Richard aka:finder External
Since: Feb 28, 2006 Posts: 14
Posted: Tue Feb 24, 2009 10:57 pm
Post subject: %fystemRoot% Need to get this fix
Archived from groups: microsoft>public>windowsxp>help_and_support
In the Registry there are a few places I have seen this and I know it is not
right. But I do not know how to change it to its right name %SystemRoot%. I
find this in the bitt and winupdate. When I try to edit Image path it tells me
I can't. So can one point me to where I can learn how to edit it to make it
right. Windows XP SP3.

1PW External
Since: Feb 06, 2009 Posts: 14
Posted: Wed Feb 25, 2009 2:23 am
Post subject: Re: %fystemRoot% Need to get this fix
On 02/24/2009 10:57 PM, Richard aka:finder sent:
> In the Registry there are a few places I have seen this and I know it is not
> right. But I do not know how to change it to its right name %SystemRoot%. I
> find this in the bitt and winupdate. When I try to edit Image path it tells me
> I can't. So can one point me to where I can learn how to edit it to make it
> right. Windows XP SP3.
<http://www.malwarebytes.org/forums/index.php?showtopic=11558&mode=linear>
Your system is likely infected with malware. Have you checked using
scans with good antimalware recently? If not, consider downloading,
installing, updating and running the freeware version of MBAM:
<http://www.malwarebytes.org/mbam.php>
Please update this thread with your progress.
Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Jim External
Since: Jan 11, 2009 Posts: 77
Posted: Wed Feb 25, 2009 12:10 pm
Post subject: Re: %fystemRoot% Need to get this fix
On Tue, 24 Feb 2009 22:57:01 -0800, Richard aka:finder wrote:
>In the Registry there are a few places I have seen this and I know it is not
>right. But I do not know how to change it to its right name %SystemRoot%. I
>find this in the bitt and winupdate. When I try to edit Image path it tells me
>I can't. So can one point me to where I can learn how to edit it to make it
>right. Windows XP SP3.
Run your a/v program.

mike12345
Joined: Feb 25, 2009 Posts: 2
Posted: Wed Feb 25, 2009 12:58 pm
Post subject: fystem to system
The way to fix this is to run regedit. Search for "fystem"; you won't be able to edit the name to change to "system" because the permissions have been changed to read-only, so go to permissions at the top and change them to full access. Now you can change the path to "SystemRoot." Also make sure that the BITS and waupdate services are starting automatically: change the start type to 2 (hexadecimal), or you can run services.msc and change settings there now.

mike12345
Joined: Feb 25, 2009 Posts: 2
Posted: Wed Feb 25, 2009 1:00 pm
By the way, MBAM does not fix this yet, and neither do about half a dozen antispyware and antivirus programs that I've run in the process of recovering an infected laptop. At the moment it seems like you have to do this change manually, but it's not very hard.

don morell External
Since: Feb 25, 2009 Posts: 1
Posted: Wed Feb 25, 2009 3:55 pm
Post subject: Re: %fystemRoot% Need to get this fix
Richard, your post is, at least to me, confusing. Exactly what is the
problem? You mention %SystemRoot% - the terms "%" function as a
placeholder referring to whatever file/folder is functioning as System
Root - default for a Windows installation is C:\Windows.
"Richard aka:finder" wrote in message
> In the Registry there are a few places I have seen this and I know it is not
> right. But I do not know how to change it to its right name %SystemRoot%. I
> find this in the bitt and winupdate. When I try to edit Image path it tells me
> I can't. So can one point me to where I can learn how to edit it to make it
> right. Windows XP SP3.

Richard aka:finder External
Since: Feb 28, 2006 Posts: 14
Posted: Wed Feb 25, 2009 3:55 pm
Post subject: Re: %fystemRoot% Need to get this fix
Don, I have a few places in the reg that show %f and not %s for the word
system. As for running malware, I think I have run more of it than
anyone has. None of it shows anything. At first I picked up some adware and
cookies and one mid trojan. All is gone and I can still see the %F and I am
not able to upgrade on the Microsoft site.
"don morell" wrote:
> Richard, your post is, at least to me, confusing. Exactly what is the
> problem? You mention %SystemRoot% - the terms "%" function as a
> placeholder referring to whatever file/folder is functioning as System
> Root - default for a Windows installation is C:\Windows.
>
> "Richard aka:finder" wrote in message
> > In the Registry there are a few places I have seen this and I know it is not
> > right. But I do not know how to change it to its right name %SystemRoot%. I
> > find this in the bitt and winupdate. When I try to edit Image path it tells me
> > I can't. So can one point me to where I can learn how to edit it to make it
> > right. Windows XP SP3.

1PW External
Since: Feb 06, 2009 Posts: 14
Posted: Wed Feb 25, 2009 4:45 pm
Post subject: Re: %fystemRoot% Need to get this fix
On 02/25/2009 12:55 PM, don morell sent:
> Richard, your post is, at least to me, confusing. Exactly what is the
> problem? You mention %SystemRoot% - the terms "%" function as a
> placeholder referring to whatever file/folder is functioning as System
> Root - default for a Windows installation is C:\Windows.
Hello Don:
At a quick glance one might think that the poster mistyped the Subject:
"%fystemRoot% Need to get this fix"
However %fystemRoot% *IS* the problem and indicates malware infestation.
<http://www.malwarebytes.org/forums/index.php?showtopic=11558>
We await the OP's reply to see what has happened since.
Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

1PW External
Since: Feb 06, 2009 Posts: 14
Posted: Wed Feb 25, 2009 5:52 pm
Post subject: Re: %fystemRoot% Need to get this fix
On 02/25/2009 03:45 PM, Richard aka:finder sent:
> Don, I have a few places in the reg that show %f and not %s for the word
> system. As for running malware, I think I have run more of it than
> anyone has. None of it shows anything. At first I picked up some adware and
> cookies and one mid trojan. All is gone and I can still see the %F and I am
> not able to upgrade on the Microsoft site.
Hello Richard:
Please reply with *exactly* what antimalware you have used. Please
carefully identify the trojan that was found. What is the exact version
of XP? Home, Pro, MCE???
Thank you.
Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Richard aka:finder External
Since: Feb 28, 2006 Posts: 14
Posted: Thu Feb 26, 2009 5:08 pm
Post subject: Re: %fystemRoot% Need to get this fix
Here is the info you asked for:
OS
Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
Processor x86 Family 15 Model 67 Stepping 3 AuthenticAMD ~3216 Mhz
BIOS Version/Date Phoenix Technologies, LTD ASUS M2N-E SLI ACPI BIOS
Revision 0801, 4/25/2007
SMBIOS Version 2.4
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Total Physical Memory 4,096.00 MB
Antimalware
spybotsd162 no tea time and Malwarebytes' Anti-Malware
Anti spy/virus
McAfee Internet Security Suite
Trojan found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services
(Trojan.Agent) -> Quarantined and deleted successfully.
***********************************************************************
"1PW" wrote:
> On 02/25/2009 03:45 PM, Richard aka:finder sent:
> > Don, I have a few places in the reg that show %f and not %s for the word
> > system. As for running malware, I think I have run more of it than
> > anyone has. None of it shows anything. At first I picked up some adware and
> > cookies and one mid trojan. All is gone and I can still see the %F and I am
> > not able to upgrade on the Microsoft site.
>
> Hello Richard:
>
> Please reply with *exactly* what antimalware you have used. Please
> carefully identify the trojan that was found. What is the exact version
> of XP? Home, Pro, MCE???
>
> Thank you.
>
> Pete
> --
> 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

jwconklin External
Since: Apr 29, 2009 Posts: 1
Posted: Wed Apr 29, 2009 1:10 pm
Post subject: Re: %fystemRoot% Need to get this fix
Just experienced this same problem...My customer got hit with all kinds
of viruses, malware, spyware..to the point where only the wallpaper
loaded...I ran a repair install of XP and it brought everything back to
normal (but only on the surface). I couldn't run any updates... several
days of research and recommended fixes produced nothing...I ran Symantec
and Malwarebytes more than several times...It seemed clean but then I
couldn't run Windows Updates or get Symantec to update... then Symantec
wouldn't reinstall...I thought all was lost...then someone suggested
running RootRepeal and then SuperAntiSpyware. 'Bingo'... SuperAntiSpyware
cleaned out a bunch of stuff and allowed me to reset the Admins
permissions in the registry and then modify the %systemRoot% values...I
ran a complete registry search for any other %fystemroot% values and
changed them...and all held fast....I was then able to restart the BITS
and Auto updates...Systems are now running normal and updates are now
loading.
--
jwconklin
------------------------------------------------------------------------
jwconklin's Profile: http://forums.techarena.in/members/94938.htm
View this thread: http://forums.techarena.in/windows-xp-support/1129836.htm
http://forums.techarena.in

DrOct
Joined: Jun 17, 2009 Posts: 3
Posted: Wed Jun 17, 2009 11:57 am
Post subject: Re: fystem to system
mike12345 wrote:
> The way to fix this is to run regedit. Search for "fystem"; you won't be able to edit the name to change to "system" because the permissions have been changed to read-only, so go to permissions at the top and change them to full access. Now you can change the path to "SystemRoot." Also make sure that the BITS and waupdate services are starting automatically: change the start type to 2 (hexadecimal), or you can run services.msc and change settings there now.
mike12345 - THANK YOU! We've been struggling with this for a while now at our office, and while we'd found other information that suggested using regedit to fix the problem, it was missing the crucial step of changing the permissions! Went in just now and fixed this on my Boss's computer and it worked! Updating the system right now!
Just to be clear to everyone else. Running anti-virus/malware programs will likely get rid of the infection that caused the problem (I used Malwarebytes and SuperAntiSpyware, both of which picked up different pieces of malware, I'm not sure which one or ones was the culprit), but won't actually fix the problem they leave behind of not being able to update the system.
To do that you need to follow mike12345's instructions above. Use regedit, search for "fystem," whenever you find an instance of it, click on the affected file, then go to the edit menu and select "permissions" and allow yourself to have "all" then open up the affected file and change that f to an S! Do this until you've gone through all the instances where it's been changed and then you should be good to go!
(After restarting/logging out and back in I'd immediately make sure the affected services can be started and then I'd run Microsoft Update to get all the updates you've missed while the infection was running rampant, and then just for good measure run a few more anti-malware programs).
Note, I was logged in as an administrator while doing this, not sure if that's necessary or not.

Vistar
Joined: Sep 09, 2009 Posts: 4
Posted: Wed Sep 09, 2009 7:57 am
Running XP SP3 on IBM - using Malwarebytes found %fystem% entries in registry in BITS and WUAUSER - attempted to edit properties to change f's to s's and found I did not have permission. Odd, in that this is a single machine and I am the only administrator. Also, noticed that my edit worked on the surface and appeared to have corrected the "key" - no more f's there. Rebooted. Checked registry. Key correction was gone. Error was back. Attempting to run in safe mode, I was asked to enter the administrator password - there was never one. Rebooted. Checked system properties and found there is no longer an administrator account, only a user account. Cannot load software any longer. Not knowing what this virus is up to - I disabled BIT and WUAUSER in Services using selective start-up. (MSCONFIG - an added as it is not native to XP)
Any suggestions would be greatly appreciated. Research makes me believe this is going to be challenging to repair.

DrOct
Joined: Jun 17, 2009 Posts: 3
Posted: Wed Sep 09, 2009 10:15 am
Vistar wrote:
> Running XP SP3 on IBM - using Malwarebytes found %fystem% entries in registry in BITS and WUAUSER - attempted to edit properties to change f's to s's and found I did not have permission. Odd, in that this is a single machine and I am the only administrator. Also, noticed that my edit worked on the surface and appeared to have corrected the "key" - no more f's there.
Same thing happened to me (they would appear to change initially but if you went back to look at them they were back to f's). Did you follow my instructions above and manually give yourself "all" permissions for each entry you wanted to edit? I found that just being an administrator doesn't automatically give you the permissions you need to edit the entries, you have to manually explicitly give yourself permission to do so.

Vistar
Joined: Sep 09, 2009 Posts: 4
Posted: Thu Sep 10, 2009 11:13 am
Post subject: Followed instructions as far as possible
Log shows admin was deleted from machine on 28 August and at same time a new user account was created. Without admin, cannot change permissions. This is a Catch 22 as only an admin can create an admin. Need to find a work-around to create an admin. I've taken machine offline as the corrupt update commands appear to be sending data - possibly e-mail - as IP blacklisted me due to over quota email activity. Other than Malwarebytes detection of the fystem issue, machine is clean using F-Prot and Panda full scans. Outlook was never installed. Eudora mail client is used.

DrOct
Joined: Jun 17, 2009 Posts: 3
Posted: Thu Sep 10, 2009 11:35 am
Well... You may be at the point where you'll need to just wipe and start over. Whatever you got hit by was pretty damn malicious, and clever!

Vistar
Joined: Sep 09, 2009 Posts: 4
Posted: Thu Sep 10, 2009 12:37 pm
I've come to the same conclusion and am holding off on reformat and reinstall for the time being hoping one of the AV vendors soon will have a fix and a reset feature. If I could roll back machine time, I might be back in business.

Vistar
Joined: Sep 09, 2009 Posts: 4
Posted: Thu Sep 10, 2009 12:50 pm
There is some clever irony at play here... way back when all s's were f's.

DJohnG External
Since: Sep 22, 2009 Posts: 1
Posted: Tue Sep 22, 2009 1:10 am
Post subject: Re: %fystemRoot% Need to get this fix
Thanks to those people who have contributed to this solution in regard
to fixing Windows Automatic Updates. You can go through all the MS
solutions you want but you will not find this.

It is as stated, caused by malware that renames registry entries. After
cleaning out the malware with the various available methods: SpyBot S&D,
MalwareBytes, Superantispyware and as many others as you can. Even pay
for Prevx because they all find other ones if you've been hit bad (or
bought a machine from some idiot who knows not what they do) and don't
forget to donate where possible:

Start > Run > regedit (open registry editor)
Then: Edit > Find > fystem

Find: ImagePath entries
Click/select then go to Edit > Permissions > check Full Control

Then right-click ImagePath > Modify
Change the f to S

F3 on keyboard to go through all entries and edit permissions then the
entry.

Next: Run > services.msc

Find: Background Intelligent Transfer Service (BITS), double-click and
change start-up type to manual then click Start. Change start-up type
back to automatic.

Still in services: Find Automatic Updates and start as above if not
started.

Go to the updates site and start again. All should be well. If not
you'll be a lot closer to fixing it.
--
DJohnG
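
A read-only check for the tampered entries that the regedit search in this thread looks for, added here as an example and not code from any poster. A plain-text search of a `.reg` export for "fystem" misses ImagePath values, because regedit writes REG_EXPAND_SZ data as `hex(2):` UTF-16LE bytes; the script decodes them and flags any `%VAR%` that is not on an allow-list. The function names, the allow-list and the sample export are assumptions made for illustration, and the "Windows Registry Editor Version 5.00" export format is assumed.

```python
import difflib
import re

# Variables a service ImagePath normally references, lower-case -> canonical.
# Assumption: a short allow-list chosen for this example; extend as needed.
KNOWN_VARS = {"systemroot": "SystemRoot", "windir": "windir",
              "systemdrive": "SystemDrive", "programfiles": "ProgramFiles"}


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into a string."""
    if raw.lower().startswith("hex(2):"):
        # REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string.
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        # REG_SZ: quoted, with backslashes and quotes escaped.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def scan_reg_export(text):
    """Return (key, bad_variable, image_path, likely_original) tuples."""
    # Long hex values are wrapped with a trailing backslash; undo the wrapping.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = re.match(r'"ImagePath"=(.*)$', line, re.IGNORECASE)
        if not match:
            continue
        path = decode_value(match.group(1))
        for name in re.findall(r"%([^%\\\s]+)%", path):
            if name.lower() in KNOWN_VARS:
                continue
            # A one-letter mutation such as fystemRoot stays close to its original.
            near = difflib.get_close_matches(name.lower(), list(KNOWN_VARS),
                                             n=1, cutoff=0.8)
            findings.append((key, name, path,
                             KNOWN_VARS[near[0]] if near else None))
    return findings


def _hex2(value, width=20):
    """Encode a string the way regedit exports REG_EXPAND_SZ (sample builder)."""
    octets = [f"{b:02x}" for b in (value + "\0").encode("utf-16-le")]
    rows = [",".join(octets[i:i + width]) for i in range(0, len(octets), width)]
    return "hex(2):" + ",\\\n  ".join(rows)


# Constructed sample export, not taken from a real machine.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]",
    '"ImagePath"=' + _hex2(r"%fystemRoot%\System32\svchost.exe -k netsvcs"),
    '"Start"=dword:00000002', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]",
    '"ImagePath"=' + _hex2(r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
])

if __name__ == "__main__":
    # A real export is UTF-16 with a BOM: open(path, encoding="utf-16").read()
    for key, name, path, fix in scan_reg_export(SAMPLE):
        print(f"{key}\n  ImagePath = {path}\n  unknown %{name}%, likely %{fix}%")
```

The script only reports; the permission change and the edit itself are still done as described in the posts above.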

Shenan Stanley External
Since: Mar 03, 2005 Posts: 7898
Posted: Tue Sep 22, 2009 1:10 am
Post subject: Re: %fystemRoot% Need to get this fix
<snipped>
<Well - not really - it was responded to on a forum instead of in the
newsgroups>
<In my response you will find a link to the entire conversation>
DJohnG wrote:
> Thanks to those people who have contributed to this solution in
> regard to fixing Windows Automatic Updates. You can go through all
> the MS solutions you want but you will not find this.
>
> It is as stated, caused by malware that renames registry entries.
> After cleaning out the malware with the various available methods:
> SpyBot S&D, MalwareBytes, Superantispyware and as many others as
> you can. Even pay for Prevx because they all find other ones if
> you've been hit bad (or bought a machine from some idiot who knows
> not what they do) and don't forget to donate where possible:
>
> Start > Run > regedit (open registry editor)
> Then: Edit > Find > fystem
>
> Find: ImagePath entries
> Click/select then go to Edit > Permissions > check Full Control
>
> Then right-click ImagePath > Modify
> Change the f to S
>
> F3 on keyboard to go through all entries and edit permissions then
> the entry.
>
> Next: Run > services.msc
>
> Find: Background Intelligent Transfer Service (BITS), double-click
> and change start-up type to manual then click Start. Change start-up
> type back to automatic.
>
> Still in services: Find Automatic Updates and start as above if not
> started.
>
> Go to the updates site and start again. All should be well. If not
> you'll be a lot closer to fixing it.
Another Forum poster that leaves everyone actually reading the original
newsgroup post scratching their head at what they are referring to...
This is the conversation, uninterrupted and fully quoted:
http://groups.google.com/group/microsoft.public.windowsxp.help_and_sup...t/brows
Now - as to how to properly cleanup and fix your Windows Update system -
especially given that this concerns Windows XP - this has been posted many
times over. Here is everything you could do to ensure your Windows XP
(32-bit) updates system is working as it should be and you are fairly
certain (90%) that you are free of malware that would affect the
functionality of it in any way...
The details they have added on how to search the registry are nice, I
admit.
But - the more it is posted, the more it will come up when searched for in
the many different ways it could be searched for - so here it is one more
time...
Start button --> RUN
(no "RUN"? Press the "Windows Key" + R on your keyboard)
--> type in:
winver
--> Click OK.
The picture at the top of the window that opens will give you the general
(Operating System name and flavor) while the line starting with the word
"version" will give you the rest of the story.
Post _both_ in response to this message verbatim.
Fix your file/registry permissions...
Ignore the title and follow the sub-section under "Advanced Troubleshooting"
titled, "Method 1: Reset the registry and the file permissions"
http://support.microsoft.com/kb/949377
*will take time
(** Ignore the last step - you should have SP3 installed - if not - you can
do that *later* - it is not necessary to continue with the cleanup.)
Reboot and ...
Search your registry for %fystem and replace the "f" with an "s". May be
three or four matches, may be none. You may even have to take ownership
(even after doing the above) of the keys in order to make the change.
Reboot and ...
Download/install this:
http://support.microsoft.com/kb/290301
After installing, do the following:
Start button --> RUN --> type in:
"%ProgramFiles%\Windows Installer Clean Up\msizap.exe" g!
--> Click OK.
(The quotation marks and percentage signs and spacing should be exact.)
Download, install, run, update and perform a full scan (separately) with the
following two applications (freeware versions are the ones to use for this):
SuperAntiSpyware
http://www.superantispyware.com/
MalwareBytes
http://www.malwarebytes.com/
After performing a full scan with one and then the other and removing
whatever they both find completely, you may uninstall these products,
if you wish.
Download and run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx
Reboot.
CHKDSK
How to scan your disks for errors
http://support.microsoft.com/kb/315265
* will take time and a reboot
Defragment
How to Defragment your hard drives
http://support.microsoft.com/kb/314848
* will take time
Ensure your hardware drivers are up to date (from the hardware
manufacturer's respective web pages.) Never get hardware drivers
for hardware that was not created/sold by Microsoft from Microsoft.
Installing the latest updates may have you rebooting several times,
which is fine - but after you are sure you are done - still...
Reboot.
Download/Install the latest Windows Installer (for your OS):
( Windows XP 32-bit : WindowsXP-KB942288-v3-x86.exe )
http://www.microsoft.com/downloadS/details.aspx?familyid=5A58B56F-60B6...12-95B9
Reboot.
and...
Download the latest version of the Windows Update agent from here (x86):
http://go.microsoft.com/fwlink/?LinkID=91237
.... and save it to the root of your C:\ drive. After saving it to the root
of the C:\ drive, do the following:
Close all Internet Explorer windows and other applications.
Start button --> RUN and type in:
%SystemDrive%\windowsupdateagent30-x86.exe /WUFORCE
--> Click OK.
(If asked, select "Run".) --> Click on NEXT --> Select "I agree" and click on
NEXT --> When it finishes installing, click on "Finish"...
Reboot.
Then follow the instructions here:
How do I reset Windows Update components?
http://support.microsoft.com/kb/971058
Reboot.
Log on as a user with administrative rights and open Internet Explorer
and visit http://windowsupdate.microsoft.com/ and select to do a
CUSTOM scan...
Every time you are about to click on something while at these web pages -
first press and hold down the CTRL key while you click on it. You can
release the CTRL key after clicking each time.
Once the scan is done, select just _ONE_ of the high priority updates
(deselect any others) and install it.
Reboot again.
If it did work - try the web page again - selecting no more than 3-5 at a
time. Rebooting as needed.
The Optional Software updates are generally safe - although I recommend
against the "Windows Search" one and any of the "Office Live" ones or
"Windows Live" ones for now. I would completely avoid the
Optional Hardware updates. Also - I do not see any urgent need to install
Internet Explorer 8 at this time.
Seriously - do all that. This is like antibiotics - don't skip a single
step, don't quit because you think things will be okay now - go through
until the end, until you have done everything given in the order given. If
you have a problem with a step come ask and let someone here get you
through that step. If you don't understand how to do a step, come back and
ask here about that step and let someone walk you through it.
In any case - no matter what - when you are done doing whatever you decide
to do - please - come back here and let everyone know what you did and
how things turned out.
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html