What is system32.exe?
Geronimo
06-28-03, 03:34 PM
I have a PC with Windows XP and I use the Zone Alarm firewall. Now each time I boot up it tells me that system32.exe wants to access the internet. I say no and I am fine. But could a virus be involved?
And thanks in advance. I have received much valuable help here.
UpOnTheMountain
06-28-03, 04:09 PM
You might want to check this link out:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mari@mm.html
There are others similar.
Geronimo
06-28-03, 06:37 PM
As you might imagine, I was afraid of that. But I do not seem to be able to remove the worm. Oh well.
gcutler
06-28-03, 07:27 PM
Geronimo, do you have an anti-virus SW (with a valid definition subscription)? It didn't look like you were running one from what you described.
I'd get one ASAP.
Geronimo
06-28-03, 07:56 PM
I sure do, but it is malfunctioning and it won't uninstall. Therein lies the problem.
UpOnTheMountain
06-28-03, 08:24 PM
You might want to try AVG from http://www.grisoft.com . It's free and works pretty well.
Geronimo
06-28-03, 08:37 PM
You might want to try AVG from http://www.grisoft.com . It's free and works pretty well.
I thank you for the idea, but I downloaded the free version and executed the file. It went through a setup but nothing is there. I tried it 3 times. No icon. No entry in the start menu. No directory.
I thank you for the idea, but I downloaded the free version and executed the file. It went through a setup but nothing is there. I tried it 3 times. No icon. No entry in the start menu. No directory.
That's strange. I have installed AVG on everything from Win95 to XP and never had any trouble installing it. Not to pick on you, but a couple of weeks ago I downloaded a copy of AVG and burned it on a CD for my computer-inept (outside of typing) secretary (she's just got a dial-up connection) and she installed it with no problem. I've been using it for about 4 years now and have never had a problem.
A buddy of mine with a hardware firewall, software firewall, and McAfee had a worm go through 7 computers last year. He installed AVG on the one box that wasn't completely fried and it found 7 viruses that McAfee missed. Are you saving the file and then opening it, or just opening it and installing? Although both ways should work.
Geronimo
06-28-03, 09:09 PM
I saved it and opened it. It appears to run but there is no icon and I cannot locate a program.
UpOnTheMountain
06-29-03, 06:34 AM
Have you tried to install from safe mode?
Geronimo
06-29-03, 07:27 AM
Have you tried to install from safe mode?
I tried safe mode. Same result. It goes through the self extraction and then nothing happens. And I can't find a directory or anything to work with.
Rick_EE
06-29-03, 08:25 AM
Go to McAfee's site. They can do an online based scan.
I think you are in OS reinstall territory, though.
One more tip: whenever you have a program or process running that you don't know what it is, simply type it into Google. 90% of the time you will get what you want. I do it all the time at work. We have had a couple of viruses because people don't keep their definitions up to date.
Geronimo
06-29-03, 10:16 AM
I tried McAfee as well. It seemed to just whir away doing nothing. Maybe I will let it run unattended for a long period.
gcutler
06-29-03, 10:49 AM
Some retail anti-virus apps come with "Repair Disks", so they can boot from floppy (or CD) and repair the C: drive system files (because the floppy or CD is running as the system for the time being and the system C: files are unlocked at the moment as well). It might pay to purchase McAfee CD retail or Norton Anti-Virus retail (or borrow from a friend).
Geronimo
06-29-03, 10:59 AM
At this point I have the pate32b virus. Anything I download gets infected. That explains the problem with the other software recommended.
McAfee is out. It keeps saying it can't install because I have an older version, but I can't remove the older version. As for borrowing a disk, I would not have the recent dat files. That means that won't work well.
So I will have to resort to another product.
UpOnTheMountain
06-29-03, 11:15 AM
Here is a link that suggests it can fix the problem :
.---------------------------------------------------------------------------------
Go here and download and run Panda's removal tool. (Parite.b)
http://www.pandasoftware.com/download/utilities/
.---------------------------------------------------------------------------------
I can not vouch for it ... and I'm still looking for alternatives ...
UpOnTheMountain
06-29-03, 11:17 AM
Here is another link :
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_PARITE.B
UpOnTheMountain
06-29-03, 11:39 AM
If you use an on-line removal tool, you may want to try to run the executable from the web site and not download first. That way the executable remains "read-only" and is not infected before execution.
Geronimo
06-29-03, 11:55 AM
If you use an on-line removal tool, you may want to try to run the executable from the web site and not download first. That way the executable remains "read-only" and is not infected before execution.
Thank you for your help. Panda seems to have cleaned it. I am rerunning it. I can also now access the McAfee site and will allow it to scan as well.
I may later redownload the other software and try it again as well. I thank you and all others for your help. I purchased the machine last 4th of July in an online auction. Almost no bids were received and I got a fairly decent machine rather cheaply. I would hate to have to start over again so soon after the purchase.
If you need anything from the reservation let me know.
gcutler
06-29-03, 01:42 PM
At this point I have the pate32b virus. Anything I download gets infected. That explains the problem with the other software recommended.
McAfee is out. It keeps saying it can't install because I have an older version, but I can't remove the older version. As for borrowing a disk, I would not have the recent dat files. That means that won't work well.
So I will have to resort to another product.
Yes, you would need a later set, but the virus pate32b may have been on the latest CD, so unless you know for a fact that pate32B is NOT on the CD, it is worth a look (obviously the latest boxed edition would be the most helpful).
Geronimo
06-29-03, 02:10 PM
Grisoft seems to have killed everything except that original system32.exe file. That shows as having a Trojan horse called IRC/Backdoor.sdbot. So far it can't be deleted.
UpOnTheMountain
06-29-03, 02:14 PM
You might be able to get rid of it manually by...
1. take note of its location
2. re-boot and hit the f8 key (tap it frequently while booting) to get the boot options menu
3. boot into safe-mode and command line only
4. use the delete command to directly delete the file
5. reboot as normal.
Geronimo
06-29-03, 02:16 PM
Already tried that, Mr. Mountain. The file cannot be deleted that way either. I heard that Trend Micro can delete it but I don't see anything like what you posted above for that Trojan horse.
UpOnTheMountain
06-29-03, 02:23 PM
What kind of error do you get when doing the command line delete?
It should be very possible to kill that file from the safe mode command line (make sure you are in "command line only").
If the file is not deleting then it may be marked as "read-only".
You could do:
attrib -r -h -s c:\somewhere\thisbadfile.exe
and then:
del c:\somewhere\thisbadfile.exe
If that is not giving you an error message but is instead "popping" back up after you re-boot then you may have "auto-restore" turned on. If that is the case you'll have to turn that off first ...
Geronimo
06-29-03, 02:31 PM
I will give it another try and modify this post to report back.
OK. I deleted it. Now I get an error message at bootup that the file cannot be found. But I seem OK. My guess is that somewhere in an ini file or whatever there is a reference to loading or running this file. I have not located it yet.
UpOnTheMountain
06-29-03, 02:49 PM
Trend Micro does offer removal instructions if you use their recommended products.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SDBOT.05.AX
It looks like you are already mostly there though, it's just a matter of killing that last file.
UpOnTheMountain
06-29-03, 04:01 PM
Geronimo,
If you are comfortable with registry edits, the file is probably being started under the windows current version run portion.
First run regedt
then save the entire file just in case
and then do an edit find for:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Look for an entry that calls out for the system32.exe and delete it.
Be very careful though ...
Geronimo
06-29-03, 04:10 PM
That was mentioned in the Symantec guidance you provided but there is no such statement there or in win.ini
UpOnTheMountain
06-29-03, 04:23 PM
Not in the startup folder, autoexec.bat or config.sys either?
(the last two are mostly foobar, but who knows)
Also, can you post the items listed under the run section?
One of them might be an indirect link to that file ...
Geronimo
06-29-03, 04:35 PM
Not in startup either. I don't even think I have an autoexec.bat or a config.sys. Not sure really how to list everything in the run section. But here is my attempt:
Default Empty
alogserve C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
checktime c:\program files\HPSelect\Frontend\ct.exe
hotkeycmds C:\WINDOWS\System32\hkcmd.exe
hpsysdrv c:\windows\system\hpsysdrv.exe
igfxtray C:\WINDOWS\System32\igfxtray.exe
KBD C:\HP\KBD\KBD.EXE
MCAfee Guardian "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
MCAgentEXe C:\Program Files\McAfee.com\Agent\mcagent.exe
MCUpdateexe
msconfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
NVCPLDAEMON RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
PS2 C:\WINDOWS\system32\ps2.exe
QuickTimeTask "C:\Program Files\QuickTime\qttask.exe" -atboottime
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
Stray2 S3tray2.exe
Tkbellexe C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
UpOnTheMountain
06-29-03, 04:47 PM
Wow, that's a lot of stuff to run at startup. I have two entries in mine!
I personally would kill just about all of those entries. Several of them look suspicious.
The below items probably are not needed, but it is completely up to you. Taking them out may disable some feature that you are used to :
alogserve C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
checktime c:\program files\HPSelect\Frontend\ct.exe
hotkeycmds C:\WINDOWS\System32\hkcmd.exe
hpsysdrv c:\windows\system\hpsysdrv.exe
igfxtray C:\WINDOWS\System32\igfxtray.exe
KBD C:\HP\KBD\KBD.EXE
msconfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
NVCPLDAEMON RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
PS2 C:\WINDOWS\system32\ps2.exe
QuickTimeTask "C:\Program Files\QuickTime\qttask.exe" -atboottime
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
Stray2 S3tray2.exe
....
anyways ...
Question ... are you running McAfee AND Grisoft AVG? If so you may run into problems with the real time protection.
Geronimo
06-29-03, 05:39 PM
I took another look at the Trend Micro help file. It recommended I download a file called Process Explorer. I now know that the command line for explorer.exe reads "Explorer.exe C:\WINDOWS\System32\System32.exe"
The question is how do I change that sucker? Or do I simply kill that process?
UpOnTheMountain
06-29-03, 05:58 PM
Yep, you ought to kill that process first ...
Be sure to check the properties on the desktop link to explorer before restarting explorer.
It sounds like autoload is set to run that automatically. ...
So then ...
Have you tried a regedit search for "system32.exe"?
It should be in there somewhere, I'm just not sure where to look for the explorer defaults.
It's probably even in there everywhere that explorer.exe is called by the OS.
Geronimo
06-29-03, 06:02 PM
HOW do I kill it? The regedit search worked. Thanks again
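An added example, not part of the original posts: the regedit search for "system32.exe" that worked above, done offline over an exported .reg file so every value that names the file is listed with its key. The sample export is constructed, and the Winlogon "Shell" value in it is an assumed location for the command line Process Explorer showed; the thread never says which key held the reference.

```python
import re

# Constructed sample of a regedit text export; not data from the thread.
# Assumption: the Winlogon "Shell" value is used here as the place holding
# the command line reported in the thread; the thread never names the key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hotkeycmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"QuickTimeTask"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\System32.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(text):
    """Undo the backslash escaping that .reg files apply to string data."""
    return re.sub(r'\\(.)', r'\1', text)

def find_references(reg_text, filename):
    """Return (key, value name, data) for each string value naming `filename`."""
    # Match the file name only as a whole path component, so the System32
    # directory itself and names such as mysystem32.exe are not reported.
    needle = re.compile(r'(?<![\w.-])' + re.escape(filename) + r'(?![\w.-])', re.I)
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not m.group(2).startswith('"'):
            continue  # not a plain string value (dword:, hex:, blank line, ...)
        name = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2)[1:-1])
        if needle.search(data):
            hits.append((key, name, data))
    return hits

if __name__ == '__main__':
    for key, name, data in find_references(SAMPLE_REG, 'system32.exe'):
        print(f'{key}\n    {name} = {data}')
```

regedit on XP writes its exports as UTF-16, so decode a real file (for example `open(path, encoding='utf-16')`) before passing the text in. Values exported as `hex(2):` expandable strings are not decoded here.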
poker818
08-15-03, 04:11 AM
I get this message every time I start up my computer
"Windows cannot find 'C:/WINDOWS/System32/System32.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and click search."
HELP PLZ
Geronimo
08-15-03, 04:15 AM
This is a pretty old thread, poker, but I don't think you understand. No one is typing anything; it was happening at start up. The PC was infected with a worm. System32.exe had already been deleted but something in the registry was trying to call it up. The problem has since been corrected. But thanks for your help.
poker818
08-15-03, 11:22 AM
So is there any way I can fix this?
UpOnTheMountain
08-15-03, 04:46 PM
poker818,
Yes, but only if you know how to modify your registry safely.
(assuming this is not in your startup folder and you are running 2k or XP)
See the thread notes about searching for system32.exe and VERY CAREFULLY removing the references.
Also please note that any time you are considering modifying your registry, you need to make a backup first. Be safe!
Geronimo
08-15-03, 05:26 PM
I am confused here. Poker are you offering to help me or are you experiencing the same problem yourself?
Read this thread carefully. The file system32.exe was produced by a worm. The poster above provided links to programs that eradicated the worm. However, there was still a line in my registry that tried to call it up. Search for those words in your registry. They are not needed. Then modify the line to remove them.
If I misunderstood you at first I apologize.
poker818
08-18-03, 05:41 AM
Yes, I had the same problem, but I don't know how to do the things you are telling me to do.
Geronimo
08-18-03, 03:49 PM
Yes, I had the same problem, but I don't know how to do the things you are telling me to do.
I am not sure what else to tell you. Where is it that you get lost?
poker818
08-21-03, 05:11 AM
modify your registry safely
that part
Geronimo
08-21-03, 05:41 AM
Read the rest of that post. I believe it explains it.
poker818
08-21-03, 05:42 AM
Do I delete those files?
Geronimo
08-21-03, 06:00 AM
What files? The instruction was to modify the registry, not to delete a file.
poker818
08-21-03, 06:03 AM
Registry, how do I open and modify that?
UpOnTheMountain
08-21-03, 10:36 AM
poker818,
The registry is a very dangerous file on your computer.
I personally do NOT believe you should try to fix it yourself.
Ask someone that you know that is very good with computers to help you.
To try and fail would be a disaster for you.
Get help !
ERSanders
08-21-03, 11:26 AM
Ger, I suggest that if you are going to buy a new antivirus program you consider getting Norton SystemWorks 2003. With your old / obsolete version of ANY antivirus, I have seen this program go for as low as FREE, after rebates.
Not only will you get the antivirus (which can be set to auto-update) but you will get Norton Utilities which will repair your registry. This can be done without all the "mucking around" in regedit...which can be very dangerous to the unwashed (like me!).
See you back on Dish/Yahoo soon!
X
poker818
08-21-03, 12:36 PM
Oooo, I get it now, sorry, I didn't see the first page of this post.
poker818
08-21-03, 12:49 PM
Is there a different virus that can attack the System32.exe? Because my computer didn't do any of the things Symantec said it does.
Geronimo
08-21-03, 04:44 PM
System32.exe is not a required Windows file. It is a file left by the worm that infected your machine. It needs to be removed and then the line that calls it up (or tries to) needs to be deleted. But I agree that if you are not fairly good with computers you should get someone to do this for you.
Anti virus programs tend not to fix this line. As you can see in this thread I tried several.
poker818
08-22-03, 04:46 AM
I tried the registry thing, found nothing that looks for system32.exe, but that same message keeps popping up.