Dismiss Notice

Psst... Ready to join TalkBass and start posting, make new friends, sell your gear, and more?  Register your free account in 30 seconds.

My "System32" folder opens up when my computer starts....

Discussion in 'Off Topic [BG]' started by Ty McNeely, Feb 13, 2004.


  1. Ty McNeely

    Ty McNeely

    Mar 27, 2000
    TX
    Any ideas why my "C:\Windows\System32" folder opens up whenever my computer starts up?? Can't figure out why it's doing it.

    Thanks! :cool:
     
  2. JMX

    JMX Vorsprung durch Technik

    Sep 4, 2000
    Cologne, Germany
    Is there are file called autorun.inf in that folder? If so, delete it.
     
  3. Figjam

    Figjam

    Aug 5, 2003
    Boston, MA
    My bro fixed that on my friends comp , forgot how he did it though. I dont think its as simple as the autorun, bc i belive its from a virus of some sort, bc i know multiple people who have/had it.
     
  4. Toasted

    Toasted

    May 26, 2003
    Leeds, UK
    _most_ viruses hide in system32 dir. just a piece of anecdotal knowledge.
     
  5. primesuspect

    primesuspect

    Feb 11, 2004
    Detroit, MI
    You have something that's starting at bootup that is looking for something in that folder that is no longer there. Have you recently killed any viruses or trojans, or done a spyware scan?

    Run a program called HiJackThis. Be careful - do NOT fix anything yet. Post the output of that program in this thread and I'll tell you what to do from there.

    You'll have to cut and paste it in here - it's a lot of crap.

    Also, read my article on spyware removal - it might help you.
     
  6. Ty McNeely

    Ty McNeely

    Mar 27, 2000
    TX
    Logfile of HijackThis v1.97.7
    Scan saved at 6:21:06 PM, on 2/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\McAfee.com\MPS\mscifapp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Ty\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://resnet.baylor.edu/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://resnet.baylor.edu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Baylor University Resnet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=https://resnet.baylor.edu
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud5.sports.yahoo.com/java/y/nflgcst1008_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/99...W/win/061-0848.20031022.TtzS4/iTunesSetup.exe
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F1154108-FB75-47EB-9A7E-4DD28DBDAF34} - http://www.threedegrees.com/td_netd.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  7. Ty McNeely

    Ty McNeely

    Mar 27, 2000
    TX

    There is an "autoexec.nt," "autofmt" and "autolfn," but thats it.
     
  8. Ty McNeely

    Ty McNeely

    Mar 27, 2000
    TX
    good lord......

    tells my life story, eh?
     
  9. primesuspect

    primesuspect

    Feb 11, 2004
    Detroit, MI
    Okay, you have some crappy stuff in there:

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

    Get rid of those two - they're trojans.

    Here's some other things that you can get rid of. They aren't necessarily malicious, but they are essentially pointless and only serve to impact the overall performance of your computer:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    Let me know if that does the trick.
     
  10. Ty McNeely

    Ty McNeely

    Mar 27, 2000
    TX


    Did what you said and it still pops up :meh:
     
  11. primesuspect

    primesuspect

    Feb 11, 2004
    Detroit, MI
    Have you run Spyboy search and destroy, with the latest updated definitions?

    Also, run CWShredder just in case....
     
  12. Ty McNeely

    Ty McNeely

    Mar 27, 2000
    TX
    I ran Spybot today actually--before I ever even posted about it. I did update too.

    I've never heard of CWShredder, so I'll DL it and see whats up and get back to you.
     
  13. primesuspect

    primesuspect

    Feb 11, 2004
    Detroit, MI
    Yeah, that's what I think caused your issue - you ran spybot, and it killed a piece of spyware that was in your SYSTEM32 folder, but there's something that is still telling that spyware to launch... But since Spybot killed the file, it's just launching the SYSTEM32 folder where it can't find whatever it's looking for.
     
  14. primesuspect

    primesuspect

    Feb 11, 2004
    Detroit, MI
    get rid of this one too:

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
     
  15. Ty McNeely

    Ty McNeely

    Mar 27, 2000
    TX
    which means what?? how can I get it to stop? any ideas??

    want me to post the contents of my system32 folder here??
     
  16. primesuspect

    primesuspect

    Feb 11, 2004
    Detroit, MI
    No, don't post the contents of the sys32 folder, it won't help.

    Did you remove that last one I just mentioned? Did that help?
     
  17. bentem

    bentem

    Oct 18, 2002
    Rockville, MD
    I have that virus too. I hate it. I get that folder popup, among other things. Whenever i get to the virus files, either through adaware, or norton, or myself, it wont let me dfelete them. I think ill just wipe the disk clean.
     
  18. Ty McNeely

    Ty McNeely

    Mar 27, 2000
    TX
    Yes I did and no it didn't :(
     
  19. primesuspect

    primesuspect

    Feb 11, 2004
    Detroit, MI
    No biggie, let's just keep at it.

    Okay, this key is really weird to me:

    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC 1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"

    I'd like to see if deleting that fixes it. Be forewarned that it might make your printer stop working .. IF IT DOES, all you have to do is download the Epson Stylus C82 drivers from the epson website and reinstall the printer. No biggie.
     
  20. Ty McNeely

    Ty McNeely

    Mar 27, 2000
    TX
    I don't think I'm even going to bother deleting it--that is my printer, which is hooked up to USB port #1.