Sorry for delay first of all, & missing this thread period - I was not online for nearly a week, due to holiday travels/vacation:
Secondly - Humor me, & READ THIS CLOSELY + pay attention to its details (we are going to go @ this from the 'basics', onwards):
1.) Turn the services you disabled ON again... whatever ones those are, first. You mentioned doing that above.
2.) THEN, get out MSConfig & run it...
(Leave MsConfig's services sections ALONE above all else @ this point - by that I mean, do NOT disable services now, & re-enable ANY you turned off, again, since you mention having done that above...)
3.) LASTLY, when the above 2 are done? Then, go after ANY of the registry "RUN" & startup group areas possible!
(I am NOT sure if MsConfig covers ALL of them possible is why I state that, & if you look @ the lists below? It may not, but I am FAIRLY SURE the list below IS absolutely comprehensive!)
* For your reference, for using regedit.exe, to prune the registry "RUN" areas, they are as follows:
========================
<Prior to Logon Prompt>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
-------------------------------
<Logon Prompt>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
StartUp Folders (BOTH the COMMON TO ALL USERS type & CURRENT USER only folder type)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
========================
<SPECIAL STARTUP POSSIBLE AREAS NOT LISTED ABOVE>
A.) Explorer.exe app launching (not a lot of folks know this one)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe EXAMPLE OF A MALICIOUS SPYWAREMALWARE STARTED BY EXPLORER.exe"
(This last one above, with the SHELL line? It is an example of apps that can be 'kicked off' by EXPLORER.EXE itself as it starts... it IS a possibility & an area spyware/malware CAN hide in - ALL THAT SHOULD BE THERE IS EXPLORER.EXE & NO OTHER APPNAMES AFTER THAT!)
B.) There is also an area in the registry that has an entry called UserInit.exe that can also startup apps & scripts also EDIT PART - It IS the same as the last area (winlogon) that I noted above:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
PAY ATTENTION TO THE USERINIT VALUE for this one!
C.) Also, be aware that C:\autoexec.bat can be parsed as well during startups, & may contain launch of program information, plus on networks logon scripts can do the same & are often housed in .bat or .cmd files...
D.) It may be in the System.INI OR Win.INI files in the Windows section in a Run= or
Load= lines they may have (win.ini only iirc but check both anyhow), but doubtful... still, do LOOK there as well, IF this is a spyware/malware thing!
APK
P.S.=> A good antivirus & antispyware scan cannot hurt (make SURE both have their "signatures" updated current) as well!
Now, I am not "110% absolutely sure" if you can run many of these WITHOUT being in "normal mode"... resident scanning I am fairly certain you can't, but manual scans MAY be possible (especially w/ antivir programs, antispyware progs SHOULD run in safe or normal mode no problem)... apk