Strange Letters under startup system config

[ArtG818]

Does anyone know what these letters mean or where in the world did they come from?
At first i thought it was a virus but i did a virus scan via avast and it found absolutely nothing. Btw i re installed windows couple of days ago.
Thanks

[/URL] Uploaded with ImageShack.us[/IMG]

 

[Night Hawk]

Looks like some type of downloaded item seen as a result of media playback and retrieving content from the web. The options for WMP allow you to uncheck the automatically retrieve item to prevent download of jpeg image for album covers, etc.

You'll notice the ArtG818 folder name under "C:\users\" was created for WMP. Disabling that item checking off the box there and disabling the automatic download option in WMP should clear that up for you.

 

[Slartybart]

The garbled name and mfr are often associated with malware - character sets don't always translate well.

It isn't ticked now, but it must have been enabled at some time.

Run a full scan with Malwarebytes

What AV do you use? Make sure it's up to date, running real-time and scheduled to scan. Check for any exlcusions - normally none.

 

[Night Hawk]

That can't be ruled out especially seeing the "WMPlayerd.exe" file under the user account instead of simply finding wmplayer.exe in the "C:\Program Files(x86)\Windows Media Player folder where it belongs. The only thing found as far as any malware however is a worm that substitutes itself for the original exe file not the one seen under users. wmplayer.exe (Agobot-Bm Worm) – Details

When you did the clean install of Windows was that before or after you ran the scan with Avast? If you were hit by a bug and were seeing the usual problems and decided to perform a clean install it seems like you were unaware of why you were having them beforehand and now should be able to manually delete that particular item. Once removed you can then use the MSConfig Cleanup Utility. to see that item removed from the list of startup items. MsConfig_Cleanup_Utility

 

[F5ing]

Looks like it may be malware to me as well (manufacturer's name shouldn't get discombobulated like that either).

I'd try uploading to VirusTotal for a quick check: https://www.virustotal.com/

 

[Night Hawk]

The "wmplayerd" noting the D part would seem to make that look supicious. But there are some other things to know as well.

Finding Windows Media Player folder under the users folder isn't unusual if you had elected to install the older version of WMP like 9 for example. That would be seen as it is there under "C:\users\ArtG818\Windows Media Player\" and not something else like "C:\users\users\Windows Media Player" as one source outlined the Fake Windows Media Player virus back in 2011.

For getting some web protection on since Avast isn't cutting it however you can start off with the WOT(Web Of Trust) free addon for IE, FireFox, and other browsers is another item that offers privacy ratings on sites when running a search. That won't be an additional toolbar however but an icon seen on the upper right corner of the browser window.

 

[Slartybart]

Nighthawk: I also found this on SpywareRemove

The WMPlayerd.exe file is installed and associated with Worm:Win32/Rebhip.A. This entry has been reported 9 times.
​

It, whatever it is, doesn't seem to be very prevalent. The search results for wmplayerd was only a few items.

I normally don't depend on any "spyware" sites as they tend to be fluff, marketing, or are as bad as malware. Information is fine. The major vendors are the best sources for protection and removal.

I agree that the file should be removed isolated (rename wmplayerd.exe wmplayerd_X.ex0 in a command prompt), but unless the bug is squashed, the file and startup item might return ("Spoc you state the obvious!")

Follow F5ing's advice and or get and run WDO. Once you know your system is free of bugs, you can sleep better.

Bill
.

 

[Night Hawk]

That was one reason for wanting to research the alterred file name before shouting any bug alert initially to see just what was going on there. The presence of this particular media player with the D added into the wmplayer.exe name would have to determined as a downloaded "bug in disguise" as many are shows the system was infected when going to download the fake player.

Just like many scam wares the initial user interaction is required before the snare is reveiled. When you click on the wrong link and get slammed with something you then know it was just that a snare of some type. This type of worm is more of a bombshell rather then the self replicating I-Worm type however where only one Windows install ends up being trashed.

This is why I was waiting to ask ArtG818 if he remembered going for any media players before or after the reinstall or repair of Windows since if this was before that the Upgrade to Repair would be what kept the entry in the msconfig over a totally fresh install with a new registry and no bug to report except for it being left sitting on the drive idle.

Removing it as well as seeing a different level of protection put on the system would be the move now. If he wants ArtG818 can dump Avast and try out the 30 day trial of VIPRE Internet Security 2013 which includes web filtering to avoid the type of sites this bug came from as part of the active firewall protection. Free Antivirus Trial and Antivirus Download | VIPRE Antivirus

Alll you do there is provide the email address to receive the 30 day key to run the full version which will remove all sorts of bugs even any hidden inside zip and rar files on any second storage drive. It runs in the background with any scheduled scans and you won't even notive it on.

 

[F5ing]

When I posted yesterday I neglected to include what I had found on SpywareRemove.com. Guess I could've at least mentioned it, but it's a site I've not really developed any trust for. As Slartybart mentions the info provided can be useful even if you know or suspect the site to be somewhat shady, but typically I'll try to confirm its validity against other sources. In this case I could find no other info about that filename.

Even so, I think it's best to consider it as malware until you can confirm otherwise. That requires some action on your part. To start with you can follow the advice already posted and report your findings here in this thread.

 

[Slartybart]

ArtG818, Nighthawk & F5ing:

I guess I should throttle back the information I post, especially re: viruses or suspected viruses. I try to qualify the information, but people with less computer experience might not understand. As you said, F5ing, try to confirm with other sources.

Anyway, I'm sorry if I put you in panic mode Art. I think everyone posting here is saying "It might be a bug, or it might not be a bug" Hawk gives some good advice, as does F5.

I'll make this promise.
If I think it's a dangerous bug, I'll speak up with something like

The sky is falling, the sky is falling​

no wait.... that won't work, that was a false alarm in the story.​

You can use cCleaner to remove that entry from your startup list. This won't rename or remove the odd file from your Appdata\Roaming\Windows Media Player\ folder. It only removes the name of the item from the Startup list.​

You should still take action on the file. Does WMPlayerd.exe still exist?
.​

 

[Night Hawk]

The MSConfig Cleanup Utility can easily take care of the entry itself. The question now however is when was this noticed since the mention of "reinstalled Windows a few days ago" was mentioned right off. The only way that would be added in following any reinstall would be from using the Upgrade to Repair install method where everything in the present installation is preserved.

The one absolute guaranty of erasing all traces of this as well as anything else a good sweep could find would be nuking the entire drive to see a full clean install of everything from scratch. That even goes as far as deletion of the C primary and creating a brand new one to replace it. Nothing left after full cleaning!

I think we can all agree the information on that variation of the "wmplayer.exe" file name is limited but is most likely the stray variant of a worm where someone simply added the one lettter so it would go right on without a clash and prompt to overwrite the genuine file. No red flags or prompting dups the pc owner until it is too late and the virus has done it's job!

The best possible move now besides a total wipe would be booting up in safe mode or from a live disk in order to manually remove the bug file if necessary to be followed by a full sweep of the drive(s) on the system. If the bug got on before the reinstall or repair and not afterwards since it was not found active the sweep should be enough once the file and even folder there is gone entirely.

If you have any doubts about which program to use try out a few since often it takes more then one to find something another misses!

 

[F5ing]

Good post Night Hawk!

The one absolute guaranty of erasing all traces of this as well as anything else a good sweep could find would be nuking the entire drive to see a full clean install of everything from scratch. That even goes as far as deletion of the C primary and creating a brand new one to replace it. Nothing left after full cleaning!

Yeah, at a minimum the first MB should be wiped before the install, clearing out the old MBR and the hidden area behind it. That would clear out all references (definitions/pointers) to any other data that may be elsewhere on the disk (including any partitions that were there).

The best possible move now besides a total wipe would be booting up in safe mode or from a live disk in order to manually remove the bug file if necessary to be followed by a full sweep of the drive(s) on the system. If the bug got on before the reinstall or repair and not afterwards since it was not found active the sweep should be enough once the file and even folder there is gone entirely.

If you have any doubts about which program to use try out a few since often it takes more then one to find something another misses!

If a true clean install is out of the question then at a minimum I would probably run a few offline scans (alternate bootable media via CD/DVD/USB), and a few online scans, all from different vendors. Anything found, remove it and start over.

 

[Slartybart]

Art, are you still there? The consensus here seems to be: Scan you system with a few malware tools. Malwarebytes, Windows Dfender Ofline (WDO), ESET online scanner are all well regarded. Run one at a time, your choice how many.

Also beef up your real-time Malware protection and ensure defs are up-to-date.

I'd still like to know if WMplayerd.exe is even on your system.

Bill
.

 

[Night Hawk]

I think we all in agreement that ArtG818 will need to reply in order to see how far he has gone since the thread was started.

It's never any fun finding out you have to wipe everything in order to start over fresh if the last resort is found to be needed. But some more info on when this was first seen before or after what type of Windows reinstall is needed here.

As far as the entry in the msconfig itself the cleanup utility was designed specifically for removing invalid msconfig entries once a program or in this case a bug is no longer present while the unwanted startup item is still seen. That part is a quick fix.

The rest will be the decision on how to proceed as far as clean up or totally nuking the works to start fresh from scratch. Been there enough times lately to remove malwares other people managed to acquire.