

Backdoor.Sdbot - System32.exe


Original Message
Name: Dangelus
Date: December 4, 2003 at 14:01:34 Pacific
Subject: Backdoor.Sdbot - System32.exe
OS: win 98se
CPU/Ram: AMD Athlon 2 ghz 256mb dd
Comment:

I too have had the annoying virus.
I am using Norton 2003, latest definitions.
The problem is that it won't clean or delete the system32.exe file, and when I try to delete it manually it says Windows is using it and I can't delete it.
It's probably harmless but it still shows up every time I scan something and I want rid of it.

Please help




Response Number 1
Name: Tom41
Date: December 4, 2003 at 14:24:50 Pacific

Download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.
HijackThis!



Response Number 2
Name: Dan
Date: December 4, 2003 at 15:02:05 Pacific

Logfile of HijackThis v1.97.7
Scan saved at 23:06:24, on 04/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\SYSTEM32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVW32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CATCHER.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\PROGRAM FILES\REGETDX\IEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_All.htm
O8 - Extra context menu item: Download by Re&Get Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_Link.htm
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37872.4528356481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw14fd.law14.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bff3af7d050da5/housecall.antivirus.com/housecall/xscan53.cab




Response Number 3
Name: Tom41
Date: December 4, 2003 at 15:15:00 Pacific

Run HijackThis again and place a check in the box next to the following item. Next, close all browser windows, and have HT 'fix checked'.

You must restart your computer when you're done.

O4 - HKLM\..\Run: [System32] System32.exe

After restarting delete System32.exe



Response Number 4
Name: ThatOneGuy
Date: December 6, 2003 at 10:45:55 Pacific

I ran HijackThis and didn't have the same results. I have the virus but the item you said to select doesn't appear. I have this though: F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

I have no idea how to get rid of this file. Can anyone help me?



Response Number 5
Name: orangebananatrees
Date: December 7, 2003 at 12:45:40 Pacific

I just deleted that virus yesterday. Actually, Norton 2004 deleted system32.exe for me. Now every time I load up Windows it tells me that it's missing system32.exe.

Does anybody know where I could download system32.exe for Windows XP Professional?
Thanks




Response Number 6
Name: ThatOneGuy
Date: December 7, 2003 at 18:09:01 Pacific

I deleted system32.exe myself (pain to do) and it doesn't ask for the file. I'm running XP Pro w/o any SP and the latest updates.



Response Number 7
Name: tommy123
Date: December 25, 2003 at 08:03:49 Pacific

I have Windows XP Pro with SP1 and latest updates. I once ran Norton and now I get the system32.exe file missing error report on each boot. I've been through various 'startup' check methods... none work. I have been trying to get a copy of a Windows XP system32.exe file but can't. I am going to now try getting a copy of the file from my sister's computer... even though I know her version may not work... at least she also has Windows XP Pro.



Response Number 8
Name: redcantelope
Date: December 30, 2003 at 14:38:36 Pacific

It's in the registry:
Open regedit (please be careful here; you can mess up your computer).

Run a search for system32.exe.
The only one that will come up is the string for the shell. The value should be something like 'Explorer.exe D:\WINDOWS\System32\System32.exe'.

Delete the 'D:\WINDOWS\System32\System32.exe' part.

DON'T DELETE THE EXPLORER.exe. This will cause your computer to not load a shell at all, leaving you with no interface.

Hope that helps.




Response Number 9
Name: lev
Date: January 12, 2004 at 16:13:02 Pacific


Hi, I am having this problem with system32.exe.
Every time the computer starts, Windows shows a message about system32: "make sure that you typed the name correctly".
I read before that it got deleted by a trojan virus, and I got anti-virus, but I can't find a way to stop the message about system32.exe.
I'm wondering if I can download it or something.



Response Number 10
Name: crost
Date: January 13, 2004 at 02:27:44 Pacific

Hello,

I have the same problem, but I can tell you that it's not a system file! I thought so too, but I've done research and I can tell you: it's a virus!
Don't know yet how to fix it though.
So I recommend to all of you to use a firewall, because it's a worm!

Ciao!



Response Number 11
Name: sflow
Date: January 21, 2004 at 00:18:29 Pacific

OK, to get rid of this system32 BS, download and run HijackThis (search on www.google.com for it). Run it and hit Scan; it should load a list of files. Now anything that refers to system32.exe, delete it, reboot, good to go. Hope this helps you all.



Response Number 12
Name: sflow
Date: January 21, 2004 at 00:20:07 Pacific

Crap, sorry: check the check boxes that have system32.exe in them, after that hit "fix checked" and delete them, then reboot. My bad...



Response Number 13
Name: digbob
Date: January 22, 2004 at 06:15:58 Pacific

Process File: system32 or system32.exe
Process Name: System32
Description: Added as a result of the MARI, SYSXXX and other viruses! Mari is an Internet worm spreading with emails as an attached EXE file, whereas SysXXX is a backdoor Trojan program that was written in the Delphi language. Backdoor.SysXXX gives a hacker complete access to your computer. By default, the Trojan opens two TCP ports, 31556 and 6051, which it uses to communicate with the hacker. It notifies the hacker through email or ICQ. Also, Backdoor.SysXXX attempts to terminate various security products and system monitoring tools. system32.exe is a virus. To get rid of the problem... click Start > Run > regedit... go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

On the right-hand side you will find a value for Shell: "Explorer.exe C:\WINDOWS\System32\System32.exe". Here, delete "C:\WINDOWS\System32\System32.exe" so as to leave just Explorer.exe. Then boot to Safe Mode and delete the file "C:\WINDOWS\System32\System32.exe". This will remove the worm from the computer. Take care!

This will work for Win2K or WinXP.
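The HijackThis and regedit steps given in this thread (Tom41's "fix checked" on the O4 entry, redcantelope's and digbob's Shell edit) come down to two checks: does the Shell value (system.ini on Win9x, the Winlogon key on NT/2000/XP, shown by HijackThis as F0/F2 lines) load anything besides Explorer.exe, and does any O4 Run entry launch the dropped System32.exe. The script below is an added example; it is not part of the thread and not HijackThis or Symantec code. It triages pasted HijackThis log lines offline and computes the corrected Shell value with the guard redcantelope warns about (never leave the Shell empty). Assumptions: the regexes follow the F0/F2/O4 line formats of HijackThis 1.97 as seen in the logs in this thread; the only file name treated as bad is the System32.exe this thread names; the sample lines are copied from the two posted logs and used as constructed input; the script does not touch the registry, it only reports what to fix.

```python
"""Triage HijackThis log lines for the System32.exe indicators discussed
in this thread and compute the corrected Shell value.

Added example, not part of the original thread. It only reports what to
fix; the registry / system.ini edit itself is still done by hand."""
from __future__ import annotations

import ntpath
import re
import sys
from dataclasses import dataclass

# Lines copied from the two HijackThis logs posted in the thread, used
# here as constructed sample input.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

DEFAULT_SHELL = "explorer.exe"     # the only program a stock desktop Shell loads
KNOWN_BAD_EXES = {"system32.exe"}  # assumption: limited to the file this thread names

# F0 = system.ini on disk, F2 = the same value mirrored in the registry.
SHELL_RE = re.compile(r"^F[02] - (?:REG:)?system\.ini: Shell=(?P<value>.+)$", re.I)
# O4 - HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$",
    re.I,
)


@dataclass
class Finding:
    line: str
    reason: str
    fix: str


def first_program(cmd: str) -> str:
    """Program a command line launches, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def clean_shell_value(value: str) -> str:
    """Strip everything after Explorer.exe from a Shell value (the regedit
    edit the thread describes). Refuses a value that does not start with
    Explorer.exe, so a caller can never write back an empty Shell and boot
    to no desktop at all."""
    prog = first_program(value)
    if ntpath.basename(prog).lower() != DEFAULT_SHELL:
        raise ValueError(f"unexpected shell value: {value!r}")
    return prog


def triage(log: str) -> list[Finding]:
    """Flag Shell lines that chain a second program after the desktop shell
    and O4 autorun entries that launch a known-bad file name."""
    findings: list[Finding] = []
    for line in log.splitlines():
        m = SHELL_RE.match(line)
        if m:
            value = m.group("value")
            if len(value.split()) > 1:
                try:
                    fix = clean_shell_value(value)
                except ValueError:
                    fix = "review by hand: first program is not Explorer.exe"
                findings.append(Finding(line, "Shell loads a second program after the desktop shell", fix))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = ntpath.basename(first_program(m.group("cmd"))).lower()
            if exe in KNOWN_BAD_EXES:
                findings.append(Finding(
                    line,
                    f"autorun entry launches {exe}",
                    f"delete value [{m.group('name')}] under {m.group('hive')}\\..\\{m.group('key')}, "
                    "then delete the file from Safe Mode",
                ))
    return findings


if __name__ == "__main__":
    # With a log on stdin triage that, otherwise show the sample lines.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in triage(text):
        print(f"{f.line}\n    why: {f.reason}\n    fix: {f.fix}")
```

Run it as-is to see the three findings from the sample lines, or feed a saved log on stdin. The Shell check fires on any second token, not just System32.exe, because a chained Shell is the persistence trick regardless of the file name; the O4 check is deliberately narrow, since plenty of legitimate Run entries (loadqm.exe, MMTray.exe in the logs above) also use bare file names.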



Response Number 14
Name: arebelspy
Date: January 28, 2004 at 13:43:29 Pacific

Thanks Geoff, you're the man.

I run WinXP Pro, had this virus, did exactly what you said, worked perfectly (no error on bootup, etc.)

I'd recommend everyone follow this procedure (edit registry key, boot into safe mode, delete system32.exe, reboot as normal, you're good).

:)

-arebelspy



Response Number 15
Name: joshuababb
Date: January 30, 2004 at 14:38:53 Pacific

This just happened to me today. I keep getting the message "missing system32.exe etc. etc." at boot up. I am almost positive Norton deleted it. I ran a virus scan and came up with 144 infected. This is after 0 infected yesterday. So I deleted all I could, had the program fix a couple, and had to manually delete 2.

Now, I don't know if I fixed the problem or not. I still get the error message at boot up, and it takes my computer an extra 5 minutes to load everything.

I ran the program you guys suggested (HijackThis) and copied the log:

Logfile of HijackThis v1.97.7
Scan saved at 5:36:27 PM, on 1/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\MMTrayLSI.exe
C:\WINDOWS\System32\MMTray2k.exe
C:\WINDOWS\System32\MMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\zero\LOCALS~1\Temp\Rar$EX00.766\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cyberpowersystem.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne2.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne2.attbb.net
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [Supernova] C:\WINDOWS\Blaargh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cyberpowersystem.com
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw11fd.law11.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab

Now, what should my next step be? To find a replacement for the missing system32.exe? Any help would be better than my tech support.



Response Number 16
Name: joshuababb
Date: January 30, 2004 at 14:58:03 Pacific

Update:

I went through the regedit process and deleted the junk after explorer.exe.

So now I don't get the missing system32.exe message anymore, BUT my computer is still taking a SUPER extra long time to load up. It wasn't like this yesterday... how do I fix this?







