Solved

Windows cannot find C:\WINDOWS\System32\winsys.exe

Posted on 2003-02-26
Last Modified: 2008-08-19
I am running Windows XP Pro. When I start up my computer the error message "Windows cannot find C:\windows\system32\winsys.exe" always pops up.  It started after I followed Symantec's advice on removing the virus "w32.kwbot.d.worm".  I removed the value "winsys" in the right pane of each of these registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

I would imagine that the virus put something on my computer that is trying to use that key on startup.  It's not in the startup options under msconfig so I can't disable it.  Where else might I look to keep Windows from looking for this file on startup?

Thanks
Question by:caw81677
10 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8027265
http://www.pestpatrol.com/PestInfo/W/Win-Spy.asp

Will not show up in Add/Remove programs. Run c:\winnt\unin.exe to disable. But this uninstaller will not remove smt.exe, unin.exe, winsys.exe, or any of the dll's it installs.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8027276
Look in all of these

Look to see if it is in the registry under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce


Some other registry settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8027296
Start > Run msconfig

Click the startup tab and experiment by unchecking some of the items in there and see what happens.
0
 

Author Comment

by:caw81677
ID: 8031212
Thank you for your suggestions.
I already checked all of those registry keys and under Start > Run msconfig.  When Norton scanned my system for viruses it basically quarantined the winsys.exe file that was infected but cannot repair it.  Now, when I restart the computer, some program is looking to run that file.  How can I find out what program is looking to run that file and disable it? I have tried a program called "startup list" (I think that's what it's called) which listed everything that starts automatically on my computer and "bootvis" from Microsoft but don't quite understand them yet.  Where else could I possibly look for items that are set to start up automatically on my computer?

Looked in Win.ini, startup group for me and all users, msconfig, and all registry keys listed above.

Any further advice would be appreciated
Thank you
0
 
LVL 1

Accepted Solution

by:
PublicFatality earned 400 total points
ID: 8031494
Hey, how about not checking any specific keys but all of them! :)  Here's how you do it: open up regedit and go to:
Edit ---> Find

In the find box put in "winsys" and click Enter or OK, and let it search. When it comes up with a result, delete it (be very careful what you delete!). After you have deleted it, hit F3 to search again and repeat that process until it tells you it has finished searching the registry.  That should remove all the entries.  BTW, start the search on "My Computer" in the registry or you're just searching from where you're highlighted down.  Hope this helps

Kris
0
 

Author Comment

by:caw81677
ID: 8034614
Ah yes, excellent suggestion.  I had tried searching the registry but you helped me realize I didn't do it from my computer down.  Sure enough, I found 4 or 5 keys that needed to be deleted.  The specific one that it was referring to was

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
in the right pane the entry was
Shell   Reg_Sz   Explorer.exe  C:\Windows\System32\winsys.exe

I know this because it was the last one to be deleted and I still received the error until this one was gone.

Excellent help everyone, Thank you very much
0
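
The leftover entry in this thread sat in the Winlogon Shell value rather than in a Run key. As an added example (not posted by anyone in the thread), this Python script audits a regedit export for the autostart keys listed above and flags a Shell value that is anything other than plain explorer.exe; the sample export, the function names and the `needle` parameter are constructed for illustration.

```python
import re

# Autostart keys named in this thread, plus the Winlogon key where the leftover
# entry was found (the real key name is "Windows NT", with a space).
RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\runonceex",
    r"software\microsoft\windows\currentversion\runservices",
}
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"

# Constructed sample in .reg export syntax (backslashes are doubled in values).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\Windows\\System32\\winsys.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"(.*?)"="(.*)"$', line)):
            # Undo .reg escaping (\\ -> \ and \" -> ") in a single pass.
            yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))

def audit(text, needle):
    """Return findings: needle hits in autostart keys, or a modified Winlogon Shell."""
    findings = []
    for key, name, data in parse_reg(text):
        subkey = key.split("\\", 1)[-1].lower()  # drop the hive name
        if subkey == WINLOGON and name.lower() == "shell":
            if data.strip().lower() != "explorer.exe":
                findings.append((key, name, data, "Shell is not plain explorer.exe"))
        elif (subkey in RUN_KEYS or subkey == WINLOGON) and needle.lower() in data.lower():
            findings.append((key, name, data, f"references {needle}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, "winsys"):
        print(finding)
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so open a real export with `encoding="utf-16"` before passing its text to `audit`.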
 
LVL 6

Expert Comment

by:tedsky
ID: 8034716
Hello again!

Just curious whether you had a chance to try any of the links I posted, all of which dealt with different methods (spelling them out, in some cases) of dealing with this WINSYS.EXE worm virus?

Many experts will do this (post links) for assistance, rather than re-invent the wheel.

Glad you found a solution!
Ted
0
 

Author Comment

by:caw81677
ID: 8035930
Ted,
Yes, I checked out most of the links you posted and they all basically gave the same advice of checking the obvious run, and runonce keys in the registry.  I searched most of the sites for the w32.kwbot.d.worm in particular but none of them returned any results.  Symantec.com had instructions for removing the virus from the run and runonce keys so it wouldn't start and Norton quarantined the infected file but the worm created entries in some of the less obvious registry entries that were looking for the infected file on startup.  The answers may have been located in those links, but I may not have read thoroughly enough to find the answer.

You know, everybody wants the quick and easy solution that requires the least amount of work :)

Craig
0
 
LVL 6

Expert Comment

by:tedsky
ID: 8038019
That's all anyone can ask for, isn't it <smile>.
Glad you have your fix - I like quick 'n' easy, too ;)
Take care!
Ted
0
