Solved Strange Window is appearing on Startup

[pan]

On start up of my computer I am receiving the following message (see attached picture). I have Windows 7 Home Premium 64 bit.

This all happened when I was on the internet and I ran into a malicious site and a pop up box appeared and it wouldn't go away when I clicked the X box, it would just keep reappearing every time. I then just shut off my computer and when I turned it back on now this message appears every time and I just click X every time and it goes away. I ran AVG free virus software and there appears to be no virus, but I have no idea how to get rid of this annoying start up message. Any help is very appreciated. Thanks in advance.

 

[Golden]

Hi Pan,

A couple of things to try:

Firstly, lets try another scan with a different AV program. Please download, install, update and then run a FULL scan using FREE Malwarebytes.

Secondly, can you do a search in Windows Explorer for that exact file? Where is the file located?

Post back here if you need more help.

Regards,
Golden

 

[pan]

Hi Pan,

A couple of things to try:

Firstly, lets try another scan with a different AV program. Please download, install, update and then run a FULL scan using FREE Malwarebytes.

Secondly, can you do a search in Windows Explorer for that exact file? Where is the file located?

Post back here if you need more help.

Regards,
Golden

Thanks, I'm downloading it right now. I tried searching for it in the start menu and nothing comes up.

 

[Golden]

OK. Complete the scan, and then post back the log so we can see if there is anything lurking in the system.

Once we have done that, we can try to "repair" Windows using the sfc /scannow command. I'll post more details once the scan is done.

Regards,
Golden

 

[pan]

This is just an update. I have to get up really early tomorrow so I'm going to bed now. So far the scan has produced no viruses and has been scanning for 38 minutes and has scanned 233,000+ objects. I will post another update as soon as I wake up tomorrow or if I happen to wake up in the middle of the night. Thanks Golden for all of the help so far.

 

[Golden]

No worries - we'll keep checking back here.

Regards,
Golden

 

[seekermeister]

Since that file has a .tmp extension, have you checked in the temp folders, both in Windows and Users?

 

[pan]

Here's my log..........there were no viruses found again.........



Malwarebytes' Anti-Malware 1.51.1.1800
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 7524

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

8/20/2011 10:37:37 PM
mbam-log-2011-08-20 (22-37-37).txt

Scan type: Full scan (C:\|Q:\|)
Objects scanned: 407462
Time elapsed: 47 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[pan]

Since that file has a .tmp extension, have you checked in the temp folders, both in Windows and Users?

I tried but there are a lot of files there. I'll do a more thorough search in the morning, I really have to get some sleep. Thanks for all of the help so far everybody.

 

[Golden]

Hi,

OK. When you wake up tommorrow, try the following:

1. Click Start Orb
2. In the search box, type cmd
3. Right-lcikc on the CMD item in the list, and choose to Run as Administrator
4. In the cmd (dod) window that opnes, type sfc /scannow and hit enter

Post the results of the window once the scan completes.

Regards,
Golden

 

[seekermeister]

Since Malwarebytes didn't find anything, it is possible that the problem file is not exactly malware, or at least it hasn't been classified as such by Malwarebytes. Since the window in question appears on startup, I would look on the Startup tab of msconfig, as well as in the Startup folder in the Start Menu, not for that particular file, but for anything that you do not recognize as needed or normal, and delete or disable it. Chances are good that it is pointing to that .tmp folder during startup.

 

[seekermeister]

Since that file has a .tmp extension, have you checked in the temp folders, both in Windows and Users?

I tried but there are a lot of files there. I'll do a more thorough search in the morning, I really have to get some sleep. Thanks for all of the help so far everybody.

Try deleting all of those .tmps, since they should not be needed any longer. You should regularly clean the Temp folders anyway. Some temps may not delete, and you may have to skip them, but that shortens the list considerably, making it easier to see if what is left is part of the problem.

You can also use Ccleaner to automate cleaning.

 

[Golden]

I think the startup tab in msconfig as suggested by seekmeister is definately worth looking at if the sfc /scannow doesn't turn up anything.

Regards,
Golden

 

[marsmimar]

For a more aggressive cleaning of temp files I'd try this:

TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums

 

[seekermeister]

If you don't find any unknown startup items where I mentioned, you might also try using StartupCPL, because some things start up from the registry, and won't appear in the places mentioned:

Mike Lin's Home Page

 

[pan]

So I just performed sfc /SCANNNOW and it said it found no integrity violations. Now I will try the other stuff mentionted. Thanks for all of the help so far.

 

[pan]

Since Malwarebytes didn't find anything, it is possible that the problem file is not exactly malware, or at least it hasn't been classified as such by Malwarebytes. Since the window in question appears on startup, I would look on the Startup tab of msconfig, as well as in the Startup folder in the Start Menu, not for that particular file, but for anything that you do not recognize as needed or normal, and delete or disable it. Chances are good that it is pointing to that .tmp folder during startup.

Ok, some good news.......I checked the startup tab of msconfig and found a strange thing called Bulletstorm from People Can Fly....which as you can see in the picture had the strange file location in it........I went there and found it and deleted it, as well as a thing called jucheck from the same person created at the same time (People Can Fly)........Then I restarted my computer and the popup message did not appear. However, when I went to msconfig again I found that the thing was still selected, although it is now called something different by an unknown author. I then disabled it from startup by unchecking the box. I'm worried that there might still be some residual files on my computer. So how do I delete all of the files related to this. By scrolling right on the msconfig tab it says that its location is HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. But I have no idea how to get to this place, or is this not where I should be looking. Any help is much appreciated. Thanks in advance.

 

[Golden]

Hi Pan,

Those HKCU are registry references. Can you browse to "C:Users\Stephen....."as per the second image you attached, and see if those files are in that location?

BulletStorm is a first-person shooter game. Did you download this, or install it from a DVD/CD?

Regards,
Golden

 

[seekermeister]

Deleting a registry key is ultra simple, but it can also cause severe problems if it isn't done right. Therefore, I would recommend backing up the registry before attempting to change anything in it:

http://www.sevenforums.com/tutorials/4230-registry-backup-restore.html?ltr=R

After doing that, open Regedit and in much the same manner that you would use a file manager, you use Regedit by expanding the left hand tree one step at a time, according to the path given in msconfig. Once there, find the key in the right window, right click it and select delete. Keep in mind that there are probably other keys in that location that are not from that program, so take care in your selection.

EDIT: Another precaution that would be good to take is to create a new System Restore point beforehand.

 

[pan]

Hi Pan,

Those HKCU are registry references. Can you browse to "C:Users\Stephen....."as per the second image you attached, and see if those files are in that location?

BulletStorm is a first-person shooter game. Did you download this, or install it from a DVD/CD?

Regards,
Golden

In "C:Users\Stephen....." is where I found the two files jucheck and and the .tmp. I already deleted those. And no I have never even heard of bulletstorm.

I will now try to do what seekermeister has recommended and post back the results in a bit. Thanks everybody for all your help.