# system32.exe



## bjanda (Jun 18, 2003)

Hi
I am having difficulty in removing the file system32.exe from my PC which I understand from this forum is not a Windows file.
I ran HiJackThis and fixed it there, rebooted and tried to delete it but it said file in use and wouldn't delete and now it's back in the HJT list again.

I have also run rbkiller, Adaware and Spybot and they don't show any problems.

Can you please tell me how I can delete this file, and would this be the reason for my floppy drive A to run every time I connect to the internet? (This seems to have started at about the same time as the Rapidblaster probs.)

Thanks, Bri.

This is my HJT log file which may help
Logfile of HijackThis v1.94.0
Scan saved at 17:12:09, on 19-06-2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=file:///C:/My%20Documents/Brian's%20File/My%20Site/Brian's%20Home%20Page.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://home.netscape.com/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer 6.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost;
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
O2 - BHO: (no name) - {A6927151-F5B4-11D4-AE7A-00D00925CF52} - (no file)
O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CATCHER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\NET UTILS\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\DATABASE\DATABASE\WBFILEMANAGER\DLL\MSDXM.OCX
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\NET UTILS\REGETDX\IEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\Scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AccessRampMonitor] "C:\Program Files\Inverse IP InSight\CWCOM\ARMon32.exe"
O4 - HKLM\..\Run: [Netline User] C:\netchk.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [NetLaunch] C:\NET UTILS\NETLAUNCH\LAUNCH.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\NETUTI~1\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Imaging\Editors\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0\Monitor.exe
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\RunServices: [BCDetect] c:\windows\SYSTEM\BCDetect.exe defer
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\NETUTI~1\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [System32] System32.exe
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\DiskeeperLite\DkService.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 810 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /A "C:\WINDOWS\SYSTEM\E_S7295.TMP"
O4 - Startup: Emptdrve.exe.lnk = C:\Utilities\EmptyDrive\emptdrve.exe
O4 - Startup: CapsLockOff.lnk = C:\Utilities\Misc Utils\CapsLockOff\CapsLockOff.exe
O4 - Startup: ScreenSaverControl.lnk = C:\Utilities\Misc Utils\sscontrol\ScreenSaverControl.exe
O4 - Startup: QuickLaunch.lnk = C:\Utilities\QuickLaunch\quicklaunch.exe
O4 - Startup: SpywareGuard.lnk = C:\Net Utils\SpywareGuard\sgmain.exe
O4 - User Startup: Emptdrve.exe.lnk = C:\Utilities\EmptyDrive\emptdrve.exe
O4 - User Startup: CapsLockOff.lnk = C:\Utilities\Misc Utils\CapsLockOff\CapsLockOff.exe
O4 - User Startup: ScreenSaverControl.lnk = C:\Utilities\Misc Utils\sscontrol\ScreenSaverControl.exe
O4 - User Startup: QuickLaunch.lnk = C:\Utilities\QuickLaunch\quicklaunch.exe
O4 - User Startup: SpywareGuard.lnk = C:\Net Utils\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_All.htm
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_Link.htm
O8 - Extra context menu item: Download using Download &Express - file://C:\Net Utils\Download Express\Add_Url.htm
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Grab! (HKLM)
O9 - Extra 'Tools' menuitem: Grab this Website (HKLM)
O9 - Extra button: DLExpert (HKLM)
O9 - Extra 'Tools' menuitem: &DLExpert (HKLM)
O9 - Extra button: Freeserve (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\trial\intrlnch\IntraLaunch.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37611.6031018519

Anything there that shouldn't be?


----------



## Rollin' Rog (Dec 9, 2000)

It's unclear whether these search entries are desired or not; they look like they may be "hijacks".

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/

There are two system32.exe entries:

O4 - HKLM\..\RunServices: [System32] System32.exe
O4 - HKLM\..\Run: [System32] System32.exe

===========================

What you are probably going to need to do is download the exefix08 utility available on Reticulated Toys,

http://home.earthlink.net/~rmbox/Reticulated/Toys.html

unzip it and then restart in Safe Mode.

Run the exefix because the system32.exe may have attached itself to registry shell open commands which will execute any time an exe is run.

Then run the HijackThis ScanLog and remove the above entries.

After that you should be able to locate and delete system32.exe itself.

If that doesn't work, give us a post of the StartupList using HijackThis; it will show running tasks as well: Click Config > Misc Tools > Generate StartupList.

*edit* I almost forgot, another option would be to try Rmbox's new DOS Delete utility available on that same page. We are looking for some good test cases.
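The reason exefix is run first is the mechanism mentioned above: the `exefile\shell\open\command` value normally reads `"%1" %*`, and a hijack wraps that default so some other program is started on every .exe launch. The following is an added example, not part of the thread or of the exefix utility, that classifies such a value once it has been read out (for instance from a registry export); the sample values are constructed, and `EXPECTED_DEFAULT` is the stock Windows value.

```python
"""Classify an exefile\\shell\\open\\command value (added example).

The stock value launches the target directly.  A hijacked value keeps the
"%1" %* tail so programs still run, but prefixes a loader that gets control
first, which is why a removed file can reappear after a reboot.
"""
import re

# Stock Windows value for HKCR\exefile\shell\open\command.
EXPECTED_DEFAULT = '"%1" %*'

# Pattern for a value that ends in the stock argument tail but has something
# in front of it, e.g. 'C:\\WINDOWS\\system32.exe "%1" %*'.
WRAPPED_RE = re.compile(r'^(?P<loader>.+?)\s+"?%1"?\s+%\*\s*$')


def classify_exe_open_command(value):
    """Return ('ok', None), ('wrapped', loader) or ('unexpected', value)."""
    v = value.strip()
    if v == EXPECTED_DEFAULT:
        return ("ok", None)
    m = WRAPPED_RE.match(v)
    if m:
        # The program in front of "%1" %* runs before every executable.
        return ("wrapped", m.group("loader").strip('"'))
    # Anything else (missing tail, no %1) also breaks launching and needs a look.
    return ("unexpected", v)


# Constructed sample values: the stock default, a wrapped one, a damaged one.
SAMPLES = {
    "stock": '"%1" %*',
    "wrapped": 'C:\\WINDOWS\\system32.exe "%1" %*',
    "damaged": 'notepad.exe',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, "->", classify_exe_open_command(value))
```

A value classified as `wrapped` is what exefix08 resets; the `loader` it reports is the file to locate once the association has been repaired.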


----------



## bjanda (Jun 18, 2003)

Thanks for the help. Ran exefix as suggested; seems to have removed system32.
Floppy access after internet connection still a problem though, this seems to have started about the same time.

Thanks once again anyway.
Bri


----------



## Metallica (Jan 28, 2003)

How did this happen?
O4 - Startup: Emptdrve.exe.lnk = C:\Utilities\EmptyDrive\emptdrve.exe
O4 - Startup: CapsLockOff.lnk = C:\Utilities\Misc Utils\CapsLockOff\CapsLockOff.exe
O4 - Startup: ScreenSaverControl.lnk = C:\Utilities\Misc Utils\sscontrol\ScreenSaverControl.exe
O4 - Startup: QuickLaunch.lnk = C:\Utilities\QuickLaunch\quicklaunch.exe
O4 - Startup: SpywareGuard.lnk = C:\Net Utils\SpywareGuard\sgmain.exe
O4 - User Startup: Emptdrve.exe.lnk = C:\Utilities\EmptyDrive\emptdrve.exe
O4 - User Startup: CapsLockOff.lnk = C:\Utilities\Misc Utils\CapsLockOff\CapsLockOff.exe
O4 - User Startup: ScreenSaverControl.lnk = C:\Utilities\Misc Utils\sscontrol\ScreenSaverControl.exe
O4 - User Startup: QuickLaunch.lnk = C:\Utilities\QuickLaunch\quicklaunch.exe
O4 - User Startup: SpywareGuard.lnk = C:\Net Utils\SpywareGuard\sgmain.exe

They are all starting up double.

Regards,

Pieter
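The two observations made in this thread so far (a pathless `System32.exe` under both Run and RunServices, and every Startup shortcut also listed under User Startup) are the kind of thing a reviewer spots by eye. As an added example, not part of the thread or of HijackThis, the script below runs those checks, plus a flag for search-page URLs that point at a bare IP address such as the `216.65.101.250` entry, over lines copied from the log posted above. The "directory lookalike" name set is my own heuristic, prompted by the remark later in the thread that system32 is a folder, not an exe.

```python
"""Triage helpers for HijackThis-style log lines (added example).

Checks:
  * O4 shortcuts present under both 'Startup' and 'User Startup' (started twice)
  * O4 Run/RunServices commands with no path whose base name squats on a
    Windows directory name (System32.exe in this thread)
  * R0/R1 search/start-page URLs whose host is a bare IP address
"""
import re
from urllib.parse import urlsplit

# Subset of the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\RunServices: [System32] System32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\NETUTI~1\AVG6\avgcc32.exe /STARTUP
O4 - Startup: Emptdrve.exe.lnk = C:\Utilities\EmptyDrive\emptdrve.exe
O4 - Startup: SpywareGuard.lnk = C:\Net Utils\SpywareGuard\sgmain.exe
O4 - User Startup: Emptdrve.exe.lnk = C:\Utilities\EmptyDrive\emptdrve.exe
O4 - User Startup: SpywareGuard.lnk = C:\Net Utils\SpywareGuard\sgmain.exe
O4 - User Startup: QuickLaunch.lnk = C:\Utilities\QuickLaunch\quicklaunch.exe
"""
SAMPLE_LINES = [l for l in SAMPLE_LOG.splitlines() if l.strip()]

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Startup|User Startup|Global Startup): (.+?) = (.*)$")
R_RE = re.compile(r"^R[01] - ([^,]+),([^=]+)=(.*)$")

# Heuristic (mine): executables named after Windows directories are suspicious.
DIRECTORY_LOOKALIKES = {"system32", "system", "windows", "winnt"}


def doubled_startup_shortcuts(lines):
    """Shortcut names that appear in more than one startup folder."""
    folders_by_name = {}
    for line in lines:
        m = STARTUP_RE.match(line)
        if m:
            folders_by_name.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return sorted(name for name, folders in folders_by_name.items() if len(folders) > 1)


def pathless_lookalike_run_entries(lines):
    """(key, entry name, exe) for pathless Run/RunServices commands with a lookalike name."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        _hive, key, name, command = m.groups()
        parts = command.split()
        exe = parts[0].strip('"') if parts else ""
        if "\\" in exe or "/" in exe:
            continue  # has a directory component; a different pattern
        base = exe.lower().rsplit(".", 1)[0]
        if base in DIRECTORY_LOOKALIKES:
            hits.append((key, name, exe))
    return hits


def ip_hosted_search_entries(lines):
    """(value name, host) for R0/R1 URLs whose host is a dotted-quad IP."""
    hits = []
    for line in lines:
        m = R_RE.match(line)
        if not m:
            continue
        _key, value_name, url = m.groups()
        host = urlsplit(url.strip()).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            hits.append((value_name.strip(), host))
    return hits


if __name__ == "__main__":
    print("started twice:", doubled_startup_shortcuts(SAMPLE_LINES))
    print("lookalike run entries:", pathless_lookalike_run_entries(SAMPLE_LINES))
    print("IP-hosted search URLs:", ip_hosted_search_entries(SAMPLE_LINES))
```

Note that `SysTray.Exe` and `Rundll32.exe` are also pathless but are not flagged: pathless alone is normal on Windows 9x, so the name check is what carries the signal, and the output is a shortlist for a human, not a verdict.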


----------



## bjanda (Jun 18, 2003)

Hi Pieter
Thanks for the post. Don't know how this happened; is it OK to fix these with HJT, and also the following entries from the previous reply?

> Reply
>
> It's unclear whether these search entries are desired or not, they look like they may be "hijacks"
>
> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://216.65.101.250/sbms/
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/

Or would it be better to leave them?


----------



## Rollin' Rog (Dec 9, 2000)

Good catch there by Metallica. You have two different startup folders with the same items. Are there different profiles?

Did you also delete the registry entries for System32.exe in HijackThis and find and delete the actual file now?

(rmboxx is going to shoot me for missing the opportunity to test his new "toy")


----------



## Metallica (Jan 28, 2003)

> _Originally posted by bjanda:_
> Hi Pieter
> Thanks for the post. Don't know how this happened; is it OK to fix these with HJT, and also the following entries from the previous reply?
>
> ...


Nuke them. couldnotfind looks OK, but you obviously didn't choose them, and the sbms entry looks like lop.com to me. :down:

@ Rollin' Rog,

Pleasure to meet you, sir.
Been admiring your work for quite a while.

Regards,

Pieter


----------



## Rollin' Rog (Dec 9, 2000)

Thanks Pieter, with members like you here now, I can spend more time in the peanut gallery knowing these issues are getting good help and I'm learning more myself as well.


----------



## Metallica (Jan 28, 2003)

> _Originally posted by Rollin' Rog:_
> *Thanks Pieter, with members like you here now, I can spend more time in the peanut gallery knowing these issues are getting good help and I'm learning more myself as well.*


I'm afraid I'm not an all-rounder like Tony, so go easy on the peanuts.

Regards,

Pieter


----------



## pincmonkey (Jun 7, 2003)

system32 is a default part of the WIN2k system.... no threat!


----------



## Rollin' Rog (Dec 9, 2000)

negative, pincmonkey -- system32 is a folder, not an exe.


----------



## bjanda (Jun 18, 2003)

> _Originally posted by Rollin' Rog:_
> Good catch there by Metallica. You have two different startup folders with the same items. Are there different profiles?
>
> Did you also delete the registry entries for System32.exe in HijackThis and find and delete the actual file now?


Yes I did manage to delete System32.exe.
I can only find one startup folder, so how do I prevent the second from loading, as I don't seem to have different profiles?


----------



## Rollin' Rog (Dec 9, 2000)

Do I understand that you only see one "startup" folder on the Programs Menu?

I believe that would be what HijackThis is identifying as the "User Startup".

There is another which does not appear on the Programs Menu called the "All Users" Startup. In Win98 this is found in:

C:\WINDOWS\All Users\Start Menu\Programs\StartUp

Check to see if you have those entries there. If in both locations, I would delete the contents of the "all users" one.

Another method of finding where they are would be to do a Find files for, say:

*Emptdrve.exe.lnk*

the shortcut should show up in both startup folders and you can see which is which.

The double extension on that is rather curious as well; no real need for it, it should just have .lnk to make it a shortcut.


----------



## TheGhost_sv (Jul 31, 2003)

Well, I have system32.exe, and I know this is part of a trojan virus, but after the virus attack my PC doesn't turn off. I ran HijackThis and this is the result; please help me.

Logfile of HijackThis v1.95.1
Scan saved at 12:19:07 p.m., on 31/07/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Ontrack\Fix-It\mxtask.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\Genius\F-23JO~1\JoyUpDrv.EXE
C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Archivos de programa\Winamp3\winampa.exe
C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Archivos de programa\Kazaa Lite\kazaalite.kpp
C:\ARCHIV~1\Ontrack\Fix-It\mxtask.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\ACD Systems\ImageFox\ImageFox.exe
C:\Archivos de programa\VitalSigns\Net.Medic\Program\netMedic.exe
C:\ARCHIV~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\Documents and Settings\TheGhost\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.loresolvi.com/loresolvi/...ccount&op=userinfo&bypass=1&uname=TheGhost_sv
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\ARCHIV~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [Game Device] C:\ARCHIV~1\Genius\F-23JO~1\JoyUpDrv.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\ARCHIV~1\Ontrack\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Adaware Bootup] C:\Archivos de programa\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Archivos de programa\Lavasoft Ad-Aware\"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Net.Medic.lnk = C:\Archivos de programa\VitalSigns\Net.Medic\Program\netMedic.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\ARCHIV~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\ARCHIV~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download the &current page with Offline Explorer - file://C:\Archivos de programa\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Download using FlashGet - C:\ARCHIV~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download using Offline &Explorer - file://C:\Archivos de programa\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/es/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37707.6085300926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CC5E541-6D5E-4026-B844-B81C0973488F}: NameServer = 66.119.93.4,66.119.95.4


----------



## drsherlock (Nov 21, 2003)

Need to boot to dos to delete files that are locked.


----------

