# What is system32.exe?



## Geronimo (Mar 23, 2002)

I have a PC with Windows XP and I use the Zone Alarm firewall. Now each time I boot up it tells me that system32.exe wants to access the internet. I say no and I am fine. But could a virus be involved?


And thanks in advance; I have received much valuable help here.


----------



## UpOnTheMountain (Mar 24, 2002)

You might want to check this link out:

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

There are others similar.


----------



## Geronimo (Mar 23, 2002)

As you might imagine, I was afraid of that, but I do not seem to be able to remove the worm. Oh well.


----------



## gcutler (Mar 23, 2002)

Geronimo, do you have an anti-virus SW (with a valid definition subscription)? It didn't look like you were running one from what you described.

I'd get one ASAP.


----------



## Geronimo (Mar 23, 2002)

I sure do, but it is malfunctioning and it won't uninstall. Therein lies the problem.


----------



## UpOnTheMountain (Mar 24, 2002)

You might want to try AVG from http://www.grisoft.com . It's free and works pretty well.


----------



## Geronimo (Mar 23, 2002)

UpOnTheMountain said:


> You might want to try AVG from http://www.grisoft.com . It's free and works pretty well.


I thank you for the idea, but I downloaded the free version and executed the file. It went through a setup but nothing is there. I tried it 3 times. No icon, no entry in the start menu, no directory.


----------



## Bogy (Mar 23, 2002)

Geronimo said:


> I thank you for the idea, but I downloaded the free version and executed the file. It went through a setup but nothing is there. I tried it 3 times. No icon, no entry in the start menu, no directory.


That's strange. I have installed AVG on everything from Win95 to XP and never had any trouble installing it. Not to pick on you, but a couple of weeks ago I downloaded a copy of AVG and burned it on a CD for my computer-inept (outside of typing) secretary (she's just got a dial-up connection) and she installed it with no problem. I've been using it for about 4 years now and have never had a problem.

A buddy of mine with a hardware firewall, software firewall, and McAfee had a worm go through 7 computers last year. He installed AVG on the one box that wasn't completely fried and it found 7 viruses that McAfee missed. Are you saving the file and then opening it, or just opening it and installing? Although both ways should work.


----------



## Geronimo (Mar 23, 2002)

I saved it and opened it. It appears to run but there is no icon and I cannot locate a program.


----------



## UpOnTheMountain (Mar 24, 2002)

Have you tried to install from safe mode?


----------



## Geronimo (Mar 23, 2002)

UpOnTheMountain said:


> Have you tried to install from safe mode?


I tried safe mode. Same result. It goes through the self-extraction and then nothing happens. And I can't find a directory or anything to work with.


----------



## Rick_EE (Apr 5, 2002)

Go to McAfee's site. They can do an online-based scan.

I think you are in OS reinstall territory, though.


One more tip: whenever you have a program or process running that you don't know what it is, simply type it into Google. 90% of the time you will get what you want. I do it all the time at work. We have had a couple of viruses because people don't keep their definitions up to date.


----------



## Geronimo (Mar 23, 2002)

I tried McAfee as well; it seemed to just whir away doing nothing. Maybe I will let it run unattended for a long period.


----------



## gcutler (Mar 23, 2002)

Some retail anti-virus apps come with "Repair Disks", so they can boot from floppy (or CD) and repair the C: drive system files (because the floppy or CD is running as the system for the time being, and the system C: files are unlocked at the moment as well). It might pay to purchase McAfee CD retail or Norton Anti-Virus retail (or borrow from a friend).


----------



## Geronimo (Mar 23, 2002)

At this point I have the pate32b virus. Anything I download gets infected. That explains the problem with the other software recommended.

McAfee is out. It keeps saying it can't install because I have an older version, but I can't remove the older version. As for borrowing a disk, I would not have the recent dat files. That means that won't work well.

So I will have to resort to another product.


----------



## UpOnTheMountain (Mar 24, 2002)

Here is a link that suggests it can fix the problem:

> Go here and download and run Panda's removal tool. (Parite.b)
> http://www.pandasoftware.com/download/utilities/

I can not vouch for it ... and I'm still looking for alternatives ...


----------



## UpOnTheMountain (Mar 24, 2002)

Here is another link:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_PARITE.B


----------



## UpOnTheMountain (Mar 24, 2002)

If you use an on-line removal tool, you may want to try to run the executable from the web site and not download first. That way the executable remains "read-only" and is not infected before execution.


----------



## Geronimo (Mar 23, 2002)

UpOnTheMountain said:


> If you use an on-line removal tool, you may want to try to run the executable from the web site and not download first. That way the executable remains "read-only" and is not infected before execution.


Thank you for your help. Panda seems to have cleaned it. I am rerunning it. I can also now access the McAfee site and will allow it to scan as well.

I may later redownload the other software and try it again as well. I thank you and all others for your help. I purchased the machine last 4th of July in an online auction. Almost no bids were received and I got a fairly decent machine rather cheaply. I would hate to have to start over again so soon after the purchase.

If you need anything from the reservation let me know.


----------



## gcutler (Mar 23, 2002)

Geronimo said:


> At this point I have the pate32b virus. Anything I download gets infected. That explains the problem with the other software recommended.
> 
> McAfee is out. It keeps saying it can't install because I have an older version, but I can't remove the older version. As for borrowing a disk, I would not have the recent dat files. That means that won't work well.
> 
> So I will have to resort to another product.


Yes, you would need a later set, but the virus pate32b may have been on the latest CD, so unless you know for a fact that pate32B is NOT on the CD, it is worth a look (obviously the latest boxed edition would be the most helpful).


----------



## Geronimo (Mar 23, 2002)

Grisoft seems to have killed everything except that original system32.exe file. That shows as having a Trojan horse called IRC/Backdoor.sdbot. So far it can't be deleted.


----------



## UpOnTheMountain (Mar 24, 2002)

You might be able to get rid of it manually by...
1. take note of its location
2. re-boot and hit the F8 key (tap it frequently while booting) to get the boot options menu
3. boot into safe mode and command line only
4. use the delete command to directly delete the file
5. reboot as normal.


----------



## Geronimo (Mar 23, 2002)

Already tried that, Mr. Mountain. The file cannot be deleted that way either. I heard that Trend Micro can delete it but I don't see anything like what you posted above for that Trojan horse.


----------



## UpOnTheMountain (Mar 24, 2002)

What kind of error do you get when doing the command line delete?

It should be very possible to kill that file from the safe mode command line (make sure you are in "command line only").

If the file is not deleting then it may be marked as "read-only".

You could do:

```cmd
attrib -r -h -s c:\somewhere\thisbadfile.exe
```

and then:

```cmd
del c:\somewhere\thisbadfile.exe
```

If that is not giving you an error message but is instead "popping" back up after you re-boot, then you may have "auto-restore" turned on. If that is the case you'll have to turn that off first ...


----------



## Geronimo (Mar 23, 2002)

I will give it another try and modify this post to report back.


OK. I deleted it. Now I get an error message at bootup that the file cannot be found. But I seem OK. My guess is that somewhere in an ini file or whatever there is a reference to loading or running this file. I have not located it yet.


----------



## UpOnTheMountain (Mar 24, 2002)

Trend Micro does offer removal instructions if you use their recommended products.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SDBOT.05.AX

It looks like you are already mostly there though; it's just a matter of killing that last file.


----------



## UpOnTheMountain (Mar 24, 2002)

Geronimo,
If you are comfortable with registry edits, the file is probably being started under the Windows CurrentVersion Run portion.

First run regedit,
then save the entire file just in case,
and then do an Edit > Find for:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Look for an entry that calls out for the system32.exe and delete it.

Be very careful though ...


----------



## Geronimo (Mar 23, 2002)

That was mentioned in the Symantec guidance you provided, but there is no such statement there or in win.ini.


----------



## UpOnTheMountain (Mar 24, 2002)

Not in the startup folder, autoexec.bat or config.sys either?
(the last two are mostly foobar, but who knows)

Also, can you post the items listed under the Run section?

One of them might be an indirect link to that file ...


----------



## Geronimo (Mar 23, 2002)

Not in startup either. I don't even think I have an autoexec.bat or a config.sys. Not sure really how to list everything in the Run section. But here is my attempt:

| Name | Value |
|---|---|
| Default | Empty |
| alogserve | C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe |
| checktime | c:\program files\HPSelect\Frontend\ct.exe |
| hotkeycmds | C:\WINDOWS\System32\hkcmd.exe |
| hpsysdrv | c:\windows\system\hpsysdrv.exe |
| igfxtray | C:\WINDOWS\System32\igfxtray.exe |
| KBD | C:\HP\KBD\KBD.EXE |
| MCAfee Guardian | "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU |
| MCAgentEXe | C:\Program Files\McAfee.com\Agent\mcagent.exe |
| MCUpdateexe | |
| msconfig | C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto |
| NVCPLDAEMON | RUNDLL32.EXE NvQTwk,NvCplDaemon initialize |
| PS2 | C:\WINDOWS\system32\ps2.exe |
| QuickTimeTask | "C:\Program Files\QuickTime\qttask.exe" -atboottime |
| Recguard | C:\WINDOWS\SMINST\RECGUARD.EXE |
| Stray2 | S3tray2.exe |
| Tkbellexe | C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot |


----------



## UpOnTheMountain (Mar 24, 2002)

Wow, that's a lot of stuff to run at startup. I have two entries in mine!

I personally would kill just about all of those entries. Several of them look suspicious.


The below items probably are not needed, but it is completely up to you. Taking them out may disable some feature that you are used to:

| Name | Value |
|---|---|
| alogserve | C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe |
| checktime | c:\program files\HPSelect\Frontend\ct.exe |
| hotkeycmds | C:\WINDOWS\System32\hkcmd.exe |
| hpsysdrv | c:\windows\system\hpsysdrv.exe |
| igfxtray | C:\WINDOWS\System32\igfxtray.exe |
| KBD | C:\HP\KBD\KBD.EXE |
| msconfig | C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto |
| NVCPLDAEMON | RUNDLL32.EXE NvQTwk,NvCplDaemon initialize |
| PS2 | C:\WINDOWS\system32\ps2.exe |
| QuickTimeTask | "C:\Program Files\QuickTime\qttask.exe" -atboottime |
| Recguard | C:\WINDOWS\SMINST\RECGUARD.EXE |
| Stray2 | S3tray2.exe |

....
anyways ...

Question ... are you running McAfee AND Grisoft AVG? If so you may run into problems with the real-time protection.


----------



## Geronimo (Mar 23, 2002)

I took another look at the Trend Micro help file. It recommended I download a file called Process Explorer. I now know that the command line for explorer.exe reads "Explorer.exe C:\WINDOWS\System32\System32.exe"

The question is how do I change that sucker? Or do I simply kill that process?


----------



## UpOnTheMountain (Mar 24, 2002)

Yep, you ought to kill that process first ...

Be sure to check the properties on the desktop link to Explorer before restarting Explorer.

It sounds like autoload is set to run that automatically. ...

So then ...

Have you tried a regedit search for "system32.exe"?

It should be in there somewhere; I'm just not sure where to look for the Explorer defaults.
It's probably even in there everywhere that explorer.exe is called by the OS.


----------
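The two checks the thread arrives at by hand (scanning the CurrentVersion\Run keys for a value that references system32.exe, and finding where the explorer.exe command line acquired the extra "C:\WINDOWS\System32\System32.exe" argument) can be automated from a defender's side. The PowerShell script below is an added example and is not code from this thread or from any of the posters. It assumes a Windows host with PowerShell 5.1 or later and read access to HKLM and HKCU; the location it checks for the Explorer command line is the Winlogon `Shell` value, which is where Windows reads the shell command (the thread only says the value is "in there somewhere"). The rules it applies, flagging any autostart value whose executable is named `system32.exe` or whose target file no longer exists (the source of the "Windows cannot find" message later in the thread), are my own heuristics. The script only reads and reports; it changes nothing.

```powershell
# Added example (not from the thread): list the autostart locations discussed above and
# flag entries that (a) reference an executable named system32.exe, (b) point at a file that
# no longer exists, or (c) change the Winlogon Shell value away from plain explorer.exe.
# Assumption: Windows, PowerShell 5.1+, standard registry layout. Read-only; nothing is modified.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-FirstPathToken {
    # Extract the executable from a command line such as
    #   "C:\Program Files\App\app.exe" -flag    or    C:\WINDOWS\x.exe /auto
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return $cl.Substring(1, $end - 1) }
    }
    return ($cl -split '\s+')[0]
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds to the object
        if ($prop.Name -like 'PS*') { continue }
        $value = [string]$prop.Value
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        $exe = Get-FirstPathToken -CommandLine $value
        $reason = $null
        if ($exe -match '(?i)(^|\\)system32\.exe$') {
            # system32 is a Windows directory name, never a legitimate Windows executable name
            $reason = 'references system32.exe'
        }
        elseif ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) {
            # An absolute path whose file is gone: this is what produces "Windows cannot find ..."
            $reason = 'target file does not exist'
        }
        if ($reason) {
            $findings += [pscustomobject]@{
                Location = $key; Name = $prop.Name; Value = $value; Reason = $reason
            }
        }
    }
}

# The Winlogon Shell value is the command line Windows uses to start the shell. The default is
# "explorer.exe"; an appended second program (as in the thread) makes the extra file launch
# every time the desktop starts, and it survives deletion of the file itself.
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += [pscustomobject]@{
        Location = $winlogonKey; Name = 'Shell'; Value = $shell; Reason = 'Shell value is not plain explorer.exe'
    }
}

if ($findings.Count -eq 0) {
    'No suspicious autostart entries found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. Entries whose command line does not start with a drive letter (for example `RUNDLL32.EXE NvQTwk,NvCplDaemon initialize` or the bare `S3tray2.exe` in the list above) are resolved through PATH and so are not checked for existence here; they still appear in the Run key and deserve a manual look. Any entry the script reports should be exported with regedit before it is edited, as the thread advises.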



## Geronimo (Mar 23, 2002)

HOW do I kill it? The regedit search worked. Thanks again.


----------



## poker818 (Aug 15, 2003)

I get this message every time I start up my computer:

"Windows cannot find 'C:/WINDOWS/System32/System32.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and click search."

HELP PLZ


----------



## Geronimo (Mar 23, 2002)

This is a pretty old thread, poker, but I don't think you understand. No one is typing anything; it was happening at start up. The PC was infected with a worm. System32.exe had already been deleted but something in the registry was trying to call it up. The problem has since been corrected, but thanks for your help.


----------



## poker818 (Aug 15, 2003)

So is there any way I can fix this?


----------



## UpOnTheMountain (Mar 24, 2002)

poker818,
Yes, but only if you know how to modify your registry safely.
(assuming this is not in your startup folder and you are running 2k or XP)

See the thread notes about searching for system32.exe and VERY CAREFULLY removing the references.
Also please note that any time you are considering modifying your registry, you need to make a backup first. Be safe!


----------



## Geronimo (Mar 23, 2002)

I am confused here. Poker are you offering to help me or are you experiencing the same problem yourself? 

Read this thread carefully. The file system32.exe was produced by a worm. The poster above provided links to programs that eradicated the worm. However, there was still a line in my registry that tried to call it up. Search for those words in your registry. They are not needed. Then modify the line to remove them.


If I misunderstood you at first I apologize.


----------



## poker818 (Aug 15, 2003)

Yes, I had the same problem, but I don't know how to do the things you are telling me to do.


----------



## Geronimo (Mar 23, 2002)

poker818 said:


> Yes, I had the same problem, but I don't know how to do the things you are telling me to do.


I am not sure what else to tell you. Where is it that you get lost?


----------



## poker818 (Aug 15, 2003)

modify your registry safely

that part


----------



## Geronimo (Mar 23, 2002)

Read the rest of that post. I believe it explains it.


----------



## poker818 (Aug 15, 2003)

Do I delete those files?


----------



## Geronimo (Mar 23, 2002)

What files? The instruction was to modify the registry, not to delete a file.


----------



## poker818 (Aug 15, 2003)

Registry, how do I open and modify that?


----------



## UpOnTheMountain (Mar 24, 2002)

poker818,

The registry is a very dangerous file on your computer.

I personally do NOT believe you should try to fix it yourself.

Ask someone that you know that is very good with computers to help you.

To try and fail would be a disaster for you.

Get help !


----------



## ERSanders (Apr 24, 2002)

Ger, I suggest that if you are going to buy a new antivirus program you consider getting Norton SystemWorks 2003. With your old / obsolete version of ANY antivirus, I have seen this program go for as low as FREE, after rebates.

Not only will you get the antivirus (which can be set to auto-update) but you will get Norton Utilities which will repair your registry. This can be done without all the "mucking around" in regedit...which can be very dangerous to the unwashed (like me!).

See you back on Dish/Yahoo soon!

X


----------



## poker818 (Aug 15, 2003)

Oooo, I get it now, sorry, I didn't see the first page of this post.


----------



## poker818 (Aug 15, 2003)

Is there a different virus that can attack the System32.exe? Because my computer didn't do any of the things Symantec said it does.


----------



## Geronimo (Mar 23, 2002)

System32.exe is not a required Windows file. It is a file left by the worm that infected your machine. It needs to be removed, and then the line that calls it up (or tries to) needs to be deleted. But I agree that if you are not fairly good with computers you should get someone to do this for you.

Anti-virus programs tend not to fix this line. As you can see in this thread, I tried several.


----------



## poker818 (Aug 15, 2003)

I tried the registry thing, found nothing that looks for system32.exe, but that same message keeps popping up.


----------

