HELP---I cannot get into msconfig or Add/Delete Programs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by johnnyb78, Jan 21, 2006.

  1. johnnyb78

    johnnyb78 Private E-2

    The other day I got an IM from a friend and downloaded some sort of worm/trojan/malware onto my computer. I have used Spybot and Adaware to try to get rid of it. Now I cannot get into my msconfig nor can I Add/Delete Programs. The dl.exe window comes up sporadically as well. I need HELP. Here is my HiJack this info:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:16:37 PM, on 01/21/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\Userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\AOL\1135664130\ee\AOLSoftware.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\scvhost.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM32\?ttrib.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://pop.allentownsd.org/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\t9kn45lc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\t9kn45lc.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
    O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\anv8t.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FB261B73-85B8-F54D-9C1F-8EBADE4315B2} - C:\WINDOWS\System32\jvj.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135664130\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c356.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please read the sticky thread and do not post any logs (especially HJT) inline.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    Then run this: SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal




    After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

    .
     
  3. johnnyb78

    johnnyb78 Private E-2

    I did all the steps in READ & RUN ME FIRST Before Asking for Support and I am still having problems.
    1. My computer won't let me into MSconfig. I get the error message "System Configuration Utility has encountered a problem and needs to close".
    2. Ads are constantly popping up and my internet runs very slowly. attrib.exe runs all the time and it takes a lot of memory to run. How do I remove that?
    3. My computer shuts down instead of going to standby. It is weird, the PC shuts off but when I press the button on the PC (which is off) it does not go through the beginning startup, it just goes to my desktop.

    Can someone help me?

    Thanks,
    John
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a bunch of issues. But first, a few major observations/problems with your system setup:

    1. Your OS & IE versions are way out of date and represent a major security risk to you. After we fix any current problems you must get updated or you will remain very susceptible to a ton of malware problems.
    2. You have no antivirus application.
    3. You have no firewall application.
    We will first make a few fixes to what is visible in your HJT log and then I will need to have you run a few other cleaning tools.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Local Security Authority Subsystem Service (or if not found look for the short name: lsass) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Local Security Authority Subsystem Service

    If that does not work try entering the short name: lsass

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\SYSTEM32\?ttrib.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\anv8t.dll
    O2 - BHO: (no name) - {FB261B73-85B8-F54D-9C1F-8EBADE4315B2} - C:\WINDOWS\System32\jvj.dll
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c356.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM32\cards.ico
    C:\WINDOWS\SYSTEM32\exactsetup.dll
    C:\WINDOWS\SYSTEM32\Xcite.dll
    C:\WINDOWS\SYSTEM32\Xcite.exe
    C:\WINDOWS\kwv2.dat
    C:\PROGRAM FILES\DelFin
    C:\WINDOWS\9ui.sys
    C:\WINDOWS\SYSTEM32\a78wbn.dll
    C:\WINDOWS\SYSTEM32\cm1.dll
    C:\WINDOWS\SYSTEM32\fly.dll
    C:\WINDOWS\SYSTEM32\httppost.exe
    C:\WINDOWS\SYSTEM32\lwr2.dll
    C:\WINDOWS\SYSTEM32\msfdje.gif
    C:\WINDOWS\SYSTEM32\msglji.gif
    C:\WINDOWS\SYSTEM32\msshed32.exe
    C:\WINDOWS\SYSTEM32\ncase.dll
    C:\WINDOWS\SYSTEM32\ncase2.dll
    C:\WINDOWS\SYSTEM32\nostalgia.dlltmp
    C:\WINDOWS\SYSTEM32\OMsetup.exe
    C:\WINDOWS\SYSTEM32\pxcpya64.exe
    C:\WINDOWS\SYSTEM32\pxcpyi64.exe
    C:\WINDOWS\SYSTEM32\pxinsa64.exe
    C:\WINDOWS\SYSTEM32\pxinsi64.exe
    C:\WINDOWS\SYSTEM32\x4zpu.exe
    C:\WINDOWS\SYSTEM32\anv8t.dll
    C:\WINDOWS\System32\jvj.dll
    C:\WINDOWS\scvhost.exe
    C:\WINDOWS\SYSTEM32\?ttrib.exe <--- do not delete attrib.exe which is valid. This file with ?ttrib.exe may look like attrib.exe but it is not. Sort the folder alphabetically and you will probably see two attrib.exe. The one that is out of order is that bad one and it is probably much larger in size than the valid attrib.exe. The valid file is about 10 to 15 kbytes in size. The non-valid one can be anything (maybe a few hundred kbytes).

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Now run the steps in the following link and attach the requested logs: SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

    Make sure you tell me how things are working!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
    Last edited: Jan 27, 2006
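The checks chaslang describes above (a file whose name differs from attrib.exe only by one odd character, a copy that sorts out of place and is far larger than the real one, a service called lsass whose binary is scvhost.exe outside System32) can be automated against a HijackThis-style log. The script below is an added example written for this page, not a tool from the thread or from MajorGeeks; it generalizes slightly by also catching transposed-letter names such as scvhost.exe. The KNOWN_BINARIES table, the size ceilings (apart from the roughly 15 KB attrib.exe figure quoted in the post) and the CORE_PROCESS_NAMES list are assumptions of the example, and the log excerpt is constructed from the log posted earlier in the thread.

```python
import re
from pathlib import PureWindowsPath

# Legitimate Windows binaries that the files in this thread imitate: the
# directory each belongs in and a rough size ceiling in bytes (None = no
# size check). The ~15 KB ceiling for attrib.exe is the figure given in the
# thread; the rest of this table is an assumption of the example.
KNOWN_BINARIES = {
    "attrib.exe": (r"c:\windows\system32", 15 * 1024),
    "svchost.exe": (r"c:\windows\system32", None),
    "lsass.exe": (r"c:\windows\system32", None),
}
# Core process names Windows does not use as NT service short names; a service
# registered as "lsass" or "svchost" is borrowing a trusted name (assumption).
CORE_PROCESS_NAMES = {"lsass", "svchost", "winlogon", "csrss", "smss", "services"}
# "O23 - Service: <display> (<short>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?: \(file missing\))?$"
)

def matches_with_wildcards(candidate, known):
    """True when candidate equals known except at positions holding a non-ASCII
    character or '?' (what such a character becomes when a log is pasted into a
    forum; a real Windows file name cannot contain '?')."""
    if len(candidate) != len(known):
        return False
    return all(c == k or c == "?" or ord(c) > 127 for c, k in zip(candidate, known))

def is_transposition(candidate, known):
    """True when candidate is known with two adjacent characters swapped."""
    if len(candidate) != len(known) or candidate == known:
        return False
    diff = [i for i, (c, k) in enumerate(zip(candidate, known)) if c != k]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and candidate[diff[0]] == known[diff[1]]
            and candidate[diff[1]] == known[diff[0]])

def lookalike_of(filename):
    """Return the legitimate name a file name imitates, or None."""
    name = filename.lower()
    if name in KNOWN_BINARIES:
        return None
    for known in KNOWN_BINARIES:
        if matches_with_wildcards(name, known) or is_transposition(name, known):
            return known
    return None

def assess_process(path, size=None):
    """Findings for one path: lookalike name, wrong directory, or (when a size
    is supplied) implausibly large for the binary it imitates."""
    p = PureWindowsPath(path.lower())
    findings = []
    hit = lookalike_of(p.name)
    if hit:
        findings.append(f"lookalike of {hit}")
    known = KNOWN_BINARIES.get(hit or p.name)
    if known:
        expected_dir, size_ceiling = known
        if str(p.parent) != expected_dir:
            findings.append(f"outside {expected_dir}")
        if size is not None and size_ceiling is not None and size > size_ceiling:
            findings.append(f"{size} bytes exceeds expected ~{size_ceiling}")
    return findings

def assess_service(line):
    """Findings for one HijackThis O23 line: missing owner, borrowed core
    process name, and whatever assess_process says about the binary."""
    m = O23_RE.match(line.strip())
    if not m:
        return []
    findings = []
    if m["owner"] == "Unknown owner":
        findings.append("no owner/company recorded")
    short = m["short"].lower()
    if short in CORE_PROCESS_NAMES:
        findings.append(f"short name '{short}' mimics a core Windows process")
    return findings + assess_process(m["path"])

def triage_log(log_text):
    """Assess every path under 'Running processes:' and every O23 line;
    returns {line: findings} for the lines that produced findings."""
    report, in_processes = {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            findings = assess_process(line)
        elif line.startswith("O23 - "):
            findings = assess_service(line)
        else:
            continue
        if findings:
            report[line] = findings
    return report

# Constructed excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\SYSTEM32\?ttrib.exe

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for entry, findings in triage_log(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(findings))
```

Running it on the excerpt flags scvhost.exe (transposed name, outside System32), the ?ttrib.exe process (lookalike of attrib.exe) and the lsass service (unknown owner, borrowed core name, lookalike binary outside System32), while smss.exe, the real svchost.exe and the NVIDIA service pass; passing a file size to assess_process adds the "too large to be the real attrib.exe" check from the post.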
  5. johnnyb78

    johnnyb78 Private E-2

    I still cannot get into my msconfig. It gives me the same error as before.

    I did everything that you said but I could not find the following files to delete...
    on HJT:
    C:\WINDOWS\scvhost.exe (file missing)

    in Explorer:
    C:\WINDOWS\System32\jvj.dll
    C:\WINDOWS\scvhost.exe

    Thanks for your help,
    John
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not complete the rest of the steps in my message.
     
  7. johnnyb78

    johnnyb78 Private E-2

    Sorry about that...here are the other files.
    ~John
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would be a good idea to login to both the Owner and LocalService accounts and clean up cookies and Temporary Internet Files. You can do this using Ccleaner on each account. How, and for what, are you using the LocalService account anyway? This is not normally accessible. It defaults to having no password, which is not secure either. Normally this account is not even visible for normal login. Did you initiate some kind of service to run using the LocalService account? Seems strange to see cookies in this account.

    Look in Add/Remove programs for the below and uninstall if found:
    MediaTickets
    BrowserPal

    Run Windows Explorer and locate the below files and delete them.
    C:\WINDOWS\SYSTEM32\fiz1
    C:\WINDOWS\SYSTEM32\downloader_mind_silent.exe
    C:\WINDOWS\salm_kyf.dat

    Use Windows Explorer to open the C:\WINDOWS\Downloaded Program Files folder. Right-click and remove any of the below entries if found:
    • MediaTicketsInstaller Control
    • {16556DE0-D692-494C-A8E7-7FAD0E2931D9}
    • ShellInstaller Control (BuddyLinks variant)
    Additional step to delete UWFX5_0001_N57M2811NetInstaller.exe
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s UWFX5_0001_N57M2811NetInstaller.exe
    del UWFX5_0001_N57M2811NetInstaller.exe
    exit

    Then get yourself started on the below ASAP before you get infected again. In fact, due to your lack of antivirus and firewall, I recommend you perform the steps in a different order. Do steps 3, then 2, then 1. And then complete the rest.

    How to Protect yourself from malware!
     
  9. johnnyb78

    johnnyb78 Private E-2

    Again thanks for your help. I added a firewall and virus protection.

    Any idea why I get this error message every time I attempt to run msconfig? "System Configuration Utility has encountered a problem and needs to close. We are sorry for the inconvenience."

    I can no longer get into msconfig and I am trying to figure it out. I just thought you might know.

    Thanks again...my system is working at top speed now!

    John
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does this mean you only did steps 3 & 2?

    I was just waiting until all malware problems are resolved before worrying about msconfig.

    Click Start, Run and enter the following in the run box Notepad C:\boot.ini then click OK.

    Copy and paste the contents of your boot.ini file back here.
     
  11. johnnyb78

    johnnyb78 Private E-2

    I did do step one as well. I updated my Windows and Internet Explorer. I forgot to mention that. I also got rid of the guest account which I established when I had roommates.

    Here is the info from my boot.ini
    [boot loader]
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you using MS Windows Whistler Personal? This was the preliminary version of Windows XP? I do not think you got your system updated.

    Please attach a new HJT log?
     
  13. johnnyb78

    johnnyb78 Private E-2

    I don't know. I did the Windows Update from the Protect yourself from malware thread. I just did it again in case it didn't "take" the first time. I have attached my HJT log.
    Thanks,
    John
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Whatever you are doing, you are not getting updated. You still have exactly the same OS as before. Windows XP (WinNT 5.01.2600)

    Did Windows Update ask you to verify the authenticity of your OS? They talk about Windows Genuine Advantage. Also you would need to install a new Windows Installer and maybe a few other things before you can even get updated. Connect to Windows Update again and check your History of downloads and look for errors. I can tell from your log that your system has not been verified by Microsoft to be valid. Without doing this you will not be able to get all of the required updates. You will only be able to get a few critical updates for your particular OS. And in your case, your OS is too old and not secure. You need to get fully updated to Win XP SP2.



    At this point I'm not sure whether Whistler can be updated or not? You may need to ask about that over in the Software Forum.
     
  15. johnnyb78

    johnnyb78 Private E-2

    I don't know how to upgrade from MS Windows Whistler Personal. I did the authentication last night and did the Windows Update again, but I am still using Whistler. I can finally get into my msconfig though, so that is a plus.

    Shall I try the software forum?

    ~John
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! This would be a topic better suited for the Software Forum. Perhaps Whistler does not have an upgrade path to full XP. It may require that you buy Windows XP and install it (much like going from Windows 2000 to XP would require).
     
