[Mamabeah]

Hello,

While getting help with adware problem, I have aquired another one. System 32 folder keeps appearing in start up with lots of unknown files. I was told that there are a few suspicious looking items there from what I could C&P, but I'm having trouble pasting the entire folder for viewing.

Here is a link to malware thread so you can see what was done.

http://www.geekstogo...pic=100235&st=0

[Advertisements]

Hello Mamabeah

Before we start changing any configurations, please download and run WinAudit. Save the audit to your desktop as a HTML file. You will see three new HTML files on the desktop...Attach the one named "rightframe.html" to your next post. (please note...attach the audit...not copy/paste) You may then delete the files from your desktop.

wannabe1

[wannabe1]

Hello Mamabeah

Before we start changing any configurations, please download and run WinAudit. Save the audit to your desktop as a HTML file. You will see three new HTML files on the desktop...Attach the one named "rightframe.html" to your next post. (please note...attach the audit...not copy/paste) You may then delete the files from your desktop.

wannabe1

[Mamabeah]

Okay, here's the attachment

I removed the attachment as wannabe1 has copied the bits he needs

Edited by Keith, 04 March 2006 - 04:58 PM.

[wannabe1]

Before I drag you kicking and screeming into the registry...let's try to run a script on this problem. When I finish researching the files you have listed as residing in the System32 folder, I'll get back to you on just what they are.

Download the attached folder and extract the file to your desktop. Double click the extracted file and accept any prompts to let it run. Reboot and let me know if the System32 folder still opens on startup.

wannabe1

Attached Files

•  xp_system32opens.zip   470bytes   122 downloads

[Mamabeah]

Won't let me open it. Says "this script cannot repair my issue. The expected registry was not found...

[wannabe1]

Click Start, then Run, type regedit, and click "Ok".

In the left pane, expand (click +) HKEY_LOCAL_MACHINE, then SOFTWARE, then Microsoft, then Windows, then CurrentVersion, and click on Run. In the right pane, under the "Data" heading look at each value. If any values appear as "" post back.

While looking at this key, also see if the following string is present in the right pane...post back if present.

Name: ActiveMovie File Extensions
Type: REG_SZ
Data: ActMovie.exe /Check

Collapse these keys by clicking the - (just as you clicked on the + to expand them)

Then, in the left pane, expand (click +) HKEY_CURRENT_USER, then Software, then Microsoft, then Windows, then CurrentVersion, and click on Run. In the right pane, under the "Data" heading look at each value. If any values appear as "" post back.

wannabe1

[Mamabeah]

Okay, there are three " " values in both HKEY local machine and HKEY current user.

They are Lexmark, Quiktime and something called Tkbellexe.

I hope that means something to *you, cuz I'm clueless

[Mamabeah]

also
ActiveMovie File Extensions is not present

[wannabe1]

Tkbellexe...is a leftover malware entry...we'll remove that in a few minutes.

One more check and we'll get to it.

Click Start, then Run, type msconfig, and click "Ok".

Under the "Startup" tab, are there any entries that have system32 in them? If so, list them here for me. I didn't see any in the audit, but thought we should double check.

[Mamabeah]

looks like igfxtray and hkcmd are in system

[wannabe1]

Okie Dokie...

Go back into the Registry Editor (regedit). Click "File" on the Toolbar and choose "Export". In the Export window's "Save in" menu, choose "Desktop"...name the file 030406 and click "Save".

In the left pane, expand (click +) HKEY_LOCAL_MACHINE, then SOFTWARE, then Microsoft, then Windows, then CurrentVersion, and click on Run. In the right pane, delete all entries except "Default".

Then, in the left pane, expand (click +) HKEY_CURRENT_USER, then Software, then Microsoft, then Windows, then CurrentVersion, and click on Run. In the right pane, delete all entries except "Default".

Close the Registry Editor and reboot.

Any difference?

wannabe1

[Mamabeah]

I wish I could say yes. That folder is still in startup.

[wannabe1]

That's ok...these can be a bit tricky.

Let's go ahead and restore the registry to the way it was. Right click on the file I had you dave to the Desktop, choose "Merge", and accept the change.

In msconfig, under the startup tab, is there an entry ending in /l:eng?

[Mamabeah]

I don't know if this makes any difference, but here are some things that I see new in this start up folder since my limewire issue. Plus, in the malware thread, there was a mention of somethings in that folder that were problematic.

realarcade_seedcorn_stub.exe
wapitr.exe
zxdnt3d.cfg
sporder.dll
acwfs4t2.exe
PERFH009.DAT
PERFC009.DAT
WPA.DBL
STATUS.MPF
wrlzma.dll
conime.exe (this was discussed on old thread...you might want to refer back).

[Mamabeah]

In msconfig, under the startup tab, is there an entry ending in /l:eng?


No, I don't see that.