system 32 on boot

Discussion in 'Software' started by hoffy628, Jun 4, 2006.

  1. hoffy628

    hoffy628 Private E-2

    Hello,
    like others I have found on the internet, I have been getting a Windows Explorer window that pops up every time I boot up my computer. The window contains the contents of the system32 folder.

    I have tried the following...
    in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    all that is left is
    name = (Default) type = reg_sz data = (value not set)
    name = (MSConfig) Type = reg_sz data = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    under the key
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    name = (Default) type = reg_sz data = (value not set)

    In MSConfig I checked diagnostic startup so nothing loads

    Problem persists.....
    I am at my wits end on this one... This seems to be a dell issue mostly, but I still am unable to come up with any kind of a fix....

    the issue started originally after using spybot and rougescanfix to get rid of a spyware program called spyquake, spyquake is now gone from the computer but I can get rid of the dang system 32 popup.

    here is a hijack this log if that will help...
    Thanks in advance for any help you can give..
    Hoffy

    Logfile of HijackThis v1.99.1
    Scan saved at 1:23:19 PM, on 6/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Sales\Local Settings\Temporary Internet Files\Content.IE5\LCGNH9ST\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    F2 - REG:system.ini: Shell=
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - blank (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136408355718
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    See if any of this helps:
    Anyway, this Windows System32 "folder" popping up at each boot is a fairly common problem for users of Windows NT 4.0, 2000, and XP operating systems. It's caused by an erroneous entry in one of the Registry keys that control programs launched at start-up.

    The good news is that there is an 'easy fix' available at Kellys-Korner-xp.com.

    Here's the Solution: Go to this Kellys-Korner link and when you get to that webpage; scroll down to #260 on the right-hand side, and click on the "System32 Folder Opens Upon Boot" entry.

    NOTE: To use the VBS Files: Download .vbs file and save it to your hard drive (you may want to right click and use Save Target As). Double click the vbs file. You will be prompted when the script is done.

    System32 Folder Opens When Logging on to Windows
    Go to Start/Run and type in: msinfo32
    From there navigate to Software Environment, Startup Programs. The Command column will show you the exact command line used. You are looking for a listing that uses a long file name/path with spaces in it, that is not enclosed in quotes. If found, that is the culprit. Go to Start/Run/msconfig/Startup.

    If this is the case go to Start/Run/Regedit:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Look here for the program/folder in question. If listed, double click the entry and put the full path name in quotes. And verify that all the values in these keys do not contain any incorrect, incomplete, or null entries (such as "").

    Do this first!!! System32 Folder Opens When Logging on to Windows http://support.microsoft.com/support/kb/articles/q170/0/86.asp
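
The check described in this post, as an added example that is not part of the original posts or of the Kellys-Korner script: a Python sketch that reads HijackThis `O4` startup lines, flags values that are empty, have no executable, or use an unquoted path containing spaces, and suggests the quoted form. The extension list used to find where the executable ends is an assumption, and the sample mixes three lines from the log above with three constructed ones.

```python
import re

# HijackThis startup line: O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] ?(.*)$")
# Assumption (heuristic): the executable ends at the first known extension
# that is followed by whitespace or the end of the string.
EXE_END = re.compile(r"\.(exe|com|bat|cmd|scr|pif)(?=\s|$)", re.IGNORECASE)


def audit_run_value(data):
    """Return (finding, suggested_data) for one Run value's data string."""
    cmd = data.strip()
    if cmd in ("", '""'):
        return "EMPTY", None  # null entry: nothing to launch
    if cmd.startswith('"'):
        closed = cmd.find('"', 1) > 0
        return ("OK" if closed else "UNBALANCED_QUOTE"), None
    m = EXE_END.search(cmd)
    if m is None:
        return "NO_EXECUTABLE", None  # incomplete entry, e.g. a bare folder
    exe, args = cmd[:m.end()], cmd[m.end():]
    if " " not in exe:
        return "OK", None
    # Quote only the executable path; arguments stay outside the quotes.
    return "UNQUOTED_SPACES", f'"{exe}"{args}'


def audit_log(lines):
    # One (key, value name, finding, suggested data) tuple per flagged line.
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, data = m.groups()
            finding, fix = audit_run_value(data)
            if finding != "OK":
                findings.append((hive + "\\" + key, name, finding, fix))
    return findings


# First three lines are from the log in this thread; the rest are constructed.
SAMPLE = [
    r'O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe',
    r'O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r',
    r'O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer',
    r'O4 - HKCU\..\Run: [ExampleTool] C:\Program Files\Example Tool\tool.exe /startup',
    r'O4 - HKCU\..\Run: [Leftover] ',
    r'O4 - HKLM\..\Run: [Stub] C:\WINDOWS\system32',
]
```

Calling `audit_log(SAMPLE)` returns the flagged entries only; whether the file an entry points to still exists has to be checked on the machine itself.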
     
  3. hoffy628

    hoffy628 Private E-2

    I have already tried that as well, it comes up with a message that says something to the effect that it can't find an error, I don't remember exactly what it says, but that is the basic message..
    Thanks anyway
     
  4. Matacumbie

    Matacumbie Rocky Top

    Go into your "Control Panel" and open "Folder Options", under the "View" tab make sure that "Restore previous folder windows at logon" is unchecked, click Apply/OK.

    Steve
     
  5. hoffy628

    hoffy628 Private E-2

    make sure that "Restore previous folder windows at logon" is unchecked


    It was unchecked, Thanks Steve

    anyone else????
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you by chance have sound blaster audigy installed?
    OR:
    The last time I saw this was after virus removal, and the command for its executable was still there in msconfig, even though the virus was gone. Look in the Run strings in the registry, there is an entry there that was probably left behind by a cleaned virus, since the file’s gone, the folder opens.
     
  7. hoffy628

    hoffy628 Private E-2

    No sound blaster, as far as the remnant left behind, don't think so, I disabled everything in msconfig using a diagnostic boot, and also deleted all lines except default in the registry that pertain to startup, at least in the two keys I mentioned in previous posts. Are there more keys that deal with startup?

    Thanks:eek:
     
  8. Matacumbie

    Matacumbie Rocky Top

    Did you ever try the fix from Kellys-Korner?

    It's #260 on the right-hand side here, http://www.kellys-korner-xp.com/xp_tweaks.htm

    To use the VBS Files: Download .vbs file and save it to your hard drive (you may want to right click and use Save Target As). Double click the vbs file. You will be prompted when the script is done.


    Steve
     
  9. hoffy628

    hoffy628 Private E-2

    Yes, I did try the fix from Kellys corner, it said something to the effect that no problem was found.
     
  10. Matacumbie

    Matacumbie Rocky Top

    OK, just covering all the bases.

    You also said you "do not" have the Creative Labs Sound Blaster, correct?

    Steve
     
  11. hoffy628

    hoffy628 Private E-2

    that is correct... I do not have a SB card
     
  12. Matacumbie

    Matacumbie Rocky Top

