MSConfig Has Entries Pointing to Non-Existent Files

I am trying to follow the "READ & RUN ME FIRST. Malware Removal Guide" procedures, but I am having a problem getting free of MSConfig. I have half a dozen startups that I have unchecked in MSConfig, but now I find that those stopped startups point to registry entries that do not exist. What should I do? Can I continue without "cleaning up" MSConfig? If not, then how do I clean up MSConfig?

 

TimW,

Thanks for straightening me out on that.

When I received your reply, I had just found Startup Inspector and was using it to clean up the dead entries in MSConfig, so now I booting in normal startup mode with a clean MSConfig.

I will open a new thread when I have the logs ready.

QuidErgo

 

Okay, I will stay in this thread. Three of my logs are attached. Here is why I am doing this:

On 18 Feb, Avira AntiVir Personal found TR/Crypt.XPACK.Gen and SpyBot Search & Destroy found Win32.Bitar.a. They were removed.

On 5 March, Malwarebytes Anti-Malware found Trojan.Vundo. One of the files that it was in was C:\Windows\System32\wextract.exe. I had an XPSP2 stream CD (a couple of years od) containing of wextract.exe I copied it to my hard drive, and MAM found Vundo in that file also. I have run MAM in the past and it never found Vundo in anything, so I can't help wondering if it was a false positive.

I ran later scans and Vundo appeared again on 10 Mar on a backup disk in the following:
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355575.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355576.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355577.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355578.EXE (Trojan.Vundo) -> Quarantined and deleted successfully.
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355579.EXE (Trojan.Vundo) -> Quarantined and deleted successfully.
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355580.EXE (Trojan.Vundo) -> Quarantined and deleted successfully.
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355581.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355582.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355583.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
Y:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP900\A0355584.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Similar occurrence on 6 March, but mostly on the C drive.

What's happening here? Logs are attached and fourth log will follow. Am I okay now?

 

See my previous post. SAS log is attached.

 

TimW,

Thanks for analyzing my logs and for sending me final instructions. One problem is that c:\documents and settings\roy\LOCAL settings\Temp does not now contain JMUAZT.exe, so I cannot delete it. I am showing hidden files and am not hiding protected OS files.

JMUAZT is not running, although it is listed as "Manual" in Administrative Tools - Services. It is in three locations in the Registry:
HKLM\System\ControlSet001\Services
HKLM\System\ControlSet005\Services
HKLM\System\CurrentControlSet\Services

Is this something that I should be worried about? I will hold off on doing the final instructions until I hear back from you.

 

It appears in Services as JMUAZT. It is not started and has "Startup Type" listed as "Manual" with "Log On As" listed as "Local System." When I look at its Properties, "Path to executable" is "C:\DOCUME~1\roy\LOCALS~1\Temp\JMUAZT.exe" and "Service status" is "Stopped." "Dependencies" tab shows nothing.

Full Reg key paths are:
HKLM\System\ControlSet001\Services\JMUAZT
HKLM\System\ControlSet005\Services\JMUAZT
HKLM\System\CurrentControlSet\Services\JMUAZT

Although JMUAZT.exe has disappeared from my hard drive, it is still in c:\documents and settings\roy\LOCAL settings\Temp on a backup drive.

 

The backup drive is an external USB hard drive containing a full C drive backup updated by Retrospect. I can easily delete the file using Windows Explorer.

I created the fixME.reg file, but when I double-clicked, it opened in Notepad. I then realized that I had probably changed the association of reg files to open in Notepad so that I had to make a conscious effort to run one. I thought I made this change using the PC Magazine Registry Robot utility, but when I when I went into Registry Robot, I got a message that the specific Registry location was not found.

Here is the information from Registry Robot about the key: "In Registry key HKCR\[VAR]\shell (where [VAR] is replaced by "", found at HKCR\.reg\\), add or change the value named (Default), changing its current data of (none) to edit,merge,print."

I believe that I can still run fixMe.reg by right-clicking on it and selecting Open With and then Registry Editor.

Should I go ahead and do this and also delete JMUAZT.exe from the backup HD?

Also, I want to delete the old system restore points on that backup drive. Where are they located so that I can manually delete them?

 

OK. I completed everything, and I turned off System Restore, rebooted, and turned it back on.

One last question. After running the JMUAZT.EXE registry cleanup I did another search in Regedit and found the following:

HKLM\SYSTEM\ControlSet005\Enum\Root\LEGACY_JMUAZT contains the following:
(Default) REG_SZ (value not set)
NextInstance REG_DWORD 0x00000001 (1)

HKLM\SYSTEM\ControlSet005\Enum\Root\LEGACY_JMUAZT\0000 contains the following:
(Default) REG_SZ (value not set)
Class REG_SZ LegacyDriver
ClassGUID REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}
ConfigFlags REG_DWORD 0x00000000 (0)
DeviceDesc REG_SZ JMUAZT
Legacy REG_DWORD 0x00000001 (1)
Service REG_SZ JMUAZT

I think I missed this the first time because I searched for JMUAZT.EXE. This time I only searched for JMUAZT. I would like to delete these two Registry keys in Regedit. Should I?

 

I had to download ComboFix and MGTools again.

I stopped my antivirus and antispyware before running ComboFix, but I forgot about TeaTimer and did not stop that until just before running MGTools. I used Process Explorer to kill TeaTimer. I hope that did not invalidate the process.

I installed MGTools after running ComboFix. Then I ran GetLogs.bat after that. I think there may have been some redundancy there. Again, I hope that was not a screwup on my part.

I have attached both combofix.txt and mglogs.zip.

The Registry does not contain any more references to JMUAZT.

Do I need to do anything else, or am I ok now?

By the way, what exactly, is a LEGACY key?