[Resolved] cant open msconfig

[knowitall]

hi, i'm a new member
and i think this site is very good for techs and geeks
my question is

any body knows a short way to get rid of the blank virus
i cant seem to open MSCONFIG, REGEDIT or TASK MANAGER
i used HJT and i almost cleaned everything, am i missing something here ??
or anybody knows a sure way to do this ???

 

[Rollin' Rog]

Let us see your HijackThis Scanlog. Make sure you use the latest version (1.98.2) available here:

http://www.net-integration.net/tools/hijackthis.html

 

[knowitall]

Let us see your HijackThis Scanlog. Make sure you use the latest version (1.98.2) available here:

http://www.net-integration.net/tools/hijackthis.html

this is what i found with HJT

Logfile of HijackThis v1.98.2
Scan saved at 2:17:16 AM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\mswinc.exe
C:\Palm\hotsync.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Anne\Desktop\HijackThis19802.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Sympatico1.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AC90C04-B930-4CF4-87DA-7056EBEEBE28}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AC90C04-B930-4CF4-87DA-7056EBEEBE28}: NameServer = 192.168.2.1


i tried to delete MSWINC but it keeps coming back ?? so i think it could be the one
dont you agree

 

[Rollin' Rog]

Reboot in Safe Mode to do it.

Print or save these instructions to a text file so you don't miss anything.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

In Safe Mode run HijackThis, and check and fix all these entries:

O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe

Then go to Start > Run, enter cmd and a command shell will open. Type and enter:

del C:\WINDOWS\System32\mswinc.exe

Let me know if you get an error such as "access denied" doing that.

Also while you are in Safe Mode, run a full drive, updated, NAV scan.


Then reboot and post new HijackThis Scanlog.

By the way if the computer is on a network, that could be the source of the reinfection. You will have to clean all networked computers independently or they will cross infect each other.

http://www.sophos.com/virusinfo/analyses/w32rbotit.html

 

[knowitall]

Reboot in Safe Mode to do it.

Print or save these instructions to a text file so you don't miss anything.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

In Safe Mode run HijackThis, and check and fix all these entries:

O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe

Then go to Start > Run, enter cmd and a command shell will open. Type and enter:

del C:\WINDOWS\System32\mswinc.exe

Let me know if you get an error such as "access denied" doing that.

Also while you are in Safe Mode, run a full drive, updated, NAV scan.


Then reboot and post new HijackThis Scanlog.

By the way if the computer is on a network, that could be the source of the reinfection. You will have to clean all networked computers independently or they will cross infect each other.

http://www.sophos.com/virusinfo/analyses/w32rbotit.html

i went to safe mode
deleted them all and went to command mode and couldnt find the file because i already deleted it before

but when i restart the computer
i found it again

this is the log
Logfile of HijackThis v1.98.2
Scan saved at 2:53:31 AM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mswinc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Anne\Desktop\HijackThis19802.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AC90C04-B930-4CF4-87DA-7056EBEEBE28}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AC90C04-B930-4CF4-87DA-7056EBEEBE28}: NameServer = 192.168.2.1

tough file
it was in system32 this is where i deleted from

now what ???

 

[Rollin' Rog]

The file is showing as a running process, so we know its there. I suspect it is starting as a "service" as well. I don't know why you couldn't find the file in Safe Mode. If you tried to delete it BEFORE going to Safe Mode, the process already in memory may have recreated it on reboot. Also this trojan is "network aware". That means if you are networked you can get cross infected from another computer on the network. You must isolate each computer before proceeding.

You can repeat the same instructions, first, disconnect from the net or any network configuration the computer is linked to. If you have broadband, disconnect the modem. Follow that by doing a ctrl-alt-del and terminating the running process, then rebooting to Safe Mode, manually deleting it and the HijackThis related entries.

But one way or another I want to see a "service profile". Download and unzip the following file to its own folder. Then run "runme.bat" and upload as an attachment the text file it creates:

http://forums.techguy.org/attachment.php?attachmentid=38367


Also post a new HijackThis Scanlog.

 

[knowitall]

i downloded avanst antivirus and ran it on the system and found the virus.

also run panda after reboot and found 2 more viruses

the problem is that i couldnt get the virus names.

also went to file options and uncheked "hide system file ...."
and i manages to see mswinc in system32 folder and deleted it
reboot and the system running fine

the only thing missing is that we come up with a remeady so this mess wont happen again.

it seems that we all know the symptoms but we dont know the cause or the cure.

anyway, i thank you very much for your quick replies and support.
they always say 2 brains better than one.

 

[Rollin' Rog]

Great -- it's not so much the virus name that was the problem, we pretty much knew what that was.

But this was probably an issue:

also went to file options and uncheked "hide system file ...."

Normally these things don't get installed as "system" files, just "hidden" ones, so I don't include that in the instructions. But I probably should have after the first failure.

Anyway we'll take any fix we can get!

You're most welcome for the help.