Solved

SYSTEM32 folder opens on startup!

Posted on 2006-06-22
2,330 Views
Last Modified: 2012-06-21
One of my XP systems is now opening the "system32" folder each time someone logs into the local computer. I have checked for virus infection, ran Spybot and Ad-Aware, and ran HijackThis on it, but cannot figure out what is causing this. I have also tried the #260 tip listed in other threads, but that runs and says there is no entry of that type in the registry. I have checked the registry RUN commands but have no strange entries there. I have disabled everything in the MSCONFIG startup items and that does not help either.
Here is the info I copied from HijackThis...

StartupList report, 6/22/2006, 2:43:01 PM
StartupList version: 1.52.2
Started from : C:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton Internet Security.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: *Registry key not found*
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

wininet.dll =
kernel32.dll = C:\WINDOWS\system32\
Question by:krusebr
14 Comments
 
LVL 16

Expert Comment

by:Joe
ID: 16963453
0
 

Author Comment

by:krusebr
ID: 16963494
I have no entry in the startup of MSCONFIG that looks like this... Deselect /L:ENG entry from the startup tab
0
 
LVL 23

Expert Comment

by:phototropic
ID: 16963532
0
 

Author Comment

by:krusebr
ID: 16963583
I have seen all of these threads and none have helped me yet.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16964915
What you posted is the HijackThis-generated startup list, not the real HijackThis log.
Can we look at the proper HijackThis log, please?
Post the log at either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", then click "Save". Then post the link to the saved list here.



Also, can we look at all the "Run" keys?
It could be something to do with this entry below:
>>>HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
kernel32.dll = C:\WINDOWS\system32\<<<


--------------------------------------

rem Export the per-user and per-machine Run keys to text files on the desktop.
rem On XP the desktop lives under %USERPROFILE%, not C:\WINDOWS\desktop.
cd /d "%USERPROFILE%\Desktop"
regedit /e /a HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e /a HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


Copy and paste the above text into Notepad.
Save this text as "Log.bat". Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on "Log.bat"; after it flashes, two txt files are created on your desktop, HKCURun.txt and HKLMRun.txt.
Post the contents of the txt files.
0
 

Author Comment

by:krusebr
ID: 16965102
Thanks rpggamergirl!  Below is your last request.  I will get back to you soon with the hijack log requested.

HKCURun.txt

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
----------------------------
HKLMRun.txt

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
0
 

Author Comment

by:krusebr
ID: 16965115
ok, here is the link to the hijackthis log...
http://www.rafb.net/paste/results/SudJjH32.html
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965166
Sorry, the Run keys didn't help and your HijackThis log didn't help either; not much to tell there.

Can you please export this Run key to your desktop (as a reg file) and post the contents of the reg file here? That might tell us something; otherwise I'm out of ideas.

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965222
Can you also check this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

then in the right pane, look for "Userinit" and make sure there is no other data but this --> C:\Windows\System32\Userinit.exe,

There should be no other data but --> C:\Windows\System32\Userinit.exe,
0
 

Author Comment

by:krusebr
ID: 16965253
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"=""
"kernel32.dll"="C:\\WINDOWS\\system32\\"
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 16965378
You can manually delete the "kernel32.dll" value or use the reg file below.

Make sure the key you exported before stays in your desktop because that is your backup.



Copy and paste the text below into Notepad.
Save this text as "Deleteme.reg". Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on Deleteme.reg and when it asks you to merge the information into the registry, click Yes. (Delete the reg file you created on your desktop after the successful merge.)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"kernel32.dll"=-
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965392
>>(delete the reg file you created on your desktop after the successful merged)<<
I'm talking about the deleteme.reg.

Do not delete the one you exported before(your backup)
0
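An added example, not part of the thread and not the expert's instructions: a PowerShell script that automates what rpggamergirl did by hand. It reads the common autostart locations that MSCONFIG and the HijackThis startup list did not surface cleanly here (the Run/RunOnce keys, the Policies\Explorer\Run key, and the Winlogon Userinit/Shell values), and flags any entry whose target is a bare directory (the thread's `"kernel32.dll"="C:\WINDOWS\system32\"`, which makes Explorer open that folder at logon), does not exist on disk, is empty, or whose value name mimics a system file that is not the actual target. With `-Remove` it exports the affected key to a timestamped .reg backup first, as the thread did, then deletes the flagged values. It assumes PowerShell 3 or later on a modern Windows, run elevated; the key paths are the same ones the thread used, and the `$env:SystemRoot` check mirrors the expert's Userinit advice. The sample entries at the end are constructed from the thread's own values to show what the classifier returns.

```powershell
# Added example (not from the thread): audit the registry autostart locations the
# thread looked at and flag entries like "kernel32.dll"="C:\WINDOWS\system32\".
# Assumes PowerShell 3+ on a modern Windows, run from an elevated prompt.
[CmdletBinding()]
param(
    [switch]$Remove,                                             # delete flagged values after backing up
    [string]$BackupDir = [Environment]::GetFolderPath('Desktop') # where .reg backups go
)

$asepKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',  # not shown by MSCONFIG
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$winlogon         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is part of the value
$expectedShell    = 'explorer.exe'
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandTarget {
    # Return the program/path part of a Run value, stripping quotes and arguments
    # such as "/STARTUP", after expanding environment variables.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ([string]::IsNullOrWhiteSpace($c)) { return '' }
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    # Unquoted: try the longest prefix that exists so "C:\Program Files\x.exe /a" resolves.
    $parts = $c -split ' '
    for ($i = $parts.Length; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $parts[0]
}

function Test-AsepEntry {
    # Classify one autostart value. A directory target is what caused the thread's
    # symptom: Explorer "runs" the path by opening the folder at every logon.
    param([string]$Key, [string]$Name, [string]$Value)
    $target = Get-CommandTarget $Value
    $reason = $null
    if ([string]::IsNullOrWhiteSpace($Value)) { $reason = 'empty value (nothing runs, but the entry is unexplained)' }
    elseif (Test-Path -LiteralPath $target -PathType Container) { $reason = 'target is a directory' }
    elseif (-not (Test-Path -LiteralPath $target -PathType Leaf)) { $reason = 'target does not exist' }
    elseif ($Name -match '\.(dll|sys|exe)$' -and $target -notmatch "\\$([regex]::Escape($Name))$") {
        $reason = 'value name mimics a system file but is not the target'
    }
    [pscustomobject]@{ Key = $Key; Name = $Name; Value = $Value; Target = $target
                       Suspicious = [bool]$reason; Reason = $reason }
}

# 1. Enumerate every value under the Run-style keys that exist on this machine.
$findings = foreach ($key in $asepKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }                                  # provider metadata
        if ($p.Name -eq '(default)' -and [string]::IsNullOrEmpty([string]$p.Value)) { continue }
        Test-AsepEntry -Key $key -Name $p.Name -Value ([string]$p.Value)
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table Key, Name, Value, Reason -AutoSize -Wrap

# 2. Winlogon values are single strings, so compare them whole (the expert's Userinit check).
$wl = Get-ItemProperty -Path $winlogon
foreach ($pair in @(@('Userinit', $expectedUserinit), @('Shell', $expectedShell))) {
    $name, $expected = $pair
    $actual = [string]$wl.$name
    if ($actual -ne $expected) { Write-Warning "$winlogon\$name is '$actual', expected '$expected'" }
}

# 3. Optional cleanup: export the key first (your backup), then delete flagged values.
$bad = $findings | Where-Object Suspicious
if ($Remove -and $bad) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($group in ($bad | Group-Object Key)) {
        $key     = $group.Name
        $regPath = $key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
        $backup  = Join-Path $BackupDir ('asep-backup-' + ($regPath -replace '[\\:]', '_') + "-$stamp.reg")
        reg.exe export $regPath $backup | Out-Null
        Write-Verbose "Exported $regPath to $backup"
        foreach ($f in $group.Group) { Remove-ItemProperty -Path $key -Name $f.Name -Verbose }
    }
}

# Self-check on the two values from the thread (constructed, not read from the registry):
# kernel32.dll -> "target is a directory"; wininet.dll -> "empty value ...".
Test-AsepEntry -Key 'thread' -Name 'kernel32.dll' -Value "$env:SystemRoot\system32\" | Format-List Name, Reason
Test-AsepEntry -Key 'thread' -Name 'wininet.dll'  -Value ''                          | Format-List Name, Reason
```

Run it once without `-Remove` and read the table; the Policies\Explorer\Run key is a legitimate group-policy location ("Run these programs at user logon"), so confirm an entry is not something your organisation pushed before deleting it. Value names that borrow well-known system file names, as here, are worth a second look precisely because they blend into a Run key listing.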
 

Author Comment

by:krusebr
ID: 16965529
Thanks so much RPGGAMERGIRL!
You did it.  The "kernel32.dll" registry line was the culprit!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16965609
You're welcome!

Glad to hear it's fixed, now you can delete the backup of that Run key on your desktop.

Thanks for the points and the "A" grade! :)

0
