Problems with Msconfig, Regedit, Hijack This

Hullo! :)

My problem seems quite a common one; whenever I try and run Msconfig, Regedit or HijackThis, they close after a few seconds. Whenever I type HijackThis into Firefox, this also shuts the page down. I don’t, however, have any problem with Task Manager (I’ve read a lot of posts with this sort of problem, where this also shuts down). I was hoping you guys could help (please!)

System Specs…

Laptop: Toshiba Equium A110-233 (about ten months old)
Processor: Intel Centrino Mobile Technology
Memory: 512MB / DDR2 RAM / 533 MHz
Running: Windows XP Home Edition (Legit)

What I’ve Tried/Am Running So Far…

Trend Micro Housecall & Kaspersky Online Scanners
Norton Internet Security 2006 (I know, I know ;) )
Spybot Search & Destroy
Ad-Aware SE Personal
IObit SmartDefrag
CCleaner

(all up-to-date and having been run within the last few hours, or running constantly, like Norton)

I rebooted in safe mode and ran HijackThis, and attached the log to this thread (I hope this worked hehe). Anything else you need to know, just say.

Thank-yoooooou!

Hope
x
 
host file (\windows\system32\drivers\etc\host) is contaminated to prevent valid site access!
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com

suggest you delete all entries and then add only
127.0.0.1 localhost

mark the file READ-ONLY!


then flush your dnsclient run->ipconfig /flushdns
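
The check described in the post above, as an added example that is not part of the original post or the thread: a small Python audit that reads either raw hosts-file lines or HijackThis `O1 - Hosts:` lines and reports every mapping other than the stock `127.0.0.1 localhost` entry. The function names, the sample text and the threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a hosts file in the state the log above describes,
# reusing a few hostnames from the thread plus the one legitimate line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
1.1.1.1 housecall.trendmicro.com
1.1.1.1 www.merijn.org   # trailing comment
1.1.1.1 www.sysinternals.com sysinternals.com
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts lines or HijackThis O1 lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith("O1 - Hosts:"):        # HijackThis log prefix
            line = line[len("O1 - Hosts:"):].strip()
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        for name in fields[1:]:                   # one line may carry aliases
            yield addr, name.lower()

def audit_hosts(text):
    """Return {address: [hostnames]} for every entry except loopback localhost."""
    findings = defaultdict(list)
    for addr, name in parse_hosts(text):
        if addr.is_loopback and name == "localhost":
            continue
        findings[str(addr)].append(name)
    return dict(findings)

def looks_like_blocklist(findings, threshold=3):
    """Heuristic (assumption): several names forced onto one address."""
    return [a for a, names in findings.items() if len(names) >= threshold]

if __name__ == "__main__":
    found = audit_hosts(SAMPLE_HOSTS)
    for address in looks_like_blocklist(found):
        print(address, "<-", ", ".join(found[address]))
```

A clean file in the state the post recommends returns an empty result from `audit_hosts`.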
 
Hi _beaks_ and welcome to techspot. =)

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Alcmtr

Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

ALCMTR.EXE

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

F3 - REG:win.ini: load=C:\WINDOWS\system32\emqjofo\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\emqjofo\winlogon.exe
Fix all O1 entries as suggested by jobeard.
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - Global Startup: LaunchU3.exe.lnk = ?

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\ALCMTR.EXE

Flush your DNS client like jobeard suggested.

Reboot into normal mode and rehide your protected OS files.

Next, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs; otherwise they will be ignored and/or removed.

Also, please let me know the results of the AVG Antirootkit scan.


Regards,
Your friendly momok =)

This thread is for the use of _beaks_ only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thank-you so much!! I'll get all this done tomorrow and then post the results asap. You guys are computer geniuses :)

(( Edit: Sorry for the delay, haven't been able to get onto my laptop in the past few days. Nearly finished the steps ))
 
No problem, no hurries. Just be sure to complete the steps correctly and post the 3 required logs as well as the results of the anti-rootkit scan.

Regards,
Your friendly momok =)

 
Hullo!!

Reet...got all that done, and hopefully in the right way hehe.
I've posted the three logs...the AVG Spyware one is from the 25th as it picked up something then, and the one I did today didn't show anything. AVG Anti-Rootkit didn't find any rootkits either.
I was hoping you could check over the HJ log and see if there's anything left to clear up?

Thank-you for all of your help in sorting this, I can now run msconfig and regedit without problem :giddy:
 
Hi,

I noticed that you do not run any firewall on your system. That is not recommended since it is the first layer of protection against external online threats. Here are some recommended ones and links to them.

For firewalls please use one and only one. Using more than one is not recommended as it will hog your system resources.
Zonealarm
Kerio
Comodo

Your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

 
I've had this type of problem with a few customers. What I did was go into MSCONFIG and deselect unnecessary/useless services and startup programs. What probably has happened is that some spyware has corrupted a service or startup background program. Even though you remove the spyware, the corruption it caused remains. If you're lucky, it's in a service or program you don't need and by deselecting it, the problem disappears.
 