Folder/Window spam at Startup

[keyweez360]

Ok so whenever I start my computer and get to my main desktop screen, a TON of windows open up very quickly. Folders: Desktop, My Documents, Start Menu, Favorites, WINDOWS, and Incomplete all open up. In addition to these, I get about 12 other little windows that open up, all talking about something similar.

These little windows say --

Windows cannot open this file:
File: ntuser.dat_BAK_94409 (this number varies through all of them)

Apart from these BAK things, I also get two more windows with the same message as above, but different files. One asks for SI.bin while the other asks for ntuser.dat.

The HijackThis log is attached -- couldn't get the other log files to work.

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

I'm not sure this is malware doing this but the HijackThis log is odd to say the least.

You do need to uninstall one of the antivirus. Running two is never advised and just causes problems, including being less protected.

When did this start happening?

[keyweez360]

It started happening yesterday, within the past couple of days maybe. And I can see the folders identified as Startup by HijackThis, but trying to "fix" them does nothing -- as windows tells me they are too important to mess with when I try.

[evilfantasy]

Did you install anything around the time this started happening, and did you uninstall one of the antivirus?

[keyweez360]

All I had done in the few days before it started happening was mess with my audio drivers. I lost audio for some reason, so i uninstalled/reinstalled the drivers.

[evilfantasy]

How about trying do a system restore to before it happened?

Or do you have an XP CD?

[keyweez360]

You know, my system restore functionality has been broken for as long as I can remember. It will let me start the restoration, it does its thing, and the comp restarts, but when I get back to the desktop it says it could not restore the system.

And I might have an XP cd around here. It's a Dell, so it came on the machine, but I think I have the disc somewhere.

[evilfantasy]

Try Start > All Programs > Dell Accessories > Driver Reset Tool

[keyweez360]

Ran it, it said no problems found, so I reset. Still getting the windows at startup though. I should probably mention I was able to stop the BAK windows from showing up -- "fixed" them in HijackThis. Now its just ntuser.dat, Desktop, My Documents, Start Menu, Favorites, WINDOWS, and Incomplete.

[evilfantasy]

Try here for the unwanted files that are starting up.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

C:\Documents and Settings\your name/account\Start Menu\Programs\Startup

You will need to Set windows to show hidden extensions, file's, folder's. http://www.xtra.co.nz/help/0,,4155-1916458,00.html

[keyweez360]

The contents of those two folders (after showing hidden items) is

Adobe Gamma (Shortcut)
DESKTOP.INI
Microsoft Office (Shortcut)

[evilfantasy]

That not it then.

try C:\Documents and Settings\*username

[keyweez360]

Went through all the names under Documents and Settings startup, and they all just had DESKTOP.INI. One folder called "All Users.WINDOWS" had "Start Menu" inside of its startup folder, and "Programs" inside of that, and "SUPERAntiSpyware" inside of that.

[evilfantasy]

Download and run this. http://majorgeeks.com/StartUp_d4436.html

See if they show up in the startups.

[keyweez360]

Sidenote: I just want to say thanks for all of your help thus far. I really appreciate it. And it was hard to get a hold of someone who knew their stuff, so thanks. Trying that startup program now...

[keyweez360]

Ok so according to that start-up tool (enabled where "check" noted):

WMPNSCFG (check)
ctfmon.exe (check)
Windows Media Connect 2 (check)
AVG8_TRAY (check)
QuickTime Task (check)
SsAAD.exe
QuickTime Task (again, no check)
iTunesHelper
SoundMan
ccApp
Symantec NetDriver Monitor
WinampAgent
Lexmark X83 Button Manager
Lexmark X83 Button Monitor
PrinTray
Windows Defender
Remote Control
SunJavaUpdateSched

[evilfantasy]

Those are all legitimate.

Lets look closer at whats going on. This isn't malware I'm pretty sure but some of the tools we use may shed some light.

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

• Double click on RSIT.exe to run.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open.
• log.txt <will be maximized and info.txt <will be minimized
  
• Please post the contents of both logs in the next reply.

[keyweez360]

log and info are attached

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

I think this is where to look for them.

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
Start Menu

C:\Documents and Settings\Owner.ANTHONY
Application Data
Cookies
Desktop
Favorites
Local Settings
LuResult.txt
My Documents
NetHood
ntuser.dat
ntuser.dat.LOG
ntuser.ini
PrintHood
Recent
SendTo
Start Menu
Templates
UserData
WINDOWS

[keyweez360]

Wait what?

[evilfantasy]

The files are in the middle of the registry dump. They are loading from the registry for some reason.

I see you ran ComboFix, can you post that log also please. It is in C:\ComboFix.txt

[keyweez360]

Ok I'm gonna have to run it again -- didn't let it finish the first time. Will reply back (with log) when its done.

[evilfantasy]

OK. Did you uninstall Norton?

[evilfantasy]

After ComboFix is done.

Go to Add or Remove Programs and uninstall LiveUpdate 2.6 (Symantec Corporation)

----------

Download JavaRa

• Unzip the file and open the JavaRa.exe
• Click Remove Older Versions
  
• JavaRa will search for and remove any outdated version of Java and remove any that are found.
• Click Additional Tasks
  
• Place a check next to Remove Useless JRE Files and click Go
  
• Exit JavaRa
  
• Delete the JavaRa files from the Desktop

.
Run CCleaner.

[keyweez360]

Ran ComboFix and uninstalled LiveUpdate and everything else Norton AntiVirus related. the ComboFix log is attached.

[recovering disk space -- attachment deleted by admin]

[keyweez360]

Ran JavaRa. log attached.

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

I am nervous about deleting those files. Not sure what the consequences might be.

Do you have a flash drive or CD to put all of your important files on to like pictures or documents you don't want to loose?

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

File::
C:\WINDOWS\SYSTEM32\tmp.reg
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

[keyweez360]

Let me back up some stuff I have as you said, then i'll follow your other steps. Will post back with the log.

[evilfantasy]

You don't need to backup yet. I think you need to create another user account and put your important files on it then delete this one. Or we can delete the files that are starting up and see what happens. In case of disaster you will have a good account already set up to use.

[keyweez360]

Ok did what you said. log file attached

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

That didn't get it for some reason.

Go ahead and create the new account and backup your files. After that we will try to remove the startups.

[keyweez360]

You mean create a user on XP itself? I have another user account on here (Danny) so could I just backup my files on his desktop or something?

[evilfantasy]

Does the same thing happen when you log on to Danny?

[keyweez360]

Yes but I noticed it's to a much lesser degree. The only thing that pops up at startup on Danny is the "Start Menu" folder

[evilfantasy]

OK create the new user and see if it loads up correctly when you sign on.

How to create and configure user accounts in Windows XP

[keyweez360]

Created a new user called TestAccount and it behaved just like Danny -- folder "Start Menu" is the only thing that popped up at startup

[evilfantasy]

Lets try to repair your System Restore in case it's needed.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the text in the Quote box below to Notepad and save as fixme.reg to Your Desktop

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Type"=dword:00000002
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,73,00,72,00,2e,00,73,00,79,00,73,\
  00,00,00
"DisplayName"="System Restore Filter Driver"
"Group"="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000000
"DontBackup"=dword:00000000
"MachineGuid"="{EAAFAEEC-4AFE-42BE-83D9-C12FDD4942A6}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
"0"="Root\\LEGACY_SR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Accept any warnings.

----------

Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE.

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.
Restart the computer so the changes can take effect.


Any changes?

[keyweez360]

Did what you said. The only thing different is a new pop-up at startup. It's a notepad file called LuResult.txt and contains the text

Install Failed
16
The LiveUpdate install failed due to an internal error.

Which is weird, since I uninstalled LiveUpdate and all things Norton...But other than that, should I try to see if System Restore now works? I have a few system checkpoints from a few days before the problems arose.

[evilfantasy]

We will create a new Restore Point right now when we uninstall ComboFix.


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Now lets try to remove all of those folders/files that are opening.

Log on to the account that has everything bad loading up on it. (be sure you have moved your files to another account before doing this)

Download OTMoveIt2 by OldTimer

• Save it to your desktop.

.
Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

• Double-click OTMoveIt2.exe to run it.
  
• Copy the lines in the codebox below.

Code: [Select]

[kill explorer]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Start Menu
C:\Documents and Settings\Owner.ANTHONY\Application Data
C:\Documents and Settings\Owner.ANTHONY\Cookies
C:\Documents and Settings\Owner.ANTHONY\Desktop
C:\Documents and Settings\Owner.ANTHONY\Favorites
C:\Documents and Settings\Owner.ANTHONY\Local Settings
C:\Documents and Settings\Owner.ANTHONY\LuResult.txt
C:\Documents and Settings\Owner.ANTHONY\My Documents
C:\Documents and Settings\Owner.ANTHONY\NetHood
C:\Documents and Settings\Owner.ANTHONY\ntuser.dat
C:\Documents and Settings\Owner.ANTHONY\ntuser.dat.LOG
C:\Documents and Settings\Owner.ANTHONY\ntuser.ini
C:\Documents and Settings\Owner.ANTHONY\PrintHood
C:\Documents and Settings\Owner.ANTHONY\Recent
C:\Documents and Settings\Owner.ANTHONY\SendTo
C:\Documents and Settings\Owner.ANTHONY\Start Menu
C:\Documents and Settings\Owner.ANTHONY\Templates
C:\Documents and Settings\Owner.ANTHONY\UserData
C:\Documents and Settings\Owner.ANTHONY\WINDOWS
C:\WINDOWS\system32\tmp.txt
C:\WINDOWS\SYSTEM32\tmp.reg
EmptyTemp
[start explorer]

• Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste

• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) and paste it in your next reply.
  
• Close OTMoveIt2

.
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

[keyweez360]

Did what you said but forgot to grab the results for you before the computer restarted itself...

Anyways, on startup I still got the folders popping up. And a whole bunch of stuff is missing from my desktop/everywhere.

[evilfantasy]

Do a system restore to when you uninstalled combofix. I don't know what to think now.

I will do some googling but I'm out of ideas at this point.

[keyweez360]

Ok the system restore worked and most of the stuff is back, but My Documents and those other folders are now gone. There's nothing in My Pictures or any of that stuff

[keyweez360]

I just realized I skipped the part where you said to backup everything on another account.

Wow. Is there ANYTHING I can do to get it back?

[evilfantasy]

I mentioned it like 3 or 4 times...

I have a guide for file recovery here. Data Loss - Recovery & Prevention Might work.

[keyweez360]

Well, I think I'm SOL, which in turn means I'm dead. Apologies for being awful at following directions.

 

[evilfantasy]

Did you try any of the file recovery programs in the link?

[keyweez360]

Yes I'm trying Recuva and Undelete PLUS.

Recuva is Deep Scanning right now (30% complete) and Undelete PLUS found a ton of stuff, but none of it is my documents/pictures/music

[evilfantasy]

Maybe they will be found before the scan is complete. Hopefully.

[keyweez360]

OH SNAP!

I was just browsing in windows explorer and found that everything that was moved was backed up by the OTMoveIt program itself. It's all here in a folder called "MovedFiles"

[evilfantasy]

But does it restore your pictures?

[keyweez360]

Yeah man I got everything back, pictures, music, documents, the works. Let me tell you that was THE sigh of relief. I just had to manually place each file/folder back where it was originally, which was a pain, but at least it worked.

The startup problems remain, but for now I'll just live with it (I rarely reset/turn off my comp anyways). But I will be looking through Google, seeing what I can find.

And thanks again for all your help. I'll be around.

[evilfantasy]

Glad it worked. I didn't think that would restore your files (music, pics, etc) or I would have suggested it. I learned something new lol.

I'm off to bed now. I'll look more into it tomorrow. Let me know if you figure anything out.