BleepingComputer.com: Search Engine Redirect and System32

Hello,

I am at wits end trying to get rid of what ever it is that I have. I have had my issue for a few months and it is finally started to bug be. The two issues I am have may or may not be related. The first issue: every time I start my computer, the "System 32" folder opens up and one of the folder names is in blue text (see pic).



The second issue happens when searching the internet, I often get redirected after clicking a link (my web browser Firefox v. 3.6.16). For the past 3 years I have been using CenturyLink Online Security (an F Secure product) and I run a full system scan once a week. I uninstalled that virus software today and installed free AVG in hopes that it would be able to detect the issue on a full system scan. AVG was also unsuccessful in finding the problem.

Aside from a system reformat, what else can I try to clear this problem?

Thanks,
Jessica

I forgot to mention, I am on a Dell Inspiron Mini running Windows XP.

If you are infected, the infection seems to be a very weak one. Go to Http://www.malwarebytes.org and download Malwarebytes. Update it, and run the quick scan. Remove anything found & reboot your PC and then come back here.

Will do. Thanks.

The System32 folder opens at startup because of a corrupt registry value. The value could have been corrupted for a number of reasons to include malware or installing/uninstalling a program which did not install/uninstall itself properly.

The problem could also be caused by empty run entries in your startup shortcuts which will open the system32 folder. The first thing to do is check the startup run registry entries with AutoRuns and if any are present, remove those entries.

If that does not resolve the issue, click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #260 and click "System32 Folder Opens Upon Boot" in the right column. You will be prompted to download xp_systems32opens.vbs. Save the file to your desktop and double-click on it to run the script. Since the script modifies certain registry settings you may receive an alert from your anti-virus or any script blocking program. Ignore the warning and allow it to continue.

Also see System32 Folder Opens When Logging on to Windows.

CAUTION: This solution involves making changes in the Windows registry. Always Create a New Restore Point and back up your registry before making any changes. Vista/Windows 7 users can refer to these instructions. If you're not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable. ERUNT is an excellent free tool that allows you to to take a snapshot (backup) of your registry before making changes and restore it when needed.


Note: By design, Windows displays compressed or encrypted files and folders with a unique color. Windows compressed files that do not get used frequently are displayed in blue (NTFS compression) and encrypted files are in green.

• Why are some of my file names blue?
  
• Understanding Compression and the Encrypting File System
  
• NTFS Compression - a forensic view
  
• How To Use File Compression in Windows XP
  
• Best practices for NTFS compression in Windows
  
• Best practices for the Encrypting File System

Good advice, even still, run Malwarebytes just in the case that it was Malware that caused this in the first place.

Yes, I would still recommend warn23 scan with Malwarebytes.

• Follow these instructions for doing a Quick Scan in normal mode.
  
• Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• After completing the scan, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab .
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  
• Exit Malwarebytes' when done.

Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

I downloaded malwarebytes and did the quick scan but it did not find anything.

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.

• If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  
• Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.[/color][/i]

• Click the green button.
  
• Read the End User License Agreement and check the box:
• Check .
  
• Click the button.
  
• Accept any security warnings from your browser and allow the download/installation of any require files.
  
• Under scan settings, check and check Remove found threats
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• Click the Start button.
  
• ESET will install itself, download virus signature database updates, and begin scanning your computer.
  
• The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  If given the option (when threats are found), choose "Quarantine" instead of delete.
  
• When the scan completes, push
  
• Push , and save the file to your desktop as ESETScan.txt.
  
• Push the button, then Finish.
  
• Copy and paste the contents of ESETScan.txt in your next reply.

Ok, I'll do that now. Thanks.

Not a problem.

I am running the Eset scan now (on the infected computer). It is on step 3 or 4 at 37%. Thus far, it has found 2 infected files, one of which is a "variant of Win32/HackTool.Patcher:P application." Thanks again for all of the help.

Post the results when the scan is complete.