1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

msconfig, task manager, regedit woes

Discussion in 'Virus & Other Malware Removal' started by reckoner, Oct 1, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. reckoner

    reckoner Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    5
    ok i'm sure you've all seen the problem where task manager opens up then closes really fast. yes it could be a worm and all that, tried to remove the worm and all but it wasn't that. here's what i think it is. in my registry there's a thing running called LBZSFQHAKJ.EXE you try to rename it back to msconfig.exe and it just changes back. you can delete it, end the process through taskmanager.com (ug!) but it will just reload upon a reboot. how do i get rid of this stupid thing?! also now that i deleted it one time when i reboot i get like a windows error message that says "hole has encountered a problem and needs to close. We are sorry for the inconvenience." how do i fix this as well? any help is appreciated! thank you!
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    update your anti virus, temporaily disable system restore and run a FULL scan

    Then go to this site, and download 'Hijack This!'.

    Unzip it, launch Hijack This, then press Scan, and press Save Log

    This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    open that file
    Go to Edit | Select all
    Now click Edit | copy to copy it
    Come back to TSG, Right Click and paste its contents here
     
  3. reckoner

    reckoner Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    5
    here's my hijackthis log


    Logfile of HijackThis v1.97.2
    Scan saved at 8:13:04 PM, on 10/1/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\msrexe.exe
    C:\WINDOWS\System32\mshta.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\MarinAccess\Bluelight.com\spinwin.exe
    C:\Program Files\MarinAccess\Bluelight.com\SpinHelp.exe
    C:\WINDOWS\sllights.exe
    C:\Documents and Settings\Owner\Start Menu\Programs\msnmsgr.exe
    C:\Program Files\Portal\Portal.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.125.201.50
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\x3mdlmux.slt\prefs.js)
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.50 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\winshow.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [VB_run] C:\WINDOWS\comctl_32.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [MSConfig] LBZSFQHAKJ.EXE
    O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
    O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: ChatSpace Java Client 2.1.0.95L - http://69.20.131.251:8569/Java/cs4msl095.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50027/QDow.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1B7C57D3-D0A3-411F-987F-92ADB32D7A8A}: NameServer = 205.199.193.2 204.157.3.13
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1B7C57D3-D0A3-411F-987F-92ADB32D7A8A}: NameServer = 205.199.193.2 204.157.3.13
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You have quite a bit to deal with there.

    First download and run the Rapidblaster killer program:

    http://www.wilderssecurity.net/specialinfo/rapidblaster.html

    Then follow these directions to clean the trojan:

    Have a copy of these directions, and HijackThis in a convenient folder. Make sure "show hidden files" is checked in Folder Options > View (available from the control panel or any Explorer tools menu).

    1 -- Shut down completely and wait about 20 seconds. Press F8 promptly during restart to get the Boot Menu and select "Safe Mode"

    2 -- in Safe Mode find and delete the following files:

    C:\WINDOWS\System32\msrexe.exe
    C:\WINDOWS\comctl_32.exe
    LBZSFQHAKJ.EXE (you may have to search for this, as it may not be in the system32 folder

    3 -- Run HijackThis and check and "fix" all entries that are still present:

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.125.201.50

    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.50 sitefinder.verisign.com

    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\winshow.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [VB_run] C:\WINDOWS\comctl_32.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [MSConfig] LBZSFQHAKJ.EXE
    O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
    O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe

    4 -- reboot and post another Scanlog.

    We will probably also want you to installl, UPDATE, and run either Spybot or Ad-Aware after this.

    Spybot Instructions and Download
    Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73
     
  5. reckoner

    reckoner Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    5
    C:\WINDOWS\System32\mshta.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\MarinAccess\Bluelight.com\spinwin.exe
    C:\Program Files\MarinAccess\Bluelight.com\SpinHelp.exe
    C:\WINDOWS\sllights.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Documents and Settings\Owner\Start Menu\Programs\msnmsgr.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\x3mdlmux.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKCU\..\Run: [msconfig] c:\WINDOWS\msconfig.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: ChatSpace Java Client 2.1.0.95L - http://69.20.131.251:8569/Java/cs4msl095.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50027/QDow.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1B7C57D3-D0A3-411F-987F-92ADB32D7A8A}: NameServer = 205.199.193.2 204.157.3.13
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1B7C57D3-D0A3-411F-987F-92ADB32D7A8A}: NameServer = 205.199.193.2 204.157.3.13




    it looks like my task manager stays up when it opens now. but when i restart i have that "hole has encountered an error, must shut down sorry" type message thing. what's that all about?
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It looks like you clipped the top part of the Scanlog so I'm not seeing all the running processes.

    I don't like seeing this:

    C:\WINDOWS\System32\mshta.exe

    It is not "illegit" but a symptom of something else malicious.

    Also we need to get rid of:

    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

    Delete that entry and on rebooting delete the ClearSearch folder

    Also would you verify the file properties for msconfig in c:\windows?

    Find it, right click on it and select "properties" > version. Is it a Microsoft file 142 mb in size. Msconfig normally runs from c:\windows\pchealth\helpctr\binaries

    Are you using "selective startup"? If you are you can check the "don't show this reminder" box when prompted. That way msconfig should not be starting up each boot.

    And, you are most certainly a victim of the mshta exploit, so I would install htastop from this site:

    http://www.nsclean.com/psc-htas.html

    I don't see anything named "hole" in your startups, if you get that error again, give me a post of a HijackThis Startuplist following these directions:

    Click Config, then Misc Tools. Put a check in "list minor sections", then click Generate Startuplist -- and copy/paste that here.
     
  7. reckoner

    reckoner Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    5
    yeah still getting the weird hole error on startup. so as you requested, here's the log of that stuff. it's quite a mouthful. and may i say you've been quite helpful thus far : ) thank you


    StartupList report, 10/2/2003, 2:20:29 AM
    StartupList version: 1.52
    Started from : C:\Program Files\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\mshta.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\MarinAccess\Bluelight.com\spinwin.exe
    C:\Program Files\MarinAccess\Bluelight.com\SpinHelp.exe
    C:\WINDOWS\sllights.exe
    C:\Documents and Settings\Owner\Start Menu\Programs\msnmsgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
    KAZAA = C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msconfig = c:\WINDOWS\msconfig.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{26E8361F-BCE7-4F75-A347-98C88B418322}]
    CODEBASE = http://dst.trafficsyndicate.com/Dnl/T_50027/QDow.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

    [{486E48B5-ABF2-42BB-A327-2679DF3FB822}]
    InProcServer32 = C:\WINDOWS\System32\ia.dll
    CODEBASE = http://akamai.downloadv3.com/binaries/IA/ia_XP.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
    CODEBASE = http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SmartLinkService: slserv.exe (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    BlueSpruce, can you point me to where you are seeing new.net?

    Reckoner could you respond regarding msconfig? Do you have a copy BOTH in c:\windows AND in c:\windows\pchealth\helpctr\binaries ??

    Are they the same?

    If not please rename the one in c:\windows and check and fix the entry in the Scanlog.

    Also, have you installed the htastop fix?
     
  9. reckoner

    reckoner Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    5
    yeah my msconfig stuff is straightened out and also i did get that htastop fix. i've also got a strange lookin msconfig in c:\windows\I386 is that normal?
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    By strange looking what do you mean? You may see two files there, one being a compressed file will have its extension as:

    ex_

    the other is a normal .exe and should be 142 mb. It has its own icon looking like an old computer with a lid open. It should say Microsoft System Configuration utility.

    The one we are concerened about is what you see loading from c:\windows.

    Msconfig is normally not found there and not seen as a startup file. I think you may have inadvertantly renamed the virus file msconfig.

    Your "real" msconfig.exe should be in c:\windows\pchealth\helpctr\binaries
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/168884

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice