System 32 folder

[Ross]

Any reason my system 32 folder pops up first no matter who logs on? Only 2
things in my startup folder is an MsWorks calendar reminder and a program
called "updater". After tracking "updater" down it is in the
C:\programs\common files and that has an icon that says "sui MFC
application". My suspicions are that this should not be here.....

My XP Home has been up and running 14 months and has all the updates
installed. I've used Spybot religiously and it seems to catch most
everything but this system 32 popup has me a bit stumped!

Any help suggestions welcome!!

Thanks,

Ross

 

[Carey Frisch [MVP]]

Visit http://www.kellys-korner-xp.com/xp_tweaks.htm and scroll down
to Item No. 260. In the right column, click on "System32 Folder Opens
Upon Boot". Download this repair file and then run the repair.

[Courtesy of MS-MVP Kelly Theriot]

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

--------------------------------------------------------------------------------------------


| Any reason my system 32 folder pops up first no matter who logs on? Only 2
| things in my startup folder is an MsWorks calendar reminder and a program
| called "updater". After tracking "updater" down it is in the
| C:\programs\common files and that has an icon that says "sui MFC
| application". My suspicions are that this should not be here.....
|
| My XP Home has been up and running 14 months and has all the updates
| installed. I've used Spybot religiously and it seems to catch most
| everything but this system 32 popup has me a bit stumped!
|
| Any help suggestions welcome!!
|
| Thanks,
|
| Ross
|
|

 

[Rick \Nutcase\ Rogers]

Hi Ross,

System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/?kbid=170086

However, there are a few other possible causes. Could you please export and
post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do this one
at a time). Click on the key, then on file/export. Give it any name, then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose edit, it
should open in notepad. Click edit/select all/edit/copy. Open a response to
this post and click in the message text area. Hit ctrl+v to paste the
contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

 

[Ross]

Thanks but it did not work... The error message said it could not find the
expected registry entry to correct...any other thoughts? Thanks again!

Ross

 

[Ross]

Thanks! As requested for your help:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="\"C:\\Riva Tuner\\RivaTuner.exe\" /S"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common
Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"FMT"="C:\\WINDOWS\\FMT.exe"
"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"
@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,5
3,\
00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00
"SafeSurfingUpdate"="C:\\WINDOWS\\System32\\SSUpdate.exe"
"pytbxqor"="C:\\WINDOWS\\System32\\mnqwmpwg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo
mponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo
mponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo
mponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo
mponents\MSFS]
"Installed"="1"

NEXT KEY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>NEXT KEY

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


Thanks Again!!

 

[Rick \Nutcase\ Rogers]

Hi Ross,

Delete these two:

"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

"pytbxqor"="C:\\WINDOWS\\System32\\mnqwmpwg.exe"

Then reboot, see what happens. I suspect both may be trojans.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

Thanks! As requested for your help:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="\"C:\\Riva Tuner\\RivaTuner.exe\" /S"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"QuickTime Task"="\"C:\\Program

Files\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"C:\\Program Files\\Common
Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"FMT"="C:\\WINDOWS\\FMT.exe"
"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"
@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,5

3,\
00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00
"SafeSurfingUpdate"="C:\\WINDOWS\\System32\\SSUpdate.exe"
"pytbxqor"="C:\\WINDOWS\\System32\\mnqwmpwg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo
mponents\MSFS]
"Installed"="1"

NEXT KEY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>NEXT KEY

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


Thanks Again!!

Hi Ross,

System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/?kbid=170086

However, there are a few other possible causes. Could you please export and
post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do this one
at a time). Click on the key, then on file/export. Give it any name, then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose edit, it
should open in notepad. Click edit/select all/edit/copy. Open a response to
this post and click in the message text area. Hit ctrl+v to paste the
contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



Only

 

[Ross]

No go.....still comes up to the system 32 window. A quick check of the reg
entry shows that the items did not re appear at least. I'm game for
anything else!

Ross

Hi Ross,

Delete these two:

"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

"pytbxqor"="C:\\WINDOWS\\System32\\mnqwmpwg.exe"

Then reboot, see what happens. I suspect both may be trojans.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

Thanks! As requested for your help:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="\"C:\\Riva Tuner\\RivaTuner.exe\" /S"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"QuickTime Task"="\"C:\\Program

Files\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"C:\\Program Files\\Common
Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"FMT"="C:\\WINDOWS\\FMT.exe"
"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,5[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MSFS]
"Installed"="1"

NEXT KEY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>NEXT KEY

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


Thanks Again!!

Hi Ross,

System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/?kbid=170086

However, there are a few other possible causes. Could you please

export
and

post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do

this
one

at a time). Click on the key, then on file/export. Give it any name, then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose

edit,

it response
to

 

[Rick \Nutcase\ Rogers]

Hi Ross,

Ok, the rest of the entries look ok.

1) A question: Do you have any Norton Products installed?

2) Try deleting the updater.exe file from the startup folder (just leave it
in the recycle bin for now, do not permanently delete it).

3) Also, let's expand the search a bit. Start/run msinfo32, expand the
software environment and click on the startup programs. Click edit/select
all/edit/copy, and (same as before) open a new post and use ctrl+v to paste
the contents.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

No go.....still comes up to the system 32 window. A quick check of the reg
entry shows that the items did not re appear at least. I'm game for
anything else!

Ross

Hi Ross,

Delete these two:

"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

"pytbxqor"="C:\\WINDOWS\\System32\\mnqwmpwg.exe"

Then reboot, see what happens. I suspect both may be trojans.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

Thanks! As requested for your help:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="\"C:\\Riva Tuner\\RivaTuner.exe\" /S"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"QuickTime Task"="\"C:\\Program

Files\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"C:\\Program Files\\Common
Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"FMT"="C:\\WINDOWS\\FMT.exe"
"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,5[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MSFS]
"Installed"="1"

NEXT KEY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>NEXT KEY

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


Thanks Again!!


Hi Ross,

System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/?kbid=170086

However, there are a few other possible causes. Could you please export
and
post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do this
one
at a time). Click on the key, then on file/export. Give it any name, then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose

edit,

it
should open in notepad. Click edit/select all/edit/copy. Open a response
to
this post and click in the message text area. Hit ctrl+v to paste the
contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



Any reason my system 32 folder pops up first no matter who logs on?
Only
2
things in my startup folder is an MsWorks calendar reminder and a
program
called "updater". After tracking "updater" down it is in the
C:\programs\common files and that has an icon that says "sui MFC
application". My suspicions are that this should not be here.....

My XP Home has been up and running 14 months and has all the updates
installed. I've used Spybot religiously and it seems to catch most
everything but this system 32 popup has me a bit stumped!

Any help suggestions welcome!!

Thanks,

Ross

 

[Ross]

Thanks....actually I do not have Norton, guess its time to put it on. I took
it off when I put on XP and set my system up as a RAID 0. Bad move on my
part. I did a check online at the Norton site and it found the following on
my system: W95.Hybris.Plugin , W95.Hybris.worm, Backdoor.Imiserv,
Downloader.MSCache , Trojan dropper and Trojan.Sinkin infecting a total of 7
files....anyway my startup is below. Thanks again!!

c:\windows\system32\ All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FMT c:\windows\fmt.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS "c:\program files\messenger\msmsgs.exe" /background LIVINGROOM\Ross
HKU\S-1-5-21-1715567821-152049171-1957994488-1004\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run
Microsoft Works Calendar Reminders
c:\windows\installer\{1f90c982-33c6-11d3-a3e0-00c04f7989d8}\8a70a30d.exe All
Users Common Startup
NvCplDaemon rundll32.exe nvqtwk,nvcpldaemon initialize All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RivaTunerStartupDaemon "c:\riva tuner\rivatuner.exe" /s All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SafeSurfingUpdate c:\windows\system32\ssupdate.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe "c:\program files\common
files\real\update_ob\realsched.exe" -osboot All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop desktop.ini NT AUTHORITY\SYSTEM Startup
desktop desktop.ini LIVINGROOM\Ross Startup
desktop desktop.ini .DEFAULT Startup
desktop desktop.ini All Users Common Startup
updater c:\program files\common files\updater\wupdater.exe All Users Common
Startup

Hi Ross,

Ok, the rest of the entries look ok.

1) A question: Do you have any Norton Products installed?

2) Try deleting the updater.exe file from the startup folder (just leave it
in the recycle bin for now, do not permanently delete it).

3) Also, let's expand the search a bit. Start/run msinfo32, expand the
software environment and click on the startup programs. Click edit/select
all/edit/copy, and (same as before) open a new post and use ctrl+v to paste
the contents.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

No go.....still comes up to the system 32 window. A quick check of the reg
entry shows that the items did not re appear at least. I'm game for
anything else!

Ross

Hi Ross,

Delete these two:

"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

"pytbxqor"="C:\\WINDOWS\\System32\\mnqwmpwg.exe"

Then reboot, see what happens. I suspect both may be trojans.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



Thanks! As requested for your help:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="\"C:\\Riva Tuner\\RivaTuner.exe\" /S"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"QuickTime Task"="\"C:\\Program
Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common
Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"FMT"="C:\\WINDOWS\\FMT.exe"
"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,5[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MSFS]
"Installed"="1"

NEXT KEY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>NEXT KEY

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


Thanks Again!!


Hi Ross,

System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/?kbid=170086

However, there are a few other possible causes. Could you please export
and
post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do this
one
at a time). Click on the key, then on file/export. Give it any name,
then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose edit,
it
should open in notepad. Click edit/select all/edit/copy. Open a response
to
this post and click in the message text area. Hit ctrl+v to paste the
contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



Any reason my system 32 folder pops up first no matter who logs on?
Only
2
things in my startup folder is an MsWorks calendar reminder and a
program
called "updater". After tracking "updater" down it is in the
C:\programs\common files and that has an icon that says "sui MFC
application". My suspicions are that this should not be here.....

My XP Home has been up and running 14 months and has all the updates
installed. I've used Spybot religiously and it seems to catch most
everything but this system 32 popup has me a bit stumped!

Any help suggestions welcome!!

Thanks,

Ross

 

[Rick \Nutcase\ Rogers]

Hi Ross,

1) No, you misunderstand. Do not reinstall Norton's. It is known to cause
this problem, which is why I asked.

2) Wupdater.exe is a problem as well, hit ctrl+shift+escape and end task on
it. Then search the system for it and delete any files and shortcuts
identified as wupdater.exe.


--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

Thanks....actually I do not have Norton, guess its time to put it on. I took
it off when I put on XP and set my system up as a RAID 0. Bad move on my
part. I did a check online at the Norton site and it found the following on
my system: W95.Hybris.Plugin , W95.Hybris.worm, Backdoor.Imiserv,
Downloader.MSCache , Trojan dropper and Trojan.Sinkin infecting a total of 7
files....anyway my startup is below. Thanks again!!

c:\windows\system32\ All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FMT c:\windows\fmt.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS "c:\program files\messenger\msmsgs.exe" /background LIVINGROOM\Ross
HKU\S-1-5-21-1715567821-152049171-1957994488-1004\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run
Microsoft Works Calendar Reminders
c:\windows\installer\{1f90c982-33c6-11d3-a3e0-00c04f7989d8}\8a70a30d.exe All
Users Common Startup
NvCplDaemon rundll32.exe nvqtwk,nvcpldaemon initialize All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RivaTunerStartupDaemon "c:\riva tuner\rivatuner.exe" /s All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SafeSurfingUpdate c:\windows\system32\ssupdate.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe "c:\program files\common
files\real\update_ob\realsched.exe" -osboot All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop desktop.ini NT AUTHORITY\SYSTEM Startup
desktop desktop.ini LIVINGROOM\Ross Startup
desktop desktop.ini .DEFAULT Startup
desktop desktop.ini All Users Common Startup
updater c:\program files\common files\updater\wupdater.exe All Users Common
Startup

Hi Ross,

Ok, the rest of the entries look ok.

1) A question: Do you have any Norton Products installed?

2) Try deleting the updater.exe file from the startup folder (just leave it
in the recycle bin for now, do not permanently delete it).

3) Also, let's expand the search a bit. Start/run msinfo32, expand the
software environment and click on the startup programs. Click edit/select
all/edit/copy, and (same as before) open a new post and use ctrl+v to paste
the contents.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

No go.....still comes up to the system 32 window. A quick check of the reg
entry shows that the items did not re appear at least. I'm game for
anything else!

Ross


Hi Ross,

Delete these two:

"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

"pytbxqor"="C:\\WINDOWS\\System32\\mnqwmpwg.exe"

Then reboot, see what happens. I suspect both may be trojans.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



Thanks! As requested for your help:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="\"C:\\Riva Tuner\\RivaTuner.exe\" /S"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"QuickTime Task"="\"C:\\Program
Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common
Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"FMT"="C:\\WINDOWS\\FMT.exe"
"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,5[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MSFS]
"Installed"="1"

NEXT KEY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>NEXT KEY

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


Thanks Again!!


Hi Ross,

System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/?kbid=170086

However, there are a few other possible causes. Could you please
export
and
post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do
this
one
at a time). Click on the key, then on file/export. Give it any name,
then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose
edit,
it
should open in notepad. Click edit/select all/edit/copy. Open a
response
to
this post and click in the message text area. Hit ctrl+v to

paste
the

contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



Any reason my system 32 folder pops up first no matter who

logs
on?

Only
2
things in my startup folder is an MsWorks calendar reminder

and

a

 

[Ross]

O.K.....found everything that had wupdater.exe or updater with it and sent
it to recycle bin....still no luck. Should I do a registry search for the
key entries and see what shows? Thanks!

Ross

Hi Ross,

1) No, you misunderstand. Do not reinstall Norton's. It is known to cause
this problem, which is why I asked.

2) Wupdater.exe is a problem as well, hit ctrl+shift+escape and end task on
it. Then search the system for it and delete any files and shortcuts
identified as wupdater.exe.


--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

Thanks....actually I do not have Norton, guess its time to put it on. I took
it off when I put on XP and set my system up as a RAID 0. Bad move on my
part. I did a check online at the Norton site and it found the following on
my system: W95.Hybris.Plugin , W95.Hybris.worm, Backdoor.Imiserv,
Downloader.MSCache , Trojan dropper and Trojan.Sinkin infecting a total

of

7
files....anyway my startup is below. Thanks again!!

c:\windows\system32\ All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FMT c:\windows\fmt.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS "c:\program files\messenger\msmsgs.exe" /background LIVINGROOM\Ross

HKU\S-1-5-21-1715567821-152049171-1957994488-1004\SOFTWARE\Microsoft\Windows

\CurrentVersion\Run
Microsoft Works Calendar Reminders
c:\windows\installer\{1f90c982-33c6-11d3-a3e0-00c04f7989d8}\8a70a30d.exe All
Users Common Startup
NvCplDaemon rundll32.exe nvqtwk,nvcpldaemon initialize All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RivaTunerStartupDaemon "c:\riva tuner\rivatuner.exe" /s All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SafeSurfingUpdate c:\windows\system32\ssupdate.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe "c:\program files\common
files\real\update_ob\realsched.exe" -osboot All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop desktop.ini NT AUTHORITY\SYSTEM Startup
desktop desktop.ini LIVINGROOM\Ross Startup
desktop desktop.ini .DEFAULT Startup
desktop desktop.ini All Users Common Startup
updater c:\program files\common files\updater\wupdater.exe All Users Common
Startup

Hi Ross,

Ok, the rest of the entries look ok.

1) A question: Do you have any Norton Products installed?

2) Try deleting the updater.exe file from the startup folder (just

leave
it

in the recycle bin for now, do not permanently delete it).

3) Also, let's expand the search a bit. Start/run msinfo32, expand the
software environment and click on the startup programs. Click edit/select
all/edit/copy, and (same as before) open a new post and use ctrl+v to paste
the contents.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



No go.....still comes up to the system 32 window. A quick check of

the
reg

entry shows that the items did not re appear at least. I'm game for
anything else!

Ross


Hi Ross,

Delete these two:

"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

"pytbxqor"="C:\\WINDOWS\\System32\\mnqwmpwg.exe"

Then reboot, see what happens. I suspect both may be trojans.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



Thanks! As requested for your help:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="\"C:\\Riva Tuner\\RivaTuner.exe\" /S"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"QuickTime Task"="\"C:\\Program
Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common
Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"FMT"="C:\\WINDOWS\\FMT.exe"
"oqgjffqk"="C:\\WINDOWS\\ucsyvfhi.exe"

@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,5[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo

mponents\MSFS]
"Installed"="1"

NEXT KEY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>NEXT KEY

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


Thanks Again!!


Hi Ross,

System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/?kbid=170086

However, there are a few other possible causes. Could you please
export
and
post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do
this
one
at a time). Click on the key, then on file/export. Give it any name,
then
save to the desktop. Once you have saved both keys, close the
registry
editor. Right-click one of the saved files on the desktop, choose
edit,
it
should open in notepad. Click edit/select all/edit/copy. Open a
response
to
this post and click in the message text area. Hit ctrl+v to paste
the
contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



Any reason my system 32 folder pops up first no matter who logs
on?
Only
2
things in my startup folder is an MsWorks calendar reminder

and

a
program
called "updater". After tracking "updater" down it is in the
C:\programs\common files and that has an icon that says "sui MFC
application". My suspicions are that this should not be here.....

My XP Home has been up and running 14 months and has all the
updates
installed. I've used Spybot religiously and it seems to catch
most
everything but this system 32 popup has me a bit stumped!

Any help suggestions welcome!!

Thanks,

Ross