
Strange Behavior At Start Up


10 replies to this topic

#1 amaker

amaker

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:03:28 PM

Posted 13 January 2007 - 01:30 PM

At start up this window opens C:\Program Files\Windows and it is empty. I have had the guys at the hijack this log forum take a look at my log and they could not see any malware, and my virus scan and anti-spyware cannot find anything. I had some trojans a week ago or so but they have been cleaned or so it would seem. Thanks for your help ahead of time.


#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:04:28 PM

Posted 13 January 2007 - 03:15 PM

Presuming that your system is clean, you can search your startups for something that wants to start a program in the Windows folder. Here's a free utility to check it out: http://www.mlin.net/StartupCPL.shtml

If this program doesn't locate it, here's a more powerful program (also free) that may help: http://www.microsoft.com/technet/sysintern...s/Autoruns.mspx

I suspect that it's this line from your HJT log that's causing this:
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

Another possibility is these 2 lines:
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Since none of them point to anything, it should be safe to fix them using HJT.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 amaker

Posted 13 January 2007 - 04:31 PM

Thanks for helping me with this. I tried to delete the three entries that you mentioned with hijack this and I got this message:

Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard.


With the other software that you asked me to download I am not sure what I am looking for.

#4 amaker

Posted 13 January 2007 - 05:34 PM

After that error message from HijackThis, the files that I selected to delete were deleted, though after restart this folder opened again: C:\Program Files\Windows

#5 usasma

Posted 13 January 2007 - 06:18 PM

In the software that you downloaded, you're looking for the path of a program that resides in the C:\Program Files\Windows directory - that'll be the startup entry that's causing this.

On my system there's no such directory, so I suspect that it was created by a virus/malware - and what's happening is that the launcher is trying to access the program, but since it's not there anymore, it can't find it.

#6 amaker

Posted 13 January 2007 - 06:41 PM

I looked at all the entries using the powerful software that you had me download and I could not find a path of a program that resides in C:\Program Files\Windows... very strange. Any ideas?

#7 usasma

Posted 13 January 2007 - 08:01 PM

It appears that the program that's calling this is going to be a bugger to root out.

Try these MS KB articles to see if you can isolate the problem using clean boot techniques:

http://support.microsoft.com/kb/310353
http://support.microsoft.com/kb/316434

This thing is likely called from another program, so there's an intermediate step that we'll need to figure out.

Have you tried booting into Safe Mode? Does this stop the window from popping up? If so, you might try comparing a Safe Mode bootlog with a regular mode bootlog to see the differences.

You can also try stopping all your startups, to see if that stops it - then re-enable them until you find the offending entry.
You can also try searching the registry for all instances of C:\Program Files\Windows and see if something pops up.

Edited by usasma, 13 January 2007 - 08:03 PM.

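The check described in posts #5 and #7, as an added example that is not part of any post in this thread: a read-only PowerShell script (PowerShell 3.0 or later assumed) that lists entries in the Run/RunOnce keys and the two Startup folders which mention C:\Program Files\Windows, or whose target is a directory, is missing, or cannot be resolved. The function names and the `$Needle` variable are illustrative.

```powershell
# Added example (not from the thread). Read-only: lists startup entries that
# mention a folder, or whose target is a directory, missing, or unresolved.
$Needle = 'C:\Program Files\Windows'   # the folder that opens at logon in this thread

function Get-CommandTarget([string]$Command) {
    # Best-effort extraction of the program path from a startup command line.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }            # quoted path
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr|vbs|js))(\s|$)') { return $Matches[1] }
    return $c                                                     # e.g. a bare folder path
}

function New-Finding([string]$Source, [string]$Name, [string]$Command) {
    $target = Get-CommandTarget $Command
    $kind = if     ([IO.File]::Exists($target))           { 'File' }
            elseif ([IO.Directory]::Exists($target))      { 'Directory' }
            elseif ($target -match '^([A-Za-z]:\\|\\\\)') { 'Missing' }
            else   { 'Unresolved' }   # bare name found via PATH, or empty shortcut target
    [pscustomobject]@{
        Source = $Source; Name = $Name; Kind = $kind; Command = $Command
        Mentions = $Command.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }
}

$findings = @()
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($name in $k.GetValueNames()) {
        $findings += New-Finding $key $name ($k.GetValue($name))
    }
}

$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $cmd = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath }
               else { $f.FullName }
        $findings += New-Finding $dir $f.Name $cmd
    }
}
$findings | Where-Object { $_.Mentions -or $_.Kind -ne 'File' } |
    Format-Table Source, Name, Kind, Command -AutoSize -Wrap
```

Services, scheduled tasks and other autostart locations are not covered by this script; Autoruns lists those.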

#8 amaker

Posted 14 January 2007 - 04:54 AM

Just on a feeling that there must be an intermediate virus causing this somewhere, even though the HijackThis log guys saw nothing, I ran the BitDefender online scan and this is what it found.

Scanned File
Status

C:\Documents and Settings\Adam.LAPTOP2\Local Settings\Temporary Internet Files\Content.IE5\XIPSV6Z2\modservices[1].zip=>archstored:modservices.exe
Infected with: Trojan.Hacktool.Ibounce.A

C:\Documents and Settings\Adam.LAPTOP2\Local Settings\Temporary Internet Files\Content.IE5\XIPSV6Z2\modservices[1].zip=>archstored:modservices.exe
Disinfection failed

C:\Documents and Settings\Adam.LAPTOP2\Local Settings\Temporary Internet Files\Content.IE5\XIPSV6Z2\modservices[1].zip=>archstored:modservices.exe
Deleted

C:\Documents and Settings\Adam.LAPTOP2\Local Settings\Temporary Internet Files\Content.IE5\XIPSV6Z2\modservices[1].zip
Update failed

I re-ran the scan and the virus is still being detected meaning that bit defender can't get it. I will post this in the malware section as well.

#9 usasma

Posted 14 January 2007 - 10:56 AM

Since it's an infection, let the HJT handle it. While I can give advice on the removal of simple stuff - I'm way, way out of my depth when it comes to issues like this! :thumbsup:

#10 Herk

Herk

  • Members
  • 1,609 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S.E. Idaho, USA
  • Local time:04:28 PM

Posted 14 January 2007 - 10:58 AM

One of the first things you should do is clear out all your temp internet files. Open Internet Explorer, click on Tools -> Internet Options. Then delete your temporary internet files and make sure you check the box for offline content. In the newer IE7, click on the delete tab and then temp internet files is the button at the top.

You should also clean temporary Windows files because a lot of malware installs from there and it's safe to clean that folder. There may be two or three files that will not clean because they are in use and this is normal. For this, go to Start -> Run and type in:
%temp%
. . . and hit enter. This will take you to the temp folder. (the percent keys are a variable) Then hit control-A to select all. Then hold down your shift key (to make the deletion permanent instead of sending it to your Recycle Bin) and press the delete key.

It may immediately pop up a window that says that a file could not be deleted because it was in use. Hold down the control key and use your mouse to deselect that single file. Then delete again. Repeat until all files that can be deleted are deleted.

#11 amaker

Posted 15 January 2007 - 08:33 AM

Okay, the guys at hjt log said it is not a virus, just something that one of my virus scans thought was one. I have erased all the temp folders. The empty window does not open in safe mode, so I guess I have to go through all the entries as you said... If there are any other easier options I am open ears.



