# Deleted SysTray.exe and Both Rundll32.exe's from "SCU"



## knismo (Jul 11, 2003)

Hello, 
I was doing some cleaning in Windows98 SE when I accidentally deleted SystemTray (SysTray.exe) and BOTH LoadPowerProfiles (Rundll32.exe). My story goes like this:

I am running Windows98 SE Developers Edition using an Intel Pentium III Motherboard w/a 1.0 GHz Celeron Processor and 512MB RAM. I had this box running so smooth after reconfiguring, tweaking and cleaning. I haven't received an error message in well over a year and a half. I mean NO issues whatsoever.

I have been using Selective Startup for quite some time and noticed several entries in the "System Configuration Utility" that I wanted to get rid of. Being adventurous I set out to divide and conquer. My first step was to make sure I had the full working program installed and running before uninstalling them. Thinking this would be the best way to go I started off like this:

I Downloaded and/or Re-Installed these seven programs:

1.) AWS WeatherBug (remnants of/Re-Downloaded)
2.) BMLauncher (already installed)
3.) Eraser (already installed)
4.) Evidence Eliminator (remnants of/Re-Installed)
5.) PopUpKiller (already installed)
6.) ScriptSentry (remnants of/Re-Installed)
7.) The Cleaner (remnants of/Re-Installed)

Now I have all seven of the Full Programs up and running without a hitch. I then went under "Ctrl+Alt+Delete" and "End Task" making sure that ONLY the target program, "LoadPowerProfiles" and "System Tray" were the only items selected under "Normal startup".

I then uninstalled each program one at a time using either the Add/Remove Programs or the Un-install.exe that came bundled with the program. I did this for each of the seven programs and "Shut Down" waiting 30 seconds before starting the process with the next targeted program. All went well, I didn't have a single problem.

I switched back to "Selective startup" making sure ONLY "System Tray" and BOTH of the "LoadPowerProfiles" were selected. Again I shut down, waited 30 seconds before starting the computer again. Viewing the "Selective startup" I noticed that a few remnants of the above mentioned programs were left behind. If they are here they are also probably in the registry somewhere so I'll just remove them.

Wanting to rid these annoying strings and thinking I already had my Registry backed up I ran "PCForrest StartMan" for the first time. Sure enough it picked up on the strings so I proceeded to "delete" them and here is where my trouble began. Not paying attention to what I was doing "StartMan" was showing "SysTray.exe" and both "Rundll32.exe" highlighted in red: "This item is orphaned; that is, the target file..." so I deleted them. Realizing what I did and not wanting to save these changes I clicked "Cancel". What's this? The changes were made, apparently the "Cancel" didn't work. OK, not a problem, I'll just "Restore" the registry back to the way it was when I first started all of this. Sure enough, no recent Registry backup either. OK, so I will go find the "backup copy" of the StartMan session...no luck, I can't find it; does it even exist?
OK, just replace the SysTray.exe and the Rundll32.exe's using "System File Checker" "Extract and Restore". It didn't work either...Strike three.

Now here's the good part, the .exe's still do NOT show up in the "SCU" but yet this computer is still able to run programs, download, run scans etc. and it will restart without a problem. I did receive an error while "Norton System Works" was being updated but it was an error message about an interrupted download. I do allow NSW to run in the background, disabling it didn't seem to help matters. I am still trying to learn how everything works. Is it buggy? I will find out soon enough.

Now that everything still seems to be ok I am really confused. I don't want to take the chance on digging around adding, scanning, deleting or shutting the computer down altogether without trying to find more information. Can I get online to see if I can find the answers I am looking for? Yes! (another bonus) I browsed your site but didn't find a similar issue. I noticed others using "HijackThis" so I downloaded and ran it without a problem. I copied the information it found to Notepad and saved it. It does NOT have the SysTray.exe nor either of the Rundll32.exe's. Is there really an issue? Should I be concerned? Don't I need to add those .exe entries back into the registry? How do I add those exe's back into the registry? Just what exactly should I do? This is the first time I tried working with the registry so I am NOT very familiar with everything involved. Aw hell, who am I trying to kid here? I have no clue...I could definitely use some help.
Bueller? Bueller? Anyone? Anyone?

****************************************************

Logfile of HijackThis v1.95.0
Scan saved at 2:51:39 AM, on 7/11/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIGHJACKTHIS\HIGH JACK THIS ZIP\HIJACKTHIS.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://my.msn.com/default.armx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe"
O4 - HKLM\..\Run: [NPROTECT] "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"
O4 - HKLM\..\Run: [bpcpost.exe] "C:\WINDOWS\SYSTEM\bpcpost.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [CSINJECT.EXE] "C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [GhostStartService] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE"
O4 - HKLM\..\RunServices: [NPROTECT] "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] "C:\Program Files\Common Files\Symantec Shared\SymTray.exe " "Norton SystemWorks"
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTracePro\NTXcontext.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - 
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37779.3132407407
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=

*****************************************************************

StartupList report, 7/11/03, 2:57:55 AM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\HIGHJACKTHIS\HIGH JACK THIS ZIP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIGHJACKTHIS\HIGH JACK THIS ZIP\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LoadQM = loadqm.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
GhostStartTrayApp = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe"
NPROTECT = "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"
bpcpost.exe = "C:\WINDOWS\SYSTEM\bpcpost.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
CSINJECT.EXE = "C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE"
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
GhostStartService = "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE"
NPROTECT = "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"
SymTray - Norton SystemWorks = "C:\Program Files\Common Files\Symantec Shared\SymTray.exe " "Norton SystemWorks"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 10/7/2003, 18:56:16)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
NUL=C:\PROGRA~1\EVIDEN~1\\UNWISE.EXE
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET Path=%Path%;"C:\Program Files\Norton SystemWorks\Norton Ghost\"

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL - {EA7F9A52-0A05-11D2-98C5-00104B7229C2}
NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
My Search BHO - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL - {014DA6C1-189F-421a-88CD-07CFE51CFF10}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
Norton SystemWorks One Button Checkup.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37779.3132407407

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[MSN File Upload Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\MSNUPLD.DLL
CODEBASE = http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab

[MiniBugTransporterX Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MINIBUGTRANSPORTER.DLL
CODEBASE = http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 6,156 bytes
Report generated in 0.021 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

****************************************************

Thank you in advance for any help you may be able to give me...

~knismo~


----------



## knismo (Jul 11, 2003)

A little more searching and the answer was found...a bit surprised no one here had the answer...


----------



## gmh (Mar 29, 2003)

Since you have been enlightened, why not share your new knowledge with the rest of the community?


----------



## z13w1z (May 9, 2003)

Yeah, let us know your solution!!!!
Unfortunately, due to the size of these boards you can't always get an answer straight away!!
But it does encourage users to try and sort out their own problems.... so don't be closedmouthed about the solution; it may help someone else a lot quicker than it took you to sort it out.

That's what the boards are for.


----------



## knismo (Jul 11, 2003)

Enlightened...yeah let us know your solution...closedmouthed?

LOL, ok boys and girls, ladies and gents...Now remember this is the 1st time I ever touched the registry, let's keep that in mind. I searched for specifics on the subject at hand and I found exactly where the systray.exe and both rundll32.exe's are in the registry and how to create/edit/insert the information. I already had everything I needed and chances are good that you do too. Here is the information we need:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

Now all we need to do is create a .reg file with the info above. Double click the .reg file and the information will be installed right where it belongs. Simple, short and oh so sweet...

Hmmmmmmm, so how do you make that .reg file anyway?

Copy this in to Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

Then: Save as... (pick a word).reg

I have learned that many times there isn't a need to dig deep into Windows to fix an issue...remember KISS, read, search, read some more and be patient. You will find what you are looking for. This is the only way to learn or be "enlightened". LOL

You're welcome.

Take care...

~knismo~
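A way to check, before double-clicking a .reg file like the one in the post above, which autorun values it would write and whether the HijackThis log already lists them. This is an added example, not part of the original post; the function names and the two-line log excerpt are constructed for illustration.

```python
import re

# HKLM autorun keys the thread's fix is expected to touch (compared lowercased).
PREFIX = r"hkey_local_machine\software\microsoft\windows\currentversion" + "\\"
AUTORUN_KEYS = {PREFIX + "run", PREFIX + "runservices"}

# Constructed excerpt: two O4 lines in the form shown in the HijackThis log above.
HJT_LOG = r'''O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
'''

# The .reg text from the post, used here as the input under review.
REG_FILE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

def parse_hjt_autoruns(log):
    # Collect (key, name) pairs, lowercased, from HKLM Run/RunServices O4 lines.
    pat = re.compile(r"^O4 - HKLM\\\.\.\\(Run|RunServices): \[([^\]]+)\]", re.M)
    return {(k.lower(), n.lower()) for k, n in pat.findall(log)}

def parse_reg4(text):
    """Parse REGEDIT4 text into (key, name, data); data is None for a delete."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    key, out = None, []
    for ln in lines[1:]:
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            if key.startswith("-"):          # [-KEY] removes the whole key
                out.append((key, "", None))
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', ln)):
            data = m.group(2)                # "name"=- removes the value
            out.append((key, m.group(1), None if data == "-" else data.strip('"')))
    return out

def review(reg_text, hjt_log):
    # Sort each .reg entry into restores / already_present / needs_review.
    present = parse_hjt_autoruns(hjt_log)
    report = {"restores": [], "already_present": [], "needs_review": []}
    for key, name, data in parse_reg4(reg_text):
        leaf = key.rsplit("\\", 1)[-1]
        if key.lower() not in AUTORUN_KEYS or data is None:
            report["needs_review"].append((key, name))
        elif (leaf.lower(), name.lower()) in present:
            report["already_present"].append((leaf, name))
        else:
            report["restores"].append((leaf, name, data))
    return report
```

Calling `review(REG_FILE, HJT_LOG)` lists all three values under `restores`; anything that deletes data or writes outside the two autorun keys lands in `needs_review` instead.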


----------

