BleepingComputer.com: System32 Window won't go away

My desktop computer is an old HP Pavillion running XP. Everytime I boot up the System32 window opens on my desktop. It doesn't keep the computer from working properly; it's just annoying to always have to X it out. Is there way I can keep this from happening?

Thanks!

Try the fix at Kelly's Korner.

System32 Folder Opens Upon Boot - #260 on the right.

Right click on it and save the .vbs file to your desktop. Then, double click on the file icon (on your desktop) to run the script. You may need to reboot your computer for the changes to take affect.

With any fix like this you should create a new restore point and backup the registry first. For backing up the registry I like to use ERUNT.

Good Day Budapest!

Thanks for the info. Can you direct me a little more on the ERUNT page. I'm not sure where to click. Server 1, 2...

It doesn't matter which one you use. They are just different download locations where you can download the file from. But it's the same file regardless of which one you pick.

ok. gottcha.

I ran it and it says

The script can not repair your issue. The expected Registry value was not found.

Try this:

http://support.microsoft.com/kb/170086

If you feel confused how to go through your registry, just run the attached file. It would generate c:\registry_start.txt. Copy/paste its contents here and we will tell you how and which entry is to be deleted in your registry.

XP wants to run some programs when your system starts and when you login and if it can't figure it out because the registry contains an invalid parameter (usually double quotes ""), Windows will politely offer you the Explorer window for you to find it.

After backing up your registry, read the Resolution section of the Microsoft article - that says it best.

Navigate to those two places - the HKLM is for when the machine starts, and the HKCU is for when somebody logs in. Check them both.

With the Run key highlighted on the left, look at the Data column on the right for missing, incomplete, corrupt or "" (double quotes). These are wrong and the entire key should be deleted.

Pay attention to the Name column to see if it is some program you need that might need to be reinstalled. It may be something you uninstalled before this started happening. Anything look familiar?

If you are not sure, post the info about the contents of the Run folder here for analysis.

I am just not sure how Kelly's #260 is going to fix this (in spite of the title) or the zip file download. Maybe Budapest and Romeo29 can look at those and double check and enlighten me.

A bogus Run entry could also have been created by malware so a good malware scan won't hurt:

Download, install, update and do a full scan with these free malware detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

joseibarra, on Aug 7 2009, 06:49 AM, said:

The zip file I attached has a program which dumps all registry entries of HKLM > RUN and HKCU > RUN keys into a text file. If you run it ad paste the result here, we can see which entry is faulty and then we can tell which registry entry is to be deleted. It is safer than to trying to edit Registry by oneself. I could have written the program to auto-repair but then the faulty key may have a value single quote, empty double quote or just any incomplete command line. This is why I thought it is better to review the registry values manually and then decide which of them are faulty and need to be removed.

Kelly's #260 is useless as it looks for only a specific entry in Registry - a long shot.

Oh, I see, yeah - good idea. I did not read .

Good Morning everyone

Thank you all for your input. I freely admit this is way new territory for me so I'm moving slowly. I must of read the Microsoft page 10 times and just didn't really get it.

I opted to download the reg_start zip and run it. I'm hoping this is what it was supposed to provide. Let me know if I did this right.

Thanks again.



[HKLM ---> Run]hpsysdrv ==> [c:\windows\system\hpsysdrv.exe]KBD ==> [C:\HP\KBD\KBD.EXE]Recguard ==> [C:\WINDOWS\SMINST\RECGUARD.EXE]NvCplDaemon ==> [RUNDLL32.EXE NvQTwk,NvCplDaemon initialize]IgfxTray ==> [C:\WINDOWS\System32\igfxtray.exe]HotKeysCmds ==> [C:\WINDOWS\System32\hkcmd.exe]S3TRAY2 ==> [S3tray2.exe]PS2 ==> [C:\WINDOWS\system32\ps2.exe]DXM6Patch_981116 ==> [C:\WINDOWS\p_981116.exe /Q:A]Messenger Plus ==> [ ]DeadAIM ==> [rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs]JDJTFPVBH ==> [C:\WINDOWS\JDJTFPVBH.exe]e ==> [C:\WINDOWS\System32\eimgvo.exe] ==> [c:\WINDOWS\System32\]QuickTime Task ==> ["C:\Program Files\QuickTime\qttask.exe" -atboottime]PrimaLauncher ==> [C:\WINDOWS\system32\Launcher.exe]EPSON Stylus CX4800 Series ==> [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"]HostManager ==> [C:\Program Files\Common Files\AOL\1183654668\ee\AOLSoftware.exe]iTunesHelper ==> ["C:\Program Files\iTunes\iTunesHelper.exe"]LELA ==> ["C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized]nmctxth ==> ["C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"]WebEx Document Loader ==> [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P21 "WebEx Document Loader" /O26 "WebEx Document Loader Port" /M "Stylus CX4800"]mcagent_exe ==> ["C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey]SunJavaUpdateSched ==> ["C:\Program Files\Java\jre6\bin\jusched.exe"]TkBellExe ==> ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot]Adobe Reader Speed Launcher ==> ["C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"][HKCU ---> Run]Microsoft Works Update Detection ==> [c:\Program Files\Microsoft Works\WkDetect.exe]Yahoo! Pager ==> [C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet] ==> [c:\WINDOWS\System32\]ctfmon.exe ==> [C:\WINDOWS\system32\ctfmon.exe]Aim6 ==> []swg ==> [C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe]

Don't sweat the learning process!

Did you run MBAM and SAS yet? You really should, THEN see what we got.

Your output is curious to I will see what the experts have to say.

I think it's just a scratch. Run the scans ASAP so we will know what it is not.


FYE - here is my results of the reg_start.exe:

[HKLM ---> Run]
SoundMAXPnP ==> [C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe]

[HKCU ---> Run]


I run lean...

I ran MBAM. But I can run them again. Should I run them in Safe Mode?

From the MBAM page:

Quote

I always do a full scan with MBAM in Normal Mode. How can full hurt (except it takes longer).

SAS page seems to recommend Safe Mode as the first place to start. Can't get a CEO quote though.

If someone has a more definitive answer, I will be glad to hear and adjust.

Removing malware sometimes leave little things behind - I think this is you.