[jwcgator]

Posted this on Windows 7 Forum; Makes more sense to post it here:



This all started today when I plugged in an HDTV with an HDMI cable and I heard random mixtures of music and talking playing through the speakers. At first I thought it was the tv picking up something in the air so I unplugged the cable and the "music" started playing through my laptop speakers. I closed every running window to make sure it was nothing I had running but it was still playing. I traced the sound back to STDRT.EXE using the audio mixer. It normally hovers around 17mb but when it activates it goes up to 300mb. There are a lot of temp files containing the exe and other files (that are replaced after a reboot).
The audio only seems to happen when I plug in my TV, though.

I'm rather stumped, because neither Mal-ware Bytes nor Spybot can find anything related to it, and a scan of any of the files leads to nothing.

Also, I'm leaving for a trip in about 5 hours from now so I may not be able to get on the internet for a while (anywhere from 6 hours to 4 days, depending on internet access availability) .

Attached is a file containing a sample of what plays and my HJT log..

[CatByte]

Hi

Please do the following:



Please download MBRCheck.exe to your desktop.

• Be sure to disable your security programs
• Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
• A window will open on your desktop
• if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
• If nothing unusual is found just press Enter
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
• Please post the contents of that file.

NEXT




Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Under the Custom Scan box paste this in
  
  
  
  netsvcs
  drivers32 /all
  %SYSTEMDRIVE%\*.*
  %systemroot%\system32\*.wt
  %systemroot%\system32\*.ruy
  %systemroot%\Fonts\*.com
  %systemroot%\Fonts\*.dll
  %systemroot%\Fonts\*.ini
  %systemroot%\Fonts\*.ini2
  %systemroot%\system32\spool\prtprocs\w32x86\*.*
  %systemroot%\REPAIR\*.bak1
  %systemroot%\REPAIR\*.ini
  %systemroot%\system32\*.jpg
  %systemroot%\*.scr
  %systemroot%\*._sy
  %APPDATA%\Adobe\Update\*.*
  %ALLUSERSPROFILE%\Favorites\*.*
  %APPDATA%\Microsoft\*.*
  %PROGRAMFILES%\*.*
  %APPDATA%\Update\*.*
  %systemroot%\*. /mp /s
  CREATERESTOREPOINT
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %systemroot%\System32\config\*.sav
  %systemroot%\system32\user32.dll /md5
  %systemroot%\system32\ws2_32.dll /md5
  %systemroot%\system32\ws2help.dll /md5
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs
  
  
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your next reply.

[jwcgator]

Thanks! Attached are the log files


Edit: also, it's playing the random music atm, it's just automuting itself on the current audio playback device.

[CatByte]

Hi

Do you recognize this directory? Did you create it yourself?

If not - open it and let me know if it contains files (don't open them > just report)

Please do the following:

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  
  Code:

  :OTL
  O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
  O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
  O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
  @Alternate Data Stream - 1213 bytes -> C:\ProgramData\Microsoft:lJOLmCyz2Q7Lkbybly4mfV
  
  :Commands
  [resethosts]
  [emptyflash]
  [purity]
  [emptytemp]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then post the OTL log

NEXT


Please download Malwarebytes' Anti-Malware

• Double Click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- very important
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

[jwcgator]

I'm not sure what directory you're referring to, but I'll go ahead and start on all of that now.

[CatByte]

sorry about that,

could have sworn I copy/pasted that in

C:\Users\jwcgator\Documents\jtk379en

[jwcgator]

Here are the logs, Kaspersky seems to have found the file that was causing all of this (Windows/system/regsrv.exe)

Edit: oh and about the folder, it's a program called joytokey, it's safe

[CatByte]

Hi

Please do the following,

Please empty the SPAM folder in your email, then empty the recycle bin


NEXT

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  
  Code:

  :Files
  C:\Program Files (x86)\Image-Line\FL Studio 9\FL.exe	
  C:\Windows\system\regsrv.exe	
  
  :Commands
  [resethosts]
  [emptyflash]
  [purity]
  [emptytemp]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then post the OTL log

NEXT

Please post a fresh OTL log and advise how your computer is running now and if there are any outstanding issues.

[jwcgator]

I experienced some weird behavior when I ran that in OTL, I got a popup telling me that Windows encountered a serious error and was going to reboot in 1 minute (which it did). OTL didnt finish running (it was all the way up to clearing the temp files, though). I checked task manager, and there were many iexplorer.exe (or iexplore.exe, dont remember which) running under SYSTEM. The next boot appeared to be locked up so I cool-rebooted my laptop and the files hadnt been deleted, so I deleted them myself manually which has cleared all symptoms.

tl;dr: A bunch of weird stuff happened but I got rid of the files and they didn't come back.

Thank you so much for your time!!

Attached is a fresh OTL log using the parameters I used before

[CatByte]

That was odd behaviour, at least you were able to delete the files manually.

The log appears to be clean,

so let's do the tool clean up,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 21 and save it to your desktop.
• Scroll down to where it says JDK 6 Update 21 (JDK or JRE)
• Click the Download JRE button to the right
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u21 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

NEXT

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If any tools / logs remain on your desktop > right click and delete them

Let me know how the computer is running and if there are any outstanding issues.

[jwcgator]

Java is all up to date and my computer is cleaned up and running great!

Thank you so much for your time and help, I really appreciate it.

[CatByte]

you are welcome

stay safe

~CB