
Setup program won't go away!

May 6, 2005 at 10:28:19
Specs: Win XP Pro SP1, 3.0GHz P4 HT, 512MB DDR

I'm trying to get rid of an installation program that keeps starting up every time I boot into Windows.

When this program comes up, it stops me from using Ctrl+Alt+Del and some important system applets (like regedit and stuff like that).

Any fix for this?




#1
May 6, 2005 at 10:31:14

Can you run a spyware scan? I wonder if you could have a trojan.


#2
May 6, 2005 at 10:55:19

I ran a spyware scan with Ad-Aware SE Personal Edition. I also have Spyware Blaster 3.3 installed on my computer. I also have Norton Internet Security, and ran its antivirus scan. I wasn't able to find any trojan, spyware or adware though...



#3
May 6, 2005 at 11:11:24

Does it launch when you start in safe mode?


#4
May 6, 2005 at 12:03:06

It didn't start in safe mode, but when I came back into Windows, it gave me a window saying that the installation program performed an illegal operation, and I was given the option of debugging it (I have Visual Studio), which I pressed, and found that the program was actually called msconfigs.exe. So, I looked for it on the computer and it was under Program Files/Msconfigs/. So, I moved it to another location. Now, the program doesn't come up anymore.

However, now, when I start "cmd" or "regedit" and some other programs from Windows/System32/, I get this error message:

C:\WINDOWS\System32\cmd.com
The NTVDM CPU has encountered an illegal instruction.
CS:00cf IP:0656 OP:fe b4 06 db 02 Choose 'Close' to terminate the application

What could that be (it only started after the first problem with the installer came up)?



#5
May 6, 2005 at 13:24:53

Can you uninstall and then reinstall Visual Studio?


#6
May 6, 2005 at 16:43:01

What I meant by referring to Visual Studio was that it gives you an "unassembly" (gives an assembly instruction code dump of what the program's doing) of the program that's having a hard time running - it wasn't the cause of the problem.


#7
May 9, 2005 at 00:46:03

Just got rid of the same problem... Go into C/windows/regedit, then search for configs.exe; it will find the registry keys for it. Delete those, then reboot and manually delete the main program; in mine it was under program files. I also had temp.zip that I had to do the same thing with; that was where the msconfigs came from. If you have that, get rid of it. I rebooted, then ctrl+alt+del worked again. Also may need to disable from start up in msconfig.exe. Make sure you only delete the one with s at the end.



#8
May 9, 2005 at 08:00:22

I just used system restore and it's gone!!!


#9
May 11, 2005 at 14:02:02

Just a quick note to thank "jen (by j4bs4209333)" for her post as it helped me to fix the error. However, after I removed all files from the setup.exe, I was still getting errors when trying to start Regedit or CMD from the run command. It took me 4 hours to fix this but it now works OK. Here is what I did - maybe it will work for you too.

- Make sure that you View all HIDDEN files in explorer (Folder options/view settings)

- See in C:\windows\system32 if you have the files cmd.com and regedit.com

- the original files from Windows are cmd.exe and regedit.exe not .com but I think that the old DOS priority executed the .com before the .exe and this is why you still get the error

- delete cmd.com and regedit.com files as they are not required

- make sure that you have the .exe files.

- if the cmd.exe and regedit.exe files are no longer in the windows\system32 directory then you will have to restore them from the CD - follow the instructions at the Microsoft support website:

http://support.microsoft.com/default.aspx?scid=kb;en-us;324767

Hope this helps,
jeff


Cheers!



#10
May 12, 2005 at 10:47:28

Hi Jeff,

Like others I had to remove msconfigs (still not sure what it does) and when I came across your reply I found out that like you I couldn't launch regedit. Your advice saved me time and gray hair, and by simply deleting regedit.com I was back in business.

Just a note - I use Win98 and I did find cmd.com although (apparently) there is no cmd.exe in Win98.

Thanks for your reply.



#11
May 12, 2005 at 16:31:51

Hey guys, I think you are experiencing the same problem as me. It seems to be a virus/trojan. The other file associated with it is p2pnetwork.exe that sits in c:\windows\system32. This file is a virus / trojan and is a nasty little one at that. I had to boot into safe mode, open regedit from explorer and search and delete any references to p2pnetwork.exe. That stopped the virus loading at boot time and re-enabled taskmanager. However, it still looks for cmd.com and regedit.com instead of .exe. Also, I can't see the p2pnetwork or .com files in the system32 folder even if explorer is set to display hidden/sys files. The only way I found to delete these files was to boot into Linux and use Captive to access the NTFS partition.

Linux saves the day :)

good luck
Mike



#12
boardtc May 12, 2005 at 17:10:27

Good to read, thanks.
also
http://www.geekstogo.com/forum/Hijack_This_LogHelp_-t21535.html
was extremely useful

well worth installing the evido suite mentioned at the above link, it found 14 infected files, including malwares bt.exe, bin02nwv.exe, nsd39.dll, nsw3e.dll, worm.alcan.a, backdoor.robt.d & temp.zip for me. 7 of them gave errors during cleaning for Worm.Alcan.a / Backdoor.Rbot.pd /Spyware.Sahat.o / pyware.Beginto.c

this trashed trillian for me too...

cleanup is ongoing....



#13
boardtc May 12, 2005 at 17:19:51

Mike, your mention of Linux triggered an idea. I ran c:\windows\system32\cmd.exe and did a dir /a:sh regedit.*. This found regedit.com. I then did a del /a:sh regedit.com. The same worked for cmd.com :-)

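The check described in posts #9 and #13, as an added example that is not part of the original thread: with the default Windows extension search order, a bare name such as `cmd` resolves to `cmd.com` before `cmd.exe`, so this script lists every name in a directory where a `.com` file wins. The function name `find_shadowing`, the `WATCHED` list (taken from the file names mentioned in this thread) and the constructed sample directory are assumptions; point it at `system32` or at a mounted copy of the partition.

```python
import os
import tempfile

# Default extension search order on Windows: .COM is tried before .EXE.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]
# Tool names reported as shadowed in this thread (assumed watch list).
WATCHED = {"cmd", "regedit", "netstat", "ping"}


def find_shadowing(directory, pathext=PATHEXT, watched=WATCHED):
    """Return findings for bare names that resolve to a file other than the .exe."""
    by_stem = {}
    # os.scandir also lists hidden and system files, unlike Explorer's default view.
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name.lower())
        if ext in pathext:
            by_stem.setdefault(stem, {})[ext] = entry
    findings = []
    for stem, exts in sorted(by_stem.items()):
        winner = min(exts, key=pathext.index)  # extension that runs first
        if winner == ".exe":
            continue
        # Flag a .com beside a same-named .exe, or a .com using a watched name.
        if ".exe" in exts or stem in watched:
            st = exts[winner].stat()
            attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
            findings.append({
                "name": stem,
                "runs": exts[winner].name,
                "shadows_exe": ".exe" in exts,
                "hidden_or_system": bool(attrs & 0x6),  # HIDDEN=0x2, SYSTEM=0x4
                "size": st.st_size,
            })
    return findings


def demo():
    """Constructed sample directory standing in for system32."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("cmd.exe", "cmd.com", "regedit.exe", "regedit.com",
                     "ping.com", "more.com", "notepad.exe"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed sample")
        return find_shadowing(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A `.com` file with no `.exe` twin and no watched name, such as `more.com`, is not flagged, because Windows ships a number of legitimate `.com` tools.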

#14
May 16, 2005 at 03:32:04

This time, it was a case of msconfigs.exe. So, I removed it and the setup program disappeared.


#15
May 25, 2005 at 07:52:38

Hello, all. I too was infected with this trojan. It really SUCKED to get rid of. But don't let that deter you. I booted in safe mode (WIN XP PRO SP2) and edited the registry. Search for msconfigs first, and delete the keys (I only found one, but there may be more). Then, search for p2pnetwork and delete all keys with that string. Then, search for temp.zip. You may find it or not, I just thought it would be a good idea. Delete those if you find them. Then, go to C:\WINDOWS\system32, and delete p2pnetwork.exe. Then, go to C:\ProgramFiles and delete the msconfigs directory, with everything in it. Then, go to C:\ and delete temp.zip. Reboot and you should be golden. Hope this helps someone out there. I had a hell of a time figuring it out. Of course, you could buy a Mac and.......oh well. Windows still does a lot of things better. It's worth it.


#16
June 4, 2005 at 07:47:46

Hi guys--I've done this all and still no dice. Was on with Microsoft support and they are dumbfounded. It's definitely a virus of some sort. I can't seem to even locate a great deal of the files you all mentioned to delete. I have Adaware and Microsoft anti-spyware and they killed a great deal of malware but it keeps regenerating itself when I boot up. I get the MS-DOS error messages which are annoying the hell out of me! Been working on this for over 5 hours now. I have Windows XP Home Edition Service Pack 2.0




#17
June 11, 2005 at 07:34:30

Hey there everybody!

I got infected with the exact same thing... regedit didn't work, Ctrl+Alt+Del didn't work etc... I hadn't updated my Norton AntiVirus definitions since November 2004, when my subscription expired, but now I did and the virus was removed...

It is called W32.Alcra.A. You can find more info about this crap at


http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html


I (apparently) got it this morning when I downloaded a NoCD crack using Morpheus, when I got a zip file containing the Setup file, which I ran. That's how it all started.


I encourage you all to READ THE ABOVE PAGE and REMOVE THE VIRUS! These things are no pleasure to have, I'm sure as hell glad to be rid of it... Hope this helps y'all, just thought I'd share my knowledge...



#18
June 12, 2005 at 00:52:52

Hi All,
I think this is a new virus which has reared its ugly head. I recently got either about 12:45 this morning and have been working on it all night (morning), it's now 08:37 and is proving a pain to remove. I'm following your guides and guides from other websites and am trying to clean everything up. I believe I got it from trying to download a CD crack from LimeWire. I recommend (as I have a laptop) that you back up and clean everything monthly. I have my laptop divided into two drives, C for programs, and D for files (and Visual Studio beta 2.0). I also have an external 40GB hard drive (really slim, small and portable by Freecom) which I back all my files up on and use as a device to transfer my files between computers. I run antivirus on all drives, defragment all drives, back up the system registry, take screenshots of all my installed programs and layout of my laptop, run diskcleanup, restart and then make a system restore. I advise this so that if the worst comes to the worst you have a backup of all your files, you know what you had installed on the computer, you have a backup of the registry if you need to edit it and something goes wrong, plus it keeps your PC/laptop clean and organised. But back to the problem, I couldn't delete the file as it keeps/kept saying other programs were using it so I had to end the process "explorer.exe" in Task Manager, then run "cmd.exe", delete the directory, and then run "explorer.exe" again. I managed to delete the file but I think I have other files related to it and/or running from it which shouldn't be there.



#19
June 12, 2005 at 09:54:00

Yeah, when I (supposedly) removed it with Norton AntiVirus (not sure I completely succeeded), it found roughly 380 different files associated with the above virus (W32.Alcra.A). It seems though that the files have stopped "respawning", which according to me is a pretty good sign.

But I agree completely with you, Ashley, on the matter that one should backup one's documents regularly. I also use a laptop but it only has one drive, C, which makes backing files up a little harder when you can't move them to another drive.

Anecdote: I yesterday spoke to my brother about computer viruses, and he had heard about some new viruses that encrypt every single file in the users' My Documents-directory. These will not be possible to open without the correct encryption/decryption key... After the files have been encrypted, the user gets an email stating that, in exchange for some money (like $200), he/she will receive the key to restore the files to usable shape.

What do we learn from this? Get an antivirus program and keep it updated. I didn't and I sure regret it now.



#20
June 16, 2005 at 06:57:46

Hiya all again...

About the p2pnetwork.exe-file mentioned by guitarlord72, it's heavily associated with the ALCAN.A worm... check this out:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALCAN.A



#21
June 21, 2005 at 17:18:36

We had this same issue but the virus didn't run because Panda Anti Virus caught it, they were the first to catch it and they are always the first to catch new viruses because of their patented technology (True Prevent). Download an eval copy from Pandasoftware.com and scan the computer. Make sure to go through all the options in the program and select all options. Norton, McAfee, PcCillin, and AVG can't touch Panda!!!!!!!!!!!!!!!!!!!!



#22
June 22, 2005 at 20:30:24

This was a great thread. Kept me up all night trying each and every scenario yet every time I reboot, I get the cmd.com, regedit.com, netstat.com, ping.com etc. in my system32 folder. Simply deleting these files tends to get me a few steps forward until the reboot.

I have been through the registry, used hijack this, killbox, Stinger by Avert and several other recommended fixes.

There just must be more to this worm and we have all experienced a little bit of it.



#23
June 22, 2005 at 21:27:59

I stayed up pondering for a few more hours tonight and found that my worm was "rebirthing" on startup from C:\program files\winupdates.

I deleted this folder, scrubbed the registry for winupdates and restarted several times.

All functions normal, now if I can just get my system32 folder out of its current 'hidden' state...


Thanks to all, someone or something from this thread put me on the right track.



#24
June 25, 2005 at 15:05:43

I have this same worm (Alcar.a) and can't get rid of it. It's a variant of the spybot worm. When I run Adaware it picks it up and cleans some of the files out but it comes back at startup. Also have Norton SystemWorks 2005 which did not pick it up and still won't. Everything is hidden. After I run Adaware I can access regedit and msconfig but still no task manager. After Adaware I can also delete the registry entry with msconfig.exe in it but it also comes back on reboot. I looked for a winupdates folder in programs and haven't found any such folder on my system. I've also tried Killbox. I'm going to try downloading the Panda antivirus and see if that works. But I'm at my wits' end! This is a nasty little SOB worm!!



#25
June 26, 2005 at 12:43:24

Tammie: I agree it is nasty and has quite a few variants. It took me countless hours to get to some type of normalcy. I tried Malware bouncer from Emco and it helped.
