System32 missing?

drunkbum222

New Member
When I go to my windows folder my system32 folder seems to be missing. This happened about when I think I got a virus, I can't use find to locate it and I also can't use any run commands due to it. I have used Nortons and it can't find anything.
 
Are you sure that you have hidden folders enabled? Because if you are in Windows now then it is not gone, because you wouldn't be able to use Windows.
Go to My Computer and in Tools click Folder Options and under View check the box for show hidden files and folders.
 
Well if your computer still runs, it's obviously there. Some viruses may hide folders from being seen so you can't manually delete the virus.
 
Are you sure that you have hidden folders enabled? Because if you are in Windows now then it is not gone, because you wouldn't be able to use Windows.
Go to My Computer and in Tools click Folder Options and under View check the box for show hidden files and folders.

If that was it, don't you think I could find it using search?

So would there be any way to get rid of the virus besides reinstalling windows?
 
So have you tried showing hidden files?
It will only appear in search if you make it search for hidden files and folders.
Go into search and click All Files and Folders and click advanced options and then check the box that says include hidden files and folders or something like that, then search for system32.
 
If that was it, don't you think I could find it using search?

So would there be any way to get rid of the virus besides reinstalling windows?

That will depend on how many files have been affected if it is a virus. First you have to find out if this is from a virus and what type of virus or malware it is. The first thing to do there is run a few antivirus and spyware removers to see if anything is found. There are a few free online scanners as well as downloads you can try at the links here.
AVG 7.5 and Grisoft's new version of Ewido, now known as AVG Anti-Spyware Free, can be found at http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
Avira's AntiVir can be found at http://www.avira.com/en/download/index.html
Symantec has a free online security check and virus scanner at http://security.symantec.com/sscv6/...d=22&pkj=NCGSCKMRKRFPECDMEYI&setjsax=1&bhcp=1
Trend Micro has a 30-day trial period on their PC-cillin that requires an activation code for the antivirus, antispyware, antispam, personal firewall program they offer. You would need to download and install separate from any others in order to run House Call. http://housecall.trendmicro.com/

So have you tried showing hidden files?
It will only appear in search if you make it search for hidden files and folders.
Go into search and click All Files and Folders and click advanced options and then check the box that says include hidden files and folders or something like that, then search for system32.

The option to hide protected system files does not hide folders along with certain essential system files, the boot.ini found at the root of C, or others generally in the system32 folder itself like the wpa.dbl file for Windows activation. Either by using Windows Explorer or opening the Windows directory through My Computer you should be able to browse directly to any folder unless found under a different user account.
 
Thanks a lot guys, I ran a spyware and virus check and found no spyware, but I did find some stuff using AVG virus scan.

Then I got a pop up while I was running it from Nortons.

I was not able to locate the one Nortons found but tonight I was going to run a virus scan using Nortons and see if I could find anything else. Still can't get my desktop to show up though. :(
 
Have you tried booting up in safe mode? The variant found there is a worm geared for infecting networks. One set of removal instructions as well as one or two removal tools are found at http://www.precisesecurity.com/computer-virus/avwaf-feb021.htm

Symantec has a full page to look over with instructions found at http://www.sarc.com/avcenter/venc/data/w32.alcra.f.html
Another pair of links offers some more help on removing the W32.Alcra.F.
http://www.antivirusprogram.se/virusinfo/W32.Alcra.F_8954.html
http://www.sophos.com/support/disinfection/worms.html
 
lol

Umm, a virus hides your System 32 folder. It does this because it has changed the attributes of several key files in the folder and even substitutes some key files for others.

It can be a bugger fixing it, because the rights will be altered, preventing you from changing the attributes. It's a pain in the butt.
 
its the systems folder that you prevent viruses not the system32

only things on my system32 folder
1. adobe folder
2. driver folder contains a file gm.dls
 
lol

Umm, a virus hides your System 32 folder. It does this because it has changed the attributes of several key files in the folder and even substitutes some key files for others.

It can be a bugger fixing it, because the rights will be altered, preventing you from changing the attributes. It's a pain in the butt.

Well it appears the only other one making sense around here has spoken. :P

Besides system files as the general rule a number of other files on a drive can be infected. One method was to delete the non system related and overwrite the infected system files if there are only a small number found. You first have to know which ones were hit. The system restore also has to be turned off temporarily to remove any possible reinfection from that direction. :eek: And don't get too close to a couple of these ??? people. You know what they say about "second hand smoke". :P
 
I think it may just be wise to use the install disk that came with my computer. I already have all my pictures on our other computer and I was thinking about getting some DVD R disks to save some stuff on. (UT2004, My music files, Downloaded files, Diablo 2 <Hell yes I still play it> and some other files) I thought it would be wise to scan the disk before I move the folders into my C drive.

This is talking about if I can't get rid of this virus. I did run the hijack program but I didn't know what to do after everything was done. I'm planning on running a Nortons sweep tonight when I am sleeping. Really all I want back is my desktop background.
 
Ran Norton and I came across a W32.Alcra.F virus, that was deleted. I also had 2 files of adware that I got rid of.

Hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 12:29:29 AM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Folding@Home\winfah.exe
C:\Program Files\Folding@Home\FahCore_82.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\FixCDT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 170.115.249.27:80
R3 - URLSearchHook: ScriptInocUI Class - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [K0xERQYEP] powfo.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} - http://downloads.shopathomeselect.com/axinstall/SRInstall4110_sp2.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~3\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Well it appears the only other one making sense around here has spoken. :P
Hope you're not including yourself in that.

drunkbum.

You seem to be running 2 anti-virus programs, Norton and Avg. This is a bad idea, as they can conflict with each other, leaving you more vulnerable. Choose which to keep and uninstall the other.

Run Hijackthis and select "Do a system scan only", place a check by the following entries.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: ScriptInocUI Class - - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
O4 - HKCU\..\Run: [K0xERQYEP] powfo.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


And these, if you don't know what they are.

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


Close all open windows and browsers, and hit "Fix Checked".

Search for and delete these files.

powfo.exe
svcnet.exe


Then restart the computer and post a new Hijackthis log.
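
As an added example (not part of any post in this thread, and not HijackThis's own logic), the script below applies the kind of checks used in the reply above to a HijackThis log: hooks with no file behind them, autoruns with no full path, empty IE settings, leftover entries and Trusted Zone additions. The sample is an excerpt of the log posted in this thread; the rules and the names `classify` and `triage` are assumptions made for illustration, and a flagged entry is a candidate for review, not a verdict.

```python
import re

# Excerpt of the HijackThis log posted in this thread, embedded so the script runs offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: ScriptInocUI Class - - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [K0xERQYEP] powfo.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O15 - Trusted Zone: *.media-motor.net
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                # "O4 - <body>"
RUN = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[(.*?)\] (.*)$")  # O4 registry autoruns


def classify(section, body):
    """Return a review reason for one entry, or None. The rules are assumptions."""
    if body.endswith("(no file)"):
        return "registered hook/BHO with no file behind it"
    if "(file missing)" in body:
        return "leftover entry pointing at a missing file"
    if section == "O15":
        return "site added to the IE Trusted Zone"
    if section in ("R0", "R1") and body.endswith("="):
        return "IE setting present but empty"
    run = RUN.match(body) if section == "O4" else None
    if run and "\\" not in run.group(3):
        return f"{run.group(1)} autorun '{run.group(3)}' has no full path"
    return None


def triage(log_text):
    """Parse a HijackThis log; return (section, reason, line) for entries to review."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY.match(line)
        if m:  # header lines and the running-process list do not match
            reason = classify(*m.groups())
            if reason:
                findings.append((m.group(1), reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The path rule also flags the `BCMSMMSG.exe` autorun, which the reply above did not select, so each hit still needs a person to decide whether the program is known.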
 