# msconfig won't stay visible but for 2 seconds



## Edmond4 (Jun 13, 2003)

I have had a big problem lately with a room mate using my computer. I think he's downloaded some things that are fishy, plus he doesn't know how to use computers too well. I also think he might be trying to cover his tracks of where he's been, and in doing so has screwed up my computer.

First, had a junky thing added to my IE toolbar, it was a dang "search" piece of crap. I found the files and deleted them, but somewhere there is something remaining, I have just taken it off of the "view" part in IE toolbar options, don't seem to be able to get rid of it.

When running msconfig so that I can see what "startup menu" programs are now running, the window is brought up for just one or two seconds and disappears. I can't even get in that way to see and perhaps disable added start up junk that might be running. I have Norton anti-virus which detected two viruses three days ago, and found an exe file yesterday that was a "trojan horse". It has deleted all of this, but still, I can't see my startup menu. Any ideas what I can do?


----------



## IMM (Feb 1, 2002)

Post the results of the Scan log from HijackThis http://www.tomcoyote.org/hjt/ and we'll see if the startup list can be cleaned that way. (Don't delete anything you're not sure of)

It would help if you could look through the log files of Norton and come up with the names of the virii and the trojan.


----------



## Edmond4 (Jun 13, 2003)

This is great. Following is the log, I see it has listed two toolbar menu items that I mentioned but couldn't see to get rid of.

Logfile of HijackThis v1.94.0
Scan saved at 3:10:06 AM, on 6/13/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://sbvr.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.splor.com/slc
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://sbvr.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://sbvr.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {69fe4840-5478-11d7-8779-00104c127ee0} - C:\WINDOWS\APPLICATION DATA\MXLSTKFOO.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: brhoastealy - {69fe4841-5478-11d7-8779-00104c127ee0} - C:\WINDOWS\APPLICATION DATA\MXLSTKFOO.DLL (file missing)
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [syslog lptt01] "c:\program files\syslog\syslog.exe"
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe"
O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://download.nocreditcardgay.com/download/Object/ieaccess2.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {010F6167-2C09-11D4-8738-0050DABC30E3} (AxEyematicPlayer Class) - http://www.eyematic.com/players/english/EyematicPlayerAxWin.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB


----------



## IMM (Feb 1, 2002)

This one:
O4 - HKLM\..\Run: [syslog lptt01] "c:\program files\syslog\syslog.exe"
represents Rapid Blaster - The first thing to do is download and run rbkiller
http://www.wilderssecurity.net/specialinfo/rapidblaster.html

After you've done the rapid blaster removal - Close all browser windows and run HijackThis and scan.
Place a check mark beside the following entries if they still remain and choose FIX - then reboot (a must!)

*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http//sbvr.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http//sbvr.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http//sbvr.com/searchbar.html
O2 - BHO: (no name) - {69fe4840-5478-11d7-8779-00104c127ee0} - C:\WINDOWS\APPLICATION
DATA\MXLSTKFOO.DLL (file missing)
O3 - Toolbar: brhoastealy - {69fe4841-5478-11d7-8779-00104c127ee0} - C:\WINDOWS\APPLICATION
DATA\MXLSTKFOO.DLL (file missing)
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} -
C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [syslog lptt01] "c:\program files\syslog\syslog.exe"
O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) -
http//download.nocreditcardgay.com...t/ieaccess2.cab
O16 - DPF: {010F6167-2C09-11D4-8738-0050DABC30E3} (AxEyematicPlayer Class) -
http//www.eyematic.com/players/eng...PlayerAxWin.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http//216.65.38.226/Download_Plugin.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) -
http//216.249.24.143/code/PWActiveXImgCtl.CAB
*

Note that I don't understand this one:
O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE
and am very suspicious of it.

This one:
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} -
C:\WINDOWS\SYSTEM\shdocvw.dll
represents TinyBar (see http://www.doxdesk.com/parasite/TinyBar.html for further info on it)

If you know what the eyematic one is - perhaps you could leave it unchecked?

-------
It would still be nice to know what it was that Norton found.

-----
After rebooting - if things seem to be going well - download - install - Update online (check all updates except skins or languages) and then run SpyBotSD http://www.tomcoyote.org/SPYBOT/ (make sure all browsers are closed while running it and if it wants a reboot - let it)


----------



## IMM (Feb 1, 2002)

I think I may have seen 6B4788E2-BAE8-11D2-A1B4-00400512739B before.
Did the trojan Norton find involve *pipecmdsrv* or a similar name?


----------



## Edmond4 (Jun 13, 2003)

Rapid Blaster didn't find anything.

I then ran the other files on Hijackthis.

SpyBot found a ton of crap, dial up porn etc and internet tracking stuff.

I don't remember what Norton found, but I think it said that it was "backdoor trojan" or something. The specific file that it said needed to be replaced was c:\recycled\dc553.exe.

One other thing that has been screwing things up, freezing the computer. When I have done a Ctrl+Alt+Del I have found a "Msgsrv32 Not Responding". What the heck is that?

Thanks a ton, you have been so helpful.


----------



## IMM (Feb 1, 2002)

For the file in Recycled - boot to DOS and use

deltree recycled

to remove the recycle bin - it will be recreated.

Is msconfig working correctly now? If it is, try unchecking
[USBDetector] C:\USBStorage\USBDetector.exe
and rebooting to see if your msgsrv32 error will go away. Do you know what hardware or program installed USBDetector?
Here's some info on the function of msgsrv32 http://support.microsoft.com/?kbid=138708

------
Before you do any of that, can you run HijackThis and hit the Config button, then the Misc. Tools button, and Generate a StartupList log - then post it here?

---
I'm surprised that rbkiller.exe failed to find RapidBlaster. Does the folder c:\program files\syslog\ exist ??
I wonder if it's 'morphed' again?


----------



## Sirgets (May 21, 2003)

If msconfig is not staying up it is a virus. Take the hard drive out of the machine and put it in a separate machine if possible as a slave and scan for a virus. Viruses that come to mind that do this are KLEZ, SIRCAM, BUGBEAR, OPASERV. I am certain all of them mess around with exe settings.


----------



## Edmond4 (Jun 13, 2003)

I thought I had the problem fixed, but then I had forgotten to try msconfig, and sure enough, it still will not stay up on the screen, but quickly closes before it can even be looked through.

Will Norton be the best stuff to scan this drive? Will it need to be a slave to find results?

Much appreciated.


----------



## Rollin' Rog (Dec 9, 2000)

Post another copy of the ScanLog and the StartupList as well (config > Miscl Tools > Generate Startuplist).

After that, try booting in Safe Mode and see if the same behavior occurs with msconfig. To boot in Safe Mode press and hold the ctrl key as soon as the system begins booting, then choose Safe Mode from the numbered 'startup' menu.


----------



## Edmond4 (Jun 13, 2003)

Here is the scan again or resulting log file of a scan

Logfile of HijackThis v1.94.0
Scan saved at 4:08:51 AM, on 6/14/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.splor.com/slc
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe"
O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab


----------



## IMM (Feb 1, 2002)

One of the things some virii do is append to the beginning or the end of files. Msconfig is among the files which are sometimes affected. Even if the virus is gone after repairing it - it's possible the file is damaged. The first thing I would try is to extract a fresh copy of msconfig.exe. Use SFC to extract one file from your cab files or the Windows CD (it goes in C:\Windows\System as a destination). It also has several help files in c:\windows\help.

If you think the file association for exe files is damaged - it won't hurt to run exefix08 on the machine. http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html or at http://home.earthlink.net/~rmbox/Reticulated/Toys.html for the zipped version

There really *should* be a log file of what norton has done as a history somewhere. Perhaps in a directory such as C:\Program Files\Norton..... etc, or in some sub-folder of C:\WINDOWS\Application Data with a name like Norton or Symantec, or perhaps you can view a history from within the virus program itself.

The O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE startup is still there - did you not check it - or do you know something about its function?

I also notice that [USBDetector] C:\USBStorage\USBDetector.exe is still in your startups. This is a program I can find no reference to on the net. I think that you should perhaps remove it temporarily.
You can find its startup by running regedit and looking in the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
key. What msconfig will do if you uncheck an item in that location is simply move the reference to the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
key (note the minus sign on the end of it) so that it doesn't start. You could try this manually if you like - or you could simply rename the file to USBDetector.xee for a while if you're uncomfortable in the registry (and name it back later if it's determined to be OK)

One of the reasons I wanted the StartupList (rather than the Scan log) is that it shows running processes and some file associations (and you had mentioned a trojan).


----------



## Edmond4 (Jun 13, 2003)

I don't know what the SFC is to extract the files from Windows CD.

A find files or folders doesn't work.

I did look at the C drive for this and the result was that it found two msconfig.exe files on the C drive.

One was in C:\WINDOWS\SYSTEM
The other in C:\WINDOWS\VCM

The USB detector was installed to read an external hard drive.

What does this one mean?

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Actually, the file that Norton found as a trojan, I just remembered, was called plugin1 or something similar to that.


----------



## Edmond4 (Jun 13, 2003)

Also, the other report said the following:


---------- c:\windows\desktop\EXEfix08.txt 

======================================================= 
EXEfix08 for Windows 95/98 - Freeware by rmbox 
======================================================= 

Program Report: 

Complete "EXE" Input Entered at 06-14-2003 12:03:49.36p 

The correct "EXE" Registry Data has been restored.
All programs with the "EXE" extension should operate 
normally now. 

Please test one of your programs to confirm this. 


Additional Information: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

NO TANGIBLE PROBLEMS WERE ENCOUNTERED... 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

(End of report)


----------



## Edmond4 (Jun 13, 2003)

Here is a report of Norton's Activities in the last week or so:

Date: 6/9/03, Time: 21:45:48, none on BX-98SE
The file
C:\nuopaj.exe
was infected with the W32.Spybot.Worm virus.
The file was deleted.

Date: 6/9/03, Time: 21:57:34, none on BX-98SE
The file
C:\nuopaj.exe
was infected with the W32.Spybot.Worm virus.
The file was deleted.

Date: 6/12/03, Time: 2:38:10, none on BX-98SE
The file
C:\RECYCLED\DC553.exe
was infected with the Backdoor.Trojan virus.
The file was deleted.

Date: 6/12/03, Time: 8:22:06, none on BX-98SE
Virus scanning started.

Date: 6/12/03, Time: 12:44:08, none on BX-98SE
The file
C:\WINDOWS\Temporary Internet Files\Content.IE5\K9WN47KF\plugin[1].exe
was infected with the Backdoor.Trojan virus.
The file was deleted.

Date: 6/12/03, Time: 12:44:08, none on BX-98SE
Virus scanning completed.
Items scanned: C:-E: 
Master boot records:
Scanned: 3
Infected: 0
Repaired: 0
Boot records:
Scanned: 3
Infected: 0
Repaired: 0
Files:
Scanned: 54381
Infected: 1
Repaired: 0
Quar'ed: 0
Deleted: 1

Date: 6/13/03, Time: 12:29:08, none on BX-98SE
Virus scanning started.

Date: 6/13/03, Time: 12:29:20, none on BX-98SE
Virus scanning interrupted while scanning: C:-E:

Date: 6/14/03, Time: 1:46:30, none on BX-98SE
Virus scanning started.

Date: 6/14/03, Time: 2:46:28, none on BX-98SE
Virus scanning completed.
Items scanned: C: 
Master boot records:
Scanned: 4
Infected: 0
Repaired: 0
Boot records:
Scanned: 1
Infected: 0
Repaired: 0
Files:
Scanned: 38740
Infected: 0
Repaired: 0
Quar'ed: 0
Deleted: 0


----------



## Edmond4 (Jun 13, 2003)

The O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE entry is one that I've now deleted 4 times in the HijackThis program, but it always reappears.


----------



## Edmond4 (Jun 13, 2003)

The C:\PROGRAM FILES\SYSLOG folder is empty, nothing there. Should it have something there?


----------



## IMM (Feb 1, 2002)

_C\PROGRAM FILES\SYSLOG is empty_ - it's fine to delete the syslog folder. It may have been emptied by SpybotSD - or the RapidBlaster may have morphed elsewhere.

Use find to locate the WINDOWS UPDATE MANAGER.EXE file on your system.

_I don't know what the SFC is to extract the files from Windows CD._
The VCM directory is a version control manager which contains backups of programs which have been updated. The problem here is that I don't know of an update to msconfig.

Delete both of them you've found and extract a new one.
Here are instructions on using C:\Windows\System\SFC.exe for the purpose. After extracting the msconfig.exe file to c:\windows\system - restart in DOS mode and rename WINDOWS UPDATE MANAGER.EXE to holding.xee (can you use DOS well enough for that?)

------ Notes on SFC -------
To extract files in Windows 98 or Windows 98 Second Edition, use the System File Checker tool:

1. Quit all running programs.
2. Click Start, and then click Run.
3. Type sfc, and then press ENTER.
4. In System File Checker, click Extract one file from installation disk.
5. In the Specify the system file you would like to restore box, type msconfig.exe, and then click Start.
6. In the Extract File dialog box, type drive:\Win98 in the Restore from box, where drive is the drive letter of the CD-ROM or DVD-ROM drive that contains your Windows 98 CD-ROM, and then click OK. (The destination here is c:\windows\system.)
7. In the Backup File dialog box, click OK. If a "The backup folder does not exist. Do you want to create it" message appears, click Yes.
8. When you receive an "Extract File" message, click Yes to restart the computer.
----------------

We'll have to figure out how that is starting.
I'd still like the StartupList I mentioned earlier so I could see the running processes.
Additionally - have a look to see if c:\Winstart.bat is present or if a c:\windows\Wininit.ini file is present.


----------



## IMM (Feb 1, 2002)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll is usually nothing to worry about.
see http://www.adobe.com/support/techdocs/29fea.htm for 'some' info on NPDocBox.dll
I think you should be able to remove it using the Acrobat Reader program's settings if you wish.

Looking at the report from exefix08 - it seems that there wasn't any problem there.
It fixes the *HKEY_CLASSES_ROOT\exefile\shell\open\command* key

--------Some references on the Norton finds
Backdoor.Trojan is generic I guess
http://www.sarc.com/avcenter/venc/data/backdoor.trojan.html

SpyBot worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

----------------------
If you need a process viewer (and killer) you can download Process Explorer
http://sysinternals.com/ntw2k/freeware/procexp.shtml

I think you should delete the entire contents of c:\windows\temp (including folders) and empty your Temporary Internet Files (incl. offline) at this point as well.


----------



## Edmond4 (Jun 13, 2003)

I just deleted the Temp folder as well as the Temporary Internet folder.

In the c:\windows folder there is something called ".plugin141_01.trace"

What do you think of it? is it dangerous?


----------



## Edmond4 (Jun 13, 2003)

I downloaded a new "msconfig.exe" and put it in the c:\windows\system folder and it still disappears.

I think perhaps the windows update thing might be what is giving me crap. I can't get rid of it.


----------



## Edmond4 (Jun 13, 2003)

Also, my Norton Anti-virus after this last reboot has been disabled and does not show in the task bar.


----------



## IMM (Feb 1, 2002)

You can email me the plugin141_01.trace file and I'll look.

Did you produce a StartList ?

Did you find the location of WINDOWS UPDATE MANAGER.EXE on your machine?

I notice that Norton's log at one point changed from scanning 3 MBR's to scanning 4 - Do you think there was a floppy disk in at the time?


----------



## Rollin' Rog (Dec 9, 2000)

Project numero uno has to be to get rid of:

WINDOWS UPDATE MANAGER.EXE

as it is probably responsible for all these ills.

You still haven't posted a copy of the StartupList, which is different from the ScanLog, and would be helpful. To do so, run HijackThis and click Config > Miscl Tools > Generate StartupList. Paste that here.

If you do a ctrl-alt-del, does WINDOWS UPDATE MANAGER.EXE show in the Close Programs Window? Try End tasking it and then using HijackThis to delete the entry. Next do a search for *manager.exe* and try to delete that. Make sure you get the right file.

If you cannot delete the file from within Windows, reboot to Safe Mode and try there.


----------



## IMM (Feb 1, 2002)

*Rog* - Lack of the startlist is getting to me too. I always wish I could get my hands on the keyboard


----------



## Edmond4 (Jun 13, 2003)

I have done a search for the Windows Update Manager.exe and it shows nothing, or nothing is found. I delete it over and over in HijackThis and it comes back. I have re-installed msconfig.exe as mentioned before, with no success.

There is no sign of WINDOWS UPDATE.EXE when I do the cntl+alt+del. I've never seen it listed.

Thanks for the clarification on how to make a startup list, it's below. You guys are great. I will submit this and begin a search for SYSTEM.EXE

StartupList report, 6/14/03, 8:13:47 PM
StartupList version: 1.52
Started from : C:\MY DOCUMENTS\MY DOWNLOAD FILES\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\WINDOWS UPDATE MANAGER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\MY DOWNLOAD FILES\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
Norton eMail Protect = C:\Program Files\Norton AntiVirus\POPROXY.EXE
USBDetector = C:\USBStorage\USBDetector.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
ServiceConfig = "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe"
SystemTray = SysTray.Exe
Windows Decryption Manager = WINDOWS UPDATE MANAGER.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Windows Decryption Manager = WINDOWS UPDATE MANAGER.EXE

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 2/6/2003, 1:41:38)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
Scan for Viruses.job
Live update.job
Daily scan.job

--------------------------------------------------

Enumerating Download Program Files:

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1080/V31Controls/x86/w98/en/actsetup.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 4,987 bytes
Report generated in 0.075 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Rollin' Rog (Dec 9, 2000)

It's in C:\WINDOWS\SYSTEM

someplace, but it may be a 'hidden' file. Go to Folder Options > View and make sure "show all files" is ticked.

Then see if it shows up in the c:\windows\system directory.

Also do a file search for:

*manager.exe* and see what you come up with. Make sure "include subfolders" is checked in the search engine.

Also, the problem may be that the ScanLog is only showing one startup location for it, but the StartupList shows two.

You will need to do some manual registry editing. Follow these directions FIRST:

Go to Start>Run and enter *regedit*

Click in order:

*+Hkey_Current_User
+Software
+Microsoft
+Windows
+CurrentVersion
RUNONCE*

>> With the RunOnce folder highlighted on the left, right click on and delete the Windows Update Manager.exe entry on the right.

>> Next, navigate to....

*+Hkey_Local_Machine
+Software
+Microsoft
+Windows
+CurrentVersion
RUN*

>> With the RUN folder highlighted on the left, right click on Windows Update Manager.exe in the right hand pane and select "delete"

Reboot and try to find and delete the file as suggested above.

If this doesn't work, you will have to do the process in Safe Mode. Shutdown and wait 30 seconds to restart. Press and hold the ctrl key starting up to get to the startup menu where you can choose Safe Mode.

I suggest you print or carefully copy the directions before proceeding to start in Safe Mode. You can also save them to a Notepad file.

*edit*

I think we also haven't focussed enough on:

USBDetector = C:\USBStorage\USBDetector.exe

which is equally suspicious and may be causing the other file to reload.

While you're in the registry, you should see that also in the RUN folder pane. Delete it too.
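As an added example (not HijackThis code and not anything posted by the participants): a small Python triage script that parses the O4 lines of a HijackThis scan log and the "Autorun entries from Registry" sections of a StartupList report, and flags the three patterns this thread turned on: an autorun command that is a bare file name with no directory (which Windows resolves through the search path at boot), an entry marked "(file missing)", and one executable registered in more than one autorun location, which is why fixing a single entry kept failing here. The sample log text is constructed from the logs above, and the allow-list of Windows 98 components that legitimately start by bare name is my assumption.

```python
"""Triage HijackThis scan-log O4 lines and StartupList autorun sections.
Added example, not HijackThis code. Flags: a command that is a bare file
name (resolved via the search path at boot), an entry marked (file missing),
and one executable registered in more than one autorun location.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the logs posted in the thread.
SCANLOG = r"""
O2 - BHO: (no name) - {69fe4840-5478-11d7-8779-00104c127ee0} - C:\WINDOWS\APPLICATION DATA\MXLSTKFOO.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

STARTUPLIST = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
USBDetector = C:\USBStorage\USBDetector.exe
SystemTray = SysTray.Exe
Windows Decryption Manager = WINDOWS UPDATE MANAGER.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Windows Decryption Manager = WINDOWS UPDATE MANAGER.EXE
"""

# Assumed allow-list: Windows 98 components that start by bare name (both
# appear in the thread's StartupList); every other bare name is flagged.
KNOWN_BARE = {"systray.exe", "mstask.exe"}

O4_RUN = re.compile(r"^O4 - (HK\w\w)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (.*?) = (.*)$")
# First token ending in an executable-ish extension, quoted or not, so that
# "WINDOWS UPDATE MANAGER.EXE" parses as one file despite the spaces.
EXE = re.compile(r'^"?(.*?\.(?:exe|com|bat|pif|scr|dll|ocx))"?(?=\s|$)', re.I)

def target_of(command):
    """Return the executable part of an autorun command, or the raw text."""
    m = EXE.match(command.strip())
    return m.group(1) if m else command.strip()

def parse_scanlog(text):
    """Yield (location, name, command) for every O4 line of a scan log."""
    for line in text.splitlines():
        m = O4_RUN.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            yield f"{hive}\\{key}", name, cmd  # e.g. HKLM\Run
            continue
        m = O4_STARTUP.match(line)
        if m:
            yield "Startup folder", m.group(1), m.group(2)

def parse_startuplist(text):
    """Yield (location, name, command) from 'Autorun entries' sections."""
    lines, key = text.splitlines(), None
    for i, line in enumerate(lines):
        if line.startswith("Autorun entries from Registry:") and i + 1 < len(lines):
            parts = lines[i + 1].strip().split("\\")
            key = f"{parts[0]}\\{parts[-1]}"  # HKCU\RunOnce, same form as O4 lines
        elif line.startswith("----"):
            key = None
        elif key and " = " in line:
            name, cmd = line.split(" = ", 1)
            yield key, name.strip(), cmd.strip()

def triage(scanlog, startuplist):
    """Return sorted (target, finding) pairs that deserve a closer look."""
    findings, locations, display = set(), defaultdict(set), {}
    entries = list(parse_scanlog(scanlog)) + list(parse_startuplist(startuplist))
    for location, _name, cmd in entries:
        target = target_of(cmd)
        display.setdefault(target.lower(), target)
        locations[target.lower()].add(location)
        if "\\" not in target and target.lower() not in KNOWN_BARE:
            findings.add((target, "bare file name, resolved via search path"))
    for line in scanlog.splitlines():
        if line.endswith("(file missing)"):
            path = line.split(" - ")[-1].rsplit(" (", 1)[0]
            findings.add((path, "file missing"))
    for key, locs in locations.items():
        if len(locs) > 1:  # e.g. Run plus RunOnce: fixing one leaves the other
            findings.add((display[key], f"registered in {len(locs)} autorun locations"))
    return sorted(findings)

if __name__ == "__main__":
    for target, why in triage(SCANLOG, STARTUPLIST):
        print(f"{why:45} {target}")
```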


----------



## Edmond4 (Jun 13, 2003)

It's there, just where you said it was in WINDOWS\SYSTEM and is a hidden file. I deleted it, but it refuses to be deleted, says "Access denied. Make sure disk is not in use or write protected" or whatever it says.

If I begin to do a Run > REGEDIT, it pulls it up and then disappears just like the msconfig does.


----------



## Rollin' Rog (Dec 9, 2000)

Ok, as long as you've found it, there's hope.

You must follow the instructions I gave for removing the registry entries, be sure to get that other one as well. You should do this in Safe Mode. In Safe Mode the file should not be in use and you may be able to delete it.

Do this first though, so if we need to have you go to DOS, we have the correct DOS short name for it.

Right Click on the file and select "Properties". You should see the DOS shortname for it there, it should be *window~n* -- where the 'n' is a number. We will need to know that to get at it in DOS if necessary.


----------



## IMM (Feb 1, 2002)

I hope I don't confuse things here - but another possibility is to run process explorer (if you downloaded it) - right click the WINDOWS UPDATE MANAGER process and choose KILL. If it kills (vanishes from the task list) then you may be able to delete the file.
Empty the recycle bin if you succeed.

If at all possible (and you're comfortable doing it) zip a copy and email it to me (reply to the email I sent you) - that way we could figure out what we're dealing with.

(don't worry about the plugin trace file you sent me - it's just a log regarding the plugin for chatting with someone on this board)


----------



## Edmond4 (Jun 13, 2003)

I just realized that one of my last messages didn't go through all the way. When I have tried to do a "run" command and a regedit, I have the same issue as with the msconfig, it just disappears after about a second, so I can't do anything that way.

So, now should I reboot into safe mode and now delete the program in the c:\windows\system folder?

Was there another file you were telling me to seek after as well as the windows update manager?


----------



## Rollin' Rog (Dec 9, 2000)

I'm not surprised, that's consistent with certain virus files.

You may be able to get it to run in Safe Mode.

But if not, I also like IMM's idea about using Process Explorer to terminate running processes. You will see things there that don't show up in the Close Programs window.

http://www.sysinternals.com/

When you run it, right click on the task you want to kill and select "kill process". You may have to kill the usbdetector.exe as well. I consider that as equally suspicious as the other, and the file should be sent to the recycle bin as well.


----------



## Edmond4 (Jun 13, 2003)

Hurray,

That program killed the process, then I was able to go in and delete it. I then emptied the recycle bin.

Now, what are the other critical steps to take? I should defrag the hard drive, right? I can now bring up msconfig. There is a lot of crap in there. Even if most of it is now unchecked, can I go delete unnecessary crap that is there? I will now list what is there, see if you think there is any of it that I should rid myself of.

StartupList report, 6/14/03, 10:41:08 PM
StartupList version: 1.52
Started from : C:\MY DOCUMENTS\MY DOWNLOAD FILES\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTERVIDEO\COMMON\BIN\WINCINEMAMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\MY DOWNLOAD FILES\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
Norton eMail Protect = C:\Program Files\Norton AntiVirus\POPROXY.EXE
USBDetector = C:\USBStorage\USBDetector.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
ServiceConfig = "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe"
SystemTray = SysTray.Exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 2/6/2003, 1:41:38)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
Scan for Viruses.job
Live update.job
Daily scan.job

--------------------------------------------------

Enumerating Download Program Files:

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1080/V31Controls/x86/w98/en/actsetup.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 4,501 bytes
Report generated in 0.088 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Edmond4 (Jun 13, 2003)

Oh,

the USBDETECT is for detecting an external firewire drive that has a USB hookup as well.

That is another issue, I have a firewire drive, recently installed the firewire . . . .

I just tried my firewire drive via firewire cable connection, and for the first time, it works. That damn virus was screwing up a lot of things. I was on tech support last night trying to figure that one out as well.

You guys are great. I also bought a NetGear brand Cable web safe router yesterday. I have it hooked up as of last night, hopefully it will work to firewall things a bit better. That is a whole other issue to educate myself in. 

I appreciate very much the great help you guys have been with this whole thing. What an unbelievable nightmare. I can also now delete the USB detector, since I don't care to use it now that my firewire works. The USB detect seems to take up a ton of system resources as well.


----------



## Rollin' Rog (Dec 9, 2000)

Ok, great. Like IMM I couldn't find any hits on usbdetector.exe so it's something relatively new.

There are a couple of ways you can get rid of the unchecked msconfig entries. One would be to temporarily enable them and use Hijackthis to delete them. If the files are no longer there you may get some error messages on startup.

The other is to run regedit and look for them in the Run- and RunServices- (that's minus) folders in the keys I indicated. Most will probably be in the Hkey_Local_Machine tree, but you should look at both.

You only want to remove what is UNchecked and you are sure you have no need for. There is no harm in just leaving them that way if you have doubts. Others, such as "intervideo", you may want to disable.

No harm in defragging the drive. I don't do it very often myself (every few months), but if you've uninstalled a lot of programs it's probably a good idea.


----------



## Edmond4 (Jun 13, 2003)

Thanks man, you're great.

I will enable all of that startup stuff and then get rid of it. I can't believe how much better things are running now too. Having my firewire now work for the first time is also amazing.


----------



## Rollin' Rog (Dec 9, 2000)

If you have questions about whether to remove something, just ask.

This is a good site to review what they are and whether they are needed:

http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM


----------



## Edmond4 (Jun 13, 2003)

I do have questions.

I don't want to delete anything that is necessary.

The new log is as follows

Logfile of HijackThis v1.94.0
Scan saved at 11:18:13 PM, on 6/14/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.splor.com/slc
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
F1 - win.ini: run=hpfsched hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab


----------



## Edmond4 (Jun 13, 2003)

Oh crap,

I just got a "Microsoft updates available" telling me it is strongly recommended that I look for critical updates. Is that suspicious?

Anyway, I would really like some additional help knowing what to delete from the list above.

I will look at the list you provided as well. Thanks


----------



## Rollin' Rog (Dec 9, 2000)

You did re-enable the legitimate windows critical update checker:

O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

So it's not surprising you got that message. Personally I avoid MS updates and I find it very difficult to make recommendations for others. There is a thread in the Security Forum, stuck to the top, which covers many and some of the problems which may be associated with them.

I'm including another link to help you review startups.

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

You definitely want to leave enabled your Symantec/antivirus stuff, scanregistry, systray, usbdetector (now that we know what it is), loadpowerprofiles (if you are using power management options), stimon.exe (required for scanner use, but a shortcut can be substituted),

mstask.exe and windows critical update go together, the first will be recreated as long as critical update is enabled.

Others are pretty much optional, I leave DirectCD unchecked in msconfig and only run it from the start menu when needed.

You had this hiding in there, did you get an error message on startup:

O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE

Make sure it hasn't returned.
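The O4 lines in the log above are the startup entries Rollin' Rog walks through, and the one that was hiding in there ([Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE) is also the only one written as a bare file name with spaces and no path. The script below is an added example, not HijackThis code and not anything posted in this thread: it parses O4 lines copied from the log, compares the entry names against a baseline assumed from the advice in the thread (KNOWN_GOOD), and flags entries that are not on the baseline or that use a bare, space-containing file name.

```python
"""Triage the O4 (autorun) lines of a HijackThis log against a baseline.

Added example for this thread; not HijackThis code and not a tool either
helper posted. SAMPLE_LOG lines are copied from the thread's log; the
KNOWN_GOOD baseline is an assumption built from the advice in the thread.
"""
import re

# "O4 - HKLM\..\Run: [Name] command"   and   "O4 - Startup: file.lnk = path"
REG_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$")

# Entry names the thread's helpers said to leave enabled (assumed baseline,
# compared case-insensitively).
KNOWN_GOOD = {
    "scanregistry", "systemtray", "usbdetector", "loadpowerprofile",
    "stillimagemonitor", "schedulingagent", "criticalupdate", "scriptblocking",
    "nav defalert", "norton auto-protect", "norton email protect", "quicktime task",
}

# A subset of the O4 lines from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Windows Decryption Manager] WINDOWS UPDATE MANAGER.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""


def parse_o4(log_text):
    """Return one dict per O4 line with keys hive, key, name, cmd."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            entries.append(m.groupdict())
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append({"hive": "Startup", "key": "folder", **m.groupdict()})
    return entries


def executable_of(cmd):
    """Program part of a Run command: the quoted path, else text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log_text, baseline=KNOWN_GOOD):
    """Map entry name -> reasons it deserves a look; unflagged entries are absent."""
    flagged = {}
    for e in parse_o4(log_text):
        reasons = []
        exe = executable_of(e["cmd"])
        if e["name"].lower() not in baseline:
            reasons.append("not in baseline")
        # A bare file name containing spaces and no directory is how the
        # "WINDOWS UPDATE MANAGER.EXE" entry in this thread was written;
        # installers of real software almost always write a full, quoted path.
        if "\\" not in exe and " " in exe:
            reasons.append("bare filename with spaces")
        if reasons:
            flagged[e["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"{name:28} {', '.join(why)}")
```

Run as is, it prints the four entries to look at; swap SAMPLE_LOG for a saved log and KNOWN_GOOD for your own baseline. A flag means "look this one up" (the startup reference lists linked in this thread are the place to do that), not "delete it": DirectCD and MSN Messenger are flagged only because the baseline is short.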


----------



## Edmond4 (Jun 13, 2003)

Excellent. I have looked, and the virus has not returned. I am pleased to have that problem hopefully out of the way. Thanks for the page with the many definitions of what things are.


----------



## IMM (Feb 1, 2002)

Re: your email - I got the file - thanx
The process explorer I referred to is linked earlier in this post.
-----------
I was playing with it and it got away from me.
Here's what I can tell you so far (I'm still cleaning up a bit)
It is a cutie with a 'perturbed' import table etc.

It is very network aware and is a keylogger
It will create a directory called 
C:\WINDOWS\SYSTEM\mediacloned\
which contains multiple copies of itself with quite a few cute names.
DELETE this entire directory

It will add a section called [TTFontDimenCache] to c:\windows\system.ini.
You should remove the section by editing this with notepad or sysedit.exe

It will add the key (and subkeys of it)
HKEY_CURRENT_USER\Software\KAZAA
to the registry
You can delete those

I may know more in a while. I tried scanning the file at Trend's housecall and it gave it a clean bill of health ??

It's a bit smaller than kbot.f - it might be along the lines of W32.HLLW.Togod - I'm still looking at it (more carefully this time)


----------



## Rollin' Rog (Dec 9, 2000)

Considering what IMM has found, it would be wise to change any critical passwords, especially for financial accounts which you have used over the internet.


----------



## Edmond4 (Jun 13, 2003)

That is amazing stuff. I have gone in and now deleted the MEDIACLONED folder and edited out the recommended part of system.ini.

I don't know where HKEY_CURRENT_USER\Software\KAZAA is located, or what they are?

It will be interesting to see what other things you might find out. Would it also be smart to change my e-mail account passwords? If I've ever logged on to my bank here, will I be wanting to change those passwords, even if I haven't stored them on the computer?

Thanks for your help these last few days guys.


----------



## Edmond4 (Jun 13, 2003)

OH, I noticed in the windows.ini file, there was a brother and sister-in-law's names mentioned under passwords. Should this be deleted? Would they appreciate me deleting them?

Actually, I just checked, they are no longer there? How odd.

Would this virus have been here because of an install of KAZAA?


----------



## Rollin' Rog (Dec 9, 2000)

I'll let IMM respond to your questions in detail. I have no doubt that the trojan was acquired through the file sharing utility though. It's one of the hazards of any file sharing system, but kazaa in particular seems to be a vehicle for these.

Not using Kazaa myself, I don't know what registry entries for Kazaa would be legitimate Kazaa ones and what ones would be illegitimate add-ons.

The passwords in Win.ini are a legacy thing Windows does, I don't know why. It's strange they disappeared without your deleting them. I don't think they would be used for anything but logon purposes and that's easily bypassed anyway.

And yes, you should change all those passwords, as this was a "keylogging" trojan, so anything you typed might have been transmitted or made available in unencrypted form to a hacker.


----------



## Edmond4 (Jun 13, 2003)

Hey, one thing that I had a problem with this last week that made me suspicious of a virus was that all of my icons changed. I had folder icons on media files, and jpeg pictures as windows media files and other such things.

It just happened again in a media folder of mp3's. Half of the folder just changed icon to the IE icon? Any thoughts on how this is happening or if it is virus related?


----------



## Rollin' Rog (Dec 9, 2000)

That occasionally happens without any external cause. It is usually corruption of the ShellIconCache, a "hidden" file in c:\windows.

There are two ways to fix it. One is just to restart in Safe Mode and then return to normal. The other is to delete the ShellIconCache and reboot.

You will have to have 'show all files' checked to see it.

It gets rebuilt either way.

If the problem repeats, there is a registry tweak that might help; it enlarges the cache.

However, one other possibility, if this just occurred with mp3 files, is that the file association changed.

What you can do there is just select (highlight) one of the files, then shift+Right click on it. Select "open with" from the dialog window, and then select the media player you normally play mp3's with from the choices. You may have to click 'other' and browse. Then check the 'always use' box and OK. The icon will probably then change to one associated with the media player.


----------



## IMM (Feb 1, 2002)

Between yardwork and painting and the Formula1, I really haven't had any time to disassemble it - but I did fire off a copy to a couple of AV outfits.

In addition to shelli~1 (Shelliconcache), I'd also delete c:\windows\ttfcache and use TweakUI at some point to repair the Font folder. 

Regarding users:
In win.ini were the references to other PWL files for different users?
You should remove those entries (and delete all files with the pwl extension in c:\windows; DOS is probably easiest).
Check your settings in control Panel to see that all users have the same preferences as well.

I did a fairly extensive delete after it got loose on me - but most of it was probably unnecessary.

Will you look for me in your c:\windows folder (perhaps also c:\windows\system) for a file? I only have a partial name on it.
It should start with KEYL I think (tho' the name is probably longer) and have the extension .txt
If you find it, zip and email me a copy.
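IMM's two clean-up edits, removing the [TTFontDimenCache] section from system.ini (earlier post) and pruning the other users' PWL references from win.ini (this post), are both edits to Windows 9x .ini text. The functions below are an added example, not a tool either helper used, that make the same edits on a string so the result can be inspected before the file is written back; the two sample files are constructed, with only the section names taken from the thread and made-up user names.

```python
"""Edit Windows 9x .ini text: drop a whole section, or selected keys from one section.

Added example for this thread, not a tool either helper used. The edits are the
ones described in the thread (remove [TTFontDimenCache] from system.ini, prune
[Password Lists] in win.ini); both sample files are constructed, with made-up
user names.
"""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")

# Constructed system.ini; only the section names come from the thread.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll

[386Enh]
device=*vcd

[TTFontDimenCache]
0 4=1 2 3 4
0 5=1 2 3 4 5

[drivers]
wave=mmdrv.dll
"""

# Constructed win.ini; OWNER and GUEST1 are made-up user names.
SAMPLE_WIN_INI = r"""[windows]
load=
run=hpfsched

[Password Lists]
OWNER=C:\WINDOWS\OWNER.PWL
GUEST1=C:\WINDOWS\GUEST1.PWL
"""


def split_sections(text):
    """Return [(section_name or None, [lines])] in file order, losing no text."""
    blocks = []
    current = (None, [])          # lines before the first [header]
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            blocks.append(current)
            current = (m.group("name"), [line])
        else:
            current[1].append(line)
    blocks.append(current)
    return blocks


def join_sections(blocks):
    return "\n".join(line for _, lines in blocks for line in lines) + "\n"


def section_names(text):
    return [name for name, _ in split_sections(text) if name is not None]


def remove_section(text, section):
    """Drop the named section (case-insensitive) up to the next [header]."""
    keep = [b for b in split_sections(text) if (b[0] or "").lower() != section.lower()]
    return join_sections(keep)


def remove_keys(text, section, predicate):
    """Within one section, drop key=value lines for which predicate(key, value) is true."""
    out = []
    for name, lines in split_sections(text):
        if name is not None and name.lower() == section.lower():
            kept = [lines[0]]                      # keep the [header] itself
            for line in lines[1:]:
                if "=" in line and not line.lstrip().startswith(";"):
                    key, value = line.split("=", 1)
                    if predicate(key.strip(), value.strip()):
                        continue
                kept.append(line)
            lines = kept
        out.append((name, lines))
    return join_sections(out)


if __name__ == "__main__":
    print(remove_section(SAMPLE_SYSTEM_INI, "TTFontDimenCache"))
    # keep only the owner's password-list entry, drop every other user's
    print(remove_keys(SAMPLE_WIN_INI, "Password Lists", lambda k, v: k.upper() != "OWNER"))
```

Everything that is not the targeted section or key is passed through byte for byte, so a diff of the before and after text shows exactly the lines that went; keep a copy of the original file before writing the result back, as with any edit to system.ini or win.ini.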


----------



## Edmond4 (Jun 13, 2003)

This is called keylog.txt and is most incriminating. It indeed lists all internet activity since June 5, the day the virus was installed. It looks as if there is some reckoning with someone for the poor choice of sites and entertainment they've been accessing on-line. It's all there, including my passwords and usernames to different accounts. I'm glad I didn't do any on-line banking this past week. It's scary to know that I had two E-bay car auctions close just in the last 72 hours. Someone could have screwed me on this one. Heck, someone could have bid on all sorts of crap as well.

I think my room mate will have a fearful and rude awakening when he sees the note I leave for him with the text document up listing all of his internet activity. Poor fellow.


----------



## Edmond4 (Jun 13, 2003)

IMM,

How do I do a tweak UI? I did a search and found it downloadable from

http://www.microsoft.com/ntworkstation/downloads/PowerToys/Networking/NTTweakUI.asp

It unzipped and installed four files in c:\windows\temp folder. Does that do it? Should there be an executable file involved? There isn't an executable.

Anyway, thanks for the help.


----------



## Edmond4 (Jun 13, 2003)

By the way, I couldn't find the shelliconcache, so hopefully it's not an issue. Right now I don't have any perceived icons screwed up. They must have repaired themselves.


----------



## Rollin' Rog (Dec 9, 2000)

The shelliconcache is there, but it is a hidden file and you must have "show all files" checked in Folder Options > View to see it.

One of the TweakUI files will have a .inf extension. Right click on that and select "install". Once installed you should find an icon for it in the Control Panel.


----------



## IMM (Feb 1, 2002)

It turns out to be a newer variant of w32.Spybot worm. I'm told (by Symantec) that their beta definitions now identify it - so it should show up in the released virus defs soon.

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html


----------



## Edmond4 (Jun 13, 2003)

I currently have a PDF document that is showing a nero icon. There may be other things as well. I've never seen that before this past week.

I can only find a C:\WINDOWS folder that says ShellNew. Then in the C:\WINDOWS\SYSTEM I find a Shellext folder. Nowhere can I locate a shelliconcache however.

Oh, I just found it in a search. I was looking for a folder, but it was not a folder. DUMB of me.

Thanks

All files are showing.

Thanks for all the help you guys.


----------



## Edmond4 (Jun 13, 2003)

IMM,

How do I do a tweak UI? I did a search and found it downloadable from

http://www.microsoft.com/ntworkstat...g/NTTweakUI.asp

It unzipped and installed four files in c:\windows\temp folder. Does that do it? Should there be an executable file involved? There isn't an executable.

Anyway, thanks for the help.


----------



## Rollin' Rog (Dec 9, 2000)

One of those files will have a .inf extension. 

That is the install file. You must right click on it and select "install" from the right click menu. After the process completes TweakUI should be in your Control Panel.


----------



## Edmond4 (Jun 13, 2003)

One other question: I've just noticed in the control panel two things I've never seen before.

They are: 

1) BDE Administrator

and 

2) ODBC Data Sources (32bit)

Are these database something-or-other applications remnants of the virus I had? I never installed them unless they were a part of what you guys had me install to check my system. Any thoughts of what I should do to them?


----------



## Rollin' Rog (Dec 9, 2000)

It stands for Borland DataBase Engine, and it's nothing we've had you install. It would normally be a package a programmer, developer or someone using specialized office programs might use for data base handling.

I'm wondering if it might have come with:

ServiceConfig = "C:\Program Files\Comcast\MigCfg\programs\ispbeg.exe" .....

ServiceConfig
ispbeg.exe
Comcast Transition Wizard. On June 30th, 2003 it will migrate E-mail and web pages from AT&T Broadband Internet to Comcast High-Speed Internet. Until then it will run at startup and then terminate - hence the U recommendation


----------



## Edmond4 (Jun 13, 2003)

OH,

very smart of you. Indeed, I downloaded it for that transition. Is comcast who your provider is?


----------



## Rollin' Rog (Dec 9, 2000)

No, but I've been seeing it in startups for others lately, so had to identify it. Since it's a database program of some kind, I figured that would be the connection.


----------

