Stumpy

Join Date 04/2001

A little help needed, please

For some strange reason, each time I boot my machine it now displays a window to My Documents which I have to close manually, does anyone know why or how I can stop it ?

I have made sure that it there is no shortcut in the Startup Folder, checked the registry, checked for spyware, all is clean, I just cannot find a reason for this to be happeneing.

Also there is now a search Toolbar that appears on the Taskbar (Toolbar is called Search Assistant), this I also have to close

I have checked with 3 Spyware programs plus an online scan by Symantec, system, is clean.

Any help would be appreciated

Locked Post

Advanced Search

Watch this post

Do not email me updates for this post Email me updates for this post

Successfully updated karma reason!

kona0197

Join Date 02/2003

+86

Uninstall the "search assistant" in control panel - add/remove programs.

Also run spybot search and destroy.

[Message Edited]

Successfully updated karma reason!

Search assistant is not in the Add/Remove list, so cannot uninstall

Also as I have said above I have used three Spyware catchers these are:-
Spybot
Adaware
Spy Sweeper

Plus an Online scan at the Symantec website, I have also done a complete virus scan, also used HiJackThis

But thanks anyway

[Message Edited]

Successfully updated karma reason!

goodmorphing

Join Date 03/2002

Stumpy, try Hijack this. Make sure to post it to a forum where there are experts who can help you. It can be get a little confusing, but the people at the forums really know a lot.
[Message Edited]

Successfully updated karma reason!

Sign Up or Login and this ad disappears!
There are many great features available to you once you register. Sign Up for a free account and browse the forums without ads.

NightTrainthedark

Join Date 07/2003

+255

http://www.spy-bot.net/IGetNet.asp

hopefully that will get you on your way.

Successfully updated karma reason!

goodmorphing

Join Date 03/2002

OOPS... I see you did that already.

We need YRAG! or IP.

Successfully updated karma reason!

I would suggest going on the microsoft website they cover many of the problems you encouter when using windows XP.

http://www.microsoft.com

Successfully updated karma reason!

Stumpy
Go here
http://www.spywareinfo.com/~merijn/downloads.html
and get the StartUpList utility.
It won't remove anything, but it will show everything that starts when you boot up and where it is being started from

Successfully updated karma reason!

Ok, checkedd the options you have given

the window to My Documents still appears on startup

Search Assistant is still in the Right-Click menu of the Taskbar (does not appear on Restart only On a New Boot).

All spyware programs have been re-run all clear, registry has been searched and cleared of any dodgy entries.

Cannot find any place where the Taskbar Toolbars are kept

Thanks for the help you have given, if anyone can think of anything more it would be appreciated, thanks

[Message Edited]

Successfully updated karma reason!

Stumpy, if you click on the search toolbar, to what page does it take you? From the research I did just a few minutes ago, it seems there are two adware toolbars called 'Search Assistant', one by Blazefind.com, and one by lop.com. They also seem to be real devils to remove by all accounts. But from what I've found so far, they need to be treated differently so you need to know which version you have.

Successfully updated karma reason!

Stumpy, if you've run hijack this, you might want to check this thread to see if anything looks familiar: http://www.wilderssecurity.com/showthread.php?t=34589&goto=nextnewest

Successfully updated karma reason!

Shameless, clicking the Search takes me to Blazefind.com

Successfully updated karma reason!

Koasati

Join Date 07/2001

+21

http://sarc.com/avcenter/venc/data/adware.blazefind.html

Successfully updated karma reason!

There are also manual instructions for removing it here: http://www.securemost.com/articles/trou_3_remove_ie_searchbar.htm

If you have Norton's, I would use Koasati's link first, otherwise, the link I'm giving has a more complete list of the dll's and reg entries to remove it manually. The link I gave also indicates that Pest Patrol now has blazefinder on it's update list, so that might be a good way to go also. Pest Patrol is a very good spyware remover. Good luck.

[Message Edited]

Successfully updated karma reason!

Ok, thanks guys, I followed the instruction and the Search Assistant does not appear on Taskbar (but is still in the Right-click menu of the Taskbar)

Now there is still the problem of the "My Documents" window opening on startup

Any ideas guys & gals

Successfully updated karma reason!

I.R. Brainiac

Join Date 05/2003

+281

Delete or move the folder...reboot and make a new my documents folder

Successfully updated karma reason!

Ok tried that, didn't work, what actually happens is this when window desktop appears a window opens (Explorer window) at the "My Documents" which resides at the bottom of the treeview list on the laft hand side and I have to close it manually

This has only started happening recently, never did before (there is no icon on the desktop, it is switched off in the Display Properties)

It's really bugging me now

Successfully updated karma reason!

if you have a recent registry backup, before these strange things, i would reload it... you miht have to reinstall recent programs but i think it could be a registry entry. if it's not a wayward shortcut, a malfunctioning dll, or a mis-printed start up option, it looks like something was tweaked deeper down. i just fixed a friend's machine of spyware, and his system32 folder stopped opening on startup. dispite the precautions you've taken, and the scans, something slipped through and altered something, and may still be there. it could, perhaps, be related to Office malfunctioning, as well.. that would also be fixed by a registry reload

Successfully updated karma reason!

Stumpy
Did you run the StartUpList utility?

If so, can you post the results?

Successfully updated karma reason!

http://www.doxdesk.com/parasite/

I dunno if it'll help but it's worth a shot, and only takes a minute.

Successfully updated karma reason!

StartupList was ran, everything in it I know, ther is nothing there that would cause this particular prob, the main problem (Search Assistant) was rectified, thanks,

I will run it again and post the results here.

Successfully updated karma reason!

Here goes, I hope some can see something I missed

StartupList report, 23/06/2004, 06:18:31 PM
StartupList version: 1.52
Started from : D:\Temp\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\logitech\MouseWare\system\em_exec.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\My Program Files\EmailBook\EmailBook.exe
C:\Program Files\WindowsSA\omniscient.exe
D:\Program Files\SysMetrix\SysMetrix.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Stardock\CursorXP\CursorXP.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
D:\Utility Programs\EasyNoterPro\easynoter.exe
D:\Utility Programs\KeySound\Nkboard.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\Rainlendar\Rainlendar.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Stardock\sdcentral.exe
D:\Temp\StartupList.exe

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Dennis Hallman\Start Menu\Programs\Startup]
Nkboard.lnk = D:\Utility Programs\KeySound\Nkboard.exe
SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

1A:Stardock TrayMonitor = "C:\Program Files\Common Files\Stardock\TrayServer.exe"
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Logitech Utility = Logi_MwX.Exe
LogonStudio = "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
EmailBook = D:\My Program Files\EmailBook\EmailBook.exe
Windows SA = C:\Program Files\WindowsSA\omniscient.exe
SysMetrix = D:\Program Files\SysMetrix\SysMetrix.exe
jopa = C:\WINDOWS\System32\sysstartup.exe
BootSkin Startup Jobs = "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
QuickTime Task = "D:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC = D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
AVG7_EMC = D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
Outpost Firewall = D:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

FAXPrint = C:\WINDOWS\System32\awadpr32.exe /AM

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CursorXP = D:\Program Files\Stardock\CursorXP\CursorXP.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
jopa = C:\WINDOWS\System32\sysstartup.exe
IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
Art Plus EasyNoter PRO 3.7 = "D:\Utility Programs\EasyNoterPro\easynoter.exe" /a

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=wbsys.dll

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\YU-GI-OH.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

Enumerating Browser Helper Objects:

SpywareGuard Download Protection - D:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - c:\windows\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Uninstall Expiration Reminder.job

Enumerating Download Program Files:

[CoDetectDigitalRiver Class]
CODEBASE = http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = http://www.xblock.com/download/xclean_micro.exe

[DASWebDownload Class]
InProcServer32 = C:\WINDOWS\DASAct.dll
CODEBASE = http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate.microsoft.com/R824/V31Controls/x86/w98/en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[IMDownloader Class]
CODEBASE = http://www2.incredimail.com/contents/setup/downloader/imloader.cab

[Yahoo! Photos Easy Upload Tool Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\YDropperUK.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab

Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: C:\Program Files\Common Files\Stardock\mcpcore.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

End of report, 9,272 bytes
Report generated in 0.250 seconds

Successfully updated karma reason!

Holy Cow....

Essencay goes and gets this to see what starts up with his PC

Successfully updated karma reason!

Stumpy - Do you have Office 2000 installed?

Successfully updated karma reason!

PixelPirate

Join Date 07/2003

+17

Try going to these entries in regedit and see if there's something spooky going on:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Successfully updated karma reason!

Stumpy

See this page for jopa (one of your registry - run entries)

http://www.kephyr.com/spywarescanner/library/sysstartup.jopa/index.phtml

There's a couple of other things I need to check on.

Successfully updated karma reason!