
Solved essential services do not load at startup

Discussion in 'Malware and Virus Removal Archive' started by jharry, 2008/12/07.

  1. 2008/12/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Were you in the middle of installing something, or just finished installing something, when this happened?

    If you're comfortable editing the registry, delete the following keys.

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a03-73bf-11dc-9ccc-0012f0853aff}
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FBD561C7-3FD5-2B0E-2DD8-5F3F1C46D6E6}
     
  2. 2008/12/12
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    As mentioned in the initial post to this thread, my computer was "saving personal settings" during shutdown when I accidentally powered off my computer. Prior to shutdown, I was not installing anything. The next time I started up my computer, I found it lost many of its normal functionalities (post #1 lists some of them). The McAfee icon and network connections icons in the notification area disappeared. I tried "Help and Support", it wouldn't show up. I tried "System Restore", it wouldn't respond. The "Device Manager" window was empty. The "Add Hardware" wizard would not work, etc. Normally, the Task Manager "Processes" tab would show more than a page of processes. Now there are only 25 (post #5 lists some of them).
    I am comfortable with regedit. I deleted the 2 keys you mentioned. There was no change in computer behavior.
     


  4. 2008/12/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download GMER

    Right click and extract it to its own folder on the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.
     
  5. 2008/12/13
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Here are the results of the GMER scan.

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-12-14 09:04:38
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.14 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA92499AA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9249958]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA924996C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA92499EA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9249930]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA9249944]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA92499BE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA9249996]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA9249982]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9249A19]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9249A00]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA92499D4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.14 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP A92499D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP A92499AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP A92499EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP A9249A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP A92499C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP A9249934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP A9249948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP A9249986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP A9249970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP A924995C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP A924999A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP A9249A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- User code sections - GMER 1.0.14 ----

    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00060FEF
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00060F5C
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00060F6D
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00060047
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00060036
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0006000A
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00060078
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00060F26
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00060EDF
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00060F04
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0006009D
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00060025
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00060FCA
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00060F41
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00060FA8
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00060FB9
    .text C:\WINDOWS\system32\services.exe[948] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00060F15
    .text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00050FD4
    .text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00050F8A
    .text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0005001B
    .text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00050FE5
    .text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00050051
    .text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0005000A
    .text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00050FA5
    .text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 25, 88 ]
    .text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00050036
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D00000
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D00F5A
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00F6B
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00F86
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D00FA1
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00039
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D00085
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D00074
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D00EFD
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D000A0
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D00EEC
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D00FB2
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D00FEF
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D00F49
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D00FCD
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D00FDE
    .text C:\WINDOWS\system32\lsass.exe[960] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D00F18
    .text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CF0FD4
    .text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CF0054
    .text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CF0025
    .text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CF000A
    .text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CF0F97
    .text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CF0FE5
    .text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00CF0FA8
    .text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ EF, 88 ]
    .text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CF0FC3
    .text C:\WINDOWS\system32\lsass.exe[960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0FEF
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1228] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F4B
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0040
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F72
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F83
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA5
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F13
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F30
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00AC
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0091
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0EF8
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F94
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FD4
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A005B
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A001B
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A000A
    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0076
    .text C:\WINDOWS\Explorer.EXE[1920] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002E0014
    .text C:\WINDOWS\Explorer.EXE[1920] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002E0F83
    .text C:\WINDOWS\Explorer.EXE[1920] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002E0FB9
    .text C:\WINDOWS\Explorer.EXE[1920] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002E0FD4
    .text C:\WINDOWS\Explorer.EXE[1920] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002E004A
    .text C:\WINDOWS\Explorer.EXE[1920] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002E0FEF
    .text C:\WINDOWS\Explorer.EXE[1920] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002E0F9E
    .text C:\WINDOWS\Explorer.EXE[1920] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4E, 88 ]
    .text C:\WINDOWS\Explorer.EXE[1920] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002E0025
    .text C:\WINDOWS\Explorer.EXE[1920] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00310FEF
    .text C:\WINDOWS\Explorer.EXE[1920] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0031000A
    .text C:\WINDOWS\Explorer.EXE[1920] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00310025
    .text C:\WINDOWS\Explorer.EXE[1920] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00310FD4
    .text C:\WINDOWS\Explorer.EXE[1920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 019B0000

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@ 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@ 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\20?n 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\26Y\1x 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@ 0
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@IQ\ah 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@ 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@ 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\20?n 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\26Y\1x 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@ 0
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@IQ\ah 1
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\26\1x -536803324
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\26\1x 12

    ---- EOF - GMER 1.0.14 ----
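Reading the scan above: the kernel-mode entries and the mcproxy.exe entries carry a module path and description, meaning GMER could map the jump target to an image on disk (here McAfee's HIPS driver and proxy module). The services.exe, lsass.exe and Explorer.EXE entries jump to low addresses that GMER could not attribute to any image, and nothing later in the thread identifies what they are. The following is an added example by the editor, not code from the thread or from GMER: a small parser for this log format that turns each "code section" line into a record and separates the attributed hooks from the unattributed ones, so the latter can be compared against what is legitimately loaded in each process. The sample log is constructed from a handful of the real lines above; the regular expressions are built from this GMER 1.0.14 layout and may need adjusting for other versions. It sorts records only and makes no claim about whether any hook is malicious.

```python
import re

# Constructed sample in the shape of the GMER 1.0.14 output posted above
# (a few of the real lines, not the whole log).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP A92499D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP A92499AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00050FA5
.text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 25, 88 ]
.text C:\WINDOWS\system32\lsass.exe[960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""

# One "code section" record:
#   <section> <target> <addr> <n> Bytes JMP <dest> [<module path> (<description>)]
# or, for the second half of a split patch:
#   <section> <target> + <k> <addr> <n> Bytes [ xx, yy ]
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<target>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<dest>[0-9A-F]{8})(?:\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\))?"
    r"|\[(?P<patch>[^\]]*)\])\s*$"
)
# User-mode targets look like "<image path>[<pid>] <dll>!<export>"; kernel targets are "<image>!<export>".
PROC_RE = re.compile(r"^(?P<path>.+?)\[(?P<pid>\d+)\]\s+(?P<sym>.+)$")


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_hooks(text):
    """Return one dict per hook record; headers, blank lines and other sections are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        pm = PROC_RE.match(m["target"])
        if pm:
            process, symbol = "%s[%s]" % (basename(pm["path"]), pm["pid"]), pm["sym"]
        else:
            process, symbol = None, m["target"]           # kernel code section
        symbol = re.sub(r"\s*\+\s*\d+$", "", symbol)      # "RegCreateKeyW + 3" belongs to RegCreateKeyW
        hooks.append({
            "process": process,                           # None for kernel records
            "symbol": symbol,
            "address": int(m["addr"], 16),
            "size": int(m["size"]),
            "dest": int(m["dest"], 16) if m["dest"] else None,
            "module": m["module"],                        # None when GMER found no image at dest
            "desc": m["desc"],
            "patch": m["patch"].strip() if m["patch"] else None,
        })
    return hooks


def unattributed_by_process(hooks):
    """JMP hooks whose destination GMER could not map to a loaded image, grouped by process.

    Kernel records would be keyed "kernel"; split hooks collapse to one symbol.
    """
    flagged = {}
    for h in hooks:
        if h["dest"] is None or h["module"] is not None:
            continue
        bucket = flagged.setdefault(h["process"] or "kernel", [])
        if h["symbol"] not in bucket:
            bucket.append(h["symbol"])
    return flagged


def attributed_modules(hooks):
    """(module file name, description) pairs for the hooks GMER did attribute to an image."""
    return {(basename(h["module"]).lower(), h["desc"]) for h in hooks if h["module"]}


if __name__ == "__main__":
    records = parse_hooks(SAMPLE_LOG)
    for module, desc in sorted(attributed_modules(records)):
        print("attributed: %-12s %s" % (module, desc))
    for process, symbols in unattributed_by_process(records).items():
        print("review:     %s -> %s" % (process, ", ".join(symbols)))
```

Feed the whole pasted log to parse_hooks() to get the full picture; for this thread the attributed set is entirely McAfee, while the review list contains the services.exe, lsass.exe and Explorer.EXE entries. Those would then be checked against the modules actually loaded in each of those processes, which is not something the log alone can settle.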
     
  6. 2008/12/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please see if you're able to create a new user account. If unable to from your account, try the Administrator account in safe mode. If successful, let me know if the behavior is the same.
     
  7. 2008/12/13
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    I was unable to create a new user account, even as administrator in safe mode. Also, the behavior in safe mode as administrator has the same problems as before. The "Processes" tab in task manager had only 13 processes.
     
  8. 2008/12/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Before I recommend a repair install of XP, let's see if rolling back to SP2 helps. Navigate to c:\windows\$NtServicePackUninstall$\spuninst and see if spuninst.exe will run. Reboot if successful and let me know the outcome.
     
  9. 2008/12/13
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    spuninst.exe could not successfully run.
     
  10. 2008/12/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Short of a repair install, the only other thing I can suggest is zipping up the registry hive backups created with ERUNT when ComboFix was run, then sending them to me for analysis. No guarantees I'd find the problem, but there is a chance. If you're game, let me know and I'll give you details.
     
  11. 2008/12/13
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Where are these registry hive backups located?

    I have a registry backup dated Nov-6-2008, before any of these problems occurred. Will that do? How do I get it to you?
     
    Last edited: 2008/12/13
  12. 2008/12/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    What was that registry backup created with?
     
  13. 2008/12/13
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    I think it was created with a cleanup program.
     
  14. 2008/12/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I would be very surprised if that was a full registry backup. Generally, only what has been removed with the cleanup app is backed up.

    The ERUNT backups are located at C:\WINDOWS\ERDNT\Hiv-backup
    They are files named software and system and should be zipped separately.
    The user hives are in the Users subfolder, inside another subfolder named 0000001, 00000002, etc.
    I cannot tell you which one will represent your profile hive. Generally, the user hive is located in the odd named folders and is named NTUSER.DAT
    If you open them with notepad you can see your username in the first line. My first choice to check would be 00000003
    I also need that file zipped.

    If successful, send them to me with jharry hives in the subject line. The system and software hives can be quite large and may need separate mailings, even when zipped.
     
  15. 2008/12/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Files received. I'll let you know something as soon as possible, though I don't expect it will be tonight. :)
     
  16. 2008/12/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please execute the following commands.

    ren C:\WINDOWS\ERDNT\Hiv-backup\software oldsoftware
    ren C:\WINDOWS\ERDNT\Hiv-backup\system oldsystem
    copy C:\WINDOWS\repair\software C:\WINDOWS\ERDNT\Hiv-backup
    copy C:\WINDOWS\repair\system C:\WINDOWS\ERDNT\Hiv-backup



    Now, run ERDNT.exe in the C:\WINDOWS\ERDNT\Hiv-backup folder.
    Restore the System hives only.
    Reboot when prompted.

    Things should appear mostly normal upon logon, though it will appear as a first time logon.
    Do NOT run any programs or open anything!
    Go directly to System Restore and see if it works, and if you have an available restore point just prior to the mishap.
    If so, invoke the restore operation. If not, stop right there and post back for further instructions.

    Do NOT change anything else!


    Please verify if your system is XP Home.
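Post #14 points out that the first line of a hive opened in Notepad shows the user name, and post #16 restores hives with ERDNT. That name comes from the hive's 4 KiB base block, which also records whether the last write to the hive completed. The following is an added example by the editor, not code from the thread, ERUNT or ERDNT: it decodes that header with Python, reads the embedded path, verifies the header checksum, and flags a hive whose primary and secondary sequence numbers differ, which is what an interrupted write (a power-off during "saving personal settings", as in post #2) leaves behind. The sample hive it builds is constructed for the demonstration; inspect_hive_file() can be pointed at the software, system or NTUSER.DAT files under C:\WINDOWS\ERDNT\Hiv-backup to check real ones before restoring them. A clean header does not mean the keys inside are intact (post #20 found keys missing from hives that loaded), so this is a precondition for a restore, not a verdict.

```python
import struct
from datetime import datetime, timedelta

REGF_BASE_BLOCK = 4096     # the base block is always the first 4 KiB of a hive file
CHECKSUM_OFFSET = 0x1FC


def looks_like_hive(data):
    """Cheap pre-check: a primary hive starts with a base block signed 'regf'."""
    return len(data) >= REGF_BASE_BLOCK and data[:4] == b"regf"


def regf_checksum(block):
    """Base-block checksum: XOR of the 127 little-endian uint32 words before offset 0x1FC,
    with the two reserved results (0xFFFFFFFF and 0) remapped the way Windows does."""
    x = 0
    for (word,) in struct.iter_unpack("<I", bytes(block[:CHECKSUM_OFFSET])):
        x ^= word
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def filetime_to_datetime(filetime):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10)


def inspect_hive_header(data):
    """Decode the base-block fields worth checking before restoring a hive."""
    if not looks_like_hive(data):
        raise ValueError("not a registry hive: missing 'regf' base block")
    primary, secondary = struct.unpack_from("<II", data, 0x04)
    (written,) = struct.unpack_from("<Q", data, 0x0C)
    major, minor, file_type = struct.unpack_from("<III", data, 0x14)
    # 64-byte UTF-16LE field holding the tail of the hive's path; this is the
    # readable text Notepad shows at the top of the file.
    name = data[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (stored,) = struct.unpack_from("<I", data, CHECKSUM_OFFSET)
    return {
        "name": name,
        "version": (major, minor),
        "file_type": file_type,                    # 0 = primary hive, 1 = transaction log
        "last_written": filetime_to_datetime(written),
        "sequence": (primary, secondary),
        # Windows raises the primary number before a write and the secondary after it,
        # so a mismatch means the last write never finished (power cut, hard reset).
        "dirty": primary != secondary,
        "checksum_ok": stored == regf_checksum(data),
    }


def inspect_hive_file(path):
    with open(path, "rb") as fh:
        return inspect_hive_header(fh.read(REGF_BASE_BLOCK))


def build_sample_hive(path_name, primary, secondary, corrupt_checksum=False):
    """Constructed base block for the demonstration (not a hive from the thread)."""
    block = bytearray(REGF_BASE_BLOCK)
    block[0:4] = b"regf"
    struct.pack_into("<II", block, 0x04, primary, secondary)
    struct.pack_into("<Q", block, 0x0C, 128_000_000_000_000_000)   # a FILETIME in 2006
    struct.pack_into("<IIII", block, 0x14, 1, 3, 0, 1)              # major, minor, type, format
    struct.pack_into("<III", block, 0x24, 0x20, 0x1000, 1)          # root cell, bins size, clustering
    tail = path_name[-31:].encode("utf-16-le")                      # field holds 31 chars plus NUL
    block[0x30:0x30 + len(tail)] = tail
    checksum = regf_checksum(block) ^ (1 if corrupt_checksum else 0)
    struct.pack_into("<I", block, CHECKSUM_OFFSET, checksum)
    return bytes(block)


if __name__ == "__main__":
    sample = build_sample_hive(r"\??\C:\Documents and Settings\user\ntuser.dat", 9, 8)
    for key, value in inspect_hive_header(sample).items():
        print("%-13s %s" % (key, value))
```

The sample in the usage block deliberately has mismatched sequence numbers, so it prints dirty = True; a real hive in that state is one the kernel would normally repair from its .LOG file at load time, and a checksum mismatch means the header itself has been damaged rather than merely left mid-write.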
     
  17. 2008/12/15
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    During reboot, right after the Windows logo, I get an error message:

    lsass.exe System error

    When trying to update a password this return status indicates that the value provided as the current password is incorrect.

    The computer then cycles through this error message again and again, without displaying the desktop. I have to manually shut off the power.

    My operating system is XP Home.
     
    Last edited: 2008/12/15
  18. 2008/12/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Ughhhh. OEM computer? :(

    Boot to the cd and access the Recovery Console. Let me know if you need specifics for doing so.

    Once there, execute the following commands and restart.

    cd ERDNT\Hiv-backup
    ren software software.bak
    ren system system.bak
    ren oldsoftware software
    ren oldsystem system
    batch erdnt.con


    Type exit when done to restart.
    Should put you back where we were, where we'll do this another way.

    If unable to access the recovery console, is it possible for you to burn a cd?
     
  19. 2008/12/15
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    I do not have a bootable CD.
    My computer is not working at all, so I can't burn a CD. Neither can the public computer. But I can download to my USB flash disk, and maybe have someone else burn a CD for me.
     
    Last edited: 2008/12/15
  20. 2008/12/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'll post instructions for ERD Commander, which is one method. Another would be a bootable Linux CD, if you're at all familiar with navigating in Linux. You could also just try to get your hands on an XP CD long enough to access the Recovery Console.

    Download and install the ISO Recorder version for your operating system (after selecting the XP SP2 link, click the red text labelled "Here is the current 32 bit build").


    Download and install the Microsoft Diagnostics and Recovery Toolset, choosing the Typical installation during setup

    Insert a blank cd into your cd/dvd burner. Browse to C:\Program Files\Microsoft Diagnostics and Recovery Toolset and right click erd50.iso, then select Copy image to CD. Follow the instructions in the following link to finish creating the bootable cd.

    http://isorecorder.alexfeinman.com/HowTo.htm

    Once finished, restart the PC with the cd in the drive and boot to the cd to verify it works properly. If successful, restart the computer but remove the cd upon startup and boot back into normal mode, then post back here to let me know it was successful. I'll post instructions on how to proceed from there.


    Just so you know, the hives that you sent are missing a number of critical registry keys that are not easily rebuilt. The idea was to get back to a normally working computer that would enable us to get a good set of hives from system restore.
     
  21. 2008/12/15
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Since I'll need to use someone else's computer to create the bootable CD, how do I get rid of the isorecorder shell extension after I'm done? Also, how do I uninstall Microsoft Diagnostics and Recovery Toolset from that computer?

    My XP is English. If I choose the option of borrowing a XP CD, does it have to be an English version (hard to find where I'm right now in China)?

    For the linux option, do I just navigate to the C:\windows\erdnt\hiv-backup folder and execute the commands in your post #57?
     
