   <DIR>   d--------   c:\programdata\VistaCodecs
2008-11-15 12:21 . 2008-11-15 12:23   <DIR>   d--------   c:\users\All Users\OpenMediaLibrary
2008-11-15 12:21 . 2008-11-15 12:23   <DIR>   d--------   c:\programdata\OpenMediaLibrary
2008-11-15 12:20 . 2008-11-29 08:45   <DIR>   d--------   c:\program files\OpenMediaLibrary

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 01:45   ---------   d-----w   c:\users\Media Centre\AppData\Roaming\uTorrent
2008-12-08 01:03   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2008-12-06 00:28   ---------   d-----w   c:\users\Media Centre\AppData\Roaming\VideoReDoPlus
2008-12-06 00:22   ---------   d---a-w   c:\programdata\TEMP
2008-11-17 07:29   ---------   d-----w   c:\program files\AviSynth 2.5
2008-11-16 22:03   ---------   d-----w   c:\programdata\VideoBrowser
2008-11-16 09:15   ---------   d-----w   c:\program files\DivX
2008-11-16 09:13   ---------   d-----w   c:\program files\Winnydows
2008-11-16 07:00   ---------   d-----w   c:\program files\Common Files\PX Storage Engine
2008-10-19 03:24   ---------   d-----w   c:\programdata\IsolatedStorage
2008-10-19 03:24   ---------   d-----w   c:\programdata\epgStream.net
2008-10-19 03:24   ---------   d-----w   c:\program files\epgStream.net
2008-07-24 01:07   47,360   ----a-w   c:\users\Media Centre\AppData\Roaming\pcouffin.sys
2008-03-21 09:33   174   --sha-w   c:\program files\desktop.ini
2008-02-14 03:28   29   ----a-w   c:\program files\version.ini
2008-02-14 03:23   231,944   ----a-w   c:\program files\gwflash.exe
2007-10-16 07:19   245,248   ----a-w   c:\windows\inf\WG311v3\Vista64\MRVW13C.sys
2007-10-16 07:14   256,512   ----a-w   c:\windows\inf\WG311v3\Vista32\MRVW13B.sys
2007-09-21 08:42   19,008   ----a-w   c:\program files\markfun.a64
2007-08-21 08:49   17,912   ----a-w   c:\program files\markfun.w32
2007-08-21 08:49   125,504   ----a-w   c:\program files\MarkFunDrv.dll
2007-05-24 04:58   249,856   ----a-w   c:\windows\inf\WG311v3\Vista32\InsDrv2k.exe
2007-04-04 07:35   207,680   ----a-w   c:\program files\updateutility.exe
2007-03-29 17:36   301   ----a-w   c:\program files\update.ini
2007-03-01 17:48   240,448   ----a-w   c:\program files\gwf32.exe
2006-11-23 12:47   207,680   ----a-w   c:\program files\BIOS_Run.exe
2006-11-23 12:40   60,224   ----a-w   c:\program files\HUADRV.DLL
2006-11-03 07:09   528   ----a-w   c:\program files\CONFIG.INI
2005-11-17 05:46   845,736   ----a-w   c:\windows\inf\WG311v3\Vista64\DPInst.exe
2005-04-27 08:40   6,800   ----a-w   c:\program files\W95_HUA.vxd
2008-05-07 08:37   16,496   --sha-w   c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows NT\DiskQuota\NTDiskQuotaSidCache.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-11-23_14.04.12.94   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-23 02:59:10   1,143,664   ----a-w   c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-12-07 09:17:13   1,143,664   ----a-w   c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-12-07 09:18:42   2,048   --sha-w   c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-07 09:18:42   2,048   --sha-w   c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-11-23 03:01:08   262,144   --sha-w   c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-07 09:20:18   262,144   --sha-w   c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-11-23 03:01:09   262,144   --sha-w   c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-08 00:58:37   262,144   --sha-w   c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-08 00:58:37   262,144   ---ha-w   c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-11-23 03:01:46   1,425,408   --sha-w   c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-03 01:39:21   1,425,408   --sha-w   c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-23 03:01:46   5,865,472   --sha-w   c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-03 01:39:21   5,865,472   --sha-w   c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-23 03:01:46   32,768   --sha-w   c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-03 01:39:21   32,768   --sha-w   c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-23 02:57:00   262,144   ----a-w   c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-08 02:26:05   262,144   ----a-w   c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-08 02:26:05   262,144   ---ha-w   c:\windows\System32\config\systemprofile\ntuser.dat.LOG1
- 2008-11-23 00:15:27   105,448   ----a-w   c:\windows\System32\perfc009.dat
+ 2008-12-07 09:25:48   105,448   ----a-w   c:\windows\System32\perfc009.dat
- 2008-11-23 00:15:27   599,942   ----a-w   c:\windows\System32\perfh009.dat
+ 2008-12-07 09:25:48   599,942   ----a-w   c:\windows\System32\perfh009.dat
- 2008-11-23 00:10:17   12,182   ----a-w   c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-220370344-2337913255-810275737-1000_UserData.bin
+ 2008-12-07 09:20:28   12,434   ----a-w   c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-220370344-2337913255-810275737-1000_UserData.bin
- 2008-11-23 00:10:16   72,060   ----a-w   c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-07 09:20:27   72,526   ----a-w   c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-09 04:05:50   3,028   ----a-w   c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-12-07 09:17:14   3,028   ----a-w   c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-11-23 00:10:14   78,702   ----a-w   c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-07 09:20:24   79,162   ----a-w   c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-11-22 22:06:22   260,436   ----a-w   c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-12-06 09:00:15   261,390   ----a-w   c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2007-02-23 139816]
"Windows Media Center"="c:\windows\ehome\ehuihlp.dll" [2008-01-18 1499136]
"Nero DriveSpeed"="c:\progra~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE" [2007-09-20 1975592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MagicTuneEngine"="c:\program files\MagicTune Premium\MagicTuneEngine.exe" [2007-06-14 69632]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-04-03 136080]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 c:\windows\RtHDVCpl.exe]

c:\users\Media Centre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [5/10/2008 7:27:33 PM 1172992]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [4/22/2008 11:42:26 AM 36864]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\WG311v3.exe [8/31/2005 11:46:50 AM 1691648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.CDVC"= cdvccodc.dll
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{AEAB85D1-5BDF-44BE-B1E5-0AFE137237E9}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{88B75BFA-0E87-48C8-ACCC-64504BDBAA65}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{651256BB-6D67-49C0-90DB-1174C4F5FEDF}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{8F5BE7E9-D5F4-4D35-BE47-F8CAD9CA4644}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{3176DAF5-F46E-43E0-B540-13A846A82E04}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= UDP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"UDP Query User{70F4429B-2439-419B-83FF-DA766D263D61}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= TCP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"TCP Query User{43FAAC04-9451-4360-9EAA-1F1B364B3CD1}c:\\program files\\gwflash.exe"= UDP:c:\program files\gwflash.exe:gwflash
"UDP Query User{FDB4E5B5-5285-415F-9806-B389D2B09A13}c:\\program files\\gwflash.exe"= TCP:c:\program files\gwflash.exe:gwflash
"TCP Query User{F204A39D-B297-49FF-B63B-C4D9F639D8EB}c:\\program files\\gigabyte\\@bios\\update.exe"= UDP:c:\program files\gigabyte\@bios\update.exe:update
"UDP Query User{BE296ADA-9CC5-46D0-87F5-A7E18186440F}c:\\program files\\gigabyte\\@bios\\update.exe"= TCP:c:\program files\gigabyte\@bios\update.exe:update
"TCP Query User{3367E75B-FFF5-4413-BF67-C7D933706696}d:\\program files\\tmnationsforever\\tmforever.exe"= UDP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{C2630B7A-93F5-4D51-9450-CD343A773C42}d:\\program files\\tmnationsforever\\tmforever.exe"= TCP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"{8A86151E-16AA-4308-A077-9FE605C9F5C0}"= UDP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"{DA808245-DD19-4E61-85A7-AC37F31800E9}"= TCP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"TCP Query User{B61B2908-E781-4FD2-9214-29C99ED0E153}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= UDP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"UDP Query User{8BAF1DF4-D050-4971-A25B-7C2AF68A5C09}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= TCP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"{963CC70A-5B6D-4869-AA0A-89C5C268AB98}"= UDP:56484:WebGuide
"{AAA7EFBE-C8E3-4590-A219-47EBEDF338FF}"= UDP:56485:WebGuide
"TCP Query User{4F3FFA99-7D4E-4E2A-9D3A-6ADAD9A3EFC3}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= UDP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"UDP Query User{A51263EA-0DD2-44DC-875A-B59D3AD8D540}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= TCP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"{46A11C06-2E57-436B-BFAE-FF65419BF063}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{236B0E50-A09C-4E5D-91B1-4A1FBDB104F0}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{90C63744-6260-4009-ABFF-89AD6FD2957B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{54A692D9-818D-481C-8529-E4F1241206A9}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{70C45649-7952-4C31-8A2A-4012C8E0FF9B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BCC11C71-76AF-45D3-BBB3-F5484424EA8C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BB4C64AA-3F0B-4B51-8ED8-37CC961C3510}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{738A84E1-918C-44C9-8E93-46DB1240ECC2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F3249610-7B2E-40F7-8041-3CCD410FE6A6}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{B3FE81E3-AE8F-47B7-851D-AA106865D45C}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{7B11553E-036F-4874-8B07-255A7C74072B}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E1E98ED7-CB38-4670-8360-65953A030A3D}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/23/2008 12:01:42 PM 28544]
R2 EZSERVICE;EZSERVICE;c:\program files\ASUS\EZVCR\EZSERVICE.exe [3/27/2007 6:32:10 PM 61440]
R2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2/28/2008 10:44:58 AM 668936]
R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [4/3/2008 1:33:24 PM 121744]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;"c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe" [2/8/2007 1:06:10 AM 49152]
R2 WebGuideTranscode;WebGuideTranscode;"d:\program files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe" [8/8/2007 8:28:42 PM 40960]
R2 wmcGuideServiceProxy;Windows Media Center Guide Service Proxy;"c:\program files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe" [9/28/2008 1:20:32 AM 22016]
R2 xmltvDownload;XMLTV Download Schedule Service;"c:\program files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe" [9/28/2008 1:12:00 AM 40960]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2008 3:19:39 PM 99376]
R3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\Drivers\u3kmini.sys [10/16/2006 5:15:58 PM 350720]
S3 GEST Service;GEST Service for program management.;"c:\program files\GIGABYTE\GEST\GSvr.exe" [3/21/2008 7:34:26 PM 47624]
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2/29/2008 2:08:14 PM 894216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile   REG_MULTI_SZ      wcescomm rapimgr
LocalServiceRestricted   REG_MULTI_SZ      WcesComm RapiMgr
bthsvcs   REG_MULTI_SZ      BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22889c13-bf7a-11dd-a55a-001d7daf31dc}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e61a0ef-f72b-11dc-8675-001b2f2ce128}]
\shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47fee477-fcae-11dc-a19d-001d7daf31dc}]
\shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FireFox -: Profile - c:\users\Media Centre\AppData\Roaming\Mozilla\Firefox\Profiles\dwft2yz6.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 13:27:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\MEDIAC~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-08 13:28:48
ComboFix-quarantined-files.txt  2008-12-08 02:28:46
ComboFix2.txt  2008-11-25 09:07:59
ComboFix3.txt  2008-11-23 04:02:00
ComboFix4.txt  2008-11-23 03:05:08

Pre-Run: 6,128,500,736 bytes free
Post-Run: 5,931,577,344 bytes free

234

Offline HTPConvert
« Reply #25 on: December 07, 2008, 11:29:07 PM »
bump

Offline guestolo
« Reply #26 on: December 08, 2008, 01:31:52 AM »
Delete RSIT.exe on the desktop and its folder:
C:\rsit

Go to START>>RUN>>copy and paste the following then click OK

ComboFix /u

This will uninstall ComboFix and its components.

Take a look at miekiemoes' site for other ideas on how to prevent malware:

I would choose to hold onto Malwarebytes' Anti-Malware.
Occasionally, check for updates and run a quick scan.



Offline HTPConvert
« Reply #27 on: December 08, 2008, 07:23:02 PM »
Thanks again for your help, guestolo!! Much appreciated. I will take a look at that site to hopefully stop this happening again :-)

Offline guestolo
« Reply #28 on: December 08, 2008, 11:18:25 PM »
Good work, HTPConvert.
I'll lock this topic as your problems are resolved.
Take care :)
