SYSTEM32 folder opens on startup!

One of my XP systems is now opening the "system32" folder each time someone logs into the local computer.  I have checked for virus infection, run Spybot and Ad-Aware, and run HijackThis on it, but cannot figure out what is causing this.  I have also tried the #260 tip listed in other threads, but that runs and says there is no entry of that type in the registry.  I have checked the registry RUN commands but have no strange entries there.  I have disabled everything in the MSCONFIG startup items and that does not help either.
Here is the info I copied from HijackThis...

StartupList report, 6/22/2006, 2:43:01 PM
StartupList version: 1.52.2
Started from : C:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton Internet Security.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: *Registry key not found*
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

wininet.dll =
kernel32.dll = C:\WINDOWS\system32\
krusebrAsked:
rpggamergirlCommented:
You can manually delete the "kernel32.dll" value or use the .reg file below.

Make sure the key you exported before stays in your desktop because that is your backup.



Copy and paste the text below into Notepad.
Save this text as "Deleteme.reg".  Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on Deleteme.reg and when it asks you to merge the information into the registry, click Yes. (Delete the .reg file you created on your desktop after the successful merge.)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"kernel32.dll"=-
0
 
krusebrAuthor Commented:
I have no entry in the startup of MSCONFIG that looks like this... Deselect /L:ENG entry from the startup tab
0
 
phototropicCommented:
0
 
krusebrAuthor Commented:
I have seen all of these threads and none have helped me yet.
0
 
rpggamergirlCommented:
What you posted is the HijackThis-generated startup list, not the real HijackThis log.
Can we look at the proper HijackThis log, please?
Post the log at either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", then click "Save".  Then post the link to the saved list here.



Also, can we look at all the "Run" keys?
Could be something to do with this entry below:
>>>HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
kernel32.dll = C:\WINDOWS\system32\<<<


--------------------------------------

rem On XP the desktop lives under the user's profile, not under C:\WINDOWS
cd /d "%USERPROFILE%\Desktop"
rem /e exports the key, /a writes it in REGEDIT4 (ANSI) format
regedit /e /a HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e /a HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


Copy and paste the above text into Notepad.
Save this text as "Log.bat".  Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click "Log.bat"; after it flashes, two txt files are created on your desktop, HKCURun.txt and HKLMRun.txt.
Post the contents of the txt files.
0
 
krusebrAuthor Commented:
Thanks rpggamergirl!  Below is your last request.  I will get back to you soon with the hijack log requested.

HKCURun.txt

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
----------------------------
HKLMRun.txt

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
0
 
krusebrAuthor Commented:
ok, here is the link to the hijackthis log...
http://www.rafb.net/paste/results/SudJjH32.html
0
 
rpggamergirlCommented:
Sorry, the Run keys didn't help and your HijackThis log didn't help either; not much to tell there.

Can you please export this Run key to your desktop (as a .reg file) and post the contents of the .reg file here? That might tell us something; otherwise I'm out of ideas.

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
0
 
rpggamergirlCommented:
Can you also check this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

then in the right pane, look for "Userinit" and make sure there is no other data but this --> C:\Windows\System32\Userinit.exe,
0
 
krusebrAuthor Commented:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"=""
"kernel32.dll"="C:\\WINDOWS\\system32\\"
0
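The exports posted above contain everything needed to spot the bad entry, so here is an added example (not code from this thread, from HijackThis, or from any other tool mentioned here) that parses .reg export text and flags what a responder would question: values under policies\Explorer\Run (a key Explorer processes at logon but that msconfig's Startup tab does not list, which is why disabling everything in msconfig changed nothing), value names that borrow a system DLL's name, and commands whose target is a folder rather than a program. The sample input is the three exports from this thread; the DLL-name list, the executable-extension list and the `audit` heuristics are my own assumptions, not anything the thread states.

```python
"""Flag suspicious autostart entries in exported Run-key .reg files."""
import ntpath
import re

# Explorer runs this key at logon, but msconfig's Startup tab does not list it.
POLICY_RUN_SUFFIX = r"\policies\explorer\run"
# Core DLL names reused as value names so the key looks "normal" at a glance.
SYSTEM_DLL_NAMES = {"kernel32.dll", "wininet.dll", "user32.dll", "ntdll.dll",
                    "advapi32.dll", "shell32.dll"}
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

# Sample input: the three exports posted in this thread (not constructed).
HKCU_RUN = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
HKLM_RUN = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
'''
POLICY_RUN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"=""
"kernel32.dll"="C:\\WINDOWS\\system32\\"
'''

def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key: {value_name: data}}.  REG_SZ data becomes an unescaped str, the
    "-" delete marker becomes None, dword:/hex: data is kept as ("raw", text)."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            entries[key][name] = _unescape(data[1:-1])
        elif data == "-":
            entries[key][name] = None
        else:
            entries[key][name] = ("raw", data)
    return entries

def command_target(data):
    """Return the program path of a Run command, with any arguments removed."""
    data = data.strip()
    if data.startswith('"'):                 # "C:\Program Files\a b.exe" /arg
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    lower = data.lower()
    for i, ch in enumerate(data):            # C:\PROGRA~1\...\avgcc.exe /STARTUP
        if ch == " " and lower[:i].endswith(EXEC_EXTENSIONS):
            return data[:i]
    return data.split(" ", 1)[0]

def audit(entries):
    """Return [(key, value_name, data, reason)] for values that look wrong."""
    findings = []
    for key, values in entries.items():
        key_l = key.lower()
        if not key_l.endswith("\\run"):      # skip Run\OptionalComponents\* (setup state, not autostarts)
            continue
        in_policy_key = key_l.endswith(POLICY_RUN_SUFFIX)
        for name, data in values.items():
            reasons = []
            if in_policy_key:
                reasons.append("in policies\\Explorer\\Run, which msconfig does not show")
            if name.lower() in SYSTEM_DLL_NAMES:
                reasons.append("value name mimics a system DLL")
            if isinstance(data, str):
                target = command_target(data)
                if not target:
                    reasons.append("empty command")
                elif target.endswith("\\") or ntpath.splitext(target)[1].lower() not in EXEC_EXTENSIONS:
                    # A bare folder path here makes Explorer open that folder at
                    # logon instead of starting a program: the symptom in this thread.
                    reasons.append("target is a folder or not a program: " + target)
            if reasons:
                findings.append((key, name, data, "; ".join(reasons)))
    return findings

def audit_text(text):
    return audit(parse_reg(text))

if __name__ == "__main__":
    for label, text in (("HKCU Run", HKCU_RUN), ("HKLM Run", HKLM_RUN), ("policies Run", POLICY_RUN)):
        hits = audit_text(text)
        print("%s: %s" % (label, "clean" if not hits else "%d suspicious" % len(hits)))
        for key, name, data, reason in hits:
            print("  %r = %r\n    %s" % (name, data, reason))
```

Run against the thread's exports, the HKCU and HKLM Run keys come back clean and only the two policies\Explorer\Run values are reported; the kernel32.dll one is flagged on all three counts. The same parser accepts any `regedit /e` export, so the other autostart keys HijackThis lists (RunOnce, RunOnceEx, Winlogon) can be exported and checked the same way.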
 
rpggamergirlCommented:
>>(Delete the .reg file you created on your desktop after the successful merge.)<<
I'm talking about the Deleteme.reg.

Do not delete the one you exported before (your backup).
0
 
krusebrAuthor Commented:
Thanks so much RPGGAMERGIRL!
You did it.  The "kernel32.dll" registry line was the culprit!
0
 
rpggamergirlCommented:
You're welcome!

Glad to hear it's fixed, now you can delete the backup of that Run key on your desktop.

Thanks for the points and the "A" grade! :)

0