Yellowhammer
725 Posts
0
December 25th, 2003 18:00
ChrisRLG
3.9K Posts
0
December 26th, 2003 19:00
If Symantec's instructions do not work (they should), try this:-
----------------
Failing those solving your problems, post a HijackThis log for the experts to advise.
HijackThis From Here
Download, run, scan, save log, then in notepad copy the FULL log by copy and paste to a post in one of these specialist spyware removal forums:-
You should post your log as a reply to this post and an expert with HijackThis knowledge will have a go at giving advice. Please note the list of experts' names below; very few forum regulars here have had this training.
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.
ChrisRLG
therock247uk
TomCoyote (of http://tomcoyote.org/forums/index.php fame above)
irelynmisses
YoKenny
baskar1234
You could also go to one of the more specialist forums where more experts will be able to help.
http://tomcoyote.org/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi
http://boards.cexx.org/index.php
Do read the site's FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.
I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to answer your log, but other experts will also be available.
jase125
6 Posts
0
December 27th, 2003 11:00
The file or the registry could not be deleted so have tried the hijackthis download...
Logfile of HijackThis v1.97.7
Scan saved at 12:51:31, on 27/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bad-url.com/autosearch.php?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bad-url.com/autosearch.php?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dial.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=240
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://bad-url.com/autosearch.php?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://bad-url.com/autosearch.php?
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1071692004390
O17 - HKLM\System\CCS\Services\Tcpip\..\{81D6437D-B48D-421E-9443-4B101CF46DAE}: NameServer = 193.38.113.3 194.117.157.4
ChrisRLG
3.9K Posts
0
December 27th, 2003 14:00
Before doing any of the following, please move HijackThis to its own folder (say c:\hjt), not in the temp folders area. Backups of the removed items will be kept in that new folder and I would not like them deleted by accident.
Then in hijackthis, tick the following, AND WITH ALL OTHER WINDOWS CLOSED, fix ticked.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bad-url.com/autosearch.php?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bad-url.com/autosearch.php?
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=240
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://bad-url.com/autosearch.php?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://bad-url.com/autosearch.php?
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
If you have a laptop and use it at hotels or from work where digital phone lines will be used leave this line, else tick to remove.
O4 - Global Startup: Digital Line Detect.lnk = ?
Below is the data for these network addresses, which, if not your ISP's DNS servers etc. (you should have some info from them), should be ticked in HijackThis.
DO NOT TICK IF CONNECTED TO YOUR ISP IN ANY WAY or you may not get back on the net after you remove that line :-
O17 - HKLM\System\CCS\Services\Tcpip\..\{81D6437D-B48D-421E-9443-4B101CF46DAE}: NameServer = 193.38.113.3 194.117.157.4
---------------
12/27/03 16:24:22 IP block 193.38.113.3
Trying 193.38.113.3 at ARIN
Trying 193.38.113 at ARIN
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
---------------
Reboot to safe mode, and delete this file :-
C:\WINDOWS\svchost.exe
Please note ONLY the file by that name, at that location, NOT the file by the same name at c:\windows\system32\svchost.exe which is the MS file.
Then reboot and post a fresh log for me to check.
stiffeye
3 Posts
0
December 27th, 2003 15:00
Hi,
I also have the Trojan Bookmarker and it will NOT LEAVE....
I have tried all of the Symantec suggestions, have run Ad-Aware's program and Spybot Search and Destroy but it is still there!
In fact, I even spent about 4 hours on the phone and $70 with a security advisor from Symantec yesterday but we could not remove this thing...
I guess I am lucky that the thing isn't more harmful but it sure is a frustrating little pr#$k! Any help from anyone out there that KNOWS how to kill this? Thank you very much in advance!!!
ChrisRLG
3.9K Posts
0
December 27th, 2003 16:00
stiffeye,
Use these to remove Malware (Spyware and Adware).
1) SpyBot Search and Destroy
After installing SpyBot Search & Destroy, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
2) Get Ad-Aware
After installing Ad-Aware, and before running the program, first press "check for updates now".
Click "Connect" and install all updated components available. Click 'Finish'.
Press "Scan Now", then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Check all found items, and click 'next' once more.
It will ask you whether you'd like to remove all checked items. Click OK.
Always reboot the computer between each program - both of these may find things that they need a reboot of the machine to clear - please reboot and let them finish.
Failing those solving your problems, post a HijackThis log for the experts to advise.
HijackThis From Here
Download, run, scan, save log, then in Notepad copy the FULL log by copy and paste to a new message on this board, NOT AS A REPLY HERE PLEASE, and an expert with HijackThis knowledge will have a go at giving advice. Please note the list of experts' names below; very few forum regulars here have had this training.
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.
ChrisRLG
therock247uk
TomCoyote (of http://tomcoyote.org/forums/index.php )
YoKenny
baskar1234
You could also go to one of the more specialist forums where more experts will be able to help.
http://tomcoyote.org/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi
http://boards.cexx.org/index.php
Do read the site's FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.
I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to answer your log, but other experts will also be available.
jase125
6 Posts
0
December 27th, 2003 16:00
Hi ChrisRLG - have followed instructions, however there was only the system32\svchost.exe file on my system - the IP addresses are the server DNS and are OK...
Logfile of HijackThis v1.97.7
Scan saved at 18:36:49, on 27/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dial.blueyonder.co.uk/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1071692004390
ChrisRLG
3.9K Posts
0
December 27th, 2003 17:00
Stiffeye & everton carl,
Please post any logs in new messages, not as replies to this thread; it can get very confusing trying to answer more than one problem in a thread. Also please do not copy the instructions given here for yourself: each HijackThis answer is tailored to each log, and you could do harm to your computer. Post a log and someone will get to answering it.
-----------------------
jase125
You now look clean.
Also follow the link below to my site and install spywareblaster and spywareguard from the malware section. Also look at the link for 'how did I get infected in the first place'.
Also ie-spyad from http://www.staff.uiuc.edu/~ehowes/resource.htm
Those programs will help you stay clean.
everton carl
3 Posts
0
December 27th, 2003 17:00
Stiffeye,
I have a similar problem. I have the virus and the affected file is MSCONFD.DLL. However, I cannot delete this file as Symantec suggests I do. I suspect that this is because to do so would bugger up the operating system!
I am keen to hear if either you or Jase solve the problem. As you say, this trojan isn't damaging but it is really aggravating.
I will watch the forum with added interest.
Regards
An Everton FC (English soccer club) supporter in Illinois, USA
jase125
6 Posts
0
December 27th, 2003 18:00
Hi ChrisRLG
I have SpywareBlaster already, along with Ad-Aware, Spybot and a Sygate firewall, so not sure how the thing was downloaded onto the machine?
The virus is still there and I am still getting the messages "access to the file was denied - cannot delete file - unable to repair file" - stubborn so and so, this thing!!
Any more ideas?
ChrisRLG
3.9K Posts
0
December 27th, 2003 19:00
Variant 22: CWS.Msconfd - Finally using rundll32
Approx date first sighted: November 26, 2003
Symptoms: IE pages being changed to webcoolsearch.com, bogus error message about msconfd.dll at startup, pxxx bookmarks added to Favorites (some possibly childpxxx)
Cleverness: 7/10
Manual removal difficulty: Involves quite some Registry editing and deleting porn bookmarks
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://webcoolsearch.com/
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
Additional line from StartupList log:
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=msconfd.dll
This is the first variant to use a dll file together with the Windows rundll32 file. This makes it a little harder to find the culprit msconfd.dll, responsible for hijacking IE to webcoolsearch.com and adding 11 adult bookmarks to IE, of which 4 are possibly child pxxx sites.
Deleting the autorun entry, resetting IE, deleting msconfd.dll and the pxxx bookmarks fixes this hijack.
----------------------------------------------------------------
I would suggest running cwshredder from Here
That may clean up what your AV could not, also try starting in safe mode and deleting the file.
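The checks ChrisRLG applies to jase125's log above (the R1 search-page lines, an svchost.exe autorun outside System32, and O17 nameservers that must be confirmed with the ISP before removal), plus the identifying rundll32 RunServices line from the CWS.Msconfd entry, written up as a small log-triage script. This is an added example, not a tool from the thread; the sample log lines are constructed from the kinds of entries quoted here, and the trusted-host and ISP-DNS allowlists are assumptions the machine's owner would supply.

```python
"""Triage HijackThis log lines the way the replies on this thread do."""
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample: lines of the kinds quoted on this thread, not a full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bad-url.com/autosearch.php?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dial.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
O17 - HKLM\System\CCS\Services\Tcpip\..\{81D6437D-B48D-421E-9443-4B101CF46DAE}: NameServer = 193.38.113.3 194.117.157.4
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) =\s*(?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>.*?)\] (?P<cmd>.*)$")
O17_LINE = re.compile(r"^O17 - .*NameServer =\s*(?P<servers>.*)$")
SYSTEM32 = r"c:\windows\system32"   # where the genuine MS svchost.exe lives


def first_token(cmd):
    """Executable path from an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text, trusted_hosts, isp_dns):
    """Return (section, reason, line) findings; this only reports, it removes nothing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:   # IE start/search settings: flag hosts not on the owner's list
            value = m.group("value").strip()
            host = (urlparse(value).hostname or "").lower() if value else ""
            if host and host not in trusted_hosts:
                findings.append(("R", f"IE search/start setting points at {host}", line))
            continue
        m = O4_LINE.match(line)
        if m:   # autoruns: svchost.exe outside System32, rundll32 loading a DLL
            exe = first_token(m.group("cmd"))
            base = ntpath.basename(exe).lower()
            if base == "svchost.exe" and ntpath.dirname(exe).lower() != SYSTEM32:
                findings.append(("O4", f"svchost.exe autorun outside System32: {exe}", line))
            elif base == "rundll32.exe":
                args = m.group("cmd").strip().split(None, 1)
                dll = args[1].split(",")[0] if len(args) > 1 else "?"
                findings.append(("O4", f"rundll32 autorun loads DLL '{dll}'", line))
            continue
        m = O17_LINE.match(line)
        if m:   # nameservers: report any the ISP has not confirmed as theirs
            for ip in m.group("servers").split():
                if ip not in isp_dns:
                    findings.append(("O17", f"NameServer {ip} not confirmed as ISP DNS", line))
    return findings


if __name__ == "__main__":
    # With an empty ISP list the O17 servers are reported for the owner to check.
    for section, reason, line in triage(SAMPLE_LOG, {"dial.blueyonder.co.uk"}, set()):
        print(f"[{section}] {reason}\n    {line}")
```

As on the thread, the O17 entries are only a question to put to the ISP: jase125's turned out to be the real DNS servers, and the script drops them as soon as they are on the allowlist.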
ChrisRLG
3.9K Posts
0
December 27th, 2003 19:00
Where is the virus found? If in the System Restore area, you will need to turn that off, reboot and turn it back on to clear the old restore points. Then rescan with your AV.
If not, give the location of the files found.
jase125
6 Posts
0
December 27th, 2003 19:00
Hi, yes, have done that.
The file is found at C:\windows\system32\msconfd.dll - it's 4.50 KB (4,608 bytes) in size and 8.00 KB (8,192 bytes) size on disk, and an application extension.
This is the registry part that will not delete as instructed by Symantec:
If you are running Windows NT/2000/XP, navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
In the right pane, delete the value:
"AppInit_DLLs"="msconfd.dll"
And this is what the whole instructions were from the site:
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and delete all the files detected as Trojan.Bookmarker.
Delete the value that was added to the registry.
Reset the Internet Explorer Home page.
Reset the Internet Explorer Search page.
Remove the links in the Favorites folder.
YoKenny
363 Posts
0
December 27th, 2003 20:00
Added: The latest CWShredder has been updated so the following registry fix might NOT be necessary. Use the updated CWShredder and see if the infection is removed.
Added: This registry fix should not be used unless specifically asked to. It is a fix for a specific operating system on a specific hard drive. Open Notepad. Copy the following contents between the lines. Name the file rid.reg. Save as All Files in a place you know. Double click on rid.reg to enter it into the registry.
Then reboot. A total restart is required, not just a logoff and back on.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,\
77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,33,00,32,00,5c,00,6d,00,73,00,63,00,6f,00,6e,00,66,00,64,00,2e,00,\
64,00,6c,00,6c,00,00,00,00,00,00,00
Download then unzip and run CWShredder to clean up clicking Next to have it remove all it finds.
Check with HijackThis to see if it is gone now but post a log here to be sure.
http://www.merijn.org/files/cwshredder.zip
Read the links below to keep your system secure.
I recommend IE-SPYAD and SpywareBlaster available in the links.
Message Edited by YoKenny on 12-29-2003 08:27 PM
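What YoKenny's rid.reg actually does can be checked before it is applied: the hex(7) value is a REG_MULTI_SZ in UTF-16LE, and an empty target string following the source path tells the Session Manager to delete that file at boot, which is how a DLL that is in use (and so cannot be deleted from a running Windows) gets removed. This is an added example, not code from the thread; it decodes the posted value and rebuilds it from a plain path, keeping ControlSet001 as posted even though that is not always the control set a machine boots from.

```python
"""Decode and rebuild the PendingFileRenameOperations value from rid.reg."""
import re

# The .reg contents posted on this thread, embedded verbatim as the test input.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,\
77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,33,00,32,00,5c,00,6d,00,73,00,63,00,6f,00,6e,00,66,00,64,00,2e,00,\
64,00,6c,00,6c,00,00,00,00,00,00,00
"""

VALUE_NAME = "PendingFileRenameOperations"


def hex7_bytes(reg_text, value_name=VALUE_NAME):
    """Raw bytes of a hex(7) (REG_MULTI_SZ) value in .reg text.

    Regedit wraps long values with a trailing backslash, so join those lines first."""
    joined = reg_text.replace("\\\n", "")
    pattern = r'"%s"=hex\(7\):((?:[0-9a-fA-F]{2},?)+)' % re.escape(value_name)
    m = re.search(pattern, joined)
    if m is None:
        raise ValueError(f"{value_name} not found")
    return bytes(int(h, 16) for h in m.group(1).rstrip(",").split(","))


def decode_multi_sz(raw):
    """Split REG_MULTI_SZ bytes into strings.

    Layout: UTF-16LE, every string NUL-terminated, then one extra NUL ends the list."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or not text.endswith("\0\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    return text[:-1].split("\0")[:-1]


def pending_operations(strings):
    """Pair the strings as (source, action); an empty target means delete at boot."""
    if len(strings) % 2:
        raise ValueError("odd number of strings: a source without a target")
    return [(src, "delete" if dst == "" else f"rename to {dst}")
            for src, dst in zip(strings[0::2], strings[1::2])]


def build_delete_reg(win32_path, control_set="ControlSet001"):
    """Build .reg text that deletes `win32_path` at the next boot.

    The kernel sees the file as an NT path, hence the \\??\\ prefix. Caveat kept
    from the thread: the control set is specific to one installation."""
    strings = ["\\??\\" + win32_path, ""]
    payload = ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")
    hexed = ",".join(f"{b:02x}" for b in payload)
    key = f"HKEY_LOCAL_MACHINE\\SYSTEM\\{control_set}\\Control\\Session Manager"
    return (f"Windows Registry Editor Version 5.00\n\n[{key}]\n"
            f'"{VALUE_NAME}"=hex(7):{hexed}\n')


if __name__ == "__main__":
    for src, action in pending_operations(decode_multi_sz(hex7_bytes(REG_TEXT))):
        print(f"{action}: {src}")
```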
ChrisRLG
3.9K Posts
0
December 27th, 2003 20:00