windows/system32

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by joejoe172833, Mar 27, 2006.

  1. joejoe172833

    joejoe172833 Private E-2

    When I start up my computer I get a DOS message that

    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT
    C:\WINDOWS\SYSTEM32\VRUHZI.EXE
    ARE NOT SUITABLE TO RUN DOS OR MICROSOFT WINDOWS APPLICATIONS

    IN THE DETAILS OF THE ERRORS I FIND THAT

    C:\WINDOWS\MINIDUMP\MINI032606-04.DMP
    C:\DOCUME~1\HOME\LOCALS~\TEMP\WERA7.TMP.DIR00\SYSDATA.XML

    ARE PART OF THE PROBLEM THAT WILL BE SENT WITH THE ERRORS
     
  2. joejoe172833

    joejoe172833 Private E-2

    Help Please!!!!!!!!!!

    When I start up my computer I get a DOS message that

    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT
    C:\WINDOWS\SYSTEM32\VRUHZI.EXE
    ARE NOT SUITABLE TO RUN DOS OR MICROSOFT WINDOWS APPLICATIONS

    IN THE DETAILS OF THE ERRORS I FIND THAT

    C:\WINDOWS\MINIDUMP\MINI032606-04.DMP
    C:\DOCUME~1\HOME\LOCALS~\TEMP\WERA7.TMP.DIR00\SYSDATA.XML

    ARE PART OF THE PROBLEM THAT WILL BE SENT WITH THE ERRORS
     
  3. Adrynalyne

    Adrynalyne Guest

  4. joejoe172833

    joejoe172833 Private E-2

    system32 errors

    When I start up my computer I get a DOS message that

    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT
    C:\WINDOWS\SYSTEM32\VRUHZI.EXE
    ARE NOT SUITABLE TO RUN DOS OR MICROSOFT WINDOWS APPLICATIONS

    IN THE DETAILS OF THE ERRORS I FIND THAT

    C:\WINDOWS\MINIDUMP\MINI032606-04.DMP
    C:\DOCUME~1\HOME\LOCALS~\TEMP\WERA7.TMP.DIR00\SYSDATA.XML

    ARE PART OF THE PROBLEM THAT WILL BE SENT WITH THE ERRORS

    I have done all of the readme and runme stuff and have made a log and nothing has changed on my computer. I did not do the online stuff because the computer in question is not used online.
     


  5. AbbySue

    AbbySue MajorGeeks Administrator

    joejoe, I have merged your threads together. Please stay in one thread to avoid confusion. Thank you. :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: system32 errors

    Abby & Adryn,

    There is an abundance of malware present in this PC, there is no AV or firewall, and the OS is way out of date. This needs to be worked in the Malware Forum so I'm moving it there.

    joejoe172833,

    You need to do all of the below. And make sure you follow ALL steps and also install HijackThis properly when you get to step 7.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  7. Adrynalyne

    Adrynalyne Guest

    Re: system32 errors

    Works for me :)

    On that note, you have a PM :D
     
  8. joejoe172833

    joejoe172833 Private E-2

    thanks for the help. I ran all the scans and I have included the logs, my computer is working a little better but from looking at the logs I can tell there is still a lot wrong. I hope we can fix it. thanks
     


  9. joejoe172833

    joejoe172833 Private E-2

    sorry here is the activescan1 attachment the other one was a scan by Win anti-virus 2006 I just named it wrong
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well WinAntivirus is one of your problems and should be uninstalled. See it on the below list:

    http://www.spywarewarrior.com/rogue_anti-spyware.htm


    Please follow the steps below:

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.

    - Now boot in safe mode, run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disappear).

    - When abiremover finishes just reboot into normal and continue with the below steps.

    - Note: If ABIremover fails to remove the nail.exe & svcproc.exe problems (you can tell from your HJT log if they are gone), use the below uninstaller:

    Nail Uninstaller

    Make sure you tell me which of the above applications you ran and if they removed this problem.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Please also attach a new HJT log now that you have run the READ ME. But make sure you have followed step 0 (to uninstall various malware) and step 7 of the READ ME and have HijackThis installed correctly.
     
    Last edited: Mar 29, 2006
  11. joejoe172833

    joejoe172833 Private E-2

    OK new problems now. I can't find the random regkey to be able to run abiremover. I don't know if I am doing it wrong or if it's part of the problem. Also I never did run the windows installer package from read me run me because I don't have the current updates and they won't download when I go to microsoft to get them. I did however include the updated hijackthis log and I believe that I did it right this time.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't worry about it. It worked anyway and we made some progress. You have a ton more trojans in there but before I can workup a fix, I need one more quick item to be run.

    Let's get an installed programs list from HijackThis!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
    Last edited: Mar 31, 2006
  13. joejoe172833

    joejoe172833 Private E-2

    I couldn't get the uninstall list to upload but it's pretty short so here it is.



    Ad-Aware SE Personal
    CCleaner (remove only)
    Command
    Display Utility
    HijackThis 1.99.1
    HP Photo and Imaging 2.0 - All-in-One
    Intel(R) Extreme Graphics Driver
    MDS Search Booster
    Microsoft Office Professional Edition 2003
    Network Monitor
    Panda ActiveScan
    PCBugDoctor version 1.0.0.4
    PeoplePC Online
    PeoplePC:peoplePal Toolbar 3.0
    Spybot - Search & Destroy 1.4
    Win-dh
    Yahoo! Toolbar
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to Add/Remove programs and uninstall the below:
    Command
    MDS Search Booster
    Network Monitor
    Win-dh

    Then attach a new Uninstall list and also a new HJT log.
     
  15. joejoe172833

    joejoe172833 Private E-2

    I couldn't uninstall win-dh through add/remove programs and I had to go online to uninstall command but here are the logs
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Local Security Authority Subsystem Service (if that is not found, look for the short name: lsass)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    Windows Update Manager
    windows notify network
    Remote Procedure Call (RPC) Service <----**** Be careful to match this name exactly. There are two similarly named services that are valid. DO NOT stop or disable Remote Procedure Call (RPC) or Remote Procedure Call (RPC) Locator.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    aswUpdSv

    Now repeat the Delete NT Service steps for:
    UpdateMgr
    windows network notify service
    RpcSssvc
    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\DOCUME~1\Home\MYDOCU~1\SEMBLY~1\regedit.exe
    C:\Documents and Settings\Home\My Documents\??sembly\n?lookup.exe
    C:\WINDOWS\System32\dun.exe
    C:\WINDOWS\System32\dun.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - URLSearchHook: (no name) - {8443B309-C6D3-AFE4-68C2-BEFE6B2F9FF9} - C:\WINDOWS\deruvxlm.dll (file missing)
    O3 - Toolbar: Search - {B9B39E1A-218D-2DF1-1CE4-F2ED97AA27A7} - C:\WINDOWS\deruvxlm.dll (file missing)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\svchost.exe
    O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
    O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [Service Drivers] msnpg.exe
    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [Strc] "C:\DOCUME~1\Home\MYDOCU~1\SEMBLY~1\regedit.exe" -vt mt
    O4 - HKCU\..\Run: [Pybqzz] C:\Documents and Settings\Home\My Documents\??sembly\n?lookup.exe
    O4 - HKCU\..\RunServices: [Service Drivers] msnpg.exe
    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: http://download.windowsupdate.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    I'm not sure what these next two folders (??sembly and SEMBLY~1) will actually be named; these are shortened names. You will have to figure it out. Let me know what you find.
    C:\Documents and Settings\Home\My Documents\??sembly\n?lookup.exe <--- the whole ??sembly folder
    C:\Documents and Settings\Home\My Documents\SEMBLY~1\regedit.exe <--- the whole SEMBLY~1 folder
    C:\WINDOWS\System32\veritas.exe
    C:\WINDOWS\System32\msnpg.exe
    C:\WINDOWS\System32\msconfig32.exe
    C:\WINDOWS\System32\RpcSs.exe
    C:\WINDOWS\System32\dun.exe
    C:\WINDOWS\update\svchost.exe <-- only delete this one. Do not delete this file from C:\windows\system32
    C:\WINDOWS\csrssc.exe
    C:\WINDOWS\lsass.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  17. joejoe172833

    joejoe172833 Private E-2

    things seem to be working much better, but when I boot up my computer it tries to get me to connect and it's not set to do that in my startup. It says that me or a system is requesting information from a website (the name of it changes all the time).
    Also I couldn't find some of the stuff I was supposed to fix:
    windows update manager
    aswUpdSv
    update mgr
    windows\system32\dun.exe
    windows\system32\msnpg.exe
    windows\system32\veritas.exe
    windows\system32\msconfig32.exe

    Also there are no files in the folder windows\update
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you have a whole bunch of new infections that showed up. This happens quite often on systems like yours that do not have their Windows Updates and that do not have proper protection (like an antivirus and firewall in place). So before we even attempt another fix we need to first add an antivirus and a firewall. Otherwise these problems will keep coming back as fast as we clean them. We will work on your other problems (like not having any of your Windows Updates) later.

    First go to the following link step 2 and download and install AVG Free Edition antivirus.
    Then go to step 3 in the same link and download and install ZoneAlarmFree firewall.

    How to Protect yourself from malware!


    After installing the above two applications, continue with the below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows Service Manager (if that is not found, look for the short name: ServiceMgr )... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    ServiceMgr

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\windows\mousepad7.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Microsoft (R) Windows Service Manager] C:\WINDOWS\services\svchost.exe
    O23 - Service: Windows Service Manager (ServiceMgr) - Unknown owner - C:\WINDOWS\services\svchost.exe <--- this line should already be gone if above steps to stop service worked.

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\windows\newname7.exe <--- delete any files starting with the text newname and ending in .exe (like newname1.exe, newname2.exe...etc)
    C:\windows\mousepad7.exe <--- delete any files starting with the text mousepad and ending in .exe (like mousepad1.exe, mousepad2.exe...etc)
    C:\windows\keyboard7.exe <--- delete any files starting with the text KEYBOARD and ending in .exe (like KEYBOARD1.exe, KEYBOARD2.exe...etc)
    C:\WINDOWS\services\svchost.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  19. joejoe172833

    joejoe172833 Private E-2

    Ok I Installed All The Programs And They Are Working Fine. And I Deleted The Files You Said But I Couldn't Find
    Windows Service Manager Or Servicemgr
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because due to the malware you have hiding on your PC it is changing names (and sometimes spreading) after each reboot of your PC. So in between the time you post your log and I give you a fix, it has already changed before you come back to get the fix from me. Thus, from now on after you attach any logs, DO NOT power down or reboot until I give you the next steps. This way what I give you should still apply.

    We will try to fix things based on your last HJT log and maybe we will get lucky.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Hardware Clock Driver ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable steps for the below services:
    dllmgr64
    Windows Update Service
    Win32 Update

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    hwclock

    Now repeat the above Delete an NT Service steps for the below services:
    dllmgr64
    UpdateSvc
    Win32Update

    If you receive any error messages (like about a system critical process) just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\System32\win32update.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Win32 Kernel Update] C:\WINDOWS\System32\win32update.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Microsoft (R) Windows Update Service] C:\WINDOWS\update\wuauclt.exe
    O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing) <--- this line should already be gone if above steps to stop service worked.

    O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing) <--- this line should already be gone if above steps to stop service worked.

    O23 - Service: Windows Update Service (UpdateSvc) - Unknown owner - C:\WINDOWS\update\wuauclt.exe <--- this line should already be gone if above steps to stop service worked.

    O23 - Service: Win32 Update (Win32Update) - Unknown owner - C:\WINDOWS\oswinupdate.exe (file missing) <--- this line should already be gone if above steps to stop service worked.

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (Some of these may not be found. That's okay! Just continue.)
    C:\WINDOWS\System32\win32update.exe
    C:\WINDOWS\update\wuauclt.exe
    C:\WINDOWS\dllmgr64.exe
    C:\WINDOWS\System32\hwclock.exe
    C:\WINDOWS\oswinupdate.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    REMEMBER: DO NOT reboot or power down. You must wait to see the next steps.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
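
The HijackThis lines selected in the fixes above share a few recurring traits: Windows binary names (svchost.exe, wuauclt.exe, regedit.exe) started from the wrong folder, Run entries with no path at all, services listed with "Unknown owner", and "(file missing)" targets. The Python script below is an added example, not part of the original thread and not HijackThis's own logic, that flags those traits in O4 and O23 lines; the expected-folder table, the function names and the last sample line are assumptions made for illustration.

```python
import ntpath
import re

# Assumed reference table: where the genuine Windows XP copies of these
# binaries live. The names are the ones that appear in the thread.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "wuauclt.exe": r"c:\windows\system32",
    "regedit.exe": r"c:\windows",
}

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Either a quoted path, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b', re.IGNORECASE)


def image_path(cmd):
    """Return the lower-cased executable path of a command line, without arguments."""
    cmd = re.sub(r"%systemroot%", lambda _: r"C:\WINDOWS", cmd, flags=re.IGNORECASE)
    m = EXE_RE.match(cmd)
    path = (m.group(1) or m.group(2)) if m else cmd.split()[0]
    return ntpath.normcase(path)


def findings(line):
    """Return the list of reasons an O4/O23 line deserves a closer look."""
    line = line.strip()
    m = O4_RE.match(line) or O23_RE.match(line)
    if not m:
        return []
    reasons = []
    cmd = m.group("cmd")
    if cmd.endswith("(file missing)"):
        reasons.append("file-missing")
    folder, exe = ntpath.split(image_path(cmd))
    if not folder:
        # Bare file name: the entry does not say which copy will be started.
        reasons.append("no-path")
    elif exe in EXPECTED_DIR and folder != EXPECTED_DIR[exe]:
        # Same name as a Windows binary, but not in that binary's home folder.
        reasons.append("system-name-wrong-folder")
    if line.startswith("O23") and m.group("owner").lower() == "unknown owner":
        reasons.append("unknown-owner")
    return reasons


def flag_log(text):
    """Map each flagged log line to its reasons; unflagged lines are omitted."""
    flagged = {}
    for line in text.splitlines():
        reasons = findings(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


# The first five lines are quoted from the posts above; the last one is a
# constructed entry that should not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\svchost.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKCU\..\Run: [Strc] "C:\DOCUME~1\Home\MYDOCU~1\SEMBLY~1\regedit.exe" -vt mt
O23 - Service: Windows Update Service (UpdateSvc) - Unknown owner - C:\WINDOWS\update\wuauclt.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Vendor - C:\Program Files\Example\svc.exe
"""

if __name__ == "__main__":
    for entry, reasons in flag_log(SAMPLE_LOG).items():
        print(", ".join(reasons), "<-", entry)
```

A flag is a prompt to inspect the entry, not a verdict: as the thread itself shows, an unflagged line can still be malicious and names can change between reboots.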
     
  21. joejoe172833

    joejoe172833 Private E-2

    I found all of the stuff in services.msc this time and got rid of all of it in hijackthis so maybe we can get something accomplished. I will not reboot until you tell me to.
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great! Good job! The antivirus and firewall additions probably provided enough protection to stop this junk from killing you each time. Now your log is clean! :) I'm assuming everything is working better now! Is that a valid assumption?

    Now you need to complete the below ASAP. DO NOT delay in getting the Windows updates which are in the first step of the link below. (You already have step 2 & 3 done).

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  23. joejoe172833

    joejoe172833 Private E-2

    Yeah everything is working really good now. I will do the other stuff you said. Thank you so much for helping me with this, I would probably have gone out and bought another computer if you were not here.
    THANK YOU.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
  25. joejoe172833

    joejoe172833 Private E-2

    well everything seems to be running fine but I ran the avg antivirus and found a virus.
    c:\PLUGSIN.EXE\OMI.EXE TROJANHORSEDROPPER.AGENT.LA
    C:\PLUGSIN.EXE TROJANHORSEDROPPER.AGENT.LA


    I included another hijackthis log for you to look at
     


  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis is not a virus or spyware scanning program! It does not locate infections and it shows very little of what actually may exist on a PC.

    Decide for yourself what that folder or file is and delete it if you don't need it.

    Is c:\PLUGSIN.EXE a folder or a file? Looks like a folder!
     
