Windows 7: msconfig.exe trojan?

plout · 07 Jul 2010

Hello guys,i use malwarebytes to scan my laptop and everytime lately finds the same problems which deletes but reappear.
Here are the results:

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4288

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

08/07/2010 03:26:02
mbam-log-2010-07-08 (03-26-02).txt

Scan type: Quick scan
Objects scanned: 126992
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\mina\AppData\Roaming\msconfig\msconfig.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mina\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Users\mina\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\mina\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Delete on reboot.

i typed msconfig the first time and appeared:
Yes HKCU:Run BrowserChoice "C:\Windows\System32\browserchoice.exe" /run

Yes HKLM:Run IAStorIcon C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
Yes HKLM:Run ISBMgr.exe "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
Yes HKLM:Run McENUI C:\PROGRA~2\McAfee\MHN\McENUI.exe /hide
Yes HKLM:Run NortonOnlineBackupReminder "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
Yes HKLM:Run PMBVolumeWatcher C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
Yes HKLM:Run MarketingTools C:\Program Files (x86)\Sony\Marketing Tools\MarketingTools.exe
Yes HKLM:Run mcagent_exe "C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe" /runkey
Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Yes HKLM:Run Adobe ARM "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run SunJavaUpdateSched "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Yes HKLM:Run Malwarebytes Anti-Malware (reboot) "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
Yes HKLM:Run IgfxTray C:\Windows\system32\igfxtray.exe
Yes HKLM:Run HotKeysCmds C:\Windows\system32\hkcmd.exe
Yes HKLM:Run Persistence C:\Windows\system32\igfxpers.exe
Yes HKLM:Run RtHDVCpl C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
Yes HKLM:Run Apoint %ProgramFiles%\Apoint\Apoint.exe
Yes Startup Common Bluetooth.lnk C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe

plus another HKCU(which i try to unclick at the startup) where it said No next to it but i can't find it anymore.It was

somekind of msconfig.exe facebook hack..a programm like that

and i also deleted a file folder :msconfig,size:432KB and origin:Roaming

Any suggestions?
Tha antivirus can't find anything.

zigzag3143 · 09 Jul 2010

Quote: Originally Posted by plout

Hello guys,i use malwarebytes to scan my laptop and everytime lately finds the same problems which deletes but reappear.
Here are the results:

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4288

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

08/07/2010 03:26:02
mbam-log-2010-07-08 (03-26-02).txt

Scan type: Quick scan
Objects scanned: 126992
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\mina\AppData\Roaming\msconfig\msconfig.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mina\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Users\mina\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\mina\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Delete on reboot.

i typed msconfig the first time and appeared:
Yes HKCU:Run BrowserChoice "C:\Windows\System32\browserchoice.exe" /run

Yes HKLM:Run IAStorIcon C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
Yes HKLM:Run ISBMgr.exe "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
Yes HKLM:Run McENUI C:\PROGRA~2\McAfee\MHN\McENUI.exe /hide
Yes HKLM:Run NortonOnlineBackupReminder "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
Yes HKLM:Run PMBVolumeWatcher C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
Yes HKLM:Run MarketingTools C:\Program Files (x86)\Sony\Marketing Tools\MarketingTools.exe
Yes HKLM:Run mcagent_exe "C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe" /runkey
Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Yes HKLM:Run Adobe ARM "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run SunJavaUpdateSched "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Yes HKLM:Run Malwarebytes Anti-Malware (reboot) "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
Yes HKLM:Run IgfxTray C:\Windows\system32\igfxtray.exe
Yes HKLM:Run HotKeysCmds C:\Windows\system32\hkcmd.exe
Yes HKLM:Run Persistence C:\Windows\system32\igfxpers.exe
Yes HKLM:Run RtHDVCpl C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
Yes HKLM:Run Apoint %ProgramFiles%\Apoint\Apoint.exe
Yes Startup Common Bluetooth.lnk C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe

plus another HKCU(which i try to unclick at the startup) where it said No next to it but i can't find it anymore.It was

somekind of msconfig.exe facebook hack..a programm like that

and i also deleted a file folder :msconfig,size:432KB and origin:Roaming

Any suggestions?
Tha antivirus can't find anything.

I am afraid this isnt going to be much help, but anytime I get anything that even remotely smells like a virus, I do a clean install. It is the only way to be sure it is gone.

Ken

Dinesh · 09 Jul 2010

Scan your computer with Hitman Pro.
Download link: Downloads - SurfRight

plout · 09 Jul 2010

Quote: Originally Posted by Dinesh

Scan your computer with Hitman Pro.
Download link: Downloads - SurfRight

thank you for this program

here are the results:

BODY{font:x-small 'Verdana';margin-right:1.5em} .c{cursor:hand} .b{color:red;font-family:'Courier New';font-weight:bold;text-decoration:none} .e{margin-left:1em;text-indent:-1em;margin-right:1em} .k{margin-left:1em;text-indent:-1em;margin-right:1em} .t{color:#990000} .xt{color:#990099} .ns{color:red} .dt{color:green} .m{color:blue} .tx{font-weight:bold} .db{text-indent:0px;margin-left:1em;margin-top:0px;margin-bottom:0px;padding-left:.3em;border-left:1px solid #CCCCCC;font:small Courier} .di{font:small Courier} .d{color:blue} .pi{color:blue} .cb{text-indent:0px;margin-left:1em;margin-top:0px;margin-bottom:0px;padding-left:.3em;font:small Courier;color:#888888} .ci{font:small Courier;color:#888888} PRE{margin:0px;display:inline} - <Log computer="MINA-VAIO" scan="Normal" version="3.5.6.106" date="2010-07-09T21:58:29" timeSpentInSecs="108" filesProcessed="12926">
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Users\mina\AppData\Roaming\Microsoft\Windows\Cookies\mina@atdmt[2].txt" />

</Item>

- <Item type="Malware" malwareName="Trojan" score="112.0" status="Deleted">
- <Scanners>
<Scanner id="G Data" name="Trojan.Generic.4129350 (Engine-A)" />

<Scanner id="Prevx" name="High Risk System Back Door" />

<Scanner id="DrWeb" name="BackDoor.IRC.Bot.370" />

</Scanners>

<File path="C:\Users\mina\AppData\Roaming\msconfig\msconfig.exe" hash="9EC272C13474DA8AAE34CE3A6AF003FB4E7E515689D05F26F5C6F27161CE169D" />

- <Startup>
<Key path="HKU\S-1-5-21-2082827157-3937510034-990673929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU" />

</Startup>

</Item>

</Log>

it's a trojan.I'll restart the pc to see if it's gone.

plout · 09 Jul 2010

Excellent!Malwarebytes doesn't find it anymore

Allthough found these,but i don't know if it's the new programm installed

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4288

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

09/07/2010 22:14:45
mbam-log-2010-07-09 (22-14-45).txt

Scan type: Quick scan
Objects scanned: 126886
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\mina\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Users\mina\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\mina\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.

Dinesh · 09 Jul 2010

The virus is deleted.

Windows 7: msconfig.exe trojan?

msconfig.exe trojan? problems?