Problem: Malware in registry

Status
Not open for further replies.

Ventress

I've been able to delete malware that sends a command to load this program that msconfig blocks. I want to get rid of this program that appears in msconfig. According to msconfig, the program I want rid of resides in HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run. When I go there I can find one registry key that could be it, but when I try to delete it an error appears. I've tried to delete it in safe mode and I have tried to delete it as administrator, but even then I get an error. I have all the permissions that should allow me to delete that key. Anyone have any idea how to solve this problem?
 
I doubt the name will help but it's (Oletus). It's highly possible that this key is not the problem but there isn't anything else.
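The post above is about a value under the HKCU Run key that refuses to delete even from an elevated session. As an added example (editorial, not posted in the thread and not part of any tool mentioned in it), the PowerShell script below lists the Run/RunOnce values for the current user and for the machine, resolves the file each value launches, reports whether that file exists and is Authenticode-signed, and prints the key's owner and any Deny access-control entries, which is the usual reason a delete fails despite apparently sufficient permissions. One caveat for this thread: in Regedit's Finnish UI the unnamed default value of every key is labelled `(Oletus)`; the script shows it as `(default)` next to the named values. The helper name `Get-ExePath` and the output layout are my own choices; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: enumerate autostart values under the Run/RunOnce
# keys, check the executable each one launches, and show the ACL facts that explain a
# value that "cannot be deleted" (Deny ACE or changed owner on the key).
# Run from an elevated PowerShell prompt on Windows Vista or later.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent     or     C:\Tools\bar.exe -x
# (helper name is my own; environment variables like %ProgramFiles% are expanded first)
function Get-ExePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    Write-Output "`n== $key"
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/PSChildName/PSDrive/PSProvider; skip them.
        if ($prop.Name -like 'PS*') { continue }
        $value  = [string]$prop.Value
        $exe    = Get-ExePath $value
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        '{0,-32} exists={1,-5} sig={2,-12} {3}' -f $prop.Name, $exists, $sig, $value
    }

    # ACL facts: a Deny ACE for your own account/group, or an owner that is not
    # Administrators/SYSTEM/the user, is what typically blocks Regedit's delete.
    # Compare against a clean machine before changing permissions by hand.
    $acl = Get-Acl -Path $key
    Write-Output "owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            Write-Output ('DENY  {0}  {1}' -f $ace.IdentityReference, $ace.RegistryRights)
        }
    }
}
```

A value whose executable no longer exists (`exists=False`) is a dead entry and explains an msconfig warning about a blocked program that is not on disk; a value whose file exists but reports `sig=NotSigned` under a system directory is the one to hash and investigate before removing.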
 
Are you using P2P Torrent software?

I'm nearly positive that Combofix will remove that issue you are having
But again you need to run through the guide stated above, since it's all malware-related
 
Combofix definitely didn't help solve the problem; it caused one. After I had run Combofix the computer restarted but it couldn't load Windows anymore. Fortunately I had the installation CD so I was able to fix it. Combofix didn't find anything wrong with the registry either. Why is msconfig saying it blocked a program that doesn't exist from starting, then?
 
Here's a novel idea, not sure if you may have thought of it yet: post a log to let us see rather than wild guessing.
 
Ventress, I didn't ask you to run Combofix
We cannot ask users to run Combofix until we see the logs, the reason is that Combofix is a very critical software package that should only be run under the supervision of a Malware specialist, plus there are a few recommendations to do before running Combofix. Else you may corrupt Windows ;)

As stated to you, you should run through the GUIDE first
But your call ;) Do what you want to do, if you feel experienced enough :rolleyes:
But since you have Repaired Windows, who knows what may be corrupted now
ie After running through the GUIDE, you may need to run another Repair or System File Checker
A Repair will also lose all your Windows Security Updates since the time of the Setup files, ie What Service Pack are you on now?
 
I have service pack 2. I guess I have no choice but to run that whole list of damn things... How bothersome.
 
I have Service pack 2 on Vista home premium. I guess I have no choice but to run that long guide then. What logs should I post in here exactly?
 
Alright I ran the guide. Here are the logs.
 

Attachments:
  • hijackthis.log (7.7 KB)
  • mbam-log-2009-11-22 (14-18-26).txt (832 bytes)
FYI: you can set permissions of registry keys, but usually it's a good idea to let Windows manage that.
 
If you do not require the following 3 programs any longer, please uninstall them:
DAEMON Tools Lite
Spyware Doctor
SUPERAntiSpyware

Run IE Reset Fixit Tool:

Or manually from here https://www.techspot.com/vb/post682762-2.html
Then restart Internet Explorer

Please download and run TFC by Old Timer: http://oldtimer.geekstogo.com/TFC.exe
You may need to Restart during the cleaning process

Now you can run Combofix
  • Download Combofix to your desktop.
  • Double click ComboFix & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here, together with a fresh HJT log. But restart first before creating this log.
 
Do you know how I can get an English version of Combofix? When I download I automatically get a Finnish version so you might not understand much about the log.
 
Well, I found all these suspicious (likely malware) files in your Combofix log
c:\windows\system32\CF17004.exe
c:\windows\system32\admparse.dll
c:\windows\system32\perfh00B.dat
c:\windows\system32\perfc00B.dat
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
c:\windows\system32\BthMtpContextHandler.dll

And I noticed that you have had (or presently have) these programs installed
LinkGrabber
Panda Security
F-Secure Internet Security
DAEMON Tools Lite
Windows Defender
Stacks of Portable apps

If Panda Security is still installed please uninstall it as you already have F-Secure Internet Security

-------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\CF17004.exe
c:\windows\system32\admparse.dll
c:\windows\system32\perfh00B.dat
c:\windows\system32\perfc00B.dat
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
c:\windows\system32\BthMtpContextHandler.dll

Folder::


Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt; please attach this to your next reply.

-------------------------------------------------------------

But I'm thinking an online scan would be the best place to go at this point:
Please do an online scan with Kaspersky
Open >> Kaspersky Online Scanner in Internet Explorer
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.


Please provide the log from this scan as well
 
Well msconfig doesn't report blocking anything anymore. When I go to msconfig the same program is still found there but I've unchecked it so it won't run.
 
Please run CCleaner to remove any temp files
Then run TFC.exe to remove more temp files (restart may be required)

Then run CCleaner again, but this time click on the "Registry" button, and do a scan and fix all issues (no backup required)
You may need to run this multiple times until all errors are uncovered and fixed

Then Restart

Then run a scan only with HJT and attach the log to a new reply



Edit:

Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

Go to Start -> Run, type cmd and click OK.
Copy and paste the following lines one by one in the open command window and press Enter after each line:

cd\ & c:\mbr.exe -t
c:\mbr.log


A log file (c:\mbr.log) will open. Post the contents of it to your reply.

--------------------

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.
    • You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
      Use your up arrow key to highlight SafeMode then hit enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
    • System Memory
    • Startup Objects
    • Disk Boot Sectors.
    • My Computer.
    • Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.
  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus/malware from the report (it will be at the very top under Detected) in your next reply.

  • Note: This tool will self uninstall when you close it so please save the log before closing it.
 
Did you run IE Reset, (as requested) 2 days ago? (^^ up there)
Because many entries look to be individualized in your log
You may want to do it again, with IE closed

You can also open HJT scan only, and fix the following 3 entries:
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
Then re-open Internet Explorer and run through the standard initial configurations by MS

My biggest concern is this:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x856ED1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x856ed1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
But Kaspersky online scanner detected nothing
We can just as easily copy another Atapi.sys from another computer, but do you have another computer running Windows Vista?
If so, here is the command to copy Atapi.sys to your USB Flash Drive, from the other computer (please substitute F for your Flash drive drive letter)
cmd /c copy C:\WINDOWS\system32\drivers\atapi.sys F:\ >log.txt&log.txt
You will get notified: "1 file(s) copied"
We can then copy this new file to your C:\, overwriting the old one
But, do you have another computer to do this in the first place?

Please run the following command, on the possible still infected computer:
cmd /c dir /a c:\atapi.sys >log.txt&log.txt
A text file opens, please post the content.
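Two posts above ask the same underlying question: are the files named in the ComboFix log, and the atapi.sys driver the MBR scan pointed at, what they appear to be on disk? As an added example (editorial, not from the thread and not from ComboFix, GMER or Kaspersky), the PowerShell script below triages that file list without deleting anything: for each path it reports existence (hidden/system files included), size, last-write time, SHA-256 and Authenticode signature status, and optionally compares atapi.sys against a hash taken from a clean machine with the same Windows version and service pack. The path list is copied from the thread, the reference hash is a labelled placeholder, and the helper name `Get-FileTriage` is my own. `Get-FileHash` needs PowerShell 4 or later; on Windows 10 with PowerShell 5.1 or later `Get-AuthenticodeSignature` also consults the catalog store, so Windows files signed only via a catalog do not show as `NotSigned`.

```powershell
# Added example, not from the thread: triage the files named in the ComboFix log and the
# driver the MBR scan reported, deleting nothing. A Windows component that reports
# SigStatus=Valid with a Microsoft signer is rarely the right thing to remove; an unsigned
# or HashMismatch file under system32 deserves the closer look.
# Run from an elevated PowerShell prompt on the machine being examined (PowerShell 4+).

$paths = @(
    'c:\windows\system32\CF17004.exe',
    'c:\windows\system32\admparse.dll',
    'c:\windows\system32\perfh00B.dat',
    'c:\windows\system32\perfc00B.dat',
    'c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf',
    'c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf',
    'c:\windows\system32\BthMtpContextHandler.dll',
    'c:\windows\system32\drivers\atapi.sys',   # driver named in the MBR scan output
    'c:\atapi.sys'                             # path queried by the "dir /a" command
)

# Helper name is my own. Returns one object per path with the facts worth comparing.
function Get-FileTriage([string]$Path) {
    $info = [ordered]@{
        Path = $Path; Exists = $false; Hidden = $false; Size = $null
        LastWrite = $null; Sha256 = $null; SigStatus = 'n/a'; Signer = $null
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return [pscustomobject]$info }

    $f = Get-Item -LiteralPath $Path -Force        # -Force so hidden/system files are returned
    $info.Exists    = $true
    $info.Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
    $info.Size      = $f.Length
    $info.LastWrite = $f.LastWriteTime
    $info.Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $info.SigStatus = $sig.Status
    if ($sig.SignerCertificate) { $info.Signer = $sig.SignerCertificate.Subject }
    return [pscustomobject]$info
}

$results = $paths | ForEach-Object { Get-FileTriage $_ }
$results | Format-Table Path, Exists, Hidden, Size, LastWrite, SigStatus, Signer -AutoSize

# Optional: compare the on-disk atapi.sys with a SHA-256 taken on a known-clean machine
# running the same Windows version and service pack. PLACEHOLDER value; replace it.
$knownGoodAtapiSha256 = 'REPLACE-WITH-SHA256-FROM-CLEAN-MACHINE'
$atapi = $results | Where-Object { $_.Path -like '*\drivers\atapi.sys' }
if ($atapi.Exists -and $knownGoodAtapiSha256 -ne 'REPLACE-WITH-SHA256-FROM-CLEAN-MACHINE') {
    if ($atapi.Sha256 -eq $knownGoodAtapiSha256) {
        Write-Output 'atapi.sys matches the clean reference'
    } else {
        Write-Output 'atapi.sys DIFFERS from the clean reference: treat as suspect'
    }
}
```

A file hash only tells you whether the on-disk driver has been replaced; it says nothing about the in-memory hook the MBR scan reported (the `UNKNOWN [0x856ED1F8]` entry under `\Driver\atapi`), which is why the thread combines the file check with a boot-sector tool and, in the end, `bootrec /FixMbr`. Hash and signature results from this script are the evidence to keep from the infected machine before any cleanup.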
 
I reset IE again and fixed the 3 entries. I don't have another computer with Vista. Am I supposed to write cmd /c dir /a c:\atapi.sys >log.txt&log.txt in the command prompt? If I am then the file is not found.
 
Let's just go with "fixmbr" for Vista ;) (this will not upset your files, but it's always best to backup first)
  1. Boot from your Vista Disc
  2. Select "Repair your computer"
  3. Choose "Command prompt"
  4. Type in: bootrec /FixMbr and then press Enter
Once completed then type Exit, and Restart

Run another Combofix, and provide the log as an Attachment
 
That looks better :grinthumb

The fault before, actually (I believe) came from DAEMON Tools Lite
All seems ok now, but if you do not use this program any longer, please uninstall it.

Can I ask why you use "F-Secure" Antivirus?
It is not one of the big players in the world (although it has been around for years). I don't feel that it has protected you this time.
If "F-Secure" Antivirus is nearing the end of its subscription (paid service) I would suggest uninstalling it, and updating to a better (IMO) Antivirus, such as the one I use (and have used for a long time), Free Avira Antivirus (oh and it's free ;))

Un-install Combofix
  • Click START, then RUN
  • Now type Combofix /uninstall in the runbox and click OK
  • Any popup errors about Antivirus just ok or close
Note: 1 space after ComboFix in that uninstall command


Remove old System Restore Points

  • Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
  • In the left pane, click System protection. Administrator permission required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Under Protection Settings, click the disk, and then click Configure.
  • Click Turn off system protection, click OK, and then click OK again.
Then turn it back on again.


Restart, and let me know how it's performing
 