SYSWOW64 Folders pop up after reboot

[RacerX]

I have 3 of these folders that pop up automatically on my desktop within about a minute of rebooting my pc. Was posted in the Win Update forum, but couldn't be resolved, so it was suggested that I post here.

https://www.sysnative.com/forums/wi...ant-fix-corrupt-files-thread-please-help.html

I don't seem to be having any other problems at the moment, but would like to get this fixed before it gets worse.
Let me know if you have any suggestions.

Thanks,
Dean

 

[Deejay100six]

Hi Dean,

Try running Process Explorer, it should show which process is launching the folders.

Could also be a sign of malware.

 

[RacerX]

Hi Dean,

Try running Process Explorer, it should show which process is launching the folders.

Could also be a sign of malware.

I've run it, bit I'm not sure what to look for. The "verify image signatures" is checked, and nothing seems suspicious. There is a few processes that appear red, or green, but they only appear for a second. I don't know how to investigate them.

Is there a specific screen shot I can post to help out?

 

[Patrick]

SysWOW64 folder popups are extremely indicative of malware, especially on startup. If it's also occurring at regular intervals afterwards too, then that's also a symptom. I'd skip right ahead to running a scan with Malwarebytes free - https://www.malwarebytes.org/mwb-download/

 

[RacerX]

SysWOW64 folder popups are extremely indicative of malware, especially on startup. If it's also occurring at regular intervals afterwards too, then that's also a symptom. I'd skip right ahead to running a scan with Malwarebytes free - https://www.malwarebytes.org/mwb-download/

I've run that multiple times, and it never finds anything. The Syswow folders only popup once after reboot.

 

[RacerX]

When I click on "Check Virustotal.com" Process explore locks up, and Windows looks for a solution, but closes it.

Any ideas?

 

[Patrick]

What process are you looking to submit the hash to within PE?

 

[RacerX]

What process are you looking to submit the hash to within PE?

No idea, just clicked it to see what it would do.

 

[niemiro]

Hello :)

Can you please download AutoRuns: Autoruns for Windows
Run autoruns.exe > File > Save > startup.arn on your Desktop > go to Desktop > Right click on startup.arn > Send to > Compressed (zipped) folder > upload it here.


There's a good chance this is just a small registry issue. Quite possible just one of the shell keys - instead of popping up the Documents/This PC folder, yours is popping up the SysWOW64 folder.

Thank you!

Richard

 

[RacerX]

I think I did it right.

 

[niemiro]

I think I did it right.

You did it perfectly - thank you so much for that. I'll have another look tomorrow evening when I have more time, but for now the couple of issues I was specifically looking for weren't there. Which means it's still a mystery.

Most likely culprit from that list is LockHunter though. Can you please completely uninstall LockHunter is a free 64/32 bit tool to delete files blocked by any processes and restart your computer as a test. If the problem persists, you can put it back on again as we'll have ruled it out as a cause. If it goes away, we'll look to see if there's anything we can do to fix the issue.

Thank you very much.

Richard

 

[Patrick]

Most likely culprit from that list is LockHunter though

How did you come to this possibly being the culprit, Richard? I am interested to know. I had a look too and I couldn't really figure out how to conclude what's causing the SysWOW64 issue from the log alone. I looked for anything with a path to SysWOW64 and saw a codec, and thought maybe it was that of all things.

 

[niemiro]

Most likely culprit from that list is LockHunter though

How did you come to this possibly being the culprit, Richard? I am interested to know. I had a look too and I couldn't really figure out how to conclude what's causing the SysWOW64 issue from the log alone. I looked for anything with a path to SysWOW64 and saw a codec, and thought maybe it was that of all things.

I don't actually have any evidence at all, nothing to link it for sure. Since I failed to find any evidence linking anything, drawing a blank, I simply looked at which programs were installed and which were a) likely to hook into the shell & registry in ways which could cause this and b) most likely to be buggy. I jumped at this program, almost certainly completely unfairly. Sadly, I couldn't find any evidence, and then decided that a trial and error approach was warranted.

 

[RacerX]

I think I did it right.

Most likely culprit from that list is LockHunter though. Can you please completely uninstall LockHunter is a free 64/32 bit tool to delete files blocked by any processes and restart your computer as a test. If the problem persists, you can put it back on again as we'll have ruled it out as a cause. If it goes away, we'll look to see if there's anything we can do to fix the issue.

Thank you very much.

Richard

I uninstalled it, but Windows said not all components were removed, they would have to be done manually. Still get the folders popping up.

 

[xilolee]

Hi to all. :smile9:
Did you already try adwcleaner?
It usually removes those strange popups (click scan, check the found entries, select what you want to remove, and follow its instructions).

:wave:

 

[RacerX]

Just for the hell of it, I ran Hijackthis. Doesn't look too good to me.

 

[xilolee]

It looks clean, to me.

 

[Patrick]

Doesn't look too good to me.

In regards to what, the file missing strings? It's because you're on an x64 OS while HJT afaik is an x86 application, which is why it's reporting file missing strings. All calls have to be redirected to SysWOW64, and HJT cannot pick this up as it's a native x86 application and doesn't have access to x64's paths/locations. As xilolee said, your log is fine.

Now that you've mentioned scans turn up fine, and the log looks clean, I doubt this is actually a malware issue. Malware that would cause something like a SysWOW64 popup on startup would be really easy to catch and would show up in just about any scan. The only theory I have is the Cinepak® Codec from Radius Inc. (path - c:\windows\syswow64\iccvid.dll) is contributing to the possible folder popups. Can you try and uninstall this and see what happens?

 

[RacerX]

Doesn't look too good to me.

In regards to what, the file missing strings? It's because you're on an x64 OS while HJT afaik is an x86 application, which is why it's reporting file missing strings. All calls have to be redirected to SysWOW64, and HJT cannot pick this up as it's a native x86 application and doesn't have access to x64's paths/locations. As xilolee said, your log is fine.

Ya, I never saw any of that in XP.


Now that you've mentioned scans turn up fine, and the log looks clean, I doubt this is actually a malware issue. Malware that would cause something like a SysWOW64 popup on startup would be really easy to catch and would show up in just about any scan. The only theory I have is the Cinepak® Codec from Radius Inc. (path - c:\windows\syswow64\iccvid.dll) is contributing to the possible folder popups. Can you try and uninstall this and see what happens?


Just find the file, and delete it?

 

[Patrick]

Just find the file, and delete it?

If there's no actual Cinepak software installed in Control Panel's Add/Remove, then navigate to that patch and break the .DLL for curiosity's sake. Break it by not deleting, but renaming from iccvid.dll to iccvid.old, and then restart the computer. Let me know if anything explodes or if the popups still continue.

Consider creating a restore point before renaming, just in case.