1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Disappearing Regedit, etc./Hijack Log

Discussion in 'Virus & Other Malware Removal' started by legaleagle, Apr 7, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. legaleagle

    legaleagle Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    2
    I'm having the same problem as a lot of folks: My regedit box will not stay open for more than 10 seconds. Also, I cannot install or download certain things (e.g. Windows updates or anti-virus software) because again the box will close before the action is completed. Here is my Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:33:29 AM, on 4/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\sysbcp32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\spoolsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Yahoo!\browser\YBrowser.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Yahoo!\browser\YBrowser.exe
    C:\Documents and Settings\default\Desktop\stinger.exe
    C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coserv.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://gateway.yahoo.com/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Service Host Process] spoolsvc.exe
    O4 - HKLM\..\Run: [System Backup] sysbcp32.exe
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\RunServices: [Service Host Process] spoolsvc.exe
    O4 - HKLM\..\RunServices: [System Backup] sysbcp32.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - Global Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38081.5977083333
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4348/mcfscan.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F409793E-E1BA-4DF4-86F5-CCB7661AF2FD}: NameServer = 151.164.1.8 151.164.11.201

    Thanks in advance for your help!
     
  2. Pancake

    Pancake

    Joined:
    Jan 9, 2004
    Messages:
    313
    I see nothing that would close regedit or stop updates.
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Actually you have a couple of things there that must go.

    To do this properly you should restart the system in Safe Mode (see the link below for instructions).

    In Safe Mode run HijackThis and check and fix the following items:

    O4 - HKLM\..\Run: [Service Host Process] spoolsvc.exe
    O4 - HKLM\..\Run: [System Backup] sysbcp32.exe
    O4 - HKLM\..\RunServices: [Service Host Process] spoolsvc.exe
    O4 - HKLM\..\RunServices: [System Backup] sysbcp32.exe

    You will also need to find and delete the bolded files above. Make sure "show hidden files" is selected in Folder Options > View

    Both files are in the c:\windows\system32 folder

    Warning! do NOT confuse spoolsvc.exe with spoolsv.exe in c:\windows\system32. The last is legitimate.

    After doing this and rebooting you should also run a full, updated antivirus scan.

    You can use one of the Online Scanners in this post, or download and install AVG for free.

    http://forums.techguy.org/showthread.php?s=&postid=663486

    How to start in Safe Mode:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

    I will move this to the Security forum for follow-ups
     
  4. legaleagle

    legaleagle Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    2
    Rollin' Rog,

    Thank you for your help.

    I followed your instructions and deleted the files you suggested. Then, in normal mode I ran an online virus scan (Housecall) which found a trojan called TROJ_TARNO.A in C:\WINDOWS\MSIN32.DLL. Housecall said it was not cleanable, and when I tried to use their link to find out more about the virus, everything went haywire.

    A Netscape browser opened and shortly afterwards I got a popup box informing me that my system was shutting down due to the fact that the Remote Procedure Call terminated unexpectedly. This has happened several times as I have continued trying to resolve this problem, but it doesn't happen every time I start the system. On those occasions that it does happen, I receive an system fatal error message during start up from CManager which references an inability to run CCD.

    In addition, I have tried to install McAfee virus scan and that failed, and my registry editor still won't stay open for more than a few seconds. Recent Windows updates also do not complete successfully. If you can help with any of these issues, I would be extremely grateful.

    Here is a new Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:10:00 PM, on 4/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\csrsss.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\svchost64.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\browser\YBrowser.exe
    C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coserv.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://gateway.yahoo.com/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Net Framework Controler] svchost64.exe
    O4 - HKLM\..\Run: [Device Configuration Loader] msvd32.exe
    O4 - HKLM\..\Run: [soundman] soundman.exe
    O4 - HKLM\..\Run: [CSRSS Loader] csrsss.exe
    O4 - HKLM\..\RunServices: [Net Framework Controler] svchost64.exe
    O4 - HKLM\..\RunServices: [Device Configuration Loader] msvd32.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [CSRSS Loader] csrsss.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - Global Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38081.5977083333
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4348/mcfscan.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F409793E-E1BA-4DF4-86F5-CCB7661AF2FD}: NameServer = 151.164.1.8 151.164.11.201

    Thanks in advance for your help!!!
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You have picked up additional viral files. How up to date are you in your Critical Updates? The rpc shutdown issue is caused by vulnerablity to msblast worm exploits and their variations. You need to install the patches to protect against this and enable the XP firewall to boot.

    Review the information at Microsoft Security and Privacy regarding msblaster and other recent exploits:

    http://www.microsoft.com/security/

    To immediately address your current problems you should restart in Safe Mode. Have these instructions in a convenient notepad file since you won't have internet access to read them.

    How to restart in Safe Mode:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

    In Safe Mode, run HijackThis and check and Fix the following entries:

    O4 - HKLM\..\Run: [Net Framework Controler] svchost64.exe
    O4 - HKLM\..\Run: [Device Configuration Loader] msvd32.exe
    O4 - HKLM\..\Run: [CSRSS Loader] csrsss.exe
    O4 - HKLM\..\RunServices: [Net Framework Controler] svchost64.exe
    O4 - HKLM\..\RunServices: [Device Configuration Loader] msvd32.exe
    O4 - HKLM\..\RunServices: [CSRSS Loader] csrsss.exe

    >> Next go to start > run, enter cmd

    a command shell will open. Carefully type and enter the following commands:

    del C:\WINDOWS\System32\csrsss.exe
    del C:\WINDOWS\System32\svchost64.exe
    del c:\windows\system32\msvd32.exe


    >> on this last file, I am assuming it is in the c:\windows\system32 folder; if it is not, do a manual file search for it. Make sure "show hidden files" is selected in Folder Options > View.

    Before reconnecting to the internet, enable the XP firewall:

    http://www.duxcw.com/faq/win/xp/firewall.htm
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/217928

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice