no msconfig.exe & Spybotsd.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gyniolatry, May 11, 2005.

  1. Gyniolatry

    Gyniolatry Private E-2

    Something is messing with msconfig & spybot
    intel p4, 2.4, 512, nvid.mx 400, XPHome
    I DID have SP1.

    history-
    Realizing the auto-update was downloading SP2 on my 56k dial up modem, and canceling it, I rebooted to find 16 colors and all processes disabled and no SP1. Performed a system restore only to find that I had turned it off some months ago in my last spyware removal frenzy.
    After reading posts on various issues, I have been able to return to a reasonable level of functionality, although still having dial up & video hassles (stuttering video/gameplay on previously OK games).


    I have tried all of the READ FIRST...steps except the online scans due to connection issue and lack of security patches.
    I sneakered the latest versions & definitions from work and found:
    Adaware-Clean
    Stinger- found and removed win32.spybot.gen.worm
    AVG-clean
    Spybotsd-found and removed huntbar variant (older definitions hadn't found it)

    I would like to install SP2 (CD arrived yesterday, thanks Bill!)
    but get the error can't find msconfig etc.

    I have a renamed version that works - msconfid.exe - but if I try to expand a clean version from the OEM CD, it seems to work but then the file disappears.
    If I try CMD>rename it seems to work, since both disappear and another attempt causes a duplicate file error.
    still no msconfig.exe though...

    Spybot is affected as well. All the files are there except the .exe...
    No Spybot listed in the start menu either.
    I have to run the installer to the end, run the update installers, check the run box, and finish, to start it.

    Whatever it is doesn't like Sysinternals "Process Explorer" either, as this disappears from CDs and floppies as well.

    Explorer crashes if I right click (or choose file/properties) on EXE files.
    This may be related or another context related issue (not winace...tried that).

    If there is some badware that someone recognizes as causing these symptoms, maybe a direct assault on that may help..
    All the same in safe and hazardous modes.
    Hijack auto checker came up fine.

    Any Advice would be appreciated.


    My Advice: "A little Knowledge can be very dangerous"
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you may have messed yourself up during the download of SP2 and that would be an issue best covered in the Software Forum. However if you want to check for malware, follow the steps below.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Gyniolatry

    Gyniolatry Private E-2

    Chaslang,
    I played around with a process manager and managed to make msconfig stay put - long enough for SP2 to install successfully.

    Not being able to do the recommended online scans, I tried a variety of different AV and Trojan scanners/removers and found that my hxdefdrv.sys was infected with a BDS/hacdef.
    Now MSconfig & spybot (and hijack logs) are no longer hidden.

    I'm not convinced it has been removed entirely, as I still have these lines in my hijack log:

    O15 - Trusted IP range: 213.159.118.228
    O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)

    Having had a look around, this IP address is a result of hacdef.

    I'm looking at trying either a manual fix that I have seen or trying moosoft's cleaner (referred to in another post by majour security).

    Please Advise
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must not have more than one antivirus application installed. You currently have AVPersonal and Avast. Pick which one you want and uninstall the other.

    You have entered the below restrictions using a program like SpywareBlaster or similar:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    They may possibly block some of the changes you need to make. If the fixes do not work, you will have to remove these restrictions.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Windows System Uninstaller or HackerDefender100 ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Windows System Uninstaller

    If that does not work, try the short name: HackerDefender100

    Now exit HijackThis (or use the back button to get back to the scan screen).

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O15 - Trusted IP range: 213.159.118.228
    O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)

    After clicking Fix, exit HJT.
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
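
The leftovers flagged in this thread (an O23 service whose binary is missing, a bare IP in the Trusted zone, O9 entries pointing at a missing file) can be picked out of a saved HijackThis log mechanically. The script below is an added example, not part of the original posts or of HijackThis itself; the function name, the regexes and the last sample line are constructed for illustration, and the line format is inferred from the entries quoted above.

```python
import re

# Line shape inferred from the entries quoted in the thread:
# "O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]"
O23 = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<short>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O15_IP = re.compile(r"^O15 - Trusted IP range: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

# First four lines are quoted from the thread; the last is a constructed benign entry.
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - Trusted IP range: 213.159.118.228
O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)
O23 - Service: Example Update Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
"""

def review_hjt_log(text):
    """Return (identifier, reason) pairs for entries that deserve a manual look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        svc = O23.match(line)
        if svc:
            reasons = []
            if svc["owner"] == "Unknown owner":
                reasons.append("owner not identified")
            if svc["missing"]:
                reasons.append("service registered but binary missing")
            if reasons:
                # Report the short name: it is what the service is registered under.
                findings.append((svc["short"], "; ".join(reasons)))
        elif (ip := O15_IP.match(line)):
            findings.append((ip["ip"], "bare IP address in the Trusted zone"))
        elif line.endswith("(file missing)"):
            # Any other section (O9 here) whose target file no longer exists.
            findings.append((line.split(" - ", 1)[0], "entry points to a missing file"))
    return findings

if __name__ == "__main__":
    for ident, reason in review_hjt_log(SAMPLE_LOG):
        print(f"{ident}: {reason}")
```

A service entry that survives after its binary is gone, as here, means the registration still has to be deleted separately from the file cleanup.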
     
  5. Gyniolatry

    Gyniolatry Private E-2

    Chaslang,

    Looking good ;)

    All is working well

    my dial up connection even works now as well.

    Thanks for your help & the amazing speed of your replies
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

