
Thread: System 32 folder?!


  1. #1
    Join Date
    Jan 2007
    Posts
    26

    System 32 folder?!

    I'm using Windows XP Home SP2 and every time I login to my computer on any user name, the system 32 folder opens up. I've tried Registry Editor but nothing happened...Any ideas? Here's my logfile:


    Logfile of HijackThis v1.99.1
    Scan saved at 2:09:41 PM, on 7/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Common Files\AOL\1144545010\ee\aolsoftware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Tony.YOUR-AT5QGAAC3Z\Desktop\PC Clean-Up\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1150985641640
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1150998811843
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

  2. #2
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056

    Originally Posted by pcSOSpc
    I'm using Windows XP Home SP2 and every time I login to my computer on any user name, the system 32 folder opens up. I've tried Registry Editor but nothing happened...Any ideas? Here's my logfile:


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    From what I could see, your system was infected at some point and possibly it still is.

    Generally an invalid startup entry (O4) could cause Windows to display this because a startup entry that was located either in the Windows or System32 folder is being called, but since it no longer exists, it simply shows the location folder.
    Another common place for this invalid entry to be in is either win.ini or system.ini files. I advise you to check these system files as well by:
    START > RUN > type win.ini > OK & START > RUN > type system.ini > OK.

    I am moving this thread to the Spyware section. There might be more to this problem than just the system32 folder opening upon bootup.
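
An added example, not written by any poster in this thread: the legacy autostart settings in these two files are `load=` and `run=` under `[windows]` in win.ini and `shell=` under `[boot]` in system.ini, and this sketch lists the programs they name and reports the ones whose file no longer exists. The sample file contents, the program names `helper.exe` and `leftover.exe`, and the splitting of values on spaces and commas are assumptions made for illustration.

```python
import configparser
import ntpath
import re

# Legacy autostart settings: win.ini [windows] load=/run=, system.ini [boot] shell=
AUTOSTART_KEYS = {"windows": ("load", "run"), "boot": ("shell",)}
SEARCH_DIRS = (r"C:\WINDOWS", r"C:\WINDOWS\system32")  # where bare names resolve

def autostart_entries(ini_text):
    """Return (section, key, command) for every program named by an autostart key."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(ini_text)  # strict=False tolerates repeated keys such as device=
    found = []
    for section in cp.sections():
        for key in AUTOSTART_KEYS.get(section.lower(), ()):
            value = cp.get(section, key, fallback=None) or ""
            # Assumption: entries are separated by spaces or commas (short paths)
            for cmd in re.split(r"[,\s]+", value.strip()):
                if cmd:
                    found.append((section.lower(), key, cmd))
    return found

def missing_targets(ini_text, exists, search_dirs=SEARCH_DIRS):
    """Return the autostart entries whose target file cannot be found."""
    missing = []
    for section, key, cmd in autostart_entries(ini_text):
        if ntpath.isabs(cmd):
            candidates = [cmd]
        else:
            candidates = [ntpath.join(d, cmd) for d in search_dirs]
        if not any(exists(c.lower()) for c in candidates):
            missing.append((section, key, cmd))
    return missing

# Constructed sample contents (not taken from the poster's machine)
SAMPLE_WIN_INI = """\
[windows]
load=
run=helper.exe leftover.exe
"""
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
[386Enh]
device=*vpd
device=*vshare
"""
# Constructed list of files that exist, lower-cased; on the machine itself
# pass os.path.exists as the `exists` argument instead.
PRESENT = {r"c:\windows\explorer.exe", r"c:\windows\helper.exe"}
```

An empty `load=` or `run=` line yields no entries, so only values that actually name a program are checked.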

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    http://support.microsoft.com/default...b;en-us;170086

    On the other hand, you may be reluctant to use the Registry Editor.
    If you go to this page:

    http://www.kellys-korner.com/xp_tweaks.htm

    and then look for item number 260 (System32 Folder Opens Upon Boot) on the right-hand side of the table, you can download a Visual Basic script for solving the problem.

  4. #4
    Join Date
    Jan 2007
    Posts
    26
    My computer definitely was infected but I think I fixed it. This system32 problem has been occurring ever since I got rid of the trojan. I now use AVG 7.5.476 and SpywareBlaster 3.5.1. Anyway, I fixed those two items in my logfile but the problem still occurs. Now what am I looking for when I check the win.ini and system.ini files? How do I know if an entry is invalid? Also I downloaded the Visual Basic script and ran the program but a message comes up saying "The script cannot repair your issue. The expected Registry value was not found." Lastly...The Microsoft support page pertaining to this issue is a little confusing for me due to the fact that I cannot tell whether or not these registry values are incomplete or null. I saved a couple of screenshots of these registry values, maybe you can guide me by looking at them? Thanks so much!

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Somebody else may have a different opinion but your registry entries look ok to me. What was the name of the Trojan you had and how did you get rid of it?

  6. #6
    Join Date
    Jan 2007
    Posts
    26
    I'm not exactly sure what the Trojan was called but I know it had something to do with Win32, maybe like Win32.exe or something? Anyway, you actually were the one who helped me get rid of it. I was looking for the threads but couldn't find them. I used a different username during that point in time; it was ImdefNotAGeek. I got AVG and got rid of all other anti-virus I had installed and also got spyware blaster and RegMechanic.

  7. #7
    Your HijackThis log looks awfully short to me. Also, HijackThis is in a folder on your desktop; this is not a good location for HJT for several reasons.

    Move HJT to either C:\HJT or C:\Program Files\HJT. Then rename hijackthis.exe to analyze.exe.

    Now do the following:

    Download:
    - ISeeYouXP.zip by ShadowPuterDude

    Extract the contents of ISeeYouXP.zip to the root directory of drive C:\. This will create a folder named ISeeYouXP in the root directory of Drive C.

    Using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) navigate to C:\ISeeYouXP and locate:
    ShowIt.bat
    ISeeYouXP.bat

    Double-click each batch file, in the order listed, to run the scripts.

    (Do not attempt to run this program from inside the ZIP file or by using Winzip or similar tool. It will not work properly.)

    Possible Error Messages
    • If your ISeeYouXP.txt log appears to be empty or semi-empty or you get an error message similar to the below when running ISeeYouXP.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.
    • To fix the above error message, choose the download below which is appropriate for your system
      • For Windows XP Pro: download and run: XPproFix
      • For Windows XP Home: download and run: XPHomeFix
      • For Windows 2000: download and run: W2KFix
      Then run ISeeYouXP.bat again and attach the log.
    • A possible second type of error message may occur as shown in the quote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem
    16 bit MS-DOS Subsystem
    drive:\program path
    XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.

    -or-

    16 bit MS-DOS Subsystem
    drive:\program path
    SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.

    Attach the following logs:
    ISeeYouXP
    HijackThis
    a-squared Team - www.emsisoft.com

    "Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
    Microsoft Most Valuable Professional - Consumer Security (2007-2008)
    Member - Alliance of Security Analysis Professionals - Since 2006
    Linux Registered User # 363218

  8. #8
    Join Date
    Jan 2007
    Posts
    26

    System 32 folder?1

    Thanks so much for all your time and help...I did everything you said in the order given (thanks for the detailed instructions!), and everything worked just fine. Here are my HJT and ISUXP logs.
    Attached Files

  9. #9
    Join Date
    Jan 2007
    Posts
    26
    help?????

  10. #10
    Join Date
    Aug 2006
    Posts
    2,763
    The HijackThis log looks good except for a couple of entries.
    Do you know what this is?
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

    Some file description DBs have it listed as belonging to a support service for a 3rd party MFG device, so it is probably OK.

    We are pretty much all asleep right now, but I'll let Shadowputerdude look at the rest of the info. Judy is on vacation for the weekend and I'm not well versed in XP, so I can't help much on the system32 folder issue.
