some ? in windows register

Ciao,
in my winXP sp2 register, I have found some commands with a "?" after the
disk letter "c", as for example:
c?\windows\microsoft.net\framework\v2.0.50727\Microsfot.Common.tasks .
In other words "?" replaces ":" .
Is there a possible reason or maybe I should correct all of them?
Let you observe in addition that to solve (I hope) a strange problem
(ntvdm.exe started after adsl connection occupying the whole cpu), I found
and removed in HKLM\software\microsoft\user media\tool user, the command
c:\windows\tasks\ipfqykg\crfyNpnoo.dat (I checked that this occurred each
time before ntvdm.exe). I do not know if there is some correlation, but I
suspect some problem with microsoft.net or asp.net. I have not found any
virus or malware. Thank you in advance for your help.
 
c:\windows\tasks is where .job files are located. .Job files are Windows
Task Scheduler Task Objects. .Job files are created when you use the Task
Schedule to Schedule something.

c:\windows\tasks is where you can find Add Scheduled Task.

c:\windows\tasks is where malware sometimes likes to hide.

c:\windows\tasks\ipfqykg\crfyNpnoo.dat is probably related to some kind of
malware.

wowexec.exe is used in conjunction with ntvdm.exe to run old MS-DOS
16-bit applications. ntvdm.exe is NT Virtual DOS Machine. NT is New
Technology. Windows XP is really windows NT 5.1.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
And I've checked all our systems here and cannot find:

HKLM\software\microsoft\user media\tool user

in the registry on any of them.
 
Thank you very much for your answers:
As I said, using a lot of antivirus/antispy it was not possible to find any
malware. However, in the windows directory I found also a ".exe" with random
name (like dtyxw..exe) that was referring to the register key "video
streaming", present at the same level as "user media". In "video streaming" a
numerical value was set to the string "license expire data" and I also removed
this value. Initially I suspected some trouble caused by Windows
Desktop Live that was located in c:\windows\tasks as well, and I removed it
too. By using Norton GoBack I have seen that ntvdm.exe started after the adsl
connection (rasphone.exe): then a ping to the google site occurs, and some
"random" .exe are launched up to the final one
"c:\windows\tasks\ipfqykg\crfyNpnoo.dat": then ntvdm.exe started.
Yesterday, I found that c:\windows\tasks\ipfqykg\crfyNpnoo.dat was present
in "HKLM\software\microsoft\user media\tool user" and I removed this command.
For the moment, it seems that ntvdm.exe does not start anymore, but it is not
clear what caused the problem and if it is really solved.
Do you think I should delete "user media" and "video streaming" in the
windows register? Thank you for your additional comments.
 
An additional comment to Wes: are you sure that c?\ is comparable to \\?\ ,
as indicated in the Microsoft link you suggested, for cases >260 characters?
And why use this setting for a command such as
c?\windows\microsoft.net\framework\v2.0.50727 , where the characters are no
more than 20 or 30?
Thank you.
 
The three people you cited are always myself (!)
It is time that I am searching a solution..
What about the other question? (i.e. c?\..)
 
giordi,

dtyxw.exe is probably some sort of malware. I would delete it, but first...

In your Windows folder, right click dtyxw.exe | Properties | Version tab

There should be a description on both General and Version tabs.

This info is part of the file and not all files have real good info.
Especially if it is spyware or a virus. Or whoever put it together was lazy
or secretive.

On the Version tab.

Click a category on the left to display the information on the right.

Other version information
Item Name:
Company
File Version
Internal Name
Language
Original File Name
Product Name
Product Version

Sometimes, if someone was really industrious, there is info under the
Summary tab also.

16-bit programs do not have a Version tab.
-----

rasphone.exe is Remote Access Phonebook and is a 32 bit program on my
machine.

rasphone.exe should not start ntvdm.exe.

rasphone.exe is related to the Remote Access Connection Manager service.
rasphone.exe will not start if the Remote Access Connection Manager service
is not running.

My GUESS is that you got some kind of malware that might have installed a
dialer.

See Fraudulent dialers
http://en.wikipedia.org/wiki/Dialer#Fraudulent_dialers
-----

c:\windows\tasks\ipfqykg\crfyNpnoo.dat

I would delete the ipfqykg folder.

Apparently you have posted before.
ping to google
http://www.microsoft.com/communitie...&tid=818c9022-3d36-4e91-b005-3b4833808543&p=1

From that post...

ntdvm.exe -f -i1

Ntdvm.exe is a Trojan. Ntvdm.exe is a legit XP file.

Unless Ntdvm.exe was a typo, do a Search on your machine for Ntdvm.exe.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
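
The two checks raised in the reply above (a file name that is one slip away from a genuine system binary, such as ntdvm.exe versus ntvdm.exe, and files sitting in a subfolder of c:\windows\tasks) can be automated over a file or process listing. This is an added example, not part of the original thread; the reference set `KNOWN_SYSTEM`, the function names and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumption: a small reference set of genuine XP system binaries.
KNOWN_SYSTEM = {"ntvdm.exe", "wowexec.exe", "rasphone.exe"}

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (dv -> vd) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(path):
    """Return the reasons a path deserves a closer look (empty list if none)."""
    folder, name = ntpath.split(path.lower())
    reasons = []
    if name in KNOWN_SYSTEM:
        # A genuine name is only expected in system32 (assumption of this sketch).
        if not folder.endswith("\\system32"):
            reasons.append("system file name outside system32")
    else:
        for legit in sorted(KNOWN_SYSTEM):
            if osa_distance(name, legit) == 1:
                reasons.append("lookalike of " + legit)
    # Scheduled tasks are .job files directly in Tasks; subfolders are unusual.
    if "\\windows\\tasks\\" in folder:
        reasons.append("file in a subfolder of Tasks")
    return reasons

def scan(paths):
    """Map each flagged path to its reasons; clean paths are omitted."""
    return {p: r for p in paths if (r := classify(p))}

# Constructed sample listing (only the Tasks path appears in the thread).
SAMPLE = [r"C:\WINDOWS\system32\ntvdm.exe", r"C:\WINDOWS\system32\ntdvm.exe",
          r"C:\WINDOWS\Temp\rasphone.exe", r"C:\WINDOWS\Tasks\backup.job",
          r"c:\windows\tasks\ipfqykg\crfyNpnoo.dat"]

if __name__ == "__main__":
    for path, why in scan(SAMPLE).items():
        print(path, "->", "; ".join(why))
```
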

 
I see that now.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
