Comment:
I am pretty sure I have a variation of the W32.Spybot.Worm that infects the task manager and other system tools such as msconfig and regedit, causing them to close automatically. I have all of the same symptoms of this worm (I hit ctrl, alt, delete and it closes by itself no matter what) but Norton DOES NOT detect any viruses. I have done a full system scan twice in safe mode with Norton 2003 completely updated with the latest definitions, and it does not detect anything.
When I looked further into the issue, I noticed when I took a screenshot of my task manager, it shows an odd EXE running called "msconfig35.exe". I also did a search for this file, and found it in the windows prefetch folder and deleted it, but my problems still continue whenever I come out of safe mode and reboot into windows.
I have followed the instructions that were posted on this message board and deleted the registry keys that it instructed but the problem still persists. I have already been to the Symantec removal instruction page for the W32.Spybot.Worm but seeing as Norton cannot find the infection, it doesn't help me.
Does anyone have any information on a possible variation to this infection, and what I can do to get rid of it?
I would appreciate ANY help right now.
+1 | ![]() |
Something to try.
For Non-Users of Trend Micro Products please download the Trend Micro System Cleaner Package.
+1 | ![]() |
I tried the Microtrend program and it found 3 viruses but didn't give me the option to clean them..
Can anyone else help me out?
+1 | ![]() |
"I would appreciate ANY help right now."
"Can anyone else help me out?"
Sorry I wasted my time on your Kazaa related problem.
+1 | ![]() |
W32.Spybot.Worm automatically stops task manager and regedit. Use Process Explorer to stop the program but it can have other names besides msconfig35.exe.
Get Process Explorer here:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Once you reboot it puts everything back into place. Still tracking it down.
+1 | ![]() |
I found this site via googling "msconfig25.exe". I have SpyBot and can't seem to delete or affect that file. Regedit flashes and closes, task manager flashes and closes. Norton can find the infected file but can't affect it. Found this worm AFTER I removed msblast (can't finish that fix because I can't edit the registry etc.) Can't get XP to start in Safe mode. Wit's end. Hey, it helps even to read that someone has the same SYMPTOMS. All advice welcome. I do not use Kazaa or any other file-sharing app EXCEPT I do run ICQ.
Today I would rather like to get my itchin pacifist hands around a worm-writer's..ummm...neck.
Thanks in advance -
+1 | ![]() |
I have the exact same problem ... fortunately it was on a honey-pot. I cannot help your problem right now ... but am working on a fix. I have the guy tracked by doing nslookup -a ... have 3 of his four addresses, his email address, and am working on the rest.
I will let you know what I figure out tomorrow.
Sorry I couldn't be more help ...
+1 | ![]() |
Download the program HijackThis from http://www.tomcoyote.org/hjt/ then scan and save the log, then post your logfile here.
At the very least you should be able to fix the start-up entry msconfigXX.exe and then delete the .exe file after reboot.
+1 | ![]() |
Here's what worked for me so far:
As Paul Smolens said, Process Explorer here:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Run it, find the msconfig35.exe and kill the process.
Now you can run regedit and get rid of the call to msconfig35.exe.
You can also delete the file under windows/system32/msconfig35.exe.
I rebooted and see no signs of Spybot now.
+1 | ![]() |
OS= Win XP Pro
I am having the same problem and read this thread which I found by searching on "msconfig35.exe".
I followed KMcCall's instructions to the letter:
1) Downloaded process explorer
2) Killed the msconfig35.exe process
3) opened regedit, searched for and found a reference to msconfig35.exe...deleted it;
4) Went into windows/system32, searched for and found the msconfig35.exe file...deleted it
BUT when I rebooted msconfig35.exe was alive and well in my startup file.
any thoughts? Thanks!
+1 | ![]() |
Make sure when you open regedit that you go to the edit tab and search for MSCONFIG35 or MSCONFIG45 depending on your problem. Don't add the .exe extension.
There is more than one registry entry for this. After you find the first one and delete it, go back to the "edit" tab and hit "find next". It will search for it again, and believe me, it will find another and another. Continue to do this until you get a message that it has searched the registry but couldn't find it. Make sure you start your search in "My Computer" each time, to make sure you are searching the entire registry and not just a folder.
Don't forget to delete it in your Windows/System32 folder.
That should handle it.
In Reason,
+1 | ![]() |
When I search "My Computer" with regedit, should I delete all files that come up or just the ones that contain msconfig?
+1 | ![]() |
This is a nasty one. Last night, after FINALLY ridding myself of all msconfig35's in system32, msconfig and regedit, new "gibberish" exe's took over after Restart. I have put a copy of taskmgr.exe on my XP desktop and changed the name (to task.exe) so at least I can immediately run it and stop the *&%^% virus or whatever it is. Gave up and went to bed. This morning, msconfig35.exe was back.....
+1 | ![]() |
Yesterday after removing mblast.exe with fixblast.exe from symantec, I started noticing the task manager disappearing problem.
I then fixed this problem with the above advice. I used what I like to call the "quick fingers" solution described by crimperx on this discussion board: http://forums.techguy.org/t141389/sab1c8d31f55e7d8d16c7a18bb25f1ce0.html
You have to hit CTRL_ALT_DEL, right click MSCONFIG35.exe, select END PROCESS, and hit enter, in less than 1 second. If it works, task manager will stay up and msconfig35.exe will be gone. Then I searched and deleted msconfig35 with regedit, and searched HD C: and deleted it.
So far, after rebooting everything still seems fine. I like the task.exe on the desktop solution too. But you have to keep your fingers in shape somehow!
One last bit that might help is to make sure you have gotten the windows security update to protect from getting reinfected once you do the above solutions.
+1 | ![]() |
If you rename the files msconfig.exe, taskmgr.exe, regedit.exe to something else, such as task.exe, you will be able to run the programs.
Go to windows(winnt)\system32 folder. Make sure you have show all files and show system files enabled in your folder view options.
You can either sort by type (application) or by size (24k) and find the problem files. The msconfig35.exe is marked as hidden (most times). You may also find some bogus named files xxxyyqqaaa.exe that are 24k and marked as hidden. You will need to delete all of these. If you don't feel comfortable doing this move them out of the system32 folder into a different one until you feel it is safe to delete them.
After you renamed taskmgr.exe to something different run this and kill the msconfig35.exe process. Rename regedit.exe and run that, go to hkey_local_machine/software/microsoft/windows/currentversion/run and delete the key that loads msconfig35.exe.
Now, you've gotten rid of the darn thing for at least a few minutes. I've had the problem of my XP machine not booting once in a while and then reverting back to the old config with this running. I've submitted copies of the files to all the virus labs and have yet to have a response.
Good luck and let me know if you find anything else.
J
+1 | ![]() |
I had the same problems as above, but have found one extra step. There is a file in C:\documents and settings\all users\start menu\programs\start up\webdav.exe. This is the file that reloads msconfig35.exe into your system every time you restart. After removing this file and cleaning the registry of msconfig35 and deleting the file from system32, I am finally able to boot up normally without msconfig35 coming back. I hope this helps someone.
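
Added example (not part of any post in this thread): a read-only PowerShell audit of the persistence points the posts above name, namely the Run key values, the startup folders where webdav.exe was found, and hidden executables of about 24 KB in System32. It assumes PowerShell 3.0 or later; the RunOnce and HKCU checks and the 23 to 25 KB size window are assumptions that go beyond what the posts state.

```powershell
# Added example: lists candidates only, deletes nothing.
# File names come from the posts (msconfigNN.exe, webdav.exe); other variants may differ.
$namePattern = '(^|[\\"\s])(msconfig\d+|webdav)\.exe'
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Autorun values. The thread names HKLM ...\CurrentVersion\Run;
#    RunOnce and HKCU are checked too (assumption, not from the posts).
$autoruns = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($leaf in 'Run', 'RunOnce') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$leaf"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # skip provider metadata
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Target  = [string]$p.Value
                Suspect = ([string]$p.Value -match $namePattern)
            }
        }
    }
}

# 2. Startup folders (all users and current user), where one poster found webdav.exe.
$startup = foreach ($f in 'CommonStartup', 'Startup') {
    $dir = [Environment]::GetFolderPath($f)
    if ($dir -and (Test-Path $dir)) {
        Get-ChildItem -Path $dir -Force |
            Where-Object { -not $_.PSIsContainer } |
            Select-Object FullName, Length, LastWriteTime
    }
}

# 3. System32: executables matching the names above, or hidden and roughly 24 KB.
$sys32 = Join-Path $env:SystemRoot 'System32'
$hiddenExe = Get-ChildItem -Path $sys32 -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -match $namePattern -or
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -and
         $_.Length -ge 23KB -and $_.Length -le 25KB)
    } |
    Select-Object FullName, Length, Attributes, LastWriteTime

'--- Autorun values ---';        $autoruns  | Format-Table -AutoSize -Wrap
'--- Startup folder items ---';  $startup   | Format-Table -AutoSize -Wrap
'--- System32 candidates ---';   $hiddenExe | Format-Table -AutoSize -Wrap
```

Reviewing all three lists together matters because, as the posts report, clearing only the registry value or only the System32 file lets the remaining piece restore the others at the next reboot.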
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.