Ever since I downloaded Avast Home Edition 4.7.1029, I’ve been having the same problem. When I turn on the computer, My Documents opens up twice. I don’t know if this is a problem, but it is rather annoying because I have to close them down both.
So, what’s up with that anyway? Anyone encountered the same problem? What should I do?
Thanks a lot 
Go START>ALL PROGRAMMES>STARTUP and see if there is anything in there you do not recognise.
Failing that drop a Hijackthis log in your next post and I will have a look at the startup files
[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
When folders open on startup it is usually because there is a registry entry to run a file in the folder displayed which is missing. The is often a symptom of malware previously on your system where the file has been deleted/moved but the registry entry still exists.
Running HiJackThis as suggested by essexboy should show these up.
On the first scan (boot-time) after you installed avast were there any detections ?
I can’t paste it onto here because it exceeds the 10000 characters limit. WHere else can I send it to you?
No, none. ???
You can past in parts (two or three posts).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:01 AM, on 08/12/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\The Weather Channel FW\Desktop
Weather\DesktopWeather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://ie.redirect.hp.com/svs/rdr?
TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=secon
duser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://ie.redirect.hp.com/svs/rdr?
TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=sec
onduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://ie.redirect.hp.com/svs/rdr?
TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=secon
duser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.hp.com/svs/rdr?
TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=sec
onduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://ie.redirect.hp.com/svs/rdr?
TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=sec
onduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ie.redirect.hp.com/svs/rdr?
TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=secon
duser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-
0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-
E57AF4D5FA7D} - (no file)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-
4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no
file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-
CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-
CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar4.dll
O4 - HKLM..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot
Optimizer\HPBootOp.exe" /run
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1
\MotiveSB.exe
O4 - HKLM..\Run: [nmapp] "C:\Program Files\Pure Networks\Network
Magic\nmapp.exe" -autorun
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic
Insight\SemanticInsight.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM..\Run: [SSBkgdUpdate] "C:\Program Files\Common
Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0
\OpwareSE4.exe"
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [DW4] "C:\Program Files\The Weather Channel
FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU..\Run: [swg] C:\Program
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKUS\S-1-5-19..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe
/RUNONCE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe
/RUNONCE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe
/RUNONCE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe
/RUNONCE (User ‘Default user’)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program
Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Search -
http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-
AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-
462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-
Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra ‘Tools’ menuitem: Connection Help - {E2D4D26B-0180-43a4-
B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-
Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-
800749B94EED} - C:\Program
Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra ‘Tools’ menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849
-800749B94EED} - C:\Program
Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-
BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) - http://go.microsoft.com/fwlink/?
linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class)
Uploader Control) -
http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert
Class) -
http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/Pht
PkMSN.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) -
http://static.zangocash.com/cab/Zango/ie/bridge-c46.cab?
7378e17007b888cf2ccc96ed3ef0bbbde21534fa5f1dae8c09d76d01d8b37de8348b7ed
89e3e7648d9d77f153c62217aee8cd05518f9cceec733be0f741393a72a229602c0:922
26d1eb566b3551014cc57584483b6
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647}
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050
\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service
(LightScribeService) - Hewlett-Packard Company - C:\Program
Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure
Networks, Inc. - C:\Program Files\Pure Networks\Network
Magic\nmsrvc.exe
O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks,
Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation -
C:\Program Files\Viewpoint\Common\ViewpointService.exe
–
End of file - 10554 bytes
You have infected (adware) items.
I’m not an expert on HijackThis… But you can check the automatic analysis of your HijackThis log here.
You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:
If you don’t recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you’re sure it’s a malware item, you can remove it as posted bellow.
If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can turn back to HijackThis program, check the box of this item and then remove it using the button ‘Fix checked’.
Hope it helps.
If you want to do it by yourself, click here to download HJTsetup.exe
[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
I did what you said. At first, I’m wasn’t really sure exactly what to look for.
There’s was on that says FIX IF UNKNOWN in green. It’s called F2 - REG:system.ini: UserInit=userinit.exe,EXPLOR ER.EXE and described as Autoloading programs
I fix checked it and restarted the computer. This time, my documents only opened once. So, we’re making progress.
Thanks a lot for your help. I’m gonna look at everything again and see if I can remove something.