Autoruns - File Not Found

I run CCE every now and again on top of my normal scanning routine, and decided to go down Autorun’s list and realized there were several file not found errors on it. A quick Google search on most revealed them to be debris of things I’d uninstalled in the past (and a couple of missing codecs, somehow), and after a back up I cleared the entries from the registry. There are two, however, that are particularly worrying for me, as I can’t find much about them on Google.

There’s an entry for a SysInfo.sys, supposedly that had once resided in System32/drivers, and a Winsock.sys, in the same folder. Neither file is on the PC anymore and I’ve never had any malware problems or strange behavior to speak of from the PC. I can find next to nothing pertinent on SysInfo.sys, and what little I can find on Winsock.sys is troubling, but still sparse.

I’m not so certain these are Microsoft drivers that I’ve somehow lost, though I suppose they could be, but I also can’t find enough information to write off the remnants of their existence as nothing to worry about. Are these traces of some malware that I never found, or just some really poorly chosen names for the (safe, legitimate) drivers to something I’ve uninstalled in the past? The only things I can recall offhand installing and then uninstalling would have been iPod related, Motorola smartphone related, and I tried those MotioninJoy drivers for the PS3 controllers a while back but ripped them out of my rig in annoyance.

Hi Kynera,
I would speculate that they are nothing to worry about.
Just a guess, maybe a temporary associated file is created when using certain Windows applications.

I have ‘winsock.sys’ autorun entry on two systems without any associated file (Screenshot of the registry entry).

Use caution in Windows registry.
You can right click on an autorun entry and select Jump To Entry to view the corresponding registry entry.
That might help shed some light on the ‘sysinfo.sys’ autorun entry.


I did jump to the SysInfo entry, but there’s little in it to give any indication to what it once was. I haven’t messed with either entry, though, and when I do mess with the registry I make sure to keep back ups. Most of what I’ve cleared out recently were things I knew I’d uninstalled and the programs were just abysmal at cleaning up after themselves.

I’ll attach my jury-rigged Paint Screenshot of the Sysinfo entry, but I suppose I’ll just leave it be. Especially seeing as whatever created it is gone and never caused any problems to speak of. I did go and check my Laptop with Autoruns for a control group of sorts. It was reformatted not too long ago and hasn’t had much put on it but an AV program, Steam, and my MMOs. :P It, too, has the Winsock entry so I’ll write that off as a Windows oddity.

I really need to stop being paranoid about my PC, basically.


Hi Kynera,
Agreed the registry information did not give a lot away.
IMO I think it would be a benign entry and I would just leave it sit in peace.
Edit: Corrected typo.

Winsock.sys may look like a Windows XP system file. But the name of that system file is winsock.dll which resides in the system32 folder. Google does not give a clear cut picture about the file.

Sysinfo.sys is also not very clear where it originates from. I suggest to disable the two autostart entries and see if that makes a difference or not. Most likely not would be my best guesstimation.

hello. i also have some “file not found” entries in comodo autorun analyzer, but i found almost all of them on a windows xp pro sp2 cd. i’m presently running win xp pro sp3. should i copy them where comodo says they should be? i made a screenshot. and secondly, someone said that comodo autorun can be updated. my version is 6.1. thanks.


If the Windows logs (Control Panel → Administrative Tools → Event Viewer) don’t show warnings that it is missing those drivers, then don’t worry.

When you want to know what the drivers are for, try a Google search for them. The first three of them are for an Adaptec SCSI adapter. The fourth one appears to be a chipset driver for an Ali chipset, judging by the name. When not using a motherboard with an Ali chipset or using an Adaptec SCSI driver, it’s nothing to worry about.

oh, but it shows errors. here are a few.

Event Type: Error
Event Source: sr
Event Category: None
Event ID: 1
Date: 5/31/2013
Time: 2:04:08 AM
User: N/A
Computer: CATALPT
Description:
The System Restore filter encountered the unexpected error ‘0xC0000056’ while processing the file ‘mshtml.dll.new’ on the volume ‘HarddiskVolume1’. It has stopped monitoring the volume.

For more information, see Help and Support Center at Microsoft Support.

end

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 5/31/2013
Time: 1:41:35 AM
User: N/A
Computer: CATALPT
Description:
The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at Microsoft Support.
end

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 5/31/2013
Time: 12:53:23 AM
User: N/A
Computer: CATALPT
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at Microsoft Support.
end

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 5/31/2013
Time: 12:33:16 AM
User: N/A
Computer: CATALPT
Description:
The following boot-start or system-start driver(s) failed to load:
CFRMD

For more information, see Help and Support Center at Microsoft Support.
end – this one appears most often.

It is missing the cfrmd driver. This one belongs to Comodo System Utilities. Did you have it installed in the past? Then remove the entry. Or when it is installed follow the advice in CFRMD error.

A missing driver shown in Autoruns is not necessarily a problem. By default Autorun programs may show 6 missing on XP. Explanation here under point 12: http://forum.sysinternals.com/faq-common-autoruns-issues_topic4719.html .

Event ID 4226 simply says the internet connection reached its limit of how many concurrent connections Windows will handle by default. This is a bit conservative and the limit was set with XP2 after malware had hit the XP platform pretty badly back in the days. Are you running a p2p client with enthusiast network settings? Nothing to worry about. There is a hack to change this limit: www.LvlLord.de - Tipps, Tricks & Utilities - News .

The events where the IMAPI and System restore filter are crashing worry me a bit more. Please run checkdisk on your system partition, and other partitions while at it, to make sure the file system is intact: http://www.ehow.com/how_6768694_run-chkdsk-cmd.html .

Then run system file checker to make sure your Windows installation is intact: How To Use Sfc.exe To Repair System Files - Microsoft Windows Mini-Guides .

As stated before, the file not found entries are not in themselves indicative of a problem. Only when the driver is needed and cannot get loaded is there a problem.

The rest that we find is just the result of diverting a bit.
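The check described in the reply above (a "file not found" entry only matters when Windows needed the driver and logged a load failure) can be run over an Event Viewer text export. This is an added example, not part of any forum post; the sample events, the function names and the assumption that the Autoruns entry name matches the driver name listed in event 7026 are all constructed for illustration.

```python
import re

# Constructed sample in the Event Viewer text layout quoted in this thread.
SAMPLE_EVENTS = """\
Event Type: Error
Event Source: Service Control Manager
Event ID: 7026
Description:
The following boot-start or system-start driver(s) failed to load:
CFRMD

For more information, see Help and Support Center.

Event Type: Warning
Event Source: Tcpip
Event ID: 4226
Description:
TCP/IP has reached the security limit imposed on concurrent connect attempts.
"""

def parse_events(text):
    """One dict per 'Event Type:' record; text before the first record is dropped."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text)[1:]:
        header, _, description = chunk.partition("Description:")
        pairs = re.findall(r"(?m)^([A-Za-z ]+?):[ \t]*(.*)$", header)
        event = {key: value.strip() for key, value in pairs}
        event["Description"] = description.strip()
        events.append(event)
    return events

def failed_drivers(events):
    """Lower-cased driver names listed in Service Control Manager 7026 events."""
    names = set()
    for ev in events:
        if ev.get("Event Source") != "Service Control Manager" or ev.get("Event ID") != "7026":
            continue
        for line in ev["Description"].splitlines()[1:]:
            if not line.strip():
                break  # the driver list ends at the first blank line
            names.add(line.strip().lower())
    return names

def triage(missing_entries, events):
    """Map each 'file not found' entry to whether a load failure was logged for it."""
    failed = failed_drivers(events)
    return {name: "failed to load" if re.sub(r"\.sys$", "", name.lower()) in failed
            else "no failure logged" for name in missing_entries}
```

Entries reported as "no failure logged" are the stale leftovers discussed in this thread; an entry reported as "failed to load" points at a driver Windows still tries to start.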

ok. thanks for your reply/advice.

Can you post back if checking the file system and running system file checker made some changes and whether the events 1 and 7034 reoccurred or not?

hello. first, i forgot to say that YES, i had installed comodo system utility and uninstalled it with the tool pointed in this forum, somewhere.
second, this is the log from sfc:
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64017
Date: 6/2/2013
Time: 12:21:18 AM
User: N/A
Computer: CATALPT
Description:
Windows File Protection file scan completed successfully.

For more information, see Help and Support Center at Microsoft Support.

those are from the 2/2 local disk check:

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 6/1/2013
Time: 11:58:38 PM
User: N/A
Computer: CATALPT
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 241 unused index entries from index $SII of file 0x9.
Cleaning up 241 unused index entries from index $SDH of file 0x9.
Cleaning up 241 unused security descriptors.
CHKDSK is verifying Usn Journal…
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)…
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)…
Free space verification is complete.

40957685 KB total disk space.
34542636 KB in 49402 files.
18788 KB in 8402 indexes.
16 KB in bad sectors.
294689 KB in use by the system.
65536 KB occupied by the log file.
6101556 KB available on disk.

  4096 bytes in each allocation unit.

10239421 total allocation units on disk.
1525389 allocation units available on disk.


Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at Microsoft Support.

AND

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 6/1/2013
Time: 11:11:59 PM
User: N/A
Computer: CATALPT
Description:
Checking file system on D:
The type of the file system is NTFS.
Volume label is Local Disk.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up 4 unused index entries from index $SII of file 0x9.
Cleaning up 4 unused index entries from index $SDH of file 0x9.
Cleaning up 4 unused security descriptors.
CHKDSK is verifying Usn Journal…
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)…
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)…
Free space verification is complete.

76252490 KB total disk space.
57810008 KB in 14482 files.
3384 KB in 242 indexes.
0 KB in bad sectors.
99502 KB in use by the system.
65536 KB occupied by the log file.
18339596 KB available on disk.

  4096 bytes in each allocation unit.

19063122 total allocation units on disk.
4584899 allocation units available on disk.


For more information, see Help and Support Center at Microsoft Support.

the two events you were interested in haven’t been occurring, at least for now. thank you for your help and i wish you not to have a hardware/software/virus/malware issue EVER !!

Good to see that checkdisk made corrections.

Did you also run system file checker?

yes. this one is the log from SFC.
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64017
Date: 6/2/2013
Time: 12:21:18 AM
User: N/A
Computer: CATALPT
Description:
Windows File Protection file scan completed successfully.

For more information, see Help and Support Center at Microsoft Support.

Did the reported events return or did they no longer show up until now?

the error with the system restore is the only one that appeared again today. i was scanning with CCE just now, and after the pc rebooted, i got a message saying that windows can’t access the specified device/file/path. i’ve made a screenshot.


That sounds like a problem with access rights to cce.exe. Can you show the Security tab of the Properties of CCE?

ok. here it is.


Can you see if System and Administrators have Full Control?

yes, they have.