System32 back yet again...DOH!

  Fanianni 21:53 20 Jan 04
Locked

Hi there... Fani's other half here. We still have not managed to sort out our problem with System32 folder opening on start up, this has been going on for a couple of months now and is really doing our heads in.
(PLEASE no links to the Microsoft site about this as we have been there many times and don't think that it is our problem, THANKS).

Every time the System32 folder opens at start we get this value:
(Default) REG_EXPAND_SZ c:\Windows\System32
In these registry folders:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The value should be:
(Default) REG_SZ (no value set)
In both folders.

It also puts two copies of the c:\Windows\System32\ in the start up list in msconfig.

After deleting the value: c:\Windows\System32\ in the registry folders and un-checking the c:\Windows\System32\ entries in msconfig all is ok for about a day, then it rears its ugly head again.
I keep reading about viruses causing this problem but none are found on the pc??. Has anyone got any idea on how to solve this problem as we are at a total loss here. I have just installed Hijack This, so here are the results of the scan, hope it helps.
Regards ZL/Fanianni
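
The check described in the post above, as an added example that is not part of the original thread: a read-only PowerShell audit of the (Default) value in the two Run keys the post names, reporting whether it is set, its registry type, and whether the data resolves to a folder. The function name `Get-RunKeyDefault` and the report columns are hypothetical names chosen for this example.

```powershell
# Added example (not from the thread): audit the unnamed (Default) value
# of the two Run keys quoted in the post. Read-only; changes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyDefault {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $key = Get-Item -LiteralPath $Path -ErrorAction Stop

    # The (Default) value shows up in GetValueNames() as an empty string,
    # and only when it has actually been set.
    $isSet = $key.GetValueNames() -contains ''
    $kind  = $null
    $data  = $null
    if ($isSet) {
        $kind = $key.GetValueKind('')
        # Read the stored data without expanding %VARIABLES%, so the report
        # shows exactly what is in the registry.
        $data = $key.GetValue('', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    }

    # Does the data, once expanded, point at a directory?
    $isFolder = $false
    if ($isSet -and $data) {
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$data)
        $isFolder = Test-Path -LiteralPath $expanded -PathType Container
    }

    [pscustomobject]@{
        Key      = $Path
        IsSet    = $isSet      # expected state per the post: not set
        Kind     = $kind       # the post reports REG_EXPAND_SZ when affected
        Data     = $data
        IsFolder = $isFolder
    }
}

$report = foreach ($k in $runKeys) { Get-RunKeyDefault -Path $k }
$report | Format-Table -AutoSize

foreach ($r in ($report | Where-Object IsSet)) {
    Write-Warning "(Default) is set in $($r.Key): [$($r.Kind)] $($r.Data)"
}
```

Running it at intervals after cleaning the value shows when the entry returns, which helps tie the change to whatever was running at that time.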

  Fanianni 21:56 20 Jan 04

Logfile of HijackThis v1.97.7
Scan saved at 17:45:51, on 20/01/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\Webshots\WebshotsTray.exe
C:\unzipped\hijackthis\HijackThis.exe

  Fanianni 21:57 20 Jan 04

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = click here
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = click here
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A09DDD01-1A5A-945A-1521-7B34C8BD0599} - C:\WINDOWS\system32\fqxggwtd.dll
O2 - BHO: (no name) - {CC75E29F-495A-473F-D5BD-D0085DB5F37F} - C:\WINDOWS\system32\iifhkbor.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2E0099} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MDBDR] C:\WINDOWS\MDBDR.exe
O4 - HKLM\..\Run: [System Tray] SysTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe /STARTMONITOR
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=click here
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - click here
O16 - DPF: Yahoo! Chat - click here
O16 - DPF: Yahoo! Literati - click here
O16 - DPF: Yahoo! Spelldown - click here
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - click here
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - click here
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - click here
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - click here
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - click here
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_02) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - click here
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - click here
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - click here

  Gaz 25 22:00 20 Jan 04

Something is placing it there!

Be it an EXE file.

  Fanianni 22:00 20 Jan 04

Don't know where the "click here" comes from????

  Fanianni 15:20 21 Jan 04

Yeh Gaz but what??? Am running McAfee7, which is up to date, and Spybot S&D, all saying pc is clean.
I have cleaned out some registry entries with Reg Cleaner, but only files from programs that I know I have uninstalled.
There are many files that it thinks are safe to delete as they point nowhere, but as I do not know what these files are, I do not want to delete them in case I screw things up and the pc will not re-boot or something just as bad...lol.
Regards Fanianni

  Fanianni 01:43 25 Jan 04

Hi all, just to let you know we seem to have fixed the problem.
We fixed some files with HJT and RegCleaner4.3, will post HJT fixes but forgot to create list of RegCleaner fixes (sorry).


R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = click here
O4 - HKLM\..\Run: [MDBDR] C:\WINDOWS\MDBDR.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = click here
O2 - BHO: (no name) - {A09DDD01-1A5A-945A-1521-7B34C8BD0599} - C:\WINDOWS\system32\fqxggwtd.dll
O2 - BHO: (no name) - {CC75E29F-495A-473F-D5BD-D0085DB5F37F} - C:\WINDOWS\system32\iifhkbor.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2E0099} - (no file)
O4 - HKLM\..\Run: [MDBDR] C:\WINDOWS\MDBDR.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - click here
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - click here
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - click here
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - click here
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_02) -
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -

This thread is now locked and can not be replied to.
