re: Empty Device Manager - fixed by removing spyware
Tuesday, November 22, 2005 at 11:21 am Windows XP Annoyances Discussion Forum
Posted by Lou Kurrelmeyer
(28 messages posted)
Wow! This is a long running thread...
It seems that anything that fouls up the registry will cause the Device Manager to
show empty. Reading this whole enormous thread, I see groups of causes.
1) Installing a device which comes with bad registry entries (wrong Permissions).
I see multiple examples of this, especially the Yamaha sound devices.
2) Not having the plug’n-play running. This does not foul up the registry so much
as it keeps Windows from reading the registry.
3) Other creative ways of hosing up the registry, like Microsoft’s security update
for Windows KB905749.
4) Spyware/Adware/Trojans which place deliberately corrupt entries in the registry
to keep you from deleting them.
If you see an empty Device Manager and…
a) You just installed a new device—Check the Permissions in the registry for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum.
If you get a message about not being able to change the permission of all of the
sub nodes (children), see “b)” below.
b) It is taking ages to display after clicking on My Computer, you can no longer
see your “Local Area Network” connection when you display connections, you are seeing
lots of pop-ups every time you access the Internet—Check for Spyware/Adware/Trojans.
I think the Apropos family of Spyware is the cause, but there may be others.
c) You don’t fall into the above two categories, make sure your Plug’n-Play service
is running.
d) Last choice seems to be removing Microsoft’s security update for Windows KB905749.
My experience report:
I checked my Plug’n-Play service and it was running.
My HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum permissions were okay. It took
me ages to look through them all, which I did because I got the message saying some
of the children (sub nodes) could not be changed. I could not find any problems,
but after right clicking the three gillionth entry I might have missed something.
A word to the wise, don’t waste your time checking all of the permissions. Not being
able to set them with the simple change-all-children approach is a symptom of another
problem, not a problem in itself.
I checked if I had Microsoft’s security update for Windows KB905749. I did. I removed
it. This did not fix the problem either.
I tried the free 30-day trial of the TuneUp Utilities. My registry is now 8mb smaller,
and no longer has ~4,200 problems in it. Other than that, this did not fix anything.
I looked in thread http://www.dslreports.com/forum/remark,14678998 and found the
link to swandog46.geekstogo.com/aproposfix.exe. This fixed the problem.
A few words on Apropos:
Norton (Symantec) detected a variation of Apropos and could not remove it. I tried
NoAdware, which claimed to find and remove it. I used the Symantec removal tool “FixAprop.exe”.
It claimed to have found and removed the problem. This Spyware/Trojan/Adware is extremely
stealthy, polymorphic (changes itself and finds a new hiding place), and extremely
destructive. It appears to place intentionally corrupt entries in the registry. I
assume this is so you can’t delete them using REGEDIT or REGEDIT32, neither of which
can remove a corrupt directory entry.
The author of aproposfix.exe who goes by the nick swandog46 came up with a very interesting
approach to finding this extremely stealthy and hard to fix problem. He fires off
a PING to IP 1.1.1.1 (non-existent), which makes apropos come out of hiding. He immediately
starts grep-ing (text searching) the registry. If he hits on apropos, he exports
the entire registry; fixes it; and imports the repaired version overwriting the corrupt
registry that REGEDIT can’t fix directly—but can export and import. (This is a massive
oversimplification of what that program does.)
After aproposfix.exe fixed the problem I could set the authority on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum
and all children with no error message.
Below is the log I got as output from aproposfix.exe, which the author requests you
post:
Log of AproposFix v1
************
Running from directory:
C:\Download\aproposfix\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CrTPtAH2JS79]
@=" ntqFMPXYYXYYZYyBQM.MIXYYXnaY3tyy0YPVPQBJedYAOFSBOPYAOJSFOQ7ZPVP"
"Device"="\\\\.\\NetpRpl"
"DriverPath"="C:\\WINNT\\system32\\drivers\\drmvirta.sys"
"DriverName"="PCIFips"
"HideUninstallerName"="C:\\Program Files\\Hignents\\w3scoina.exe"
"UninstallerPath"="C:\\WINNT\\system32\\faxinger.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{3282FFA8-E511-44E8-BF08-45540AD7CBF1}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINNT\\system32\\cnvegobj.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X5712eb0-c117-6904-5bdd-e4720ea4d8c1}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Hignents\\nmsakley.exe"
************
Removing hidden service:
Service PCIFips removed.
Removing hidden folder:
Deletion of folder Hignents succeeded!
Deleting files:
Deletion of file C:\WINNT\system32\drivers\drmvirta.sys succeeded!
Deletion of file C:\WINNT\system32\infmgr32.exe succeeded!
Deletion of file C:\WINNT\system32\cnvegobj.dll succeeded!
Deletion of file C:\WINNT\system32\faxinger.exe succeeded!
Backing up files:
Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CrTPtAH2JS79]
[-HKEY_LOCAL_MACHINE\Software\CrTPtAH2JS79]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3282FFA8-E511-44E8-BF08-45540AD7CBF1}]
Done!
Finished!
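
The export-and-search step described in the post, as an added example that is not part of the original post and is not the code of aproposfix.exe: it parses registry export text and flags any key that carries several of the value names seen in the log above. The marker list, the threshold of 4 and the sample export are assumptions constructed for this example.

```python
import re
# Value names seen together under the one key in the log above. Treating
# "4 or more on one key" as suspicious is an assumption of this example.
MARKERS = {"DriverPath", "DriverName", "HideUninstallerName",
           "UninstallerPath", "UninstallerRegKey", "ServerAddress"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    """Strip quotes and undo .reg backslash escaping; typed data stays as is."""
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):          # hex: data continued on next line
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:                            # "[-KEY]" is a deletion, not data
            current = None if m.group(1).startswith("-") else m.group(1)
        elif current and (m := VALUE_RE.match(line)):
            keys.setdefault(current, {})[_unquote(m.group(1))] = _unquote(m.group(2))
    return keys

def flag_keys(keys, threshold=4):
    """Return [(key_path, marker_names, file_paths)] for suspicious keys."""
    hits = []
    for path, values in keys.items():
        matched = sorted(MARKERS & values.keys())
        if len(matched) >= threshold:
            files = sorted(v for v in values.values() if re.match(r"[A-Za-z]:\\", v))
            hits.append((path, matched, files))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\ExampleRandomName]
"DriverPath"="C:\\WINNT\\system32\\drivers\\example.sys"
"DriverName"="ExampleSvc"
"HideUninstallerName"="C:\\Program Files\\Example\\a.exe"
"ServerAddress"="ads.example.invalid"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Benign]
"UninstallString"="C:\\Program Files\\ExampleApp\\uninst.exe"
'''
```

Calling flag_keys(parse_reg(text)) on a saved export returns each flagged key with the files it references, which gives a review list to check by hand before anything is deleted.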