Re: Msconfig won't stay running...
From: Malke (malke_at_nospoonnotreally.com)
Date: 05/07/04
- In reply to: *Vanguard*: "Re: Msconfig won't stay running..."
- Next in thread: L. A. Powell: "Re: Msconfig won't stay running..."
Date: Fri, 07 May 2004 13:47:52 -0700
*Vanguard* wrote:
> L. A. Powell said in news:OQ7fntFNEHA.3520@tk2msftngp13.phx.gbl:
>> Thanks to "Vanguard" and BC. I ran a virus scan using latest
>> definitions with AVG, had online scan from Trend Micro, ran Spybot
>> S&D, Lavasoft Ad-Aware already. Nothing, nada, zilch, zip!
>
> Check the Event Viewer to see if there are any errors at the time you
> run msconfig. Rather than bother hunting back to the last incidence,
> just run msconfig again, it dies, and check the logs immediately
> afterward.
>
> Run CWShredder. If you already have a copy, be sure to run its update
> check to ensure you are using the latest version of its .exe file.
> Presumably you also did an update check for Ad-Aware and Spybot before
> running them.
>
> Run HijackThis and post the log here. Maybe someone can catch
> something suspicious in one of the probable infection targets. Also,
> HijackThis does not list the following key which is a new tactic
> employed by spyware to attach itself to logon/logoff/shutdown events:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
>
> Open regedit, export this key to a .reg file, but do NOT attach it to
> your post (I *never* open attachments in newsgroups). Instead,
> right-click on it and edit it, then copy and paste its contents into
> your post. This registry key isn't listed by HijackThis, I've just
> read about exploits using it, and have submitted a request to its
> author to include it. I think a "Guardian" named key or data item got
> added under here.
>
> If we still don't find anything, could be files were corrupted and you
> might then try booting using the Windows XP install CD to run a Repair
> which will copy files from the CD to overwrite them on your hard drive
> (which means you will have to follow up with a run at Windows Update
> to get all the files updated again). But that is rather drastic so
> don't do that yet.

You've gotten good advice so far, but you should know that not all
antivirus programs will find variants of the Gaobot worm. Up until this
morning, it was reported that AVG, F-Prot, and TrendMicro did *not*
find a file that was known to be infected with Gaobot. So a) you should
update all virus definitions and scan again; b) check all your hosts
files for any entries that are *not* 127.0.0.1 localhost. If you need
help in finding the hosts files and how to work with them, please
repost.
Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
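
The hosts-file check suggested in point (b) above, as an added example that is not part of the original post: a Python script that lists every active hosts entry other than a loopback address mapped to localhost. The function name `audit_hosts` and the sample file contents are constructed for illustration; pass the paths of the hosts files you want checked as arguments.

```python
import ipaddress
import sys

# Constructed sample for illustration; not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example   # constructed entry
203.0.113.10    www.bank.example login.bank.example
::1             localhost
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every active mapping
    that is not a loopback address mapped to 'localhost'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            findings.append((line_no, addr, " ".join(names), "unparseable address"))
            continue
        if not names:
            findings.append((line_no, addr, "", "address without hostname"))
            continue
        for name in names:  # one line may map several names
            if loopback and name.lower() == "localhost":
                continue  # the only entry the advice treats as expected
            reason = ("name pinned to loopback (site becomes unreachable)"
                      if loopback else "name redirected to another address")
            findings.append((line_no, addr, name, reason))
    return findings

if __name__ == "__main__":
    # No arguments: audit the constructed sample above.
    sources = sys.argv[1:] or [None]
    for path in sources:
        if path:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        else:
            text = SAMPLE_HOSTS
        for line_no, addr, name, reason in audit_hosts(text):
            print(f"{path or 'sample'}:{line_no}: {addr} -> {name or '(none)'}: {reason}")
```
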