
Topic: SpyBot Registry Warning Flag - keeps popping up (page 1 of 2)
Chip Fossa (Monson, MA, USA), posted 8 Jun 2006 12:31 pm

I recently installed MSN Messenger, and true to form I guess, I'm now getting a Can't-Figure-This-One-Out flag alert from Spybot.

Here's what it says: Spybot - Search & Destroy has detected an important registry entry that has been changed.

Category: System Startup global entry

Change: value deleted

Entry: msconfig

Old Data:C:\WINDOWS\PCHealth\HelpCTR\Binaries

(and there is more, but the flag size has cut it off)

New Data: greyed out/nothing listed

Wiz, Jack, anybody, can you help me with this one? Oh yeah - also, in the lower task bar is a SB icon with a padlock on it over a blue and white square and says Spybot-SD Resident
[and a number of things blacklisted].

Thanks all, again. You still

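The alert quoted above comes from a resident registry watcher reporting a change to a value under a startup ("Run") key, which is what its "System Startup global entry" category means. The Python below is an added example for this thread, not Spybot code: it parses two .reg exports of the HKLM Run key and reports every added, deleted or changed value in the layout of the alert. Both exports are constructed for the demonstration. The "MSConfig" value is the entry Windows XP's msconfig.exe registers for itself while "selective startup" is selected; the alert in the post cut its data off after ...\Binaries, so the full command line, like the msnmsgr entry, is an assumption.

```python
"""Diff two .reg exports of a Windows startup ("Run") key and report each
change in the layout a resident registry watcher uses.

Added example for this thread, not Spybot code.  Both exports below are
constructed for the demonstration."""
import re
from typing import Dict, List, Optional, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Snapshot before the change.  The MSConfig value is the entry Windows XP's
# msconfig.exe registers for itself while "selective startup" is selected;
# the alert in the post cut its data off after ...\Binaries, so the full
# command line is an assumption.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCTR\\Binaries\\MSConfig.exe /auto"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
'''

# Snapshot after: msconfig put back to "normal startup" (its own value is
# gone) and a freshly installed messenger client has registered itself
# (assumed entry, named after the MSNMSGR item in the HiJackFree list).
AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
'''

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data

Change = Tuple[str, str, Optional[str], Optional[str]]    # kind, name, old, new


def _unescape(text: str) -> str:
    # .reg files double backslashes and escape quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lower-cased): {value name: data}}.

    String data is unescaped; hex:/dword: data is kept verbatim.  Key paths
    are lower-cased because the registry treats them case-insensitively."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        key_match = _KEY_LINE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_LINE.match(line)
        if value_match and current is not None:
            data = value_match.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][_unescape(value_match.group(1))] = data
    return keys


def diff_startup(before: Dict[str, Dict[str, str]],
                 after: Dict[str, Dict[str, str]],
                 key: str = RUN_KEY) -> List[Change]:
    """List every value added, deleted or changed under `key`.

    Value names are compared case-insensitively (the alert in the thread
    shows the entry as "msconfig"); the original spelling is reported."""
    old = {n.lower(): (n, d) for n, d in before.get(key.lower(), {}).items()}
    new = {n.lower(): (n, d) for n, d in after.get(key.lower(), {}).items()}
    changes: List[Change] = []
    for k in sorted(set(old) | set(new)):
        if k not in new:
            changes.append(("value deleted", old[k][0], old[k][1], None))
        elif k not in old:
            changes.append(("value added", new[k][0], None, new[k][1]))
        elif old[k][1] != new[k][1]:
            changes.append(("value changed", new[k][0], old[k][1], new[k][1]))
    return changes


def format_alert(change: Change) -> str:
    """Render one change in the layout of the alert quoted in the thread."""
    kind, name, old, new = change
    return "\n".join([
        "Category: System Startup global entry",
        f"Change: {kind}",
        f"Entry: {name}",
        f"Old Data: {old or ''}",
        f"New Data: {new or ''}",
    ])


if __name__ == "__main__":
    for change in diff_startup(parse_reg_export(BEFORE), parse_reg_export(AFTER)):
        print(format_alert(change), end="\n\n")
```

On a real machine the two inputs are exports of the same key taken at different times (reg.exe's `reg export` of HKLM\Software\Microsoft\Windows\CurrentVersion\Run, or regedit's Export; the "Version 5.00" format is written as UTF-16, so open the file with that encoding). Running the same diff over the HKCU Run key and the RunOnce keys covers the per-user and one-shot startup entries, which is where a watcher would also look.
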
Wiz Feinberg (Mid-Michigan, USA), posted 8 Jun 2006 8:44 pm

It sounds like some evil program has invaded your 'puter and deleted your MsConfig.exe file from the path and directory you specified. Without MsConfig you would have to manually edit startup items in the Windows Registry. There are many hostile programs that delete protective software and Windows utilities. You need to scan for viruses and spyware immediately.

Visit my blog (see link in signature) and look on the right sidebar for links to additional anti-spyware programs. Also, search that path to see if the file is really gone from there. Update Spybot with the latest definitions and scan again.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices

[This message was edited by Wiz Feinberg on 08 June 2006 at 09:47 PM.]

Chip Fossa (Monson, MA, USA), posted 9 Jun 2006 5:14 am

Hi Wiz,

I did a thorough virus scan yesterday with AVAST and nothing came up. I also ran SB a few days ago with their upgrade and a couple things were found, 'immunized' & 'fixed'.

I'll run SB again, now.

Chip Fossa (Monson, MA, USA), posted 9 Jun 2006 5:53 am

Just ran SB and there were no new updates, but one problem was found: ValueClick (Internet Explorer: Owner) Internet Explorer (Owner): Cookie: owner@valueclick.com\()

Wiz - couldn't find any additional spyware programs on your site. I have ADAWARE and SPYWARE BLASTER, all updated.

Even if I was to put on another spyware program, what's to say this one would correct this problem? It's like taking a shot in the dark, isn't it?

Wiz Feinberg (Mid-Michigan, USA), posted 9 Jun 2006 6:51 am

Chip said;
quote: couldn't find any additional spyware programs on your site.

Chip;
If you visit my blog and look at the links on the right side, starting at the top of the sidebar, you will see green headings, starting with SEARCH, then Google adlinks, then "Categories," with links to "Wizcrafts main pages," then "Anti-Spyware websites" links, followed by "Spyware Removal Forums."

BTW: did you search your hard drive for msconfig.exe? If it is missing something removed it from your system. As a test to prove this go to Start > Run and type MSCONFIG into the input field and press Enter. If the Msconfig utility opens it was a false alarm. Otherwise, you have an invader, or worse, a rootkit hiding at the Kernel level of your OS.

[This message was edited by Wiz Feinberg on 09 June 2006 at 07:54 AM.]

Chip Fossa (Monson, MA, USA), posted 9 Jun 2006 8:47 am

Wiz,

MSCONFIG opens but somehow in GENERAL the 'selective' startup mode was checked, and the PC advised me to check off 'normal', which I did.

Another flag popped up with the title:
SYSTEM SETTINGS PROTECTOR

Error Signature
szAppName: TeaTimer.exe szAppVer: 1.4.0.2
szModName: hungapp szModVer: 0.0.0.0
offset: 00000000

I'll give your Blog site a visit; thanks for clearing that up.

Chipper

[This message was edited by CHIP FOSSA on 09 June 2006 at 09:48 AM.]

Chip Fossa (Monson, MA, USA), posted 9 Jun 2006 9:46 am

Hi Wiz,
I just ran TrendMicro 'Housecall' and it found
6 infected files and 38 HTTP cookies.

After I clicked on "clean", Trend said it could not clean 3 of the files and directed me to another page as to what to do - quarantine, but didn't say how to do it. So when I tried to get back to the 3 infected files page, it disappeared.

I wrote the files down, initially:
BHO_SE.18212 ADW_SE.73586 ADW_SE.73762
ADW_SE.87836 ADW_SE.131223 PAR_SE.91609

Wiz Feinberg (Mid-Michigan, USA), posted 9 Jun 2006 10:11 am

Chip;
Download the following, check for any updates, then run or scan for problems. Report the findings and/or results.

CWShredder

Ad-Aware Personal

A-squared HiJackFree

A-squared Trojan remover

Download this but don't run it yet: HijackThis





Chip Fossa (Monson, MA, USA), posted 9 Jun 2006 12:36 pm

OK Wiz, here are the results:

ADAWARE: 16 negligible objects [MRU list]
4 critical objects:
cookie wner@2o7.net
cookie wner@trafficmp.c
cookie wner@steelguitar
cookie wner@ads.pointrol
I removed all but the steel forum one.

CWSHREDDER: Found the following (1) variant:
1. CWS, MSConfig
Didn't do anything

HIJACKFREE: this program showed a lot of problems; worms and trojans all over the place.
SunJava Update Schedule ^ good:2- bad:3
Requires Attention

CTHelper ^ good:2- bad:1 Requires Attention

QuickTime Task ^ good:3- bad:2 RA

MSConfig ^ good:2- bad:10 RA

MSNMSGR ^ good:1 bad:7 RA

1029TCP ^ good:1- bad:1 RA

1025UDP ^ good:1- bad:1 RA

csrss.exe ^ good:1- bad:2 RA
I 'viewed details' on some and saw a lot of red devil heads and the words 'trojan' and 'worm'.

A-SQUAREDFREE SETUP: 23 malicious objects were found and I removed them.

Chip Fossa (Monson, MA, USA), posted 9 Jun 2006 12:37 pm

That's interesting. I did not put those red faces in the 'result' reply. I have no idea how that happened.

Wiz Feinberg (Mid-Michigan, USA), posted 9 Jun 2006 1:29 pm

Chip;
Your Msconfig.exe has been hijacked and replaced by a CoolWebSearch parasite version, meant to prevent people from using Msconfig to remove spyware from starting up. I'm surprised that CWShredder didn't fix that. Did you select Scan Only, or Fix? If the former, re-run CWS using the FIX button, then report back.


Chip Fossa (Monson, MA, USA), posted 9 Jun 2006 3:46 pm

Yeah, I think I did run scan only. I'll run 'fix'. It was sorta misleading.

Chip Fossa (Monson, MA, USA), posted 9 Jun 2006 3:51 pm

Wiz,
That went quick. CWShredder said it removed the
CWS,MSConfig variant.

Wiz Feinberg (Mid-Michigan, USA), posted 9 Jun 2006 10:14 pm

Excellent!
I'll check back with you tomorrow afternoon to see how it's going. We'll run HiJack This tomorrow and analyze the results.

[This message was edited by Wiz Feinberg on 09 June 2006 at 11:14 PM.]

Chip Fossa (Monson, MA, USA), posted 10 Jun 2006 2:13 am

Hiya Wiz,
Well, this morning MSN messenger main page popped up, plus another "ad" page behind it. Yesterday I went into msngr OPTIONS and un-checked "MSNGR to open when logging onto Windows" (so it wouldn't pop up, but it did anyway). Probably another indication something isn't quite right.

And, again the same alert flag from Spybot popped up, plus MSConfig automatically popped up, as well as the warning flag connected with STARTUP (saying you've chosen to configure 'startup' a certain way).

Wiz, did downloading and using MSN Messenger cause this big mess? All this started just after MSNGR was installed. The bass player in my band suggested doing this, cuz his company frowns on him tying-up their email [or something to that effect]. Believe me, I reluctantly downloaded and installed it [and now I'm regretting this].

[This message was edited by CHIP FOSSA on 10 June 2006 at 03:21 AM.]

Dave Potter (Texas), posted 10 Jun 2006 4:56 am

PMJI here, Chip, but, in my opinion, it's coincidental. I'm not a fan of all those instant messenger/MS messenger type programs, but I don't think they would cause the kind of trouble you're having. Sounds more to me like something got past your anti-virus program or your firewall.

Really sorry to hear about this; you have a mess to fix, and sometimes, it's hard to get everything cleared up.

Your bass player needs to get his own email account like the rest of us.

Good luck.

[This message was edited by Dave Potter on 10 June 2006 at 05:59 AM.]

Jack Stoner (Kansas City, MO), posted 10 Jun 2006 5:12 am

And, if it's real bad the only real option is a "clean" reinstall - reformat the hard drive and reinstall everything. A hassle but sometimes needed.

Wiz Feinberg (Mid-Michigan, USA), posted 10 Jun 2006 5:52 am

Chip;
I doubt that this was caused by MSN Messenger - the program, if you downloaded it directly from Microsoft.com. However, if you downloaded it from somewhere else it may have contained a trojan horse program that is causing your troubles. Also, if you used Messenger and a Worm masquerading as your friend sent you a link to a hostile website, you may have acquired the parasites from that website. Or, someone is exploiting a flaw in MSN Messenger to infect computers when it launches. I don't use it myself.

I forgot to tell you to turn OFF System Restore, because viruses and spyware may be backed up in a Restore file, and restored after you reboot. To turn it off right click on My Computer, select the System Restore tab, and check the box labeled "Turn Off System Restore." Click Apply, then OK to close the properties box.

Apparently, your Msconfig hijacker has a Watcher running in the background, either as a Service, or as a Rootkit, which is how it came back after you removed it with CWShredder. Run that again using FIX, then immediately update Spybot, immunize, then scan for problems and remove them. Spybot may not be able to remove an active threat, and might ask for permission to run upon system restart. Allow this to happen and reboot.

Go get Windows Defender, install it, update it and do a full system scan. Have it remove all pests it finds.

After all these programs have done their thing, reboot and scan again with everything you've got. After all the scans are complete I may have you run Hijack This and post the log for analysis. There are specialized forums that have volunteers who analyze Hijack This logs and assist people in removing spyware, viruses and rootkits.

Reformatting is a last resort, but you might want to think about saving your data files to a CD.



[This message was edited by Wiz Feinberg on 10 June 2006 at 06:53 AM.]

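Before a Hijack This log goes to one of the analysis forums, its O4 (startup) and O23 (service) lines can be triaged automatically for the pattern this thread is chasing: a startup entry named like a Windows utility that runs from somewhere other than that utility's real location, a binary launched from a user-writable directory, or a core process name such as csrss.exe appearing as a Run entry at all (csrss.exe is started by the system itself, never from a Run key). The Python below is an added example, not Hijack This code and not anything the poster ran. The log excerpt is constructed; the Temp\msconfig.exe, Temp\csrss.exe and wuhelper entries are hypothetical; and the msconfig.exe location table assumes the Windows XP layout (C:\WINDOWS\PCHealth\HelpCTR\Binaries, the path in the alert that opened the thread). The rules are heuristics that point at lines worth a closer look, not a verdict.

```python
"""Triage the startup (O4) and service (O23) lines of a HijackThis-style log.

Added example, not HijackThis code.  The log excerpt is constructed; the
location table assumes the Windows XP layout."""
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    section: str   # "O4" (autostart value) or "O23" (service)
    source: str    # hive and key for O4, company name for O23
    name: str
    command: str


# Constructed log excerpt.  The Temp\msconfig.exe, Temp\csrss.exe and
# wuhelper entries are hypothetical illustrations, not findings from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCTR\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSConfig] C:\WINDOWS\Temp\msconfig.exe
O4 - HKCU\..\Run: [csrss] C:\Documents and Settings\user\Local Settings\Temp\csrss.exe
O23 - Service: avast! Antivirus (avast! Antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Update Helper (wuhelper) - Unknown owner - C:\WINDOWS\Temp\wuhelper.exe
"""

_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
_EXE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|$)', re.IGNORECASE)

# Directories an XP box runs legitimate autostarts from (lower-cased prefixes).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Path fragments that mean an ordinary user could have written the file.
WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\")
# Where Windows XP keeps utilities that hijackers like to impersonate (assumed).
XP_UTILITY_DIRS = {"msconfig.exe": "c:\\windows\\pchealth\\helpctr\\binaries\\"}
# Core processes started by the kernel/smss.exe, never from a Run key.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def parse_log(text: str) -> List[Entry]:
    """Pull O4 and O23 lines out of a log; other sections are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = _O4.match(line)
        if m:
            entries.append(Entry("O4", f"{m.group(1)}\\{m.group(2)}", m.group(3), m.group(4)))
            continue
        m = _O23.match(line)
        if m:
            entries.append(Entry("O23", m.group(2), m.group(1), m.group(3)))
    return entries


def executable_path(command: str) -> str:
    """Strip arguments: a quoted path, else everything up to the extension."""
    m = _EXE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def triage(entry: Entry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty = nothing)."""
    path = executable_path(entry.command).lower()
    base = path.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if entry.section == "O4" and base in CORE_PROCESSES:
        reasons.append("core Windows process name in a startup entry")
    if any(marker in path for marker in WRITABLE_MARKERS):
        reasons.append("runs from a user-writable location")
    elif not path.startswith(TRUSTED_PREFIXES):
        reasons.append("runs from outside Windows/Program Files")
    expected_dir = XP_UTILITY_DIRS.get(base)
    if expected_dir and not path.startswith(expected_dir):
        reasons.append(f"{base} outside its XP location {expected_dir}")
    return reasons


def flagged(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Entries with at least one triage reason, in log order."""
    hits = []
    for entry in entries:
        reasons = triage(entry)
        if reasons:
            hits.append((entry, reasons))
    return hits


if __name__ == "__main__":
    for entry, reasons in flagged(parse_log(SAMPLE_LOG)):
        print(f"{entry.section} {entry.source}: [{entry.name}] {entry.command}")
        for reason in reasons:
            print(f"    - {reason}")
```

A hit from this script still has to be confirmed on the machine: check that the file at the flagged path actually exists and what it is, compare a suspect msconfig.exe against the copy in the XP Binaries directory, and note whether the entry comes back after it is removed, which is the "watcher" case raised in the post above. Real logs still belong in a thread of their own on one of the forums listed, exactly as the post says.
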
Wiz Feinberg (Mid-Michigan, USA), posted 10 Jun 2006 6:12 am

Chip;
In the event you are not able to remove these parasites and infections with the help available here, you might want to visit one of these forums, create a login ID and Post a new thread in one of them, seeking assistance. You will need to run a Hijack This log and post it to the thread you start. Do NOT post your Hijack This logs in anybody else's thread.

Spyware Removal Forums


CastleCops Forums

SpywareWarrior Forums

Spywareinfo Forums

MajorGeeks Forums

TomCoyote Forums

Wilders Security Forums


[This message was edited by Wiz Feinberg on 10 June 2006 at 07:14 AM.]

Chip Fossa (Monson, MA, USA), posted 10 Jun 2006 7:19 am

WOW! Could going back to a restore point help? I know you probably would have thought of this, and it does sound too easy to do the fix.

Thanks Dave and Jack for your input.

I'll get going, Wiz, on your latest instructions.

This could take a while, it looks like.

Other than those opening pop-ups, the PC seems OK. messenger.msn.com page was sent to me by Sandman, our bassplayer, and that's where I downloaded from.

Thanks for all this help. I appreciate it.

Chip Fossa (Monson, MA, USA), posted 10 Jun 2006 7:37 am

Uh, just to be on the cautious side, on COMPUTER right click there was no option to 'turn off system restore', but I got to the page I guess in START/HELP?

But it warned that in closing 'restore' I would be deleting all restore points. Right now there are points at June 1, May 1, and April 30.

Should I still CLOSE? Also I checked just yesterday for Spybot Updates and there weren't any, and it didn't find ANYTHING yesterday.

Of course, I haven't run SB just yet. Unsure now about this restore point thing.

[This message was edited by CHIP FOSSA on 10 June 2006 at 08:38 AM.]

Wiz Feinberg (Mid-Michigan, USA), posted 10 Jun 2006 8:29 am

Chip;
Try restoring the June 1 backup and see what happens!!!!!

Dave Potter (Texas), posted 10 Jun 2006 8:46 am

Chip, I know you have more important issues than this to take care of, but you got me wondering about those little red faces in your earlier post.

They're "smilies" in the list supported on this forum. If you type a colon next to the letter "o", it makes a "shameful face" smiley. There are several colons next to "o"s in that post.

Chip Fossa (Monson, MA, USA), posted 10 Jun 2006 9:02 am

Ok, getting back now. I'll try the June restore, Wiz.

Dave - AHA! Good sleuthing. I'd a-never guessed.

Chip Fossa (Monson, MA, USA), posted 10 Jun 2006 9:14 am

Well, the restoration for June 1 was successfully completed. The only popup on startup was AVAST saying it needed to restart the PC.

However, that Spybot blue & white square, with a padlock, is still in the taskbar.
The Steel Guitar Forum
148 S. Cloverdale Blvd.
Cloverdale, CA 95425 USA
