# Random music playing virus (STDRT.EXE, crosspost)



## jwcgator (Dec 17, 2005)

Posted this on Windows 7 Forum; Makes more sense to post it here:



This all started today when I plugged in an HDTV with an HDMI cable and I heard random mixtures of music and talking playing through the speakers. At first I thought it was the TV picking up something in the air, so I unplugged the cable and the "music" started playing through my laptop speakers. I closed every running window to make sure it was nothing I had running, but it was still playing. I traced the sound back to STDRT.EXE using the audio mixer. It normally hovers around 17 MB, but when it activates it goes up to 300 MB. There are a lot of temp files containing the exe and other files (that are replaced after a reboot).
The audio only seems to happen when I plug in my TV, though.

I'm rather stumped, because neither Malwarebytes nor Spybot can find anything related to it, and a scan of any of the files leads to nothing.

Also, I'm leaving for a trip in about 5 hours from now so I may not be able to get on the internet for a while (anywhere from 6 hours to 4 days, depending on internet access availability).

Attached is a file containing a sample of what plays and my HJT log.
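One way to do the same process-to-file triage from the command line, as an added example that is not part of the thread: this PowerShell script (assumed to run from an elevated prompt on Windows 7 or later with PowerShell 4 or newer) lists running processes whose image file lies outside the standard Windows and Program Files directories, or whose Authenticode signature is not valid, together with working-set size and SHA-256 hash, so an entry like STDRT.EXE running from a temp folder stands out and its hash can be submitted for a scan.

```powershell
# Added example, not from the thread: triage running processes by image location,
# signature status and working-set size. Assumes an elevated PowerShell 4+ prompt.
$trustedDirs = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -ne '\' }   # drop the empty ProgramFiles(x86) entry on 32-bit Windows

function Test-TrustedPath {
    param([string]$Path)
    foreach ($dir in $trustedDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$report = Get-Process |
    Where-Object { $_.Path } |          # protected/system processes expose no Path; skip them
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [PSCustomObject]@{
            Name      = $_.ProcessName
            PID       = $_.Id
            WSMB      = [math]::Round($_.WorkingSet64 / 1MB)   # compare with the 17 MB / 300 MB observation
            Signature = $sig.Status                             # Valid, NotSigned, HashMismatch, ...
            Trusted   = Test-TrustedPath $_.Path
            Path      = $_.Path
            SHA256    = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
        }
    }

# Show only what deserves a second look: unusual location or a non-valid signature.
# Note that C:\Windows\system\ (no "32") and %TEMP% are both outside the trusted list.
$report |
    Where-Object { -not $_.Trusted -or $_.Signature -ne 'Valid' } |
    Sort-Object WSMB -Descending |
    Format-Table Name, PID, WSMB, Signature, Trusted, Path, SHA256 -AutoSize
```

A legitimately installed program running from its own folder under the user profile will also be listed; the signature status and hash are what separate it from an unknown binary.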


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:

Please download MBRCheck.exe to your desktop.

Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press *N* then press *Enter* twice.
If nothing unusual is found just press *Enter*.
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

*NEXT*

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Minimal Output*.
Check the boxes beside *LOP Check* and *Purity Check*.
Under the Custom Scan box paste this in

```
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
```

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post them in your next reply.


----------



## jwcgator (Dec 17, 2005)

Thanks! Attached are the log files


Edit: also, it's playing the random music atm, it's just auto-muting itself on the current audio playback device.


----------



## CatByte (Feb 24, 2009)

Hi

Do you recognize this directory? Did you create it yourself?

If not - open it and let me know if it contains files (don't open them > just report)

Please do the following:

Run *OTL.exe*

Copy/paste the following text written *inside of the code box* into the *Custom Scans/Fixes* box located at the bottom of OTL


```
:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
@Alternate Data Stream - 1213 bytes -> C:\ProgramData\Microsoft:lJOLmCyz2Q7Lkbybly4mfV

:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
Then post the OTL log

*NEXT*

Please download *Malwarebytes' Anti-Malware*

Double Click *mbam-setup.exe* to install the application.
Make sure a *checkmark* is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click *Finish.*
If an update is found, it will download and install the latest version.
Once the program has loaded, select *"Perform Quick Scan"*, then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that everything is checked, and click *Remove Selected*. <-- very important
When disinfection is completed, a *log* will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


*NEXT*

*Vista users - right click on the IE icon and run as administrator*

*Run an on-line scan with Kaspersky*

Using Internet Explorer or Firefox, visit *Kaspersky On-line Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.
*2.* To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan
*3.* Click *Run* at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.

Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View scan report* at the bottom.

Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply.


----------



## jwcgator (Dec 17, 2005)

I'm not sure what directory you're referring to, but I'll go ahead and start on all of that now.


----------



## CatByte (Feb 24, 2009)

Sorry about that,

could have sworn I copy/pasted that in:

C:\Users\jwcgator\Documents\jtk379en


----------



## jwcgator (Dec 17, 2005)

Here are the logs, Kaspersky seems to have found the file that was causing all of this (Windows/system/regsrv.exe)

Edit: oh and about the folder, it's a program called joytokey, it's safe


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following,

Please empty the SPAM folder in your email, then empty the recycle bin

*NEXT*

Run *OTL.exe*

Copy/paste the following text written *inside of the code box* into the *Custom Scans/Fixes* box located at the bottom of OTL


```
:Files
C:\Program Files (x86)\Image-Line\FL Studio 9\FL.exe
C:\Windows\system\regsrv.exe

:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
Then post the OTL log

*NEXT*

Please post a fresh OTL log and advise how your computer is running now and if there are any outstanding issues.


----------



## jwcgator (Dec 17, 2005)

I experienced some weird behavior when I ran that in OTL. I got a popup telling me that Windows encountered a serious error and was going to reboot in 1 minute (which it did). OTL didn't finish running (it was all the way up to clearing the temp files, though). I checked Task Manager, and there were many iexplorer.exe (or iexplore.exe, don't remember which) running under SYSTEM. The next boot appeared to be locked up, so I cold-rebooted my laptop and the files hadn't been deleted, so I deleted them myself manually, which has cleared all symptoms.

tl;dr: A bunch of weird stuff happened but I got rid of the files and they didn't come back.

Thank you so much for your time!!

Attached is a fresh OTL log using the parameters I used before


----------



## CatByte (Feb 24, 2009)

That was odd behaviour; at least you were able to delete the files manually.

The log appears to be clean,

so let's do the tool clean up.

*Your Java is out of date.* Older versions have vulnerabilities that malware can use to infect your system. *Please follow these steps to remove older version Java components and update.*

Download the latest version of *Java Runtime Environment (JRE) 21* and save it to your desktop.
Scroll down to where it says *JDK 6 Update 21 (JDK or JRE)*
Click the *Download JRE* button to the right
Select the *Windows* platform from the dropdown menu.
Read the License Agreement and then check the box that says: "_I agree to the Java SE Runtime Environment 6u21 with JavaFX 1 License Agreement_". Click on *Continue*. The page will refresh.
Click on the link to download *Windows Offline Installation* and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on *Add or Remove Programs* and remove all older versions of Java.
Check (_highlight_) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the *Remove* or *Change/Remove* button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on *jre-6u21-windows-i586-p.exe* to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the *Settings* button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - *Leave BOTH Checked*

*Applications and Applets*
*Trace and Log Files*

Click OK on Delete Temporary Files Window
*Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.*
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

*NEXT*

Clean up with *OTL:*

Double-click *OTL.exe* to start the program.
Close all other programs apart from OTL, as this step will require a reboot.
On the OTL main screen, press the *CLEANUP* button
Say *Yes* to the prompt and then allow the program to reboot your computer.

If any tools / logs remain on your desktop > right click and delete them

Let me know how the computer is running and if there are any outstanding issues.


----------



## jwcgator (Dec 17, 2005)

Java is all up to date and my computer is cleaned up and running great!

Thank you so much for your time and help, I really appreciate it.


----------



## CatByte (Feb 24, 2009)

you are welcome

stay safe

~CB


----------

