Computer Hope

Software => Computer viruses and spyware => Topic started by: keyweez360 on September 12, 2008, 07:51:12 PM

Title: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 07:51:12 PM
Ok so whenever I start my computer and get to my main desktop screen, a TON of windows open up very quickly. Folders: Desktop, My Documents, Start Menu, Favorites, WINDOWS, and Incomplete all open up. In addition to these, I get about 12 other little windows that open up, all talking about something similar.

These little windows say --

Windows cannot open this file:
File: ntuser.dat_BAK_94409 (this number varies through all of them)

Apart from these BAK things, I also get two more windows with the same message as above, but different files. One asks for SI.bin while the other asks for ntuser.dat.

The HijackThis log is attached -- couldn't get the other log files to work.

[recovering disk space -- attachment deleted by admin]
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 08:49:03 PM
I'm not sure this is malware doing this, but the HijackThis log is odd, to say the least.

You do need to uninstall one of the antivirus programs. Running two is never advised and just causes problems, including being less protected.

When did this start happening?
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 09:41:01 PM
It started happening yesterday, within the past couple of days maybe. And I can see the folders identified as Startup by HijackThis, but trying to "fix" them does nothing -- as Windows tells me they are too important to mess with when I try.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 09:43:11 PM
Did you install anything around the time this started happening, and did you uninstall one of the antivirus programs?
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 09:48:34 PM
All I had done in the few days before it started happening was mess with my audio drivers. I lost audio for some reason, so I uninstalled/reinstalled the drivers.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 09:53:23 PM
How about trying to do a System Restore to before it happened?

Or do you have an XP CD?
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 09:55:40 PM
You know, my system restore functionality has been broken for as long as I can remember. It will let me start the restoration, it does its thing, and the comp restarts, but when I get back to the desktop it says it could not restore the system.

And I might have an XP CD around here. It's a Dell, so it came on the machine, but I think I have the disc somewhere.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 09:57:11 PM
Try Start > All Programs > Dell Accessories > Driver Reset Tool
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 10:11:07 PM
Ran it, it said no problems found, so I reset. Still getting the windows at startup though. I should probably mention I was able to stop the BAK windows from showing up -- "fixed" them in HijackThis. Now it's just ntuser.dat, Desktop, My Documents, Start Menu, Favorites, WINDOWS, and Incomplete.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 10:23:20 PM
Try here for the unwanted files that are starting up.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

C:\Documents and Settings\your name/account\Start Menu\Programs\Startup

You will need to set Windows to show hidden extensions, files, and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 10:28:21 PM
The contents of those two folders (after showing hidden items) are:

Adobe Gamma (Shortcut)
DESKTOP.INI
Microsoft Office (Shortcut)
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 10:31:25 PM
That's not it then.

Try C:\Documents and Settings\*username
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 10:38:27 PM
Went through all the names under Documents and Settings startup, and they all just had DESKTOP.INI. One folder called "All Users.WINDOWS" had "Start Menu" inside of its startup folder, and "Programs" inside of that, and "SUPERAntiSpyware" inside of that.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 10:43:38 PM
Download and run this. http://majorgeeks.com/StartUp_d4436.html

See if they show up in the startups.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 10:45:35 PM
Sidenote: I just want to say thanks for all of your help thus far. I really appreciate it. And it was hard to get a hold of someone who knew their stuff, so thanks. Trying that startup program now...
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 10:53:23 PM
Ok so according to that start-up tool (enabled where "check" noted):

WMPNSCFG (check)
ctfmon.exe (check)
Windows Media Connect 2 (check)
AVG8_TRAY (check)
QuickTime Task (check)
SsAAD.exe
QuickTime Task (again, no check)
iTunesHelper
SoundMan
ccApp
Symantec NetDriver Monitor
WinampAgent
Lexmark X83 Button Manager
Lexmark X83 Button Monitor
PrinTray
Windows Defender
Remote Control
SunJavaUpdateSched

Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 10:58:45 PM
Those are all legitimate.

Let's look closer at what's going on. This isn't malware, I'm pretty sure, but some of the tools we use may shed some light.

Download random's system information tool (RSIT) (http://images.malwareremoval.com/random/RSIT.exe) by random/random and save it to your Desktop.

Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 11:03:05 PM
Log and info are attached.

[recovering disk space -- attachment deleted by admin]
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 11:11:22 PM
I think this is where to look for them.

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
Start Menu

C:\Documents and Settings\Owner.ANTHONY
Application Data
Cookies
Desktop
Favorites
Local Settings
LuResult.txt
My Documents
NetHood
ntuser.dat
ntuser.dat.LOG
ntuser.ini
PrintHood
Recent
SendTo
Start Menu
Templates
UserData
WINDOWS
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 11:15:39 PM
Wait what?
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 11:19:34 PM
The files are in the middle of the registry dump. They are loading from the registry for some reason.

I see you ran ComboFix, can you post that log also, please? It is in C:\ComboFix.txt
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 11:23:19 PM
Ok I'm gonna have to run it again -- didn't let it finish the first time. Will reply back (with log) when it's done.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 11:24:33 PM
OK. Did you uninstall Norton?
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 11:28:22 PM
After ComboFix is done.

Go to Add or Remove Programs and uninstall LiveUpdate 2.6 (Symantec Corporation)

----------

Download JavaRa (http://www.majorgeeks.com/JavaRa_d5967.html)
Run CCleaner.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 11:39:22 PM
Ran ComboFix and uninstalled LiveUpdate and everything else Norton AntiVirus related. The ComboFix log is attached.

[recovering disk space -- attachment deleted by admin]
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 11:42:46 PM
Ran JavaRa. Log attached.

[recovering disk space -- attachment deleted by admin]
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 12, 2008, 11:53:34 PM
I am nervous about deleting those files. Not sure what the consequences might be.

Do you have a flash drive or CD to put all of your important files on to, like pictures or documents you don't want to lose?

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\WINDOWS\SYSTEM32\tmp.reg

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 12, 2008, 11:59:13 PM
Let me back up some stuff I have as you said, then I'll follow your other steps. Will post back with the log.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 12:06:55 AM
You don't need to back up yet. I think you need to create another user account and put your important files on it, then delete this one. Or we can delete the files that are starting up and see what happens. In case of disaster you will have a good account already set up to use.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 12:13:43 AM
Ok did what you said. Log file attached.

[recovering disk space -- attachment deleted by admin]
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 12:16:27 AM
That didn't get it for some reason.

Go ahead and create the new account and back up your files. After that we will try to remove the startups.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 12:18:10 AM
You mean create a user on XP itself? I have another user account on here (Danny) so could I just backup my files on his desktop or something?
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 12:21:59 AM
Does the same thing happen when you log on to Danny?
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 12:26:38 AM
Yes, but I noticed it's to a much lesser degree. The only thing that pops up at startup on Danny is the "Start Menu" folder.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 12:28:54 AM
OK create the new user and see if it loads up correctly when you sign on.

How to create and configure user accounts in Windows XP (http://support.microsoft.com/kb/279783)
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 12:41:34 AM
Created a new user called TestAccount and it behaved just like Danny -- folder "Start Menu" is the only thing that popped up at startup.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 12:57:26 AM
Let's try to repair your System Restore in case it's needed.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the text in the Quote box below to Notepad and save as fixme.reg to Your Desktop

Quote
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Type"=dword:00000002
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,73,00,72,00,2e,00,73,00,79,00,73,\
  00,00,00
"DisplayName"="System Restore Filter Driver"
"Group"="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000000
"DontBackup"=dword:00000000
"MachineGuid"="{EAAFAEEC-4AFE-42BE-83D9-C12FDD4942A6}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
"0"="Root\\LEGACY_SR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Accept any warnings.

----------

Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE (http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe).

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.
Restart the computer so the changes can take effect.


Any changes?
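Before merging a .reg file like fixme.reg above, it is worth knowing exactly what it writes. The following is an added example (not from the thread, and not part of any tool mentioned in it): a small parser for the Windows Registry Editor 5.00 format that decodes dword, string and hex(2) (REG_EXPAND_SZ, UTF-16LE) values and lists the keys the file deletes. SAMPLE_REG is a constructed excerpt of fixme.reg; it shows that the ImagePath blob is just System32\DRIVERS\sr.sys, and that the SystemRestore policy key is first given values and then removed.

```python
import re

# Constructed excerpt of the fixme.reg above; bare "hex:" values decode to bytes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000
"DisableSR"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Start"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,73,00,72,00,2e,00,73,00,79,00,73,\
  00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
"0"="Root\\LEGACY_SR\\0000"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
'''

def _decode_value(raw):
    """Return (type name, decoded value) for the right-hand side of a value line."""
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: .reg escapes backslash and double quote with a backslash.
        return 'REG_SZ', raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if raw.startswith('dword:'):
        return 'REG_DWORD', int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        kind = int(m.group(1) or 3)  # bare "hex:" means REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        if kind == 2:  # REG_EXPAND_SZ: UTF-16LE text with a trailing NUL
            return 'REG_EXPAND_SZ', data.decode('utf-16-le').rstrip('\x00')
        return ('REG_BINARY' if kind == 3 else 'hex(%d)' % kind), data
    raise ValueError('unsupported value syntax: ' + raw)

def parse_reg(text):
    """Return (set_values, deleted_keys). Backslash-continued hex lines are joined first."""
    set_values, deleted_keys, current = {}, [], None
    for line in re.sub(r'\\\r?\n\s*', '', text).splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[-') and line.endswith(']'):
            deleted_keys.append(line[2:-1])
            current = None
        elif line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            set_values.setdefault(current, {})
        elif current is not None:
            name, _, raw = line.partition('=')
            set_values[current][name.strip('"')] = _decode_value(raw)
    return set_values, deleted_keys

def describe(text):
    """List what importing the file sets, then the keys it deletes."""
    set_values, deleted_keys = parse_reg(text)
    report = ['SET    %s\\%s = %s %r' % (key, name, kind, value)
              for key, values in set_values.items()
              for name, (kind, value) in values.items()]
    for key in deleted_keys:
        note = ' (this file also sets values under it)' if key in set_values else ''
        report.append('DELETE %s%s' % (key, note))
    return report
```

Run describe() on the full fixme.reg text to review every write and delete before answering Yes to the merge prompt.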
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 01:11:23 AM
Did what you said. The only thing different is a new pop-up at startup. It's a notepad file called LuResult.txt and contains the text

Quote
Install Failed
16
The LiveUpdate install failed due to an internal error.

Which is weird, since I uninstalled LiveUpdate and all things Norton... But other than that, should I try to see if System Restore now works? I have a few system checkpoints from a few days before the problems arose.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 01:17:32 AM
(http://i154.photobucket.com/albums/s258/evilfantasy69/combofixu-1.jpg)

----------

Now let's try to remove all of those folders/files that are opening.

Log on to the account that has everything bad loading up on it. (be sure you have moved your files to another account before doing this)

Download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe)
Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

Code:
[kill explorer]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Start Menu
C:\Documents and Settings\Owner.ANTHONY\Application Data
C:\Documents and Settings\Owner.ANTHONY\Cookies
C:\Documents and Settings\Owner.ANTHONY\Desktop
C:\Documents and Settings\Owner.ANTHONY\Favorites
C:\Documents and Settings\Owner.ANTHONY\Local Settings
C:\Documents and Settings\Owner.ANTHONY\LuResult.txt
C:\Documents and Settings\Owner.ANTHONY\My Documents
C:\Documents and Settings\Owner.ANTHONY\NetHood
C:\Documents and Settings\Owner.ANTHONY\ntuser.dat
C:\Documents and Settings\Owner.ANTHONY\ntuser.dat.LOG
C:\Documents and Settings\Owner.ANTHONY\ntuser.ini
C:\Documents and Settings\Owner.ANTHONY\PrintHood
C:\Documents and Settings\Owner.ANTHONY\Recent
C:\Documents and Settings\Owner.ANTHONY\SendTo
C:\Documents and Settings\Owner.ANTHONY\Start Menu
C:\Documents and Settings\Owner.ANTHONY\Templates
C:\Documents and Settings\Owner.ANTHONY\UserData
C:\Documents and Settings\Owner.ANTHONY\WINDOWS
C:\WINDOWS\system32\tmp.txt
C:\WINDOWS\SYSTEM32\tmp.reg
EmptyTemp
[start explorer]
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 01:41:58 AM
Did what you said but forgot to grab the results for you before the computer restarted itself...

Anyways, on startup I still got the folders popping up. And a whole bunch of stuff is missing from my desktop/everywhere.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 01:45:18 AM
Do a System Restore to when you uninstalled ComboFix. I don't know what to think now.

I will do some googling but I'm out of ideas at this point.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 02:00:15 AM
Ok the System Restore worked and most of the stuff is back, but My Documents and those other folders are now gone. There's nothing in My Pictures or any of that stuff.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 02:07:07 AM
I just realized I skipped the part where you said to backup everything on another account.

Wow. Is there ANYTHING I can do to get it back?
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 02:13:03 AM
I mentioned it like 3 or 4 times...

I have a guide for file recovery here: Data Loss - Recovery & Prevention (http://www.techsupportteam.org/forum/tutorials/1318-data-loss-recovery-prevention.html). Might work.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 02:23:21 AM
Well, I think I'm SOL, which in turn means I'm dead. Apologies for being awful at following directions.

 :-\
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 02:51:29 AM
Did you try any of the file recovery programs in the link?
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 03:01:32 AM
Yes I'm trying Recuva and Undelete PLUS.

Recuva is deep scanning right now (30% complete) and Undelete PLUS found a ton of stuff, but none of it is my documents/pictures/music.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 03:08:24 AM
Maybe they will be found before the scan is complete. Hopefully.
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 03:17:36 AM
OH SNAP!

I was just browsing in windows explorer and found that everything that was moved was backed up by the OTMoveIt program itself. It's all here in a folder called "MovedFiles"
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 05:19:50 AM
But does it restore your pictures?
Title: Re: Folder/Window spam at Startup
Post by: keyweez360 on September 13, 2008, 05:24:39 AM
Yeah man I got everything back, pictures, music, documents, the works. Let me tell you that was THE sigh of relief. I just had to manually place each file/folder back where it was originally, which was a pain, but at least it worked.

The startup problems remain, but for now I'll just live with it (I rarely reset/turn off my comp anyways). But I will be looking through Google, seeing what I can find.

And thanks again for all your help. I'll be around.
Title: Re: Folder/Window spam at Startup
Post by: evilfantasy on September 13, 2008, 05:27:29 AM
Glad it worked. I didn't think that would restore your files (music, pics, etc) or I would have suggested it. I learned something new lol.

I'm off to bed now. I'll look more into it tomorrow. Let me know if you figure anything out.