Computer Hope
Topic started by: hotdogdoxie on March 24, 2006, 10:58:01 PM
-
I don't know if I'm in the right place here. I pretty much don't know what to do when a problem arises. I'm good at following directions though! ;) A few weeks ago when I started my laptop up the system32 program (?) popped up and warned me not to change anything. I never opened it. Don't even know what it does. Anyway....now it comes on every time I boot up the computer. How the heck do I rectify this? I did a McAfee scan and there are no infected files. Please help! Thanks!
Amanda
-
Hello Amanda & welcome to the forum.
Please post the exact message displayed.
-
Is it the System32 folder opening?
Is a SoundBlaster Audigy card installed?
-
Yes it's the actual folder. There are no error messages coming up...just not to remove stuff or it could damage the system. Actually that message doesn't even come up anymore. I didn't see the SoundBlaster on there. Where would I find that? I just don't want this to be a hacker problem but I don't know. Thanks for trying to help me on this!
-
It's most certainly not the work of a "hacker". ;D
Copy the following exactly, paste it into Notepad and save it to your desktop as sys32fix.vbs
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
' Read the Audigy startup entry; X stays empty if the value does not exist
X = WshShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SB Audigy 2 Startup Menu")
If X <> "" Then
    ' Entry found: overwrite its data and report success
    WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SB Audigy 2 Startup Menu", "/L:ENG"
    X = MsgBox("Your System32 folder should no longer open at boot.", vbOKOnly, "Done")
Else
    ' Entry missing: nothing is changed
    MsgBox "No Audigy card installed; repair failed.", vbOKOnly, "Finished."
End If
Set WshShell = Nothing
Now double click the desktop\sys32fix.vbs file.
-
I did this and McAfee gave me a warning. "Suspicious script detected" and stopped it. I have the option to let it pass but I want to make sure it isn't going to kill my computer. LOL. Sorry I'm being a PITA but if I lose my computer I lose my connection to the outside world. LOL. Just being cautious! Just give me a little peace of mind please. Again...sorry for being a PITA!
-
McAfee is doing its job.
The script is most certainly safe to run. It checks for an erroneous registry key. If that error exists, it fixes it. If that error doesn't exist, it exits without doing anything.
-
Hmmmm...didn't do anything. Said it didn't exist. Thanks for easing my mind on it first! LOL
-
Ok, there are a host of other reasons for this behaviour and some are malware related.
Carry out the procedures listed in this post (http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1140729094/1#1) and post a Hijackthis logfile here when done.
If possible, zip the logfile and attach it rather than post it.
-
OK I think I did it all. The Panda website though when I downloaded it froze my computer so I didn't do that one. I think I attached it correctly. Thanks for all your help!
-
I've had a quick glance at your logfile and one or two infections are present. I'm quite busy at the moment so I'll post directions for removal later.
In the meantime, have a look at your Add/Remove Programs applet and if "iWon" is listed, remove it.
-
OK will do. That used to be my homepage until it changed. Oh well. Thanks so much for taking the time to help me!
-
Run Hijackthis and fix the following:
O4 - HKLM\..\Run: [iWon Messenger Pipe] C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
O4 - HKLM\..\Run: [cat]
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {70522fa2-4656-11d5-b0e9-0050dac24e8f} - http://download.iwon.com/ct/pm3/iwonpm_8_1,0,2,5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
Fix this entry if Panda AV was once installed but has since been removed:
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
Reboot and delete the following folders:
C:\Program Files\iWon\
C:\Program Files\Viewpoint\
Download and run CCleaner (http://www.ccleaner.com) but check its settings first in case there's anything that you don't want removed.
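
Added example, not part of the original post and not HijackThis code: a small Python parser for result lines like the ones listed above. It flags autorun entries that have a name but no command (as with the [cat] line) and lists the Program Files folders the O4 entries launch from. The function names and the "empty-command" flag are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: lines copied from the log excerpt quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iWon Messenger Pipe] C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
O4 - HKLM\..\Run: [cat]
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {70522fa2-4656-11d5-b0e9-0050dac24e8f} - http://download.iwon.com/ct/pm3/iwonpm_8_1,0,2,5.cab
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
RUN_RE = re.compile(r"^\[([^\]]*)\]\s*(.*)$")

def parse_log(text):
    """Turn HijackThis result lines into dicts: section, name, target, flags."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a result line
        section, source, detail = m.groups()
        name, target, flags = source, detail, []
        run = RUN_RE.match(detail)
        if section == "O4" and run:
            name, target = run.groups()
            if not target:
                # Autorun value with a name but no command line: malformed.
                flags.append("empty-command")
        elif section in ("O16", "O23"):
            # The last " - " separated field is the download URL or image path.
            name, _, target = detail.rpartition(" - ")
        elif "=" in detail:
            name, _, target = detail.partition("=")
        entries.append({"section": section, "name": name,
                        "target": target, "flags": flags})
    return entries

def autorun_program_dirs(entries):
    """Top-level 'Program Files' folders that O4 autorun entries launch from."""
    dirs = set()
    for e in entries:
        parts = ntpath.normpath(e["target"]).split("\\")
        if e["section"] == "O4" and len(parts) > 2 and parts[1].lower() == "program files":
            dirs.add("\\".join(parts[:3]))
    return sorted(dirs)
```
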
-
Am I supposed to click on those links or fix it from hijackthis? I'm sorry. I'm not very computer literate.
-
Fix those entries from within Hijackthis.
Do not click on the links!!!!!
You can, of course, click on the CCleaner link.
-
Didn't do CCleaner yet....tried to delete viewpoint but it says...."cannot delete viewmgr.exe. Access denied. Make sure disk is not full or write-protected and that the file is not in use."
-
Fix the links in Hijackthis, reboot and then delete the folders.
-
That's what I did the first time....just tried again and it still gives me the same message.
-
If all the items listed were fixed, viewmgr.exe should not be loading. If it was removed via the Add/Remove Programs applet as requested, it shouldn't even be listed anyway.
Post another logfile.
-
Got viewmgr deleted and ran CCleaner. Still want a log file?
-
No, it should be OK now. Just ensure that you follow the instructions with regard to protection by installing and using Spybot, SpywareBlaster and Ewido etc.
-
OK I will use those. However, it still brings up system 32 on startup. I guess it isn't hurting anything. I just didn't want to see it all the time. LOL
-
There are a host of reasons for this occurrence but we had to ensure that it wasn't caused by malware first.
I'm a bit pushed at the moment but I'll sort out a few links for you to explore a little later.
-
Okie Dokie. Thanks so much for taking the time to help me with this!