System32 Folder Appears

[Guest]

Hi there,
I have another computer that the system32 folder appears on startup. I've
tried the Kellys Korner patch and it says,"This script cannot repair your
issue. The expected Registry value was not found." I've tried looking
manually through the system registry and found no blank, no "", and no \
entries. There are two in the "HKEY_LOCAL_MACHINE...Run" that I'm a little
weary of:

Name - UserFaultCheck, Type - REG_SZ, Data - %systemroot%\system32\dumprep 0
-u

Name - szofgz, Type - REG_SZ, Data - C:\szofgz.exe

And some of the data fields are surrounded by quotes, while others aren't:

"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
C:\Program Files\Microsoft Works\WkDetect.exe

What do I do?

 

[Rick \Nutcase\ Rogers]

Hi,

This is certainly suspect, likely to be a trojan:

Name - szofgz, Type - REG_SZ, Data - C:\szofgz.exe

This is not a valid string unless it is enclosed in quotes:

C:\Program Files\Microsoft Works\WkDetect.exe

and could be the cause of your problem.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org

 

[Guest]

I'm with Siddhartha Gandhi on this one. I've read his posts and I'm having
the same kind of trouble as he is. I've gone through the same steps he has.
The kellys korner script didn't work. unchecking everything in the msconfig
area didn't work. Computer Associates Antivirus and Pest Patrol haven't
picked up anything. Norton Antivirus hasn't picked up anything. I don't want
to have to start over with the system again.

 

[Rick \Nutcase\ Rogers]

Hi,

This can be caused by leftovers from cleaning up spyware as well. Try this:

Control Panel/Folder Options/View tab, uncheck the line "restore previous
folder windows at logon". Click apply/ok, do not reboot yet.

Start/run msconfig, on the general tab select the diagnostic mode. Click
apply/ok and reboot at prompted.

The folder should not show up now. Rerun msconfig, put the system back in
normal mode. Click apply/ok and reboot once more. Does this help?

For most users, this will resolve the issue. For some that still have
registry damage it will not. If this is the case, could you please export
and post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do this one
at a time). Click on the key, then on file/export. Give it any name, then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose edit, it
should open in notepad. Click edit/select all/edit/copy. Open a response to
this post and click in the message text area. Hit ctrl+v to paste the
contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org

 

[Guest]

This can be caused by leftovers from cleaning up spyware as well. Try this:

Control Panel/Folder Options/View tab, uncheck the line "restore previous
folder windows at logon". Click apply/ok, do not reboot yet.

Start/run msconfig, on the general tab select the diagnostic mode. Click
apply/ok and reboot at prompted.

The folder should not show up now. Rerun msconfig, put the system back in
normal mode. Click apply/ok and reboot once more. Does this help?

Nope, that didn't help. Here are the registry entries:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button
Support\\StartEAK.exe"
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ
Firewall\\ca.exe\""
"WCOLOREAL"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"UserFaultCheck"="%systemroot%\\system32\\dumprep 0 -u"
"szofgz"="C:\\WINDOWS\\szofgz.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Smapp"="Smtray.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP
Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"QOELOADER"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust
Anti-Spam\\QSP-2.1.215.5\\QOELoader.exe\""
"PCTVOICE"="pctspk.exe"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft
Works\\WkDetect.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe
/AllUsers"
"HPDJ Taskbar
Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software
Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust
PestPatrol\\PPActiveDetection.exe\""
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital
Imaging\\bin\\hpotdd01.exe"
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ
Antivirus\\CAVRID.exe\""
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital
Imaging\\\\Unload\\hpqcmon.exe"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ
Antivirus\\CAVTray.exe\""
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator
5\\DirectCD\\DirectCD.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
------------------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IECHECK.EXE"="C:\\WINDOWS\\iecheck.exe"

------------------------------------------------------------------------------------------------

 

[Guest]

A little update, probably not much help, but...

It does not happen when booting in Safe Mode, and again the antivirus and
spyware programs don't detect anything when running in Safe Mode.

 

[Guest]

Sorry, that one entry should read:
Name - szofgz, Type - REG_SZ, Data - C:\WINDOWS\szofgz

 

[Rick \Nutcase\ Rogers]

Hi,

Delete this:

"szofgz"="C:\\WINDOWS\\szofgz.exe" (and also the file szofgz.eze itself)

Then download this patch, as you may have been affected by a recent update:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Line 383, on the right.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org

This can be caused by leftovers from cleaning up spyware as well. Try
this:

Control Panel/Folder Options/View tab, uncheck the line "restore previous
folder windows at logon". Click apply/ok, do not reboot yet.

Start/run msconfig, on the general tab select the diagnostic mode. Click
apply/ok and reboot at prompted.

The folder should not show up now. Rerun msconfig, put the system back in
normal mode. Click apply/ok and reboot once more. Does this help?

Nope, that didn't help. Here are the registry entries:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button
Support\\StartEAK.exe"
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ
Firewall\\ca.exe\""
"WCOLOREAL"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"UserFaultCheck"="%systemroot%\\system32\\dumprep 0 -u"
"szofgz"="C:\\WINDOWS\\szofgz.exe"
"SunJavaUpdateSched"="C:\\Program
Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Smapp"="Smtray.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP
Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Program
Files\\QuickTime\\qttask.exe\" -atboottime"
"QOELOADER"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust
Anti-Spam\\QSP-2.1.215.5\\QOELoader.exe\""
"PCTVOICE"="pctspk.exe"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft
Works\\WkDetect.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe
/AllUsers"
"HPDJ Taskbar
Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software
Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program
Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust
PestPatrol\\PPActiveDetection.exe\""
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital
Imaging\\bin\\hpotdd01.exe"
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ
Antivirus\\CAVRID.exe\""
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital
Imaging\\\\Unload\\hpqcmon.exe"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ
Antivirus\\CAVTray.exe\""
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator
5\\DirectCD\\DirectCD.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
------------------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IECHECK.EXE"="C:\\WINDOWS\\iecheck.exe"

------------------------------------------------------------------------------------------------

 

[Guest]

That didn't work either, but I think you're still right about the update
part. This all started after I checked for updates on just about everything.

 

[Rick \Nutcase\ Rogers]

Hi,

Try this: http://support.microsoft.com/kb/918165

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org

 

[Guest]

The value for the verclsid.exe already exists. I added the 3 values for the
NVIDIA because I do have an NVIDIA Vanta graphics card, but that still didn't
work.

I gotta say, I'm getting frustrated with this situation here Mr. Rogers.

 

[Rick \Nutcase\ Rogers]

Hi,

Have you updated the Nvidia drivers as directed (and linked to) at the
bottom of the page?

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org

 

[Guest]

According to nVIDIA my drivers are up-to-date. Their latest and greatest
updater no longer supports the Vanta, they haven't released anything for it
since 7/28/03. Unless you or anyone else here (since no one else has even
tried to reply (that itself pisses me off)) I give up. I guess I'll have to
live with this dumbass issue that Microsuck created with their automatic
updates.

In the words of Eric Cartman, "Screw you guys, I'm going home."

 

[Rick \Nutcase\ Rogers]

One question: When I had you put the system in diagnostic mode, did the
problem reoccur?

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org

 

[Guest]

Yes, it happened when in diagnostic mode.

 

[Rick \Nutcase\ Rogers]

Hi,

Hmm, I haven't seen this problem occur while in diagnostic mode, but since
it doesn't happen in safe mode, then I am inclined to think it is related to
a driver file that is loading (in safe mode, it is likely a windows default
driver that is opening instead). Run msconfig, uncheck the line that loads
this one:

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

What happens when you reboot?

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org

 

[Guest]

The folder still pops-up. The first thing I did to try and fix this was
uncheck all the boxes in msconfig. I've been told that by unchecking all of
them the computer shouldn't run at all, but it does, and the folder still
pops-up. I have absolutely had it with this $#!*.

 

[Rick \Nutcase\ Rogers]

Hi,

Disabling everything in msconfig's startup tab wouldn't prevent a boot.
That's basically what diagnostic mode does. Could you please send directly
to me the two reg files I previously had you export and post. I want to test
something. Send to the address used here ([email protected]) and use a subject
line of "per req".

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org