TechSpot

Problems with Msconfig, Regedit, Hijack This

By _beaks_
Jun 22, 2007
  1. Hullo! :)

    My problem seems quite a common one; whenever I try to run Msconfig, Regedit or HijackThis, they close after a few seconds. Whenever I type HijackThis into Firefox, this also shuts the page down. I don’t, however, have any problem with Task Manager (I’ve read a lot of posts with this sort of problem, where this also shuts down). I was hoping you guys could help (please!)

    System Specs…

    Laptop: Toshiba Equium A110-233 (about ten months old)
    Processor: Intel Centrino Mobile Technology
    Memory: 512MB / DDR2 RAM / 533 MHz
    Running: Windows XP Home Edition (Legit)

    What I’ve Tried/Am Running So Far…

    Trend Micro Housecall & Kaspersky Online Scanners
    Norton Internet Security 2006 (I know, I know ;) )
    Spybot Search & Destroy
    Ad-Aware SE Personal
    IObit SmartDefrag
    CCleaner

    (all up-to-date and having been run within the last few hours, or running constantly, like Norton)

    I rebooted in safe mode and ran HijackThis, and attached the log to this thread (I hope this worked hehe). Anything else you need to know, just say.

    Thank-yoooooou!

    Hope
    x
     
  2. CCT

    CCT TS Evangelist Posts: 2,653   +6

    F3 - REG:win.ini: load=C:\WINDOWS\system32\ etcetera are trojans.
     
  3. jobeard

    jobeard TS Ambassador Posts: 9,317   +618

    host file (\windows\system32\drivers\etc\host) is contaminated to prevent valid site access!
    O1 - Hosts: 1.1.1.1 free.grisoft.com
    O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
    O1 - Hosts: 1.1.1.1 usa.kaspersky.com
    O1 - Hosts: 1.1.1.1 ewido.net
    O1 - Hosts: 1.1.1.1 www.ewido.net
    O1 - Hosts: 1.1.1.1 zonelabs.com
    O1 - Hosts: 1.1.1.1 www.zonelabs.com
    O1 - Hosts: 1.1.1.1 bitdefender.com
    O1 - Hosts: 1.1.1.1 www.bitdefender.com
    O1 - Hosts: 1.1.1.1 download.bitdefender.com
    O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
    O1 - Hosts: 1.1.1.1 spywareinfo.com
    O1 - Hosts: 1.1.1.1 www.spywareinfo.com
    O1 - Hosts: 1.1.1.1 merijn.org
    O1 - Hosts: 1.1.1.1 www.merijn.org
    O1 - Hosts: 1.1.1.1 sysinternals.com
    O1 - Hosts: 1.1.1.1 www.sysinternals.com
    O1 - Hosts: 1.1.1.1 onguardonline.gov
    O1 - Hosts: 1.1.1.1 www.onguardonline.gov
    O1 - Hosts: 1.1.1.1 avast.com
    O1 - Hosts: 1.1.1.1 www.avast.com
    O1 - Hosts: 1.1.1.1 safety.live.com
    O1 - Hosts: 1.1.1.1 www.paretologic.com
    O1 - Hosts: 1.1.1.1 paretologic.com
    O1 - Hosts: 1.1.1.1 services.google.com
    O1 - Hosts: 1.1.1.1 www.webroot.com
    O1 - Hosts: 1.1.1.1 webroot.com

    suggest you delete all entries and then add only
    127.0.0.1 localhost

    mark the file READ-ONLY!


    then flush your DNS client: run -> ipconfig /flushdns
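The HijackThis O1 lines quoted above show the hosts file redirecting security-vendor domains to 1.1.1.1 so that update and scan sites become unreachable. The following is an added example (not code from the thread or from TechSpot) that parses both a HijackThis log and a raw Windows hosts file and flags every mapping that is not a loopback address for localhost, which is exactly the only entry jobeard recommends keeping; the log and hosts file contents are constructed samples modelled on the thread.

```python
import ipaddress
import re

# Constructed sample of HijackThis "O1 - Hosts:" lines, modelled on the thread.
SAMPLE_HJT_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.kaspersky.com
O1 - Hosts: 1.1.1.1 sysinternals.com
"""

# Constructed sample of a raw Windows hosts file in the same compromised state.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
1.1.1.1 housecall.trendmicro.com   # redirects the online scanner
1.1.1.1   www.avast.com
"""

LOOPBACK_NAMES = {"localhost"}
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hjt_o1(log_text):
    """Return (ip, hostname) pairs from the O1 lines of a HijackThis log."""
    return [m.group(1, 2) for m in map(O1_RE.match, map(str.strip, log_text.splitlines())) if m]


def parse_hosts_file(text):
    """Return (ip, hostname) pairs from a hosts file; comments and blank lines are skipped,
    and a line with several hostnames yields one pair per hostname."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            pairs.extend((parts[0], name) for name in parts[1:])
    return pairs


def suspicious_entries(pairs):
    """Flag every mapping that is not a loopback address for 'localhost'.
    Anything else (e.g. a vendor domain sent to 1.1.1.1) is a candidate hijack."""
    flagged = []
    for ip, name in pairs:
        try:
            is_loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:  # not a valid IP literal at all: treat as suspicious
            is_loopback = False
        if not (is_loopback and name.lower() in LOOPBACK_NAMES):
            flagged.append((ip, name))
    return flagged
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `parse_hosts_file` and review each flagged pair before replacing the file with the single `127.0.0.1 localhost` line the post recommends.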
     
  4. CCT

    CCT TS Evangelist Posts: 2,653   +6

  5. momok

    momok TS Rookie Posts: 2,265

    Hi _beaks_ and welcome to techspot. =)

    You may wish to copy and paste these instructions into Notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Alcmtr

    Open your Task Manager by pressing and holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab, and end the following processes, if found:

    ALCMTR.EXE

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    F3 - REG:win.ini: load=C:\WINDOWS\system32\emqjofo\winlogon.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\emqjofo\winlogon.exe
    Fix all O1 entries as suggested by jobeard.
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - Global Startup: LaunchU3.exe.lnk = ?

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\ALCMTR.EXE

    Flush your DNS client like jobeard suggested.

    Reboot into normal mode and rehide your protected OS files.

    Next, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments in this thread. Do not copy and paste your logs; otherwise they will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly momok =)

    This thread is for the use of _beaks_ only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. _beaks_

    _beaks_ TS Rookie Topic Starter

    Thank-you so much!! I'll get all this done tomorrow and then post the results asap. You guys are computer geniuses :)

    (( Edit: Sorry for the delay, haven't been able to get onto my laptop in the past few days. Nearly finished the steps ))
     
  7. momok

    momok TS Rookie Posts: 2,265

    No problem, no hurries. Just be sure to complete the steps correctly and post the 3 required logs as well as the results of the anti-rootkit scan.

    Regards,
    Your friendly momok =)

    This thread is for the use of _beaks_ only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. _beaks_

    _beaks_ TS Rookie Topic Starter

    Hullo!!

    Reet...got all that done, and hopefully in the right way hehe.
    I've posted the three logs...the AVG Spyware one is from the 25th as it picked up something then, and the one I did today didn't show anything. AVG Anti-Rootkit didn't find any rootkits either.
    I was hoping you could check over the HJ log and see if there's anything left to clear up?

    Thank-you for all of your help in sorting this, I can now run msconfig and regedit without problem :giddy:
     
  9. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I noticed that you do not run any firewall on your system. That is not recommended since it is the first layer of protection against external online threats. Here are some recommended ones and links to them.

    For firewalls please use one and only one. Using more than one is not recommended as it will hog your system resources.
    Zonealarm
    Kerio
    Comodo

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of _beaks_ only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. almcneil

    almcneil TS Guru Posts: 1,277

    I've had this type of problem with a few customers. What I did was go into MSCONFIG and deselect unnecessary/useless services and startup programs. What probably has happened is that some spyware has corrupted a service or startup background program. Even though you remove the spyware, the corruption it caused remains. If you're lucky, it's in a service or program you don't need and by deselecting it, the problem disappears.
     