Device Manager Empty 5

[hayt]

I have searched everywhere for this solution, and have had no success.

I am running XP Home on a Celeron 2.4 (i know that "Home" is my first problem)

The device manager is empty, and my dialup service sees my modem as in use by another program (as the port must be open). The phone and Modem section of my control panel does not have a modem listed, and i cannot add it to the list as it says there is no modem. The modem was working fine, but my kid did "nothing" to it, and now it doesn't work.

I have set the permissions in HKLM/System/CurrentControlSet/Enum to Read Only for Everyone, and Full for System.

I have ensured that plug n play service is started and auto (as well as universal pnp). I have cleaned the system of all spyware (and do not have any apropos files).

My device manager sees everything in safe mode, but i do not have a phone and modem section in my control panel in safe mode.

PLEASE PLEASE PLEASE help me, i will name my first born for you.

 

[wolluf]

see if the link in my second post here thread779-1156478 is any help

 

[smah]

I had to reboot back to Windows to see if the Plug and Play service has any dependencies and didn't finish my earlier thought properly. The Plug and Play service does not seem to depend on any others. Just to make sure though: the Plug and Play service should be started as a Local System account, not a normal user account. I assume that you get the same results if you start device manager from the run dialog: Start, Run, devmgmt.msc

I would think that this must be caused by some device conflict if it works properly in safe mode and not normal mode. Do a search of your hard drive for devmgr.dll (include hidden & system files). How many do you find, where are they, & what version (right click, properties)?

 

[jujet84]

You must use regedt32.exe in Windows 2000/XP
Be very carefull making changes in the regisrty!

You must be logged on as a local administrator to perform this task:

1. Go to "Start", "Run", and enter "regedt32"
2. Maximize the "HKEY_LOCAL_MACHINE" window.
3. Scroll down to "SYSTEM\CurrentControlSet\Enum"
4. With "Enum" selected click the "Security", "Permissions" menu.

Note: At this point you will probably notice there are no permissions on this key.

5. Click "Add".
6. Add the group "Everyone" and the user "SYSTEM".
7. Select "Everyone" and check "Read" ONLY!
8. Select "SYSTEM" and check "Full Control".
9. Click the "Advanced" button at the bottom of the window.
10. On the Advanced window check "Reset permissions on all child objects..."
11. Click "OK"
12. On the warning window click "Yes"
13. Close REGEDT32

You should now be able to see everything in Device Manager, Network Places Properties,
and Printers.

 

[linney]

Is it and internal or external modem, is it connected?

Error Message: Error 633 Modem Is Already in Use

http://support.microsoft.com/default.aspx?scid=kb;en-us;324760&FR=1&PA=1&SD=HSCH

Xp Modem problem
thread779-576433

WinXP Connectivity Issues
Lost Connectivity after Registry or Malware Cleanup
faq779-4625

If you have removed something that you shouldn't have, many antispyware tools have a restore function.


Some general things to try.

See if System Restore will get you back to a restore point before your problem with Windows.

Try running ChkDsk to check your drive for errors. Right click your Drive icon/ Properties/ Tools/ Error Checking.

Run the System File Checker program from the Run Box by typing.....Sfc /Scannow in it and have your XP CD handy.

HOW TO: Verify Unsigned Device Drivers in Windows XP

http://support.microsoft.com/support/kb/articles/q308/5/14.asp

If they don't work you could try repairing windows by running it over itself. You will lose all your windows updates but your files will be untouched.

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP (Q315341)

http://support.microsoft.com/support/kb/articles/q315/3/41.asp

Sounds like you have been down this path but I will include these links for others.

311504 - No Items Appear in the Device Manager List When You Open It

http://support.microsoft.com/default.aspx?scid=kb;en-us;311504&FR=1&PA=1&SD=HSCH

No Device Manager
thread779-1138667

"My Computer" takes a full minute to open
thread779-1157000

 

[hayt]

Everyone - Thank you for responding so quickly, this problem is driving me crazy.

Wullof - i tried to apropos fix, and unfortunately that did not get it (the log said that none of the folders or files existed).

smah - the services are all running, i even restarted the PNP service and the universal pnp service, that had no effect.

jujet84 - I had already changed the permissions in the registry using regedt32. the first time i did that, and said to force children to inherit and replace the permissions of children, it gave me an error that not all children could change the permissions, so i changed each key individually. No effect thus far. Also, i am using the "Administrator" profile to make these changes .

linney - it is actually an error 797 that i get. i tried your solutions, ran the winsock fix tool, and the sp1 fix, but that had no effect.

All - my current opinion is that the registry somehow got corrupted. there is a stupid program on the desktop called windows registry fixer (or something like that), and i have a horrible feeling that someone decided to run that. I removed 730+ instances of spyware using spybot and adaware, and removed some things with hijackthis. Hijackthis did list some weird things that i am researching (i don't remove ANYTHING that i don't know what it is).

Does anyone have any other ideas?

 

[hayt]

I went back into the registry after my last post. Talking about the error i got trying to replace child key permissions to read only for "everyone" got me thinking about it. I tried it again, and again got the error. i then went back and changed each individual key in the Enum key, and set the permissions. somehow i must have skipped one, because when i tried the set the enum/root key permissions, i got the same error. so i began changing each key's permissions in enum/root, and i have a key that gives me an error. There is nothing in the key. the key is HKLM/System/CurrentControlSet/Enum/Root/Legacy_mspkwks

Any ideas???

i am going to do some research to determine what that key is.


Thanks

 

[linney]

http://www.modemsite.com/56k/duns797.asp

Use this as a rough guide to what might be a problem in your Hijack This log.
HijackThis log file analysis

http://www.hijackthis.de/index.php

An empty entry in a Registry Key may just be a result of removing or uninstalling something incorrectly.

In your situation, after removing so much malware and now having all this resulting trouble I would be inclined to save my valuable data and format and re-install XP.

 

[hayt]

I've done a little more digging with the registry issue. In Safe Mode, the key is fine, has data and i can access it without a problem. However, in normal mode, the key is empty and returns an "error opening key" or an "error deleting key."

I deleted the key in safe mode, and it reappears in normal mode with the error. Since this is th eonly key in the currentcontrolset key that has an issue, i am begining to suspect that this is the culprit.

the modem looks fine in safe mode, however, the device manager in safe mode cannot give me the status of that device. Therefore, i cannot update the driver in normal mode. I cleaned all of the malware, and emptied the entries in hijackthis that were malware, or suspect (after much research on each individual file).

Any idea how i can fix or why the registry key returns an error in normal vs safe mode???

 

[linney]

What user did you log on in Safe Mode, is it the same user from Normal Mode?

For what it is worth (probably means nothing), I don't have this key, Google has no hits on it, one tends to assume it is not a Microsoft XP key?

 

[hayt]

IT is XP Home, with fast switching and the welcome screen. The two logins for normal mode are setup as admins, and the safe mode is the administrator login (which is what i sign in as) and one of the other two logins (there is no Administrator login for normal mode).

I tried searching for the mspkwks in google and got nothing as well, but my guess is that it belongs to ms Works.

Like i said, i've deleted the key in safe mode, but the key remains in normal mode and reappears in safe mode after a restart. I have the values that should be in the key (i made a reg file with the data), but when i try to put it into the key in normal mode, it gives me the "error writing to key."

I still get the 797 modem error, and i have NO IDEA why. there are no processes that are using the modem. the next thing i am going to do is remove the modem, reboot, then put the modem back in. the only problem is that when i removed the modem in safe mode, and rebooted into normal mode, it detected the new hardware, but errored on installing it. i tried the manually install the drivers in normal mode, but it would fail. i ended up having to install it in safe mode.

 

[erikhertzel]

Post your Hijack This log to this forum and we will take a look at it.

Also download this:

http://www.ewido.net/en/

Check for updates and then run a complete system scan.

I think we may have a problem with spyware here, or removing something that was spyware related and it broke something else.

Erik

 

[hayt]

Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:32 PM, on 12/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Autospell60\autospel.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\regedit.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe
C:\hijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AutoSpell] C:\Program Files\Autospell60\autospel.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt rbnd
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -

https://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c8.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) -

http://download.toontown.com/sv1.0.14.48/ttinst.cab

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Smart Viewer 7) -

http://crystalweb1.clerk.co.brevard.fl.us/viewer/activeXViewer/activexviewer.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

the PC was using spyhunter, but i removed it. (using adaware and spybot).

i cannot delete the key in question (i can delete it in safe mode, but it reapears in normal mode). It exists in controlset003 which is, i imagine, where it is pulling it from. i delete it from controlset001, controlset002, and controlset003, and it just comes right back. the modem works FINE in safe mode, but that doesn't do em any real good.

again, when i ran adaware and spybot yesterday, i removed 730 malware instances. mostly search and rebate tracking files.

 

[hayt]

one more thing, i was searching the registry for the "mspkwks" key, and saw it listed under services in the controlset as well. i looked in the key (in safe mode, as i got the same error in normal mode), and it refernces a file in my system32/drivers folder called "wchmcd.sys"

the file properties lists it as unknown application, and google returns no hits on it. any ideas??? can i just wipe the file and all keys associated with it???

 

[erikhertzel]

Remove the following:

C:\WINDOWS\System32\l?ass.exe

C:\Program Files\rdso\eetu.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c8.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) -

http://download.toontown.com/sv1.0.14.48/ttinst.cab

Also download this:

http://www.ewido.net/en/

Check for updates and then run a complete system scan.

 

[linney]

While not related to your infection this is a good example of how malware can mess up your machine and frustrate your attempts to remove it. If you read it you will notice one or two similarities.

The HaxDoor virus may cause a "STOP 0x00000050" or "STOP 0x0000008e" error message

http://support.microsoft.com/default.aspx?scid=kb;en-us;903251&FR=1&PA=1&SD=HSCH

 

[hayt]

IT WORKS!!!

I removed the wchmcd.sys file, and removed all mspkwks keys in the registry, and it works! the device manager has all items listed, and the modem works perfectly. What a Pain in the @$$. Thank you to everyone for your help, Start all around!

Hayt