Annoying Trojan *msconfig32.exe and msdirectx*

Status
Not open for further replies.

kinship

Posts: 10   +0
Hey

I seem to have a virus, my task manager won't open, iexplore seems to be really buggy too. I'm trying to run HJT atm (it closes nearly instantly) so I'll post it down here when I can get it up. I've done virus scans and I keep getting a virus or trojan. I keep deleting it and I clear all of the registry values in regedit, system restore is off. msconfig32.exe keeps popping up in search right after I delete it, I try using killbox *kill on startup* but it seems to not work, I've run ccleaner and flushed out all the temp files.

help ><
 
I've done all that mentioned above, and as I said HJT instantly closes, same as regedit and task manager
 
SO where's the HJT log file? ;)

There's not much we can easily do for you if we've got nothing to look at.

Edit: sorry about that. I missed the bit about HJT instantly closing.

The nothing to look at comment still stands though.

The trend micro scan will have told you what the virus/trojan/worm is, and we need that info. Ewido will produce logs to tell you what it finds and removes also, which would be useful.

From what I've just googled, msconfig32.exe can be a few different things, and further to that, it may not necessarily be the only one you have.
 
Hello and welcome to Techspot.

Go HERE and follow the instructions.

Then see if you can post your HJT log as an attachment.

Regards Howard :wave: :wave:
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Locate the following services (if there) and double click on them. If they are running, select stop. Set the startup type to disabled.

Compaq32 Service Drivers

Click apply/ok.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

msconfig32.exe

Close task manager.

Run HJT with no other programmes running. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

Fix all O16 - DPF entries, no matter what they are.

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there).

msconfig32.exe

Reboot into normal mode and turn system restore back on.

Regards Howard :)
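The steps above amount to a triage of the HJT log: flag the O4 autostart entries that point at the named file, every O16 - DPF entry, and the O18 protocol handlers whose DLL is reported missing. As an added example (not code from the thread or from HijackThis), here is a small Python parser that applies exactly those rules. The sample log it runs on is constructed from the entry types quoted in the thread plus some benign-looking lines for contrast; the CLSID and URL in the O16 line are placeholders, not values from the poster's machine.

```python
"""Triage a HijackThis log against the cleanup rules given in the thread.

Added example, not from the original post. The sample log below is constructed:
it reuses the entry types quoted in the thread and adds a few harmless-looking
lines so that the filter has something to leave alone.
"""
import re

# Filenames the thread names as the SDbot components.
SUSPECT_FILES = {"msconfig32.exe", "msdirectx.sys"}

# Constructed sample log (placeholder CLSID/URL in the O16 line).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\\..\\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
O16 - DPF: {PLACEHOLDER-CLSID-0001} (Example Control) - http://example.invalid/control.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O23 - Service: Example Service - Example Corp - C:\\Program Files\\Example\\svc.exe
"""

# O4 lines look like:  O4 - <hive\..\key>: [<display name>] <target>
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# O18 lines look like: O18 - Protocol: <name> - {<clsid>} - "<dll>" [(file missing)]
O18_RE = re.compile(r"^O18 - Protocol: (?P<proto>\S+) - (?P<clsid>\{[^}]*\}) - (?P<rest>.*)$")


def triage(log_text):
    """Return (line, reason) pairs for the entries the thread says to fix.

    Rules, taken from Howard's instructions:
      * O4 Run/RunServices entries whose target is one of SUSPECT_FILES
      * every O16 - DPF entry, "no matter what they are"
      * O18 protocol handlers whose DLL is reported "(file missing)"
    """
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            # Compare only the basename of the autostart target, case-insensitively,
            # so a full path and a bare filename are treated the same.
            target = m.group("target").strip().strip('"')
            basename = re.split(r"[\\/]", target)[-1].lower()
            if basename in SUSPECT_FILES:
                flagged.append((line, f"autostart of suspect file {basename} via {m.group('hive')}"))
            continue
        if line.startswith("O16 - DPF:"):
            flagged.append((line, "downloaded ActiveX control (fix all O16 entries)"))
            continue
        m = O18_RE.match(line)
        if m and "(file missing)" in m.group("rest"):
            flagged.append((line, f"orphaned protocol handler {m.group('proto')} (file missing)"))
    return flagged


def flagged_reasons(log_text):
    """Just the reason strings, in log order."""
    return [reason for _, reason in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FIX  {reason}\n     {line}")
```

Run against the sample it flags the two O4 entries, the single O16 entry and both orphaned O18 handlers, and leaves the ExampleUpdater autostart and the O23 service alone. Feeding it a real log pasted into `SAMPLE_LOG` gives a quick first pass before the manual review that the thread asks for.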
 
mm

that seemed to have worked temporarily, it comes back by the looks of it. The computer lasts for around 10 minutes and then it just dies and goes back to how it was before.. ty for the help so far, this thing is getting annoying
 
I ran the tool and I have this:

Backdoor:Win32/Sdbot!3AB7

restart, comp stays normal for around 10 mins then everything acts like it's infected again
 
I did suspect SDbot from the filenames in the title, but wasn't sure enough to suggest it.

Did you manage to remove the compaq32 service, installed by SDbot? Its file, apparently, is msdirectx.sys - which should say something ;)

Unfortunately, the precise variant you have doesn't seem clear, making it difficult to find a precise removal tool (I'm somewhat surprised that Trend Micro didn't detect it!)

Have you tried downloading and running Ewido yet?

If you haven't, try running it. If you have, reboot your machine, post a HJT log from before "all hell breaks loose", and also one from afterwards (while it's breaking loose) for comparison to each other, and your original.
 
going to install and run ewido, I have panda atm, it seems to be not working against this little worm. It somehow has a way to revive itself. It seems there's a few different things that start this worm, msconfig32.exe and msdirectx.sys are the main culprits, I'll try to kill them in safe mode now, should I also kill all the registry instances of 'em?
 
No, simply follow Howard's instructions again, except you should probably also find and delete msdirectx.sys if ewido doesn't get it, as well as msconfig32.exe

Run ewido before you do it though :)

(how to remove trojans and its ilk was in Howard's instructions, and contains an instruction to run Ewido by the way, just so that you know)

Once you've completed, please do me a favour (for my own curiosity) and post the Ewido logfile, along with a new HJT log to check that it's all clean (or not as the case may be - should be good though.)
 
well I deleted msdirectx.sys and msconfig32.exe and it still pops up, I think there's another virus or something here, I'm thinking of using the windows cd to repair but I'm not sure if that would help.. I have sp1 installed (haven't been able to get sp2 by cd) maybe that's why?
 
What do you mean by "all hell breaks loose"? Have those files returned? No, using the repair option on the CD won't help, and it's not an SP1 vs SP2 issue.

Given the "10 minutes" statement, is your computer on a network with another machine, which could possibly be infected?

Could you please post that ewido and HJT log - not that I don't trust that you're following instructions, but it means we can actually take a look at what's been happening with them.
 
okay so I did all that above, and I did a registry search on all msconfig32.exe and msdirectx.sys and cleared all them out and I'm posting my hjt log and ewido scan down here. 5 mins in and clean so far, I'll post if symptoms start coming up again. ty =]
 
this time it took a lot longer for the thing to come back.. symptoms show again. Could it be firefox? *I have no plugins or such installed* I'm going to do another cleanup again and I'm going to install a firewall, maybe that should fix my problems. Panda doesn't seem to be enough. Any other suggestions?
 
I hadn't noticed you didn't have a firewall installed.

This may well be the reason you keep getting infected. Get Zonealarm free from HERE.

Regards Howard :)
 