• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4443

System32 Folder appears after startup

Hello,

I have researched this issue pretty thoroughly, looking at MS kb 170086, startup folders, turned all msconfig startups off and nothing has worked.  Also run spybot, MS Defender, and adaware.  Please help!
Asked by: Captain_John
1 Solution
Joseph Nyaema (IT Consultant) commented:
Please post a link to a HijackThis analysis.

Hijack this can be downloaded from http://www.merijn.org/

an analysis can be done at http://www.hijackthis.de/
Captain_John (Author) commented:
Logfile of HijackThis v1.99.1
Scan saved at 11:16:20 AM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.41.10:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ensusa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ensusa.com
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Joseph Nyaema (IT Consultant) commented:
The Hijackthis analysis is at http://www.hijackthis.de/logfiles/5c1a8e473558a375df9d39e29568a8c2.html

You should remove the browser hijack object (BHO) marked in red: O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp

Use Hijackthis to do that.

Hope that helps
NYtechGuy commented:

Captain-

While it is possible that this is a spyware issue as the others have noted, I have seen this be caused by something less onerous.

In my case, it was an entry in the HKLM\Software\Microsoft\Current Version\Run registry key that was incomplete, or wasn't enclosed in quotes as it should have been.

Please check this Microsoft Article:  http://support.microsoft.com/kb/170086/en-us

Good Luck - Justin

arvanius commented:
This program will fix any errors in the registry that cause the Program or System32 folder to pop up at startup; it's in Swedish...

http://www.pekspro.com/cgi-bin/countdown.pl?files/pmfix.zip

Run pmfix.exe from the ZIP file, Next/Nästa, check the box "Avancerat läge" (Advanced mode);
if the program finds any errors, it will list them in the window; press Next/Nästa,
and the program fixes the registry setting and creates a backup.reg file on your desktop.

This is a great program, I use it all the time at work!

Usually it's a driver or program that creates an incorrect registry setting under
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
or
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

Hope this helps!
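The two explanations offered so far in this thread, a suspicious browser helper object in the HijackThis log and a malformed value under the Run keys (the KB 170086 case), can both be checked mechanically from a HijackThis log. The following Python script is an added illustration, not code from this thread, from HijackThis or from Pekspro; the sample lines reuse entries from the log posted above plus two constructed Run values ([Broken] and [Orphan]) that show the empty and argument-only cases KB 170086 describes. The heuristics (a .tmp file registered as a BHO, an unquoted path with spaces, a value with no program path) are the editor's own.

```python
"""Triage HijackThis-format log lines for the two causes discussed in this
thread: a browser helper object loading an odd file from system32, and a
malformed Run entry (the KB 170086 case that opens System32 at logon)."""
import re
from typing import Dict, List, Optional

# Constructed sample input. The O2, O4 and O9 lines are copied from the log
# posted in the thread; [Broken] and [Orphan] are invented entries that
# illustrate the malformed Run values KB 170086 describes.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\\WINDOWS\\system32\\hp100.tmp
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [IntelWireless] C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\\..\\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\\..\\Run: [Broken]
O4 - HKCU\\..\\Run: [Orphan] /background
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\\Program Files\\Bodog Poker\\GameClient.exe (file missing)
"""

# O2/O3 lines: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Leading absolute program path of an unquoted command (non-greedy up to the extension)
EXE_RE = re.compile(r"^(?P<exe>[A-Za-z]:\\.+?\.(?:exe|cpl|scr|bat|cmd|vbs))(?:\s|$)", re.I)
# Bare program name resolved through PATH, e.g. "rundll32.exe bthprops.cpl,,..."
BARE_RE = re.compile(r"^[\w.-]+\.(?:exe|cpl|dll)\b", re.I)


def check_bho(name: str, path: str) -> Optional[str]:
    """Return a reason string if a BHO/toolbar entry looks suspicious, else None."""
    reasons = []
    if name.strip().lower() in ("", "nothing", "(no name)"):
        reasons.append("BHO has no meaningful name")
    p = path.strip().lower()
    if p.endswith(".tmp"):
        reasons.append("loads a .tmp file as a browser extension")
    elif "\\system32\\" in p and not p.endswith((".dll", ".ocx")):
        reasons.append("loads a non-library file from system32")
    return "; ".join(reasons) or None


def check_run(cmd: str) -> Optional[str]:
    """Return a reason string if a Run value is malformed, else None."""
    cmd = cmd.strip()
    if not cmd:
        return "empty Run value (KB 170086: Explorer opens System32 at logon)"
    if cmd.startswith('"') or cmd.startswith("%"):
        return None  # quoted path or environment-variable path: well-formed
    m = EXE_RE.match(cmd)
    if m:
        if " " in m.group("exe"):
            return "unquoted program path containing spaces"
        return None
    if BARE_RE.match(cmd):
        return None
    return "value does not start with a program path"


def triage(log_text: str) -> List[Dict[str, object]]:
    """Scan log lines and collect findings as dicts with line, kind and reason."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.rstrip()
        if "(file missing)" in line:
            findings.append({"line": lineno, "kind": "orphan",
                             "reason": "entry points at a file that no longer exists"})
        bho = BHO_RE.match(line)
        run = RUN_RE.match(line)
        if bho:
            reason = check_bho(bho["name"], bho["path"])
            if reason:
                findings.append({"line": lineno, "kind": "bho",
                                 "name": bho["name"], "reason": reason})
        elif run:
            reason = check_run(run["cmd"])
            if reason:
                findings.append({"line": lineno, "kind": "run",
                                 "name": run["name"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>2} [{f['kind']}] {f.get('name', '')}: {f['reason']}")
```

On the sample, the script flags the hp100.tmp BHO, the unquoted IntelWireless path, the two constructed Run values and the orphaned Bodog Poker button, and leaves the quoted ccApp entry and the rundll32 entry alone. A flag is a prompt to look, not a verdict: the unquoted Intel path is a vendor habit rather than an infection, which is why the thread's advice to export the key before editing (Pekspro's backup.reg) is the right order of operations.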
Captain_John (Author) commented:
Thanks to you both.  As I mentioned in my original posting I had checked both of those registry keys for correctness.
arvanius commented:
But do use the application I recommended; it can fix incorrect registry settings in other places in the registry too! It takes like 5 sec to download and run the utility...

Try it to exclude the registry as a source of the problem.
arvanius commented:
This is an error I have encountered many, many times; every time, the utility from Pekspro fixed it...
Captain_John (Author) commented:
Used it, Arvanius, but unfortunately it did not fix the problem.
heerak commented:
Try the following link

http://www.kellys-korner-xp.com/regs_edits/xp_system32opens.vbs

It will open up a file which you have to run; it's a registry batch file, which will surely fix your issue. It's worked for me.

Heerak
Captain_John (Author) commented:
Thanks Heerak, ran the program and got "the expected registry entry was not found". You guys are great, I know we'll get there!
top_rung commented:
Any Audigy equipment? I see a lot of mention of Dell and Audigy causing this problem. If so, try updating the Audigy drivers.

As for me, it was a simple msconfig | Startup issue: unchecked /l:eng from the startup.
top_rung commented:
Ah, I believe the script above that you ran is supposed to handle the Audigy issue. :|
Captain_John (Author) commented:
No Audigy equipment.
phototropic commented:
What happens in safe mode?
rpggamergirl commented:
First you might like to fix the infection that is showing in your HijackThis log; that could be causing it, as new smitfraud variants surface almost every day.

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.

dmccurdy51 commented:
If you log on with another username, does the system32 folder appear?
   If this fixes the problem, you can either delete the profile and start from scratch, or try to track down the problem.

  If it still appears, something external to the user is calling it.
     This would be located in a login script, like a domain login script,
     maybe in a Group Policy,
    or the All Users profile.
Captain_John (Author) commented:
It doesn't appear in safe mode. I will attempt the SmitFraudFix next. It does appear when you log in as a different user.
Thanks all!
dmccurdy51 commented:
Well it has to be called from somewhere.

Run MSconfig
   Click the Startup tab
   Uncheck All Applications
   Log off
    Log in

Does it still appear?
   If so, it's a logon script
phototropic commented:
I agree. Msconfig - "disable all". If the problem goes away, re-enable startups until it reappears and you find the guilty program. You could try disabling all non-Microsoft services too. Something is loading which causes this problem, and if it doesn't load in safe mode, a process of elimination should reveal it.
Captain_John (Author) commented:
I did the MsConfig thing before I posted and it still appeared.
Captain_John (Author) commented:
Not a batch file either.
Captain_John (Author) commented:
SmitFraudFix was indeed the answer. Thanks very much!
rpggamergirl commented:
No problem, glad to hear your problem is solved.

Thank you for the points with an "A" grade! :)