system 32 i found a problem i need help fixing it

fa sho dirrtay

I'm having a problem with the system 32 folder popping up
every time i log on. I checked the registry key for HKEY
LOCAL MACHINE and i found "" on this:

QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

i don't know how to fix this so can somebody kinda direct
to where i should be goin yeah!? thanks so much.
 
Rick \Nutcase\ Rogers

Hi,

That entry by itself will not cause this problem. Please see:

System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/?kbid=170086

Also, start/run msconfig, and see if there is a line that loads /L:ENG. It
comes from a SoundBlaster Audigy driver, and it can cause this problem as
well. If it exists, use the registry fix from MVP Kelly:

Line 260 on the right:
http://www.kellys-korner-xp.com/xp_tweaks.htm

It's far easier than mucking about in the registry. The problem can also be
caused by other incorrectly built registry strings. So, if the first two
steps don't help you, could you please export and post the contents of these
keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do this one
at a time). Click on the key, then on file/export. Give it any name, then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose edit, it
should open in notepad. Click edit/select all/edit/copy. Open a response to
this post and click in the message text area. Hit ctrl+v to paste the
contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
fa sho dirrtay

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,\
  00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00
"PopUpStopperProfessional"="C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\POPUPS~1.EXE"



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"SystemTray"="SysTray.Exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"TPP Auto Loader"="C:\\WINDOWS\\tppaldr.exe"
"EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"atjganym"="C:\\WINDOWS\\tfewgvqv.exe"
"WinFavorites"="C:\\Program Files\\WinFavorites\\WinFavorites.exe1"
"SafeSurfingUpdate"="C:\\WINDOWS\\System32\\SSUpdate.exe"
"Belt"="C:\\WINDOWS\\Belt.exe"
@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,\
  00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00
"nvid"="C:\\WINDOWS\\System32\\ymcxmajw.exe"
"UpdateStats"="C:\\Program Files\\Media\\Media\\UpdateStats.exe"
"RunWindowsUpdate"="C:\\WINDOWS\\uptodate.exe"
"updater"="C:\\Program Files\\Common files\\updater\\wupdater.exe"
"AutoUpdater"="C:\\PROGRA~1\\AUTOUP~1\\AUTOUP~1.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"SBHC"="C:\\Program Files\\SuperBar\\sbhc.exe"
"{2CF0B992-5EEB-4143-99C2-5297EF71F44B}"="rundll32.exe C:\\WINDOWS\\System32\\stlbupdt.DLL,DllRunMain"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"Rundll32_7"="rundll32.exe C:\\WINDOWS\\System32\\msiefr40.dll,DllRunServer"
"msbb"="C:\\WINDOWS\\msbb.exe"
"BEH"="C:\\WINDOWS\\BEH.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
 
Rick \Nutcase\ Rogers

Hi fa sho,

You have your work cut out for you. You will need the better part of a day
to do all this. Please do the following:

The first thing you need to do is get rid of the blaster worm:
"windows auto update"="msblast.exe"

Information:
http://www.kellys-korner-xp.com/xp_qr.htm#rpc
http://www.pchell.com/virus/msblast.shtml
http://vil.nai.com/vil/content/v_100499.htm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://www.bigblackglasses.com/Article.aspx?Article=342

You need the patch described here to protect against it:
MS03-039: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious
Programs
http://support.microsoft.com/?kbid=824146

Then you want to get rid of these trojans:
"atjganym"="C:\\WINDOWS\\tfewgvqv.exe"
"nvid"="C:\\WINDOWS\\System32\\ymcxmajw.exe"

Restart in Safe mode (hit F8 at bootup), search the system for tfewgvqv.exe
and ymcxmajw.exe, delete both. Then start/run regedit and delete those
strings from the run key they were in.

You should also remove these:
"WinFavorites"="C:\\Program Files\\WinFavorites\\WinFavorites.exe1"
"SafeSurfingUpdate"="C:\\WINDOWS\\System32\\SSUpdate.exe"

These pages explain how and why:
http://www.kephyr.com/spywarescanner/library/winfavorites/index.phtml
http://www.kephyr.com/spywarescanner/library/safesurfing/index.phtml

This one should go as well:
"Belt"="C:\\WINDOWS\\Belt.exe"

Why? See:
http://www.faqfarm.com/Computer/Virus/5922

More garbage:
"UpdateStats"="C:\\Program Files\\Media\\Media\\UpdateStats.exe"
"RunWindowsUpdate"="C:\\WINDOWS\\uptodate.exe"
"AutoUpdater"="C:\\PROGRA~1\\AUTOUP~1\\AUTOUP~1.EXE"
"SBHC"="C:\\Program Files\\SuperBar\\sbhc.exe"
"{2CF0B992-5EEB-4143-99C2-5297EF71F44B}"="rundll32.exe C:\\WINDOWS\\System32\\stlbupdt.DLL,DllRunMain"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"Rundll32_7"="rundll32.exe C:\\WINDOWS\\System32\\msiefr40.dll,DllRunServer"
"msbb"="C:\\WINDOWS\\msbb.exe"

Download and run Adaware to assist you with these. Go to www.lavasoft.de for
the latest version.

Definitely don't want this parasite either:
"updater"="C:\\Program Files\\Common files\\updater\\wupdater.exe"

Please see this link:
http://www.safersite.com/pestinfo/k/keenvalue.asp

These should be disabled on the startup tab of msconfig (start/run
msconfig). They are not harmful, but can be a nuisance. They do not need to
load at boot, and can bog down the system:
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

Another trojan:
"BEH"="C:\\WINDOWS\\BEH.exe"

See:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_WOMANIZ.C&VSect=T

After cleaning up all this mess (someone in your household likes to click on
anything that pops up in front of them), if the system32 folder still loads
at boot, start/run msconfig. On the general tab put the system in diagnostic
mode. Click apply/ok and reboot. Then, reverse the steps to put the system
in normal mode, it should no longer appear.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



<snip>
 
Guest

I have the same problem about the system32 folder. I did
what you said about editing the registries. Here's what
is in the saved files.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"=""
@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,\
  00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00
"StartUp WatchDog"="D:\\StartUp Watchdog\\StartUp.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

that WatchDog program u see up there is a spyware remover
and i installed that just last week. this problem has
been occurring for almost 4 months.

one thing i did see in the registry editor is when i
expand
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it shows a list of the files or registries and one
of them is > Name: Default > Type: REG_EXPAND_SZ > Data:
c:\WINDOWS\System32. i think that if i delete that file
that the problem will be fixed but i read about how using
the registry editor incorrectly could mess up my system
and i don't want to delete it without being sure.
 
Charlie

hey could you help me too? i replied just expand the
different branches of this topic.
 
Rick \Nutcase\ Rogers

Hi,

Export a copy of that key, then delete it. I suspect you will find that you
do not need it.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
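
The `@=hex(2):63,00,3a,...` line in both posted exports is the Default REG_EXPAND_SZ value described above. As an added example (not code from this thread), the Python below parses an exported Run key, decodes the `hex(2)` bytes, and lists the values to review; the function names and the two review rules (a populated default value, empty data) are assumptions made for illustration.

```python
import re

# Constructed input: Guest's HKCU export from this thread, forum line wrapping undone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"=""
@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,\
  00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00
"StartUp WatchDog"="D:\\StartUp Watchdog\\StartUp.exe"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(s):
    # .reg strings escape backslashes and quotes with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}}; '@' names the default value."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # trailing backslash = hex continuation
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            name, raw = m.groups()
            name = name if name == '@' else unescape(name[1:-1])
            if raw.startswith('hex(2):'):  # REG_EXPAND_SZ: UTF-16LE bytes, NUL-terminated
                blob = bytes(int(b, 16) for b in raw[7:].split(',') if b.strip())
                current[name] = ('REG_EXPAND_SZ', blob.decode('utf-16-le').rstrip('\x00'))
            elif raw.startswith('"'):
                current[name] = ('REG_SZ', unescape(raw[1:-1]))
    return keys

def malformed_run_values(keys):
    """Illustrative rules: on a Run key, report a populated default value or empty data."""
    out = []
    for path, values in keys.items():
        if path.lower().endswith('\\currentversion\\run'):
            for name, (_, data) in values.items():
                if name == '@' or not data.strip():
                    out.append((name, data))
    return out

if __name__ == '__main__':
    for name, data in malformed_run_values(parse_reg(SAMPLE_REG)):
        print(f'{name!r} -> {data!r}')
```

Subkeys such as `Run\OptionalComponents` are parsed but not reported, since only values directly under a `Run` key are checked.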



 
Rick \Nutcase\ Rogers

Hi Charlie,

Go ahead and post the contents of those keys if you have already tried the
other fixes that were recommended.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
Charlie

Thanks a lot it worked. I'm going to save the exported
copy for a few days just in case though, but thanks again.

 
