[hikarikokoro]

Hi recently after clearing some viruses and adware from my computer i realise that the system32 folder will appear when i start my computer. I've searched the net to solve the problem but i still can't find a solution

I tried to use the 'System32 Folder Opens Upon Boot' at http://www.kellys-ko...m/xp_tweaks.htm to fix it but my computer responded - 'could not repair issue,expected value not found.'

I've also read up on the article at http://support.micro...om/?kbid=170086 but have no idea what is going on. I would appreciate if someone could help me thanks.


This is my HijackThis text file, hopefully it will be of help in tackling my computer problem.


edit by wannabe1: HJT log attached



This is my Look2Me-Destroyer text file.


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/21/2006 5:55:47PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Attached Files

•  HiJackThis_log.txt   8.64KB   63 downloads

Edited by wannabe1, 21 June 2006 - 09:08 AM.

[Advertisements]

I had the same problem once. This is how I fixed it.

Start -> Run -> Regedit

Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Then check the string (in the right window) called Shell. See if it is set to explorer.exe
If it's not set to explorer.exe, right click on it and select Edit, then change it to explorer.exe

Then there is a piece of registry that says explorer is a shell or a program (folder).
It actually tells Windows that it is a seperate process than the shell.
If you do the following, it should be fixed. If not, then I don't know how to fix it, because this worked for me.

1. Start Regedit
2. Go to HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer
3. Create a DWORD value called DesktopProcess
4. Give it a value of 1

[IO-error]

I had the same problem once. This is how I fixed it.

Start -> Run -> Regedit

Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Then check the string (in the right window) called Shell. See if it is set to explorer.exe
If it's not set to explorer.exe, right click on it and select Edit, then change it to explorer.exe

Then there is a piece of registry that says explorer is a shell or a program (folder).
It actually tells Windows that it is a seperate process than the shell.
If you do the following, it should be fixed. If not, then I don't know how to fix it, because this worked for me.

1. Start Regedit
2. Go to HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer
3. Create a DWORD value called DesktopProcess
4. Give it a value of 1

[hikarikokoro]

Thanks for the reply but i can't seem to find the piece of registry that says explorer is a shell or a program (folder).

[hikarikokoro]

Anyway, i did what you told me but the system32 folder still shows up. X_x

[wannabe1]

Hi hikarikokoro...

Click Start, then Run, type regedit, and click "Ok".

In Registry Editor, expand (click +) HKEY_LOCAL_MACHINE, then SOFTWARE, then Microsoft, then Windows, then CurrentVersion, and click on Run.

Is the top entry in the right pane "(Default)"?

Then expand (click +) HKEY_CURRENT_USER, then SOFTWARE, then Microsoft, then Windows, then CurrentVersion, and click on Run.

Is the top entry in the right pane "(Default)"?

wannabe1

[hikarikokoro]

Erm for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run there is a "(default)"

same goes for HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \Run, there is a "(default)" at the top

[wannabe1]

Sorry...I should have asked for the value of those (Default) strings. Can you give me the value (under the data column) for those keys?

[hikarikokoro]

Both have (value not set) under the data column.

Edited by hikarikokoro, 21 June 2006 - 12:29 PM.

[wannabe1]

In the left pane, expand (click +) HKEY_LOCAL_MACHINE, then SOFTWARE, then Microsoft, then Windows, then CurrentVersion, and click on Run. In the right pane, under the "Data" heading look at each value. If any values appear as "" post back.

While looking at this key, also see if the following string is present in the right pane...post back if present.

Name: ActiveMovie File Extensions
Type: REG_SZ
Data: ActMovie.exe /Check

Collapse these keys by clicking the - (just as you clicked on the + to expand them)

Then, in the left pane, expand (click +) HKEY_CURRENT_USER, then Software, then Microsoft, then Windows, then CurrentVersion, and click on Run. In the right pane, under the "Data" heading look at each value. If any values appear as "" post back.

[hikarikokoro]

Erm I'm afraid i will miss out important information to solve this troublesome problem, hope the posting of the entire thing information in my HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run will help.

For HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \Run I have,

Name : (Default)
Type:REG_SZ
Data: Value not set

Name:ctfmon.exe
Type:REG_SZ
Data:C:\WINDOWS\system32\ctfmon.exe

Name:Sony Ericsson PC Suite
Type:REG_SZ
Data:"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized

Name:SuperAdBlocker
Type:REG_SZ
Data:C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe

For HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,

Name: (Default)
Type:REG_SZ
Data:Value not set

Name:AGRSMMSG
Type:REG_SZ
Data:AGRSMMSG.exe

Name:Alaunch
Type:REG_SZ
Data:C:\Windows\alaunch.exe

Name:ccApp
Type:REG_SZ
Data:"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Name:IMJPMIG8.1
Type:REG_SZ
Data:"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

Name:MSPY2002
Type:REG_SZ
Data:C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

Name:PHIME2002A
Type:REG_SZ
Data:C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

Name:PHIME2002ASync
Type:REG_SZ
Data:C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

Name:QuickTime Task
Type:REG_SZ
Data:"C:\Program Files\QuickTime\qttask.exe" -atboottime

Name:RemoteControl
Type:REG_SZ
Data:"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

Name:SiSUSBRG
Type:REG_SZ
Data:C:\WINDOWS\SiSUSBrg.exe

Name:Symantec NetDriver Monitor
Type:REG_SZ
Data:C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

Name:Windows Defender
Type:REG_SZ
Data:"C:\Program Files\Windows Defender\MSASCui.exe" -hide

Edited by hikarikokoro, 21 June 2006 - 10:41 PM.

[wannabe1]

Good job... There's a couple there we might look at some more in a bit.

Click Start, then Run, type msconfig and click "Ok". Under the "Startup" tab, list anything for me with "System32" in the command column...particularly if it's there without anything else associated with it.

[hikarikokoro]

Erm in start,run,msconfig,startup i have

Startup item:ctfmon
Command:C:\WINDOWS\system32\ctfmon.exe

Startup Item:ImScInst
Command:C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe/SYNC

Startup Item:TINTSETP
Command:C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE/IMEName

Startup Item:TINTSETP
Command:C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE/SYNC

These are all the items with the system32 word in the command

Erm, i'm not sure wether this is of any importance, i will just type it down as it my be the key to my computer problem.

Under start,run,msconfig,startup i found a startup item,

Startupup item:AGRSMMSG
Command:AGRSMMSG.exe

I find it weird as compared to other startup items which have long commands.

Edited by hikarikokoro, 22 June 2006 - 05:07 AM.

[hikarikokoro]

These are the other startup item,

Startup item:MSASCui
Command:"C:\Programme Files\Windows Defender\MSASCui.exe"-hide

STartup item:SNDMon
Command:C:\PROGRA~1\SYMNET~1SNDMon.exe/Consumer

Startup item:SISUSBrg
Command:C:\WINDOWS\SISUSBrg.exe

Startup item:PDVDServ
Command:"C:\Programme Files\CyberLink\PowerDVD\PDVDServ.exe"

Startup item:qttask
Command:"C:\Programme Files\QuickTime\qttask.exe"-arboottime

Startup item:IMJPMIG
Command:"C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe"/Spoil/RemAdDef/Migration32

Startup item:ccApp
Command:"C:\Programme Files\Common Files\Symantec Shared\ccApp.exe"

Startup item:alaunch
Command:C:\WINDOWS\alaunch.exe

Startup item:Application Launcher
Command:"C:\Programme Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe"/Minimised

Startup item:SAdblock
Command:C:\Programme Files\SuperAdBlocker.com\Super Ad Blocker\SAdblock.exe

[wannabe1]

Startupup item:AGRSMMSG
Command:AGRSMMSG.exe

This is an IBM modem driver.

Go back to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Backup this key as follows: In the left pane, right click on Run, choose "Export" from the menu, save this to your desktop, name it runbu

Then, in the right pane, right click on each entry (except (Default)), and choose "Delete". When you are finished, the only string in "Run" should be (Default).

Close Registry Editor and reboot...does the System32 folder still open at startup?

[hikarikokoro]

Sadly system 32 folder still shows up.