gerbil 216 Industrious Poster

If you think that the folders may still be on your desktop, but hidden, go start, run, and enter:
cmd
In the cmd window enter in sequence:
cd desktop
dir /a/s

A file finder which I can recommend is REST2514.EXE
-use another machine to dl it to a thumb or floppy, and then run it from that. That way you reduce the risk of overwriting deleted files. Finds files you did a Shift+del job on, also.

gerbil 216 Industrious Poster

Actually, the value in this key will override the value in the key in my earlier post:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=dword:00000000

gerbil 216 Industrious Poster

Gog, it is just this entry that I was wondering about
BITS: hxxp://auj+|Cv+@J:NGD_DQ{zcxLJS@]6A
which is a URL for the background intelligent transfer service, and really http://auj+|Cv+@J:NGD_DQ{zcxLJS@]6A
This is the username: auj+|Cv+@J
and all is at this key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
I cannot advise you on what to do with it. If you were to export that key and post it here it would be confusing cos a lot of it would be in hex ascii representation....
It could be legit.. it is the sort of jargon a machine would come up with....
Help!!

ggogeta commented: clarified my situation ! +4

gerbil 216 Industrious Poster

Lessee, if you address the drive from the run command by entering G: does it open in Explorer?
[Start, Run, type G:, press Enter].
Or it opens if you type G: into the explorer address bar?
Then run this:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:00000000

gerbil 216 Industrious Poster

There does not seem to be any problem left in there, gog. Combofix removed a worm file.
Your computer is on a network, and this server name means something to you: "]6A" ?

gerbil 216 Industrious Poster

Oww... did I pick up the wrong end of the stick! Perhaps because I am aware of how little I really do know about Windows... I'm not intimidated by that, it's just how things are in this world. I should be bothered, though, about how I let an annoying day influence my attitude to something else entirely. Anyway, if I explain a lil, maybe you will understand why I took exception to being tagged an expert, a wrong one at that.
I admit to using this room as a learning tool; my computer rarely gives cause for alarm, hardware or software wise, and I have long been of the opinion that if you wish to learn about something then have a go at fixing it when it is broken - that focusses the mind in a way that just reading will not do. So I use these threads quite often to learn an aspect, often getting pointed at a new topic which I try to carefully research [it's a dangerous place for truth, is the web], and I am careful of the trust of the thread owner, the guinea pig. But I make mistakes.
Mistakes?! Oh, gawd, you are hereby banned from researching my past. It embarrasses me. But I did learn to carefully choose my information sources on the web.
As an aside... I think in that post I gave to WFPS too high a pedestal, assuming that it would pick up changes to protected files. …

gerbil 216 Industrious Poster

Sorry, but I am in no way an expert on interpreting minidumps. I was just hoping that if you dragged this file, Mini101008-02.dmp into a fresh notepad you might get a clue as to your problem. This one, sysdata.xml, will open in Internet Explorer. But the problem could derive from a hardware issue as vhex suggested. An easy check to make is to turn off the puter, unplug the power, open the sides and unplug/replug everything in sight, including the RAM sticks but excepting the heatsink and processor. If you have multiple RAM modules try with just one.
High CPU usage should not cause the sys to restart, just delay the processing of non-urgent interrupts. Could easily be a malware issue. Try this as a shot in the dark:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
And then follow up with this scan:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a …

gerbil 216 Industrious Poster

Have I trodden on your toes somehow, Bob?
Did I ever say anything to you that called for that attitude of yours?
"then my guess" is not the wording of choice of an "expert".
I bought my first computer just over two years ago and loaded XP-SP2 onto it. That was the beginning of my exposure to the gubbins of Windows. I had used it before, but only a guest to play games on someone else's machine. I have never used an earlier version as I often mention in my posts concerning those. So I don't don the mantle of "expert". Never have pretended to. I'm a puddleduck, jus having fun learning. If you were to search back to may and june of 2005 you would see that I was in here asking the most basic of questions of one of the then room experts, catweazle.

gerbil 216 Industrious Poster

System Restore is limited in the amount of system file repair it can do.
If you have different icons in explorer then your shell32.dll has likely been modified along with some other changes to make the File Protection System ignore it. To restore that file you would have to copy in a fresh file both to system32 and the dllcache, plus fix any reg mods.
If WFPS has been modified then my guess is that sfc would not fix that issue, it certainly would not fix WFPS. And shell32.dll is not the only source of icons for explorer, which itself contains icons.
You could of course slave the drive and copy in replacements to system32 and dllcache, cos shell32.dll is used all the time [under winlogon.exe]. But that would not repair WFPS.
The other changes I have not a clue about, except that if the Start button has been modded then explorer.exe itself has been changed... so I am thinking that you will need to do a lot of careful, time-consuming excisions and replacements [once you track them all down], else a Windows Repair.
With the latter you won't lose any data or personal settings, you may need to reinstall a few apps, or none if you are lucky, you will have to dl all the Windows Security Updates again. It's a price to pay....
This link will give you an idea of what is involved to mod that Start button alone, but …

FlashCreations commented: Thanks for Helping with my XP Issues!!! +1

gerbil 216 Industrious Poster

Sounds like something that was hidden was working very hard. Windows Firewall - it lets anything run, and it lets anything go out onto the web. Therein lies the real beauty of WF: it aint in itself a real drain on your sys because it simply is not doing much to protect you.

gerbil 216 Industrious Poster

Hey, that's nice, John. So pinki and I got you there.
Cheers.

gerbil 216 Industrious Poster

I really dunno networking, but... if a client was setting his own background he would not need ActiveDesktop - it's just a picture the OS picks up, a reg key read. If you wish to force one over a network then surely that implies ActiveDesktop be enabled as it is a network control. That's possibly gibberish. One day I'll buy a spare puter just so's I can introduce myself to networking. But I may walk on the moon first.

gerbil 216 Industrious Poster

If you drag the dump file into notepad, or open the xml file and slide yur eyeballs over them you may see a clue as to what is going on, ...or off, actually. A process name will be reported somewhere in there as failing, or a service, driver.. I dunno.

gerbil 216 Industrious Poster

The Support tools package is also on the XP installation cd, and it will install to the folder you point it at. To find it, go Start, All Programs, Windows Support Tools and open the command prompt. It will have as a starting directory the folder of Support Tools. Or try a search for.. oh, I dunno, apimon.exe or bitsadmin.exe.
The Run command will not work unless the path to the command is included in your Environment, or you type the pathname.

gerbil 216 Industrious Poster

I have a cleaned-up ErrorNuker and RegistryFix both of which I occasionally run, but pretty much for entertainment. Your registry may be 25 or 30 Megs in size, if you remove only a couple of entries it's pretty much like plucking a couple of blades of grass from a tennis court.
Most entries picked up by those scans are ones which pass out of the system eventually in an overflow or last in-first out process eg MRU lists.
A messy uninstallation by a poor uninstaller may leave a few orphans but if those keys are not called they just will not be read. In the 4 or 5 secs that explorer.exe takes to load it does [tens of] thousands of key reads, plus a mass of hdd operations to see what it should be doing, displaying, and know. As an example, if I'm on the net but with no extraneous open windows explorer does 140,000 key operations in that time, with the net disconnected it does 90,000 key operations as it loads.
I have CCleaner also.

gerbil 216 Industrious Poster

Of course BIOS does not "go" to the boot menu... ntldr loads and parses it. And from there everything is fine.
Cliff, enter BIOS Setup [instruction is on the first POST screen [Pause key will hold the screen for you, Enter to continue]]. Set your boot order to have your System drive [the one with ntldr, boot.ini etc] at the top. It could be that you have something like a network boot device at the top [having a CD/dvd combo there would not be a problem if no boot disk was in it]. By the way, does C:\ntdetect.com exist?
As for the bluescreen issue... just guessing here, but it could be that Setup loaded the wrong HAL for your motherboard during installation. Tell us the make, model of your mb, plus the HAL original name:
Go system32, rclick hal.dll, properties, version tab and select Original Name; post it here.

gerbil 216 Industrious Poster

Would be interesting to see a rootkit scan result. You could do it yourself with IceSword, RKR or Blacklight or run this which includes GMER:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

There is a good collection there. As Bob said, run MBAM and post that log plus the log of a hijackthis scan run afterward.

gerbil 216 Industrious Poster

You'll soon see.

gerbil 216 Industrious Poster

Weasel, if things are okay then to clean up you should:
-uninstall MBAM.
-delete C:\SDFix
-Run combofix /u
Then reset folder options to your preferences.

gerbil 216 Industrious Poster

Right. For techs they must be pretty convenient. For puddleducks like me, well, they beat cds for a lot of temp stuff.
I've never felt like taking apps on holiday with me.

gerbil 216 Industrious Poster

Looks sweet. Just do a manual check that this thing is really gone:
C:\DOCUMENTS and SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\Temp\catchme.sys
And if all seems fine, then... all is fine. Cheers.

gerbil 216 Industrious Poster

I was being serious, Bob.. I rarely use the lil fellows... maybe to take some photos etc over to some other puter or to get a special printing job done, and I format them with FAT32. And whenever I click the lil tray icon it always says Cleared to Pull or similar immediately, so I don't check anymore, just whip em out. The sys seems to understand...
With FAT32 file transfers appear to be not cached, so when the hourglass is gone the file is there. I did try NTFS for a bit, but with that format copying may not be done immediately, hence you have to advise the sys that you wish to unplug.
Heck, when I bought my first I thought this will come in handy, an sure enough, at least 3 months later, it did.
I shall have to play with making one bootable, and if I can sort out keeping my BIOS files on one for reloading, then my floppy drive is so gone.

gerbil 216 Industrious Poster

"After a recent Senior Moment, I re-installed XP and have since encountered countless problems. The latest being that I have to press F11 on start-up and arrow down to HDD."
Why does he have to use the F11 one-shot boot device selection? BIOS should not go there by itself unless there is an interrupt? There is a boot problem.. somewhere...
Separately, and yes, a BSOD occurs when there is a driver loading issue, way after boot.ini is finished with. So a driver or service is bad, even one from LKG.

gerbil 216 Industrious Poster

Weasel, could you post the combofix log also? C:\combofix.txt
And the SDFix log; it's saved into the SDFix folder as Report.txt.

gerbil 216 Industrious Poster

Hello, cliff... most of us will suffer senior moments if we are lucky enough. Could I have a look at your boot.ini file, please? It is C:\boot.ini [you must set to show protected op sys files].
Else this will retrieve it for you - go Start, and paste into the Run box:
control sysdm.cpl,,3
...press the Startup n Rec Settings button, then the Edit button.

gerbil 216 Industrious Poster

Weasel, don't use that previous script - I missed one file to delete, so use this modified version instead. The vundo infection there appears to have rootkit capabilities. I should also point out that your friend has had a keylogger trojan on his sys and so it is important that he changes important passwords and bank accounts that he may have accessed from the computer.
The new CFScript.txt:

Killall::

File::
C:\WINDOWS\system32\aKUBdMoq.ini2
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUMENTS and SETTINGS\ADMINI~1\LOCALS~1\Temp\catchme.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00

gerbil 216 Industrious Poster

Ah, nice, weasel.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00

Good. Now drag the CFScript.txt icon onto the Combofix icon [mycmbfx.exe] on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Please now run sfc /scannow
You should now be able to update MBAM and run it also; post the log.
There should be no need to run the other scans.

gerbil 216 Industrious Poster

Just a query... I guess I under-utilise thumbdrives cos I only use them for file transport, but... all this only applies if you've formatted them to NTFS, right? Or running apps from them?

gerbil 216 Industrious Poster

Those addies given for the dls seem to jam on the actual dl. I did use that page successfully a week back, so it looks like M$ has a glitch in their own system.
I switched to Comodo Firewall Pro a month or more ago. It is comprehensive in its guarding of your sys, definitely not one for those who like to install a firewall/defence and forget about it. To live best with it you must interact thoughtfully with its popup permissions windows, but it is on the job. I like it.

gerbil 216 Industrious Poster

In the Recovery Console you can use this command:
type c:\boot.ini ... to but view the file.
bootcfg /rebuild will give you the opportunity to set the correct boot.ini, though.

gerbil 216 Industrious Poster

Ed, disconnect from the web, shut down your AV and firewall, any other resident protection so that you have only Windows' native processes running, and check again.
http://technet.microsoft.com/en-us/sysinternals/default.aspx is the addie you want.

gerbil 216 Industrious Poster

There are tools out there, so far not free afaik, that will run a scan of a pendrive whenever you insert one. Try a search, "antivirus pendrive thumbdrive". Of their efficacy I have not a clue. You can also configure a decent firewall so that such files are detected and blocked. Comodo Firewall Pro is such a one, but it is not to everyone's taste because it is so thorough. I like it.

gerbil 216 Industrious Poster

Main problem, caper, is to get any exes to run. Most sys ones do, but not sfc.exe, and not so far any tool exes I have suggested. It's fun.... may be a simple blacklist at work, but it is not started via the methods that hijackthis lists.
Weasel.. combofix: rename the desktop icon to MyCF55.exe, then dclick it. Remember to turn off net connection, firewall, system defence and AV first. If it runs you may find that it has timed out, in which case it will tell you so & delete itself, > dl a fresh copy.
[system defence? the sort of thing that comes with, say, Comodo - it would drive you nuts as CF tries to install and run]

gerbil 216 Industrious Poster

VIRUS ALERT!... yeah, weasel, I did notice that the header of your Hijackthis log was modified to include that [your sys clock has been affected]. Virus Alert! is relatively easy to fix, our problem is something that came in alongside it and appears to have blacklisted a lot of removal tools which would remove Virus Alert and perhaps this other infection.
Let's try this now:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Immediately rename the file to SMFix.zip, then extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and rename smitfraudfix.cmd to SMFix.cmd; double-click SMFix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ ..
Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
or here: http://www.bleepingcomputer.com/resources/link252.html
and save it to your desktop. Rename SDFix.exe to MySD.exe; dclick MySD.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=Please clean with CCleaner.
=You MUST restart your computer in Safe Mode.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will …

gerbil 216 Industrious Poster

"I wouldnt mind at all but i cant get to the login screen." Even in Safe Mode? Then use Recovery Console to get boot.ini. It is C:\boot.ini

gerbil 216 Industrious Poster

Yep, the file has a corruption...it's from google. And even when it runs....

gerbil 216 Industrious Poster

In safe mode.. would you mind giving us a copy of your boot.ini?
Paste into the Run window: control sysdm.cpl,,3
Startup n Recovery, Settings, press the Edit button.

gerbil 216 Industrious Poster

My sys, clean as, with no apps running, jus os processes and no page faulting [not accessing page file...], and not sitting long enough for windows file reorg to kick in, flicks the hdd light bout once a sec. No head movement though. I'm happy.

gerbil 216 Industrious Poster

First one is easy: Go Start, Run, enter regedit
Navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Change [rclick and use Modify] RegisteredOwner to MyLilBunnykins
Or if you prefer this will do it for you:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="MyLilBunnykins"

gerbil 216 Industrious Poster

Aw, heck, pinki, you always had Panda as your resident AV...! So I guess no result from the online scan then, or at least no need to do it.
Fix these orphans with hijackthis. You will need to turn off Spybot's teatimer temporarily while you do it.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4C0EEB64-9B1C-4A1E-B000-2B0701E8E9CA} - (no file) - a trace of your pest...
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
And if all is working well for you.. you're fine to go.
Cheers.
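
Added example, not part of the original post and not HijackThis code: a Python pass over HijackThis log lines that picks out entries like the ones listed above, whose registry reference survives but whose file is reported as "(no file)" or "(file missing)", or whose O16 entry has no source. The function name `find_orphans` and the final sample line are constructed for illustration; the other sample lines are the entries from the post.

```python
import re

# Section code, entry kind, then the rest of the line,
# e.g. "O2 - BHO: (no name) - {CLSID} - (no file)".
LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<kind>[^:]+):\s*(?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Entries from the post above, plus one constructed healthy entry for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4C0EEB64-9B1C-4A1E-B000-2B0701E8E9CA} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""


def find_orphans(log_text):
    """Return (section, kind, clsid, reason) for each orphaned entry."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines, blank lines, anything not an entry
        rest = m.group("rest").strip()
        clsid = CLSID.search(rest)
        reason = None
        if rest.endswith("(no file)"):
            reason = "no file"
        elif rest.endswith("(file missing)"):
            reason = "file missing"
        elif m.group("section") == "O16" and clsid:
            # An O16 entry normally names a source after the CLSID;
            # nothing left but separators means the source is gone.
            if not rest[clsid.end():].strip(" -"):
                reason = "no source"
        if reason:
            findings.append((
                m.group("section"),
                m.group("kind").strip(),
                clsid.group(0) if clsid else None,
                reason,
            ))
    return findings


if __name__ == "__main__":
    for section, kind, clsid, reason in find_orphans(SAMPLE_LOG):
        print(f"{section:<4}{kind:<15}{clsid}  {reason}")
```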

gerbil 216 Industrious Poster

It cannot be policy blocking the exes from running because you would get a warning about it, although you could check in the Event Viewer [under admin tools], Software, to see if there have been any block events. I cannot figure what could block some system exes like sfc.exe, but not regedit.exe; still allow you to run some third party software app exes, eg.? CCleaner, Unlocker but not others such as those I have requested or activeX's. How did Clam get by it? There must be a blacklist file of exes in your sys in some malware....
In the zipped file is a list of "cohort" files that are associated with the trojans you had. Just open a cmd window and paste in each of the two lines, making sure wordwrap is not checked in notepad.
And if that does not help then perhaps there is nothing for it but to follow one of two restoration plans depending on whether the pc has valuable data/files/applications.
If it does then the aim would be to Repair windows, which would keep all data and most applications intact, including any malware which could simply break the new installation.
Copying off data is an option, with fingers crossed that the problem is not due to a worm or virus.
Reinstalling windows without a formatting of the partition would expose the new OS to the same risk.
Personally, I'd go for the Repair cos it takes but an hour …

gerbil 216 Industrious Poster

Hello weasel... Okay, thanks...lessee, do you have this file by any chance?:
C:\Windows\System32\Drivers\tdssserv.sys
-delete it. There may be others like this:
C:\Windows\System32\tdsss?.dll ..where the ? represents other letters.
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=You must restart your computer in Safe Mode:
- Log in by using the Administrator account.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

gerbil 216 Industrious Poster

More, weasel... fix your exe associations keys in registry with this reg file:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
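
Added example, not part of the original post: a Python check that reads a text export of these keys and reports where the `.exe` association differs from the values the .reg file above sets. The names `parse_reg` and `check_exe_association` and both sample exports are constructed for illustration; the altered export uses placeholder values.

```python
import re

# Values the post's fixkey.reg sets for the three keys that decide how .exe
# files are launched. The rest of that file is not checked here.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\.exe", "@"): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\exefile\shell\runas\command", "@"): '"%1" %*',
}

_KEY = re.compile(r"^\[(.+)\]$")
# Value name is @ (default) or a quoted string. Only string data is parsed,
# so hex: and dword: lines are skipped.
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {(key, value_name): data}, key and name lower-cased.

    `text` must already be decoded (regedit exports are usually UTF-16).
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            name = m.group(1)
            name = "@" if name == "@" else _unescape(name[1:-1]).lower()
            values[(key, name)] = _unescape(m.group(2))
    return values


def check_exe_association(text):
    """Return (key, name, status, found) for each value that is off."""
    values = parse_reg(text)
    findings = []
    for (key, name), want in EXPECTED.items():
        got = values.get((key.lower(), name.lower()))
        if got is None:
            findings.append((key, name, "missing", None))
        elif got != want:
            findings.append((key, name, "unexpected", got))
    return findings


# Constructed sample: the relevant keys as the post's .reg file sets them.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

# Constructed sample with placeholder values: the class name and the open
# command have been changed and the runas command is absent.
TAMPERED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="otherfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\placeholder\\unknown.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    for key, name, status, found in check_exe_association(TAMPERED_EXPORT):
        print(f"{status:<11}{key} [{name}] -> {found}")
```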

gerbil 216 Industrious Poster

What happens if you use TM to stop the explorer.exe process, and then use it to start one of your problem .exe pgms? You can try this in Safe mode.

gerbil 216 Industrious Poster

Heya, Bob.
Ports for TCP\IP.... Port 80 is used for HTTP by convention, and Windows has basically facilitated apps using it to communicate to distinguish their respective transfers. Not so with other ports - problems arise cos sware writers set specific ports into their apps instead o letting the OS hand them a free one. Which is where SMSvchost comes in - it allows pgms to share ports. SMSvchost is mostly used, no, specifically used, by .NET apps. Seeing any connection here? I think you have a "dud" .net app from a month ago.
There was a request to start the service, which failed. Unfortunately there is no indication of what process initiated the request, but it would be from a .NET app. Is your .NET Framework up to date? I use vsn 1.1 with a hotfix kb928366, but there is a later version...

gerbil 216 Industrious Poster

"net accounts" is the cmd you are looking for.. you run it in a cmd window. It is one of the net services commands, and help is here...
Paste this into a run window: %windir%\hh.exe ms-its:%windir%\Help\ntcmds.chm::/ntcmds.htm
or on the net here: http://www.ss64.com/nt/net_useradmin.html
Of course, that method treats your wife as an equal.. that may not suit your religion, or you may just wish to keep that little bit of extra control over her... so in that case use "net user"
Help is in pretty much the same places.

gerbil 216 Industrious Poster

Listed for startup.. you want these pgms to be running when [or as] Windows starts? So you set this up using the Task Scheduler? And have you tried reinstalling those pgms? Still fail to start automatically? Personally, I prefer commonly used items to lie in the QuickLaunch bar, less frequently started ones are pinned in the Start menu. But that is all about me, not you. So okay, it could be that your task scheduler is losing the plot, so lets take a spanner to it. Grab your XP installation cd; search down in C:\Windows\inf for mstask.inf. Rclick it, choose Install and follow on from there. You will be told what to do with the cd. Or it may be that you have the I386 directory already in the C: root.

gerbil 216 Industrious Poster

With a description of the symptom such as that [brief, no detail] I'll aim for one or more of four things: software problem, power supply problem, poorly seated heatsink, or other hardware problem.
Power off, unplug and get in the side, unplug n replug everything you can see including RAM, check the heatsink is clipped down.... on it goes. Disconnect all drives and try to start....

gerbil 216 Industrious Poster

taskkill is the command you want, and if you write your own batch file you will be so proud. Here is all the help you need for that: go Start, and paste into the Run window...
%windir%\hh.exe ms-its:%windir%\Help\ntcmds.chm::/ntcmds.htm
Enjoy.