
Virus in volume mixer? Weird process & tone just before Windows autostart sound.


This topic is locked
3 replies to this topic

#1 szakala

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:15 PM

Posted 12 January 2017 - 05:30 AM

Hi,

A few days ago, when my Windows 7 was starting up, I heard a weird tone, like a piano key or something like that. It occurred just before the default Windows 7 autostart sound and it keeps playing every time I start my computer now (just once, before the default sound). I also spotted an icon unknown to me that resides in the volume mixer. There's also a weird process in Task Manager which consumes almost 25% of CPU.

I attach my logs along with screenshot.

Thanks in advance for any help.

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-01-2017
Ran by Piotr (administrator) on PIOTR-PC (12-01-2017 11:20:05)
Running from C:\Users\Piotr\Desktop
Loaded Profiles: Piotr (Available Profiles: Piotr)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Angielski (Stany Zjednoczone)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Users\Piotr\AppData\Roaming\{B9D64DD0-3F63-8DEC-3532-621D88BF15B1}\vdbpqjasd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
() C:\Program Files (x86)\CodePlex\XPS2OneNote\XPS2OneNote.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3245832 2014-07-14] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5716608 2011-07-21] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] => C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)
HKLM-x32\...\Run: [HControlUser] => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-809822771-616469217-2833164455-1000\...\Run: [{8FBFA670-DB20-B89B-AF59-8D19C62DA203}] => C:\Users\Piotr\AppData\Roaming\{B9D64DD0-3F63-8DEC-3532-621D88BF15B1}\vdbpqjasd.exe [196444160 2017-01-06] ()
HKU\S-1-5-21-809822771-616469217-2833164455-1000\...\MountPoints2: {52c0bbec-4f66-11e6-84f4-20cf3051b16c} - F:\iStudio.exe
Startup: C:\Users\Piotr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XPS2OneNote.lnk [2016-10-01]
ShortcutTarget: XPS2OneNote.lnk -> C:\Users\Piotr\AppData\Roaming\Microsoft\Installer\{6DD7A9DA-6732-47D2-8362-6A12BD0EA053}\_FBB2488C0F33C1DFE6AC1F.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 217.144.192.2 217.144.192.33
Tcpip\..\Interfaces\{B29183BD-8C08-4D13-B8AA-CA14FE8BC553}: [DhcpNameServer] 217.144.192.2 217.144.192.33
Tcpip\..\Interfaces\{D978AF04-110F-4AF1-B223-C1F8AEDFDAD1}: [DhcpNameServer] 217.144.192.2 217.144.192.33

Internet Explorer:
==================
HKU\S-1-5-21-809822771-616469217-2833164455-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 2q4tohlt.default
FF ProfilePath: C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\2q4tohlt.default [2017-01-12]
FF Extension: (Adblock Plus) - C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\2q4tohlt.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-24]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_194.dll [2017-01-11] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-11] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-12-14] (Malwarebytes)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2008-12-03] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2008-12-03] (Hewlett-Packard) [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77416 2016-12-14] ()
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-08-07] (Intel Corporation)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176064 2017-01-11] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2017-01-12] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2017-01-12] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [250816 2017-01-12] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [81696 2017-01-12] (Malwarebytes)
R3 MTsensor64; C:\Windows\System32\DRIVERS\PuAcpi64.sys [15880 2009-06-05] ()
R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1800832 2010-09-07] (Sonix Technology Co., Ltd.)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-12 11:20 - 2017-01-12 11:21 - 00008590 _____ C:\Users\Piotr\Desktop\FRST.txt
2017-01-12 11:17 - 2017-01-12 11:17 - 00000585 _____ C:\Users\Piotr\Desktop\Nowy dokument tekstowy.txt
2017-01-12 10:53 - 2017-01-12 11:20 - 00000000 ____D C:\FRST
2017-01-12 10:52 - 2017-01-12 10:52 - 02419200 _____ (Farbar) C:\Users\Piotr\Desktop\FRST64.exe
2017-01-11 21:26 - 2017-01-12 11:19 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-01-11 21:26 - 2017-01-12 11:19 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-01-11 21:26 - 2017-01-12 11:19 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-01-11 21:26 - 2017-01-11 21:26 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-01-11 21:25 - 2017-01-12 11:19 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-11 21:25 - 2017-01-11 21:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-01-11 21:25 - 2017-01-11 21:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-01-11 21:25 - 2017-01-11 21:25 - 00000000 ____D C:\Program Files\Malwarebytes
2017-01-11 21:25 - 2016-12-14 12:55 - 00077416 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-01-06 10:26 - 2017-01-11 21:12 - 00000000 ____D C:\Users\Piotr\AppData\Roaming\tor
2017-01-06 10:26 - 2017-01-06 10:26 - 03351566 _____ C:\Users\Piotr\AppData\Roaming\tor.exe
2017-01-06 10:25 - 2017-01-06 10:25 - 00000000 ___HD C:\Users\Piotr\AppData\Roaming\{B9D64DD0-3F63-8DEC-3532-621D88BF15B1}
2016-12-16 14:00 - 2017-01-06 19:32 - 00000000 ____D C:\Users\Piotr\Desktop\Dysk wymienny

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-12 11:19 - 2015-10-17 23:38 - 00002896 _____ C:\Windows\System32\Tasks\AutoKMS
2017-01-12 11:19 - 2015-10-17 23:38 - 00000266 _____ C:\Windows\Tasks\AutoKMS.job
2017-01-12 11:18 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-12 11:17 - 2016-11-30 18:41 - 00000000 ____D C:\Users\Piotr\AppData\LocalLow\Mozilla
2017-01-12 10:57 - 2009-07-14 05:45 - 00026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-12 10:57 - 2009-07-14 05:45 - 00026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-12 10:45 - 2015-10-18 09:03 - 00000930 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-01-11 21:14 - 2009-07-14 06:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-01-11 13:45 - 2015-10-18 09:03 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-01-11 13:45 - 2015-10-18 09:03 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-01-11 13:45 - 2015-10-18 09:03 - 00003868 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-01-11 13:45 - 2015-10-18 09:03 - 00000000 ____D C:\Windows\system32\Macromed
2017-01-11 13:45 - 2015-10-17 22:05 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-01-07 17:36 - 2015-10-17 23:51 - 00740954 _____ C:\Windows\system32\perfh015.dat
2017-01-07 17:36 - 2015-10-17 23:51 - 00155994 _____ C:\Windows\system32\perfc015.dat
2017-01-07 17:36 - 2009-07-14 06:13 - 01671648 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-07 17:36 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-12-25 22:01 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\catroot2
2016-12-23 22:16 - 2016-10-27 12:07 - 00000000 ____D C:\Users\Piotr\Desktop\zegarek
2016-12-23 22:04 - 2016-09-04 17:51 - 00000000 ____D C:\Users\Piotr\Desktop\Wakacje 2016
2016-12-16 14:36 - 2015-10-24 18:09 - 00524288 ___SH C:\Windows\system32\config\COMPONENTS{83b6a435-7a5d-11e5-b22e-20cf3051b16c}.TMContainer00000000000000000002.regtrans-ms
2016-12-16 14:36 - 2015-10-24 18:09 - 00065536 ___SH C:\Windows\system32\config\COMPONENTS{83b6a435-7a5d-11e5-b22e-20cf3051b16c}.TM.blf
2016-12-16 14:36 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\config
2016-12-16 14:36 - 2009-07-14 03:34 - 44040192 _____ C:\Windows\system32\config\COMPONENTS
2016-12-16 14:36 - 2009-07-14 03:34 - 00262144 ____H C:\Windows\system32\config\COMPONENTS.LOG1
2016-12-16 14:25 - 2015-10-17 21:12 - 00000000 __SHD C:\System Volume Information
2016-12-16 14:18 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\config\RegBack
2016-12-16 13:57 - 2016-02-20 16:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-16 13:57 - 2010-11-21 04:47 - 00017292 _____ C:\Windows\PFRO.log
2016-12-16 13:06 - 2016-02-20 16:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== Files in the root of some directories =======

2017-01-06 10:26 - 2017-01-06 10:26 - 3351566 _____ () C:\Users\Piotr\AppData\Roaming\tor.exe
2016-02-16 18:34 - 2016-02-16 19:28 - 0008316 _____ () C:\ProgramData\hpzinstall.log

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-16 14:18

==================== End of FRST.txt ============================

#2 nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:15 AM

Posted 13 January 2017 - 02:06 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Users\Piotr\AppData\Roaming\{B9D64DD0-3F63-8DEC-3532-621D88BF15B1}\vdbpqjasd.exe
HKU\S-1-5-21-809822771-616469217-2833164455-1000\...\Run: [{8FBFA670-DB20-B89B-AF59-8D19C62DA203}] => C:\Users\Piotr\AppData\Roaming\{B9D64DD0-3F63-8DEC-3532-621D88BF15B1}\vdbpqjasd.exe [196444160 2017-01-06] ()
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {4DF3A24E-1535-4263-BF60-16D7A8B3FA91} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-10-17] ()
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
C:\Users\Piotr\AppData\Roaming\{B9D64DD0-3F63-8DEC-3532-621D88BF15B1}

Reboot:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
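
An added example, not part of this thread and not FRST's or Farbar's own code: a small Python triage script that parses Run entries in the FRST log format shown above and flags the traits that nasdaq's fixlist acted on, namely an executable with no publisher, launched from a GUID-named folder under AppData\Roaming through a GUID-named Run value. The sample lines are copied from the log posted in this thread; the heuristic names and the two-hit threshold are my own choices.

```python
import re

# Constructed sample in FRST "Registry (Whitelisted)" format, copied from the
# log above; the HKU entry is the one nasdaq's fixlist removes.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3245832 2014-07-14] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5716608 2011-07-21] (ASUS)
HKU\S-1-5-21-809822771-616469217-2833164455-1000\...\Run: [{8FBFA670-DB20-B89B-AF59-8D19C62DA203}] => C:\Users\Piotr\AppData\Roaming\{B9D64DD0-3F63-8DEC-3532-621D88BF15B1}\vdbpqjasd.exe [196444160 2017-01-06] ()
""".strip().splitlines()

# FRST Run line: <hive>\...\Run: [<name>] => <path> [<size> <date>] (<publisher>)
RUN_RE = re.compile(
    r"^(?P<hive>\S+?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_run_entry(line):
    """Return the fields of one FRST Run line as a dict, or None if it is not one."""
    m = RUN_RE.match(line.strip())
    return m.groupdict() if m else None


def score_run_entry(entry):
    """List the heuristics an autorun trips. Each is a trait of the entry
    removed in this thread; none of them alone proves the file is malicious."""
    reasons = []
    path = entry["path"]
    if entry["publisher"] == "":          # FRST prints () when there is no publisher
        reasons.append("no publisher")
    if "\\AppData\\Roaming\\" in path:   # user-writable, no install needed
        reasons.append("runs from AppData\\Roaming")
    if GUID_RE.match(entry["name"]):
        reasons.append("GUID-named Run value")
    if any(GUID_RE.match(p) for p in path.split("\\")[:-1]):
        reasons.append("GUID-named parent folder")
    return reasons


def triage(lines, min_hits=2):
    """Map each Run executable that trips at least min_hits heuristics to them."""
    flagged = {}
    for line in lines:
        entry = parse_run_entry(line)
        if entry is not None:
            reasons = score_run_entry(entry)
            if len(reasons) >= min_hits:
                flagged[entry["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FRST_LINES).items():
        print(path, "->", "; ".join(reasons))
```

Run it against the whole "Registry (Whitelisted)" section of a real FRST.txt; lines that are not Run entries are skipped, and the vendor-signed ASUS and ELAN entries score zero.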

#3 szakala

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:15 PM

Posted 14 January 2017 - 04:33 AM

Everything seems to be fine now. Fixlog attached. Thank you very much for your time and help. I am glad that there are people always willing to help on this forum.

#4 nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:15 AM

Posted 14 January 2017 - 10:05 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
