  • Status: Solved

My Documents folder opening on Windows startup after hack attack

Had 2 backdoor trojans infect my machine after upgrading OS from Win 98 to Win 2000 while installing SP3.  All ini files, registry entries, worms and other identified files from this attack have been removed.

Desktop My Documents folder opens on Windows startup. Deleted UserShellFolders from Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserShellFolders

Still have the problem. Can't think what else to do.  Thanks.
Asked by yic01
1 Solution
 
CrazyOneCommented:
Well, use one of these free utilities to check what is launching at startup, and if you can't find what specifically is the program that is doing it, then use the process of elimination by deselecting what can run at startup.

MSCONFIG for Win 2000
http://www.insideproject.com/showguide.cfm?guideid=31
http://www.insideproject.com/downloads/msconfig2k/msconfig.zip

StartupCop
http://web.zdnet.com/pcmag/pctech/content/18/08/ut1808.007.html

StartStop
http://www.tfi-technology.com/downloads.htm

Startup Control Panel
http://www.mlin.net/StartupCPL.shtml
 
smallbeeCommented:
Better use an antivirus to check and remove everything completely.
 
YarnoSGCommented:
CrazyOne:  add to that list
AutoRuns
from Sysinternals
http://www.sysinternals.com
 
CrazyOneCommented:
Cool thanks YarnoSG :>)
 
livedthereCommented:
You may want to check:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
CrazyOneCommented:
Well, if you really want to get into registry viewing, then

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce


Some other registry settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
---------------------

But those startup utilities will list what is in these registry keys.
 
livedthereCommented:
CrazyOne:
Runonce shouldn't be showing up every re-boot though if I remember correctly...Others are valid if memory serves me.
 
yic01Author Commented:
Hi .. thanks for the utilities .. they are very cool but I still haven't been able to identify the problem.  Programs in startup are all identifiable. Haven't shut them all down yet because I recognize them.  Do you still recommend this procedure?  I've also checked out the registry keys and don't see anything there.  Thank you for your help so far.
 
YarnoSGCommented:
The Autoruns Tool hits all of those and more:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%UserProfile%\Start Menu\Programs\Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Policies\Microsoft\Windows\System\Scripts
HKLM\Software\Policies\Microsoft\Windows\System\Scripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
Task Scheduler


HTH
 
CrazyOneCommented:
Is Explorer open when you shut down? If so, then that may be the reason for it showing up at startup.
 
CrazyOneCommented:
>>>Runonce shouldn't be showing up every re-boot though if I remember correctly...Others are valid if memory serves me.

True, but what some rogue programs will do is, when they are launched, they will reset themselves in the RunOnce key.
 
CrazyOneCommented:
Check what services are running

Start > run services.msc

Service Configurations
http://www.blkviper.com/WIN2K/servicecfg.htm


Also double check again for viruses

 Norton Web Services  
     Rating  = 4  
Go to this page and click on Scan for Viruses
http://security2.norton.com/ssc/vc_about.asp?langid=us&venid=sym&plfid=22&pkj=RKNYPJUIYCZRWEJGSSK

It needs to download a few files to activate the scan, so you may see a message like this.

"The Scan for Viruses uses an ActiveX program to scan your computer. The download is approximately 1.5MB and can take about 10 minutes over a 28.8 modem.

The scan can take more than 20 minutes depending on the speed of your computer and the number of files that you have. Please do not browse away from this page unless you intend to abort the scan.
 
Downloading Scan for Viruses controls. Please wait...
 
During the download, you might see one or more messages asking if it is OK to download and run these programs. Click Yes when these messages appear.
 
Note: Scan for Viruses does not scan compressed files"
======================
 Trend Micro HouseCall  
     Rating  = 3
www.housecall.antivirus.com
"Trend Micro's free online virus scanner
In order to better serve our customers, we ask HouseCall users to register before scanning their computer.  By registering, you will receive virus alerts from our team of Virus Doctors. You will be able to unsubscribe when you receive your first email. You can also scan without registering"
http://housecall.antivirus.com/housecall/start_corp.asp
======================

PC Pitstop Virus Scan
Our free Web-based virus scan uses Panda Software's award-winning technology and virus list. We're checking against the "wildlist," the roughly 200 viruses that are most prevalent in the world in a given month
http://www.pcpitstop.com/antivirus/default.asp
 
fonetikCommented:
Does this happen when you log on as another user?
 
yic01Author Commented:
Yes, it happens regardless of what user I log on as.
 
CrazyOneCommented:
Well I know this article doesn't address the My Documents folder but...

System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;170086
 
yic01Author Commented:
Found these non-Windows entries in Services. The first one is particularly worrying. Does anyone know if they mean anything, and can you tell me how to disable/delete them?

Background Intelligent Transfer Services: Transfers files in the background using idle network bandwidth – Start: Manual

PSEXESVC : No description – manual start – local system

Server:  Provides RPC support and file, print and named pipe sharing.  Status: Started – local system – Automatic
 
CrazyOneCommented:
Those are windows services
 
CrazyOneCommented:
Although I am not sure what the PSEXESVC is. But it is set to manual, so it probably isn't running. Double click on it and look in the path to executable, and it will show where to look for the program.
 
CrazyOneCommented:
However the

Background Intelligent Transfer Services

and

Server

are Windows services.
 
BeermanCommented:
I found this tool useful to remove backdoor trojans, if one is still lurking on your pc.
http://www.moosoft.com/
Any chance you have any IRC type program installed
 
sramesh2kCommented:
My Documents Folder Opens Upon Boot

Start/Run/Regedit, then go to

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

and in the right pane check your settings under Load.

Tip:  This problem can be caused by the DlDer Trojan.  More information here:
         http://securityresponse.symantec.com/avcenter/venc/data/w32.dlder.html
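The following is an added example, not code posted by anyone in this thread. It does by hand what CrazyOne's registry list, YarnoSG's Autoruns list and sramesh2k's Load tip describe: it parses a text export written by regedit /e, keeps only the values under the autostart keys named above (the Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce and Policies\Explorer\Run keys under HKLM and HKCU, plus the Windows NT\CurrentVersion\Windows key that holds the Load and Run values), and flags the entries worth checking first: anything under a RunOnce-style key (which, as CrazyOne notes, a rogue program can keep re-registering), a non-empty Load or Run value (normally empty), an image in a Temp directory or outside %SystemRoot% and Program Files, and names that are not absolute local paths. The trusted-directory list, the flag heuristics and the sample export are assumptions constructed for this example; the sample's Load value is built to mimic the symptom in the question (Explorer opening on My Documents), and its User Shell Folders entry is there only to show that key is not an autostart location.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Autostart keys named in this thread; subkeys (e.g. RunOnceEx\0001) match too.
_RUN_SUBKEYS = ("Run", "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce",
                r"Policies\Explorer\Run")
AUTOSTART_KEYS = [
    "\\".join((hive, r"Software\Microsoft\Windows\CurrentVersion", sub))
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER") for sub in _RUN_SUBKEYS
] + [r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"]
_AUTOSTART_LOWER = tuple(k.lower() for k in AUTOSTART_KEYS)

# Assumption: default Windows 2000 layout.  Adjust to the machine's %SystemRoot%.
TRUSTED_DIRS = (r"c:\winnt", r"c:\program files")

FLAG_RUNONCE = "RunOnce-style key: should vanish after one boot unless a program re-registers it"
FLAG_LOADRUN = "win.ini-style Load/Run value is set (normally empty)"
FLAG_BARE = "not an absolute local path (bare name resolved via the search path, or UNC)"
FLAG_TEMP = "image lives in a Temp directory"
FLAG_UNTRUSTED = "image outside the trusted system directories"


class Entry(NamedTuple):
    key: str
    name: str
    command: str
    image: str
    flags: Tuple[str, ...]


_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_QUOTED_IMAGE = re.compile(r'^"([^"]+)"')
# Unquoted command lines may contain spaces ("C:\Documents and Settings\..."),
# so take everything up to the first executable-looking extension.
_EXT_IMAGE = re.compile(r'^(.+?\.(?:exe|com|scr|pif|bat|cmd|dll|vbs|js))(?=\s|$)', re.I)


def _unescape(s: str) -> str:
    # .reg files double backslashes and write a quote as \"
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value name, data) for every value in a regedit /e export.
    REG_SZ data is unescaped; hex:/dword: data is returned as written."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue  # header, blank line or hex continuation line
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        yield key, name, data


def image_path(command: str) -> str:
    """Executable a command line launches: quoted path, else the path up to an
    executable extension, else the first space-delimited token."""
    s = command.strip()
    m = _QUOTED_IMAGE.match(s) or _EXT_IMAGE.match(s)
    return m.group(1) if m else s.split(" ", 1)[0]


def is_autostart_key(key: str) -> bool:
    k = key.lower()
    return any(k == a or k.startswith(a + "\\") for a in _AUTOSTART_LOWER)


def flags_for(key: str, image: str) -> Tuple[str, ...]:
    k, low = key.lower(), image.lower().replace("%systemroot%", r"c:\winnt")
    flags = []
    if re.search(r"\\run(?:services)?once", k):
        flags.append(FLAG_RUNONCE)
    if k.endswith(r"\windows nt\currentversion\windows"):
        flags.append(FLAG_LOADRUN)
    if not re.match(r"^[a-z]:\\", low):
        flags.append(FLAG_BARE)
    else:
        if not any(low.startswith(d + "\\") for d in TRUSTED_DIRS):
            flags.append(FLAG_UNTRUSTED)
        if any(part in ("temp", "tmp") for part in low.split("\\")):
            flags.append(FLAG_TEMP)
    return tuple(flags)


def triage(export_text: str) -> List[Entry]:
    """Autostart entries in an export with their flags.  Empty data is skipped:
    an empty Load or Run value is the normal state."""
    out = []
    for key, name, data in parse_reg_export(export_text):
        if not is_autostart_key(key) or not data:
            continue
        image = image_path(data)
        out.append(Entry(key, name, data, image, flags_for(key, image)))
    return out


# Constructed sample export (not from the questioner's machine).  The Load value
# mimics the symptom in the question; User Shell Folders only maps folder names
# to paths and launches nothing, so the filter must ignore it.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NAV Agent"="\"C:\\Program Files\\Norton AntiVirus\\navapw32.exe\""
"Explorer"="C:\\WINNT\\Temp\\explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"loader"="C:\\Documents and Settings\\yic01\\Local Settings\\Temp\\svc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\WINNT\\explorer.exe \"C:\\Documents and Settings\\yic01\\My Documents\""
"Run"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Personal"="C:\\Documents and Settings\\yic01\\My Documents"
'''

if __name__ == "__main__":
    for e in triage(SAMPLE_EXPORT):
        print(f"{e.key}\n  {e.name} = {e.command}\n  image: {e.image}")
        for f in e.flags:
            print(f"  ! {f}")
```

To run it against a real machine, export the keys with regedit /e (one key per file, e.g. regedit /e run.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", or export all of HKLM\SOFTWARE\Microsoft and HKCU\Software and let is_autostart_key do the filtering) and pass the file's text to triage. Windows 2000's regedit writes the export as UTF-16, so open it with encoding="utf-16"; a file whose first line is REGEDIT4 is an ANSI export and parses the same way. A flag is a reason to look, not a verdict: the sample's "Explorer" entry in WINNT\Temp and the populated Load value are the two shapes that would produce Explorer opening on My Documents at logon, while the bare mobsync.exe entry is flagged only because the search path, not the registry, decides which file runs.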
 
yic01Author Commented:
Wow .. you have all been really great.  Beerman thanks so much for the tool to remove trojans.  I downloaded it and my machine is clear.

I now feel foolish because ... I realized that it's Explorer that is opening with the focus on My Documents (I'm sorry :(  ) and I still haven't been able to fix it.  There is nothing lurking on my system anymore .. I have run 2 different VirusScans, The Cleaner for trojans and Pest Control as well as removed every file that was identified with the trojans by Symantec.  I have checked Services and there is nothing in there.  I have run Norton Win Doctor.  I think at this point there must be something in a registry key that is off.  Sramesh2k, I checked that key in Current_Users but don't know what I'm looking for.  Didn't see anything obvious.

Thanks again to all, especially CrazyOne - you are great!
 
CrazyOneCommented:
Ok, I think I am a little confused. Is the My Documents folder still opening at startup? Or is it just that that is where Explorer opens to when you open Explorer?
 
CrazyOneCommented:
BTW, is Explorer open when you shut down?
 
yic01Author Commented:
Explorer is NOT open when I shut down and Explorer is opening automatically at start up to My Documents.  Thanks CrazyOne! :)
 
CrazyOneCommented:
Ok, I think you need to use one of those startup utilities and remove everything from the startup, just to be sure none of those items are the cause.
 
yic01Author Commented:
Thanks everyone!  The system is clean and working now!
 
yic01Author Commented:
Really helpful and patient!  Thanks so much!
 
CrazyOneCommented:
You are welcome. :>)
 
John-BizCoachCommented:
Had a similar problem on a WinXP machine. It was related to a virus that also changed instant messaging away messages.  Both were fixed by AIMFix from http://www.jayloden.com/VirusClean.htm