CWS.msconfig[RESOLVED]


#1 Wafna (Member, 54 posts)
I've run the Trend HouseCall scanner on the system, found 8 items which it removed, ran an Ad-Aware scan which came up clean except for the negligible results.

CWshredder found CWS.msconfig on my system, and hasn't been doing anything about it.

Spybot Search & Destroy found about 13 items, but in the process of creating a system restore point, it stopped responding. (Something called 'program 1' had started, which might be related to the MSN Messenger issues, which are described below.) After a second scan using Spybot, it again found the 13 items (listed are titles and number of entries: 1 SearchMiracle, 1 Alexa Related, 3 DyFuCA, 1 Hellz Little Spy, 1 ISearchTech.PowerScan, 3 ISearchTech.SideFind, 2 Targetsaver, and 1 WebRebates.TopRebates); again it stopped responding, though with no new processes.

I've had several problems over the last couple of weeks, primarily a bit of malware that pops up fake messenger warnings about vital/imminent crashes that will result in data loss, click here to DL this program for a free scan. (Which scans, finds a couple of viruses, but then asks you to pay $70 to register and remove them... sounds like a scam to me.) Checking the processes when a popup arrives shows it has attached itself to csrss.exe.

The other, recently arrived problem came after another user on this computer clicked a link through MSN messenger, which then replicated itself to other contacts. I've seen stuff like that before where it deletes itself after replicating, but this one has stayed active and re-sends any time any user opens messenger. (so I'm not gonna open it again until this is all fixed.) "program1" seems to be running attached to msn.exe, I think I've read in other threads that it could be related to the messenger problems.

Hijackthis Logfile as follows...

Logfile of HijackThis v1.99.1
Scan saved at 1:34:45 PM, on 10/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\System32\system.exe
C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
C:\Program Files\Plaxo\2.2.4.1\InstallStub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CompleteCache
O4 - HKCU\..\Run: [Scheduled Maintenance] C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
O4 - HKCU\..\Run: [Erase History at StartUp] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CleanHistory
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.4.1\InstallStub.exe -a
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.hotmail.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ImageUploader - http://www.zorpia.co...ageUploader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103159682203
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.249...hm::/update.exe
O21 - SSODL: SecurityUpdate - {D68307F9-0258-4462-89C4-61083204E5B3} - C:\WINDOWS\System32\kbdltr10.exe
O21 - SSODL: IntegrityChecker - {D1F01D31-476D-4CE3-B17C-E4971C45396A} - C:\WINDOWS\System32\webhdcom.nls
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Speed Disk service - Sony Corporation - (no file)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe


Thanks for the help already provided by the site!


#2 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Windows] system.exe

O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe

O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.249...hm::/update.exe
O21 - SSODL: SecurityUpdate - {D68307F9-0258-4462-89C4-61083204E5B3} - C:\WINDOWS\System32\kbdltr10.exe

Reboot into safe mode and delete:
C:\WINDOWS\System32\system.exe

Post back with a new log when you are done.

Regards,
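A small triage script for this kind of log, added here as an example (it is not the thread's own code and not part of HijackThis): it parses O4 and O16 lines like the ones flagged above and reports the traits that make them stand out, namely a Run entry that is a bare filename with no path, a name one typo away from a real system binary such as csrss.exe, and an ActiveX download served over ms-its: or from a raw IP address. The sample lines are copied from the log in this thread; the system-binary list and the similarity threshold are my assumptions.

```python
import re
from difflib import get_close_matches

# Constructed sample: a few entries copied from the log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [VetTray] C:\\Vet\\VetTray.exe
O4 - HKLM\\..\\Run: [Windows] system.exe
O4 - HKLM\\..\\RunServices: [Windows] system.exe
O4 - HKCU\\..\\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\\..\\RunServices: [start uploading] crsss.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103159682203
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\\MAIN.MHT!http://69.50.163.249...hm::/update.exe
"""
# Real Windows system binaries whose names malware likes to imitate (assumed list).
SYSTEM_NAMES = ["csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "explorer.exe"]
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: .*? - (?P<url>\S+)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def check_line(line):
    """Return the reasons a single HijackThis line deserves a closer look."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        # Image path is everything up to the first whitespace after ".exe"; drop quotes.
        cmd = m.group("cmd").replace('"', "")
        exe = re.split(r"(?<=\.exe)\s", cmd, maxsplit=1, flags=re.I)[0]
        base = exe.rsplit("\\", 1)[-1].lower()
        if "\\" not in exe:
            reasons.append("bare filename with no path: run from wherever PATH finds it")
        if base not in SYSTEM_NAMES and get_close_matches(base, SYSTEM_NAMES, n=1, cutoff=0.8):
            reasons.append(f"{base} looks like a misspelling of a Windows system binary")
        return reasons
    m = O16_RE.match(line)
    if m:
        url = m.group("url").lower()
        if url.startswith("ms-its:"):
            reasons.append("ms-its: handler loading a remote CHM/MHT file")
        if IP_RE.search(url):
            reasons.append("download URL uses a raw IP address instead of a hostname")
    return reasons

def triage(log_text):
    """Map each suspicious line to its reasons; lines with no findings are omitted."""
    return {ln: r for ln in log_text.splitlines() if (r := check_line(ln))}

if __name__ == "__main__":
    for ln, reasons in triage(SAMPLE_LOG).items():
        print(ln, "\n   ->", "; ".join(reasons))
```

Run against the sample, it reports the two system.exe entries, mssupdate.exe, crsss.exe and the ms-its: download, and stays quiet on VetTray and the Windows Update control.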

#3 Wafna (Topic Starter)
Hum. Looked for those items, didn't see them. New logfile as follows.

<edit>spotted a couple of them on a second look through the new one... will post in about ten minutes when I've followed the rest of the directions. </edit>

Logfile of HijackThis v1.99.1
Scan saved at 11:34:27 PM, on 26/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
C:\Program Files\Plaxo\2.2.4.1\InstallStub.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris\Desktop\virus&adware scanners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CompleteCache
O4 - HKCU\..\Run: [Scheduled Maintenance] C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
O4 - HKCU\..\Run: [Erase History at StartUp] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CleanHistory
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.4.1\InstallStub.exe -a
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.hotmail.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ImageUploader - http://www.zorpia.co...ageUploader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103159682203
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.249...hm::/update.exe
O21 - SSODL: SecurityUpdate - {D68307F9-0258-4462-89C4-61083204E5B3} - C:\WINDOWS\System32\kbdltr10.exe
O21 - SSODL: IntegrityChecker - {D1F01D31-476D-4CE3-B17C-E4971C45396A} - C:\WINDOWS\System32\webhdcom.nls
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Speed Disk service - Sony Corporation - (no file)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

Edited by Wafna, 26 May 2005 - 09:38 AM.


#4 Wafna (Topic Starter)
Couldn't find system.exe in windows/system32/, and all hidden files should be shown. New logfile as follows.



Logfile of HijackThis v1.99.1
Scan saved at 11:50:10 PM, on 26/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Documents and Settings\Chris\Desktop\virus&adware scanners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CompleteCache
O4 - HKCU\..\Run: [Scheduled Maintenance] C:\Program Files\iolo\System Mechanic\Scheduled_Maintenance.exe
O4 - HKCU\..\Run: [Erase History at StartUp] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CleanHistory
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.4.1\InstallStub.exe -a
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.hotmail.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ImageUploader - http://www.zorpia.co...ageUploader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103159682203
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O21 - SSODL: IntegrityChecker - {D1F01D31-476D-4CE3-B17C-E4971C45396A} - C:\WINDOWS\System32\webhdcom.nls
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Speed Disk service - Sony Corporation - (no file)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe


Thanks again for your help, Metallica.

#5 Metallica (Spyware Veteran, GeekU Moderator)
That last log looks clean to me. :tazz:

Is your computer behaving now?

Regards,

#6 Wafna (Topic Starter)
Yeah, it was behaving before, but I wanted that all-clear from one of you folks. :tazz:

Thanks for all the help, both in the 'do this before bothering us' segment and here in thread.

I think we can set this one to resolved. Muchas gracias.

Yours In Service,
Wafna

Edited by Wafna, 26 May 2005 - 08:27 PM.


#7 Metallica (Spyware Veteran, GeekU Moderator)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

Please have a look at my site for some tips on how to remove and prevent spyware.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Regards,