how to restore "system.ini crypt32chain crypt32.dll" etc



torchw
2007-05-29, 10:29
When in Spybot-S&D > Tools > System Startup screen, I was too quick to delete the entries related to:

System.ini, crypt32chain crypt32.dll
System.ini, cryptnet cryptnet.dll
System.ini, cscdll cscdll.dll
System.ini, ScCertProp wlnotify.dll
System.ini, Schedule wlnotify.dll
System.ini, sclgntfy sclgntfy.dll
System.ini, SensLogn WlNotify.dll
System.ini, termsrv wlnotify.dll
System.ini, wlballoon wlnotify.dll

Now I think these are legit and necessary. I would appreciate any advice on how to restore these entries. Thanks.

md usa spybot fan
2007-05-29, 13:26
Try a System Restore to a Restore Point taken prior to when you deleted the entries.

torchw
2007-05-31, 19:14
Here is a more complete story, perhaps it would be of help to someone with similar issues.

Quite a while ago, probably after I upgraded to Spybot 1.4, these entries popped up. Some searching of some of the words, such as crypt32chain, showed that crypt32chain.dll was a known virus. But I didn't recognize that while crypt32chain.dll was a virus, crypt32chain as a tag in the registry was legitimate. So I disabled and removed these entries, with no apparent ill effect.

Fast forward to a few days ago, a fresh install of Windows XP also had these entries detected. Some more searching this time led me to think these are legit. But I could not use System Restore to restore these on the older computer because they were removed long ago.

The solution was to use regedit (for the first time) to export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" from the new computer and import them to the older computer.

For a while, I could not do Windows Update on the older computer. I mistakenly blamed it on some online game software. But after these entries are restored, Windows Update works again. So after using the computer with these removed for a year, the only ill effect I know of is Windows Update would not work without them.

md usa spybot fan
2007-05-31, 20:40
You're not the first one to have deleted the entries and probably won't be the last. At least you didn't cast blame on Spybot for even listing them in their System Startup Tool so that they could be deleted and then want to know "…the individual(s) who is(are) responsible …" as was done in the following post:
Why are System.ini entries even identified at Startup?
http://forums.spybot.info/showthread.php?t=3931
__________________

The following registry key is used by other processes besides Windows Update (SUPERAntiSpyware for example) and can be used by malware:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

Most anti-malware products do not identify these entries as startup entries and therefore leave an exposure for malware startup entries. However, as you learned, extreme caution must be used when modifying startup entries.
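
Added example, not part of the original thread: a small Python audit of a regedit export of the Winlogon\Notify key, checked against the nine entries listed in the first post before anything is deleted or imported. The sample export and the `examplehook` subkey are constructed; the helper names are this example's own, and it assumes the loaded DLL is stored in each subkey's `DllName` value.

```python
import re
# Baseline: the Notify subkey -> DLL pairs listed in the first post of the thread.
KNOWN = {"crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
         "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
         "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
         "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
         "wlballoon": "wlnotify.dll"}
PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
          "\\Winlogon\\Notify\\").lower()

def decode_value(raw):
    """Decode a .reg value: a quoted string or hex(2) (REG_EXPAND_SZ, UTF-16LE)."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", raw[7:]))
        return data.decode("utf-16-le").rstrip("\x00")
    return None

def parse_notify(reg_text):
    """Return {subkey: DllName} for the direct subkeys of Winlogon\\Notify."""
    text = re.sub(r"\\\r?\n", "", reg_text)  # join continued hex lines
    entries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            name = key[len(PREFIX):] if key.startswith(PREFIX) else ""
            current = name if name and "\\" not in name else None
            if current:
                entries.setdefault(current, None)
        elif current and line.lower().startswith('"dllname"='):
            entries[current] = (decode_value(line.split("=", 1)[1]) or "").lower()
    return entries

def audit(reg_text):
    """Return (missing baseline subkeys, entries not matching the baseline exactly)."""
    found = parse_notify(reg_text)
    missing = sorted(k for k in KNOWN if k not in found)
    unexpected = sorted((k, v) for k, v in found.items() if KNOWN.get(k) != v)
    return missing, unexpected

# Constructed sample export (not taken from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,\
  64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplehook]
"DllName"="example.dll"
"""
```

Files exported by regedit in the "Version 5.00" format are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`. Entries reported as unexpected are candidates for review, not proof of malware: the baseline is only the list from this thread, and other legitimate software may register its own subkey.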