TERRIBLE TROUBLE -- HELP !!!!!

When I started up the pc this morning, as programs were loading, I received
ALERTS of systems leading to a total crash.
They read as follows:

usbwin32.exe

registry.pif

default.scr

CriticalUpdate.exe

Is there ANY way to salvage this by using any of the CD-ROMs for the pc to
locate these sites and repairing them without losing EVERYTHING ???
The pc is running and seems functional, but I don't know what to do ...
continue or quit ???
Can anyone help me with this ... what are these and what can I do to correct
them.
--
Thanks for any assistance or suggestions.
Amber

Hi Amber,

usbwin32.exe

Virus.

registry.pif

Virus

default.scs

Virus

CriticalUpdate.exe

And, low and behold, another virus. Sounds like your antivirus software did
half the job. It removed the infecting files but not the startup entries
that loaded them. Click start/run, type regedit and click ok. Expand the
plus (+) signs to reach these keys, one at a time:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

Click on the key, then look in the right pane for a string that loads each
of the files you listed. Click on the string and then delete it. Close the
registry editor when they are all removed and restart the system to see if
the problem is resolved.


--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"Amber" wrote in message
...
When I started up the pc this morning, as programs were loading, I
received
ALERTS of systems leading to a total crash.
They read as follows:

usbwin32.exe

registry.pif

default.scr

CriticalUpdate.exe

Is there ANY way to salvage this by using any of the CD-ROMs for the pc to
locate these sites and repairing them without losing EVERYTHING ???
The pc is running and seems functional, but I don't know what to do ...
continue or quit ???
Can anyone help me with this ... what are these and what can I do to
correct
them.
--
Thanks for any assistance or suggestions.
Amber

Hi Rick

Thanks for responding and researching my situation.

I ran a virus scan under the program from Trend Micro, and it showed
approx. 12 viruses, mostly Trojans, 2 Backdoors, and showed them as "Not
Cleanable".
I went through the registry and followed your directions, and some of the
changes you indicated were not "word for word" on my registry, but I deleted
the ones closest to the list, and I just hope I didn't make things worse.
There was one that couldn't be changed at all.

After this, I tried to restart, and got the same results.

I ran the ever-so-slow Norton Virus Scan (NSW Antivirus is the one I have
been using all along), and it didn't show any hits or viruses.

I tried to do a Restart, crossed my fingers, and hit the go button, and I
still get the "default.scr" , "CriticalUpdate.exe" , and the "usbwin32.exe"

I'm ready to pull my hair out. Is there ANYTHING I can try to get rid of
these glitches?

I'm ready to shoot the darn thing out its misery, or else myself

"Rick "Nutcase" Rogers" wrote:

Hi Amber,

usbwin32.exe

Virus.

registry.pif

Virus

default.scs

Virus

CriticalUpdate.exe

And, low and behold, another virus. Sounds like your antivirus software did
half the job. It removed the infecting files but not the startup entries
that loaded them. Click start/run, type regedit and click ok. Expand the
plus (+) signs to reach these keys, one at a time:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

Click on the key, then look in the right pane for a string that loads each
of the files you listed. Click on the string and then delete it. Close the
registry editor when they are all removed and restart the system to see if
the problem is resolved.


--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"Amber" wrote in message
...
When I started up the pc this morning, as programs were loading, I
received
ALERTS of systems leading to a total crash.
They read as follows:

usbwin32.exe

registry.pif

default.scr

CriticalUpdate.exe

Is there ANY way to salvage this by using any of the CD-ROMs for the pc to
locate these sites and repairing them without losing EVERYTHING ???
The pc is running and seems functional, but I don't know what to do ...
continue or quit ???
Can anyone help me with this ... what are these and what can I do to
correct
them.
--
Thanks for any assistance or suggestions.
Amber

Hi Amber,

You need to know exactly where they are loading from. Download the startup
programs tracker under WinXP Utilities at www.dougknox.com, and unzip it,
then run it. Copy/paste the results into a reply.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"Amber" wrote in message
...
Hi Rick

Thanks for responding and researching my situation.

I ran a virus scan under the program from Trend Micro, and it showed
approx. 12 viruses, mostly Trojans, 2 Backdoors, and showed them as "Not
Cleanable".
I went through the registry and followed your directions, and some of the
changes you indicated were not "word for word" on my registry, but I
deleted
the ones closest to the list, and I just hope I didn't make things worse.
There was one that couldn't be changed at all.

After this, I tried to restart, and got the same results.

I ran the ever-so-slow Norton Virus Scan (NSW Antivirus is the one I have
been using all along), and it didn't show any hits or viruses.

I tried to do a Restart, crossed my fingers, and hit the go button, and I
still get the "default.scr" , "CriticalUpdate.exe" , and the
"usbwin32.exe"

I'm ready to pull my hair out. Is there ANYTHING I can try to get rid of
these glitches?

I'm ready to shoot the darn thing out its misery, or else myself

"Rick "Nutcase" Rogers" wrote:

Hi Amber,

usbwin32.exe

Virus.

registry.pif

Virus

default.scs

Virus

CriticalUpdate.exe

And, low and behold, another virus. Sounds like your antivirus software
did
half the job. It removed the infecting files but not the startup entries
that loaded them. Click start/run, type regedit and click ok. Expand the
plus (+) signs to reach these keys, one at a time:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

Click on the key, then look in the right pane for a string that loads
each
of the files you listed. Click on the string and then delete it. Close
the
registry editor when they are all removed and restart the system to see
if
the problem is resolved.


--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"Amber" wrote in message
...
When I started up the pc this morning, as programs were loading, I
received
ALERTS of systems leading to a total crash.
They read as follows:

usbwin32.exe

registry.pif

default.scr

CriticalUpdate.exe

Is there ANY way to salvage this by using any of the CD-ROMs for the pc
to
locate these sites and repairing them without losing EVERYTHING ???
The pc is running and seems functional, but I don't know what to do ...
continue or quit ???
Can anyone help me with this ... what are these and what can I do to
correct
them.
--
Thanks for any assistance or suggestions.
Amber

Hello Rick

Thanks for not "leaving me hanging". I appreciate your time and research.

I have been desperately trying to backup and save as much as I can before
the viruses hits them. I have ALL of my financial information from Quicken
2004 that I need to get ready for tax time, all of my banking
records,documents, etc., but I'm wondering now if they may possibly already
be infected.
I am about ready to take this pc that someone gave me and torch it on the
BBQ grill.
I have the information for you ...
I have RESTORED the HKEY deletions so you can see exactly what they are.
The only major change I have made lately is adding the program "STOP SPAM",
and I have uninstalled it in case it has caused the problem.-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnce

No Items Found

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run

Zone Labs Client "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
ccApp "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
MSUpdate c:\CriticalUpdate.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
Digital Patrol Update 5 C:\Program Files\Proantivirus Lab\Digital
Patrol Scanner 5.0\update.exe /autoupdate

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\RunOnce

No Items Found

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run

PopUpStopperFreeEdition C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
FreeRAM XP "C:\Program Files\framxpro\FreeRAM XP Pro
1.40.exe" -win
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe"
/background

-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce

No Items Found

-- Start Menu - Current User --
No Items Found

-- Start Menu - All Users --
default.scr
usbwin32.exe

-- Disabled Items --
No Items Found

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon --
Explorer.exe

-- Running Processes --
System Idle Process
System
smss.exe \SystemRoot\System32\smss.exe
csrss.exe
winlogon.exe winlogon.exe
services.exe C:\WINDOWS\system32\services.exe
lsass.exe C:\WINDOWS\system32\lsass.exe
svchost.exe C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
incdsrv.exe "C:\Program Files\Ahead\InCD\InCDsrv.exe"
svchost.exe
svchost.exe
spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
CCEVTMGR.EXE "C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe"
NAVAPSVC.EXE "C:\Program Files\Norton SystemWorks\Norton
AntiVirus\navapsvc.exe"
NMSAccess.exe "C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe"
NPROTECT.EXE "C:\Program Files\Norton SystemWorks\Norton
Utilities\NPROTECT.EXE"
PRISMXL.SYS "C:\Program Files\Common
Files\Lanovation\PrismXL\PRISMXL.SYS"
NOPDB.EXE C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
svchost.exe C:\WINDOWS\System32\svchost.exe -k imgsvc
explorer.exe C:\WINDOWS\Explorer.EXE
wdfmgr.exe
ccApp.exe "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
update.exe "C:\Program Files\Proantivirus Lab\Digital Patrol
Scanner 5.0\update.exe" /autoupdate
PSFree.exe "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
FreeRAM XP Pro 1.40."C:\Program Files\framxpro\FreeRAM XP Pro 1.40.exe" -win
SymWSC.exe "C:\Program Files\Common Files\Symantec Shared\Security
Center\SymWSC.exe"
alg.exe
zlclient.exe "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
Vsmon.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
FAST2.EXE "C:\Program Files\FAST Defrag\FAST2.EXE"
avant.exe "C:\Program Files\Avant Browser\avant.exe"
helpctr.exe "C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr. exe"
-FromStartHelp
helpsvc.exe "C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc. exe"
/Embedding
HelpHost.exe "C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe "
-guid {4C971553-B09D-4275-9F95-217E851644CF}
wordpad.exe "C:\Program Files\Windows NT\Accessories\wordpad.exe"
StartupTracker3.exe "C:\Documents and Settings\Bob\My
Documents\Unzipped\StartupTracker3[1]\StartupTracker3.exe"
msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" -Embedding
StartupTracker3.exe "C:\Documents and Settings\Bob\My
Documents\Unzipped\StartupTracker3[1]\StartupTracker3.exe"
wmiprvse.exe

-- Running Services --

Name: 6to4
Description: Provides DDNS name registration and automatic IPv6 connectivity
over an IPv4 network. If this service is stopped, other computers may not be
able to reach it by name and the machine will only have IPv6 connectivity if
it is connected to a native IPv6 network. If this service is disabled, any
other services that explicitly depend on this service will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: ALG
Description: Provides support for 3rd party protocol plug-ins for Internet
Connection Sharing and the Windows Firewall.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\alg.exe

Name: AudioSrv
Description: Manages audio devices for Windows-based programs. If this
service is stopped, audio devices and effects will not function properly. If
this service is disabled, any services that explicitly depend on it will fail
to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Browser
Description: Maintains an updated list of computers on the network and
supplies this list to computers designated as browsers. If this service is
stopped, this list will not be updated or maintained. If this service is
disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: ccEvtMgr
Description: Symantec Event Manager
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

Name: CryptSvc
Description: Provides three management services: Catalog Database Service,
which confirms the signatures of Windows files; Protected Root Service, which
adds and removes Trusted Root Certification Authority certificates from this
computer; and Key Service, which helps enroll this computer for certificates.
If this service is stopped, these management services will not function
properly. If this service is disabled, any services that explicitly depend on
it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: DcomLaunch
Description: Provides launch functionality for DCOM services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k DcomLaunch

Name: Dhcp
Description: Manages network configuration by registering and updating IP
addresses and DNS names.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Dnscache
Description: Resolves and caches Domain Name System (DNS) names for this
computer. If this service is stopped, this computer will not be able to
resolve DNS names and locate Active Directory domain controllers. If this
service is disabled, any services that explicitly depend on it will fail to
start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

Name: ERSvc
Description: Allows error reporting for services and applictions running in
non-standard environments.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Eventlog
Description: Enables event log messages issued by Windows-based programs and
components to be viewed in Event Viewer. This service cannot be stopped.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: EventSystem
Description: Supports System Event Notification Service (SENS), which
provides automatic distribution of events to subscribing Component Object
Model (COM) components. If the service is stopped, SENS will close and will
not be able to provide logon and logoff notifications. If this service is
disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: FastUserSwitchingCompatibility
Description: Provides management for applications that require assistance in
a multiple user environment.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: helpsvc
Description: Enables Help and Support Center to run on this computer. If
this service is stopped, Help and Support Center will be unavailable. If this
service is disabled, any services that explicitly depend on it will fail to
start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: InCDsrv
Description: Helper service for the InCD filesystem driver
Startup Mode: Auto
Run from: C:\Program Files\Ahead\InCD\InCDsrv.exe

Name: lanmanserver
Description: Supports file, print, and named-pipe sharing over the network
for this computer. If this service is stopped, these functions will be
unavailable. If this service is disabled, any services that explicitly depend
on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: lanmanworkstation
Description: Creates and maintains client network connections to remote
servers. If this service is stopped, these connections will be unavailable.
If this service is disabled, any services that explicitly depend on it will
fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: LmHosts
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and
NetBIOS name resolution.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: navapsvc
Description: Handles Norton AntiVirus Auto-Protect events.
Startup Mode: Auto
Run from: "C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"

Name: Netman
Description: Manages objects in the Network and Dial-Up Connections folder,
in which you can view both local area network and remote connections.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Nla
Description: Collects and stores network configuration and location
information, and notifies applications when this information changes.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: NMSAccess
Description:
Startup Mode: Auto
Run from: C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe

Name: NProtectService
Description:
Startup Mode: Auto
Run from: "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"

Name: PlugPlay
Description: Enables a computer to recognize and adapt to hardware changes
with little or no user input. Stopping or disabling this service will result
in system instability.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: PolicyAgent
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE)
and the IP security driver.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\lsass.exe

Name: PrismXL
Description:
Startup Mode: Auto
Run from: C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

Name: ProtectedStorage
Description: Provides protected storage for sensitive data, such as private
keys, to prevent access by unauthorized services, processes, or users.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: RasMan
Description: Creates a network connection.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: RpcSs
Description: Provides the endpoint mapper and other miscellaneous RPC
services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k rpcss

Name: SamSs
Description: Stores security information for local user accounts.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: Schedule
Description: Enables a user to configure and schedule automated tasks on
this computer. If this service is stopped, these tasks will not be run at
their scheduled times. If this service is disabled, any services that
explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: seclogon
Description: Enables starting processes under alternate credentials. If this
service is stopped, this type of logon access will be unavailable. If this
service is disabled, any services that explicitly depend on it will fail to
start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SENS
Description: Tracks system events such as Windows logon, network, and power
events. Notifies COM+ Event System subscribers of these events.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: SharedAccess
Description: Provides network address translation, addressing, name
resolution and/or intrusion prevention services for a home or small office
network.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: ShellHWDetection
Description: Provides notifications for AutoPlay hardware events.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Speed Disk service
Description:
Startup Mode: Auto
Run from: C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

Name: Spooler
Description: Loads files to memory for later printing.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\spoolsv.exe

Name: srservice
Description: Performs system restore functions. To stop service, turn off
System Restore from the System Restore tab in My Computer-Properties
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: stisvc
Description: Provides image acquisition services for scanners and cameras.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc

Name: SymWSC
Description: Symantec WMI Service
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\Security
Center\SymWSC.exe"

Name: TapiSrv
Description: Provides Telephony API (TAPI) support for programs that control
telephony devices and IP based voice connections on the local computer and,
through the LAN, on servers that are also running the service.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TermService
Description: Allows multiple users to be connected interactively to a
machine as well as the display of desktops and applications to remote
computers. The underpinning of Remote Desktop (including RD for
Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost -k DComLaunch

Name: Themes
Description: Provides user experience theme management.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TrkWks
Description: Maintains links between NTFS files within a computer or across
computers in a network domain.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: UMWdf
Description: Enables Windows user mode drivers.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\wdfmgr.exe

Name: vsmon
Description: Monitors internet traffic and generates alerts for disallowed
access.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

Name: W32Time
Description: Maintains date and time synchronization on all clients and
servers in the network. If this service is stopped, date and time
synchronization will be unavailable. If this service is disabled, any
services that explicitly depend on it will fail to start.

Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: WebClient
Description: Enables Windows-based programs to create, access, and modify
Internet-based files. If this service is stopped, these functions will not be
available. If this service is disabled, any services that explicitly depend
on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: winmgmt
Description: Provides a common interface and object model to access
management information about operating system, devices, applications and
services. If this service is stopped, most Windows-based software will not
function properly. If this service is disabled, any services that explicitly
depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: wscsvc
Description: Monitors system security settings and configurations.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: wuauserv
Description: Enables the download and installation of critical Windows
updates. If the service is disabled, the operating system can be manually
updated at the Windows Update Web site.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: WZCSVC
Description: Provides automatic configuration for the 802.11 adapters
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs




I really appreciate your help with this because


"Rick "Nutcase" Rogers" wrote:

Hi Amber,

You need to know exactly where they are loading from. Download the startup
programs tracker under WinXP Utilities at www.dougknox.com, and unzip it,
then run it. Copy/paste the results into a reply.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"Amber" wrote in message
...
Hi Rick

Thanks for responding and researching my situation.

I ran a virus scan under the program from Trend Micro, and it showed
approx. 12 viruses, mostly Trojans, 2 Backdoors, and showed them as "Not
Cleanable".
I went through the registry and followed your directions, and some of the
changes you indicated were not "word for word" on my registry, but I
deleted
the ones closest to the list, and I just hope I didn't make things worse.
There was one that couldn't be changed at all.

After this, I tried to restart, and got the same results.

I ran the ever-so-slow Norton Virus Scan (NSW Antivirus is the one I have
been using all along), and it didn't show any hits or viruses.

I tried to do a Restart, crossed my fingers, and hit the go button, and I
still get the "default.scr" , "CriticalUpdate.exe" , and the
"usbwin32.exe"

I'm ready to pull my hair out. Is there ANYTHING I can try to get rid of
these glitches?

I'm ready to shoot the darn thing out its misery, or else myself

"Rick "Nutcase" Rogers" wrote:

Hi Amber,

usbwin32.exe

Virus.

registry.pif

Virus

default.scs

Virus

CriticalUpdate.exe

And, low and behold, another virus. Sounds like your antivirus software
did
half the job. It removed the infecting files but not the startup entries
that loaded them. Click start/run, type regedit and click ok. Expand the
plus (+) signs to reach these keys, one at a time:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

Click on the key, then look in the right pane for a string that loads
each
of the files you listed. Click on the string and then delete it. Close
the
registry editor when they are all removed and restart the system to see
if
the problem is resolved.


--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"Amber" wrote in message
...
When I started up the pc this morning, as programs were loading, I
received
ALERTS of systems leading to a total crash.
They read as follows:

usbwin32.exe

registry.pif

default.scr

CriticalUpdate.exe

Is there ANY way to salvage this by using any of the CD-ROMs for the pc
to
locate these sites and repairing them without losing EVERYTHING ???
The pc is running and seems functional, but I don't know what to do ...
continue or quit ???
Can anyone help me with this ... what are these and what can I do to
correct
them.
--
Thanks for any assistance or suggestions.
Amber