# [Resolved] sys32.exe not a valid win32 application



## corsolini (Jan 20, 2002)

On startup of two of my Dell machines, I get the following error message: C:\windows\start menu\programs\start up\sys32.exe is not a valid win32 application.

Could someone tell me what happened and how to get rid of it?

On one of those machines, at startup I get the MS-DOS WININIT on the taskbar at the bottom. All I have to do is close it out, but I would also like to know what happened and how to get rid of it.

Thanks.


----------



## TonyKlein (Aug 26, 2001)

You appear to have either something like the VBS.Cable worm or a trojan such as the SubSeven backdoor.

Have your system scanned online at Trend Micro HouseCall.

It would also be useful to see your startups:

Download Startup.log from this site: http://home.earthlink.net/~rmbox/Reticulated/Toys.html

It generates a text file on your desktop that will list all the applications that start in the many places when you start Windows.

Unzip, double-click the Startlog folder, and double-click Startlog.com.

We don't need to see StubPath.txt, just StartupLog.txt.


----------



## corsolini (Jan 20, 2002)

Thanks for the help. However, I copied what came up, so perhaps you could go a step further and tell me what to do. I see where the wininit is and where the sys32 is also, but I don't know what to do to get rid of it. I copied all that came up, so hopefully you can come to a conclusion. Thank you for your help.

----------

C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 03-07-2002 12:21:33.54p 
__________________________________________________________________________ 
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox 
__________________________________________________________________________ 
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that 
are starting automatically every time you start Windows. 
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.55) - Release Date 2/19/2002

__________________________________________________________________________ 
__________________________________________________________________________

StartUp Log Index

1. HKLM Run 
2. HKCU Run 
3. HKLM RunOnce 
4. HKCU RunOnce 
5. HKLM RunServices 
6. HKLM RunServicesOnce 
7. WIN.INI file 
8. SYSTEM.INI file 
9. AUTOEXEC.BAT file 
10. StartUp folder 
11. All Users StartUp 
12. Misc. StartUp Configurations

__________________________________________________________________________ 
__________________________________________________________________________

The following is a list of your current Start-Ups 
__________________________________________________________________________ 
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath] 
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"OEMCleanup"="C:\\WINDOWS\\OPTIONS\\OEMRESET.EXE"
"SystemTray"="SysTray.ExE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiPTA"="Atiptaxx.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"EM_EXEC"="c:\\mouse\\system\\em_exec.exe"
"hppwrsav"="C:\\SCANJET\\PrecisionScanLT\\hppwrsav.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"NAV Agent"="c:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"
"QuickTime Task"="C:\\WINDOWS\\SYSTEM\\QTTASK.EXE"
"WorksFUD"="c:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="c:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Ink Monitor"="C:\\PROGRA~1\\EPSON\\INKMON~1\\InkMonitor.exe"
"OneTouch Monitor"="C:\\PROGRA~1\\VISION~1\\ONETOU~2.EXE"
"NetZIPFolders"="C:\\Program Files\\Netzip Classic\\nzfprop.exe /startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

========================================================================== 
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath] 
"StartUp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"PPWebCap"="C:\\PROGRA~1\\SCANSOFT\\PAPERP~1\\PPWebCap.exe"

========================================================================== 
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath] 
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

========================================================================== 
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath] 
"StartUp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

========================================================================== 
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath] 
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"ATIPOLAB"="ati2evxx.exe"
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"Machine Debug Manager"="C:\\WINDOWS\\SYSTEM\\MDM.EXE"

========================================================================== 
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath] 
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

========================================================================== 
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively. 
There should be nothing to the right of the equal signs.

These are the run and load lines in your WIN.INI file

run=

load=c:\windows\system\wininit.exe

========================================================================== 
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively. 
You should only see Explorer.exe following the equal sign.

This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

========================================================================== 
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)

These are your program startups and set paths in your autoexec.bat file

rem - By Windows 98 Network - c:\windows\net start
rem - By Windows 98 Network - c:\windows\net start
@ECHO OFF
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI

REM [Header]

REM [CD-ROM Drive]
REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001

REM [Miscellaneous]

REM [Display]

SET CLASSPATH=C:\PROGRA~1\CANONC~1\PDELUXE\ADOBEC~1;C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables

========================================================================== 
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\sys32.exe
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Works Calendar Reminders.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\QuickBooks 2001 Delivery Agent.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\WPChanger.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Status Monitor 3 Environment Check.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Check for OneTouch Updates.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Status Monitor 3 Environment Check 2.lnk

========================================================================== 
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your All Users StartUp folder

*(No start-ups found)*

========================================================================== 
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================- 
Registry StartUp Directories 
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

.....................................................................

-=======================- 
Registry Shell Spawning 
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================- 
HKLM RunOnceEx - Registry 
-=========================-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

-=========================- 
HKU (.Default) Run - Registry 
-=========================-

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"PPWebCap"="C:\\PROGRA~1\\SCANSOFT\\PAPERP~1\\PPWebCap.exe"

-==============================- 
HKU (.Default) RunOnce - Registry 
-==============================-

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]

-================================- 
StubPaths - Registry (Partial Listing) 
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components

"OldStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="c:\\windows\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"

-=================- 
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

@echo off

REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer 
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows 
REM you to load programs that you might not want loaded in Windows, 
REM (because they have functional equivalents) but that you do 
REM want loaded under MS-DOS. The two primary candidates for 
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the 
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD 
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match 
REM the string in CONFIG.SYS following your CD-ROM device driver.

REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE
C:\SBPCI\SBINIT

c:\mouse\mouse.exe

-=================- 
WININIT.BAK File - (c:\windows\wininit.bak) 
-=================-

[Rename]
C:\WINDOWS\SYSTEM\SYMDNS.VXD=C:\WINDOWS\SYSTEM\SYM983.TMP
C:\WINDOWS\SYSTEM\SYMFW.VXD=C:\WINDOWS\SYSTEM\SYM5B74.TMP
C:\WINDOWS\SYSTEM\SYMNDIS.VXD=C:\WINDOWS\SYSTEM\SYMC62.TMP
C:\WINDOWS\SYSTEM\SYMREDRV.VXD=C:\WINDOWS\SYSTEM\SYM510B.TMP
C:\WINDOWS\SYSTEM\SYMTDI.VXD=C:\WINDOWS\SYSTEM\SYM59A9.TMP
C:\WINDOWS\SYSTEM\SYMREDIR.DLL=C:\WINDOWS\SYSTEM\SYM987.TMP
-=====================- 
Screen Saver Settings (Possible system.ini start-up) 
-=====================-

========================================================================== 
__________________________________________________________________________

- Supplemental Environment Information -

TMP=c:\windows\TEMP
TEMP=C:\windows\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;c:\windows;c:\windows\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
SBPCI=C:\SBPCI
CLASSPATH=C:\PROGRA~1\CANONC~1\PDELUXE\ADOBEC~1;C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
windir=C:\WINDOWS

File - c:\windows\Wininit.bak 
File - c:\windows\deletefi.ini

========================================================================== 
__________________________________________________________________________

- End -


----------



## TonyKlein (Aug 26, 2001)

Looks like the Bymer Worm or something like that.

You might start by doing this:

Go to Start/Run, and type Win.ini.

Edit the *load=c:\windows\system\wininit.exe* line by removing everything after the = sign, so that it reads *load=* exclusively.

Save (File > Save), reboot, go to C:\Windows\System, and delete the Wininit.exe file you find there.

Warning: leave the one in C:\Windows, which belongs there.


----------



## TonyKlein (Aug 26, 2001)

Also go to your Startup folder (Start/Programs/Startup) and remove the sys32.exe entry.

Afterwards, reboot, do a search for the sys32.exe file, and delete it.

Have you had your system scanned at HouseCall, like I advised you to do?

You should.


----------
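The checks TonyKlein is applying in the two posts above, and that the StartUp Log report spells out in its sections 7, 8 and 10 (win.ini run= and load= should be empty, system.ini shell= should read Explorer.exe and nothing else, and the StartUp folder should hold shortcuts rather than a bare sys32.exe), can be scripted so the same log can be triaged quickly on the second machine. The Python below is an added example written for this page; it is not the StartUp Log tool or anything posted in the thread. The sample win.ini, system.ini and StartUp-folder listing are constructed to mirror the log above; treating only .lnk and .pif as legitimate shortcut types, and the table of where a genuine wininit.exe lives, are assumptions taken from the advice in the thread.

```python
"""
Audit the Windows 9x startup locations that the StartUp Log report lists:
win.ini run=/load=, system.ini shell=, and the Start Menu StartUp folder.
Added example for this page; it is not the StartUp Log tool.
"""
from pathlib import PureWindowsPath
from typing import Dict, List

# --- Constructed sample input, modelled on the log posted in the thread ---
SAMPLE_WIN_INI = """[windows]
load=c:\\windows\\system\\wininit.exe
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe
user.exe=user.exe
"""

SAMPLE_STARTUP_FOLDER = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\sys32.exe",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Works Calendar Reminders.lnk",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk",
]

# Assumption: only shortcut types belong in the StartUp folder on Win9x.
SHORTCUT_EXTENSIONS = {".lnk", ".pif"}

# Assumption: where the genuine copy of a well-known system binary lives
# (the thread notes the real wininit.exe is in C:\Windows, not \System).
EXPECTED_DIRECTORY = {"wininit.exe": r"c:\windows"}


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Tolerant INI parser for win.ini/system.ini: keeps empty values,
    lowercases section and key names, skips ';' comments and bare lines.
    (configparser rejects the duplicate keys real Win9x INI files contain.)"""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def masquerade_check(path: str) -> List[str]:
    """Flag a file that carries a well-known system binary's name but sits
    outside the directory that binary normally lives in (e.g. a second
    wininit.exe planted in C:\\Windows\\System). Paths with trailing
    arguments simply do not match and are not flagged here."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRECTORY.get(p.name.lower())
    if expected and str(p.parent).lower() != expected:
        return [f"{p.name} found in {p.parent}, genuine copy lives in {expected}"]
    return []


def audit_win_ini(text: str) -> List[str]:
    """run= and load= in [windows] should both be empty on a clean system."""
    findings: List[str] = []
    windows = parse_ini(text).get("windows", {})
    for key in ("run", "load"):
        value = windows.get(key, "")
        if value:
            findings.append(f"win.ini {key}= is not empty: {value}")
            findings.extend(masquerade_check(value))
    return findings


def audit_system_ini(text: str) -> List[str]:
    """shell= in [boot] should read Explorer.exe and nothing else."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    if shell.lower() != "explorer.exe":
        return [f"system.ini shell= is not Explorer.exe alone: {shell!r}"]
    return []


def audit_startup_folder(paths: List[str]) -> List[str]:
    """Anything in the StartUp folder that is not a shortcut is itself run at
    logon; a bare .exe dropped there is a classic persistence spot."""
    findings: List[str] = []
    for path in paths:
        p = PureWindowsPath(path)
        if p.suffix.lower() not in SHORTCUT_EXTENSIONS:
            findings.append(f"non-shortcut in StartUp folder: {p.name}")
    return findings


def audit_all(win_ini: str, system_ini: str, startup: List[str]) -> List[str]:
    """Combine the three checks into one list of findings."""
    return audit_win_ini(win_ini) + audit_system_ini(system_ini) + audit_startup_folder(startup)


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_STARTUP_FOLDER):
        print("!!", finding)
```

Run against the sample input it reports the load= line, the misplaced wininit.exe, and the bare sys32.exe, and nothing else: the legitimate shortcuts and the clean shell= line pass. To use it on a real log, paste the run=/load= and shell= lines and the StartUp folder listing from StartupLog.txt into the three sample variables.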



## corsolini (Jan 20, 2002)

Thanks for the help. Sorry everything was transmitted twice; my internet service blew me out, which happens sometimes. I scanned my system at HouseCall and they didn't find anything; however, I have an active version of Norton 2002 running all of the time, and it has been finding and quarantining several viruses.

I have a few more things I could use some of your expertise on.
1. My scandisk, defrag, and disk cleanup that I performed regularly on this machine have disappeared under Accessories.
Scandisk is under windows\command, but I cannot find out how to put it back, and I also cannot find the other ones. I would appreciate your help on this, and please provide detail because I am very much a beginner.

Could you also tell me what that sys32.exe was? It said that it is a program, and my computer seems to lock up a little bit since I deleted it. I have it in the recycle bin just in case you think I should put it somewhere else.

Thanks


----------



## TonyKlein (Aug 26, 2001)

Well, as I said, it could be this one: http://securityresponse.symantec.com/avcenter/venc/data/vbs.cable.html

And the file has also been associated with the SubSeven trojan : http://securityresponse.symantec.com/avcenter/venc/data/vbs.cable.html

As for Scandisk, do you still possess the file C:\Windows\Scandskw.Exe?

If so, drag it to Start Menu/Programs/Accessories to create a shortcut.


----------



## corsolini (Jan 20, 2002)

Thanks.


----------

