System32 Folder Opening On Startup - tried both solutions already

Guest

I went to this article:

- System32 Folder Opens When Logging on to Windows
http://support.microsoft.com/default.aspx?id=170086

But I don't have any blank entries or partial with "'s in my registry file. For registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, my first entry for default says

Name (Default)
Type REG_EXPAND_SZ
c:\WINDOWS\System32

At the end of article it says:

The following entry to run the System Tray is the only required Windows default entry:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: SystemTray
Value Type: REG_SZ
Value Data: SysTray.exe

I don't have such an entry.

I also tried that http://www.kellys-korner-xp.com/xp_tweaks.htm thing and it did not work either.

Help!
 
DL

Have you tried a sys restore, or for that matter added the missing key (system tray)?
David

 
Rick "Nutcase" Rogers

Hi Lynne,

Start/run msconfig, and see if there is a line that loads /L:ENG. If so,
disable it. It comes from a SoundBlaster Audigy driver, but should not
affect that hardware. You can also repair the registry entry if you like by
removing the leading space in the string that loads it.

However, it can also be caused by other incorrectly built registry strings.
Could you please export and post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do this one
at a time). Click on the key, then on file/export. Give it any name, then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose edit, it
should open in notepad. Click edit/select all/edit/copy. Open a response to
this post and click in the message text area. Hit ctrl+v to paste the
contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



 
Guest

I don't appear to have that line so I exported as requested:

Here's the current User Key:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"EntrustCSP"="C:\\PROGRA~1\\Entrust\\ENTRUS~1\\cspsync.exe /m"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00

Here's the Local Machine Key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"LTWinModem1"="ltmsg.exe 9"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"BuildBU"="c:\\dell\\bldbubg.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
"iehelper"="C:\\Program Files\\syslaunch.exe"
"mmtask"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"n"="C:\\WINDOWS\\System32\\ivxmug.exe"
@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00
"nvid"="C:\\WINDOWS\\System32\\rqflaahe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Thanks.


 
Rick "Nutcase" Rogers

Hi Lynne,

Problem #1 is this:

"nvid"="C:\\WINDOWS\\System32\\rqflaahe.exe"

It's a trojan and needs to be removed. Reboot in Safe mode and delete this
key. Locate the rqflaahe.exe file in the system32 folder and delete it.

Problem #2 is this:

"iehelper"="C:\\Program Files\\syslaunch.exe"

Which is another malicious trojan called Adclicker that needs to be removed,
please read:
http://securityresponse.symantec.com/avcenter/venc/data/w32.a.d.clicker.g.trojan.html

Problem #3 is this one:

"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"

Which is another piece of crapware that has insinuated itself on your
system, please read:
http://www.kephyr.com/spywarescanner/library/websearchtoolbar.emailplug/index.phtml

Once these are all removed, if the System32 folder still opens at logon,
start/run msconfig. On the general tab put yourself in diagnostic mode.
Click apply/ok and reboot. Once rebooted, reverse the steps.

Would also suggest you disable the following to improve system performance:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"mmtask"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"

Disabling them will not remove them, and you still can use the programs. It
just prevents them from loading at boot.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
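
An added example, not part of the original thread: a small Python checker that reads a regedit export like the one posted above, decodes `hex(2)` (REG_EXPAND_SZ) data, and flags Run-key values that look like the "incorrectly built registry strings" discussed here. The heuristics (populated default value, blank data, leading space, unbalanced quote, data that names a folder) and all function names are assumptions of this example.

```python
import re

# Constructed sample: a shortened copy of the HKLM export posted in this thread
# (hex value wrapped the way regedit wraps long lines), plus one made-up value,
# "ConstructedLeadingSpace", that exercises the leading-space check.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ConstructedLeadingSpace"=" /L:ENG"
@=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,\
  00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00
"nvid"="C:\\WINDOWS\\System32\\rqflaahe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
'''

RUN_KEY = re.compile(r'\\CurrentVersion\\Run$', re.IGNORECASE)
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_DATA = re.compile(r'^hex\(([0-9a-f]+)\):(.*)$', re.IGNORECASE)
HAS_FILE_EXT = re.compile(r'\.\w{1,4}(\s|"|,|$)')


def unescape(s):
    r"""Undo .reg string escaping (\\ -> \ and \" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def decode_data(raw):
    """Convert the right-hand side of a value line to (type, text)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return 'REG_SZ', unescape(raw[1:-1])
    m = HEX_DATA.match(raw)
    if m and m.group(1) in ('1', '2'):
        # hex(2) is REG_EXPAND_SZ: UTF-16LE text with a trailing NUL.
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        text = data.decode('utf-16-le', errors='replace').rstrip('\x00')
        return ('REG_EXPAND_SZ' if m.group(1) == '2' else 'REG_SZ'), text
    return 'OTHER', raw


def parse_reg(text):
    """Parse export text into {key: {name: (type, data)}}; '@' is (Default)."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            current[name] = decode_data(m.group(2))
    return keys


def check_value(name, data):
    """Return the reasons a Run value looks malformed (example heuristics)."""
    reasons = []
    if name == '@':
        reasons.append('default value is populated')
    if not data.strip():
        reasons.append('blank data')
        return reasons
    if data != data.lstrip():
        reasons.append('leading whitespace')
    if data.count('"') % 2:
        reasons.append('unbalanced quote')
    path = data.strip().strip('"')
    if path.endswith('\\') or not HAS_FILE_EXT.search(path):
        reasons.append('names a folder or no program file')
    return reasons


def audit_run_keys(text):
    """List malformed values found directly under any ...\\CurrentVersion\\Run key."""
    findings = []
    for key, values in parse_reg(text).items():
        if not RUN_KEY.search(key):
            continue  # subkeys such as Run\OptionalComponents hold flags, not commands
        for name, (vtype, data) in values.items():
            reasons = check_value(name, data)
            if reasons:
                findings.append({'key': key, 'name': name, 'type': vtype,
                                 'data': data, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit_run_keys(SAMPLE_REG):
        print(f"{f['name']!r} ({f['type']}) = {f['data']!r}: {', '.join(f['reasons'])}")
```

The checks are structural only: a well-formed entry such as "nvid" passes them, so they complement rather than replace the antivirus scan and manual review recommended in this thread.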



 
Guest

Thanks for the help. I got rid of the System32 problem thanks to you. For Problem #2, I can't get that website to open. It times out every time. Can I just delete that line from my registry while in safe mode?

 
Guest

I got to the site. The instructions say to delete the key starting with "Wardo"= not "iehelper" = as you say below. Is it the same so I should delete it?

 
Rick "Nutcase" Rogers

Hi LynneB,
Can I just delete that line from my registry while in safe mode?

Pretty much, but there are a few other things. From that link (basic trojan
removal steps actually):

- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Restart the computer in Safe mode or VGA mode.
- Run a full system scan and delete all the files detected as
W32.Adclicker.G.Trojan.
- Delete the value that was added to the registry.

Glad to have helped you get the rest of it sorted.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



 
Guest

OK, I'm starting to get real frustrated. I've done all this, rechecked to see if any of this came back, it hasn't - BUT the System32 folder is opening AGAIN at startup!!!

 
Rick "Nutcase" Rogers

Hi Lynn,

Ok, start/run msconfig, on the general tab click on diagnostic startup.
Click apply/ok and reboot. Then reverse the steps.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



 
