System32.exe

Here is what u wanted:

>>>>>>>>>>>>>>>>>>>>>>>>>>> Start


StartupList report, 26/04/2003, 20:57:39
StartupList version: 1.52
Started from : C:\Documents and Settings\Gary Maton\Desktop\startuplist\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
C:\Documents and Settings\Gary Maton\Desktop\startuplist\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0b\aoltray.exe
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

RDLL = RunDll16.exe
EPSON Stylus C42 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42 "
taskmar = "C:\WINDOWS\taskmar.exe "
SoundMan = SOUNDMAN.EXE
RemHelp = remhelp.exe
KernelFaultCheck = %systemroot%\system32\dumprep 0 -k
GSICONEXE = GSICON.EXE
DSLAGENTEXE = dslagent.exe USB
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SystemSAS = system32.exe
RDLL = RunDll16.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,048 bytes
Report generated in 0.156 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



>>>>>>>>>>>>>>>>>>>>>>>>>>> End

 

You didn't check the keys like Abraxas asked you to because it listed right there:

HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run Services

SystemSAS = system32.exe

'System32.exe' is not a system file - delete that entry.

Although the virus is actually gone, it has written instructions to your computer to call it up and it can't find it. You need to delete these instructions.

It looks like your SYSTEM.INI file has reference to it as well.

---------------------------------------------------

Abraxas ~ does that 'RunDll16.exe' look valid to you?

 

Also check:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Shell should be "explorer.exe ". If it says "explorer.exe C:\WINDOWS\System32\system32.exe ", right-click it, Modify, and make it just "explorer.exe ".


Bruce--
As far as I know, rundll16 is part of the SubSeven virus. It often puts an entry in System.ini and the shell entry, too.

 

Never mind, problem found.

 

Thank you very much. Problem solved.

You guys have made having a virus a great learning experience !!!

(although I hope to avoid doing it again)

Gary.

 

You're welcome. So much for a simple download to solve your problem .

For our further edification, where did you find entries (if you even remember)?

Remove any entries referring to rundll16, too.

 

Great!

Now I am going to have a Chivas!

Thanks to Mike (mflynn) always cramming that StartupList down out throats That is a great utility for long distance online diagnosis!

 

Hi Abraxas,

Sorry, it was exactly where you said it would be ...../WindowsNT/CurrentVersion/WinLogon


Thank you very much once again

 

Same Problem... different OS

Hello guys I wanted to ask you a small favor; I have the same problem as the above guy. I have Windows 2003 Server and do not know which virus it was that infected my computer since I deleted the system32.exe right away, stupidly before looking at which virus it was.

Do you know if Windows 2003 Server uses system32.exe or as in windows XP it doesn't?
If it doesn't then I'll go through the above posts and do them step by step to eliminate the prob of the pop up at startup... well I dunno if it will ask anything at startup... didn't reboot since it gave me the message of a virus... some 20 mins ago.

Thank you very much.

JoJo

 

ZeroJoJo

System32.exe is not a windows system file. It is part of a worm.

See this: http://www.avp.ch/avpve/worms/email/mari.stm

Do 2 things before you run a full updated virus scan.

1. Search the registry for all refs to System32.exe and remove these entries.

2. In device manager at top select View, then "Show hidden devices ", then go thru the entire tree and look for any entry that says system32.exe or marijuana and remove these.

Now do a full updated virus scan.!

Mike

 

ZeroJoJo

Forgot!

Search for and delete the following in the registry also!

Stoner's Pot Palace.
Im A Pot Head!

Mike

 

...ok, given that I'm new in registry editing, I check all the things that were said to be cecked and did not find any of the "problems "... now I would like to do like the other guy did: give u the list of the running aps, the registry stuff... so if any of you are kind enough to read it thru (and actually in that format it's easier even for myself to look it thru) and see if I have neglected anything. The point is that I have no idea how to get all that info in a non time consuming way... that is, without having to go manually thru it all...

thanks

 

ZeroJoJo, go to BruceKrymow's post on Page 2 of this thread and click on StartupList and download it. That is what made the listing you see on this thread.

 

thanks man, that helped me find where the system32.exe reference was. I hope that now all is cleared up... if it ain't u will hear from me again.

For now thanks to all of you for helping me!!

 

Cool, thanks for posting back and letting us know it is cleared up.