Solved

SYSTEM32 folder opens on startup!

Posted on 2006-06-22
14
2,316 Views
Last Modified: 2012-06-21
One of my XP systems is now opening the "system32" folder each time someone logs into the local computer.  I have checked for virus infection, run Spybot and Ad-Aware, and run HijackThis on it but cannot figure out what is causing this.  I have also tried the #260 tip listed in other threads but that runs and says there is no entry of that type in the registry.  I have checked the registry RUN commands but have no strange entries there.  I have disabled everything in the MSCONFIG startup items and that does not help either.
Here is the info I copied from HijackThis...

StartupList report, 6/22/2006, 2:43:01 PM
StartupList version: 1.52.2
Started from : C:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton Internet Security.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: *Registry key not found*
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

wininet.dll =
kernel32.dll = C:\WINDOWS\system32\
0
Comment
Question by:krusebr
14 Comments
 
LVL 16

Expert Comment

by:Joe
ID: 16963453
0
 

Author Comment

by:krusebr
ID: 16963494
I have no entry in the startup of MSCONFIG that looks like this... Deselect /L:ENG entry from the startup tab
0
 
LVL 23

Expert Comment

by:phototropic
ID: 16963532
0
 

Author Comment

by:krusebr
ID: 16963583
I have seen all of these threads and none have helped me yet.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16964915
What you posted is HijackThis' generated startup list, not the real HijackThis log.
Can we look at the proper HijackThis log please?
Post the log at either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.



Also, can we look at all the "Run" keys?
Could be something to do with this entry below:
>>>HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
kernel32.dll = C:\WINDOWS\system32\<<<


--------------------------------------

REM change to the current user's desktop (on XP this is under Documents and Settings, not C:\WINDOWS)
cd /d "%USERPROFILE%\Desktop"
REM export the two Run keys as ANSI .reg text files (/e = export, /a = ANSI/REGEDIT4 format)
regedit /e /a HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e /a HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


Copy and paste the above text into Notepad.
Save this text as "Log.bat".  Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on "Log.bat"; after it flashes, 2 txt files are created on your desktop: HKCURun.txt and HKLMRun.txt.
Post the contents of the txt files.
0
 

Author Comment

by:krusebr
ID: 16965102
Thanks rpggamergirl!  Below is your last request.  I will get back to you soon with the hijack log requested.

HKCURun.txt

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
----------------------------
HKLMRun.txt

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
0
 

Author Comment

by:krusebr
ID: 16965115
ok, here is the link to the hijackthis log...
http://www.rafb.net/paste/results/SudJjH32.html
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965166
Sorry the run keys didn't help and your Hijackthis log didn't help either, not much to tell there.

Can you please export this Run key to your desktop (as a reg file) and post the contents of the reg file here? That might tell us something, otherwise I'm out of ideas.

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965222
Can you also check this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

then on the right pane, look for the "userinit" and make sure there is no other data but this --> C:\Windows\System32\Userinit.exe,

there should be no other data but -->  C:\Windows\System32\Userinit.exe,
0
 

Author Comment

by:krusebr
ID: 16965253
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"=""
"kernel32.dll"="C:\\WINDOWS\\system32\\"
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 16965378
You can manually delete the "kernel32.dll" value or use this reg file below.

Make sure the key you exported before stays in your desktop because that is your backup.



Copy and paste the bolded text into Notepad.
Save this text as "Deleteme.reg".  Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on Deleteme.reg and when it asks you to merge the information into the registry click Yes. (Delete the reg file you created on your desktop after the successful merge.)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"kernel32.dll"=-
0
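The manual triage in this thread (export the Run keys, read each value, spot the one whose data is a folder rather than a program, check Winlogon\Userinit, then build a `"name"=-` reg file to delete the bad value) can be scripted. The following Python is an added example, not code from the thread or from HijackThis: it parses the REGEDIT4 / "Windows Registry Editor Version 5.00" text that `regedit /e` produces, applies rpggamergirl's checks as explicit rules, and emits the deletion reg file. The sample export is constructed from the values posted above; the rule set (empty data, data ending in a backslash, Userinit not exactly `userinit.exe,`) is this example's own interpretation of the thread's checks, and the key suffix list and function names are its own.

```python
import re

# Constructed sample export (assembled from the values posted in this thread, not a
# file from the original poster): the policies\Explorer\Run key that turned out to be
# the culprit, the two normal Run keys, and the Winlogon Userinit value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"=""
"kernel32.dll"="C:\\WINDOWS\\system32\\"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Keys whose values are launched at logon: the Run keys the batch file above exports,
# plus the policies Run key that showed up in the StartupList report (assumed list).
AUTORUN_KEY_SUFFIXES = (
    r'\currentversion\run',
    r'\currentversion\runonce',
    r'\currentversion\policies\explorer\run',
)
WINLOGON_SUFFIX = r'\windows nt\currentversion\winlogon'
EXPECTED_USERINIT = r'c:\windows\system32\userinit.exe,'


def unescape(s):
    """Undo .reg string escaping: a doubled backslash becomes one, \\" becomes a quote."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key: {value_name: data}}. String data is unescaped; other data kinds
    (dword:, hex:) are kept as raw text; '@' is stored as the '' (Default) value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('REGEDIT4', 'Windows Registry Editor')):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = '' if name == '@' else unescape(name[1:-1])
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys


def triage(keys):
    """Apply the thread's checks: every value under an autorun key should name a
    program, and Winlogon\\Userinit should hold nothing but userinit.exe plus a comma.
    Returns a list of {'key', 'name', 'reason'} findings."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if any(k.endswith(s) for s in AUTORUN_KEY_SUFFIXES):
            for name, data in values.items():
                if data == '':
                    findings.append({'key': key, 'name': name,
                                     'reason': 'empty data: stray value with nothing to run'})
                elif data.endswith('\\'):
                    findings.append({'key': key, 'name': name,
                                     'reason': 'data is a folder, not an executable: '
                                               'Explorer opens this folder at every logon'})
        elif k.endswith(WINLOGON_SUFFIX):
            for name, data in values.items():
                if name.lower() == 'userinit' and data.lower() != EXPECTED_USERINIT:
                    findings.append({'key': key, 'name': name,
                                     'reason': 'Userinit has extra data beyond userinit.exe,'})
    return findings


def removal_reg(findings):
    """Build a .reg file deleting the flagged autorun values ("name"=- is regedit's
    delete-value syntax, as in the accepted solution). Winlogon findings are left
    out on purpose: Userinit must be restored to its normal data, not deleted."""
    by_key = {}
    for f in findings:
        if not f['key'].lower().endswith(WINLOGON_SUFFIX):
            by_key.setdefault(f['key'], []).append(f['name'])
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, names in by_key.items():
        lines.append('[%s]' % key)
        lines.extend('"%s"=-' % n.replace('\\', '\\\\').replace('"', '\\"') for n in names)
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    found = triage(parse_reg_export(SAMPLE_EXPORT))
    for f in found:
        print('%s\\%s: %s' % (f['key'], f['name'], f['reason']))
    print(removal_reg(found))
```

On a real machine, feed it the files the batch above writes (`regedit /e /a` writes ANSI text; without `/a` XP writes UTF-16, so open those with the matching encoding). Keep the exported key as a backup before merging anything the script emits, exactly as the accepted answer says.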
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965392
>>(delete the reg file you created on your desktop after the successful merged)<<
I'm talking about the deleteme.reg.

Do not delete the one you exported before(your backup)
0
 

Author Comment

by:krusebr
ID: 16965529
Thanks so much RPGGAMERGIRL!
You did it.  The "kernel32.dll" registry line was the culprit!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965609
You're welcome!

Glad to hear it's fixed, now you can delete the backup of that Run key on your desktop.

Thanks for the points and the "A" grade! :)

0
