System32 folder window appears on startup - exhausted all known remedies

  1. #1
    Mr. Fix is offline Newbie

    Re: System32 Folder

    Quote Originally Posted by jephree
    Let us know how it goes/went.
    My deepest sympathies to TheDoc. Unfortunately, having exhausted all known remedies, reformat and re-install is the only PRACTICAL solution. On the other hand, while I've already spent an inordinate amount of time on an XP Pro system with the exact same problem, I'm too intrigued by it to go that route just yet.

    Like TheDoc and a number of others I've come across while googling for a solution, I've exhausted all KNOWN remedies to be rid of the system32 folder window on startup. I did remove a couple of trojans, some malware and a host of adware objects but nothing I can really fasten any blame on just yet. Every attempt to isolate the problem has failed thus far, though I have been able to eliminate any possibility of issues with loading startup items and system services or with the processing of win.ini and system.ini files.

    Just what could cause the system32 folder to pop up on startup EVEN WITHOUT all those files and services really intrigues me. Is anyone else up to the challenge of finding a real solution?


  2. #2
    jephree is offline ¨*·.¸ «.·°·..·°·.» ¸.·*¨
    A Repair Install would not require formatting. You just need to reload your SP2 (if not on your disk) and Windows Updates.

    http://michaelstevenstech.com/XPrepairinstall.htm

    This might be a good idea anyway after Trojan and Malware damage.

    The cause might very well have been some malware very well disguised.

    You could try to run a HijackThis log by our Pros in that section:



    Please follow the instructions HERE & then post your log in a new thread in the Spyware, Adware, Viruses and HijackThis Logs section.
    (Not in this section please).

    Please specify what issues you appear to be experiencing along with your log.




    I assume you've read all this:

    http://support.microsoft.com/default...b;en-us;170086

    http://groups.google.com/group/micro...ystem32+opens&


    And tried Kelly's fix:

    Item No. 260. In the right column, click on "System32 Folder Opens
    Upon Boot". Download this repair file and then run the repair.

    http://www.kellys-korner-xp.com/xp_tweaks.htm

  3. #3
    Mr. Fix is offline Newbie
    I've already posted this problem in the malware forum.

    PROBLEM:
    As I mentioned before, I also have a WinXP Pro system that, after a lot of tinkering, is now working fine but for this same, highly annoying problem: The system32 folder window persistently appears on startup - definitely not a cool place to welcome novice users to poke around in!

    TRIED ALREADY:
    Everything I can think of. All efforts to isolate the problem via limited startup options failed (only safe boot is unaffected), System File Checker checked out okay, a careful check for invalid registry entries that typically cause this problem revealed nothing amiss, log files appear to hold no clues, ran Bitdefender, Panda Activescan, Ad-aware and Spybot S&D, McAfee, Ewido and Kaspersky Online Scanner (altogether, 2 trojan dialers and 150 spyware objects were identified and removed).

    BACKGROUND:
    This is a friend's PC. His initial complaint to me was that it always froze at the signon screen. Believe it or not, he was running WinXP Pro on a 3GB drive! My hard drive diagnostics CD found and disabled a bad sector, which resolved the logon issue but then revealed this one. I cloned this drive to another larger one and expanded the partition to 20GB. I then swapped the drives (master-slave), formatted the original drive and assigned the swap file to it. I then proceeded to repair the OS, clean out the trojans and spyware, and apply the standard updates, which had never been done. (Incidentally, the product code became corrupted in the process and triggered an activation request that took days of complaints to Microsoft to resolve.)

    We're stumped. Any suggestions?


    Logfile of HijackThis v1.99.1
    Scan saved at 7:14:21 PM, on 6/7/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5346.0005)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\COMMON~1\AOL\1128057188\ee\AOLHostManager.exe
    C:\PROGRA~1\COMMON~1\AOL\1128057188\ee\AOLServiceHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    c:\progra~1\common~1\aol\1128057188\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
    C:\PROGRA~1\COMMON~1\AOL\1128057188\ee\AOLServiceHost.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\DOCUME~1\AUGUST~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [HostManager] C:\PROGRA~1\COMMON~1\AOL\1128057188\ee\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\PROGRA~1\COMMON~1\AOL\ACS\AOLDial.exe
    O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\Messenger\msmsgs.exe /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...can8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1143429099780
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...b?1143435190296
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...free/asinst.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

    __________________________________________________ _____________________
    Last edited by Mr. Fix; 13-06-2006 at 08:20 AM.

  4. #4
    jephree is offline ¨*·.¸ «.·°·..·°·.» ¸.·*¨

  5. #5
    Mr. Fix is offline Newbie
    Eureka!

    I thought that I had scanned the registry for all "run" keys but it wasn't until I took on another virus-plagued WINXP system with the same system32 folder pop-up problem that I found this invalid registry key entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
    Name = wininet.dll
    Type = REG_SZ
    Data = [single blank]

    I had somehow overlooked it in the first example but, on going back to it, there it was! Deleting the invalid entry in both computers solved the problem.
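An added example, not part of the original thread: one way to check a registry export offline for the kind of entry post #5 describes, an autostart string value whose data is empty or blank. The function name, the list of key suffixes and the sample export are assumptions made for this illustration.

```python
import re

# Autostart locations covered by this example (suffix match, case-insensitive).
RUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\policies\explorer\run",
)

# A REG_SZ line in .reg syntax: "name"="data" or @="data", with \\ and \" escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)


def find_blank_run_values(reg_text):
    """Return (key, value name) for autostart string values with empty or blank data."""
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith(RUN_KEY_SUFFIXES):
            match = VALUE_RE.match(line)
            if match is None:
                continue  # dword:/hex: values and blank lines are out of scope
            name = "(Default)" if match.group(1) == "@" else _unescape(match.group(1)[1:-1])
            if _unescape(match.group(2)).strip() == "":
                findings.append((key, name))
    return findings


# Constructed sample export; the last value mirrors the entry reported in post #5.
# A real regedit export is usually UTF-16, so read it with encoding="utf-16".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"=" "
'''

if __name__ == "__main__":
    for key, name in find_blank_run_values(SAMPLE_EXPORT):
        print(f"blank autostart value: {key} -> {name!r}")
```

Because keys are matched by suffix, the same check also covers the per-user (HKEY_CURRENT_USER) and Wow6432Node copies of these keys when they appear in the export.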

  6. #6
    jephree is offline ¨*·.¸ «.·°·..·°·.» ¸.·*¨
    Thanks for the update and the thanks!

    Let us know if we can help further in the future!




    This thread has been Resolved and Locked to prevent other users hijacking the thread and to help others know which threads have been Resolved and which are still being worked on.

    If you started this thread and the problem returns or the case has not been properly Resolved, please send a Private Message to a Moderator of this forum to have the thread opened again. If you have a different problem, please start a new thread.
