Unusual System32 Folder Pop Up


14 replies to this topic

#1 robo1006

robo1006

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:Thailand
  • Local time:07:39 PM

Posted 24 September 2008 - 01:53 AM

hi,

Every time I start my Windows XP, the system32 folder just pops up (the DRVSTORE folder and many file names are written in blue font).
I can't see anything strange happening to my computer,
but there must be a reason for the unusual folder appearance.
Please let me know what other info you need to move on with this.

thank you.


#2 buddy215

buddy215

  • BC Advisor
  • 12,596 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:39 PM

Posted 24 September 2008 - 05:17 AM

If you have AVG installed on your computer, open AVG and click Test Center. Press the F3 key and then click Confirm Changes on any popups that appear as it scans.

EDIT: Blue-colored files in Windows indicate the files are compressed to save disk space.

Edited by buddy215, 24 September 2008 - 05:32 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” - Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 robo1006

robo1006
  • Topic Starter


Posted 24 September 2008 - 08:19 AM

I'm running Kaspersky, and if I install AVG I'll have to uninstall Kaspersky! Do you think it's necessary?
The other thing I noticed in the system32 folder is a faded folder named GroupPolicy; could that have anything to do with it?
And my CPU usage is 22-25% on average, running just a couple of tabs in Opera and/or Mozilla. Is that normal?

#4 buddy215

buddy215


Posted 24 September 2008 - 08:43 AM

NO, do not install AVG.

Have you done any scans for malware? If so, what programs?



#5 robo1006

robo1006
  • Topic Starter


Posted 24 September 2008 - 08:47 AM

I did an adware scan (found New Media trojan), Spyware Search and Destroy, and McAfee Stinger.

#6 robo1006

robo1006
  • Topic Starter


Posted 24 September 2008 - 08:49 AM

sorry it's Ad-Aware

#7 buddy215

buddy215


Posted 24 September 2008 - 09:08 AM

Do a scan with your Kaspersky and Super Antispyware Free.
http://www.superantispyware.com/ Run SAS scan in safe mode.

Post the logs for those two programs if they find anything other than cookies.

Open task manager and click on processes tab. Let us know what processes are causing the excess usage.

(Right-click on the clock and choose "Task Manager".)

EDIT: I suspect what AdAware found was installed by the Zlob trojan. SAS should remove it.

Edited by buddy215, 24 September 2008 - 09:18 AM.



#8 robo1006

robo1006
  • Topic Starter


Posted 24 September 2008 - 01:00 PM

Kaspersky didn't find anything critical. I'm posting a couple of things with system32 in them.
24/9/2551 22:25:27 Detected: http://www.viruslist.com/en/advisories/28083 c:\windows\system32\Flash8a.ocx
24/9/2551 22:25:39 Detected: http://www.viruslist.com/en/advisories/31010 c:\windows\system32\java.exe
24/9/2551 22:26:07 Detected: http://www.viruslist.com/en/advisories/29293 c:\windows\system32\QuickTime.qts

I can't log on to windows in safe mode. It's been loading something. This was the last line:
multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers\TDI.SYS

I did a full scan with SAS but it found mostly adware tracking cookies and

Rogue.AntiVirus 2008 Pro
HKU\S-1-5-21-1220945662-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run#antivirus-2008pro.exe [ ]
Trojan.Dropper/Gen-CW
C:\PTGTTUAQ.EXE

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\GADMEI TVHome Media\ScheduleTV.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\DOCUME~1\ww\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe
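The SAS findings quoted in this post, as an added example that is not part of the original post and not SUPERAntiSpyware's own code: a small Python parser for the detection-name-then-location layout shown above (the layout is inferred from the two entries quoted here). It separates registry locations from files on disk and flags any entry under a Run or RunOnce key, which is how the rogue "antivirus-2008pro.exe" value was set to relaunch at every logon of the user whose SID ends in -1003. The sample text is copied from the post.

```python
"""Parse SUPERAntiSpyware-style findings and separate registry autostart
locations from files on disk. Added example, not the poster's or
SUPERAntiSpyware's code; the log layout is inferred from the quoted entries."""
import re
from dataclasses import dataclass, field

# Constructed sample: the two findings quoted in the thread, verbatim.
SAS_SAMPLE = r"""
Rogue.AntiVirus 2008 Pro
HKU\S-1-5-21-1220945662-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run#antivirus-2008pro.exe [ ]
Trojan.Dropper/Gen-CW
C:\PTGTTUAQ.EXE
"""

HIVES = ("HKLM", "HKCU", "HKU", "HKCR", "HKCC")


@dataclass
class Finding:
    name: str
    registry: list = field(default_factory=list)  # (hive, sid_or_None, key_path, value_name)
    files: list = field(default_factory=list)


def parse_registry_location(loc: str):
    """'HKU\\<SID>\\...\\Run#value [ ]' -> (hive, sid, key_path, value_name).
    SAS separates key and value name with '#'; the trailing '[ ]' is the value
    data, empty in the quoted entry, and is dropped here."""
    loc = re.sub(r"\s*\[.*\]\s*$", "", loc)
    key, _, value = loc.partition("#")
    parts = key.split("\\")
    hive = parts[0]
    # Under HKU the first component is the per-user SID, not part of the key path.
    sid = parts[1] if hive == "HKU" and len(parts) > 1 else None
    key_path = "\\".join(parts[2:] if sid else parts[1:])
    return hive, sid, key_path, value


def parse_sas(text: str) -> list:
    """A line that is neither a registry location nor a drive path starts a new
    finding; the following location lines belong to it."""
    findings, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.split("\\")[0] in HIVES:
            if current is not None:
                current.registry.append(parse_registry_location(line))
        elif re.match(r"^[A-Za-z]:\\", line):
            if current is not None:
                current.files.append(line)
        else:
            current = Finding(name=line)
            findings.append(current)
    return findings


def autostart_entries(findings):
    """(finding name, value name) for every location under a Run/RunOnce key:
    values there are launched again at each logon, which is the persistence
    the rogue in this thread relied on."""
    out = []
    for f in findings:
        for _hive, _sid, key, value in f.registry:
            if key.lower().endswith(("\\run", "\\runonce")):
                out.append((f.name, value))
    return out


if __name__ == "__main__":
    for f in parse_sas(SAS_SAMPLE):
        print(f.name, "registry:", f.registry, "files:", f.files)
    print("autostart:", autostart_entries(parse_sas(SAS_SAMPLE)))
```

The hive/SID split matters when reading such a log: an HKU entry names a specific user's profile hive, so the persistence only fires for that account, while an HKLM Run entry would fire for every user.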

#9 buddy215

buddy215


Posted 24 September 2008 - 03:00 PM

You need to update Sun Java, QuickTime, and Adobe Flash. After updating Java, go to Add/Remove Programs and remove all old Java programs.

Some adware, spyware, and other malware may prevent anti-spyware scanners and applications from running correctly, if at all. Plus, some adware and spyware is written so that if one part is removed, background processes automatically reinstall the removed piece, making it extremely difficult to completely remove such nefarious programs.

You had/have some bad malware. Please do another scan with SAS IN SAFE MODE and allow it to remove whatever it finds.

Clean up your computer using CCleaner. Yahoo Toolbar will be offered during install. UNcheck it if NOT wanted.
http://www.ccleaner.com/

Post the SAS log

Edited by buddy215, 24 September 2008 - 03:10 PM.



#10 robo1006

robo1006
  • Topic Starter


Posted 25 September 2008 - 06:26 AM

Hi, now I have a problem.
I tried to log on to Windows in safe mode by pressing F8, but it was just loading stuff with a message at the bottom
saying "press Esc to cancel loading SPTD.sys". This was the last line after I pressed Esc: multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers\TDI.SYS
So I set my computer through task manager to start in safe mode, but that didn't work either, and now I can't log on
to Windows with the normal startup either. I tried Last Known Good Configuration too, but no success.
Do you know what to do?

#11 buddy215

buddy215


Posted 25 September 2008 - 07:42 AM

My suggestion would be a reformat of your HDD and reinstall of your OS.

I will ask someone else to take a look at this topic.



#12 quietman7

quietman7

Bleepin' Janitor

  • Global Moderator
  • 50,563 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:39 PM

Posted 25 September 2008 - 07:58 AM

If you cannot boot up in Normal or Safe mode, you may be able to use a Windows XP bootable Floppy Disk to boot from a diskette instead of your hard drive. If your hard drive's boot sector or Windows' basic boot files have been corrupted, this disk will circumvent the problem and boot you into Windows. If you don't have an emergency boot floppy, you may be able to use one created on another PC running Windows XP but there's no guarantee that it will boot your machine.

"Resolving Boot Issues with a Boot Floppy Disk".
"How to obtain Windows XP Setup boot disks" and select the download that's appropriate for your Operating System. The Setup boot disks are available so that you can run the Setup program on computers that cannot use a bootable CD-ROM.

Another option is to create a Bootable CD:
Bootable CD FAQs
How To Boot your Computer from a Bootable CD or DVD
How to Create a Bootable Windows XP Setup Disk on a Preinstalled/Preloaded Windows System
Creating A Windows XP Recovery Console CD Image

You can try doing a "Repair Install with Recovery Console". The Recovery Console is a Windows utility that provides a DOS-like command line from which you can run some repair programs. If you have a Microsoft Windows CD-ROM, you can get to the Recovery Console by booting from that CD and pressing any key when you are told to 'Press any key to boot from CD'. At the 'Welcome to Setup' screen, press R for Repair.

"Langa Letter: XP's No-Reformat, Nondestructive Total-Rebuild Option"
"How to perform a Repair/Reinstall" (with screenshots).
"How to install and use the Windows XP Recovery Console"


If you don't have your XP CD you can download an ISO of the Recovery Console files:
Recovery Console ISO file
NTFS4FreeDos ISO
XP Recovery Console zip file

Burn it as an image to a disk to get a bootable CD which will startup the Recovery Console for troubleshooting and fixing purposes. This is especially useful for those with OEM systems with factory restore partitions or disks but no original installation CD. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO.

You can start a new topic in the Hardware forum if you need assistance with this.

Important Note: If this is a virus/Trojan related issue, you should know that some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action. W32.Sistdi is an encrypted, polymorphic Win32 virus that creates a Tdi.sys file.

Please read:
"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?".

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#13 robo1006

robo1006
  • Topic Starter


Posted 26 September 2008 - 02:11 AM

I'm back in Windows normal mode.
I restarted my computer and just left it there with the black screen on. When I came back after an hour,
my computer was logged on to Windows in safe mode. I did an SAS scan, restarted my laptop,
and I didn't see anything pop up, so I would say that the problem with the system32 folder pop-up has been removed by the SAS scan.
However, my CPU usage still seems quite high, between 25 and 30 at the moment.
Shall I go to the startup menu and disable programs which are not necessary to start when Windows starts?
I did the CCleaner scan too.

#14 buddy215

buddy215


Posted 26 September 2008 - 06:02 AM

The likely programs causing the excessive use are Alcohol and Rich Video.

If the W32.Sistdi file is malware as suspected, and pointed out by Quietman7, your computer will likely not be malware free and repaired until you reformat and reinstall your OS.

Files downloaded using P2P programs often have malware. Dangerous to use.

Update SAS and Kaspersky, run scans with both and post their logs. Run both scans in Safe Mode.



#15 robo1006

robo1006
  • Topic Starter


Posted 27 September 2008 - 11:21 PM

I got rid of the PowerDVD program; I don't think I've ever used it. I did the scans as advised, plus used the Uniblue pack to clean the computer up too. SAS found nothing at all, and
Kaspersky:
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\de.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\es.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\fi.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\QuickTimePlayer.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\fr.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\it.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\ja.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\ko.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\nb.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\nl.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\pl.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\pt_PT.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\ru.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\sv.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\zh_CN.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\zh_TW.lproj\QuickTimePlayerLocalized.qtr
27/9/2551 23:21:58 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
27/9/2551 23:25:04 Detected: http://www.viruslist.com/en/advisories/29434 c:\program files\Utilities\7-Zip\7z.exe
28/9/2551 0:12:07 Detected: http://www.viruslist.com/en/advisories/28083 c:\WINDOWS\system32\Flash8a.ocx
28/9/2551 0:14:57 Detected: http://www.viruslist.com/en/advisories/29293 c:\WINDOWS\system32\QuickTime.qts
28/9/2551 0:55:09 Task completed

I updated QuickTime, Sun Java, and Adobe Flash, and removed QuickTime after Kaspersky's report.

It probably was richvideo.exe, as indicated by you guys.
The good news is my CPU is back down to 3% usage as I type.
I'm happy for now as everything seems back to normal; I'll be talking to you soon in a new post.

thank you for your help.

Robo.
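The Kaspersky entries quoted in posts #8 and #15 above, as an added example that is not part of the original thread and not Kaspersky's own code: a Python parser for the "date time Detected: advisory-URL path" lines (format inferred from the quoted output). Two details are worth knowing when reading such a log. The dates are in the Thai Buddhist Era used by the poster's Windows locale (BE = CE + 543, so 27/9/2551 is 27 September 2008), and the URLs point to viruslist.com advisories, which is Kaspersky's vulnerability scan flagging outdated software rather than malware detections, which is why the advice in the thread was to update Java, QuickTime and Flash. The parser groups affected files per advisory and lists the copies living under system32, where browser-loadable components such as Flash8a.ocx and QuickTime.qts sit. The sample lines are a constructed subset copied from the thread.

```python
"""Parse Kaspersky 'Detected:' advisory lines, normalise Thai Buddhist-era
dates to Gregorian and group the affected files per advisory. Added example,
not the poster's or Kaspersky's code; line format inferred from the thread."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the lines quoted in the thread, verbatim.
KAV_SAMPLE = r"""
27/9/2551 23:21:56 Detected: http://www.viruslist.com/en/advisories/29293 c:\program files\quicktime\QuickTimePlayer.Resources\QuickTimePlayer.qtr
27/9/2551 23:21:58 Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
27/9/2551 23:25:04 Detected: http://www.viruslist.com/en/advisories/29434 c:\program files\Utilities\7-Zip\7z.exe
28/9/2551 0:12:07 Detected: http://www.viruslist.com/en/advisories/28083 c:\WINDOWS\system32\Flash8a.ocx
28/9/2551 0:14:57 Detected: http://www.viruslist.com/en/advisories/29293 c:\WINDOWS\system32\QuickTime.qts
28/9/2551 0:55:09 Task completed
"""

LINE_RE = re.compile(
    r"^(?P<d>\d{1,2})/(?P<m>\d{1,2})/(?P<y>\d{4}) (?P<t>\d{1,2}:\d{2}:\d{2}) "
    r"Detected: (?P<url>\S+) (?P<path>.+)$"
)


def to_gregorian(day: int, month: int, year: int, hms: str) -> datetime:
    """Windows on a Thai locale writes the Buddhist Era year (BE = CE + 543),
    so 2551 BE is 2008 CE. A year below 2400 is assumed to be Gregorian already."""
    if year > 2400:
        year -= 543
    return datetime.strptime(f"{year}-{month}-{day} {hms}", "%Y-%m-%d %H:%M:%S")


def parse_kav(text: str) -> list:
    """One dict per detection line; 'Task completed' and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "when": to_gregorian(int(m["d"]), int(m["m"]), int(m["y"]), m["t"]),
            # The advisory id is the last URL path component.
            "advisory": m["url"].rstrip("/").rsplit("/", 1)[-1],
            "path": m["path"],
        })
    return events


def by_advisory(events: list) -> dict:
    """advisory id -> sorted, de-duplicated list of affected paths. One outdated
    product usually appears as many files (the QuickTime .lproj entries)."""
    groups = defaultdict(set)
    for e in events:
        groups[e["advisory"]].add(e["path"].lower())
    return {k: sorted(v) for k, v in groups.items()}


def in_system32(events: list) -> list:
    """Affected files under the Windows system directory: shared components
    that browsers and other programs load, so they are the ones to patch first."""
    return sorted(e["path"] for e in events
                  if "\\windows\\system32\\" in e["path"].lower())


if __name__ == "__main__":
    evs = parse_kav(KAV_SAMPLE)
    for adv, paths in sorted(by_advisory(evs).items()):
        print(adv, len(paths), "file(s)")
    print("first event (Gregorian):", evs[0]["when"].isoformat())
    print("under system32:", in_system32(evs))
```

Converting the calendar before comparing timestamps with other sources (event logs, AV server consoles) avoids the classic mismatch where a Thai-locale machine appears to report events 543 years in the future.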
