View Full Version : Wdm_splitter



nately
2008-09-23, 15:41
Whenever I power up, Spybot gives the following message

"Spybot Search and Destroy has detected an important registry entry that has been changed.
Category: System Startup global entry
Change: Key deleted
Entry: WDM_SPLITTER0
Old data: rundll32.exe streamci.dll,StreamingDeviceSet"

I always deny the change and I then get the same message again but for WDM_SPLITTER1, which I also deny. I can find no information about WDM_SPLITTER. Does anyone know what this is?

md usa spybot fan
2008-09-23, 15:47
nately:

What version of Spybot - Search & Destroy are you running (Spybot » Help » About)?

nately
2008-09-23, 16:05
The message comes from Tea Timer version 1.6.0.30, System settings protector 1.6.2.23. The version of Spybot I have is 1.6.0.31.

md usa spybot fan
2008-09-23, 16:55
nately:

The entry that you posted is the deletion of a startup entry. I believe that you may be dealing with a "RunOnce" startup registry entry. "RunOnce" startup entries are executed before most other startup entries and normally are automatically deleted when the program they start completes. If in fact the entry that you are denying is a "RunOnce" registry entry, then denying the deletion of the entry would cause the program to execute each time you rebooted rather than just once as intended.

Please go into Spybot » Mode (menu) » Advanced Mode (answer yes to the warning message if necessary) » Tools » System Startup. Right click on the listing and select "Copy to Clipboard". Then paste (Ctrl+V) those results to a new post in this thread.

That listing should indicate if the startup entry is in the "RunOnce" registry key.

nately
2008-09-23, 17:02
This is it:-

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

Located: HK_LM:Run, Apoint
command: "C:\Program Files\Apoint2K\Apoint.exe"
file: C:\Program Files\Apoint2K\Apoint.exe
size: 159744
MD5: 45A55108FC51F9A54FDCF3B07A8A3AFC

Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1235736
MD5: B95536F0B568C4476A78966CFA7BA006

Located: HK_LM:Run, DU Meter
command: C:\Program Files\DU Meter\DUMeter.exe
file: C:\Program Files\DU Meter\DUMeter.exe
size: 1123328
MD5: BD49BE282E9F1CFF8B6D5F25BAFD36FA

Located: HK_LM:Run, ZoneAlarm Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 919016
MD5: 8800130156B0642B15ECB75E7CC7E6F1

Located: HK_LM:Run, Cpqset (DISABLED)
command: C:\Program Files\HPQ\Default Settings\cpqset.exe
file: C:\Program Files\HPQ\Default Settings\cpqset.exe
size: 233534
MD5: 27EDE9B7F4C2ABEFCECA90C1971FB8C7

Located: HK_LM:Run, Deskup (DISABLED)
command: "C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART
file: C:\Program Files\Iomega\DriveIcons\deskup.exe
size: 32768
MD5: 68EBC55F843BD47A2EB30FC95CFD55E5

Located: HK_LM:Run, DSLSTATEXE (DISABLED)
command: "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" icon
file: C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
size: 1658965
MD5: 642D1794FD0A1A15660A129303BDE42D

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 385024
MD5: F89DA660C511652EE511FE3AB2F04BFC

Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
file: C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
size: 75520
MD5: EDF5D27C6D244740418903626DF5741A

Located: HK_LM:Run, TkBellExe (DISABLED)
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 185896
MD5: 89D583FC41D48328128A974C25AFAEB7

Located: HK_CU:Run, Nokia.PCSync
where: .DEFAULT...
command: C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
file: C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
size: 1744896
MD5: 9BE8BA4D4EF5F5213684AF159BBC9C5C

Located: HK_CU:RunOnce, WUAppSetup
where: .DEFAULT...
command: C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08da -f video -m logitech -d 10.5.0.1091
file: C:\Program Files\Common Files\logishrd\WUApp32.exe
size: 435736
MD5: 91137B1C3726B13762D825990E699AAF

Located: HK_CU:Run, CTFMON.EXE (DISABLED)
where: .DEFAULT...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Picasa Media Detector (DISABLED)
where: .DEFAULT...
command: C:\Program Files\Picasa2\PicasaMediaDetector.exe
file: C:\Program Files\Picasa2\PicasaMediaDetector.exe
size: 443968
MD5: 429C00E25AFA42015311C092E49BFD07

Located: HK_CU:Run, ares
where: PE_C_ADMINISTRATOR...
command: "C:\Program Files\Ares\Ares.exe" -h
file: C:\Program Files\Ares\Ares.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: PE_C_ADMINISTRATOR...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, MSMSGS
where: PE_C_ADMINISTRATOR...
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1695232
MD5: 3E930C641079443D4DE036167A69CAA2

Located: HK_CU:Run, MsnMsgr
where: PE_C_ADMINISTRATOR...
command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
file: C:\Program Files\MSN Messenger\msnmsgr.exe
size: 5674352
MD5: C4281AD865739E71FD1E4DAC19A68D60

Located: HK_CU:Run, RecordNow!
where: PE_C_ADMINISTRATOR...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Skype
where: PE_C_ADMINISTRATOR...
command: "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
file: C:\Program Files\Skype\Phone\Skype.exe
size: 23237416
MD5: 8A2017375D2D3367B758610474546C04

Located: HK_CU:Run, swg
where: PE_C_ADMINISTRATOR...
command: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, updateMgr
where: PE_C_ADMINISTRATOR...
command: "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, WMPNSCFG
where: PE_C_ADMINISTRATOR...
command: C:\Program Files\Windows Media Player\WMPNSCFG.exe
file: C:\Program Files\Windows Media Player\WMPNSCFG.exe
size: 204288
MD5: 7EAED08CCCA4DDDE61A388C82598CFA9

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-3748536240-2378564684-1556971600-1007...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Google Update
where: S-1-5-21-3748536240-2378564684-1556971600-1007...
command: "C:\Documents and Settings\ray halligan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
file: C:\Documents and Settings\ray halligan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
size: 133104
MD5: 626A24ED1228580B9518C01930936DF9

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-3748536240-2378564684-1556971600-1007...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1832272
MD5: FFB5BAC9C29303904365640A2E2A6D0C

Located: HK_CU:Run, WMPNSCFG
where: S-1-5-21-3748536240-2378564684-1556971600-1007...
command: C:\Program Files\Windows Media Player\WMPNSCFG.exe
file: C:\Program Files\Windows Media Player\WMPNSCFG.exe
size: 204288
MD5: 7EAED08CCCA4DDDE61A388C82598CFA9

Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: S-1-5-21-3748536240-2378564684-1556971600-1007...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, WMPNSCFG (DISABLED)
where: S-1-5-21-3748536240-2378564684-1556971600-1007...
command: C:\Program Files\Windows Media Player\WMPNSCFG.exe
file: C:\Program Files\Windows Media Player\WMPNSCFG.exe
size: 204288
MD5: 7EAED08CCCA4DDDE61A388C82598CFA9

Located: HK_CU:Run, Nokia.PCSync
where: S-1-5-18...
command: C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
file: C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
size: 1744896
MD5: 9BE8BA4D4EF5F5213684AF159BBC9C5C

Located: HK_CU:RunOnce, WUAppSetup
where: S-1-5-18...
command: C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08da -f video -m logitech -d 10.5.0.1091
file: C:\Program Files\Common Files\logishrd\WUApp32.exe
size: 435736
MD5: 91137B1C3726B13762D825990E699AAF

Located: HK_CU:Run, CTFMON.EXE (DISABLED)
where: S-1-5-18...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Picasa Media Detector (DISABLED)
where: S-1-5-18...
command: C:\Program Files\Picasa2\PicasaMediaDetector.exe
file: C:\Program Files\Picasa2\PicasaMediaDetector.exe
size: 443968
MD5: 429C00E25AFA42015311C092E49BFD07

Located: Startup (disabled), Adobe Reader Speed Launch (DISABLED)
command: C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE
file: C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (disabled), HP Digital Imaging Monitor (DISABLED)
command: C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqtra08.exe
file: C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqtra08.exe
size: 258048
MD5: C519CEC624CF9BCBA3059F32266C8FFF

Located: Startup (disabled), HP Image Zone Fast Start (DISABLED)
command: C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqthb08.exe -s
file: C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqthb08.exe
size: 53248
MD5: 8C53463A3E28454D74F48BF87A9CF7BA

Located: Startup (disabled), Microsoft Office (DISABLED)
command: C:\PROGRA~1\MICROS~3\Office\OSA9.EXE -b -l
file: C:\PROGRA~1\MICROS~3\Office\OSA9.EXE
size: 65588
MD5: F51F9E10D937A8EDD58D2D456FF49468

Located: Startup (disabled), Picture Package Menu (DISABLED)
command: C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~3\SonyTray.exe
file: C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~3\SonyTray.exe
size: 151552
MD5: F15FCBB20FE82674F48A60A37E5BA45A

Located: Startup (disabled), Picture Package VCD Maker (DISABLED)
command: C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~1\RESIDE~1.EXE -h
file: C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~1\RESIDE~1.EXE
size: 106496
MD5: CD7DB8BF7F82F78E89E0AC0F58DCB3B0

Located: Startup (disabled), TunesUp20 (DISABLED)
command: C:\Program Files\HLT\TunesUp20\TunesUp20.exe
file: C:\Program Files\HLT\TunesUp20\TunesUp20.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (disabled), Microsoft Outlook (DISABLED)
command: C:\WINDOWS\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
file: C:\WINDOWS\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
size: 104960
MD5: DA5A1242C2B4F60E1C51D7F684DB5283

Located: Startup (disabled), OpenOffice.org 2.3 (DISABLED)
command: C:\PROGRA~1\OPENOF~1.3\program\QUICKS~1.EXE
file: C:\PROGRA~1\OPENOF~1.3\program\QUICKS~1.EXE
size: 393216
MD5: 01F7BA16BC60D65149FA36F355319171

Located: Startup (disabled), VoiceCentre (DISABLED)
command: C:\ViaVoice\bin\SPEECH~1.EXE -L En_UK
file: C:\ViaVoice\bin\SPEECH~1.EXE
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WRNotifier
command: WRLogonNTF.dll
file: WRLogonNTF.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

md usa spybot fan
2008-09-23, 19:46
nately:

I don't see any startup entries named WDM_SPLITTERx or referencing the program rundll32.exe. I'm sorry, but I don't quite understand why an entry that does not exist is being deleted when you reboot.
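
The check made in the reply above (looking through the pasted listing for WDM_SPLITTERx names, rundll32.exe commands and RunOnce locations) can be scripted. This is an added example, not part of the original thread or of Spybot; the function names are hypothetical and the sample is an excerpt of the listing posted above.

```python
import re

# Excerpt copied from the startup listing posted in this thread.
SAMPLE = r"""
Located: HK_LM:Run, Apoint
command: "C:\Program Files\Apoint2K\Apoint.exe"
file: C:\Program Files\Apoint2K\Apoint.exe
size: 159744
MD5: 45A55108FC51F9A54FDCF3B07A8A3AFC

Located: HK_CU:RunOnce, WUAppSetup
where: S-1-5-18...
command: C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08da -f video -m logitech -d 10.5.0.1091
file: C:\Program Files\Common Files\logishrd\WUApp32.exe
size: 435736
MD5: 91137B1C3726B13762D825990E699AAF

Located: HK_CU:Run, ares
where: PE_C_ADMINISTRATOR...
command: "C:\Program Files\Ares\Ares.exe" -h
file: C:\Program Files\Ares\Ares.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
"""

EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"  # MD5 of zero bytes of input
FIELDS = ("where", "command", "file", "size", "MD5")
HEADER = re.compile(r"Located: (.+?), (.+?)( \(DISABLED\))?$")

def parse_listing(text):
    """Turn the 'Located: ...' blocks into one dict per startup entry."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"location": m.group(1), "name": m.group(2),
                            "disabled": bool(m.group(3))})
            continue
        key, sep, value = line.partition(":")
        if entries and sep and key in FIELDS:
            entries[-1][key.lower()] = value.strip()
    return entries

def find_entries(entries, name_prefix, image):
    """Entries whose name starts with name_prefix or whose command mentions image."""
    return [e["name"] for e in entries
            if e["name"].upper().startswith(name_prefix.upper())
            or image.lower() in e.get("command", "").lower()]

def run_once_entries(entries):
    """Names of entries stored under a RunOnce key."""
    return [e["name"] for e in entries if e["location"].endswith("RunOnce")]

def unhashed_entries(entries):
    """Size 0 plus the empty-input MD5: the file was not read, so the hash identifies nothing."""
    return [e["name"] for e in entries
            if e.get("size") == "0" and e.get("md5") == EMPTY_MD5]
```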

nately
2008-09-23, 19:57
Thanks for your help anyway. I'll continue to deny the change until I'm sure I know what it's trying to do.
By the way, I was unaware that the Startup facility existed in Spybot and I was surprised to see some of the entries set to start. I try to keep these down to an absolute minimum using a number of tools such as msconfig, Ashampoo Startup Tuner, Autoruns etc. There are various entries that I thought I had deleted from startup. I'll now experiment with unchecking a number of the boxes on the Startup facility within Spybot.
Thanks again.