File appdata\roaming\startup_str_***.vbs not found

Solved
Steewy -  
bazfile Posted messages 58491 Registration date   Status Moderator Last intervention   -

Hello,

I have several missing files on my computer for a few days now.
Every time I restart my computer, several pop-ups appear telling me that files are missing:

C:\Users\....\AppData\Roaming\startup_str_675.vbs

and it’s not the only one; I get the same message showing different numbers like str_569, 230, 194, 626, 363, 854, and 81.

I’ve tried to find a way to solve my problem on several forums, but I didn’t want to mess with it and preferred to ask for help instead of doing something foolish.

PS: I’m on Windows 10


1 answer

  1. bazfile Posted messages 58491 Registration date   Status Moderator Last intervention   20 266
     

    Hello.

    Download FRST.

    Once downloaded, save it to the desktop then right-click on FRST and select Run as administrator you will see this:

    Wait for the message the tool is ready to work to appear then click on Analyze


    Warning, wait for the messages indicating that the analysis is complete to appear.

    At the end of the analysis, you will have two text files on the desktop FRST and Addition.

    Then send the FRST and ADDITION reports to https://www.cjoint.com/ then provide the two links generated by https://www.cjoint.com/ in your reply.


    bazfile
    Moderator/Contributor security.
    a hello, a response, a thank you are always appreciated.

    1
    1. Steewy
       

      Re_
      Here are the two links you requested

      FRST : https://www.cjoint.com/c/NCAqTF36dv1 
      ADDITION : https://www.cjoint.com/c/NCAqUZ6kYP1 

      0
      1. bazfile Posted messages 58491 Registration date   Status Moderator Last intervention   20 266 > Steewy
         

        Procedure to follow in the indicated order:

        1- Open FRST as an administrator by right-clicking on FRST and selecting run as administrator
        2 - Copy the entire script found in the following box:

          Start:: CreateRestorePoint: CloseProcesses: Virusscan: C:\WINDOWS\SysWOW64\launcher.scr Virusscan: C:\Users\Steewy\AppData\Roaming\startup_str_675.vbs Virusscan: C:\Program Files (x86)\Google\GoogleUpdater\124.0.6359.0\updater.exe HKLM-x32\...\Run: [Star Rail_launcher_hoyoverse_PC_1_1] => [X] HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [AF_uuid_2426960] => 8826d2b9-a615-41a0-b39b-8d98d1d421d1*wMatrix)***********îÄì0*^*€GL_EXT_s (No file) HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [AF_counter_2426960] => 8 (No file) HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [AMDNoiseSuppression] => "C:\WINDOWS\system32\AMD\ANR\AMDNoiseSuppression.exe" (No file) HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [RuntimeBroker_startup_675_str] => wscript.exe "C:\Users\Steewy\AppData\Roaming\startup_str_675.vbs" [116 2024-03-06] () [Unsigned file] HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [RuntimeBroker_startup_81_str] => wscript.exe "C:\Users\Steewy\AppData\Roaming\startup_str_81.vbs" [115 2024-03-06] () [Unsigned file] HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [RuntimeBroker_startup_854_str] => wscript.exe "C:\Users\Steewy\AppData\Roaming\startup_str_854.vbs" [116 2024-03-26] () [Unsigned file] HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [RuntimeBroker_startup_363_str] => wscript.exe "C:\Users\Steewy\AppData\Roaming\startup_str_363.vbs" [116 2024-03-26] () [Unsigned file] HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [RuntimeBroker_startup_626_str] => wscript.exe "C:\Users\Steewy\AppData\Roaming\startup_str_626.vbs" [116 2024-03-26] () [Unsigned file] HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [RuntimeBroker_startup_194_str] => wscript.exe "C:\Users\Steewy\AppData\Roaming\startup_str_194.vbs" [116 2024-03-26] () [Unsigned file] HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [RuntimeBroker_startup_230_str] => wscript.exe "C:\Users\Steewy\AppData\Roaming\startup_str_230.vbs" [116 2024-03-26] () [Unsigned file] HKU\S-1-5-21-2045856332-3954248049-232283468-1001\...\Run: [RuntimeBroker_startup_569_str] => wscript.exe "C:\Users\Steewy\AppData\Roaming\startup_str_569.vbs" [116 2024-03-26] () [Unsigned file] Task: {7991ACCA-FB7E-44D8-922A-A6EE3B3A5CBD} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem124.0.6359.0{9F9D274C-EB88-4C3C-A1AA-E224B4D955E5} => C:\Program Files (x86)\Google\GoogleUpdater\124.0.6359.0\updater.exe [4749088 2024-03-15] (Google LLC -> Google LLC) S3 ksophon_x64; \??\D:\Tower Of Fantasy\Hotta\Binaries\Win64\ksophon_x64.sys [X] U4 npcap_wifi; no ImagePath S2 GoogleUpdaterInternalService124.0.6359.0; C:\Program Files (x86)\Google\GoogleUpdater\124.0.6359.0\updater.exe [4749088 2024-03-15] (Google LLC -> Google LLC) S2 GoogleUpdaterService124.0.6359.0; C:\Program Files (x86)\Google\GoogleUpdater\124.0.6359.0\updater.exe [4749088 2024-03-15] (Google LLC -> Google LLC) CustomCLSID: HKU\S-1-5-21-2045856332-3954248049-232283468-1001_Classes\CLSID\{89b2b650-c4dd-d68b-46e7-3176f1973c8b}\localserver32 -> "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" -ToastActivated => No file C:\Users\Steewy\AppData\Roaming\startup_str_675.vbs C:\Users\Steewy\AppData\Roaming\startup_str_81.vbs C:\Users\Steewy\AppData\Roaming\startup_str_854.vbs C:\Users\Steewy\AppData\Roaming\startup_str_363.vbs C:\Users\Steewy\AppData\Roaming\startup_str_626.vbs C:\Users\Steewy\AppData\Roaming\startup_str_194.vbs C:\Users\Steewy\AppData\Roaming\startup_str_230.vbs C:\Users\Steewy\AppData\Roaming\startup_str_569.vbs C:\Program Files (x86)\Google\GoogleUpdater\124.0.6359.0\updater.exe C:\Users\Steewy\AppData\Roaming\startup_str_854.bat cmd: netsh advfirewall reset EmptyTemp: End::

        3- Once the script is copied click on Fix, FRST will automatically take the script from the clipboard.


        Let the correction take place once it's completed you will be prompted to restart your PC, do it as soon as you are asked, see below.

        Then once your computer has restarted:
        4- You will have a Fixlog file on your desktop then send this fixlog report to https://www.cjoint.com/ then provide the link generated by https://www.cjoint.com/ in your reply.

        5- CHECK AND LET ME KNOW IF YOUR ISSUE IS STILL PRESENT

        1
      2. Steewy > bazfile Posted messages 58491 Registration date   Status Moderator Last intervention  
         

        Re_

        No more pop-ups when starting the computer, thank you very much!

        https://www.cjoint.com/c/NCAr3OzcQZ1

        0
      3. bazfile Posted messages 58491 Registration date   Status Moderator Last intervention   20 266 > Steewy
         

        The fixlog is OK.

        Given the nature of the infection, change your sensitive and important online passwords.


        Uninstall FRST, rename the FRST file you downloaded to uninstall, and then once the file is renamed, open it; the uninstallation will occur automatically via a PC restart.

        0