Empty entry in startup


35 replies to this topic

#1 Liketo_learn

Posted 24 December 2008 - 11:55 PM

Hi Guys,
Recently I had a malware attack and had run MBAM to remove 60-odd infected objects. I ran a Kaspersky online scan and everything checked out okay. I was checking my startup list and found an empty entry (that had no name / no command) and just the location - HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run.

I also have the McENUI.exe entry in the startup. Is this safe?

Is this the virus?

Edited by Liketo_learn, 25 December 2008 - 12:23 AM.



#2 DaChew (BC Advisor)

Posted 25 December 2008 - 06:44 AM

McENUI.exe is part of McAfee, which may be related to your other problem or to damage done to your browser. McAfee has caused me a lot of grief in removing malware; was it active when you got infected?

http://www.bleepingcomputer.com/forums/t/188764/image-thumbnails-not-displayed-on-ie/

Edited by DaChew, 25 December 2008 - 06:45 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 Liketo_learn

Posted 25 December 2008 - 11:39 AM

Also, when I tried to remove some entries from my 'Startup' via msconfig, it gave me a message that this can be changed only by an administrator (even though I had admin access) but still went to restart.

This is the HJT log entry from when I was infected...

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

Edited by Liketo_learn, 25 December 2008 - 05:05 PM.


#4 DaChew

Posted 26 December 2008 - 08:07 AM

Let's run ATFCleaner and SAS according to these directions

http://www.bleepingcomputer.com/forums/ind...mp;#entry948894

I would also like to see an updated MBAM log

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

#5 Liketo_learn

Posted 28 December 2008 - 01:22 AM

I ran the ATF cleaner and SUPERAntiSpyware.

I got 14 infections (3 ad tracking cookies, 10 Malware.Installer-pkg/gen and one Rootkit.TDSServ-Trace).

Malware.Installer-pkg/gen were found in C:\Program Files\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B66C9E6].exe

Rootkit.TDSServ-Trace C:\WINDOWS\SYSTEM32\TDSSWUPE.DAT

When I tried to reboot, it failed. I got a message "ATI" or "ATA" (some part of the message said that) and I shut down my computer and started it again, so I'm not really sure if the cleanup was successful. I could still find the WildTangent exe's.

I ran MBAM (quick scan) and there were no malicious items. Here is the spyware log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/27/2008 at 10:03 PM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 01:33:28

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 7894
Registry threats detected : 0
File items scanned : 24463
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\Krish\Cookies\Krish@ad.yieldmanager[1].txt
C:\Documents and Settings\Krish\Cookies\Krish@atdmt[1].txt
C:\Documents and Settings\Krish\Cookies\Krish@doubleclick[1].txt

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSWUPE.DAT

Edited by Liketo_learn, 28 December 2008 - 01:57 AM.


#6 DaChew

Posted 28 December 2008 - 12:20 PM

Would you update MBAM and run another scan and post that log?

#7 Liketo_learn

Posted 29 December 2008 - 12:35 AM

Hi Dachew,
I have attached the latest MBAM log...

Malwarebytes' Anti-Malware 1.31
Database version: 1539
Windows 5.1.2600 Service Pack 2

12/28/2008 9:33:07 PM
mbam-log-2008-12-28 (21-33-07).txt

Scan type: Quick Scan
Objects scanned: 75749
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 DaChew

Posted 29 December 2008 - 12:49 AM

Do you still have any symptoms of infection left?

Is your admin access working?

Msconfig?

#9 Liketo_learn

Posted 29 December 2008 - 10:03 PM

I am able to run msconfig. When I uncheck 'msnmgr', it gives me an error message that 'I need to be logged on as admin'. I close msconfig and it asks me to 'restart'. When I restart, it says the system was started in 'Selective startup' and asks me to undo the changes.

Other than that, not many symptoms.

Is it possible that the rootkit program was cleaned, but the 'dat' file was left behind? Should I try to just delete this data file? I have attached my first MBAM log (after cleanup).

Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 2

12/20/2008 10:18:59 PM
mbam-log-2008-12-20 (22-18-59).txt

Scan type: Quick Scan
Objects scanned: 81622
Time elapsed: 20 minute(s), 34 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 4
Registry Keys Infected: 24
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
C:\Documents and Settings\krish\Local Settings\Temp\csrssc.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\wvUkHXnm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iifEuSMD.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ijmeft.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tyshb36rfjdf.dll (Trojan.Fakealert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifeusmd (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7f67bb91-0514-49bd-aef9-6a4f522000f7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7f67bb91-0514-49bd-aef9-6a4f522000f7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec66951d-bd20-4c05-8cae-08cb390b6cb3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ec66951d-bd20-4c05-8cae-08cb390b6cb3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7f67bb91-0514-49bd-aef9-6a4f522000f7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnskdfmf9eldfd (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvukhxnm -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvukhxnm -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iifEuSMD.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wvUkHXnm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mnXHkUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mnXHkUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\giyxufah.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hafuxyig.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tyshb36rfjdf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\ijmeft.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\krish\Local Settings\Temp\csrssc.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSacmn.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSirrx.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSktpo.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSqavh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\pmnMGYsr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGYqPGw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xogrdelf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSxxou.sys (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\krish\Local Settings\Temp\TDSS8293.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\etc\services.1 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\etc\services.2 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\etc\services.3 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\etc\services.4 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSuqon.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSwghd.log (Trojan.TDSS) -> Delete on reboot.
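The log above is a flat list, and the two things a responder needs from it are buried: which items MBAM could only schedule as "Delete on reboot" (so they must be re-checked after a normal restart), and which auto-start locations the infection had hooked (Run keys, Winlogon Notify, the LSA Authentication/Notification Packages, Browser Helper Objects, ShellExecuteHooks, a kernel driver). The Python script below is an added example, not code from this thread or from Malwarebytes; it parses the MBAM 1.x log format exactly as posted and groups the detections that way. The embedded sample log is constructed from a subset of the entries above; the location labels and the `Detection` tuple are this example's own naming.

```python
"""Triage an MBAM 1.x scan log: group each detection by the auto-start
location it abused and list what still needs verifying after a reboot."""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample, shaped like the log posted above (same line format,
# a subset of the items).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\wvUkHXnm.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifeusmd (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvukhxnm -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\TDSSxxou.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <action>"; for registry data items the action part
# itself contains "Data: ... -> <action>", so the real action is the last arrow.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")


class Detection(NamedTuple):
    section: str
    item: str
    family: str
    action: str


# Auto-start extensibility points seen in the log, matched on the lower-cased
# path. First hit wins; kernel drivers are matched on extension + folder.
LOCATIONS = [
    ("Run/RunOnce key", "\\currentversion\\run"),
    ("Winlogon Notify package", "\\winlogon\\notify"),
    ("LSA Authentication/Notification package", "\\control\\lsa\\"),
    ("Browser Helper Object", "\\browser helper objects\\"),
    ("ShellExecuteHooks", "\\shellexecutehooks\\"),
    ("SharedTaskScheduler", "\\sharedtaskscheduler\\"),
    ("Explorer policy", "\\policies\\explorer\\"),
]


def persistence_location(item: str) -> str:
    low = item.lower()
    if low.endswith(".sys") and "\\drivers\\" in low:
        return "Kernel driver"
    for label, needle in LOCATIONS:
        if needle in low:
            return label
    return "Unclassified"


def parse_mbam_log(text: str):
    """Yield one Detection per item line, tagged with its section header."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):       # e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            action = m.group("rest").rsplit(" -> ", 1)[-1].rstrip(".")
            yield Detection(section, m.group("item"), m.group("family"), action)


def pending_reboot(detections):
    """Items MBAM could not remove while running; confirm absent after a normal reboot."""
    return [d.item for d in detections if d.action.lower().startswith("delete on reboot")]


def group_by_location(detections):
    groups = defaultdict(list)
    for d in detections:
        groups[persistence_location(d.item)].append(d.item)
    return dict(groups)


def triage(text: str) -> dict:
    dets = list(parse_mbam_log(text))
    return {"detections": len(dets),
            "pending_reboot": pending_reboot(dets),
            "by_location": group_by_location(dets)}


if __name__ == "__main__":
    import json
    import sys
    text = SAMPLE_LOG
    if len(sys.argv) > 1:  # path to a saved mbam-log-*.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    print(json.dumps(triage(text), indent=2))
```

Run it with the path to a saved mbam-log-*.txt, or with no argument to run over the embedded sample. Two readings matter: every path in `pending_reboot` has to be confirmed gone after a normal (not safe-mode) restart, and anything under the LSA, Winlogon Notify or Kernel driver headings means the infection had code loaded into lsass/winlogon or the kernel, not just a user-mode auto-start entry.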

#10 DaChew

Posted 29 December 2008 - 10:11 PM

Use Add/Remove Windows Components in Add/Remove Programs for Messenger.

Something else you are using may be trying to use it as a dependency, though.

Give SAS another try with McAfee disabled.

#11 Liketo_learn

Posted 01 January 2009 - 11:57 AM

When I ran SAS, it did not detect any objects. I don't want to remove Messenger; I had just wanted to remove it from startup. If I go to msconfig and click 'OK' without any changes, even then it gives me an error message saying that 'I do not have admin priv'. Further, it asks me to restart.

#12 DaChew

Posted 01 January 2009 - 01:14 PM

When you disable startups with msconfig you are always asked to reboot.

That was quite a nasty infection. You might need to run a tool I can recommend; let me refer this thread to someone who can make that decision.

#13 quietman7 (Global Moderator)

Posted 01 January 2009 - 01:49 PM

Your MBAM log indicates you are using an outdated database. Please update it through the program's interface (preferable way) or manually download the updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

A blank entry in MSConfig is typically the result of an improper install/uninstall which never updated the registry "Run" keys, or of a malware infection. There are several places in the registry that items can get added to the startup list. For more details see Why is there a blank entry in my msconfig startup entries?.

MSConfig is a troubleshooting utility used to diagnose and fix system configuration issues. In the Summary section Microsoft says "The System Configuration utility helps you find problems with your Windows XP configuration. It does not manage the programs that run when Windows starts."

Although it works as a basic startup manager, msconfig should not be used routinely to disable auto-start programs. It is a temporary solution and not a good practice for the following reasons:
  • When uninstalling programs while disabled with msconfig, they may not be uninstalled properly and manually editing the registry will be required to remove everything.
  • Msconfig will often leave orphaned entries when software is uninstalled. When used to switch back to normal startup mode, these orphan entries can result in boot up errors.
  • Msconfig allows malware related items to hide in your registry which you may not see or affect your computer until switched back to normal startup mode. This could then result in reinfection of the computer.
  • Msconfig does not list all applications loaded in all possible startup locations (some entry points are hidden and unknown to the user) and does not allow the complete removal of disabled entries from its list.
You should not use msconfig to disable startup applications related to a running service. Doing so alters the registry and there are services that are essential for hardware and booting your system. When you uncheck a service in msconfig, you completely disable it. If you uncheck the wrong one, you may not be able to restart your computer. You should only disable services using Control Panel > Administrative Tools > Services. With the Services Management Console (services.msc) you cannot disable services that may be vital to boot your system.

Any message that "You have used the System Configuration Utility..." is normal after using it. When you alter something in MSConfig you are prompted at the next start up with a notice that explains that you have used the System Configuration Utility. Check the "Don't show this message or launch the System Configuration Utility when Windows starts" box to prevent future warnings from appearing.

IMPORTANT NOTE: One or more of the identified infections (TDSS[random characters.***]) was related to a nasty variant of the TDSSSERV rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice and the infection persists, disinfection will probably require the use of more powerful tools than we recommend in this forum. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is a hidden piece of malware which has not been detected that protects files (which have been detected) and registry keys so they cannot be permanently deleted.

Let's see what happens after you update MBAM and perform a new scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
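As an added example (not code from this thread, from Microsoft, or from any tool named above), here is a Python script that audits the Run and RunOnce keys for the kinds of entry quietman7 describes: a (Default) value with no name and no command, an entry whose target file no longer exists (the orphan left by a bad uninstall or a half-removed infection), and a command launched from a Temp directory, as the Trojan.Clicker entry in the earlier log was. On Windows it reads the live registry through the standard `winreg` module; the checks themselves are plain functions, so the script also runs on any platform against an embedded, constructed sample modelled on entries from this thread. `SAMPLE_VALUES`, `SAMPLE_PRESENT` and the finding texts are this example's assumptions, not a dump of the poster's registry. It covers only the four Run/RunOnce keys, not the other start-up locations msconfig also misses (Winlogon Notify, services, BHOs, scheduled tasks, and on 64-bit Windows the Wow6432Node copies), which a full audit would add.

```python
"""Audit the Run/RunOnce auto-start keys for blank, orphaned or
temp-launched entries. Reading the live registry needs Windows (winreg);
the checks are pure functions and run anywhere against a sample."""
import os
import sys

RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll")

# Constructed sample (assumption, not the poster's registry): the blank
# (Default) value, the McAfee entry, the Trojan.Clicker entry running from
# Temp, and prunnet after its file was removed but its Run value was not.
SAMPLE_VALUES = {
    "": "",
    "McENUI": r"C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide",
    "jnskdfmf9eldfd": r"C:\Documents and Settings\krish\Local Settings\Temp\csrssc.exe",
    "prunnet": r"C:\WINDOWS\system32\prunnet.exe",
}
SAMPLE_PRESENT = {  # files that exist in the constructed scenario
    r"C:\PROGRA~1\McAfee\MHN\McENUI.exe",
    r"C:\Documents and Settings\krish\Local Settings\Temp\csrssc.exe",
}


def command_target(command: str) -> str:
    """Executable a Run command line launches: the quoted path, or the
    leading tokens up to the first one ending in an executable extension."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split(" ")
    for i in range(len(parts)):
        candidate = " ".join(parts[: i + 1])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return parts[0]


def audit_run_values(location, values, file_exists=os.path.exists):
    """Check one key's values ({name: command}). file_exists is injectable so
    the logic can run over a sample without touching the disk."""
    findings = []
    for name, command in values.items():
        if not command.strip():
            why = "blank entry: no command" + (
                " and no name (stray (Default) value)" if name == "" else "")
            findings.append((location, name, why))
            continue
        target = command_target(command)
        if name == "":
            findings.append((location, name, f"unnamed (Default) value launches: {target}"))
        if any(marker in target.lower() for marker in TEMP_MARKERS):
            findings.append((location, name, f"launches from a temp directory: {target}"))
        elif "\\" in target and not file_exists(target):
            # bare names like rundll32.exe resolve via PATH, so only full paths are checked
            findings.append((location, name, f"orphaned: target no longer exists: {target}"))
    return findings


def read_run_values(hive_name, subkey):
    """Windows only: enumerate every value under one key. A set default
    value comes back with name '' (the blank entry msconfig shows)."""
    import winreg  # not available off Windows
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {}
    with winreg.OpenKey(hive, subkey) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data if isinstance(data, str) else ""
            index += 1
    return values


def audit_live(reader=read_run_values):
    findings = []
    for hive, subkey in RUN_KEYS:
        try:
            values = reader(hive, subkey)
        except OSError:  # key absent (RunOnce usually is)
            continue
        findings.extend(audit_run_values(f"{hive}\\{subkey}", values))
    return findings


def audit_sample():
    return audit_run_values(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                            SAMPLE_VALUES, file_exists=lambda p: p in SAMPLE_PRESENT)


if __name__ == "__main__":
    findings = audit_live() if sys.platform == "win32" else audit_sample()
    for location, name, why in findings:
        print(f"{location} [{name or '(Default)'}]: {why}")
```

On the sample this reports the blank (Default) value, the Temp-launched csrssc.exe and the orphaned prunnet entry, and leaves the McAfee entry alone. A finding is a lead, not a verdict: a blank or orphaned value is safe to delete, but a live command from a Temp directory is exactly what should be submitted to a scanner rather than simply removed, since the file it points at is the evidence.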

#14 Liketo_learn

Posted 01 January 2009 - 02:10 PM

Thanks Dachew for your help.

quietman,
Thanks. Please note that the last MBAM log that I posted in this thread was run on 12-22 (version 1526), and it was this run that found all the entries. I updated MBAM on 12/28 and ran it with the new version (1539), and it found no new malicious items. Do you need me to run a new MBAM scan?

I have another computer that I have been using. I ensured that my infected computer is not connected to the network when I use the non-infected computer. Is that computer also compromised if I am using the same router? Are you talking about changing the wireless network password, or the router password itself?

I had copied some data on my hard disk to CD (before I had cleaned my infections). Is it safe to copy this data back to my computer, or should I trash all those CDs? If I decide to back up my data to a new CD now and then reformat my computer, is it safe to copy the backup CD to the computer? What are my backup options (since it may take a lot of time to copy my data to CDs)?

Symptoms of infection (opening of multiple IE windows) appeared on December 15th/16th. After that I stopped using my infected computer to do any banking transactions. Is it possible that I had been infected before December 15th?

Edited by Liketo_learn, 01 January 2009 - 02:23 PM.


#15 DaChew

Posted 01 January 2009 - 02:16 PM

MBAM is up to 1589.

Please update and rescan.



