way too many things in msconfig startup

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Zambesi, Oct 12, 2006.

  1. Zambesi

    Zambesi Private E-2

    Greetings,

    I've followed all the instructions in the primer and read through many of these threads. Some things were fixed, like I cleared the auto-launch of an iexplorer window looking in vain for www.63.246.131.130. That was progress. I inherited this emachine (Intel Celeron 2.6 GHz; Win XP Home, version 2002, SP2, fully updated). I get the web through the UK's Blueyonder cable-based broadband and use the PCGuard suite, including firewall, spyware and virus protection. BUT this PC was elsewhere before, out of my control, and was massively infected. I cleaned and cleaned and cleaned. Nevertheless I can recognise that there are many programs appearing in msconfig startup that just should not be there. I am a little uncertain of how exactly to delete them all and get this uncared-for PC back up to fighting weight. If you guys can help I'll be much obliged. Here are my logs:
     

    Attached Files:

  2. Zambesi

    Zambesi Private E-2

    and the rest of the logs:

    Cheers mate!
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are still logged in, hang in here for awhile. I'm working up a fix for you now!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below setting in the R1 line from HJT something that you recognize?
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://63.246.131.130/secur.html

    Goto Add/Remove Programs and uninstall the below:
    Viewpoint Media Player (Remove Only)
    Now continue by downloading a tool we will need: Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [MP Services] mpsvc.exe
    O4 - HKLM\..\Run: [Windows Lmhost Util] lmhost.exe
    O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\secure.exe
    O4 - HKLM\..\Run: [System Stats] SystemStat.exe
    O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\dllmanger.exe
    O4 - HKLM\..\Run: [notepad.exe] C:\WINDOWS\site.exe
    O4 - HKLM\..\Run: [McAfee AntiVirus] McAffee.exe
    O4 - HKLM\..\Run: [Personal Firewall] CCplus.exe
    O4 - HKLM\..\Run: [Windows Taskbar System] tasksys.exe
    O4 - HKLM\..\Run: [Windows Sound Manager] SndMon32.exe
    O4 - HKLM\..\Run: [Windows DNS Daemon] windnsd.exe
    O4 - HKLM\..\Run: [outlook] outlook.exe
    O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
    O4 - HKLM\..\Run: [Norton Guard 32] ntguard32.exe
    O4 - HKLM\..\Run: [Networks Configurator] NetConfs.exe
    O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
    O4 - HKLM\..\Run: [Microsoft Windows Explorer] iexplorer.exe
    O4 - HKLM\..\Run: [Flashget Download Manager] Flashget.exe
    O4 - HKLM\..\RunServices: [Networks Configurator] NetConfs.exe
    O4 - HKLM\..\RunServices: [Windows DNS Daemon] windnsd.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Explorer] iexplorer.exe
    O4 - HKLM\..\RunServices: [MP Services] mpsvc.exe
    O4 - HKLM\..\RunServices: [Norton Guard 32] ntguard32.exe
    O4 - HKLM\..\RunServices: [Windows Sound Manager] SndMon32.exe
    O4 - HKLM\..\RunServices: [Windows Lmhost Util] lmhost.exe
    O4 - HKLM\..\RunServices: [nternet Explorer] iexplore.exe
    O4 - HKLM\..\RunServices: [System Stats] SystemStat.exe
    O4 - HKLM\..\RunServices: [dlite] dllmanager.exe
    O4 - HKLM\..\RunServices: [McAfee AntiVirus] McAffee.exe
    O4 - HKLM\..\RunServices: [Flashget Download Manager] Flashget.exe
    O4 - HKLM\..\RunServices: [Windows Taskbar System] tasksys.exe
    O4 - HKLM\..\RunServices: [Personal Firewall] CCplus.exe
    O4 - HKCU\..\Run: [MP Services] mpsvc.exe
    O4 - HKCU\..\Run: [System Stats] SystemStat.exe
    O4 - HKCU\..\Run: [McAfee AntiVirus] McAffee.exe
    O4 - HKCU\..\Run: [Personal Firewall] CCplus.exe
    O4 - HKCU\..\Run: [dlite] dllmanager.exe
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I7S5ITC5\secur[1].html
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4TMDPQ5E\MediaTicketsInstaller[1].cab
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YPI52X6T\bridge-c46[1].cab
    C:\WINDOWS\Downloaded Program Files\WinAdServX.dll
    C:\WINDOWS\Downloaded Program Files\WinAdCtlX.dll
    C:\WINDOWS\Downloaded Program Files\WinTaskAdX.dll
    C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
    C:\Windows\System32\CCplus.exe
    C:\Windows\System32\dllmanager.exe
    C:\Windows\System32\Flashget.exe
    C:\Windows\System32\iexplore.exe
    C:\Windows\System32\iexplorer.exe
    C:\Windows\System32\lmhost.exe
    C:\Windows\System32\McAffee.exe
    C:\Windows\System32\mpsvc.exe
    C:\Windows\System32\NetConfs.exe
    C:\Windows\System32\ntguard32.exe
    C:\WINDOWS\System32\objsafe.tlb
    C:\Windows\System32\outlook.exe
    C:\Windows\System32\SndMon32.exe
    C:\Windows\System32\svmhost.exe
    C:\Windows\System32\SystemStat.exe
    C:\Windows\System32\tasksys.exe
    C:\Windows\System32\windnsd.exe
    C:\WINDOWS\secure.exe
    C:\WINDOWS\dllmanger.exe
    C:\WINDOWS\site.exe
    C:\WINDOWS\t00lz4.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Also after reboot, delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\temp
    C:\Windows\temp
    C:\Documents and Settings\Marchmont\Local Settings\Temp
    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
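    The O4 list above is worth reading for the patterns that gave these entries away rather than just fixing them one by one: values written to the RunServices key (a Win9x/Me key that XP never reads), bare file names with no path, file names one letter off a well-known binary (svmhost, iexplorer, McAffee), and value names that borrow a system binary's name while launching something else ([taskmgr.exe] running secure.exe). The script below, added here as an illustration and not part of chaslang's instructions or the HijackThis tool, applies those four checks to O4 lines; the list of well-known binary names, the similarity threshold and the one benign jusched.exe line are assumptions chosen for the example, the other sample lines are copied from the post above.

```python
"""Triage HijackThis O4 (autostart) lines for the tell-tale signs seen in the
post above: RunServices entries, bare file names, look-alike binary names and
value names that borrow a system binary's name.  Added example; sample lines are
copied from the thread plus one constructed benign entry."""
import difflib
import re
from typing import List, Optional, Tuple

# Names that malware commonly imitates (assumption: a small illustrative list).
KNOWN_BINARIES = sorted({
    "csrss", "dllhost", "explorer", "iexplore", "lsass", "mcafee", "notepad",
    "outlook", "services", "smss", "spoolsv", "svchost", "taskmgr", "winlogon",
})
LOOKALIKE_THRESHOLD = 0.8  # difflib ratio; an assumed cut-off, tuned on the lines below

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$"
)


def program_of(cmd: str) -> str:
    """Return the executable part of a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def stem(name: str) -> str:
    """Lower-case basename without a trailing .exe, e.g. C:\\X\\Foo.EXE -> foo."""
    base = re.split(r"[\\/]", name.strip().strip('"'))[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def lookalike(name: str) -> Optional[str]:
    """Closest well-known binary name within the threshold, excluding exact matches."""
    best, best_ratio = None, 0.0
    for known in KNOWN_BINARIES:
        ratio = difflib.SequenceMatcher(None, name, known).ratio()
        if known != name and ratio >= LOOKALIKE_THRESHOLD and ratio > best_ratio:
            best, best_ratio = known, ratio
    return best


def analyse_o4(line: str) -> Optional[List[str]]:
    """Flags raised by one O4 line; None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    flags: List[str] = []
    if m["key"].startswith("RunServices"):
        # RunServices is a Win9x/Me key; NT-based Windows (XP) never reads it,
        # so software written for XP has no reason to put anything there.
        flags.append("runservices_key")
    program = program_of(m["cmd"])
    if "\\" not in program and "/" not in program:
        # A bare name is resolved through the search path (usually System32);
        # legitimate autostarts almost always carry a full path.
        flags.append("bare_filename")
    target = stem(program)
    hit = lookalike(target)
    if hit:
        flags.append(f"lookalike:{hit}")
    label = stem(m["label"])
    if " " not in label and label != target:
        ref = label if label in KNOWN_BINARIES else lookalike(label)
        if ref:
            # The value name claims to be a system binary but runs something else.
            flags.append(f"label_impersonates:{ref}")
    return flags


def scan(lines) -> List[Tuple[str, List[str]]]:
    """(line, flags) for every O4 line that raised at least one flag."""
    out = []
    for line in lines:
        flags = analyse_o4(line)
        if flags:
            out.append((line.strip(), flags))
    return out


# Six lines taken from the post above plus one constructed benign entry.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\secure.exe",
    r"O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\dllmanger.exe",
    r"O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe",
    r"O4 - HKLM\..\Run: [Microsoft Windows Explorer] iexplorer.exe",
    r"O4 - HKLM\..\RunServices: [Windows DNS Daemon] windnsd.exe",
    r"O4 - HKCU\..\Run: [McAfee AntiVirus] McAffee.exe",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe",
]

if __name__ == "__main__":
    for line, flags in scan(SAMPLE_LOG):
        print(f"{', '.join(flags):45} {line}")
```

    Heuristics like these only shortlist entries for a human to confirm; a packed legitimate installer can trip the bare-filename check, and a real infection can use a full path and a unique name. The point of the example is that a reviewer looks for the pattern (key, path, name, label) rather than recognising each file by memory.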
  5. Zambesi

    Zambesi Private E-2

    Nice one, really great stuff. I've been through all that (sorry I missed you, I went to bed since I am in Scotland and we're five hours ahead of you guys). Also been learning a lot from that German site that analyses HJT logs and the other process list and startup list analysis sites.

    I can report that: No more explorer windows open on startup, neither does Outlook, thank heavens for that. So that seems fixed. There's an MS critical update warning in my system tray, just popped up. I'll install that after this post.

    One worry/query. There are two other user logins set on this computer, both set to Admin, and the Guest of course. Am I cleaning all of them? Or will I need to go into each and sort it all out? As they belong to the old owners, who are away travelling, I can set them to non-Admin if need be; this would probably be safer anyway. Passwords are set for all. Apologies if I should have mentioned this before.

    the PendingFileRenameOperations prompt DID NOT appear.

    Again, cheers for everything!
     

    Attached Files:

  6. Zambesi

    Zambesi Private E-2

    One more thing. I deleted all the old files that were in C:\Documents and Settings\Marchmont\Local Settings\Temp, BUT I wasn't sure about going into the subfolders within that file. So I did not delete any files in those folders. Should I?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my previous question. I asked the below:

    You should clean all user accounts to be safe. After the first is clean the others should be easier since many of the bad files will already be gone. The Guest account should be disabled!!! You will be better off leaving the other accounts with admin privileges while you remove any malware. After finishing the cleanup, you should then decide whether the accounts require admin privileges or not.

    You still have some registry entries related to the infection that we need to clean!

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop (yes overwrite the previous copy). Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Then attach a new log from GetRunKey! How are things working now?
     
    Last edited: Oct 14, 2006
  8. Zambesi

    Zambesi Private E-2

    Hey there,

    Sorry about not answering that question. When I first got this computer an IE window would open to an Italian porn site on startup. That was when I was installing my broadband service, Blueyonder. Quickly, their security suite software that comes with the broadband service (PCGuard) fixed a lot of stuff on installation and one of the things that changed was that the IE window opened, but could not find a server. The site it was trying to find was the same as that in your post http://63.246.131.130/secur.html I would not go there (and I'm a little worried that these appear as hyperlinks on the posts, nobody click them!).

    Now after our efforts, the window does not try to launch at all but I see that the site is still in there somewhere, as you have noticed. I've found many different forum posts discussing the same problem. Finding one on MajorGeeks was how I found you guys!

    I'll clean the other users and disable guests now. Here's my logs after running the new REGEDIT. Thanks a bunch.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since the R1 line appears to be something you do not want, do the below.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://63.246.131.130/secur.html

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    Now if you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work thru the below link:
     
