Solved: System32 file open at startup


911's Avatar
911 911 is offline 911 has a Profile Picture
Computer Specs
Member with 543 posts.
THREAD STARTER
 
Join Date: Mar 2003
Location: Endwell, NY
Experience: Still learning........
06-Jun-2006, 01:00 AM #1
Solved: System32 file open at startup
Last week I got infected by a ZLOB trojan. It was pretty tough to get rid of. It kept coming back after my AVs said they had removed it. I went into safe mode and ran both CA and AVG antivirus programs, followed by Ad-Aware and Spybot (all with the latest updates). After all 4 said they removed it, it seems to be gone, but now something somewhere in the (XP-Pro) system keeps opening (or leaving open) the file C:\Windows\system32 at every boot-up on top of my desktop. I need to click it closed at every start-up.

It does not happen when I start in safe mode, so I suspected something in the Startup folder. However, when I use Msconfig to disable everything in my Startup folder it still happens. I tried running SFC /scannow, which churned for more than 90 minutes but exited without reporting any errors. I have run "Windows Registry Repair-Pro", which reported and fixed 'problems' but did nothing to resolve the problem. I have only been using XP for a short time, and I don't know enough to mess around inside the registry, so I am about out of ideas.

I would appreciate any advice.
kiwiguy's Avatar
Member with 17,584 posts.
 
Join Date: Aug 2003
Location: New Zealand
06-Jun-2006, 02:23 AM #2
911's Avatar
911 911 is offline 911 has a Profile Picture
Computer Specs
Member with 543 posts.
THREAD STARTER
 
Join Date: Mar 2003
Location: Endwell, NY
Experience: Still learning........
07-Jun-2006, 07:46 PM #3
Thanks, Kiwiguy. That looked promising, but I can't find anything in those registry keys that fits the description of any of the causes. I also can't seem to find anything else in the MS database. I have removed both AVG7 and Spybot on the theory that the problem emerged after installing, updating and using them, but that didn't do any good. When it becomes annoying enough, I may try replacing Windows itself, but that will be a last resort.
Rick1953's Avatar
Rick1953 Rick1953 is offline
Senior Member with 539 posts.
 
Join Date: Feb 2002
07-Jun-2006, 08:23 PM #4
Go to this site, scroll down to #260 on the right-hand side, click on "System32 folder opens upon boot" and save the file to your desktop.
http://www.kellys-korner-xp.com/xp_tweaks.htm
Click on the file to run it. You may get a warning from your AV program because it's a VBS file, but it's OK to use.
ozrom1e's Avatar
Computer Specs
Member with 11,849 posts.
 
Join Date: May 2006
Experience: Advanced
07-Jun-2006, 09:34 PM #5
To download HijackThis (HJTsetup.exe), go to the following: http://www.thespykiller.co.uk/html/downloads.html
Save the file to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\HijackThis.
Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialog box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
At the top of the Notepad HJT log screen, hit Edit, then Select All, then click Edit and then Copy. Doing that copies the text to the clipboard; you won't see it yet....
Open a TechSupportGuy forum Reply window for this thread, to have ready to paste the HijackThis log into. Click once to place the typing cursor in the reply window.
At the top of your TSG/browser window, hit Edit, then Paste.
You should see your copied HijackThis log appear in the reply space.... Then submit the reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
911's Avatar
911 911 is offline 911 has a Profile Picture
Computer Specs
Member with 543 posts.
THREAD STARTER
 
Join Date: Mar 2003
Location: Endwell, NY
Experience: Still learning........
08-Jun-2006, 12:28 AM #6
Rick1953: The result was "This script cannot repair your issue. The expected Registry value was not found." I guess that was looking for a different bug. Thanks anyway.

ozrom1e - Here is the resulting file:

Logfile of HijackThis v1.99.1
Scan saved at 12:14:11 AM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\101Clips\101clips.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Arby Ritt\Desktop\iefix\IEFix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.iwon.com
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [MsiMyDesktop] C:\Program Files\Mountain Systems, Inc\MyDesktop\MyDesktop.exe WindowsStartup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: 101clips.lnk = C:\Program Files\101Clips\101clips.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Adobe\ZAcrobat 6.0\Reader\Browser\nppdf32.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
crpger's Avatar
crpger crpger is offline
Junior Member with 2 posts.
 
Join Date: Jun 2006
Experience: Advanced
13-Jun-2006, 07:36 AM #7
System32 folder annoyance
Found a TID on Symantec regarding the ZLOB trojan, which I currently had on my system. After cleaning it off with Spybot, the C:\Windows\System32 folder would repeatedly open upon logon to XP Pro. I fixed it by deleting the following key from the registry and rebooting.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

There should be an entry or two looking like kernel32.dll c:\windows\system32, etc.

Just delete the entire RUN key so the Explorer key is empty.

You should also follow the Symantec doc about removing the ZLOB trojan manually. I found some leftover files, even after the cleaning. Just delete them and empty the recycle bin.
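An added example, not code from this thread or from HijackThis: a small Python triage pass over the HJT log format posted above. It flags the two entry shapes discussed in this thread, a BHO whose file is gone (the `Nothing` O2 line in the posted log) and an autostart value that points at a bare folder instead of a program, which is the Policies\Explorer\Run entry crpger describes. The Policies\Explorer\Run line in the sample is constructed in the layout later HJT versions use for that key (an assumption); the posted 1.99.1 log contains no such line.

```python
import re

# Constructed sample: O2/O4 lines copied from the HijackThis log posted in this thread,
# plus one line (assumed HJT 2.x layout, not present in the posted 1.99.1 log) shaped
# like the Policies\Explorer\Run entry crpger describes.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MsiMyDesktop] C:\Program Files\Mountain Systems, Inc\MyDesktop\MyDesktop.exe WindowsStartup
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKLM\..\Policies\Explorer\Run: [kernel32.dll] c:\windows\system32
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Shortest prefix ending in an executable extension, followed by whitespace or end of line.
EXE_RE = re.compile(r"^(?P<target>.*?\.(?:exe|com|scr|dll|cmd|bat|vbs|pif))(?:\s|$)", re.I)


def target_of(cmd: str) -> str:
    """Return what an O4 command line launches, with quotes and arguments removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = EXE_RE.match(cmd)
    # No executable extension anywhere: the whole value is the target, e.g. a bare folder.
    return m.group("target") if m else cmd


def triage(log_text: str) -> list:
    """Flag BHOs whose file is gone and autostart entries that launch no executable."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append({"name": m.group("name"), "reason": "BHO registered but file missing"})
            continue
        m = O4_RE.match(line)
        if not m:
            continue  # other O-sections and 'Global Startup' lines are out of scope here
        target = target_of(m.group("cmd"))
        if not EXE_RE.match(target):
            # Explorer 'runs' a bare folder path by opening it in a window; an entry of this
            # shape is what leaves C:\Windows\system32 sitting on the desktop after logon.
            findings.append({"name": m.group("name"), "key": m.group("key"),
                             "target": target, "reason": "autostart target is not an executable"})
    return findings


for finding in triage(SAMPLE_LOG):
    print(finding["reason"], "->", finding)
```

Point it at a saved HijackThis log instead of SAMPLE_LOG; what it flags is a lead for whoever reads the log, not a fix instruction.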
ozrom1e's Avatar
Computer Specs
Member with 11,849 posts.
 
Join Date: May 2006
Experience: Advanced
13-Jun-2006, 10:08 AM #8
crpger - The registry entry you show in your post is not in the HijackThis log. Seeing as you have just arrived here at TSG, I would like to welcome you to the forums. You may or may not be familiar with HJT log files, but the best procedure on them when they are posted is to let the experts diagnose them and take the member through any procedures for cleaning their system. The HJT (HijackThis) team are the only ones allowed to do this.
cybertech's Avatar
Moderator with 69,339 posts.
 
Join Date: Apr 2002
Location: USA
13-Jun-2006, 03:06 PM #9
Let's see if you got rid of the infection.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
crpger's Avatar
crpger crpger is offline
Junior Member with 2 posts.
 
Join Date: Jun 2006
Experience: Advanced
13-Jun-2006, 06:16 PM #10
Member 911 requested help on stopping the c:\windows\system32 folder from opening every time he logged into XP pro. I was simply giving him an option to try since I just went through the same ordeal. I'm curious to see if my suggestion worked for him. Thx.
Rainbow32's Avatar
Rainbow32 Rainbow32 is offline
Member with 77 posts.
 
Join Date: May 2006
Experience: 50/50
13-Jun-2006, 08:38 PM #11
crpger, take ozrom1e's advice, as I got whacked pretty good by cybertech for posting in a HJT thread even though my advice was good.
ozrom1e's Avatar
Computer Specs
Member with 11,849 posts.
 
Join Date: May 2006
Experience: Advanced
13-Jun-2006, 10:31 PM #12
crpger, not trying to hurt your feelings, but since you are new to the TSG forum and not an authority on HJT, with only 2 posts here and nobody saying that you have been through the HJT schooling to be certified, it would be better not to try to solve these ongoing threads once a qualified person takes them.
cybertech's Avatar
Moderator with 69,339 posts.
 
Join Date: Apr 2002
Location: USA
13-Jun-2006, 11:42 PM #13
911 has been here long enough to make her/his own decision. All other comments are just clouding the issue.

EDIT: But thanks ozrom1e for your positive comments.
QuickRick's Avatar
QuickRick QuickRick is offline
Junior Member with 7 posts.
 
Join Date: Aug 2004
Experience: Intermediate
14-Jun-2006, 08:14 PM #14
What happened here.....
I had a similar experience to 911.... I have run the SmitfraudFix program and gotten my file showing an infection. What do I do next... didn't see 911 come back.
911's Avatar
911 911 is offline 911 has a Profile Picture
Computer Specs
Member with 543 posts.
THREAD STARTER
 
Join Date: Mar 2003
Location: Endwell, NY
Experience: Still learning........
14-Jun-2006, 09:22 PM #15
Sorry. I've been away with some personal stuff.
To crpger: I don't see that entry.

To Cybertech: Here is the Smitfraud log.

SmitFraudFix v2.50

Scan done at 21:18:40.05, Wed 06/14/2006
Run from C:\Documents and Settings\Arby Ritt\Desktop\SmitfraudFix 3\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

C:\Documents and Settings\Arby Ritt\Application Data


Start Menu


C:\DOCUME~1\ARBYRI~1\FAVORI~1

C:\DOCUME~1\ARBYRI~1\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0c7416f0-dd23-420f-97f5-aae352ea2bf1}"="glochid"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e5b1e382-817e-4b74-8a96-ec78751e6acf}"="incatenate"


Scanning wininet.dll infection


End

Last edited by 911; 14-Jun-2006 at 09:36 PM..