
[Resolved] System32.exe killing me

Discussion in 'Virus & Other Malware Removal' started by louisj23, Feb 19, 2003.

  1. louisj23

    louisj23 Thread Starter

    Joined:
    Jun 11, 2001
    Messages:
    133
    I have a couple of posts prior to this but I said it was resolved...However.

    Got stuck with the worm which loads SYSTEM32.EXE up with Windows and completely uses 100% CPU resources. Got some help and ran Spybot Search & Destroy and that seemed to have cured it.
    Well, system32.exe kept on loading itself so I wanted to get rid of it. Tried to find it everywhere, Windows/system, using regedit, a basic file search, and it was nowhere to be found. So I found a thread that said that I should download the evaluation version of McAfee (I use System Suite Virus scan normally) and run it through its paces and try and kill the thing. Well, McAfee was running and I moved the mouse for a sec and that was it, froze.
    Since that point all that I can do is start up windows and that's it, completely frozen from that point on. If I click on one thing it's over with and I can't open anything.
    Now, I can obviously run in safe mode but I can't do anything with McAfee in safe mode and I was trying to remove it with add/remove programs.
    Anyone have any ideas of where I can go once in safe mode to get rid of this ?
     
  2. louisj23

    louisj23 Thread Starter

    Joined:
    Jun 11, 2001
    Messages:
    133
    just read
    Warning: Kazaakrypton trojan horse program
    and that may be a possibility, I'm not sure though because of system32.exe
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    What Windows version is this?

    Have you tried running McAfee in Safe Mode? You should be able to.
    What happens if you run msconfig in Safe Mode and clear the check for the Startup Group?

    From start, run win.ini and look at the load= and run= lines. Remove any references to that file you see there. You can leave the run= and load= lines just like that, with nothing after them.

    Also look in your System.ini file for the shell=explorer.exe line. It should read only that and have nothing else after it.

    Another way to see what is in system.ini> click Start>Run, enter system.ini so that it opens in Notepad. Check the shell= entry under the [Boot] header. You can modify it and save the file.

    Do a File search for system32.exe and rename or delete it wherever found. Make sure all subdirectories are checked when searching and that in Folder Options > View, you have 'show all files' checked. If it is loading, it must be there someplace.

    Previous thread by poster:

    http://forums.techguy.org/showthread.php?threadid=119014
    ====================
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Click Start>Run and enter regedit
    Navigate to the above folder by clicking the + beside each entry in the path:

    HKey_Local_Machine
    Software
    Microsoft
    Windows
    CurrentVersion

    RunServices

    >> With the RunServices folder highlighted, right click on and delete this entry in the Right hand pane:

    SystemSAS = system32.exe

    This is the worm you have:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.c.worm.html

    In addition to the key I covered above, follow Symantec's instructions and check the other keys as well. Delete the temp folder.

    ===============
    Also your startup list shows this for the scrfile shell open association:

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrFile\shell\open\command

    (Default) = "C:\Program Files\Internet Explorer\Iexplore.exe" %1


    The data value beside the (default) entry should be:


    "%1" /S
     
  4. tpb

    tpb

    Joined:
    Feb 27, 2001
    Messages:
    573
    Hey RR does this entry from his startuplist look suspicious?

    SysTray = c:\windows\system32\syssrcvs.exe
     
  5. louisj23

    louisj23 Thread Starter

    Joined:
    Jun 11, 2001
    Messages:
    133
    I apologize for basically posting the same thread 2x but I wasn't sure if one thing had to do with another, such as if I still have a virus problem or if now I have a registry problem.
    This is from my post in Windows 2000 and some new things I have found out
    3. When starting computer windows 2000 started up and that was it, I was frozen. System32.exe was also still hanging around
    4. In safe mode - Ran McAfee, it found the backdoor file and I got rid of that and also found the system32.exe file in my registry and deleted that.
    5. Computer still will not run under normal mode, windows starts up, then the restore active desktop screen comes up and that's it, I'm done. AND DAMMIT ALL, I just looked in the task manager in safe mode and that damn SYSTEM32.EXE is still there. I have searched high and low for this file. It is not in windows/system, windows/system32, and I went through regedit and looked and only found one and I thought that would do it. Anyone know where else this thing hides?

    I would download the HIJACKTHIS program but how can I install if I am only running in safe mode?
    So, I am running McAfee again and here's another thing.
    A post said to look in my win.ini registry and look for system32.exe under any lines that have it after LOAD or RUN.
    Well, there is not one line in my win.ini that says LOAD or RUN. Could this be my problem? Is there something missing from my registry?
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    tpb, yes that entry sure is suspicious, good catch. I can only get a few enigmatic foreign language hits for it in Google.

    Louis, run regedit and delete the entry for:

    syssrcvs.exe

    within:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    You could open HijackThis in SafeMode, but you could not download it. You would have to copy it over from another system.

    Have you gone through the Symantec article?

    Since you have Win2k, one thing it might really help you to do is download the msconfig file for 2k to a floppy and copy it to C:\WINNT\system32

    Then run it and use it to disable startups.

    whooops, here is where to get it from:

    http://www2.whidbey.net/djdenham/Msconfig.htm

    As for win.ini and system.ini, Win2k is not the same as other Windows versions. I didn't know which you had when I suggested that.
     
  7. louisj23

    louisj23 Thread Starter

    Joined:
    Jun 11, 2001
    Messages:
    133
    Sorry, I forgot to mention that I am at work and have a few other computers around so if it's necessary for me to download it's no problem. Let me try this stuff out and see what happens. Thanks
     
  8. louisj23

    louisj23 Thread Starter

    Joined:
    Jun 11, 2001
    Messages:
    133
    OK RR, here we go,
    I just ran HiJack and I will post the notepad here. I did notice one line though that was kinda funky, which was having Broken internet access due to missing wps.dll.
    Now I haven't done anything and I'm not about to delete anything until I hear from you and then maybe I will try to start my computer again under normal conditions and see if it still freezes up. Thanks a lot for your help thus far.
    Here's the HiJack results

    Logfile of HijackThis v1.91.2
    Scan saved at 2:38:52 PM, on 2/19/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'wps.dll' missing
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37577.4276157407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The protocols for wps.dll were probably created by a Sygate firewall installation. I don't think they are causing any problem, but you could check the box for HijackThis to 'fix' it. If Sygate is still installed, leave it.

    HijackThis has identified where you are getting system32.exe loaded from:

    system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe

    However I'm not sure what it will do if you try to have it "fix" it.
    Instead go to start and run system.ini so that it opens in notepad.

    Locate the entry:

    Shell=Explorer.exe C:\WINDOWS\System32\system32.exe

    and make it read only: shell=explorer.exe

    Close the file and save the change when prompted.

    you 'should' be able to find that system32.exe in c:\windows\system32.

    If the problem persists, then something else is reloading it.
     
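The launch points Rog walks through in posts 3 and 9 (the system.ini shell= line, the win.ini load=/run= lines, and the HijackThis F0 entry), as an added Python example that is not part of the thread or of HijackThis; the INI text, the extra.exe name and the function names are constructed for illustration.

```python
import configparser
import re

# Constructed samples: the infected [boot] shell= line from the HijackThis
# log in this thread, and a clean win.ini with empty load=/run= lines.
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\System32\\system32.exe\n"
WIN_INI = "[windows]\nload=\nrun=\n"


def _get(ini_text, section, key):
    """Read one key from INI text. Section names match case-insensitively
    (the thread writes [Boot]); RawConfigParser disables %-interpolation."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(ini_text)
    for name in cp.sections():
        if name.lower() == section.lower() and cp.has_option(name, key):
            return cp.get(name, key).strip()
    return ""


def audit_shell(system_ini):
    """Return whatever is chained after explorer.exe on the shell= line.
    Empty string means clean; anything else is a second program Windows
    launches at every logon alongside the real shell."""
    value = _get(system_ini, "boot", "shell") or "explorer.exe"
    parts = value.split(None, 1)
    if parts[0].lower() != "explorer.exe":
        return value  # the shell itself was replaced: report the whole value
    return parts[1].strip() if len(parts) > 1 else ""


def audit_load_run(win_ini):
    """Return (key, value) pairs for non-empty load=/run= lines in win.ini."""
    findings = []
    for key in ("load", "run"):
        value = _get(win_ini, "windows", key)
        if value:
            findings.append((key, value))
    return findings


def parse_f0(line):
    """Run audit_shell on a HijackThis 'F0 - system.ini: Shell=...' line.
    Returns None when the line is not an F0 entry."""
    m = re.match(r"F0 - system\.ini:\s*Shell=(.*)", line, re.I)
    return None if m is None else audit_shell("[boot]\nshell=" + m.group(1) + "\n")


def fix_shell(system_ini):
    """Rewrite the shell= line to its default, the manual fix Rog describes."""
    return re.sub(r"(?im)^(shell\s*=).*$", r"\g<1>explorer.exe", system_ini)
```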
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It's possible that this line may have been associated with Sygate if you still have it:

    SysTray = c:\windows\system32\syssrcvs.exe

    If you've deleted it using regedit, we can manually restore it if necessary.

    You can confirm the association by doing a file search for syssrcvs.exe

    Right click on it and select Properties > version. If it is Sygate's, we need to put it back if the program is still installed. I didn't see any other Sygate entries in your startup which is peculiar if it is supposed to be running.
     
  11. louisj23

    louisj23 Thread Starter

    Joined:
    Jun 11, 2001
    Messages:
    133
    Oh man,
    Well, I clicked on "fix it" in HiJack and it came up with a message box with an exclamation titled "D'OH" followed by..I'm so stupid I forgot to implement this, bug me about it.
    F0 - System.ini: Shell=Explorer.exe
    C:\Windows\System32\system32.exe"

    Then the weird thing was that I couldn't find the shell explorer entry in win.ini
    and then when I go to my System32 file it's not there either. Now you can see why I've been having a hard time finding this thing, it's not where it says it should be.

    So I am rebooting now and it has been on loading your personal settings for a couple of minutes now, which may happen due to everything I did but this is kinda long.....Wait a minute, wait a minute. IT'S UP, IT'S NOT FREEZING, IT'S LETTING ME ACCESS PROGRAMS, and for the final test I shall open up my task manager and......SYSTEM32.EXE IS NOT THERE!!!!!

    I swear to God this is the best forum. Rog, thank you.
    I think it's ok now, at least enough to where I can work in it and fix anything left behind.
    Wow, now I'm going to go on to Kazaa and download a ton of stuff since it's running....
    bad joke, sorry
     
  12. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Rog,

    FYI, Hijack This will restore the default "Explorer.exe" value data for you, and remove possible additions to that line. You don't need to do it manually.

    I just tested it on XP, and it fixes it there as well.
     
  13. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    I edited my System ini shell line to read Shell = Explorer.exe test.exe and ran Hijack This.

    It identified it, and then gave me exactly the same message as you got.

    Merijn has a good sense of humor! :)

    After I clicked OK, and reopened Regedit (this is in XP, remember) the Shell line was once again reset to its default value Explorer.exe.
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Lol; you had me worried there for a minute. Couldn't imagine what the heck you were seeing.

    Anyway, it seems good ol' merijn has done the job and had all the bases covered. Thanks for the confirmation Tony.

    I'll mark this 'resolved' for now then. Let us know if you need any further follow-up.
     