TechSpot

Annoying Trojan *msconfig32.exe and msdirectx*

By kinship
Apr 5, 2006
  1. Hey

    I seem to have a virus, my task manager won't open, iexplore seems to be really buggy too. I'm trying to run HJT atm (it closes nearly instantly) so I'll post it down here when I can get it up. I've done virus scans and I keep getting a virus or trojan. I keep deleting it and I clear all of the registry values in regedit, system restore is off. msconfig32.exe keeps popping up in search right after I delete it, I try using Killbox *kill on startup* but it seems to not work, I've run CCleaner and flushed out all the temp files.

    help ><
     
  2. Spike

    Spike TS Evangelist Posts: 2,168

    See HERE, and follow the instructions as given by Howard.
     
  3. kinship

    kinship TS Rookie Topic Starter

    I've done all that mentioned above, and as I said HJT instantly closes, same as regedit and task manager
     
  4. Spike

    Spike TS Evangelist Posts: 2,168

    So where's the HJT log file? ;)

    There's not much we can easily do for you if we've got nothing to look at.

    edit: sorry about that. I missed the bit about HJT instantly closing.

    The nothing to look at comment still stands though.

    The Trend Micro scan will have told you what the virus/trojan/worm is, and we need that info. Ewido will produce logs to tell you what it finds and removes also, which would be useful.

    From what I've just googled, msconfig32.exe can be a few different things, and further to that, it may not necessarily be the only one you have.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions.

    Then see if you can post your HJT log as an attachment.

    Regards Howard :wave: :wave:
     
  6. kinship

    kinship TS Rookie Topic Starter

    hjt log

    here it is, the HJT file, running Housecall atm
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Locate the following services (if there) and double click on them. If they are running, select stop. Set the startup type to disabled.

    Compaq32 Service Drivers

    Click apply/ok.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    msconfig32.exe

    Close task manager.

    Run HJT with no other programmes running. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

    Fix all O16 DPF entries, no matter what they are.

    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files (if there).

    msconfig32.exe

    Reboot into normal mode and turn system restore back on.

    Regards Howard :)
     
  8. kinship

    kinship TS Rookie Topic Starter

    mm

    that seemed to have worked temporarily, it comes back by the looks of it. The computer lasts for around 10 minutes and then it just dies and goes back to how it was before.. ty for the help so far, this thing is getting annoying
     
  9. Spike

    Spike TS Evangelist Posts: 2,168

  10. kinship

    kinship TS Rookie Topic Starter

    I ran the tool and I have this:

    Backdoor:Win32/Sdbot!3AB7

    restart, comp stays normal for around 10 mins then everything acts like it's infected again
     
  11. Spike

    Spike TS Evangelist Posts: 2,168

    I did suspect SDbot from the filenames in the title, but wasn't sure enough to suggest it.

    Did you manage to remove the compaq32 service, installed by SDbot? Its file, apparently, is msdirectx.sys, which should say something ;)

    Unfortunately, the precise variant you have doesn't seem clear, making it difficult to find a precise removal tool (I'm somewhat surprised that Trend Micro didn't detect it!)

    have you tried downloading and running Ewido yet?

    If you haven't, try running it. If you have, reboot your machine, post a HJT log from before "all hell breaks loose", and also one from afterwards (while it's breaking loose) for comparison to each other, and your original.
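The before/after comparison Spike asks for here, and the O4/O16/O18 entries Howard lists for fixing further up, can be checked mechanically. The following is an added example, not code from the thread or from HijackThis itself: it parses the O4 (autorun), O16 (downloaded ActiveX) and O18 (protocol handler) lines of an HJT log, flags the ones that match the indicators named in this thread or look like the thread's entries (an autorun whose target is a bare filename with no directory, a protocol handler whose DLL is missing, any O16 DPF entry), and diffs two logs so a returned entry stands out. The sample logs are constructed here: the flagged lines are the ones quoted in the thread, while the ExampleUpdater autorun and the nil-GUID O16 line are made up for contrast, and the "bare filename" rule is a heuristic of this example, not something HJT reports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators called out in this thread (matched case-insensitively as substrings).
INDICATORS = ("msconfig32.exe", "msdirectx.sys", "compaq32 service drivers")

# O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# O16 - DPF: {CLSID} (Friendly name) - http://host/control.cab
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<target>.+)$")
# O18 - Protocol: livecall - {CLSID} - "C:\path\handler.dll" (file missing)
O18_RE = re.compile(r"^O18 - Protocol: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # "O4", "O16" or "O18"
    location: str  # registry key for O4, CLSID for O16/O18
    name: str      # [name] for O4, friendly name for O16, URL scheme for O18
    target: str    # file, URL or DLL the entry points at
    raw: str       # the original log line, used as the identity for diffing


def parse_hjt(text: str) -> list[Entry]:
    """Extract O4/O16/O18 entries from an HJT log; every other line is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["key"], m["name"], m["target"], line))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", m["clsid"], m["name"], m["target"], line))
        elif m := O18_RE.match(line):
            entries.append(Entry("O18", m["clsid"], m["name"], m["target"], line))
    return entries


def reasons(e: Entry) -> list[str]:
    """Why an entry deserves a look; an empty list means nothing stood out."""
    out = []
    hay = f"{e.name} {e.target}".lower()
    if any(ind in hay for ind in INDICATORS):
        out.append("matches an indicator named in the thread")
    if e.section == "O4":
        # Heuristic (an assumption of this example): legitimate autoruns almost
        # always carry a full path; the thread's msconfig32.exe entries are bare
        # filenames that rely on the PATH search to be found.
        exe = e.target.strip('"').split()[0]
        if "\\" not in exe and "/" not in exe:
            out.append("autorun target has no directory")
    if e.section == "O16":
        out.append("downloaded ActiveX control (thread advice: fix all O16 DPF)")
    if e.section == "O18" and "(file missing)" in e.target:
        out.append("protocol handler points at a missing DLL")
    return out


def triage(text: str) -> list[tuple[str, list[str]]]:
    """Suspicious entries of one log, each with the list of reasons it was flagged."""
    return [(e.raw, r) for e in parse_hjt(text) if (r := reasons(e))]


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(entries only in `after`, entries only in `before`): what appeared and what went away."""
    b = {e.raw for e in parse_hjt(before)}
    a = {e.raw for e in parse_hjt(after)}
    return sorted(a - b), sorted(b - a)


# Constructed sample logs. The flagged lines are those quoted in the thread;
# ExampleUpdater and the nil-GUID O16 control are invented for contrast.
INFECTED_LOG = r"""
Logfile of HijackThis
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.invalid/control.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

CLEAN_LOG = r"""
Logfile of HijackThis
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

if __name__ == "__main__":
    for raw, why in triage(INFECTED_LOG):
        print(raw)
        for r in why:
            print("    ->", r)
    came_back, _ = diff_logs(CLEAN_LOG, INFECTED_LOG)
    print(f"\n{len(came_back)} entries present in the relapse log but not the clean one")
```

Run it against the log taken right after cleaning and the one taken once the symptoms return: anything in the first list of `diff_logs` is what the infection put back, which is exactly the comparison requested above.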
     
  12. kinship

    kinship TS Rookie Topic Starter

    going to install and run Ewido, I have Panda atm, it seems to be not working against this little worm. It somehow has a way to revive itself. It seems there are a few different things that start this worm, msconfig32.exe and msdirectx.sys are the main culprits, I'll try to kill them in safe mode now, should I also kill all the registry instances of them?
     
  13. Spike

    Spike TS Evangelist Posts: 2,168

    No, simply follow Howard's instructions again, except you should probably also find and delete msdirectx.sys if Ewido doesn't get it, as well as msconfig32.exe

    Run Ewido before you do it though :)

    (how to remove trojans and its ilk was in Howard's instructions, and contains an instruction to run Ewido, by the way, just so that you know)

    Once you've completed, please do me a favour (for my own curiosity) and post the Ewido logfile, along with a new HJT log to check that it's all clean (or not as the case may be - should be good though.)
     
  14. kinship

    kinship TS Rookie Topic Starter

    well I deleted msdirectx.sys and msconfig32.exe and it still pops up, I think there's another virus or something here, I'm thinking of using the Windows CD to repair but I'm not sure if that would help.. I have SP1 installed (haven't been able to get SP2 by CD) maybe that's why?
     
  15. Spike

    Spike TS Evangelist Posts: 2,168

    What do you mean by "all hell breaks loose"? Have those files returned? No, using the repair option on the CD won't help, and it's not an SP1 vs SP2 issue.

    Given the "10 minutes" statement, is your computer on a network with another machine, which could possibly be infected?

    Could you please post that Ewido and HJT log - not that I don't trust that you're following instructions, but it means we can actually take a look at what's been happening with them.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go HERE and follow the instructions exactly.

    Then post a fresh HJT log.

    Regards Howard :)
     
  17. kinship

    kinship TS Rookie Topic Starter

    okay so I did all that above, and I did a registry search on all msconfig32.exe and msdirectx.sys and cleared them all out and I'm posting my HJT log and Ewido scan down here. 5 mins in and clean so far, I'll post if symptoms start coming up again. ty =]
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I`d still like to see a fresh HJT log.

    Regards Howard :)
     
  19. kinship

    kinship TS Rookie Topic Starter

    soz, didn't realise that you could only attach one file, here's the fresh HJT log
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Regards Howard :)
     
  21. kinship

    kinship TS Rookie Topic Starter

    this time it took a lot longer for the thing to come back.. symptoms show again. Could it be Firefox? *I have no plugins or such installed* I'm going to do another cleanup again and I'm going to install a firewall, maybe that should fix my problems. Panda doesn't seem to be enough. Any other suggestions?
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I hadn't noticed you didn't have a firewall installed.

    This may well be the reason you keep getting infected. Get Zonealarm free from HERE.

    Regards Howard :)
     