
Thread: Startup Problem...

  1. #1
    LilAznAccommodator
    Dunno, all of a sudden I have this new program that boots up on my StartUp...
    It is called: msc0nfig.jpg (the 0 is a Zero not an o)...

    And I did a search of this in Search and found nothing... More or less with the program I use to customize my StartUp, it gives me the location of it and location in registry... Strange thing about that... I can't seem to locate the file in either place even when I unhide all my files...

    I haven't done a virus check as I currently don't have one right now, but I heard there is one by some name of Panda something... Which you don't really have to download the program...

    But anyway... I'm not sure if anyone happens to know what the problem is... so I just thought I would post this and see if anyone does have any clue on it.

    ---Thanks


    ---Forgot to mention that what this thing does is... Whenever I boot up my computer, my Microsoft Photo Editor starts up and displays an error saying it can't locate msc0nfig.jpg, and it does that twice after I click OK and that is it... Although I don't think it really does anything else... it is annoying having to click OK several times every boot up.

  2. Software & Hardware   -   #2
    hi,

    download hijack this, and save a log, copy & paste the contents here.
    Code:
    http://www.net-integration.net/tools/hijackthis.html
    as for the virus scan, these 2 are the ones i would recommend:

    (you just download the virus database)

    Code:
    http://housecall.trendmicro.com/housecall/start_corp.asp  -or-
    http://www3.ca.com/virusinfo/virusscan.aspx

  3. Software & Hardware   -   #3
    LilAznAccommodator
    I am new to that program so I do hope I did the right thing:



    Logfile of HijackThis v1.98.1
    Scan saved at 10:12:49 PM, on 8/6/2004
    Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\TweakNow PowerPack\RAM_XP.exe
    C:\Program Files\ProfileAMP\Profile8.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Chris La\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msc0nfig.jpe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\TweakNow PowerPack\RAM_XP.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [mediadriver{5}] msc0nfig.jpe
    O4 - HKCU\..\Run: [ProfileAMP] C:\Program Files\ProfileAMP\Profile8
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1090634628687
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

  4. Software & Hardware   -   #4
    hi,

    rescan with hijack this and check these:
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msc0nfig.jpe,

    O4 - HKLM\..\Run: [mediadriver{5}] msc0nfig.jpe

    this one is optional. it is not needed at startup and takes resources at every boot.
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

    close all browser windows and hit fix checked.

    reboot into safe mode (hit f8 during startup) and delete this file:

    msc0nfig.jpe

    reboot back into normal mode and post a new log.
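
Added example, not part of any post in this thread: a small Python triage of the two HijackThis line types picked out above (F2 UserInit and O4 Run), run over lines copied from the first log. The extension list, the list of known tool names and the digit look-alike rule are assumptions made for the illustration.

```python
import ntpath
import re

# Lines copied from the first HijackThis log posted in this thread.
LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msc0nfig.jpe,
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mediadriver{5}] msc0nfig.jpe
O4 - HKCU\..\Run: [ProfileAMP] C:\Program Files\ProfileAMP\Profile8
"""

# Assumptions for this example, not an authoritative list.
PROGRAM_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
KNOWN_TOOLS = {"msconfig", "userinit", "explorer", "svchost"}
DIGIT_SWAPS = str.maketrans("01", "ol")  # zero for o, one for l

def name_findings(target):
    """Return reasons why an autostart target's file name looks wrong."""
    stem, ext = ntpath.splitext(ntpath.basename(target).lower())
    reasons = []
    if "\\" not in target and ext not in PROGRAM_EXTS:
        reasons.append(f"bare name with non-program extension {ext!r}")
    plain = stem.translate(DIGIT_SWAPS)
    if plain != stem and plain in KNOWN_TOOLS:
        reasons.append(f"look-alike of {plain}")
    return reasons

def review(log):
    """Return (location, target, reasons) for suspicious F2/O4 lines."""
    findings = []
    for line in log.splitlines():
        m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line)
        if m:
            # Winlogon starts every comma-separated program in Userinit.
            for entry in (e.strip() for e in m.group(1).split(",")):
                if entry and ntpath.basename(entry).lower() != "userinit.exe":
                    why = ["extra program chained after userinit.exe"]
                    findings.append(("F2 UserInit", entry, why + name_findings(entry)))
            continue
        m = re.match(r"O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.+)", line)
        if m:
            cmd = m.group(3)
            # First token only: enough to tell a bare name from a full path.
            target = cmd[1:].split('"')[0] if cmd.startswith('"') else cmd.split()[0]
            why = name_findings(target)
            if why:
                findings.append((f"O4 {m.group(1)} Run [{m.group(2)}]", target, why))
    return findings

if __name__ == "__main__":
    for location, target, why in review(LOG):
        print(f"{location}: {target} -> {'; '.join(why)}")
```

Only the two msc0nfig.jpe entries are reported; the other Run entries in the sample pass because they are full paths or bare names with a program extension.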

  5. Software & Hardware   -   #5
    LilAznAccommodator
    I'm not sure what you mean on the SafeMode part, could you expand on that? Anyway here is the new log:


    Logfile of HijackThis v1.98.1
    Scan saved at 6:28:16 AM, on 8/7/2004
    Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\SYSTEM32\Userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\TweakNow PowerPack\RAM_XP.exe
    C:\Program Files\ProfileAMP\Profile8.exe
    C:\Documents and Settings\Chris La\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\TweakNow PowerPack\RAM_XP.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ProfileAMP] C:\Program Files\ProfileAMP\Profile8
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1090634628687
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

  6. Software & Hardware   -   #6
    You got a worm, dude. The W32.Yaha.K@mm worm to be exact.
    Go here for the info. There's also a removal tool on the same page.
    Get an anti-virus program mucho fast. I recommend Avast but AVG is also good and both have free versions. But use the online scanners after you use the removal tool. That's to find any more you may have. Just go to Google and drop the virus name into the search box for some more info and tools, then get some anti-virus software, update it, and do a scan. Update it at least twice a week (I update every time I get on the web, though most of the time no new update is available) and scan at least weekly. Scan more often if you do a lot of downloads in general and filesharing (P2P) in particular.

    Sorry for the bad news but at least now you know. Good luck.
    Later,
    BoNe

    Liberal: Lib er al Someone who's mind is so open their brains fell out.
    Real cars don't make horsepower at the front wheels, they lift them.
    Lead, follow or get yer ass run over!

  7. Software & Hardware   -   #7
    here's more information on safe mode.

    Code:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    hitting the f8 key during startup is just a shortcut to getting there.

    i agree, you should really consider getting an antivirus program and a firewall.

    sygate and zone alarm both have free versions for personal use.

    your follow up log looks fine, but you should try to delete the offending file.

  8. Software & Hardware   -   #8
    Originally posted by longboneslinger@7 August 2004 - 08:44
    You got a worm, dude. The W32.Yaha.K@mm worm to be exact.
    What leads you to think that?

  9. Software & Hardware   -   #9
    do an online virus scan at Housecall and remove the virus.

  10. Software & Hardware   -   #10
    What leads you to think that?
    Did a Google search and then checked out the links. One was to Symantec's Security site. Check the link I gave. The page also has a removal tool.

    An online scan is always a good idea when a virus is suspected. Since there are so many names used for each virus it may come up as something else and may actually be something else. For example I've seen viruses listed under one name at AVG but another at Symantec. Can't remember the exact one, but it was the reason I dropped AVG for Avast. AVG misnamed it and it took me a while to find and then kill the booger. AVG was helpless. I also remember it being a virus that was over a year old. Shoulda been an easy kill for AVG, Avast found and nuked it no sweat.

    At any rate, here's the quote:
    WinServices.worm

    Overview
    WinServices.worm is a mass mailing worm dropping its files in %SystemDir%. You can find more information at Symantec and TrendMicro.

    Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    Classification
    Worm

    Files
    WinServices.exe, msc0nfig.jpe, netconfig{5}.xtr

    Log references
    Log 442

    Privacy policy
    No privacy policy available.

    Detection
    Bazooka Adware and Spyware Scanner detects WinServices.worm. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms, etc. Read more »

    Manual removal
    Please follow the instructions below if you would like to remove WinServices.worm manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If WinServices.worm remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
    1. Start your computer in safe mode.
    2. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
    3. Browse to the key:
       'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
    4. In the right pane, delete the value called 'WinServices', if it exists.
    5. Browse to the key:
       'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
    6. In the right pane, delete the value called 'WinServices', if it exists.
    7. Exit the registry editor.
    8. Start Windows Explorer and delete:
       %SystemDir%\WinServices.exe
       %SystemDir%\msc0nfig.jpe
       %SystemDir%\netconfig{5}.xtr
    Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    Here's the link from Google:
    msc0nfig

    Here's the link to WinServices, it also has links to Symantec among others. As I said, the Symantec link at the top right of the page has a link for a removal tool.
    Virus info

    Good luck again,
    BoNe

