Window opens before "Loading your personal settings" in XP

By txtbkseller2006
Hi there,

I have this problem and it is driving me crazy. I cannot seem to find any solution.

I have Windows XP Home on one computer and Windows XP Pro on my laptop. This problem occurs on both these computers.

When I start my computers, it goes through the usual steps. I see the Windows logo and then a window comes up. It looks more like a Notepad window, but the filename on top is garbled. The content of the window is also garbled but limited to 5-10 characters. On my laptop, I can see C:\windows\system32 as the file name, but it looks like Notepad is trying to open a system file and I can't understand why it is doing it. There is an "OK" button at the bottom and when I click on it, I get the "Loading your personal settings" screen and everything works normally. I don't know why this window shows up, and I have tried booting in safe mode and it still shows up. I have run all 3 anti-virus programs and nothing has been detected. Sometime before the "loading your personal settings" page, the system seems to be running a program which opens Notepad or something. Apparently it is not important, because when I click OK, everything boots OK. It just started happening a couple of weeks ago. I have no idea which program caused it or is causing it. I ran autoruns.exe and CCleaner and I can't seem to find anything wrong with the registry. I even disabled all startup programs using msconfig and it still does not get rid of that annoying window. I am not sure if there is a problem with a driver or what. I am enclosing my startups log that was created by HijackThis. Maybe someone can help.

Many thanks.
StartupList report, 11/3/2007, 8:10:47 AM
StartupList version: 1.52.2
Started from : F:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MailFrontier\mantispm.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\MemOptimizer 3\MemOptimizer.exe
C:\PROGRA~1\emoze\emoze.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SpywareGuard\sgmain.exe
F:\PROGRA~1\MICROS~1\rapimgr.exe
C:\PROGRA~1\emoze\EMAgent.exe
C:\Program Files\YPOPs\ypops.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
F:\Program Files\HijackThis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Pld\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
YPOPs.lnk = ?
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
avast! = C:\PROGRA~1\Avast4\ashDisp.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MemOptimizer = C:\Program Files\MemOptimizer 3\MemOptimizer.exe
emoze = C:\PROGRA~1\emoze\emoze.exe
H/PC Connection Agent = "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[AutorunsDisabled]
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[AutorunsDisabled]
emoze = C:\PROGRA~1\emoze\emoze.exe
MemOptimizer = C:\Program Files\MemOptimizer 3\MemOptimizer.exe
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = NOTEPAD.EXE %1
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = NOTEPAD.EXE %1
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmyst.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------

Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll -
{089FD14D-132B-48FC-8861-0048AE113215}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll -
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
SpywareGuard Download Protection - C:\Program
Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - F:\PROGRA~1\SPYBOT~1\SDHelper.dll -
{53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL -
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
TrendProtect - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll -
{E3578B37-6346-4EC1-A82B-38273A100DCF}
--------------------------------------------------
Enumerating Task Scheduler jobs:
1-Click Maintenance.job
shutdown.job
--------------------------------------------------
Enumerating Download Program Files:
[Microsoft Office Template and Media Control]
InProcServer32 = C:\PROGRA~1\MICROS~4\Office12\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab
[{04E214E5-63AF-4236-83C6-A7ADCBF9BD02}]
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/downlo...eckControl.cab
[TmHcmsX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TmHcmsX.ocx
CODEBASE = http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/S...in/AvSniff.cab
[{544EB377-350A-4295-9BEB-EAB8392E09C6}]
CODEBASE = http://fdl.msn.com/public/investor/v13/invinstl.exe
[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/S.../bin/cabsa.cab
[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsof...?1139977045515
[{74D05D43-3236-11D4-BDCD-00C04F9A3B61}]
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
[{90051A81-3018-4826-8B38-DD60B6B53F9C}]
CODEBASE = http://www.costcophotocenter.com/CostcoUpload.cab
[{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}]
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab
[Crucial cpcScan]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cpcScan.dll
CODEBASE = http://www.crucial.com/controls/cpcScanner.cab
[{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}]
CODEBASE = http://www.symantec.com/techsupp/act...a/SymAData.cab
[{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}]
[{E77C0D62-882A-456F-AD8F-7C6C9569B8C7}]
CODEBASE = https://www-secure.symantec.com/tech...ActiveData.cab
[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/is...30/mcfscan.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 8,442 bytes


PLEASE HELP!!!


All Answers


Looks like one of the BEAGLE variants to me

by ThumbsUp2 In reply to Window opens before "Load ...

Pay particular attention to the following:

--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = NOTEPAD.EXE %1

--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = NOTEPAD.EXE %1

--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmyst.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------

Having .SCR and .HTA associated with Notepad.exe?

Looks like one of the BEAGLE worm variants to me. This nasty little worm disables your antivirus detection and hides itself as well.

Try doing your antivirus scans in safe mode and see what they find. If that doesn't show anything, search avast for ways to get rid of BEAGLE.

<edited HTA typo>


Sorry that tech help forum is not more helpful. I will try.

by gladhatter In reply to Window opens before "Load ...

Ok, first of all, I got out of computer repair 5 years ago, so I am a bit green about all this and retarded now. I am VERY sorry that the likely qualified folks on here who could help you are only qualified and not helpful.

You undoubtedly have some .exe program that is being launched by a series of tricks. I may not have this exactly correct here, but I can fix you by phone if you have the time and no one else volunteers. I also have free calling to do it.

First of all, your registry is being hacked by a program that is making Notepad run when other programs should run instead. So each time you invoke the correct programs, Notepad is running instead. Now that would not be so terrible, but I am guessing the hacker lamer has Notepad set to kick off another program each time it runs, and in your case when you load your system up. Then they have the malicious code run every time your computer is running.

Not sure if it is Beagle or what the actual bad file is, but in my day it was remote control programs that were running to steal your ICQ password or other information, or spy on your keystrokes or whatever.

Regardless, I would STRONGLY ADVISE you not to run your computer connected to an internet connection again until you get it fixed, after you read this. If you do, you are potentially and likely made available to the world of hackers.

My phone number is 276-926-6423 and my email is gladhatter@gladhatter.net. I can and will compose the fix-it reg files you need for this and post them here to copy and paste into Notepad and save as .reg to fix the registry, but be sure that next time you boot, the program will already overwrite these fixes and you will be just as infected again. You will need to run them to stop the program and then remove the program from your computer so it cannot re-infect you. If this is not so, then the reg files will fix you and the hacker was pretty lame.


Now you need to save all this copied and pasted in Notepad and then add it to your registry, but it would be better to email you the reg key so you do not have to launch Notepad again to kick off your problem.

You should also temporarily disable the screen saver on your computer till this is fixed.

Finally, you have some policy values in your registry that need to be removed, but I cannot give you the key for that till I see what else you have there, or it will have some unfamiliar setting there that you may not wish for.

Before you run this, be sure you have a typical Windows installation on the C: drive, and if not, then change the C:\\WINDOWS\\system32 below to the actual location of your installation.

Here is what to save as file.reg:

Windows Registry Editor Version 5.00

; A .reg file takes one header line only. Writing a key's default value
; overwrites the hijacked one, so no [-key] delete line is needed before it.

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
@="\"%1\""

; The StartupList report shows the hijacked value under scrfile\shell\open\command;
; its XP default is "%1" /S.
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"


Sorry I cannot help you more here, but I will again gladly help you by email and phone.

Edited as I had one of the reg values set in reverse. That would not have helped.
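Both points raised above, the .SCR and .HTA handlers that ThumbsUp2 flags in the StartupList log and the .reg repair that gladhatter posts, can be checked mechanically. The following is an added example and is not code from this thread, from HijackThis or from any vendor named here: it parses the "File association entry", UserInit and Shell lines of a StartupList-style report (a constructed sample mirroring the thread's log is embedded), compares them with the Windows XP defaults, and emits a single-header .reg file that writes the defaults back for the flagged associations. The .HTA default is the one restored in the thread; the .EXE and .SCR defaults are stock XP values assumed here, not taken from the page. UserInit and Shell deviations are only reported, because the binary they point at is what has to be found and removed before the value is reset, as the thread itself says.

```python
"""Audit a HijackThis StartupList report for redirected shell handlers.

Added example, not code from the thread or from HijackThis: parse the
"File association entry" / UserInit / Shell lines, compare them with the
Windows XP defaults, and emit a .reg file restoring the flagged handlers.
"""
import re

# XP default shell\open\command values. The .HTA command is the one restored
# in the thread; .EXE and .SCR are stock XP values assumed here, not on the page.
XP_DEFAULTS = {
    ".EXE": '"%1" %*',
    ".SCR": '"%1" /S',
    ".HTA": 'C:\\WINDOWS\\system32\\mshta.exe "%1" %*',
}
WINLOGON_DEFAULTS = {"UserInit": "C:\\WINDOWS\\system32\\userinit.exe,",
                     "Shell": "Explorer.exe"}

# Constructed sample in the StartupList layout, mirroring the thread's log:
# .SCR and .HTA hand their files to Notepad, everything else is stock.
SAMPLE_REPORT = r"""Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = NOTEPAD.EXE %1
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = NOTEPAD.EXE %1
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
"""

ASSOC_RE = re.compile(
    r"^File association entry for (\.\w+):[ \t]*\r?\n"
    r"(HKEY_CLASSES_ROOT\\[^\r\n]+?)[ \t]*\r?\n"
    r"\(Default\) = ([^\r\n]*)", re.MULTILINE)
USERINIT_RE = re.compile(r"^UserInit = ([^\r\n]*)", re.MULTILINE)
SHELL_RE = re.compile(r"^Shell=([^\r\n]*)", re.MULTILINE)


def parse_report(text):
    """Return {'associations': {ext: (key, command)}, 'UserInit': str, 'Shell': str}."""
    assoc = {e.upper(): (k, c.strip()) for e, k, c in ASSOC_RE.findall(text)}
    m = USERINIT_RE.search(text)
    # The SYSTEM.INI block reports "*INI section not found*"; keep the registry value.
    shells = [s.strip() for s in SHELL_RE.findall(text) if "not found" not in s]
    return {"associations": assoc, "UserInit": m.group(1).strip() if m else None,
            "Shell": shells[0] if shells else None}


def audit(text):
    """One finding per value that differs from its XP default, associations first."""
    parsed, findings = parse_report(text), []
    for ext, (key, cmd) in sorted(parsed["associations"].items()):
        expected = XP_DEFAULTS.get(ext)
        if expected is None or cmd.casefold() == expected.casefold():
            continue
        # A script or screensaver handed to a text viewer is the thread's pattern:
        # the real handler is displaced, so rate it high; other drift is "review".
        findings.append({"item": ext, "key": key, "actual": cmd, "expected": expected,
                         "severity": "high" if "notepad" in cmd.casefold() else "review"})
    for item, expected in WINLOGON_DEFAULTS.items():
        actual = parsed[item]
        if actual and actual.casefold() != expected.casefold():
            findings.append({"item": item, "key": None, "actual": actual,
                             "expected": expected, "severity": "review"})
    return findings


def reg_escape(value):
    """Escape a REG_SZ literal for a .reg file: backslashes first, then quotes."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def restore_reg(findings):
    """One header, then one key per flagged association with its XP default.
    Winlogon findings are reported only; the referenced binary needs a look first."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f["key"]:
            lines += [f"[{f['key']}]", f'@="{reg_escape(f["expected"])}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print(f"{f['severity']:6} {f['item']:9} {f['actual']!r} -> {f['expected']!r}")
    print(restore_reg(audit(SAMPLE_REPORT)))
```

Run against a saved StartupList report, the script lists each handler that no longer matches its default and prints a .reg that can be reviewed and then merged with regedit. The escaping helper is the part most often got wrong by hand: in a .reg value every backslash and every embedded quote must be escaped, which is why the mshta.exe line comes out as `\"%1\"` with doubled backslashes. As gladhatter notes above, merging the file only helps once the program that rewrote the keys has been stopped and removed, otherwise it will put its values back on the next boot.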


The likely rest of the solution.

by gladhatter In reply to Window opens before "Load ...

Ok, I played with this a bit to refresh my memory, and you are also going to find a registry entry at: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe]

This is not supposed to be there but will have a value set under (Default). Whatever this value is, it is the name and location of your malicious code.

You can remove this as well.

Here is the complete registry key you will need to fix most of the problem. I still need to see the problem with the policy keys in your registry. Also, it's unlikely that the solution is all this simple, or it was some really dumb hacker if it is:


Windows Registry Editor Version 5.00

; A .reg file takes one header line only. Writing a key's default value
; overwrites the hijacked one, so no [-key] delete line is needed before it.

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
@="\"%1\""

; The StartupList report shows the hijacked value under scrfile\shell\open\command;
; its XP default is "%1" /S.
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

; Removes the App Paths entry; note its (Default) value first, as described above.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe]

If you make a registry key from the above, execute it and merge it into the registry, this will solve most of the problem, if not all.

PLEASE, however, if you do not know how to edit your registry, first contact me or someone who can first locate that malicious file on your computer under the key above before you remove that key, and then stop the running program and remove it from your computer, or you will likely execute it again and have the same issues over.

Hope this helps, and sorry I am not a great writer, but I can and will help you fix this if you make phone contact.

Charlie


txtbkseller2006 if you chose to follow this advice

by OH Smeg In reply to The likely rest of the so ...

Make a backup of the Registry before doing anything.

As you obviously have an infection, since Notepad is running before Windows opens up, I would suggest that you follow the advice from the original person who answered your question, as that has the best possibility of success without the loss of data or the destruction of the OS on both your computers.

You may, however, find it better to use the online virus scanner by Avast, as that is far more likely to pick up any infections; if it is one of the Beagle variants, it will disable the AV product that you have installed and remain invisible to your installed AV products.

http://onlinescan.avast.com/

Similarly, you can look up Symantec's web site for ways to remove the Beagle virus, but while it's a fairly safe guess that you have one of the Beagle variants, it's still far better to find the correct name and version so you know what you need to remove. The Symantec site is here if you want to look up removal steps for any virus:

http://tinyurl.com/yqcs7f

Col


I am new to XP but

by gladhatter In reply to txtbkseller2006 if you ch ...

I thought XP not only stored a few boot-ups of registries but also offers a roll-back feature. This all being so, I do not think the simple registry edits I proposed require backing the registry up.

Regardless of what was what, we did fix the problem, but it did require a roll back to do it. I am not familiar with the Beagle thing, but I sure have seen some hard-to-deal-with bugs.


The more we think we know .......................

by gladhatter In reply to Window opens before "Load ...

I am telling you I am learning just how little I know and how much things have changed.

The last work I did in developing programming was trying to develop a rootkit-type program for a good purpose, and now I find this word is common and so is the idea, but mostly for bad things.

I am sure this person had some rootkit installed on them now, and yet I had not even heard the term before 2 days ago.

I have so much to learn and relearn, and so little interest in it all anymore.

I give the floor to the gurus of the day, and I step down and humble myself to relearning enough to stay safe on my own.
