
Thread: System internals query 'win32'

  1. #1
    Junior Member
    Join Date
    Jul 2008
    Posts
    14

    System internals query 'win32'

    A bit puzzled by an entry that crops up when I run the 'system internals' tool. The entry is:

    "An app is registered with windows but could not be found at the given location.

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\appPaths\Win32"

    In most cases I am happy to take SD's hint and delete these dead links etc, but as this one appears to relate to windows itself, I'd like to know what exactly this means before I go ahead and delete. Is this just a fake registry path that should be deleted? The remains of some malware? What?

    Cheers for any light that can be thrown.

    S

  2. #2
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,489


    You should be a bit careful with the System Internals scan. From the help file:
    Warning: Please be aware that changes to these items can corrupt your system! If you are not sure whether a setting is really a problem you'd better leave it alone!
    This warning especially applies if you are using Microsoft Office™. This software suite has some registry entries pointing to wrong directories and some even pointing to non-existent help files. I have changed the first, but I would not delete the other one, because they may well point to files that will be installed on that "Install on first use" basis.
    For wrong app path:
    Application paths – some applications (mostly those registered to a file extension) are registered in the registry. If they are pointing to a program file no longer existing, Spybot-S&D can change their path or delete their entry.
    I haven't run a system internals scan for ages, so I'm a bit rusty on them.

    What's the path?
    Try this: Go to System Internals, click Check, then click Export, then click Save. Then, go to View Report, click View Previous Report, scroll down and find SpybotSD.System internals.txt, right-click it, select Open. Next, go to Edit, select all. Return to Edit, select Copy, then Paste it here.

  3. #3
    Senior Member
    Join Date
    Jan 2008
    Posts
    586


    You haven't said what operating system or service pack you are using; however, if it is XP-Home then the message "An app is registered with windows but could not be found at..HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\appPaths\Win32" is saying that it didn't find the registry appPaths entry for the application, and neither it should, because I believe it's not normally there in an XP-Home installation.

    The problem, as I see it, is that it found a reference indicating an app (possibly Win32.exe) is registered, and this may have originally come from malware. In addition to posting the report file Zenobia mentioned, you could also do a search for a file Win32.exe or Win32.dll and if you find it, advise its size, date and path.

  4. #4
    Junior Member
    Join Date
    Jul 2008
    Posts
    14


    Thanks ever so, for tips, and apologies for forgetting the system, this is XP Pro with SP2 and all the updates as received from MS. I'm still using IE6 too.

    In the Spybot log the first two 'broken links' are presumably because those items are not connected at the mo.

    I don't know what the 'advpack' thing is, so have left it.

    Which leaves the 'Win32'


    Searching for Win32.exe and dll yields nothing, but just searching Win32 gives a list which I have added below in case it throws any further light.

    Thanks once again for your interest:


    --- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

    2008-01-28 blindman.exe (1.0.0.7)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2008-01-28 SDMain.exe (1.0.0.5)
    2007-10-07 SDShred.exe (1.0.1.2)
    2008-01-28 SDUpdate.exe (1.0.8.8)
    2008-01-28 SDWinSec.exe (1.0.0.11)
    2008-01-28 SpybotSD.exe (1.5.2.20)
    2008-01-28 TeaTimer.exe (1.5.2.16)
    2007-06-09 unins000.exe (51.41.0.0)
    2008-02-08 unins001.exe (51.49.0.0)
    2008-01-28 Update.exe (1.4.0.6)
    2008-01-28 advcheck.dll (1.5.4.5)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2007-11-17 DelZip179.dll (1.79.7.4)
    2008-01-28 SDFiles.dll (1.5.1.19)
    2008-01-28 SDHelper.dll (1.5.0.11)
    2008-01-28 Tools.dll (2.1.3.3)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2008-07-15 Includes\Adware.sbi
    2008-07-15 Includes\AdwareC.sbi
    2008-06-03 Includes\Cookies.sbi
    2008-06-03 Includes\Dialer.sbi
    2008-07-07 Includes\DialerC.sbi
    2008-07-11 Includes\HeavyDuty.sbi
    2008-07-10 Includes\Hijackers.sbi
    2008-07-08 Includes\HijackersC.sbi
    2008-07-15 Includes\Keyloggers.sbi
    2008-07-15 Includes\KeyloggersC.sbi
    2004-11-29 Includes\LSP.sbi
    2008-07-16 Includes\Malware.sbi
    2008-07-16 Includes\MalwareC.sbi
    2008-07-15 Includes\PUPS.sbi
    2008-07-15 Includes\PUPSC.sbi
    2007-11-07 Includes\Revision.sbi
    2008-06-18 Includes\Security.sbi
    2008-07-08 Includes\SecurityC.sbi
    2008-06-03 Includes\Spybots.sbi
    2008-06-03 Includes\SpybotsC.sbi
    2008-07-11 Includes\Spyware.sbi
    2008-07-15 Includes\SpywareC.sbi
    2008-06-03 Includes\Tracks.uti
    2008-07-15 Includes\Trojans.sbi
    2008-07-15 Includes\TrojansC.sbi
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    Category: Broken link
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
    Filename: \\......\My Documents\MyPlacesGE
    Data: C:\Documents and Settings\....\Desktop\Shortcut to MyPlacesGE.lnk

    Category: Broken link
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
    Filename: E:\...\My PicturesChrono
    Data: C:\Documents and Settings\...\Desktop\Shortcut to My PicturesChrono.lnk

    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DECCHECK
    Filename: RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
    Data:

    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MSTTS
    Filename: RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSa22.inf, Uninstall
    Data:

    Category: Wrong app path
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\win32
    Filename: win32
    Data:


    Searching 'Win32' with AgentRansack gets no exe but this is the list:

    C:\Documents and Settings...\Desktop\Newsgroups Web\System internals query 'win32' - Safer Networking Forums.url (1 KB, 22/07/2008 20:32:47)
    C:\Documents and Settings...\My Documents\Security\System internals query 'win32' - Safer Networking Forums.url (1 KB, 22/07/2008 20:32:47)
    C:\Documents and Settings...\Recent\Files named Win32.fnd.lnk (1 KB, 23/07/2008 18:06:28)
    C:\Program Files\HMRC\Employer CD-ROM 2007\xtras\pc\PrintOMatic MX (Win32) (15/08/2007 17:12:58)
    C:\Program Files\Inland Revenue\Employer CD-ROM 2006\xtras\pc\PrintOMatic MX (Win32) (02/09/2006 11:14:00)
    C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_CopyDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
    C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_CopyNoDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
    C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_LinkDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
    C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_LinkNoDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
    C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_MoveDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
    C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_MoveNoDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
    C:\Program Files\VideoLAN\VLC\plugins\libglwin32_plugin.dll (22 KB, 01/04/2008 23:41:12)
    C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\win32k.sys (1794 KB, 02/03/2005 02:11:25)
    C:\WINDOWS\$hf_mig$\KB896424\SP2QFE\win32k.sys (1797 KB, 06/10/2005 01:10:04)
    C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\win32k.sys (1801 KB, 08/03/2007 14:49:49)
    C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys (1803 KB, 19/03/2008 10:40:27)
    C:\WINDOWS\$NtServicePackUninstall$\cimwin32.dll (1238 KB, 29/08/2002 11:40:50)
    C:\WINDOWS\$NtServicePackUninstall$\cimwin32.mfl (1910 KB, 23/08/2001 13:00:00)
    C:\WINDOWS\$NtServicePackUninstall$\cimwin32.mof (2704 KB, 23/08/2001 13:00:00)
    C:\WINDOWS\$NtServicePackUninstall$\win32k.sys (1755 KB, 25/09/2003 09:35:48)
    C:\WINDOWS\$NtServicePackUninstall$\win32k.sys.000 (1772 KB, 29/08/2002 10:14:20)
    C:\WINDOWS\$NtServicePackUninstall$\win32spl.dll (97 KB, 29/08/2002 11:41:18)
    C:\WINDOWS\$NtUninstallKB824141$\win32k.sys (1655 KB, 23/10/2002 08:55:02)
    C:\WINDOWS\$NtUninstallKB890859$\win32k.sys (1793 KB, 04/08/2004 07:17:40)
    C:\WINDOWS\$NtUninstallKB896424$\win32k.sys (1794 KB, 02/03/2005 02:06:57)
    C:\WINDOWS\$NtUninstallKB925902$\win32k.sys (1797 KB, 06/10/2005 01:05:59)
    C:\WINDOWS\$NtUninstallKB941693$\win32k.sys (1801 KB, 08/03/2007 14:47:48)
    C:\WINDOWS\$NtUninstallQ328310$\win32k.sys (1772 KB, 29/08/2002 10:14:20)
    C:\WINDOWS\ServicePackFiles\i386\cimwin32.dll (1321 KB, 04/08/2004 08:56:41)
    C:\WINDOWS\ServicePackFiles\i386\cimwin32.mfl (1915 KB, 04/08/2004 06:00:40)
    C:\WINDOWS\ServicePackFiles\i386\cimwin32.mof (2710 KB, 04/08/2004 06:00:40)
    C:\WINDOWS\ServicePackFiles\i386\win32k.sys (1793 KB, 04/08/2004 07:17:40)
    C:\WINDOWS\ServicePackFiles\i386\win32spl.dll (100 KB, 04/08/2004 08:56:46)
    C:\WINDOWS\system\WIN32CMI.DLL (29 KB, 28/08/1995 14:00:00)
    C:\WINDOWS\system32\win32k.sys (1802 KB, 19/03/2008 10:47:00)
    C:\WINDOWS\system32\win32spl.dll (100 KB, 04/08/2004 08:56:46)
    C:\WINDOWS\system32\dllcache\win32k.sys (1802 KB, 19/03/2008 10:47:00)
    C:\WINDOWS\system32\wbem\cimwin32.dll (1321 KB, 04/08/2004 08:56:41)
    C:\WINDOWS\system32\wbem\cimwin32.mfl (1915 KB, 04/08/2004 06:00:40)
    C:\WINDOWS\system32\wbem\cimwin32.mof (2710 KB, 04/08/2004 06:00:40)
    Last edited by Spamlet; 2008-07-23 at 19:48.
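
An added example (not part of the original post and not Spybot's own code): a small parser for the System Internals export layout quoted in the post above, which flags App Paths entries whose recorded target is a bare name with no path or extension, like the win32 entry. The field layout is inferred from the excerpt, and the sample report and the triage wording are constructed for illustration.

```python
import ntpath
import re

# Constructed sample; field layout (Category/Location/Filename/Data) is assumed from the thread excerpt.
SAMPLE_REPORT = r"""
Category: Broken link
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
Filename: E:\Example\Pictures
Data: C:\Documents and Settings\user\Desktop\Shortcut to Pictures.lnk

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EXAMPLE
Filename: RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\EXAMPLE.inf,Uninstall
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\win32
Filename: win32
Data:
"""

FIELD = re.compile(r"^\s*(Category|Location|Filename|Data):\s?(.*)$")
APP_PATHS = r"\software\microsoft\windows\currentversion\app paths" + "\\"

def parse_report(text):
    """Split the export into records; a record ends at a blank line."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        m = FIELD.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
        elif not line.strip() and current:
            records.append(current)  # a record may lack Category, as two do in the post
            current = {}
    return records

def triage(record):
    """Return a review note for App Paths entries, else None."""
    if APP_PATHS not in record.get("location", "").lower():
        return None
    directory, name = ntpath.split(record.get("filename", ""))
    if not directory and not ntpath.splitext(name)[1]:
        return "bare name, no path or extension: identify the owner before deleting"
    return "full path recorded: check whether the program was uninstalled or moved"

if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        print(rec.get("category", "(none)"), "|", rec["location"], "|", triage(rec))
```

Lines that are not one of the four fields, such as the module and version listing at the top of the export, are ignored by the parser.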

  5. #5
    Senior Member Terminator's Avatar
    Join Date
    Sep 2006
    Location
    LV-426
    Posts
    349


    You are running an Out-Of-Date version of Spybot, please uninstall (See THIS FAQ for the uninstall info) and download and install Spybot 1.6.0.30 and see if that helps.

    Service Pack 3 is now out and I would recommend installing both that and IE 7.
    Last edited by Terminator; 2008-07-23 at 21:30. Reason: Fixed Typo and added extra info
    If it ain't broke, don't fix it!

  6. #6
    Junior Member
    Join Date
    Jul 2008
    Posts
    14


    Had already proceeded to update to the new Spybot and scan this evening.

    Interestingly the system internals scan now picks up a different set of wrong uninstallers, but still the same 'Win32'.

    I was in the process of tidying up our rather small (40gig) internal hard drive before going ahead with the IE7 & Service Pack3 ~ which is how I came to observe the odd entry on System Internals.

    Would you also recommend I ditch McAfee anti vir at the same time and go for a free one? At one time I was advised that McAfee slowed IE down rather more than necessary.

    Cheers,

    S

  7. #7
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,489


    Doesn't show or there is no file extension.
    Okay, I wouldn't fix that with System Internals just yet. Maybe try this, but please do it carefully: Do a system internals scan, when it's done right-click and deselect all. Checkmark the win32 entry only, and click Fix selected Problems. In the pull down menu beside New Path, select C:\, and then click Search. Let me know if anything comes up in the Search Results box. There's no log for that, that I know of, so you'll have to jot it down somewhere. Don't click on or accept the new path if anything shows up in Search, just hit the Close button on the window (red X, upper right corner). It will disappear, but do not worry, it will appear again when you do your next system internals scan. Please post back what you find.

    Did you have any recent malware problems before doing the system internals scan? Or, are you having any problems now?

  8. #8
    Senior Member Terminator's Avatar
    Join Date
    Sep 2006
    Location
    LV-426
    Posts
    349


    I only used McAfee twice though never again, it caused me nothing but grief. I currently use: Avast! 4.8 Home Edition (Free), Zone Alarm 7.1 Free Edition (Vista only version), AnalogX Script Defender 1.4, Spybot 1.6.0.30, Windows Defender, Google Toolbar (For the Pop-up Stopper) and Spyware Blaster 4.1. I never had any conflicts with these products.
    If it ain't broke, don't fix it!

  9. #9
    Junior Member
    Join Date
    Jul 2008
    Posts
    14


    Hi Zenobia and thanks Terminator,

    Running the c:\ search crashed Spybot first go, and found nothing the next.

    The new Spybot came with TeaTimer enabled.
    Which now explains another puzzle I'd been getting and poses a third.

    2 users on this pc, one had been using TT already, I had not. Other user side had been getting 'Hosts-Secure, failure to find JIT debugger' messages on start up. Not mine. Now with new SD I get the message too, so TT is killing Hosts-Secure.

    On top of this TT is taking up most of the system resources on start up. I would have killed it then and there except that it suddenly came up with the news that it had 'encountered and terminated Win32.Rbot in C:\windows\system32\winlogon.exe!'

    Numerous scans with other gear have never come up with this. What is this, and how did it get past all the scans and antivirus?

    Is it coincidental that this has a 'Win32' in it like the odd sys internals entry? Redoing the sys int scan after TT's termination of the offender shows the Win32 entry still there.

    Now at rather a loss what to do. TT really resource hogging, but if it is finding stuff that gets past everything else...

  10. #10
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,489


    Please open Spybot, then go to Tools, then Resident. In the window to the right, please right-click and select Select All. Right-click again, select Copy, then Paste it here.

    Did you have any recent malware problems before doing the system internals scan? Or, are you having any problems now?
