Mysterious RunOnce Startup Registries

[Sunrise12]

Something strange thing happened to my computer today, and I am hoping for feedback from techies here.

WinPatrol alerted me of new RunOnce Startup items and then my computer froze. I was offline when this happened and do not use that computer to go online for surfing or anything.

I was able to get back into my computer but unable to delete the "hidden" registry files that were still appearing in WinPatrol.

I tried to log in as the admin -- still offline -- and the screen was frozen and black; no luck.

But I was able to log in with another account and discovered that the mysterious registries were gone. When I logged in again under my usual account, WinPatrol even alerted me that they were gone.

My security programs did not find anything suspicious. Everything appears to be fine.

I found the following snippet on patchmanagement.org that matched my situation:

The RunOnce registry key is getting populated with the following content on some computers:

MSPCLOCK=rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
MSPQM=rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
MSKSSRV=rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196}
MSTEE.CxTransform=rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install
MSTEE.Splitter=rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install
WDM_DRMKAUD=rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e2-A632-4438B90C6641},{FFBB6E3F-CCFE-4D84-90D9-421418B03A8E},C:\Windows\inf\WDMAUDIO.inf,WDM_DRMKAUD.Interface.Install

 

[maxie]

Some Information about it in the Link below ...

Ccdecode - rundll32.exe streamci, StreamingDeviceSetup - Program Information

 

[Sunrise12]

Okay, thanks. But why would all of that suddenly populate like that and crash my computer?

When it happened, I was testing a basic web page locally in Firefox while offline but that should not have caused any issues. Perhaps something in Firefox triggered the problem.

The closest thing that I found on Google was here but (that does not really clarify it for me):

http://permalink.gmane.org/gmane.comp.security.patch-managment/2659

I do not use Gmane, which I guess is a program or OS, unless I am missing something and it is a kernel or something that is used in Windows 7.

Should I move on and hope it never happens again or get other software to evaluate whether something bad happened?

 

[maxie]

Do you use any other Security Software ? ....

 

[Sunrise12]

I am trying not to panic and assume it was some kind of malware (that was not picked up my antivirus software).

I found an article that makes me feel a little about it on a forum at thewindowsclub.com that claimed it is related to a MS security patch from October 2008. It described the exact same issue that I ran into with the WinPatrol alerts.

Not sure why it suddenly was triggered again in November 2014.

 

[maxie]

See if Malwarebytes finds any thing ... There is not much Information about the issue on the Web ... There is a couple of Members here that use WinPatrol do not think they have has any issues though ..

 

[Sunrise12]

I used to use Malwarebytes and have an old version of it and should update it and use it again. That is a good suggestion and would not hurt.

I did not like how I have to give Malwarebytes permission to run with my Admin account every time I want to use it. The other programs never ask me to do that. (Other than that, I liked it.)

 

[maxie]

Yes i have that issue also ... Have not had any Problems with the new Version of Malwarebytes either ...

 

[Layback Bear]

Some times this helps.

Right tick on program.
Select Properties/Advanced and you will see a box for Run as Administrator.
Some time when you install a program it will give a option for all users.

 

[Tookeri]

I don't remember but maybe it's different with the old Malwarebytes version, and the free new version, but I never get UAC prompts with the latest premium version. mbam.exe starts automatically at startup with Integrity = High, and not Medium like most other programs.

 

[Layback Bear]

I don't have that problem with Malwarebytes either but some might for what ever reason.
That is why I gave other things one may try.

 

[Sunrise12]

I have not tried it in a long time and should install the newest version and run it.

 

[Layback Bear]

I running version 2.0.3.1025 on three systems and they are working as they should.

 

[Sunrise12]

I ran Malwarebytes and it did not find anything suspicious.

 

[maxie]

That would seem to be good news ...

 

[Layback Bear]

Because you found this on the internet about someone else computer means absolutely nothing. Every computer is different and different circumstances.

You can find millions of such things on the internet about someone else computer.
We need to make sure you are clean.

Did you run Malwarebytes and have rootkit selected?
If not I would suggest doing so. The scan does take some time.

I would also recommend going into msconfig/Start and Services (non Microsoft services) and see if you have programs that might be scanning or updating on boot.

If you need instructions how to do these things just ask.
We have many members that can give guidance.

 

[Sunrise12]

Yes, I know how to view the services to view the Startup programs.

I can also view them from WinPatrol that shows me Startup programs and Delayed Start programs and Hidden Files as well as services, etc.

There are some non-MS programs in the list but they do not look suspicious.

I ran Malwarebytes with the rootkit scan and it was clean.

I also ran AVG and and SuperAntiSpyware and the results were clean with them too.

I think something quirky happened that might have been triggered by one of my actions. So, I am betting -- and hoping -- that it is nothing to worry about.

 

[Layback Bear]

After running all those security scans I agree that your system is clean.
I haven't used WinPatrol in so many years I can't remember what all the program does.

You are happy with your system that's all that counts.
If you have anymore problems we are open 24-7-365
Happy computing.

 

[Sunrise12]

Thanks! : )