# Msconfd Rundll Error



## landrews (Dec 5, 2003)

Hi - I am a first time poster. I am not a computer person at all and I am hoping someone out there can help a non-technical person! I have read several posts regarding the MSCONFD RUNDLL error and have seen where it tells you to go into msconfig, etc... My pc freezes as Windows is loading and I can't get to anything. How do I get to these files or do any of the things people are suggesting in other posts? Thanks!! : )


----------



## amthmi (Mar 23, 2002)

Try it in safe mode, hold control key down while booting and
select safe mode from the list that appears.
Of course since you are online now you need to get Coolwebshredder
to rid yourself of that spyware.
Read this
http://forums.techguy.org/t182797/s933693d35a023152a038fa880b500cb8.html

CWShredder
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
It will fit on a floppy if you have one, then take it to the pc, boot to safe mode
and run cwshredder.


----------



## landrews (Dec 5, 2003)

Thanks for the advice! Unfortunately I can't get that to work. Got into Safe Mode and the screen is just blank and I don't have the start button or anything. Then tried the command prompt option at start up but didn't know what to type. Since the CWShredder is zipped, wasn't sure how to unzip it from this point. I totally understand how this happened by reading all the other posts but my Windows problem won't let me get past the DLL error message. All the other posts say they click ok and then are into Windows and mine locks at that point to the blank desktop with no start or icons, etc... If you have any other ideas, I'd really appreciate it. Thanks for getting me to this point!! : )


----------



## amthmi (Mar 23, 2002)

I have one other suggestion but hesitate in advising because I don't really
know if it will solve the problem.
Are you using win98?

If so and this problem just started recently and you have successfully started
your pc from a cold boot (pc was turned off) recently, last 5 days or so and you had
scanregistry in your startups then you can try a restore.

Reboot the pc, hold down control key and select command prompt.
At C: type scanreg /restore
Note the space after scanreg

Press enter

Choose a date just prior to your problem by using your arrow keys, press enter

Thing is I don't know how this particular hijack works so I'm not really sure a restore would work.

You can also wait before doing anything to see if someone comes up
with a solution. I will continue to research this and try and come up with a solution.
If it were a matter of just deleting a file in dos then that wouldn't be a problem
but I think it's deeper than that.


----------



## landrews (Dec 5, 2003)

Thanks! The problem started this morning. What is the risk in doing the restore? Even if it doesn't solve the problem can it make things any worse? I really appreciate your time and expertise!


----------



## amthmi (Mar 23, 2002)

I wish I could give you a yes or no answer as to whether it can make things worse.
Based on the copy/paste which I will post below this it seems that this hijacker
alters registry keys and drops a file "msconfd.dll" probably in the windows folder.
So by restoring the registry back prior to today, as long as the date you use to restore
isn't more than a few days old then it should be ok.
Logic tells me that those altered keys won't be there anymore so the error
message should go away. Then just locate the msconfd.dll and delete it.
Thing is I haven't read any post suggesting the scanreg /restore as a solution
if a person could not boot their pc.

Would I do it....yes...why...because I have my hard drive backed up on two
other hard drives. You only have to have your hard drive fail once (hard crash..clicking etc..)
before you make it a habit to clone your hard drive.

the copy/paste...

Variant 22: CWS.Msconfd - Finally using rundll32
Approx date first sighted: November 26, 2003
Log reference: none, local test

Symptoms: IE pages being changed to webcoolsearch.com, bogus error message about msconfd.dll at startup, porn bookmarks added to Favorites (some possibly childporn)
Cleverness: 7/10
Manual removal difficulty: Involves quite some Registry editing and deleting porn bookmarks
Identifying lines in HijackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://webcoolsearch.com/
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel

Additional line from StartupList log:

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=msconfd.dll

This is the first variant to use a dll file together with the Windows rundll32 file. This makes it a little harder to find the culprit msconfd.dll, responsible for hijacking IE to webcoolsearch.com and adding 11 adult bookmarks to IE, of which 4 are possibly child porn sites.

Deleting the autorun entry, resetting IE, deleting msconfd.dll and the porn bookmarks fixes this hijack.


----------
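
The identifying lines in the write-up quoted above can be checked for mechanically. This is an added example, not part of the original thread and not HijackThis's own code: a small Python scanner that flags the IE search redirects, the rundll32 autorun entry and the AppInit_DLLs value in a saved log. The function names and the two benign log lines are constructed for illustration.

```python
import re

# Indicators named in the CWS.Msconfd write-up quoted in the thread.
HIJACK_DOMAIN = "webcoolsearch.com"
HIJACK_DLL = "msconfd"

# HijackThis entries: "R1 - <key>,<name> = <data>" or "O4 - <key>: [name] <command>".
HJT_LINE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")
# StartupList prints AppInit_DLLs without a section code.
APPINIT = re.compile(r"AppInit_DLLs\s*=\s*(.*)$", re.IGNORECASE)
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+" + HIJACK_DLL + r"\b", re.IGNORECASE)

def classify(line):
    """Return (kind, detail) if the line matches an indicator, else None."""
    text = line.strip()
    m = HJT_LINE.match(text)
    if m:
        section, body = m.groups()
        if section.startswith("R") and HIJACK_DOMAIN in body.lower():
            return ("ie-redirect", body.split("=", 1)[0].strip())
        if section == "O4" and RUNDLL.search(body):
            return ("autorun", body)
        return None
    m = APPINIT.search(text)
    if m:
        dlls = [d for d in re.split(r"[ ,]+", m.group(1)) if d]
        bad = [d for d in dlls if d.lower().startswith(HIJACK_DLL)]
        if bad:
            return ("appinit-dll", ",".join(bad))
    return None

def scan(log_text):
    """Classify every line of a log and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

# Sample input: the five lines from the write-up plus two constructed benign lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://webcoolsearch.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=msconfd.dll
"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:12} {detail}")
```
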



## landrews (Dec 5, 2003)

Thanks again. I restored twice now back to two different dates and it has made no difference. I don't get the error message anymore but it just hangs at the blue desktop background. When I go Ctrl-alt-delete I see MSgloop, Hidserv and msg32. I've tried ending each task and that doesn't do anything. Msgloop and Msg32 are hung and have to be ended. Not sure if this gives any more clues. I appreciate your help again and for sticking with this. It's a challenge for sure. I'll keep looking to see what I can find. Found some similar posts in google groups and one person had a similar problem with no resolution. Oh well, I'll keep looking. Thanks again!


----------



## amthmi (Mar 23, 2002)

Darn...I see similar posts related to msgloop, msg32 and hidserv in google groups also.
Most of them dealt with people wondering what they were.

Did you try safe mode?

Any members reading this thread have any ideas how to resolve this problem?
I hope the restore didn't make it more difficult.


----------



## Rollin' Rog (Dec 9, 2000)

Oops, sorry, I didn't realize you had tried a scanreg /restore and had problems restarting.

You may be forced to do a reinstall on this if scanreg /restore is not working.

Do you have a Windows CD with the product key?


----------



## landrews (Dec 5, 2003)

I was thinking I'd probably have to do a reinstall of Windows. Unfortunately I think I only have the disk that was sold with the PC that re-installs everything. I'll see if I dig through all my software to see. If I do get Windows reinstalled, what should I then do to prevent this whole mess again? Run that CWShredder and what else? It is definitely a hijack victim based on the changing home page and unsolicited desktop links, etc. You all have been a tremendous help and it's been a great experience posting here. THANKS!!!


----------



## Rollin' Rog (Dec 9, 2000)

Well if it's a wipe everything reinstall, the shredder will be irrelevant. You are either going to have to keep up with all the latest IE and other updates or generally switch to a more secure browser such as Opera7.

Try this as a test and let me know how it goes. Start to a command prompt by selecting it from the boot menu instead of "safe mode"

At the prompt enter:

*cd windows
edit system.ini*

Look for a line that says *shell=explorer.exe* under the [boot] tab.

Change it to read: *shell=winfile.exe*

Save the file and reboot. Do you get to the "winfile" shell? If so then the problem is likely with shared IE/Explorer "shell files".

Often removing or reinstalling IE can fix this. You can try removing it (if it has been updated) by running (File > Run)

*control appwiz.cpl*

which brings up Add/Remove programs. There you can find IE and remove or repair it.

It is also possible sometimes to get an internet connection in Winfile by finding the IExplore.exe file in the IE programs folder (c:\Progra~1\Intern~1\iexplore.exe) and running that.

You may also find a setup.exe file there that could be run to reinstall.

Your problem sounds somewhat similar to that described here:

http://support.microsoft.com/defaul...port/kb/articles/Q249/1/91.ASP&NoWebContent=1

To reboot, or try to reboot, to the normal explorer shell, while still in winfile, run *system.ini* and change the shell= entry back to explorer.exe before exiting Winfile.

There is yet another alternative for reinstalling windows if you cannot do it with your "recovery" software.

If you have cab files: c:\windows\options\cabs there should be a setup.exe file there that can be run

You will need your product key

You can probably retrieve this while in Winfile by running regedit and navigating to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

look for it in the Right Pane. Or in regedit, click Edit > Find and enter ProductKey (one word)

You may also get it from a DOS prompt by entering:

*C:\Windows\Command\Find /I "ProductKey" C:\Windows\System.dat*

It is a 25 character key


----------



## amthmi (Mar 23, 2002)

Thanks for jumping in Rollin'Rog.
I had hoped that scanreg /restore would have worked but as you see it didn't.
landrews..did you have the same issue with safe mode after the restore?
Thinking out loud here....
Those files running that are hung look like they're related to audio drivers, possibly
Brooktree WaveStream. Do you have an HP or Compaq?
If you can get into windows via safe mode and remove the audio devices
in device manager and any other duplicate (ghost devices) then reboot.
Windows will try and reinstall the drivers which may solve the problem.
They would be under Sound, Video & game controllers
Does this sound plausible Rollin'Rog?
landrews..this problem has gone beyond my abilities to help, but you are
in very good hands with Rollin'Rog , I consider him one of the best here at techguy.
I will continue to follow this thread to see how it develops.
Good luck..


----------



## Rollin' Rog (Dec 9, 2000)

I think it's probably what you *don't* see in the tasks window that is the culprit. What you do see there has managed to load successfully.

The shell files that cause the blank desktop problem never show there anyway, but if you can do an end-run around Explorer, then it's a pretty good bet that is the problem. 

The key here is whether the same problem occurs in Safe Mode; it is typical that Safe Mode produces the same blank desktop because it too is trying to load Explorer.exe, although none of your modem and sound hardware would be loaded.


----------



## arshield (Jan 6, 2004)

I have a friend who has the same problem since yesterday. I was over there working on the computer today and I couldn't do anything. Safe mode doesn't work. (Just a blank screen). Any ideas are helpful. 

(win 98 SE, HP computer)


----------



## shadeybeep (Jan 7, 2004)

Did anyone ever figure out this problem? I have a neighbor with the same exact problem, as of this morning (1/06/03). Same files are running in the background (msgloop and msg32), although "hidserv" isn't there. I have no idea what to tell him.

thanks!


----------



## bandit429 (Feb 12, 2002)

Here are a couple of links which may help you. As you will read in the last link, you will need someone to do some looking. Since individual computers have individual problems I suggest you start a thread and ask for help, copy and paste these two links if you think they apply to give the person who helps you a headstart. Good luck.

http://forums.techguy.org/showthread.php?threadid=188257&highlight=peper

http://forums.techguy.org/showthread.php?threadid=176907&highlight=peper


----------



## Rollin' Rog (Dec 9, 2000)

Anyone who thinks they have a "similar" problem should post a HijackThis Scanlog in the Security forum. Going to close this thread.

http://mjc1.com/mirror/hjt/


----------

