SYSTEM32 Folder on Startup/Windows STANDBY Failure

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TS26720, Oct 21, 2006.

  1. TS26720

    TS26720 Private E-2

    I Have 2 problems.

    1) When the computer boots up I get SYSTEM32 Folder. I have run the removal tool in Kelly-Korner and did not work. I have followed the threads on your site and could not find the problem. I have booted computer in Selective start with startup files disabled and still have the problem. I have attached the HIJACK file and hope you can see the issue.

    2) The computer will not enter standby mode. I get an error message "System Standby Failed - The device driver for the easy internet keyboard device is preventing the machine from entering standby .....". I have a VPR Matrix Desktop computer with logitec corded deluxe access keyboard. The keyboard used itouch software. I have tried the latest itouch software and I have tried the itouch software that came on the device driver disk with the computer. I have tried removing all the itouch software and using a basic PS/2 Keyboard and driver with similar failure message. No Success yet.

    I did use the READ AND RUN me first link on your site and removed some MALWARE. I have attached the HIJACK log, ActiveScan.txt and bdscan.txt files.
     

    Attached Files:

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi could you also attach the ShowNew and GetRunKeys logs as listed in the guide as well... cheers.
     
  3. TS26720

    TS26720 Private E-2

    Attached are the runkeys.txt and newfiles.txt files. Thanks very much for your help.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Neither of your problems are really malware issues.

    The first problem typically occurs due to a null type entry in one of the registry keys used to load startup items. However, a quick look at your logs does not reveal a problem like this. Did you attach logs for the user account that is displaying the problem?

    The second problem you mention is an issue you should be discussing in the Hardware (maybe Software) Forum.

    Let's address a few non-malware issues and see what happens.

    Is your copy of CA eTrust PestPatrol a paid version or a free trial? If free uninstall it.
    Is your copy of Spy Sweeper for MSN a fully functional program that provides active blocking as well as scanning features?

    You must not have PestPatrol, Spy Sweeper and Windows Defender all installed. Our goal will be to keep only one, and preferably one that is a paid program and is fully functional.


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. HJT


    Make sure you tell me how things are working now!
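    The post above attributes the SYSTEM32 folder opening at logon to a null type entry in a startup registry key. The following PowerShell snippet is an added example (not from the thread or from any MajorGeeks tool) that lists the common Run/RunOnce keys and flags entries with a blank name or blank command; the list of keys is an assumption about the usual startup locations, not something the thread specifies.

```powershell
# Added example: flag blank-name or blank-command entries in the startup
# Run keys. The key list below is an assumption (common startup locations).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # Only present on 64-bit Windows; harmless to skip when missing.
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspectStartupEntries {
    param([string[]]$Keys = $runKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        # GetValueNames() reports the unnamed "(Default)" value as "".
        foreach ($name in $item.GetValueNames()) {
            $value = $item.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $blankName  = [string]::IsNullOrWhiteSpace($name)
            $blankValue = ($null -eq $value) -or
                          [string]::IsNullOrWhiteSpace([string]$value)
            [pscustomobject]@{
                Key     = $key
                Name    = if ($blankName) { '(Default)' } else { $name }
                Command = $value
                # A blank name or blank command is the "null type entry"
                # that can make Explorer open %SystemRoot%\system32 at logon.
                Suspect = ($blankName -or $blankValue)
            }
        }
    }
}

Get-SuspectStartupEntries | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Run it in the affected user's session so the HKCU keys belong to that account; an entry flagged Suspect can be removed with Remove-ItemProperty once confirmed to be unwanted, and the HKLM keys need an elevated prompt to change.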
     
  5. TS26720

    TS26720 Private E-2

    In the original post I created the bdscan and Activescan txt files when in Safe Mode and I believe I was in administrator mode. The HJT, Getrunkey and newfiles were created in the normal account with the problems. When I boot up in SAFE mode I do not have the SYSTEM32 folder pop up.

    I created a new account and logged in to find it had the exact same problems. I deleted the account again.

    I deleted Pest Patrol and MSN Spy Sweeper which are expired subscriptions. I left Defender alone but I don't believe it runs in startup for constant protection.

    Hidden files are enabled.

    I fixed the lines you said using HJT. Note the log file was made before I deleted the lines.

    When I selected Reset Web Settings I was asked if I wanted to reset to the default settings. I said no.

    I ran fixWLK.reg and merged the new code into the registry file.

    I have attached new logs for HJT and Getrunkey.

    The computer has the same problems as before with no new problems noted following these changes.

    What do you recommend I try next? Thanks for the help so far.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow directions in the order given. I don't need a log that still shows me what I was asking you to fix.

    Why did you say no? My instructions said we are doing a Reset Web Settings, you need to allow the reset to work otherwise you are not resetting the web settings as I requested. Please do this again and say yes!

    Now that you uninstalled Spy Sweeper you need to have HJT fix the below left over from it:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Then attach a new HJT log from normal boot mode.

    Is the user account that appears to be having the problem named FAMILY?
    If so, does this account have Administrator privileges?

    If not, give it Administrator privileges and then reboot into safe mode and login to the FAMILY account. Save a HijackThis log from safe mode and also note whether the system32 folder opened in safe mode.

    Then reboot in normal mode and attach this second log which is from safe boot mode.
     
    Last edited: Oct 25, 2006
  7. TS26720

    TS26720 Private E-2

    I reset the Web Settings to the original default settings and then reset the home page on the General Tab to www.majorgeeks.com. Note I deleted the Cookies and the files, however I do not appear to have an option to Delete all offline content.

    I fixed the O20 line you identified and ran a HJT log from Normal Boot mode. The log is called highjackthisc.log

    The Family account has administrator privileges. I booted up in Safe mode and logged in as FAMILY. I did not get a SYSTEM32 folder pop up. I have attached the HJT file which I ran in Safe mode. It is called hijackthisd.log.

    I guess the clue to this problem should lie in the difference between these log files.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you click the button to Delete Files... the next window that pops up is titled Delete Files. In this window there is a check box to Delete all offline content and there are two buttons OK and Cancel. Select the check box and click OK!


    I don't see an obvious reason for this to be occurring; there are no null entries showing in the run keys which can typically cause this. Either way it is not an issue for this forum since it is not malware. You should try the Software Forum. I will give you the below information though, which is a list of what additional processes are running in normal boot mode versus safe mode. Some of them load through normal startups (the O4 lines seen in HJT and also seen under the Startup tab of MSconfig) and others load because they are Services, but certain services will only load in normal boot mode. You can also see a Services tab in MSconfig. Using the Startup tab and Services tab you can experiment with the items that are in the difference list (the diff between your safe mode and normal mode logs) below. You can stop various ones from loading to see if any of them are causing this. I tend to doubt they are the cause but they could be.

    HERE ARE THE DIFFERENCES:
     
