System32.exe

System32.exe was infeted with a virus, I need to replace it but don't have the disk... Any ideas?

Its for XP Home

Thank you

 

This isn't an XP file:

http://www.annoyances.org/exec/forum/winxp/n1047382324

http://www.annoyances.org/exec/forum/win2000/n1029276973

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sysxxx.html

There are a large number of viruses that copy themselves as system32.exe.

Online scan here:
http://housecall.trendmicro.com/housecall/start_pcc.asp

 

Thank you

I need somewhere to download the file though... I have removed the virus (W32.pinfi) fully... I just want to get my PC running as it was!

Thank you anyway!

Ps. Can anyone send me a genuine copy of there system32.exe (running of XP Home please?)

 

There is no system32.exe in XP. That is the virus. What makes you think you need the file? Is there a message appearing?

 

Yes, saying that system32.exe could not be found! It apprears as I log on! Can you help please?

 

OK. It's looking for the old virus file.

Download and install this Startup Control Panel.

http://www.mlin.net/files/StartupCPL.zip

Then, go to your Control Panel and you will see an applet called "Startup ". Look through the entries until you find system32.exe and remove it from startup.

 

System32.exe doesn't apear in that program...

Any ideas?

 

Strange. Try going to Strat > Run and typing: msconfig

Chances are you'll see the same startups, but worth a try. If there, you can uncheck it.

You should also check the registry. Start > Run: regedt32
Navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

and look for an entry: PINF

Delete it.

Empty all your temporary files under Documents and Settings\<username>\Local Settings\Temp

(If this is not visible, you need to unhide hidden folders in Control Panel, Folder Options, View tab.)

Then, right-click My Computer, Properties, System Restore tab. Turn off SR on all drives to delete all SR files that may contain the virus, restart and turn SR back on.

 

no sorry, I've already tried that... how sure are u XP doesnt use system32.exe

 

Very sure. Please look at my edit above and remove the entry from mthe registry.

 

Yeah, that is all done!

Message is still poping up!

Thats how I got rid of the virus! The virus is 100% gone! There is no problem with that! It is just calling "system32.exe" from somewhere that I can't find.

Thank you for your help so far

 

See what is running in Task Manager that looks like this (or any temp file, for that matter). Check under the applications tab, too:

[3 random letters][4 random hexadecimal digits].tmp

If there is such a process, terminate it and empty your temp folder again, including Windows\Temp.

Look for entries for cmd32.exe, too. This isn't a Windows file, either.

 

I have done all this still it pops up.. should I just give up?

 

Have you checked these 4 keys?

• HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
• HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
• HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce
• HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce

 

That's up to you. Can you list your startups so we can take a look at them?

You may want to run the scan again to be sure you aren't reinfected and check the startups again, including

HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Runonce

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>RunServices

HKEY_USERS>.DEFAULT>Software>Microsoft>Windows>
CurrentVersion>Runonce

Look for cmd32.exe as well, since that is not an XP file, either.

 

Gary ~

Also, delete the items in your C:\WINDOWS\Downloaded Program Files. Reboot.

If you still get the pop-up, then run StartupList and post the results back here.

 

Yeah, thanx, all clear!

Any other ideas? This is really annoying

 

Gary ~

Post you your results now please with StartupList.

 

Ok, I have posted a picture of the warning on www.monkey-ear.tk

 

Gary ~

We don't want the pop-up. Click on the link above that says "StartupList ", download it, run it, and post the results here, please.