Computer Support Forum

System32 at startup, popups, trying to clean up

Question: System32 at startup, popups, trying to clean up

Hi. I have been having trouble with viruses for the past few months, and I've been attacked by pop-ups. Also, the System32 folder opens whenever I start Windows. I have run Spybot, which fixed most of the pop-ups, but I still get some, and the System32 problem is persistent. Here is my HijackThis log:

Logfile of HijackThis v1.97.5
Scan saved at 4:05:55 PM, on 3/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\KaZaA\kazaa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\program files\steam\steam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Waltenbaugh\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home Network Version 1.7
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [KaZaA Media Desktop] C:\Program Files\KaZaA\kazaa.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kmwytndp] C:\WINDOWS\fjbhgfxf.exe
O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: @Home (HKCU)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1556d308282bb9c11202/netzip/RdxIE2.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A3852FBD-AC5C-88C0-3AEC-B8B0AD7EE3A9} (DownloadUL Class) - http://public.searchbarcash.com/cab/348/rpuxgbdz.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I'd appreciate any help I can get with cleaning up my computer. Also, when you reply, please give me specific information with what I need to do - I've never used HijackThis before. Thanks in advance.

Relevance 100%

Answer: System32 at startup, popups, trying to clean up

9 more replies
Relevance 68.88%

Good afternoon to all! I am currently experiencing 2 problems w/ my PC: Every time I log on to my PC, the system32 folder appears. I have downloaded HijackThis, however I am not sure what files I should delete. Also, just recently a lot of popups have been appearing. I have attached the results of the HijackThis scan. I would appreciate any help in solving both these problems. In advance, thank you for your help...

Logfile of HijackThis v1.97.7
Scan saved at 2:27:18 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Viewpoint\View... Read more

Answer:System32 folder appears at startup & POPUPS

Remove these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=146274
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=146274
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=146274
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll

O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [ <meta name="page-type" content="Domain, info, biz, com, net, org, top, lev] c:\WINDOWS\System32\ <meta name="page-type" content="Domain, info, biz, com, net, org, top, level">
O4 - HKLM\..\Run: [ <meta name="keywords" content="domain, order, name, dns, free, url, forwarding, dot, com, net, org, info, biz, top, lev] c:\WINDOWS\System32\ <meta name="keywords" content="domain, order, name, dns, free, url, forwarding, dot, com, net, org, info, biz, top, level">
O4 - HKLM\..\Run: [ <meta name="description" content="Joker ... Read more

1 more replies
Relevance 61.09%

Good afternoon to all! I am currently experiencing 2 problems w/ my PC: Every time I log on to my PC, the system32 folder appears. I have downloaded HijackThis, however I am not sure what files I should delete. Also, just recently a lot of popups have been appearing. I have attached the results of the HijackThis scan. I would appreciate any help in solving both these problems. In advance, thank you for your help...


Answer:Please someone help!!! REPOST "System32 folder appears at startup & POPUPS"

You have plenty of problems. Start with SpyBot Search & Destroy and work up from there. Post a new HiJackThis. Not sure if it will get rid of Joker or Belt, but it can't hurt.
 

3 more replies
Relevance 50.02%

First off....hellooo...this is my first post. I am usually pretty good with getting to the bottom of my past computer problems with just researching the issue and making changes, downloading certain things and eventually getting it back to the way it was. Not this time...it's my gf's comp and I can't seem to find an answer. I've noticed that a lot of people trust HijackThis and you guys can decipher it and tell the appropriate actions to take. I'm hopin that is the case here. So I've recently downloaded it and I'm guessing I need to post a log of it (I will do that at the end of this post or one immediately after it). Here are a few symptoms I've noticed with the computer:

- Definitely popups are pretty frequent, even though we have popup blocker enabled on the IE browser. I have run the Lavasoft Ad-Aware program and it only gets the normal cookies. I ran SpySweeper and it found one not picked up on Ad-Aware but you had to purchase for it to delete it.

- My regedit doesn't work. It kinda tries but desktop just kinda refreshes and nothing happens.

- I was getting a message on startup that a couple of system32 dll files had errors. I'm guessin they are checked and no longer on the comp somehow.

- My gf's email of choice is Hotmail. For almost a week now she has been having to check it via cell phone due to the fact that it says "We can't connect to Windows Live Hotmail right now. Please try again later." I looked searched this prob but I can't make sense of it really. I'm hopin getting ri... Read more

Answer:popups, regedit, system32, email, avg, etc

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:42, on 2009-04-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\... Read more

32 more replies
Relevance 49.61%

I have had this computer for six months and I have been getting clean virus scans from AVG since I built it. I clicked on an old QuickBooks file the other day and my Internet shut down, windows started popping up like crazy and now I'm getting over 100 hits on my AVG scans for viruses every time I run it. I can't do anything without AVG popping up an "accessed file is infected" warning. E.g. Threat Detected! - Accessed File is Infected - C: Windows/system32/msdtc.exe - Virus found win32/Heur. The most common popup relates to cmd.exe when I start the computer though. Help!

KASPERSKY LOG.....

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 31, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 01, 2009 04:23:50
Records in database: 1991580
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Christopher\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 48569
Threat name 2
Infected objects 1197
Suspicious objects 0
Duration of the scan 00:49:57

File name Threat name Threats count
C:\WINDOWS\system32\nvsvc32.exe/C:\WINDOWS\system32\nvsvc3... Read more

Answer:AVG POPUPS - HEUR Virus C:Windows\system32\cmd.exe

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructio... Read more

2 more replies
Relevance 49.61%

Hello,

I recently had the unfortunate luck of coming in contact with a virus.
I have read some other threads of users that experienced a similar virus to this but mine seems a bit more complicated. I am using Windows 7 Pack 1 on my laptop. While on the internet suddenly all of my windows closed for every application open and a couple dozen popups show saying "Failed to save all the components for the file \\System32\\<various numbers> This file is corrupted or unreadable. This error may be caused by a PC hardware problem." Another popup comes up saying I need to scan my computer and gives me two options: to scan or to cancel and reboot. I reboot my computer and all of a sudden all of my desktop icons are gone and the background is black. When I click the start menu, all it has are program files which is empty and administrative tools which is also empty.

I have run a dds and it is below. I also ran a full scan using McAfee. It returned 5 corrupted files that it quarantined:
KIWBUNqkT7buFh.exe.tmp
2c5b4613-3d419fcc
638148df-49874c13
30a1b96e-1d0f88f5
1d2f977-5d43794d

It also found and removed two trojan/viruses:
artemis!073197ABAB69 and Exploit-CVE2010-0840.a

After removing the virus it seems to have stopped creating the dozens of boxes every 5 minutes or so, and I just noticed that my desktop background has my previous backgrounds from pictures that are stored on the computer... hmmm.

If anyone is able to help me recover my files and pictures, etc... Read more

Answer:Failed to save System32 Popups Virus

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

It appears you didn't attach the second dds log, attach.txt, to your initial post.

Press the Windows "logo" key and "R" key then copy/paste the following into the Run box and click OK:

%temp%\attach.txt

A text file should open. Save it to your desktop then attach that file to your next reply.

------------------------------------------------------

Please go to: VirusTotal
Click the Browse button.
Please copy/paste the following bolded text into the 'File name:' box:

C:\Windows\System32\drivers\ksbibtvb.sys

Click Open then click the Send File button just below.
This will scan the file. Please be patient.
If you get a message saying File already submitted: click Reanalyse
Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------

11 more replies
Relevance 49.2%

Last log from (entry 1397790) Chewy said.....

The hidden service and reg keys look like broken remnants of the infection. MBAM may have caught more of them if Norton's hadn't stepped in at bootup when you killed the actual care file with Sophos.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Go ahead and go thru the preparations for posting in the HJT forum so a final cleanup can be done.

Chewy
Yoda said "Do or do not. There is no try."

----------------------------------------------------------

Overview of problem:

Running clean computer with Norton 360 but came back from hols and young relative had infected computer with 84 viruses, managed to remove most with MBAM bar a sYSTEM32\uac one was redirecting me to websites on internet. Then logged onto forum and followed instructions and used Sophos but screen stuck and when I rebooted Norton 360 awoke and said it was removing something so did not allow Sophos to finish it off.

Please see some programs and logs of DDS and attachments called ark.txt and attach.txt that I was instructed to run and include here.

---------------

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 22:38:00.76 on 25/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.518 [GMT 1:00]
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C0... Read more

Answer:Final clean up needed for system32\uac***

Hello Kazzer09, Welcome to Bleeping Computer.
Sorry for delayed response. Forums have been really busy.
My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix: Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions after it is approved.

9 more replies
Relevance 49.2%

I am trying to repair my Windows\system32\wininet.dll file. It has been infected. I attempted the below instructions. I was told that I could find a clean copy in the Windows\system32\dllcache. I could not locate the file. Any suggestions on how I could find or obtain this?
These were the instructions given to me:
While in safe mode do this to fix the wininet.dll problem.

Because XP will not always show you hidden files and folders by default,
Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden
files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View
tab and make sure that "Show hidden files and folders" is checked. Also
uncheck "Hide protected operating system files" and "Hide extensions for
known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

You will need to boot to safe mode and navigate to the C:\Windows\System32
folder and rename the infected wininet.dll file to wininet.old then go to the
C:\Windows\System32\dllcache folder and copy the wininet.dll file there then
paste it in the system32 folder replacing the infected one you renamed.
After it has been replaced restart your computer and then delete the
wininet.old file.
 

Answer:I need a clean copy of system32\wininet.dll

Do you have your Windows CD? You can always extract files from that.
 

2 more replies
Relevance 49.2%

Good evening team,

As you can see by the title of this thread - I have a serious issue. I have done some scans recommended by various websites but it seems that this is the place to get the ultimate help.

I am not an overly technical person (although having this virus is getting me a wee bit moreso), so I appreciate your patience with me.

As things currently stand, I have been told I have a rootkit virus ....

I'll await a response for assistance - Thanks!

Answer:Failed to save System32 Popups Virus - Please assist!!!

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and

Quote:
Having problems with spyware and pop-ups? First Steps

a link at the top of each page.

Please follow our pre-posting process outlined below. Use a USB flash drive to download and transfer the tools to the affected machine, if necessary. You might like to run the Flash_Disinfector.exe on the clean machine and the flash drive first to protect against any possible transfer of infection via USB.


NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

1 more replies
Relevance 49.2%

Hello, can you help me? My computer has uncontrollable popups. I've added a pop-up blocker (stinger) and it helps but it doesn't stop some of the popups and when I click on the add/delete button when the popup window is open, some don't appear in the add part.. anyway that's not all, my computer is very very very slow, it takes about 5 minutes to get my Firefox open and running, about 8 minutes to get my computer all ready when I open it.. anyway it's amazingly slow..

Thank you for your time.
Gen.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:57 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Pr... Read more

Answer:System32 Infected, Computer Is Very Slow, Uncontrolable Popups

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Nokia.
My name is Richie and I'll be helping you to fix your problems.

First you've no virus protection installed. Download\install one of the following freeware options from the choice below. Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus: http://free.grisoft.com/softw/70free/setup...ree_446a965.exe
Avast! 4 Home Edition: http://files.avast.com/iavs4pro/setupeng.exe
Avira AntiVir Personal Edition Classic: http://www.free-av.com/

-------------------------------------------

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will ta... Read more

1 more replies
Relevance 48.38%

Hi all,

I have read some other threads of users that experienced a similar virus to this but mine seems a bit more complicated. I am using Windows XP on my laptop. I was searching old jeeps today in google and came upon a site I have never been to before. The loading page for this site took a while and windows essentials detects a dangerous file (I remove file called Exploit:Win32/Pdfjsc.YE and also Exploit:/Win32/Pifde). The next thing I know all of my firefox tabs/windows disappear and and a couple dozen popups show saying "Failed to save all the components for the file \\System32\\<various numbers> This file is corrupted or unreadable. This error may be caused by a PC hardware problem." Another popup comes up saying I need to scan my computer and gives me two options: to scan or to cancel and reboot. I did not click anything on these popups since they seemed fishy. I reboot my computer and all of a sudden all of my desktop icons are gone and the background is black. When I click the start menu, all it has are program files which is empty and administrative tools which is also empty.

I have seen other threads try to defeat this virus or a similar virus, but in all of the "cures" you have to download files, or access my computer, or use start menu run and to my knowledge I have no way of getting to any of these things. None of them are visible on my laptop. I downloaded rkill and MBAM onto a flash drive on another computer and tried to transfe... Read more

Answer:Failed to save System32 Popups Virus CANNOT access anything EVERYTHING is HIDDEN

Hello and welcome to TSF

We will do our best to assist you. However, in order to do so, please follow all instructions provided in the sequence given. Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.

If you have questions regarding any of the instructions or problems running any tools, please let us know.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.

Please print out or save the following instructions in Notepad. Please also stay with me until I declare you clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.





If you boot into safe mode are you able to access drives such as your flash drive?

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account.

If you are then able to see your flash drive, then ... Read more

19 more replies
Relevance 48.38%

ANNOYING popup Bad Image error/ removed Skynet trojan, MBAM finds nothing.
I've run MBAM with the LATEST updates in safe mode while I unplugged my internet and deactivated AV software (McAfee Enterprise).
I also ran SuperAntispyware in same conditions to NO AVAIL.
I first ran MBAM a couple of days ago, it found about 20 SKYNET trojans and I removed them... Then I started getting these random popups saying blank is not a Windows image file. It also shows "system32\skynet" so I'm thinking it's still it. It seems NASTY.. PLEASE.. I have TOO many games and stuff to reformat... PLEASE help me fix.. thanks very much in advance for the time you have, and will take. It's driving me crazy

Answer:Bad Image Error/ Annoying Popups/ system32\SKYNET suspected

Please download RootRepeal Rootkit Detector and save it to your Desktop.
alternate download link 1

Disconnect from the Internet as your system will be unprotected while using this tool.
Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan. Click this link to see a list of such programs and how to disable them.
Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
When the program opens, click the Report tab at the bottom, then click the Scan button.
In the Select Scan dialog, What do you want to include in the scan?, check all the boxes.
Click OK.
In the Select Drives dialog, Please select drives to scan: select all drives showing, then click OK.
The scan can take some time to finish. Do not use the computer while the scan is running.
When the scan has completed, a list of files will be generated in the RootRepeal window.
Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootR... Read more

18 more replies
Relevance 47.15%

I got infected last night and have cleaned my computer several times using AVG, Ad-Aware, and Spybot. However, I'm still getting popups in both IE and Firefox which usually start with http://url.adtrgt.com/........

Below is my HJ log.

Thanks guys!
==================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:36 PM, on 2/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLaun... Read more

Answer:PopUps - can't seem to clean

This seems to have done the trick.

Thanks!

Malwarebytes' Anti-Malware
 

1 more replies
Relevance 47.15%

Hello. I was redirected here after Eset was unable to remove C:\WINDOWS\system32\winlogon.exe Win32/Spy.Ursnif. Original thread

After running DDS, gmer and defogger my computer is even more sluggish and I'm also getting a popup window every 1-3mins that says "the system has Recovered from a serious error" and when I tried to attach the ark.txt it says "error this file was too big to upload". The file is 695KB. Should I post it instead? Appreciate any help. Thank you.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Run by Owner at 12:43:19 on 2012-03-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.126 [GMT -8:00]
.
AV: Anti-Virus - SBC Yahoo! Online Protection *Enabled/Outdated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\s... Read more

Answer:C:\WINDOWS\system32\winlogon.exe Win32/Spy.Ursnif.A virus unable to clean

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
Do not install any other programs until this is fixed.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Some Rootkit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass... Read more

7 more replies
Relevance 47.15%

Hi, I have a problem. My ESET NOD32 detects a trojan, but can't delete it. And other programs like Malwarebytes or Norton don't find the virus.

This is the log report from eset:

Scan Log
Version of virus signature database: 6244 (20110627)
Date: 6/27/2011 Time: 11:32:33 PM
Scanned disks, folders and files: C:\WINDOWS
C:\WINDOWS\system32\sfc_os.dll - Win32/Patched.NAW trojan - unable to clean
C:\WINDOWS\Temp\HTT4364.tmp - error opening [4]
Number of scanned objects: 22942
Number of threats found: 1
Number of cleaned objects: 0
Time of completion: 11:38:59 PM Total scanning time: 386 sec (0026)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.

I have windows xp.

Thanks for your time and help....

Karin

Answer:C:\WINDOWS\system32\sfc_os.dll - Win32/Patched.NAW trojan - unable to clean

There is my log from gmer, but I can't use the dds...

19 more replies
Relevance 47.15%

Salut, the system32 folder runs always at startup, any help to remove it? (maybe i have to delete/change a registry key..)

Answer:System32 at startup?

Run this:

System32 Folder pops up

7 more replies
Relevance 47.15%

I don't know if I'm in the right place here. I pretty much don't know what to do when a problem arises. I'm good at following directions though! A few weeks ago when I started my laptop up the system32 program (?) popped up and warned me not to change anything. I never opened it. Don't even know what it does. Anyway....now it comes on every time I boot up the computer. How the heck do I rectify this? I did a McAfee scan and there are no infected files. Please help! Thanks!

Amanda

Answer:system32 on startup

Hello Amanda & welcome to the forum. Please post the exact message displayed.

14 more replies
Relevance 47.15%

Every time I turn my computer on, the system32 folder pops up. It's not a big deal, but it's quite annoying. How do I stop this from happening?
I have searched a lot on this topic, and the answers all involve very confusing steps on how to get rid of this. Any easy instructions on how to remove this would be great, as I'm not that computer-savvy.
 

Answer:system32 at startup

6 more replies
Relevance 47.15%

Hi, Problem I am having with my laptop, whenever I start up, the machine boots up and displays the system32 folder contents. Does not seem to affect the operation and I can close it no problem, just irritating, any advice would be greatly received. Oh yes, running Windows XP

Answer:system32 on startup

Any reference to it under MSConfig? Start > Run > msconfig

3 more replies
Relevance 47.15%

Hi e1, when everything has loaded on startup my system32 file opens up even when my McAfee anti-virus scan has done its job in startup. I've read about this problem a few days ago and I tried to solve it but I'm not very PC know-how!! So if any1 can help and explain in the most simplest ways I would be most thankful

Answer:startup ..comes system32, why?

click here
Post back if there's any problems with it.

1 more replies
Relevance 47.15%
Question: System32 Startup

I need help.
Whenever I start my computer it opens up a file called system32. Why?

It's not a virus!!!

I run XP sp2 and IE 7

Please help me
 

Answer:System32 Startup

7 more replies
Relevance 47.15%
Question: system32 startup

I know there have been lots'o'questions on sys32, but it's driving me nuts. I'm not real good at regedit...but I can follow directions. If someone can show an example of a bad value, and EXACTLY what to delete...
My box is a new Dell w/XP pro. Here is a HJT log also.
Thanks to all who help. dkb51

Oh, to be clear about the problem, System32 folder opens on startup.

Logfile of HijackThis v1.97.7
Scan saved at 11:35:04 AM, on 2/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program... Read more

Answer:system32 startup

6 more replies
Relevance 47.15%
Question: system32 startup

I had a virus not too long ago, and with all the problems (that were fixed) the system32 still upload in startup. I scan my computer all the time. What do I do to fix it? thanx!!

Answer:system32 startup

I don't understand the problem. What does "the system32 still upload in startup" mean?

3 more replies
Relevance 47.15%

Hi,
Installed Win 7 64-bit the other day. Every time after startup, as my desktop shows up, a prompt "can't verify the publisher of this program" (or something like that) comes up - click 'yes' or 'no'. Been choosing 'no' so far, not knowing if the program should be let loose or not.
Someone?
/rooftops

Answer:Let <system32\startup.exe> run on 64-bit?

  
Quote: Originally Posted by rooftops


Hi,
Installed Win 7 64-bit the other day. Every time after startup, as my desktop shows up, a prompt "can't verify the publisher of this program" (or something like that) comes up - click 'yes' or 'no'. Been choosing 'no' so far, not knowing if the program should be let loose or not.
Someone?
/rooftops



Hi and welcome

I think we are going to need you to explain exactly what the problem is. I can't understand the above

ken J+

4 more replies
Relevance 47.15%
Question: startup system32

When I start up, the file system32 opens every time. It's not always done this but I can't remember what triggered it. How can I stop this and why does it happen? PS: I've got WinXP Home

Answer:startup system32

click here
this may help..

4 more replies
Relevance 47.15%
Question: System32 startup

How can I prevent "C:\WINDOWS\system32" from popping up on my display when I boot up my system (Windows XP)? I have checked my startup program; it is not there.
 

Answer:System32 startup

See if this MS article helps ..... http://support.microsoft.com/?kbid=170086
 

2 more replies
Relevance 46.74%

Hello all,

I have a Toshiba Tecra M9, 100 GB of harddrive, running on Vista. A day and a half ago I seem to have downloaded a bunch of malware. (I had scanned everything with my regular antivirus, which comes from my ISP Bell Sympatico Security Manager, but it had found nothing.) It started with the Spy Away popups, the disappearance of my Task Manager, and a very slow moving computer. Eventually I discovered adware like zango, seekmo, second thought, batco, etc. Other scans then found a trojan, a worm, things like prockill, Js/Psyme.CA, etc. No matter what I do, I seem to find something more.

Reading various forums, I tried following instructions for cleaning my computer, including...
1. SmitfraudFix Search
2. SmitfraudFix Clean run in Safe Mode (rapport below)
3. HijackThis (log below)
4. SUPERAntiSpyware scan: First scan found 12 threats after 18 hours and said it cleaned them. (The scan was not completed, though, because after 18 hours I needed to shut down my laptop.) Second scan is still running after 16:24 hours and has not yet found anything.
5. Spyware Doctor scan which I have run at least twice. Each time it finds things (usually low to moderate risk), then fixes everything. But then I run it again and things are back.
6. Sympatico Security Antivirus scan: Found 11 items, quarantined them all.

The initial problems (Spy Away popups, computer speed, disappearance of the Task Manager) have all been rectified. But now I am afraid that I am still infected with other... Read more

Answer:It Started With Spy Away Popups... Can't Come Clean

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear" (Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.
If you still require help please post a fresh HJT log

14 more replies
Relevance 46.74%

I first ran Spysweeper from MSN and it found Virtumonde, then I installed Spybot Search and Destroy and it found some variants of Virtumonde and Smitfraud-C, then I ran Spybot Search and Destroy again and it still found Virtumonde a few times later so I went and did your Read and Run Me First and the Windows XP Cleaning (ran SUPERAntiSpyware, SpyBot - Search & Destroy, Malwarebytes Anti-Malware), and after running Combofix.exe it solved the problem of the popups and for good measure I ran MGTools.exe. Then I ran CCleaner and cleaned out the temp files and registry. But I still haven't disabled and enabled System Restore yet.

Here's the log files I got.
 

Answer:Just would like to know if im clean after a problem with popups

Here are the rest of the log files plus the web address that keeps popping up. Also I remember a few popping up for installing Antispyware 360, Dex, before they started coming up as a page not found after I ran immunize on Spybot Search and Destroy. Also I uninstalled all the programs but Spybot Search and Destroy.
 

8 more replies
Relevance 46.74%

hey all, we had some sort of hoax on this pc. scanned with malwarebytes, combofix, avg, spybot. all of them now run clean but we're still getting some popups. i just put zone alarm on so i could get here to post a hijackthis log. please take a look & let me know if i've still got something to fix (which obviously i do).

Running a dell, windows XP home sp2 pentium 4 2.2 GHz 768MB RAM.

Thanks!

Answer:scans run clean but popups still come through

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instruction... Read more

2 more replies
Relevance 46.74%

I need an expert to help clean out the popup ads. I run Adaware SE v1.05 and Spybot Search & Destroy 1.3 and can't seem to get rid of the popups. Any help would be greatly appreciated. HijackThis log posted below.

Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 9:42:02 AM, on 12/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\crypserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD ... Read more

Answer:Hijackthis log help - can't clean out popups

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and i... Read more

4 more replies
Relevance 46.74%

My problem seems somewhat like aisusa's.

I originally contracted the SmitFraud Trojan, but after following the directions on these forums it seemed to be fixed [read: Adaware SE stopped restarting during scans].

Afterward I was and am still experiencing popups, mostly (like aisusa said) from WinAntiVirus 2006. I also have some from some travel site (Orbit?). I went through this site's general removal tutorials and they found a few things, but the problems are still there.

I've gone through all the scans yet again and I've turned up zero problems on any scans - including BitDefender and Panda Active Scan.

So at this point I'm down to looking for hijacks it seems. Any help would be appreciated. If my problem turns out to be the same as aisusa's just let me know and I'll follow those directions.
 

Answer:Still getting popups but clean scans.

I apologize for the double post but I thought this might be important.

The popups only occur when I have a browser open. I generally use firefox, but regardless of whether I'm using FF or IE, the popups are always in an IE window.

I am permanently connected to the internet on a DSL modem, but I don't get any popups until I open a browser.

Anyway - here's to hoping this can be resolved.
 

8 more replies
Relevance 46.74%

I'm trying to clean up a friend's computer that has been getting a lot of popups. I have installed, updated and run Spybot S&D and Ad-Aware SE. I've also installed Mozilla Firefox and tightened up some of their system settings.

There are some persistent programs that defy removal. One in particular is C:\WINDOWS\Nail.exe. If I delete it, it comes back. I don't know what is creating it. I've done some googling and tried some stuff. I eventually opened Nail.exe in Notepad and saved it as a 0 byte file just to prevent this unknown exe file from existing.

The following is a logfile for their system. Please note that I will only be able to access the system every few days or so, so I might not respond quickly, but I will respond to and help. Thanks.



Logfile of HijackThis v1.99.1
Scan saved at 2:57:47 PM, on 05/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.... Read more

Answer:trying to clean aurora popups

Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. These instructions only apply to HJT v1.99.1

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes..

Download any of the required programs before attempting to start any of the fixes.


Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check "Turn off System Restore", <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Download and run Adaware, SpyBot (check for updates) for a preliminary cleanup first. Some files below may not be present after running the above programs. Full instructions below.

How to setup Ad-Aware

Download Ad-Aware
Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
Doubleclick aawsepersonal.exe. Make... Read more

5 more replies
Relevance 46.74%

My pc is troubled by this ucleaner website. kindly advise to remove this malware
i am posting hijackthis log for review. PC is IBM Intellistation M Pro.

Thanx
sanjeev

Logfile of HijackThis v1.99.1
Scan saved at 10:31:06 AM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\ABAQUS\Documentation\monitor.exe
C:... Read more

Answer:how to clean ucleaner and popups

When you post the next log - in notepad go to FORMAT and un-check wordwrap
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal ... Read more

1 more replies
Relevance 46.74%

Just did a clean install of 8.1 and think there might still be some funny business going on, esp with Internet Explorer (AdwCleaner keeps cleaning registry keys). Seeing popups in IE and was having issues with Chrome extensions downloading Ask web bar. Maybe paranoid, but just want to make sure.

Answer:think still seeing popups despite clean install

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/552822/still-noticing-issues-with-ie-and-chrome-dispite-clean-install-of-win-81/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be pat... Read more

1 more replies
Relevance 46.74%

Hi!
Setting: I have two identical Notebooks - bought at the same time at the same shop -  that have two internal harddisk slots. They had win 7 preinstalled. I chose the 64 bit version.


As time went by I changed the harddisks 3 or 4 times over the years. The last two changes were to SSD.
One old HD is gone, as it overheated. (But I was able to secure all data.)
The current problem:
To change to the new SSD on NB1 (Notebook1) I cloned the "C"-Partition from the other notebook.
Then I put the SSD in NB1's harddisk slot. In the other harddisk slot there is an old harddisk once running this notebook.
First time it didn't boot, whyever, but second time it did boot. It booted from the new SSD. (I changed the boot order in the BIOS appropriately. And the old harddisk has a defective MBR, so can't boot anyway.)
Two days ago I accessed the old harddisk, where I had a folder "windows.old" which actually contained a quite complete copy of an old state of that harddisk's original partition back when it was the OS running harddisk. When trying to access the user's folder on that old harddisk, it said I need administrator rights, then it will be made permanently accessible to me (my current user on the SSD logged in.) It took some minutes, and everything was alright.
When ending work I put the system in "Hibernation" (Ruhezustand).
Yesterday when starting the system, the starting screen was in English "Windows is continued" instead of...

More replies
Relevance 46.33%

I have a new PC and for some reason during startup, an Explorer page for the System32 folder pops up. Help would really be appreciated. I am including a HiJackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 11:23:48 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hp...

More replies
Relevance 46.33%

My system32 folder keeps opening at startup. The Kellys Korner tweak does not work, and I can't understand that Microsoft Article.

BTW here is a Hijackthis v2.0.2 Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:22 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\arservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WI...

Answer:system32 opens on startup

Hi techman,
If you think you have a malware problem then you need to post your log in the HiJackthis Log Help forum. We no longer just use HJT but DSS. Full instructions can be found here.

1 more replies
Relevance 46.33%

Hello friends. I'm running XP and my System32 folder is coming up upon starting my computer. I've run several virus scans and Adaware scans. I have also run HijackThis and have posted it here. I did recently remove the Downloader-er.b virus. I read a similar post but couldn't figure it out. It seems I have a similar problem though...the default in the registry shows up as REG_EXPAND_SZ type in System32. Any help will be greatly appreciated. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 5:47:12 PM, on 1/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\A...

Answer:System32 folder on startup

11 more replies
Relevance 46.33%

Hi all,

Any ideas on how to fix this error when booting up windows XP machine
"system32\hal.dll missing "

I have tried booting into the windows XP recovery console (XP-DISK), performed chkdsk /r and then tried the bootcfg /rebuild command without any success, any ideas how else I could fix this problem, it's also not allowing me to do a repair install, is formatting the HDD my only option here?

CheerZ Craig

Answer:system32\hal.dll missing - on startup

Hi Craig, you have some options left before a reinstall.

Please check out the following link for some advice:
http://www.kellys-korner-xp.com/xp_haldll_missing.htm

Hope that helps :)

4 more replies
Relevance 46.33%

I have recently bought a new PC with WinXP and either from the beginning or soon thereafter, I began to get the System32 folder on startup. I just found an item on Tech Guy where you tried to tell a guy what to do about this. Did you ever hear back from him?

Assuming I did something to cause this, what might I have done? I did nothing intentionally.
Logfile of HijackThis v1.97.7
Scan saved at 12:39:37 AM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\...

More replies
Relevance 46.33%

I've had this problem for a while now that my 'System32' folder pops up whenever I start up my computer. I'm running Windows XP Professional and all of my family have individual log ons. This problem only seems to happen on mine!

I have the latest Spybot and the latest Ad-Aware and they both haven't helped on this issue.

I've previously seen threads to problems like this but none of them seem to help.

Below is my HJT log. Any help would be much appreciated.

Thanks in advance...

Logfile of HijackThis v1.98.2
Scan saved at 19:57:03, on 10/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EX...

Answer:System32 Folder Pop-up at startup

This is one specific known issue with Dell systems.

Click on Start and select Run, then type in msconfig there.

Click on the Startup tab.

In the displayed options, uncheck the option L:\ENG.

Then restart the system.

The reason for the annoying display of the System32 folder is the Audigy driver in the system.

Do lemme know what happened
 

3 more replies
Relevance 46.33%

I have the problem of my System32 Folder popping up when I startup my computer. I am aware that this could be a spyware issue or trojan program. I have run Hijackthis and please find the log report below. Please advise as to what I need to fix.

Logfile of HijackThis v1.97.7
Scan saved at 6:05:58 AM, on 25/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS...

Answer:System32 Popup on Startup

I don't see the usual culprits for this error, but this item in the Scanlog doesn't look copacetic to me:

O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG

Try running msconfig and UNchecking it under the startup group. If the error still occurs on rebooting UN check the ENTIRE "load startup" items check box on the general page and test. If that resolves the problem, then something else under that startup tab is causing it and you have to selectively troubleshoot those.

I *think* the entry should read like this:

O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\Audigy.EXE" /L:ENG
 

2 more replies
Relevance 46.33%

Hey, I need some help here. Whenever I start or restart my comp, System32 appears on the startup. Can anyone help?
 

Answer:system32 appears on startup

11 more replies
Relevance 46.33%

Does anybody know why it is that every time I boot up the %system32% folder is displayed? If so, can you tell me how to make it stop?
 

Answer:%system32% opens on startup

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.




Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

runkeys.txt - the log from GetRunKey.bat
newfiles.txt - the log from ShowNew.bat
CounterSpy - ONLY IF you were not able to run Windows Defender
Bitdefender - from step 6
Panda Scan - from step 6
HijackThis



NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

1 more replies
Relevance 46.33%

Please help,

My System32 window opens at startup as does my dial up window.

I've downloaded and run Adaware 6, Spybot Search & Destroy, and CWShredder.

My HJT log is below. Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 10:16:04 PM, on 12/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\qivhhmck.exe
C:\WINDOWS\System32\bkyzxulq.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\EzButton System V2.1\Ezbutton.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\freecell.exe
C:\Documents and Settings\David Barrie\My Documents\Dave\Computer\virus detec...

Answer:System32 opens at startup

7 more replies
Relevance 46.33%

I am fixing this computer that had a lot of viruses and what not on it and I ran everything including Spy Bot, AdAware, and Pest Patrol. And every time that I start up this computer it brings up the folder System32.

This folder is not located in my Startup folder or anything so I was wondering where it might be populating from.

If you have any ideas that would be great.

Thanks

~LuMa
 

Answer:Why does folder System32 pop up on startup.

See these links:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q177/5/10.asp&NoWebContent=1

http://ask-leo.com/archives/000066.html
 

2 more replies
Relevance 46.33%

Hello there. I'm in need of some help. Every time I start up my PC, the System32 window appears. I've heard that it's possible to fix it through the registry somewhere, but could anyone simplify this process for me? Step by step perhaps?

any help appreciated.

regards.

Answer:System32 Window At Startup!

See if this helps: http://support.microsoft.com/?kbid=170086

7 more replies
Relevance 46.33%

Hello to all.

I am helping a friend with computer problems, and one of those problems is one I have no experience with. When system is restarted, Explorer windows going to folders in *System32* pop up. I searched google for solutions and found this wonderful site...was hoping someone here would help me with this.

Here is some info about the system:

Windows XP Prof.
Norton Professional 2004 - ver 10.0.1.13 (with latest def. list)

------------------

I have already;

Used http://housecall.trendmicro.com/hous...start_corp.asp
Installed & Ran Adaware SE (updated) Configured by guidelines in sticky
Installed & Ran Spybot SD (updated)

------------------

I really appreciate any help with this and would also like to know how this problem usually occurs (If you don't have enough time for explanation, it's all good.)

Thank you very much,

David




Logfile of HijackThis v1.98.2
Scan saved at 9:36:26 PM, on 11/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3...

Answer:System32 folders @ startup

Hi turtlemiller and welcome to TSF. This may take more than one pass. I am hoping we get lucky.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it b...

3 more replies
Relevance 46.33%

I found an older thread dealing with this problem, but the answers didn't help me out any. Each time we start the computer system32 shows on the screen.

I tried this (http://www.kellys-korner-xp.com/reg...stem32opens.vbs) fix, but I don't have the problem that that fix is specific to.

Here's my hijackthis log in case the problem is in here. Even if it's not, deal me what to delete!

Logfile of HijackThis v1.97.7
Scan saved at 5:54:04 PM, on 4/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C...

Answer:System32 at Startup (and HiJack log)

6 more replies
Relevance 46.33%

I recently went through the thread on malware removal. At one point, it had me turn off Safeboot mode in the windows config. Then later, it has me turn the /Safeboot back on.

Ever since I did this..... I have something strange happening. First of all, I easily got rid of all malware....thanks to all...but, now, upon logging into my Windows account, an Explorer window always opens up on my desktop in the system32 directory. What is going on?

Thanks,

Nactigal

 

Answer:system32 window at startup

Welcome to MG's ....Here's the Solution: Go to this Kellys-Korner link and when you get to that webpage; scroll down to #260 on the right-hand side, and click on the "System32 Folder Opens Upon Boot" entry.
http://www.kellys-korner-xp.com/xp_tweaks.htm
 

9 more replies
Relevance 46.33%

When I start my computer, a missing entry error pops up for RUNNDLL

More replies
Relevance 46.33%

Okay, I'm pretty sure this isn't caused by malware since it was one of the oddities I noticed as soon as I turned the computer on right out of the box. For some reason on some accounts, the "System32" folder will open on login. I'm running Windows XP, Service Pack 2 on a Dell Dimension XPS. I'm not exactly sure of the generation in the Dimension XPS series but it's something like 2 or 3.

Answer:System32 Opens At Startup?

Did you look in the startup folder?

6 more replies
Relevance 46.33%

I need some help. Every time I restart my computer, the System32 folder pops up. I would like to know how to prevent it from showing up. Thanx!

Here is my HiJackThis log if that helps :
Logfile of HijackThis v1.97.7
Scan saved at 9:57:25 PM, on 06/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\windows\system32\spoolsrv.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Me...

Answer:System32 folder at Startup

Hi, and welcome to tsg - please add a reply to your post if you still have a problem with your PC include any updated info.
 

1 more replies
Relevance 46.33%

When I boot up my PC I get a Windows XP screen, then over the top I get a black screen labelled C:\WINDOWS\System32\ntqt.exe. When I go to clear it down I get this message: Cannot end program needs time to complete - or some such. How do I stop this screen popping up from start up? I cannot find any reference to ntqt.exe at Microsoft or on the net.

Answer:System32 Error On Startup

Seeing as you're a HJT trainee I thought you may be suspicious of any unknown files, particularly in the system32 folder. Can't you use HJT to remove it?

9 more replies
Relevance 46.33%

After my system reboots or is turned on, I will log into my computer and I will get 2 (sometimes more) cmd.exe starts up with the heading

"c:\windows\system32\cmd.exe"

The 2 cmd.exe windows are blank and are automatically closed within a couple of seconds. I've tried closing some programs on startup using msconfig. It should be noted that I am recovering from a virus in which I have reinstalled Windows on my C drive (other drives were not formatted). McAfee is updated and is running but not showing any problems.

in any case here is my HJT log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:43 PM, on 10/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\jav...

More replies
Relevance 46.33%

I have the System32 window popping up on startup. Have looked at registry keys for null values and anything "suspicious" as suggested by more experienced folks, but don't understand registry values well enough to know what is valid and what is not. Can someone please review this HT logfile and suggest what to correct? Many thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 11:02:11 AM, on 12/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\AVGVIR~1\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\AVGVIR~1\avgcc32.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\ewjvfbwa.exe
C:\WINDOWS\System32\sdertsqx....

Answer:System32 popup at startup

10 more replies
Relevance 46.33%

When restarting xp operating system I get a windows/system32/cpmrotate.dll dl verify error. How can I fix this problem?
 

Answer:system32 error at startup

According to this link "cpmrotate.dll" is malware. So I think that you must scan your pc with AVAST.
 

2 more replies
Relevance 46.33%

Hi,
Whenever I start my computer (Win XP), the system32 folder keeps opening. I've checked my msconfig, and there is no /L:Eng there. I don't have any spy/malware. According to Microsoft I need to make sure that
"both:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Double check that the values do not have incorrect, incomplete, or blank entries."
That's great and all, but what values are supposed to be in there? I looked at mine, and it just says (value not set) for the "Default" entry. Any help that you guys could give would be great. Thanks in advance.
 

Answer:System32 Pops Up at Startup

Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe
 

3 more replies
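
The check that the Microsoft guidance quoted in the question above and the earlier answer about the `[SB Audigy 2 Startup Menu] /L:ENG` entry both describe (a Run value that is blank or has lost its program path), written as an added example that is not part of any post on this page. It reads the O4 lines of a HijackThis log; the sample log is constructed from the two O4 lines quoted on this page plus made-up entries, and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# HijackThis prints registry autoruns as:
#   O4 - <hive>\..\<key>: [<value name>] <command line>
# "O4 - Startup:" shortcut lines use another layout and are skipped here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+):\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# Unquoted command: program ends at the first executable extension that is
# followed by whitespace or end of line (so "mcafee.com\vso\x.exe" works).
EXE_RE = re.compile(r"(?i)^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$")


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str


def split_program(command):
    """Split a Run-key command line into (program, arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:                      # unterminated quote: take the rest
            return command[1:], ""
        return command[1:end], command[end + 1:].strip()
    match = EXE_RE.match(command)
    if match:
        return match.group(1), match.group(2) or ""
    parts = command.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], parts[1] if len(parts) > 1 else ""


def parse_o4(log_text):
    """Return the registry Run entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"].strip()))
    return entries


def audit(log_text):
    """Return (entry, reason) for Run entries with no usable program path."""
    findings = []
    for entry in parse_o4(log_text):
        program, _args = split_program(entry.command)
        if not program:
            findings.append((entry, "blank command"))
        elif program[0] in "/-":
            findings.append((entry, "switches only, no program path"))
    return findings


# Constructed sample: lines 3 and 5 are the O4 lines quoted on this page,
# the others are made up for the example.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ExampleUnquoted] c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ExampleBlank]
O4 - HKCU\..\Run: [ExampleFixed] "C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\Audigy.EXE" /L:ENG
O4 - Startup: Example.lnk = C:\Example\example.exe
"""

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE_LOG):
        print(f"{entry.hive}\\..\\{entry.key} [{entry.name}]: {reason} ({entry.command!r})")
```

A flagged entry is a candidate for review in msconfig or regedit, not proof of malware; the Audigy entry on this page is a vendor autorun that lost its executable path.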
Relevance 46.33%

Every time that I start my computer the System32 folder seems to pop up no matter what I do. Can anyone help me fix this problem?

I have a HijackThis logfile

Scan saved at 5:24:17 PM, on 3/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\program files\altnet\points manager\points manager.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiV... Read more

Answer:System32 Folder At Startup

http://forums.techguy.org/t209732/s.html
 

3 more replies
Relevance 46.33%

This is a friend's computer that continues to display the System32 folder whenever the computer is turned on. This computer uses Windows XP. Below is the HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 5:39:34 PM, on 1/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Syma... Read more

Answer:System32 popup at startup

11 more replies
Relevance 46.33%

i know you guys get this one a lot, so maybe this will be quick...

system32 folder appears at every startup

ran spybot and ad aware, both found minimal 'infestations' (mostly tracking cookies) both cleaned.

hijack this logfile:

Logfile of HijackThis v1.97.7
Scan saved at 11:46:03 AM, on 10/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\msvcmm32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Real Alternative\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.23.0\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Hijack this\Hijac... Read more

Answer:system32 folder at startup

9 more replies
Relevance 46.33%

Logfile of HijackThis v1.99.1
Scan saved at 8:58:33 PM, on 10/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\InterVideo\Common\Bin&... Read more

Answer:Log Help...system32 Popup On Startup

Hello and welcome to BleepingComputer. I don't see anything particularly bad here, but it does look like you have significant registry corruption. Let's see if we can do anything about that.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [zjqesymo] C:\WINDOWS\oxdkoivp.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [var d] c:\WINDOWS\System32\var data;
O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKLM\..\Run: [if (location.hos] c:\WINDOWS\System32\if (location.host) {
O4 - HKLM\..\Run: [if (document.referre] c:\WINDOWS\System32\if (document.referrer) {
O4 - HKLM\..\Run: [if (navigator.appNam] c:\WINDOWS\System32\if (navigator.appName) {
O4 - HKLM\..\Run: [if (navigator.userAgen] c:\WINDOWS\System32\if (navigator.userAgent)... Read more

4 more replies
Relevance 46.33%

My system32 folder keeps opening up on startup. How can I stop this? Don't give me that Microsoft article because I can't understand it, and don't give me that link to kellys korner either because the tweak I found there didn't work. I have also tried running many anti-spyware programs.
 

Answer:System32 opens on startup

8 more replies
Relevance 46.33%

This MS-DOS screen pops up at least 10 times at startup, then shuts itself down. Also running into virtual memory issues and the Brazilian Bancos bug. Here is the HiJack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:12:03 AM, on 8/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\CA_LIC\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\HPPROPTY.EXE
F:\Company Shared Folders\Lab\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\WINNT\LSASS.exe
C:\Program Files\explore.exe
C:\Program Files\Internet Explorer\INTEXPLORE.com
C:\Program Files\iPod\bi... Read more

Answer:system32 IPconfig @ startup

16 more replies
Relevance 46.33%

I have recently bought a new pc with winXP and either from the beginning or soon thereafter, I began to get the system32 folder on startup.

Assuming I did something to cause this, what might I have done? I did nothing intentionally.
-----------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 10:55:30 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:... Read more

More replies
Relevance 46.33%

My system32 folder comes up on startup. I've read instructions on how to get rid of it using HiJackThis but I'm not all that familiar with HiJackThis. I'm also wondering if there is anything else on my computer I can get rid of with HiJack.

These are my results from HiJack

Logfile of HijackThis v1.97.7
Scan saved at 10:50:39 AM, on 1/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\WINDOWS\tisthufn.exe
C:\WINDOWS\System32\polpbwai.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\PowerP... Read more

Answer:[Resolved] System32 on Startup

8 more replies
Relevance 46.33%

I am working on my friend's pc. Her kid had some friends over, and they messed with her pc. I was able to clean it up a lot, but this stupid folder appears. I do not know enough to mess with hijackthis, but I made a log, and here it is. Any help is greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 3:20:27 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\WindowsUpd4.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Dell\Support... Read more

Answer:System32 Folder on Startup

Hi Justin.Galle

Welcome to TSG!

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O2 - BHO: (no name) - {BCDAE01B-985F-9DD1-223C-A07FC96818C5} - C:\WINDOWS\system32\flfevqfr.dll (file missing)

O2 - BHO: (no name) - {BEABAEAA-CEC9-B83E-5BC5-E052EA70EB25} - C:\WINDOWS\system32\pbknomzh.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WindowsUpd4.exe

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The C:\WINDOWS\WindowsUpd4.exe file
 

3 more replies
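The "blank" autorun entries ticked in the answer above have a recognisable shape: a Run value with no name whose data is a folder path, so the folder is opened at logon instead of a program being started. The following is an added example, not part of the thread and not HijackThis code; it flags only those structural anomalies (blank Run names, folder-path data, BHOs with a missing file), so a named entry such as `WindowsUpd4.exe` still needs a human analyst. The sample lines are copied from logs quoted on this page, and `review` and the reason strings are names made up for this example.

```python
import re

# O4 registry autorun line as HijackThis prints it:
#   O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] ?(.*)$")
# O2 Browser Helper Object line:
#   O2 - BHO: name - {CLSID} - path
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

# Sample input assembled from log lines quoted on this page.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BCDAE01B-985F-9DD1-223C-A07FC96818C5} - C:\WINDOWS\system32\flfevqfr.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""


def review(log_text):
    """Return [(line, [reasons])] for structurally broken O2/O4 entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []

        m = O4_RE.match(line)
        if m:
            _hive, _key, name, command = m.groups()
            target = command.strip().strip('"')
            if not name.strip():
                reasons.append("blank value name")
            if not target:
                reasons.append("blank value data")
            elif target.endswith("\\"):
                # A trailing backslash means the data names a folder,
                # which gets opened in a window at logon.
                reasons.append("data is a folder path, not a program")

        m = O2_RE.match(line)
        if m:
            target = m.group(3)
            if target.endswith("(file missing)") or target == "(no file)":
                reasons.append("BHO points at a missing file")

        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in review(SAMPLE_LOG):
        print("; ".join(reasons))
        print("    " + line)
```

Only the registry form of O4 lines is parsed here; the `O4 - Startup:` and `O4 - Global Startup:` shortcut entries use a different layout and are ignored.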
Relevance 46.33%

I've searched the net far and wide, and I've attempted every single possible thing to no avail.

Logfile of HijackThis v1.97.7
Scan saved at 12:41:01 PM, on 1/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\sesinetd.exe
C:\WINDOWS\System32\hserver.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\****\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU... Read more

Answer:System32 Folder On Startup HJT Log

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R3 - Default URLSearchHook is missing
O1 - Hosts: 203.161.127.141 www.dcsresearch.com

O2 - BHO: (no name) - {A47D4B4E-9E3F-7F6D-3721-6EBA82E0F339} - C:\WINDOWS\system32\blnvhxqj.dll

O2 - BHO: (no name) - {EFDEB116-95B6-BE64-8CFB-5BA3BEAF2F24} - C:\WINDOWS\system32\ipwdgkkj.dll (file missing)

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [w] C:\WINDOWS\System32\dcxmcd.exe
O4 - HKLM\..\Run: [l] C:\WINDOWS\System32\hpzwwh.exe

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/0203...everContent.cab
O16 - DPF: {1695C611-186A-4355-B777-0D85B325F07F} (DIGStream) - http://espn.go.com/espnmotion/espnmotion.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...iTunesSetup.exe
Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
Click "Apply&quo... Read more

2 more replies
Relevance 45.92%

I have started to get a lot of pop ups when using the internet, I haven't cleaned the laptop for over twelve months so will start here first.
Any help is appreciated, logs attached.
 

Answer:Problems with popups,first step a clean up.

Let's start with this:
Rescan with RogueKiller and fix these items:

Code:
Scheduled tasks : 1
[V1][SUSP PATH] VaudiXUpdaterTask{684DE9BD-8FF5-4493-90AC-37398D6C55CF}.job : C:\ProgramData\Premium\VaudiX\VaudiX.exe - /schedule /profilepath "C:\ProgramData\Premium\VaudiX\profile.ini" [-][-] -> FOUND
HOSTS File:
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 www.download-winmx-free.com --> Potentially malicious!
127.0.0.1 download-winmx-free.com --> Potentially malicious!
127.0.0.1 www.free-winmx-downloads.com --> Potentially malicious!
127.0.0.1 free-winmx-downloads.com --> Potentially malicious!
127.0.0.1 www.mp3winmx.com --> Potentially malicious!
127.0.0.1 mp3winmx.com --> Potentially malicious!
127.0.0.1 winmx.click-new-download.com --> Potentially malicious!
127.0.0.1 www.winmx.click-new-download.com --> Potentially malicious!
127.0.0.1 winmx-d0wnload.com --> Potentially malicious!
127.0.0.1 www.winmx-d0wnload.com --> Potentially malicious!
127.0.0.1 www.winmxfrance.com --> Potentially malicious!
127.0.0.1 winmxfrance.com --> Potentially malicious!
127.0.0.1 www.winmx-freebie.com --> Potentially malicious!
127.0.0.1 winmx-freebie.com --> Potentially malicious!
127.0.0.1 www.winmx-music-download.com --> Potentially malicious!
127.0.0.1 winmx-music-download.com --> Potentially malicious!
127.0.0.1 www.winmx-usa.com --... Read more

5 more replies
Relevance 45.92%

Logfile of HijackThis v1.99.1
Scan saved at 7:27:06 PM, on 1/29/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Drew F\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:... Read more

Answer:Spyware Popups on clean install

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

Please be patient with me during this time.

3 more replies
Relevance 45.92%

I got bombarded at someone's website with spyware & trojans. :angry: .. most of which McAfee caught and some that Ad-Aware caught, but I'm still getting boatloads of popups -- and McAfee/Ad-Aware are now clean.

I'm getting suspicious about the Google toolbar .... has anyone had problems with spyware from it? <_<

Anyway ... I need some help ... here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:47:20 PM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bose\WavePC\BWRComm.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\PROGRA~1\mcafee.com\v... Read more

Answer:Popups - Mcafee & Ad-aware Clean

You did not post the entire log

Open the log in notepad

EDIT - SELECT ALL
EDIT - COPY

Then come to this message, and in the fast reply box click in the white space and then EDIT - PASTE

1 more replies
Relevance 45.92%

All I could manage to start in between an INSANE amount of never-ending popups on this computer I'm fixing was Spybot and a hijack scan, so here's the scan. SURPRISINGLY, the Spybot was completely clean. I have every program I could want to scan with or fix with, I just can't figure out the damn problem.
It will NOT stop getting Windows security alerts that tell you someone's hacking your computer, but they look like scams.
Here's the hijack:

Logfile of HijackThis v1.99.1
Scan saved at 10:32:13 AM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\... Read more

Answer:Endless popups and a clean spybot!

Hello and welcome to TSF

You are using an outdated version of Hijackthis. Please uninstall from Add/Remove programs, and delete your current version.

Next, download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Do not post that log, instead, do this next:

=====================================================

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
cop... Read more

1 more replies
Relevance 45.92%

I am on the tail end of getting rid of this Aurora spyware that I inadvertently downloaded yesterday. I've used MS Antispyware, Lavasoft's Ad-Aware and Spybot a number of times as well as downloading the supposed clean up utility from mypctuneup.com. These programs were successful in getting rid of most everything that was creating the non-stop popup issue but there is still one file that I can't prevent from loading regardless of what I do. The name of this file is VCMnet11.exe. It shows up in HJS on a single line as the following:

O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe

I've tried using HJS to identify and delete the instance of the file from the Registry as well from the C:\Windows directory. It doesn't show up in Safemode. Every time I reboot though, the file comes back. Any ideas how to get rid of this last spyware remnant?

Thanks,
Rob
 

Answer:Clean up from Aurora - Non Stop popups

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

After doing ALL of the above if you still have a problem:


Download HijackThis 1.99.1

Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

Run HijackThis and save your log file.

Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
 

1 more replies
Relevance 45.92%

here is my hijackthis log and my vundofix log. thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 12:02:17 AM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Nort... Read more

Answer:Log Looks Clean But I Still Get Popups Everywhere Including Winantivirus

Welcome to Bleeping Computer, brute force.

* Please rename your HijackThis.exe into WhatYouWant.exe.

* Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.

* Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will clo... Read more

9 more replies
Relevance 45.92%

Dell 600m laptop running XP Home opens a bunch (15-40+) of System32 windows at startup. Use McAfee (from AOL), Counterspy, Spybot, AdAwareSE and Microsoft Anti-Spy regularly.

Also, when I try to update McAfee, it says "internet connection not available", even though I can be on line in an IE window at the same time. I can also use AOL, but when I try to go to the AOL anti virus pages, I get only a blank window. I used McAfee's online Freescan and found 3 viruses; I cleaned them with the online Stinger. I have tried booting in Safe Mode to get the McAfee updates, but haven't been able to get them there either.

I also cannot access Task Mgr to see what processes are running. (haven't tried that in Safe Mode as an Admin, though, will try that tonight when I get home)

I may have more than one bad actor at play here. Where should I go next?

Answer:XP Opens 15-40 System32 windows at Startup

Sounds like you're infested with malware, and spyware/adware. I recommend that you download, update and run HijackThis, and post a HijackThis log to the board on this forum or one of the other forums listed. Be patient, these HijackThis forums are extremely busy but they will assist you.

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim Eshelman
http://www.bleepingcomputer.com/forums/ind...showtutorial=42 - HijackThis tutorial
http://aumha.net/viewforum.php?f=30
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://castlecops.com/forum67.html

2 more replies
Relevance 45.92%

Hello everyone,

Can someone please look at my HijackThis log and tell me why my system32 folder opens on startup? Thanks in advance.

Dee

Logfile of HijackThis v1.99.1
Scan saved at 5:02:09 PM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1121732180\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1121732180\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1121732180\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
... Read more

Answer:System32 folder pops up on startup

Try #260 right side of page.
System32 Folder Opens Upon Boot
http://www.kellys-korner-xp.com/xp_tweaks.htm
To use the VBS Files:
Download .vbs file and save it to your hard drive
(you may want to right click and use Save Target As).
Double click the vbs file. You will be prompted when the script is done.

System32 Folder Opens When Logging on to Windows XP, Windows 2000,
or Windows NT 4.0
http://support.microsoft.com/default...NoWebContent=1

3 more replies

I have the System32 window popping up on startup. Can someone please review this HT logfile and suggest what to correct? Any help on what to delete would be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 6:18:41 PM, on 1/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\WINDOWS\cjubdj.exe
C:\WINDOWS\System32\fjoqumrj.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\QUICKENW\QWDLLS.EXE
C:\Documents and Settings\Doug\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C... Read more

Answer:[Solved] System32 popup at startup

Welcome to TSG!

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O2 - BHO: (no name) - {3E97E780-7CCC-EFEE-3C03-4A9025A1A510} - C:\WINDOWS\system32\psoaycxv.dll

O4 - HKLM\..\Run: [bdtznwbt] C:\WINDOWS\cjubdj.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\fjoqumrj.exe

Restart to safe mode and delete:

The C:\WINDOWS\System32\fjoqumrj.exe file
The C:\WINDOWS\cjubdj.exe file

See here for starting to safe mode:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
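
The fix list in the answer above includes two Run entries with an empty value name whose data is just the System32 folder. The following is an added example, not part of the original thread and not HijackThis's own code: a small triage script that finds that pattern among the O4 lines of a pasted log. The sample lines are copied from the logs quoted on this page; the function names and the folder heuristic are assumptions made for the example, and it does not judge whether a named executable such as cjubdj.exe is malicious.

```python
import re
from typing import List, NamedTuple, Tuple

# O4 (autostart) lines copied from the HijackThis logs quoted on this page.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [bdtznwbt] C:\WINDOWS\cjubdj.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\fjoqumrj.exe
O4 - HKLM\..\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
"""

# Registry-based O4 lines: "O4 - <hive>\..\<key>: [<value name>] <data>".
# "O4 - Startup:" (Startup folder) lines have another shape and are skipped.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] ?(.*)$")
EXT_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|vbs|dll))(?=\s|$)", re.I)


class RunEntry(NamedTuple):
    hive: str
    key: str
    name: str
    data: str
    reasons: Tuple[str, ...]


def target_of(data: str) -> str:
    """Return the program or path part of the value data, without arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    # Unquoted paths may contain spaces, so cut after the first program extension.
    m = EXT_RE.match(data)
    return m.group(1) if m else data


def looks_like_folder(path: str) -> bool:
    """Heuristic (assumption): absolute path ending in a backslash or with no extension."""
    if not re.match(r"^[A-Za-z]:\\", path):
        return False
    return path.endswith("\\") or "." not in path.rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[RunEntry]:
    """Parse every registry O4 line and attach the reasons it stands out, if any."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, data = m.groups()
        reasons = []
        if not name.strip():
            reasons.append("empty value name")
        if not data.strip():
            reasons.append("empty data")
        elif looks_like_folder(target_of(data)):
            reasons.append("data is a folder path, not a program")
        entries.append(RunEntry(hive, key, name, data, tuple(reasons)))
    return entries


def suspicious(log_text: str) -> List[RunEntry]:
    return [e for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] {e.data} -> {', '.join(e.reasons)}")
```
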
 

3 more replies

Hi, every time I start the PC the above mentioned command box flashes quickly. I have run through the Malware removal guide but there are no logs for the TDSSkiller as it did not find any threats. I ran the malware removal process last night and then went to bed as it was late. Windows then decided to update and now this morning I have 2 new identical icons on my desktop which are faded out entitled desktop.ini. Thank you for your time.
 

Answer:c:\windows\system32\cmd.exe pops up on startup

ynot said:

"but there are no logs for the TDSSkiller as it did not find any threats."

You have to make the log by following the instructions given to make one.

However I don't think you are having problems. It may just be what you are running at startup and the below is where I would start:

O4 - HKLM\..\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml

Try disabling it with MSconfig and see if that stops it.

Side note: I do recommend that you uninstall Yontoo
 

3 more replies

Hi All.

I recently installed a new HD and had some problems with viruses and trojans, but now I think all are removed. I still just have XP installed with just 1 or 2 updates, so may install XP 2 soon. But the state of play with my PC now is as follows:

When I boot up, C\Windows\System 32 folder opens up on the screen. Don't know why. Also twice in last few days I've got this error:

Generic Host Process for Win32 Services
Generic Host Process for Win32 Services has encountered a problem and needs to close.

And the Data error report contained:
szAppName : szAppVer: 0.0.0.0 szModName: unknown szModVer: 0.0.0.0 offset: 00000000

The following files were included
C:\DOCUMENT~1\KEVINC~1\LOCALS~1\TEMP\WER1E.tmp.dir00\svchost.exe.mdmp\appcompat.txt

The PC froze and nothing would open or close, so I had to press the on/off button. Now today I was online, going fine and the very same thing has just happened, and I had to turn on/off again. This also happened last week. And of course c-windows-system32 still opens on booting up.

No virus present in AVG, I also ran Search and Destroy and Adaware, and they did remove a number of files.

Any ideas anyone, on the error, or on the system32? Or are they related?

Thanks KC

Answer:C\Windows\System32 opening in startup

click here

4 more replies

Hi All, I'm working on a Dell laptop that the system32 folder pops up at startup. I ran Hijackthis and found a huge javascript in the start up. I've never seen this before. I ran spybot s&d and it found and cleaned out some stuff, but this script thing still remains. I'm pretty clueless on how to fix this one. The Hijack log is too large to post, I'll try and post it as an attachment. Any help would be greatly appreciated. Thanks a bunch.
 

Answer:System32 folder opens at startup

After looking on google this should fix it.. http://www.kellys-korner-xp.com/regs_edits/xp_system32opens.vbs

 

2 more replies

I did what flrman1 suggested below, but cannot get anyone to take a look at the hijack log and advise me.
----------------------------
Originally Posted by ronglass
I have recently bought a new pc with winXP and either from the beginning or soon thereafter, I began to get the system32 folder on startup. I just found an item on Tech Guy where you tried to tell a guy what to do about this. Did you ever hear back from him?

Assuming I did something to cause this, what might I have done? I did nothing intentionally.

-----------------------
flrman1 -

Go here:

http://forums.techguy.org/f54-s.html

Start a "New Thread" and post your Hijack This log:

Click here to download Hijack This. Click on the Hijackthis.exe.

Click the "Scan" button. When the scan is finished the scan button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in your New Thread.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.
----------------------------
Logfile of HijackThis v1.97.7
Scan saved at 12:29:30 AM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe... Read more

More replies

I have a computer which is running Win2000 Pro. The user called me saying when they boot up, after they log in the system32 folder is displayed in explorer. I have checked the registry files in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER and can't find any obvious "bad" values.

The user claims they have not changed anything or loaded any software. Any ideas on how I can track down why this is launching on startup.

Thanks a bunch.
 

Answer:System32 folder displays on startup

Make sure the user is closing all windows before selecting Shutdown.

If the problem persists I would try running MSCONFIG. It does not come with Windows 2000 but you can use a copy from an XP PC or download it from:
http://www.thetechguide.com/downloads/msconfig.zip

Once you start it click the Startup tab and Services.
 

2 more replies

System32 folder keeps showing at startup. It is irritating. How do I stop it?

Answer:System32 Folder Shows At Startup.

Try this link: http://support.microsoft.com/Default.aspx?kbid=170086

1 more replies

My system32 folder keeps opening at startup. The Kellys Korner tweak does not work, and I can't understand that Microsoft Article.

BTW here is a Hijackthis v2.0.2 Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:22 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\arservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WIN... Read more

Answer:system32 opens on startup HJT v2.02 log included

Hi techman86 and welcome to TSF

Sorry for the delay in getting to you, the forum has been really busy lately and all our helpers are volunteers.

1. Download combofix to your desktop

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------

Download Deckard's System Scanner to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, 2 text files will open - main.txt and extra.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt back in this thread (do not attach it).
Please attach extra.txt to your post.


To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do: create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to... Read more

1 more replies

someone please help me out. not only with the system32 folder problem but anything else that looks out of place

Logfile of HijackThis v1.97.7
Scan saved at 3:13:34 PM, on 1/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\Update... Read more

Answer:System32 Folder PopUp at Startup

6 more replies

I had the following file that I wanted to remove:
c:\windows\system32\update.exe (See here: http://www.bleepingcomputer.com/startups/s...key-13483.html)
which gets run on startup. To get rid of it I followed this tutorial:
http://www.bleepingcomputer.com/tutorials/how-to-remove-a-trojan-virus-worm-or-malware/
I used Autoruns, and looked for any entry with "c:\windows\system32\update.exe" and deleted it. I then deleted the actual file in the directory. However, every time I start up the computer it's still trying to open this file, despite the fact that all start up entries are removed (or so I think).
Anyone have advice for this problem? Thanks.

Answer:Can't get rid of c:\windows\system32\update.exe on startup

Do you have Spyware Doctor installed on your computer?

What security programs do you have?

If you suspect malware or one of your security programs has identified the file as malware then tell us which one. Is update.exe still on your computer? If it is, right click on it and choose properties and tell us what it says.

1 more replies

Hello; I am running XP home edition. On startup system32 folder displays.
I have tried running hijackthis but it fails about 2/3rds the way thru and gives an error message see attached jpg.

Can anyone help on this?
 

Answer:System32 folder displays on startup

7 more replies

All right, I've been having problems with this for a while. I have looked through some threads here, but haven't been able to make much of anything. Here's the problem...

Every time I start my computer, my System32 folder opens. (I am running Windows XP). Basically, I have no clue why. For a while, I also got an error message about a "wjview.exe" error, but that has recently stopped after doing some other stuff.

Any help/suggestions is greatly appreciated. Also, does anyone know what a program called "lycemo.exe" is? That often gets blocked by my firewall, but I have no clue what it is.
 

Answer:System32 folder opens at startup

8 more replies

I just ran Spybot, which identified 1 trojan and numerous registry issues. I removed the trojan and indicated I wanted to decline the registry changes (probably about 15-20). When I restart my PC, I now get at least 15 or so screens pop up momentarily toward the end of the startup that contain Windows/System32/CMD or Command.exe or com. This occurs after Windows has loaded and the startup applications are being loaded. The screens only appear for a second or so, not enough time to do anything with them, and then disappear. Most of them are black with nothing else; but a few have a single line of text that disappears before I can read it. The screens are about 5x6 inches in size and by the time all my startup applications have loaded, they are all gone. Everything else seems to run normally.

I certainly appreciate any help in determining the cause and fixing it.

I have a Gateway PC with a Pentium 4 chip (1.3Mhz), 1.5 Gb memory, and I'm running Windows XP SP3. I ran HiJack This and saved the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:13 AM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil S... Read more

More replies