BleepingComputer.com: How to delete unchecked items from Sys Config

I have unchecked items on my System Configuration Utility>Startup left over from a virus cleaning.

I've done searches, antivirus and malware scans for each of the items:
putabami
veregofu
zakanilu
xppolice

they are nowhere to be found.

They aren't causing problems, but it's annoying me to see them on the Start Up list and not being able to get rid of them.

I've even looked at HKEY_LOCAL_MACHINE>SOFTWARE>WINDOWS>RUN folders but to no avail . . .

NOTE: I always get a "An Access Denied error was returned. log on using an Admin account" when I click 'Apply' when leaving the System Config Utility.
Which is wierd, because it's my PC, and I'm most definitely logged in as Admin. . .

Any ideas?

(XP Pro)

This post has been edited by Studio Era: 29 March 2009 - 03:45 PM

I'm having the same problem. Hopefully we'll get some advice soon.

WARNING : Modifying Windows registry can lead to disastrous results. Please backup your Registry before continuing. You can do that by creating a System Restore point (as advised by Microsoft). Also there are tools like ERUNT which you can download from: http://www.larshederer.homepage.t-online.de/erunt/index.htm

First: MSCONFIG is not a tool to delete or disable any startup items permanently. It should be used only for troubleshooting and diagnosis.

Now that you understand the above two things:

All the items that you disabled are listed in this Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig

There are four subkeys (which look like subfolders in Regedit) :
services : disabled services are stored here. You should not find anything here.
startupreg: disabled apps that ran from registry are stored here.
startupfolder: disabled apps that ran from StartUp folder are stored here.
state : it stores whether you are using a selective startup, diagnosis startup using msconfig or not.

All disabled items are stored as subkeys (that look like subfolders). You can delete the key you want. (Be very careful)

There are various values under the subkey "state" like bootini, startup etc. To fool MSConfig you can set all the values to 0.

You need to be an administrator to make changes to registry.

If anything goes wrong you can always restore registry from a backup.

This post has been edited by Romeo29: 29 March 2009 - 08:33 PM

Another way to do this is to put the checkmark back in the entries in msconfig--this will rewrite the autostart entries back to the run key of the registry you had checked before and is safe to do as long as the actual files are gone and you don't reboot until the reg entries are deleted.

I would only recommend deleting those values from the Run key or what Romeo29 suggests if you are very familiar with and comfortable working with your registry. There are several safer ways to go about it to accomplish what you want. But before doing that my main question is are you sure all the malware is gone and these are just leftover reg entries? Malware is very complex nowdays--some of it you can still just deleted the startup entry and the file it points to and be rid of it, but many require much more to be done.

How did you clean up those malwares and what did you use? My guess is you're trying to do this manually and from your questions here and in other threads, I don't think you understand enough about how to do that for it to be a good idea.

I would strongly suggest that you run your antivirus after you've re-enabled those startups in msconfig and after the scan is finished, check to see if they're still there. If not you'll need further assistance. BTW, what antivirus are you running?

The other and safest way to deal with those entries is to use a startup manager that allows you to delete startup entries. But they still need to have the startup enabled in msconfig to be able to "see" them.

FWIW: Msconfig is designed to be a troubleshooting tool, not a startup manager, http://support.microsoft.com/kb/310560

In fact, I don't believe that it reflects all startup items. To see such, I suggest (as previously suggested) using a tool designed for such (there are several that are popular).

I prefer AutoRuns for Windows - http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx, which reflects everything (drivers, startups, services, etc.). If only looking for startups, stick with the Logon tab of this tool.

The use of Msconfig to manage startups initiated with older Windows O/Ses, before there were better tools designed for this particular job.

Louis

hamluis, on Mar 30 2009, 10:49 AM, said:

I completely agree with you about this, Louis. It is a bit like sticking your head in the sand.

However, I will not recommend AutoRuns without a disclaimer that one should create a Restore Point or registry backup first. AutoRuns is very powerful and shows about the same number of startup areas as HijackThis--in fact HJT is safer to use IMO than AutoRuns. HJT does make backups of "fixed" items--AutoRuns doesn't. And HJT whitelists system startups so there is no chance of those being deleted either.

For the most part if used to just disable statups, that would be OK--deleting them can easily get you in trouble. But either way anyone should read the following thead at the Sysinternals forum before using AutoRuns:
http://forum.sysinternals.com/forum_posts....D=5226&PN=4

It links to these horror story threads that show even disabling some startups can cause problems:
http://forum.sysinternals.com/forum_posts....D=2288&PN=1
http://forum.sysinternals.com/forum_posts....D=2847&PN=1
http://forum.sysinternals.com/forum_posts....D=1374&PN=1

The second two are especially timely, as there is a recent trend for malware to write to the userinit.exe--recovering from a deleted one isn't easy.

That's why for simple startup management, I prefer Mike Linn's Startup Control Panel:
http://www.mlin.net/StartupCPL.shtml
It doesn't show as much, but that is why it's safer--for simple startup management. Use other tools for malware removal. And it does allow deletion of startup entries if that's needed--and those are backed up to a trash bin that can be restored just like Windows Recycle Bin.

@ Studio Era
After rereading your original post, those startups appear to be Vundo. It's hard to remove and is what the majority of victims in the malware removal forums are infected with. Most antivirus won't remove it. Some antimalwares will, but this is a clue that you are still infected:

Quote

So please let me know what, if any program you've run so far to get rid of it--you may need to post your log to the malware removal forum.

Concur with PK's remarks about using Autoruns...I sometimes (not always) follow up any recommendation/suggestion of such with the comment that users need to also restrict themselves to the Logon tab...and leave the others alone...since the typical startup items users would be interested in appear only on the Logon tab.

The various other tabs reflect a rather exhaustive list of everything (drivers, services, necessary Microsoft entries, etc.) that begin as part of the boot/initialization process.

Louis

Papakid, on Mar 30 2009, 10:29 AM, said:

I thought about that. Check the items back and use Startup control panel or AutoRuns to disable them. But MSConfig doesnt put keys back into usual places in the registry until you restart, which means you risk running malwares(you never know if they are gone).

Papakid, on Mar 30 2009, 12:14 PM, said:

IMHO I dont like HijackIt logs they dont give desired details. For example, they enlist many "svchost.exe" instances running but they dont show the command-line. On the other hand, AutoRuns Data saves all the details. And when you load up data file back into Autoruns, you can clearly see all the processes as if they are on your own sytem. I dont understand why BleepingComputer is so crazy about HijackIt logs.

The standard use of HJT logs...as you will see on just about any computer website...relates to malware issues, nothing else.

This is why the posting of such logs in any XP forum on any website...will normally draw an immediate recommendation to post such log in the website's appropriate forum for dealing with malware.

BC is just following a recognized pattern that has existed for several years.

I have seen users who don't understand the significance of a HJT log...post such as if this is the first step in having someone tell them what programs they need to uninstall, etc. But that's not the purpose of a HJT log.

I suspect that these (persons who don't know what HJT logs are for) are some of the same persons who think that Msconfig.exe was designed to be used as a startup manager for Windows.

A tool can only be used properly...by someone who understands what it is designed to do and what it is NOT designed to do.

Louis

Romeo29, on Mar 30 2009, 08:25 PM, said:

While you are correct that it is a bad idea to enable a malware startup just before rebooting if you are not sure the malware files are gone, you are mistaken about data being written to the registry only after a reboot. If you don't mind performing a little experiment I can prove it to you.

You'll need a small utility by the name of RegShot:
http://sourceforge.net/projects/regshot/

Quote

RegShot does not alter the registry in any way, so it is safe for anyone to run and is a great way to learn more about your registry.

Here is the experiment I conducted and the results--you can try this on your own system with any startup after installing RegShot--I used the Java updater.

*Open msconfig to the Startup tab and then Open RegShot.
*In RegShot, click 1st Shot/Shot. In a few seconds the first snapshot of your registry will be taken. When the Snapshot is finished the 2nd shot button will no longer be grayed out.
*Make your changes now. In my first experiment, I took the checkmark out of jusched, which is the Java updater startup. Click Apply to write the changes to the registry.
*In RegShot, click 2nd Shot/Shot. In a few seconds the second snapshot of your registry will be taken.
*When this Snapshot is finished the cOmpare button will no longer be grayed out. Click it.
*After the two snapshots are compared, a log in Notepad will open showing what changes were made to the registry. The following is the result of my experiment, and I did not reboot for this data to be written to the registry file.
---

Quote

The second experiment, I followed the same procedure and put the check back next to jusched and clicked Apply. Here are the results--again without rebooting.
---

Quote

Now if you were to restore a startup whether malware or not and then reboot, then the program will begin running when windows starts. That's the definition of a startup. But if you just re-enable the startup without rebooting, the program will not run unless you start it yourself. I just mentioned that you can do this in order to get the reg entry in an easier to locate and manipulate place so that it can be deleted before rebooting.

To delete the reg entry use any tool you prefer:

Windows Registry Editor (regedit)
HijackThis
AutoRuns
Startup Control Panel
A registry import file

They all do the same thing--delete the value and data from this reg key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Romeo29, on Mar 30 2009, 08:25 PM, said:

Well, first of all, I don't like HijackIt logs either as I've never seen one. HijackThis logs, however, I've been observing the use of, then using and training of others in its use for over six years now.

I'm not sure what you are trying to say about AutoRuns when you talk about loading data files and looking at processes. Are you sure you aren't confusing it with Process Explorer, also by SysInternals? AutoRuns just deals with startups, which is a registry thing--the only thing I can find in AutoRuns that has anything to do with processes is a menu item where you can switch to Process Explorer--I just tried it and it says I have to have PE installed and running for it to work.

You don't have to look at a svchost process command line to find out what services are running--and you don't have to use HijackThis to do malware removal. HJT does show standard services in the 023 section. Drivers, which are what most rootkits are and have similar architecture to services, are not shown in HJT however--where AutoRuns does show them. HJT has fallen a bit behind the times, I never said it showed as much as AutoRuns--why do you think the Prep guide now does not even ask for HijackThis to be run?
http://www.bleepingcomputer.com/forums/topic34773.html

Instead BC asks that DDR be run that has more comprehensive information, including listing drivers. In malware removal you use whatever tool is necessary to accomplish the goal--I don't care if it's Mother Mabel's Mighty Mojo. All I said was that HijackThis is safer to use than AutoRuns--but neither is completely safe if you don't pay attention and know what you are doing.

For a couple of years now, it's been debated whether or not HijackThis should be phased out. But it still has a usefullness, unlike another of merijn's programs that is still used by some people but is completely obsolete now--CWShredder.

But for the first four or five years of its existence, HijackThis helped out thousands, if not more than a million people get back use of their computer when they had given up hope. So why begrudge people who have a fondness for this little app?

I tested before posting my first post here.

I used Regedit to see registry changes, just pressed F5 each time I changed. Unfortunately I chose to uncheck/check Outpost firewall's feedback process.

Now that I tried checking/unchecking other items in MSConfig I found I was wrong.

The outpost Firewall was protecting itself and reverting all changes.

And yes I confused ProcessExplorer with AutoRuns.

I just made a fool of myself. So much of my posting on BC.

Sorry for posting wrong things. Please remove my posts if you find them misleading.

A bit drastic, don't you think ?

Don't take it so hard when someone finds that you've made a mistake...corrections of such should always be made in a forum like this where unintentional misinformation...is just as capable of creating problems for many users...as deliberate lies do for the unskilled/novice/uncaring user.

I know that there are some here who think it's a "sin" to be publicly depicted as being "wrong" or making an error...don't be among them, life is for learning.

Louis