Media Player Behaves strange: spyware issue?

Discussion in 'Malware Help (A Specialist Will Reply)' started by geneman, Nov 19, 2005.

  1. geneman

    geneman Private First Class

    Hi Guys

I have a strange issue with Windows Media Player. When my computer boots, Windows Media Player gets opened automatically. I don't know what's the reason, but it's irritating because it takes a lot of time in the process. Moreover, WMP is not there in the programs at start-up list.

Actually, a few months back the PC got infected with spyware, and this problem started after that. I removed all the spyware with the help of the "spyware specific" forum, but this problem was not fixed at that time.

By the way, I talked in the Software section of this board, but they also said sometimes it may be because of spyware, so I request some expert in this section to look into the matter.

    Regards
    Gene
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis:

    Downloading, Installing, and Running HijackThis
     
  3. geneman

    geneman Private First Class

    Dear Shadow..

Thanks a lot for the kind reply. As an old member of this forum I know the initial things that have to be done, and my system is up-to-date with all the antivirus (Norton) and anti-spyware tools (Ad-Aware, Spybot, Ewido, CCleaner etc.), which I run regularly, and I have Sygate firewall too. Except for the WMP start at boot problem (which has been going on for the last 4-5 months), I have no other problem which can make me suspicious of the presence of any malware.
So I have put an HJT log herewith for you to look over.

    Regards
    Gene
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Have HijackThis fix the following:
    Other than that your log is fine.

As far as the WMP issue, check MSCONFIG to see if it is starting that way. If so, make a note of the registry key. Then use REGEDIT to delete the registry value.
     
  5. geneman

    geneman Private First Class

    Dear Shadow..

Thanks for the help. I removed those BHOs.
You told me to "check MSCONFIG to see if it is starting that way. If so, make a note of the registry key". But as I mentioned earlier, I don't see WMP if I run msconfig and then check for it by clicking on the Startup tab. :rolleyes:
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Look in the following registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

for WMP startups.

    Also check to see if a media file is trying to open at system start.

    You can also do the following:

    Download this trial version of Ewido Security Suite
    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button
Now exit Ewido. Now print the instructions below or save them locally, because I want you to have no browsers open and also no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:

    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report.
     
  7. geneman

    geneman Private First Class

    Dear Shadow

Here I have attached a screenshot of the programs running at start-up.

I already have Ewido and keep using it; still, I will run Ewido as you told and let you know by tonight.

    Thanks
    Gene
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

The startup item that is blank, what is the registry key value for that item?
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Do this scan also:

    Please download Spy Sweeper


    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
  10. geneman

    geneman Private First Class

It is HKCU/software/microsoft/windows/currentVersion/Run
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete that item from the registry.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Be careful not to misinterpret what is being said here!

    SPD does not mean that you should delete:

    HKCU/software/microsoft/windows/currentVersion/Run

    He meant to look for the blank item under this key and delete it.

    Sometimes a better thing to do for problems like this with msconfig is to run the below:

    MSConfig Cleanup
     
  13. geneman

    geneman Private First Class

    Dear Shadow..

I ran Ewido and Spy Sweeper. Spy Sweeper could find some trojans and spyware; I don't know whether those were their traces or what. I have attached all the logs.

    Gene
     

    Attached Files:

  14. geneman

    geneman Private First Class

    Hi Shadow..

The new HJT log is here (taken after the Ewido and Spy Sweeper scans). Please look for the Ewido and Spy Sweeper logs in my earlier message.

Regarding the deletion of that registry key you mentioned, please let me know in detail how to do that; sorry, I am not that much of an expert with these things.

    Thanks
    Gene
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    Download
    - MSConfig Cleanup

    Install the MSConfig Cleanup tool. Open MSCONFIG to disable that blank Startup item. Run the MSConfig Cleanup tool and have it remove the disabled items.

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

Now come back here and post all three logs as attachments.
     
  16. geneman

    geneman Private First Class

    Hi Shadow

When I run MSConfig Cleanup I can only see two items, ypager and messenger. I don't see that item to remove it. :rolleyes:
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, run REGEDIT and navigate to the following registry key:
    HKCU/software/microsoft/windows/currentVersion/Run

    Look through all the values under that key and delete the blank startup item once you locate it.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SPD,

Just in case anything strange is lurking in the run keys, you may want to try running this batch script I wrote, which will create a file named c:\runkeys.txt which can be uploaded for your viewing pleasure. ;) Sometimes stuff like this occurs due to unprintable characters in file names.

    Just download the attachment and extract the getrunkey.bat file from it and run it by double clicking on it. It can be run from anywhere. It works for all Windows OS's.
     

    Attached Files:

    Last edited: Nov 21, 2005
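A defender-side check for the blank startup item discussed in this thread, combining the Run keys listed in post 6 with the unprintable-character explanation in post 18. This is an added PowerShell example, not chaslang's getrunkey.bat or any tool named here; it assumes the C:\runkeys.txt output path borrowed from that post, and it also includes the Policies\Explorer\Run key mentioned later in the thread.

```powershell
# Added example (not code from the thread): list every value under the
# autostart Run keys and flag value names that msconfig would show as blank,
# i.e. names that are empty or contain characters outside printable ASCII.
# Output path is an assumption, chosen to match the batch script's report.
$ReportPath = 'C:\runkeys.txt'

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-RunKeyReport {
    foreach ($Key in $RunKeys) {
        # Most of the *Once / RunServices keys do not exist on a clean machine.
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Item = Get-Item -LiteralPath $Key
        foreach ($Name in $Item.GetValueNames()) {
            # Read the raw data without expanding %VARIABLES%, so the report
            # shows exactly what is stored rather than what it resolves to.
            $Data = $Item.GetValue($Name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            # An empty name (the key's default value) or any non-printable /
            # non-ASCII character in the name is what yields a blank entry in
            # msconfig. Non-English names are flagged too; review by hand.
            $Hidden = ($Name -eq '') -or ($Name -match '[^\x20-\x7E]')
            # Hex code points make an invisible character visible in the report.
            $Codes = ($Name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
            [pscustomobject]@{
                Key        = $Key
                ValueName  = if ($Name -eq '') { '(Default)' } else { $Name }
                NameCodes  = $Codes
                Data       = $Data
                Suspicious = $Hidden
            }
        }
    }
}

$Report = Get-RunKeyReport
$Report | Format-Table -AutoSize | Out-String -Width 300 | Set-Content -LiteralPath $ReportPath
# Print only the entries worth a closer look; nothing is deleted by this script.
$Report | Where-Object { $_.Suspicious } | Format-List
```

Run it from a normal PowerShell prompt; HKLM keys are readable without elevation, and the script only reads, so the registry backup step recommended later in the thread is still needed before any deletion.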
  19. geneman

    geneman Private First Class

    hi Shadow..

I'm not so familiar with Registry Editor. After I went to the location in regedit, these are the values I found (see the attached screenshot). Which one of them do I have to remove? Please inform.

The scans you suggested, I'm doing them, just returned from office. :)
Gene
     

    Attached Files:

  20. geneman

    geneman Private First Class

I removed the items you mentioned in post #15 using HJT, except this one, which I couldn't find there:

    O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0

Please look into my earlier post also.
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can delete the WebCamRT.exe item from HKCU/software/microsoft/windows/currentVersion/Run. Also run the batch file that chaslang posted; and post its log file.
     
  22. geneman

    geneman Private First Class

But what about the start-up item you mentioned earlier? Where can I find that?
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run REGEDIT and navigate to HKCU/software/microsoft/windows/currentVersion/Run, click on WebCamRT.exe, press the Delete key and answer Yes.
     
  24. geneman

    geneman Private First Class

The Panda scan log is herewith.
     

    Attached Files:

  25. geneman

    geneman Private First Class

OK, I did as you said and deleted it, and I have attached the logs of the 3 scans you mentioned. 2 are here and the third one is in the message posted just before this.
Thank you very, very much for the time you are giving!!!

    Gene
     

    Attached Files:

  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

Run Killbox.exe. Paste the filenames below into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.
     
  27. geneman

    geneman Private First Class

I did everything as you told, but after normal mode booting, I saw WMP is still opening, and this time its behaviour was a little different: it took some more time to load and two WMP windows opened, one of which disappeared by itself. Moreover, when I booted in normal mode, Spy Sweeper told me that something called !cleanupnetmeetingdispdriver is trying to load on startup and asked me if I want to allow it. I think this item was somewhere in what you told me to remove. Does this thing have some relation with WMP?

If I uninstall WMP from my system will it solve the problem? Please inform.

I have attached the log from the program that chaslang gave.


    Gene
     

    Attached Files:

  28. geneman

    geneman Private First Class

  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

I see nothing in the log that should be removed. Yes, I had you remove that; run HijackThis, look for that and fix that line.

    Run CCleaner before doing the below.

    Download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  30. geneman

    geneman Private First Class

    Hi Shadow..

Wish you a Happy Thanksgiving!

I have attached the log of WinPFind.

I removed that !cleanupnetmeetingdispdriver thing using HJT, but it keeps coming back and I again get a message from Spy Sweeper at boot.

    Gene
     

    Attached Files:

  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

Boot to Safe Mode. Using Windows Explorer, navigate to and delete the following files, if they exist.
    Now run REGEDIT and Delete the following Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    WARNING:
    Backup your Registry before deleting the above key.

    If there is nothing else under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer then delete it also.

    Reboot to Normal Mode and post a fresh HijackThis log.

    Happy Thanksgiving!
     
  32. geneman

    geneman Private First Class

    Dear Shadow..
Sorry for the late reply, I was busy because of Thanksgiving. :)
You told me to make a registry backup before deleting the key, but as I told earlier I'm a novice with registry things and don't know how to back up!

One more thing I wanted to ask you: I usually get a message from my firewall about a port scan attack from the IP 61.156.238.238. It comes 2-3 times almost daily. It usually scans UDP 4081, 2, 1026, and 1028, though sometimes some other ports also. Can you tell what it is? Is it something serious?

    regards
    Gene
     
  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Right-click on the registry key select export and save to your desktop.

Your firewall is blocking it; that is a good thing. That IP is for cnc-noc.net, which redirects to a site in China. Port scans are looking for unprotected computers.
     
  34. geneman

    geneman Private First Class

    Dear Shadow..

I tried the things you mentioned, and the media player is not opening at start-up now!! Thanks a lot for the great help and the time you gave me. I am really grateful! :)

By the way, Spy Sweeper still says that !cleanupnetmeetingdispdriver thing is trying to come up at startup. Attached herewith is the new HJT log.

    regards
    Gene
     

    Attached Files:

  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    Reboot to Safe Mode.

    Run Spy Sweeper.

    Reboot to Normal Mode.

Post the Spy Sweeper log and a fresh HijackThis log.
     
