Solved

SYSTEM32 folder opens on startup!

Posted on 2006-06-22
Last Modified: 2012-06-21
One of my XP systems is now opening the "system32" folder each time someone logs into the local computer.  I have checked for virus infection, run Spybot and Ad-Aware, and run HijackThis on it, but cannot figure out what is causing this.  I have also tried the #260 tip listed in other threads, but that runs and says there is no entry of that type in the registry.  I have checked the registry RUN commands but have no strange entries there.  I have disabled everything in the MSCONFIG startup items and that does not help either.
Here is the info I copied from HijackThis...

StartupList report, 6/22/2006, 2:43:01 PM
StartupList version: 1.52.2
Started from : C:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton Internet Security.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: *Registry key not found*
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

wininet.dll =
kernel32.dll = C:\WINDOWS\system32\
Question by:krusebr
14 Comments
 
LVL 16

Expert Comment

by:Joe
ID: 16963453
 

Author Comment

by:krusebr
ID: 16963494
I have no entry in the startup of MSCONFIG that looks like this: "Deselect /L:ENG entry from the startup tab".
 
LVL 23

Expert Comment

by:phototropic
ID: 16963532
 

Author Comment

by:krusebr
ID: 16963583
I have seen all of these threads and none have helped me yet.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16964915
What you posted is the HijackThis-generated StartupList, not the real HijackThis log.
Can we look at the proper HijackThis log, please?
Post the log at either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.



Also, can we look at all the "Run" keys?
It could be something to do with this entry below:
>>>HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
kernel32.dll = C:\WINDOWS\system32\<<<


--------------------------------------

rem On XP the desktop lives under the user profile, not under \WINDOWS,
rem so change there explicitly before exporting the two Run keys.
cd /d "%USERPROFILE%\Desktop"
regedit /e /a HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e /a HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


Copy and paste the above text into Notepad.
Save this text as "Log.bat". Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on "Log.bat"; after it flashes, two txt files are created on your desktop, HKCURun.txt and HKLMRun.txt.
Post the contents of the txt files.
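The Run keys requested above are only part of the picture; the StartupList already shows a Policies\Explorer\Run entry and a Winlogon Userinit line, and those are the locations worth checking together. The following is an added example, not code from this thread: it enumerates the Run, RunOnce and Policies\Explorer\Run keys under HKLM and HKCU, flags values whose command is a bare folder (the symptom here), is empty, does not exist, or whose value name mimics a system DLL, and then compares Winlogon Userinit and Shell against their stock values. It assumes PowerShell 2.0 or later; the check names and flag wording are mine.

```powershell
# Added example (not from the original thread): enumerate the autostart
# locations examined in this thread and flag entries that deserve a closer look.
# Assumes PowerShell 2.0 or later and read access to HKLM.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-CommandPath {
    # First token of a Run value's command line, without surrounding quotes.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]*)"') { return $matches[1] }
    return ($CommandLine.Trim() -split '\s+', 2)[0]
}

function Get-SuspectReasons {
    param([string]$Name, [string]$Data)
    $reasons = @()
    # Run values are normally named after a product; a value name that mimics
    # a core system DLL (kernel32.dll, wininet.dll) is a disguise, not a program.
    if ($Name -match '\.(dll|sys)$') { $reasons += 'name mimics a system file' }
    $path = Get-CommandPath $Data
    if ($path -eq '') {
        $reasons += 'empty command'
    } elseif ($path.EndsWith('\') -or (Test-Path -LiteralPath $path -PathType Container)) {
        # A directory instead of an executable: Explorer simply opens that
        # folder at logon, which is exactly the symptom described in this thread.
        $reasons += 'points at a folder, not a program'
    } elseif (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        # Either a missing file or a bare name resolved via PATH; look at it by hand.
        $reasons += 'target not found'
    }
    return $reasons
}

function Get-AutorunReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)   # REG_EXPAND_SZ is expanded here
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $name
                Data    = $data
                Suspect = ((Get-SuspectReasons -Name $name -Data $data) -join '; ')
            }
        }
    }
}

function Test-Winlogon {
    # Userinit and Shell are the other two logon hooks checked in this thread.
    $wl = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expectedUserinit = "$env:windir\system32\userinit.exe,"
    if ($wl.Userinit -ine $expectedUserinit) {
        Write-Warning "Userinit is '$($wl.Userinit)', expected '$expectedUserinit'"
    }
    if ($wl.Shell -ine 'Explorer.exe') {
        Write-Warning "Shell is '$($wl.Shell)', expected 'Explorer.exe'"
    }
}

Get-AutorunReport | Where-Object { $_.Suspect } | Format-Table Key, Name, Data, Suspect -AutoSize
Test-Winlogon
```

Run against the export posted later in this thread, the `kernel32.dll = C:\WINDOWS\system32\` value would be reported twice over (system-file name, folder target) while the AVG and ctfmon entries pass; the Policies\Explorer\Run key is the one a plain Run-key export misses, which is why the two exports above came back clean.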
 

Author Comment

by:krusebr
ID: 16965102
Thanks rpggamergirl!  Below is your last request.  I will get back to you soon with the hijack log requested.

HKCURun.txt

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
----------------------------
HKLMRun.txt

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
 

Author Comment

by:krusebr
ID: 16965115
ok, here is the link to the hijackthis log...
http://www.rafb.net/paste/results/SudJjH32.html
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965166
Sorry, the Run keys didn't help and your HijackThis log didn't help either; not much to tell there.

Can you please export this Run key to your desktop (as a reg file) and post the contents of the reg file here? That might tell us something; otherwise I'm out of ideas.

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965222
Can you also check this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Then, in the right pane, look for "Userinit" and make sure there is no other data but this --> C:\Windows\System32\Userinit.exe,
 

Author Comment

by:krusebr
ID: 16965253
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"=""
"kernel32.dll"="C:\\WINDOWS\\system32\\"
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 16965378
You can manually delete the "kernel32.dll" value or use this regfile below.

Make sure the key you exported before stays on your desktop, because that is your backup.

Copy and paste the text below into Notepad.
Save this text as "Deleteme.reg". Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on Deleteme.reg and, when it asks you to merge the information into the registry, click Yes. (Delete the reg file you created on your desktop after the successful merge.)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"kernel32.dll"=-
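The accepted fix above relies on the poster having exported the key by hand first. As an added example, not code from this thread, here is the same removal done from PowerShell so that the backup, the deletion and the verification happen in one step and the deletion refuses to run if the backup fails. It assumes PowerShell 2.0 or later, an administrator session (the key is under HKLM), and that reg.exe is available; the function names and the backup file name are mine. The value name is a parameter, so the companion "wininet.dll" value, which the export shows with empty data, can be removed the same way if you decide it should go.

```powershell
# Added example (not from the original thread): remove the rogue Run value
# only after a .reg backup of the key has been written, then verify.
# Run from an administrator PowerShell; assumes PowerShell 2.0 or later.

$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$Name = 'kernel32.dll'   # the value identified in this thread

function Backup-RegistryKey {
    param([string]$PsKey)
    # reg.exe wants the full hive name, not the PowerShell drive prefix.
    $regKey  = $PsKey -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $desktop = [Environment]::GetFolderPath('Desktop')
    $file    = Join-Path $desktop "policies-explorer-run-$stamp.reg"
    & reg.exe export $regKey $file | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $file)) {
        throw "Backup of $regKey failed; not touching the registry."
    }
    return $file
}

function Remove-AutorunValue {
    param([string]$PsKey, [string]$ValueName)
    $props = Get-ItemProperty -LiteralPath $PsKey -ErrorAction Stop
    if ($props.PSObject.Properties[$ValueName] -eq $null) {
        Write-Host "No value '$ValueName' under $PsKey; nothing to do."
        return
    }
    $backup = Backup-RegistryKey $PsKey
    Write-Host "Backup written to $backup (double-click it to restore the key)"
    Write-Host "Removing '$ValueName' = '$($props.$ValueName)' from $PsKey"
    Remove-ItemProperty -LiteralPath $PsKey -Name $ValueName -ErrorAction Stop

    # Verify the value is really gone before declaring success.
    $after = Get-ItemProperty -LiteralPath $PsKey
    if ($after.PSObject.Properties[$ValueName] -ne $null) {
        throw "Value '$ValueName' is still present under $PsKey."
    }
    Write-Host "Removed. Log off and back on to confirm the folder no longer opens."
}

Remove-AutorunValue -PsKey $Key -ValueName $Name
```

The backup is the important part: a Policies\Explorer\Run value is exactly the kind of entry that can be re-planted by whatever put it there, so keep the exported .reg until a couple of clean logons have confirmed the fix, as the thread goes on to recommend.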
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965392
>>(delete the reg file you created on your desktop after the successful merged)<<
I'm talking about the deleteme.reg.

Do not delete the one you exported before(your backup)
 

Author Comment

by:krusebr
ID: 16965529
Thanks so much RPGGAMERGIRL!
You did it.  The "kernel32.dll" registry line was the culprit!
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965609
You're welcome!

Glad to hear it's fixed, now you can delete the backup of that Run key on your desktop.

Thanks for the points and the "A" grade! :)
