
Solved: System32 file open at startup

Discussion in 'Virus & Other Malware Removal' started by 911, Jun 6, 2006.

Thread Status:
Not open for further replies.
  1. 911

    911 Thread Starter

    Mar 25, 2003
    Last week I got infected by a ZLOB trojan. It was pretty tough to get rid of. It kept coming back after my AVs said they had removed it. I went into safe mode and ran both CA and AVG antivirus programs, followed by Ad-Aware and Spybot (all with the latest updates). After all 4 said they removed it, it seems to be gone, but now something somewhere in the (XP-Pro) system keeps opening (or leaving open) the file C:\Windows\system32 at every boot-up on top of my desktop. I need to click it closed at every start-up.

    It does not happen when I start in safe mode, so I suspected something in the Startup folder. However, when I use Msconfig to disable everything in my Startup folder it still happens. I tried running SFC /scannow, which churned for more than 90 minutes but exited without reporting any errors. I have run "Windows Registry Repair-Pro", which reported and fixed 'problems' but did nothing to resolve the problem. I have only been using XP for a short time, and I don't know enough to mess around inside the registry, so I am about out of ideas.

    I would appreciate any advice.
  2. kiwiguy


    Aug 17, 2003
  3. 911

    911 Thread Starter

    Mar 25, 2003
    Thanks, Kiwiguy. That looked promising, but I can't find anything in those registry keys that fit the description of any of the causes. I also can't seem to find anything else in the MS database. I have removed both AVG7 and Spybot on the theory that the problem emerged after installing, updating and using them, but that didn't do any good. When it becomes annoying enough, I may try replacing Windows itself, but that will be a last resort.
  4. Rick1953


    Feb 15, 2002
    Go to this site and scroll down to #260 on the right-hand side, click on "System32 folder opens upon boot" and save the file to your desktop.
    Click on the file to run it. You may get a warning from your AV program because it's a VBS file, but it's O.K. to use.
  5. ozrom1e


    May 15, 2006
    To download HijackThis (HJTsetup.exe), go to the following: http://www.thespykiller.co.uk/html/downloads.html
    Save the file to your desktop.
    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\HijackThis.
    Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialog box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    At the top of the Notepad HJT log screen, hit Edit, then Select All, then click Edit and then Copy. Doing that copies the text to the clipboard; you won't see it yet.
    Open a TechSupportGuy forum Reply window for this thread, to have ready to paste the Hijackthis log into. Click once to place the typing cursor in the reply window.
    At the top of your TSG/browser window, hit Edit, then Paste.
    You should see your copied HijackThis log appear in the reply space. Then submit the reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
  6. 911

    911 Thread Starter

    Mar 25, 2003
    Rick1953: The result was "This script cannot repair your issue. The expected Registry value was not found." I guess that was looking for a different bug. Thanks anyway.

    ozrom1e - Here is the resulting file:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:14:11 AM, on 6/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-\QOELoader.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\101Clips\101clips.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\Documents and Settings\Arby Ritt\Desktop\iefix\IEFix.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.iwon.com
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - (no file)
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-\QOELoader.exe"
    O4 - HKLM\..\Run: [MsiMyDesktop] C:\Program Files\Mountain Systems, Inc\MyDesktop\MyDesktop.exe WindowsStartup
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - Global Startup: 101clips.lnk = C:\Program Files\101Clips\101clips.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Adobe\ZAcrobat 6.0\Reader\Browser\nppdf32.dll
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
  7. crpger


    Jun 13, 2006
    Found a TID on Symantec regarding the ZLOB trojan, which I currently had on my system. After cleaning it off with Spybot, the C:\Windows\System32 folder would repeatedly open upon logon to XP Pro. I fixed it by deleting the following key from the registry and rebooting.


    There should be an entry or two looking like kernel32.dll c:\windows\system32, etc.

    Just delete the entire RUN key so the Explorer key is empty.

    You should also follow the Symantec doc about removing the ZLOB trojan manually. I found some leftover files, even after the cleaning. Just delete them and empty the recycle bin.
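The two posts above (ozrom1e's instruction to post the HijackThis log without fixing anything, and crpger's description of a Run value named like a system DLL whose data is a bare folder path) lend themselves to a small triage script. The following is an added example, not code from this thread, from HijackThis or from Symantec: it parses O4/O2 lines in HijackThis 1.99 format and flags the patterns a reviewer would look at first, in particular a Run value whose target is not an executable (Explorer then opens it as a folder at logon, which is exactly the symptom 911 reports). The sample lines are constructed, modelled on the log posted in this thread; the `kernel32.dll` value is a hypothetical entry of the kind crpger describes and does not appear in 911's log. Flagged entries are for review only; the script changes nothing.

```python
"""Triage autorun entries from a HijackThis 1.99 log (added example, not HJT's own code)."""
import re
from typing import Dict, List

# Extensions Explorer will launch as a program; anything else in a Run value
# is opened with its file-type handler (a bare folder path opens in Explorer).
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk"}

# O4 - HKLM\..\Run: [ValueName] command line
O4_KEY_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w ]+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# O4 - Global Startup: shortcut.lnk = path
O4_STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>[^=]+?)\s*=\s*(?P<cmd>.*)$")
# O2 - BHO: name - {CLSID} - path
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

# Constructed sample modelled on the log in this thread; the kernel32.dll line is hypothetical.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [kernel32.dll] c:\windows\system32
O4 - Global Startup: 101clips.lnk = C:\Program Files\101Clips\101clips.exe
"""


def launch_target(cmd: str) -> str:
    """Return the path Explorer would try to start for a Run value's data."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path that may contain spaces: cut at the first executable extension.
    m = re.match(r"(?i)^(.*?\.(?:exe|com|bat|cmd|scr|pif|vbs|js))(?=\s|$)", cmd)
    return m.group(1) if m else cmd              # no extension at all: the whole value is the target


def is_executable(path: str) -> bool:
    """True if the last path component carries an extension Explorer runs as a program."""
    dot = path.rfind(".")
    sep = max(path.rfind("\\"), path.rfind("/"))
    return dot > sep and path[dot:].lower() in EXEC_EXTS


def triage_hjt_log(text: str) -> List[Dict[str, str]]:
    """Return review findings for O4 autorun and O2 BHO lines; nothing is modified."""
    findings: List[Dict[str, str]] = []
    targets_seen: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        m = O4_KEY_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            hive = m.groupdict().get("hive")
            where = f"{hive}\\..\\{m.group('key')}" if hive else m.group("key")
            target = launch_target(cmd)
            if not is_executable(target):
                # The symptom in this thread: a folder path as Run data opens that folder at logon.
                findings.append(dict(kind="non-executable-target", where=where, name=name, detail=target))
            if name.lower().endswith(".dll"):
                # Run values are free-form names; one named after a system DLL matches crpger's description.
                findings.append(dict(kind="dll-named-run-value", where=where, name=name, detail=cmd))
            targets_seen.setdefault(target.lower(), []).append(name)
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            # Orphaned BHO registration: harmless by itself, but worth cleaning up after a removal.
            findings.append(dict(kind="orphaned-bho", where="O2", name=m.group("clsid"), detail=m.group("name")))
    for target, names in targets_seen.items():
        if len(names) > 1:
            findings.append(dict(kind="duplicate-target", where="O4", name=", ".join(names), detail=target))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f['kind']:24} {f['where']:14} [{f['name']}] {f['detail']}")
```

Run it against a saved log with `triage_hjt_log(open("hijackthis.log").read())`; every finding is a pointer for the person reading the log, not a fix, which matches the advice in the thread to let the log be reviewed before anything is removed.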
  8. ozrom1e


    May 15, 2006
    crpger - The registry entry you show in your post is not in the HijackThis log. Seeing as you have just arrived here at TSG, I would like to welcome you to the forums. You may or may not be familiar with HJT log files, but the best procedure on them when they are posted is to let the experts diagnose them and take the member through any procedures for cleaning their system. The HJT (HijackThis) team are the only ones allowed to do this.
  9. cybertech

    cybertech Moderator

    Apr 16, 2002
    Let's see if you got rid of the infection.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
  10. crpger


    Jun 13, 2006
    Member 911 requested help on stopping the c:\windows\system32 folder from opening every time he logged into XP pro. I was simply giving him an option to try since I just went through the same ordeal. I'm curious to see if my suggestion worked for him. Thx.
  11. Rainbow32


    May 27, 2006
    crpger, take ozrom1e's advice, as I got whacked pretty good by cybertech for posting in a HJT thread even though my advice was good. :rolleyes:
  12. ozrom1e


    May 15, 2006
    crpger, not trying to hurt your feelings, but since you are new to the TSG forum and not an authority on HJT, with only 2 posts here, and nobody says that you have been through the HJT schooling to be certified, it would be better not to try to solve these ongoing threads once a qualified person takes them.
  13. cybertech

    cybertech Moderator

    Apr 16, 2002
    911 has been here long enough to make her/his own decision. All other comments are just clouding the issue.

    EDIT: But thanks ozrom1e for your positive comments.
  14. QuickRick


    Aug 19, 2004
    I had a similar experience to 911. I have run the SmitfraudFix program and gotten my file showing an infection. What do I do next? I didn't see 911 come back.
  15. 911

    911 Thread Starter

    Mar 25, 2003
    Sorry. I've been away with some personal stuff.
    To crpger: I don't see that entry.

    To Cybertech: Here is the Smitfraud log.

    SmitFraudFix v2.50

    Scan done at 21:18:40.05, Wed 06/14/2006
    Run from C:\Documents and Settings\Arby Ritt\Desktop\SmitfraudFix 3\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Arby Ritt\Application Data

    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ARBYRI~1\FAVORI~1

    C:\DOCUME~1\ARBYRI~1\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "FriendlyName"="My Current Home Page"

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll
    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

    »»»»»»»»»»»»»»»»»»»»»»»» End

Short URL to this thread: https://techguy.org/473067