OK guys, a question for the expert PC users amongst you.

 

Every time I start up my PC, the Systems 32 folder insists that I want it to open. Now as this folder contains some bloody important files, it is one of the last folders I want to open automatically. I have tried the obvious and checked what programmes I have specifically asked to be opened when I start up the PC and as far as I can tell, everything that is there is there for a reason. Any suggestions as to where else I can check would be much appreciated.

 

Also, on a fairly regular basis my PC tries to open AOL claiming that either I or a programme (usually verisign.com - whoever they are) have requested access to the internet. I have no idea what this web-site relates to and it is becoming a bit of a pain in the arse having to cancel the request. I check the cookies set on my PC on a regular basis and delete any that I don't want. Again, any suggestions would be appreciated.

 

Thanks,

 

Alan

Link to post
Share on other sites
Eneukman,

I don't think I am an expert on the subject, but I do believe that you have a worm/virus on your PC.

 

During the start-up it gets started together with the OS's system programs.

 

Then it tries doing what you have described.

 

Which anti-virus and firewall programs do you use? (I hope you do use them... :D)

 

Which OS do you run on your PC (WinXPHome, WinXPPro, Win2000, WinME, something else...)?

 

If I were you, I'd make a security copy of my data on a CD-R (or more CD-Rs, if you have more data), get a proper virus-scanner tool (using someone else's PC) and then run it on your PC.

 

Most important: do not connect to the internet anymore. If your PC is connected to a LAN (local-area-network), disconnect it. Switch it on just once, after you have a CD-R with all the necessary tools to clean your PC. First back-up your data and then try to clean your machine. If it is not possible, restart the machine (2nd start-up...) in the Safe Mode.

 

Hope this wasn't too technical. If it was, say it. Also, I believe there are other IT-guys around here (ting_tong, PattayaPete and w3bmast3r come to my mind...) who could help you.

 

All of this, of course, if you don't get lucky and someone tells you something similar to what I wrote above (don't connect to the internet etc.) before you read this - that would definitely be a better/luckier course of action.

 

Good luck. :)

 

:lol:

Link to post
Share on other sites

Babepecker, thanks for the suggestions.

 

I'm running Windows XP and use Norton Anti-Virus. Norton prompts me to update the anti-virus definitions on a regular basis and I always do them as soon as possible after that. Also, I do tend to download any patches provided by Microsoft though I'm not totally convinced as to how useful many of these really are.

 

I do a full anti-virus scan once a week and it has been some time since a virus was last detected on my pc. It was successfully removed from my pc 2 weeks after it was detected (it had been placed into quarantine in the intervening period).

I think therefore that it is unlikely (though doubtless not impossible) that I have a virus on my pc.

 

I visited Symantec's web-site tonight and ran their security check and it gave my pc a clean bill of health.

 

Good point about doing a back up of important files etc on my pc - something we all should do on a regular basis. It's some time since I last did a back up and I have to say that this is now long overdue.

 

Alan

Link to post
Share on other sites

Eneukman,

glad that the state of your PC's OS obviously didn't become critical in the meantime.

 

Norton AV is OK, but try getting some of the better freeware AV programs. Install them without letting them be resident in the memory/system-tray. Switch the NAv off and run the alternatives - more tends to be better... :D

For example, one of my current alternatives is downloadable from www.avast.com.

 

Do you use any ad-ware and/or spy-ware blocker?

 

A firewall?

 

Anyway, if your PC and NAV are still running it sounds like you picked nothing worse than a dialer or a spy-bot somewhere on the net. Still, the system32 folder bit would keep me worried. :P

 

A few days ago this entertainment machine of mine got compromised despite a firewall (the Norton one was on at that moment) - I didn't click onto something or open an e-mail attachment, it just came from the net. There are some nasty things on the net, lately... :(

 

Good luck

 

B)

Link to post
Share on other sites

Ok - before doing anything make sure you turn off system restore - you can always turn it back on when you know your machine is clean:

Right-click 'My Computer' then click 'Properties'. Click 'System Restore' tab then uncheck the box before 'Turn off System Restore'

Click OK. Restart your computer.

 

Once done, go to Housecall and run an online scan which will disinfect your system.

 

Reboot once done.

 

Next, download Ad-Aware

After installing AAW, and before running the program, you need to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

 

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

 

Press "Scan Now"

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

 

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys.

Right-click in that pane and choose "select all"

 

Now press "Next" again.

It will ask you whether you'd like to remove all checked items. Click OK.

 

Finally, close Ad-Aware, and reboot.

 

Doing the above should get rid of the known spyware in your system.

 

There's another one called Spybot - Search & Destroy - I'd recommend that you download & install this one too. Fairly self-explanatory.

 

As a final step - download Hijack This.

 

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed. Download and save the contents to the new folder you made and then navigate to the HijackThis.exe. Then, doubleclick HijackThis.exe, and hit "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet. I'll check back or you can PM to tell you what steps to take after you post the contents of the scan results.

 

Hope this helps! These pesky things are everywhere - I reckon every computer that spends any time on the internet is infected at one point or another. Having a good firewall will help. Windows XP users can download the latest Service Pack 2 from here but it is a BIG file! Over 270mb...

Link to post
Share on other sites

Thanks for the suggestions, triplegee. I'll try these when I get some free time.

 

I did download Ad-Aware not too long ago and run it on a fairly regular basis. The first time it removed a lot of crap but the last time I ran it there was nothing to clear. However, the reference file may well need updating so I'll do that as well.

 

Alan

Link to post
Share on other sites

OK guys, I tried Housecall but it found nothing untoward on my pc. Also, I updated my Ad-aware programme, which removed a few items that had previously been undetected.

 

None of these have solved the problems I've been having. I don't think there is anything major wrong with my PC as I'm sure something else would have manifested itself by now. It's just a pain in the arse having to close down the system 32 folder every time I switch the PC on. I have hidden the contents of the folder so I can't inadvertently delete anything that is vital to the PC's operation.

 

Any other suggestions?

 

Alan

Link to post
Share on other sites

Reinstall windows. :( If you have the necessary time... B)

Almost forgotten: not with the recovery CD, but the complete installation.

 

What has happened to the:

 

Also, on a fairly regular basis my PC tries to open AOL claiming that either I or a programme (usually verisign.com - whoever they are) have requested access to the internet.

?

 

I don't want to be negative, but it still sounds dangerous, the state of your PC, I mean.

Good luck. :)

 

:unsure:

Link to post
Share on other sites
As a final step - download Hijack This.

 

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. I suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed. Download and save the contents to the new folder you made and then navigate to the HijackThis.exe. Then, doubleclick HijackThis.exe, and hit "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet. I'll check back or you can PM to tell you what steps to take after you post the contents of the scan results.

 

Did you try this one Alan?? Let's give it a go before reinstalling windows.

Link to post
Share on other sites

Babepecker, I seem to have got rid of the verisign.com web-site trying to start up AOL. I've had a few problems with this in the past but deleting all unwanted cookies has usually resolved the problem.

 

Triplegee, I've now downloaded and run Hijack This. The attached is what it produced -

 

Logfile of HijackThis v1.97.7

Scan saved at 21:46:36, on 27/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\DELLMMKB.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Money\System\reminder.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\Nhksrv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\AOL 9.0\aoltray.exe

C:\Program Files\MSWorks\Calendar\MSWKSCAL.EXE

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AOL Companion\companion.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Documents and Settings\Alan\My Documents\Hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

R3 - Default URLSearchHook is missing

O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: (no name) - {0A28355C-1F91-A40D-886D-A91CDB01166D} - C:\WINDOWS\System32\hdfvtmpt.dll

O2 - BHO: (no name) - {3F31857E-22F1-4752-4E10-3EC6EC99E3CC} - C:\WINDOWS\System32\urmxxuoo.dll

O2 - BHO: (no name) - {59368E5A-D57B-F080-C413-CD0BA540D7A1} - C:\WINDOWS\System32\kvvsjifz.dll

O2 - BHO: (no name) - {79C7E745-0D1D-EC1A-1B91-C624F6D6A4D4} - C:\WINDOWS\System32\othbuecv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [spool ml710e] "C:\Program Files\spool\spool.exe"

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [

O4 - HKLM\..\Run: [

Error] c:\WINDOWS\System32\ <title>Error

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

Link to post
Share on other sites

Alan, there's a fair bit of fixing to do that will remove the annoying system32 folder opening startup issue.

 

Run Hijack This again, press scan and put a check mark against the following (I am working from top to bottom on your previous scan log):

 

R3 - Default URLSearchHook is missing

O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: (no name) - {0A28355C-1F91-A40D-886D-A91CDB01166D} - C:\WINDOWS\System32\hdfvtmpt.dll

O2 - BHO: (no name) - {3F31857E-22F1-4752-4E10-3EC6EC99E3CC} - C:\WINDOWS\System32\urmxxuoo.dll

O2 - BHO: (no name) - {59368E5A-D57B-F080-C413-CD0BA540D7A1} - C:\WINDOWS\System32\kvvsjifz.dll

O2 - BHO: (no name) - {79C7E745-0D1D-EC1A-1B91-C624F6D6A4D4} - C:\WINDOWS\System32\othbuecv.dll

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/079dbe33d2c926ad6e19/netzip/RdxIE2.cab

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

 

C:\WINDOWS\DELLMMKB.EXE - you only need this one if you use the multimedia keys on your Dell keyboard

 

Do you use AOL or AIM at all Alan?? If not, I would recommend uninstalling all AOL applications through Control Panel, Add/Remove Programs.

 

You will also want to remove the following files, it may take SAFE mode to do this...

C:\WINDOWS\System32\hdfvtmpt.dll

C:\WINDOWS\System32\urmxxuoo.dll

C:\WINDOWS\System32\kvvsjifz.dll

C:\WINDOWS\System32\othbuecv.dll

C:\Program Files\Common files\updater\wupdater.exe (delete the whole directory)

 

There is evidence of RapidBlaster on your system - you can download THIS application to remove it... it can be annoying to get rid of.

 

Are you running a program called Evidence Eliminator? If so no probs, if not - then check the following:

O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m

You should also uninstall & delete these files if you are not using the program.

 

Fingers crossed!! B)

Link to post
Share on other sites
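
The checks applied by eye to the log in the post above, written out as an added example (not part of the original thread and not HijackThis's own logic): it parses O1, O2 and O4 lines and flags hosts-file redirects, unnamed BHOs loading from System32, and Run values that are empty, contain HTML markup or point at a folder. The sample lines come from the posted log, with the run-together O1 line reduced to a single entry; the three heuristics and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: lines from the HijackThis log posted in this thread
# (the run-together O1 line is reduced to one host entry per line).
SAMPLE_LOG = r"""
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {0A28355C-1F91-A40D-886D-A91CDB01166D} - C:\WINDOWS\System32\hdfvtmpt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
"""

HOSTS = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
SYSTEM32 = "c:\\windows\\system32\\"


def review_reasons(line):
    """Return the reasons (possibly none) a log line deserves a manual look."""
    reasons = []
    m = HOSTS.match(line)
    if m and not m.group(1).startswith(("127.", "::1")):
        # A hosts entry pointing a name at a non-loopback address overrides DNS.
        reasons.append(f"hosts file sends {m.group(2)} to {m.group(1)}")
    m = BHO.match(line)
    if m:
        name, _clsid, dll = m.groups()
        if name == "(no name)" and dll.lower().startswith(SYSTEM32):
            reasons.append("unnamed BHO loading a DLL from System32")
    m = RUN.match(line)
    if m:
        _hive, name, command = m.groups()
        if not name.strip():
            reasons.append("Run value with an empty name")
        if re.search(r"[<>]", name + command):
            reasons.append("HTML markup inside a Run value")
        if command.strip('"').endswith("\\"):
            # Matches the folder-opens-at-startup symptom in this thread.
            reasons.append("Run command is a folder, not a program")
    return reasons


def triage(log_text):
    """Return (line, reasons) for every line with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        reasons = review_reasons(line.strip())
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{'; '.join(reasons)}\n    {line}")
```

A flagged line is a prompt for manual review, not a verdict; the legitimate Norton and Dell entries in the sample pass through unflagged.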

Triplegee.

 

Thanks for that. I use AOL and AIM but I'll have a go at deleting the others. I'll let you know how I get on.

 

Alan

Link to post
Share on other sites

Triplegee, you're a genius!

 

I ran Hijack This again and deleted the files you suggested and then restarted my PC. That seems to have done the trick as the Systems32 folder did not open up automatically. In fact neither did my calendar but I know how to fix that.

 

I haven't so far tried deleting some of the other files you suggested but I'll look at these later.

 

Thanks for all your help.

 

Alan

Link to post
Share on other sites
