
[Resolved] cant open msconfig

Discussion in 'Virus & Other Malware Removal' started by knowitall, Sep 10, 2004.

Thread Status:
Not open for further replies.
  1. knowitall

    knowitall Thread Starter

    Joined:
    Sep 10, 2004
    Messages:
    7
    Hi, I'm a new member
    and I think this site is very good for techs and geeks.
    My question is:

    Does anybody know a short way to get rid of the blank virus?
    I can't seem to open MSCONFIG, REGEDIT or TASK MANAGER.
    I used HJT and I almost cleaned everything; am I missing something here?
    Or does anybody know a sure way to do this?
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  3. knowitall

    knowitall Thread Starter

    Joined:
    Sep 10, 2004
    Messages:
    7
    This is what I found with HJT:

    Logfile of HijackThis v1.98.2
    Scan saved at 2:17:16 AM, on 9/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\mswinc.exe
    C:\Palm\hotsync.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Documents and Settings\Anne\Desktop\HijackThis19802.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
    O4 - Global Startup: Sympatico1.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AC90C04-B930-4CF4-87DA-7056EBEEBE28}: Domain = sympatico.ca
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AC90C04-B930-4CF4-87DA-7056EBEEBE28}: NameServer = 192.168.2.1


    I tried to delete MSWINC but it keeps coming back, so I think it could be the one.
    Don't you agree?
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Reboot in Safe Mode to do it.

    Print or save these instructions to a text file so you don't miss anything.

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

    In Safe Mode run HijackThis, and check and fix all these entries:

    O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe

    Then go to Start > Run, enter cmd and a command shell will open. Type and enter:

    del C:\WINDOWS\System32\mswinc.exe

    Let me know if you get an error such as "access denied" doing that.

    Also, while you are in Safe Mode, run a full-drive scan with an updated NAV.


    Then reboot and post a new HijackThis Scanlog.

    By the way if the computer is on a network, that could be the source of the reinfection. You will have to clean all networked computers independently or they will cross infect each other.

    http://www.sophos.com/virusinfo/analyses/w32rbotit.html
     
  5. knowitall

    knowitall Thread Starter

    Joined:
    Sep 10, 2004
    Messages:
    7

    I went to Safe Mode,
    deleted them all and went to command mode and couldn't find the file because I had already deleted it before.

    But when I restarted the computer
    I found it again.

    This is the log:
    Logfile of HijackThis v1.98.2
    Scan saved at 2:53:31 AM, on 9/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\mswinc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Documents and Settings\Anne\Desktop\HijackThis19802.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AC90C04-B930-4CF4-87DA-7056EBEEBE28}: Domain = sympatico.ca
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AC90C04-B930-4CF4-87DA-7056EBEEBE28}: NameServer = 192.168.2.1

    Tough file.
    It was in system32; this is where I deleted it from.

    Now what?
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The file is showing as a running process, so we know it's there. I suspect it is starting as a "service" as well. I don't know why you couldn't find the file in Safe Mode. If you tried to delete it BEFORE going to Safe Mode, the process already in memory may have recreated it on reboot. Also, this trojan is "network aware". That means if you are networked you can get cross-infected from another computer on the network. You must isolate each computer before proceeding.

    You can repeat the same instructions, but first disconnect from the net or any network the computer is linked to. If you have broadband, disconnect the modem. Follow that by doing a Ctrl-Alt-Del and terminating the running process, then rebooting to Safe Mode and manually deleting it and the HijackThis-related entries.

    But one way or another I want to see a "service profile". Download and unzip the following file to its own folder. Then run "runme.bat" and upload as an attachment the text file it creates:

    http://forums.techguy.org/attachment.php?attachmentid=38367


    Also post a new HijackThis Scanlog.
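As an added example, not code from this thread, from HijackThis or from the reply above: the triage Rollin' Rog does by eye in posts #4 and #6 (which O4 entries to fix, and whether they came back after the Safe Mode pass and reboot) done as a small Python script over the O4 lines from the two logs posted in this thread. The two log samples are the thread's own lines, embedded here as constructed input; the flagging rules, the function names and the remark about RunServices are this example's own assumptions, not HijackThis output or anything the replies state.

```python
"""Triage the O4 (autostart) entries in a HijackThis log and check whether a fix held.

Added example. The flagging rules and function names are this script's own
(assumptions), not HijackThis's. Sample logs are the O4 lines posted in the thread.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "hive key name command")

# Constructed sample: O4 lines from the first log in this thread (before the fix).
HJT_LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
"""

# Constructed sample: O4 lines from the second log (after the Safe Mode fix and reboot).
HJT_LOG_AFTER = r"""
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinc.exe
"""

# "O4 - HKLM\..\Run: [value name] command"  and  "O4 - Global Startup: x.lnk = target"
_REG_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
_STARTUP_RE = re.compile(r"^O4 - (Global Startup|Startup): (.*?) = (.*)$")


def parse_o4(log_text):
    """Return the registry and Startup-folder O4 entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _REG_RE.match(line)
        if m:
            entries.append(Entry(*m.groups()))
            continue
        m = _STARTUP_RE.match(line)
        if m:
            entries.append(Entry("Startup", m.group(1), m.group(2), m.group(3)))
    return entries


def executable_of(command):
    """Strip quotes and arguments; return the program an autorun entry launches."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0] if command else ""


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_suspicious(entries):
    """Map each suspicious executable (lower-cased basename) to the reasons it was flagged.

    Heuristics, not verdicts: a flagged file still needs a look on disk (full path,
    attributes, a scanner that knows it) before anything is deleted.
    """
    by_exe = {}
    for e in entries:
        exe = executable_of(e.command)
        by_exe.setdefault(_basename(exe), []).append((e, exe))
    flagged = {}
    for base, items in by_exe.items():
        reasons = []
        # A bare name with no path makes Windows search for the file at logon;
        # installers of real software almost always register a full path.
        if any("\\" not in exe and ":" not in exe for _, exe in items):
            reasons.append("launched by bare filename, no path")
        # RunServices is a Windows 9x/ME autostart key; XP-era software has
        # little reason to set it, but malware writing every key it knows does.
        if any(e.key == "RunServices" for e, _ in items):
            reasons.append("registered under RunServices")
        if len(items) > 1:
            where = sorted({e.hive + "\\" + e.key for e, _ in items})
            reasons.append("registered in %d autorun locations: %s" % (len(items), ", ".join(where)))
        if reasons:
            flagged[base] = reasons
    return flagged


def persisted(before_text, after_text):
    """Entries for executables flagged in the earlier log that are still in the later one.

    A non-empty result after "fix in Safe Mode, delete, reboot" means the binary was
    still running, or something else (a service, another host on the LAN) re-wrote
    the keys: the situation in this thread.
    """
    flagged = flag_suspicious(parse_o4(before_text))
    return [e for e in parse_o4(after_text) if _basename(executable_of(e.command)) in flagged]


if __name__ == "__main__":
    for exe, reasons in flag_suspicious(parse_o4(HJT_LOG_BEFORE)).items():
        print(exe)
        for r in reasons:
            print("  -", r)
    print("still present after the fix:")
    for e in persisted(HJT_LOG_BEFORE, HJT_LOG_AFTER):
        print("  %s\\%s [%s] %s" % (e.hive, e.key, e.name, e.command))
```

Run as-is it reports mswinc.exe with all three reasons and then lists the four autorun entries that survived the Safe Mode pass, which is the signal that the cleanup did not hold and that the running process, a service or another machine on the network needs to be dealt with before the entries are fixed again. Nothing it flags is proof by itself; it only tells you which entries deserve a look on disk and whether an earlier cleanup actually stuck.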
     
  7. knowitall

    knowitall Thread Starter

    Joined:
    Sep 10, 2004
    Messages:
    7
    I downloaded Avast antivirus and ran it on the system and it found the virus.

    I also ran Panda after the reboot and it found 2 more viruses.

    The problem is that I couldn't get the virus names.

    I also went to file options and unchecked "hide system files ..."
    and I managed to see mswinc in the system32 folder and deleted it.
    Rebooted and the system is running fine.

    The only thing missing is that we come up with a remedy so this mess won't happen again.

    It seems that we all know the symptoms but we don't know the cause or the cure.

    Anyway, I thank you very much for your quick replies and support.
    They always say two brains are better than one. :) ;)
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Great -- it's not so much the virus name that was the problem, we pretty much knew what that was.

    But this was probably an issue:
    Normally these things don't get installed as "system" files, just "hidden" ones, so I don't include that in the instructions. But I probably should have after the first failure.

    Anyway we'll take any fix we can get!

    You're most welcome for the help.
     
Short URL to this thread: https://techguy.org/272617
