cws.msconfig

Guest

Hi: I have followed all suggestions found on this site; however, it is still
hanging around. HijackThis, Toolbarcop and cws.shredder insist that this is
a problem and will delete it, but it soon shows up again. Here it is:
C:\WINDOWS\PCHealthHelpCtr\Binaries\MSConfig.exe\auto

How do I get rid of this thing that cws.shredder refers to as cws.msconfig?
Help, please.

swl
 
David H. Lipman

From: "SWL" <[email protected]>

| Hi: I have followed all suggestions found on this site; however, it is still
| hanging around. HijackThis, Toolbarcop and cws.shredder insist that this is
| a problem and will delete it, but it soon shows up again. Here it is:
| C:\WINDOWS\PCHealthHelpCtr\Binaries\MSConfig.exe\auto
|
| How do I get rid of this thing that cws.shredder refers to as cws.msconfig?
| Help, please.
|
| swl

It may be legitimate.

Is this correct? Is this the full syntax ..\MSConfig.exe\auto

C:\WINDOWS\PCHealthHelpCtr\Binaries\MSConfig.exe\auto

or is it...

C:\WINDOWS\PCHealthHelpCtr\Binaries\MSConfig.exe

If it is the latter, please submit a sample of "MSConfig.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
Juan

The cause is that the msconfig.exe file is infected. You need to delete it
by whatever means possible. Also do a search in the computer for the
msconfig file so no other copy is in the system when you replace it with the
clean copy, which you can install from the XP CD or download a copy from an
available download site. Before you delete the infected copy you need to go
into the file properties and remove the read-only check mark (if it's marked
so), take ownership of the file in the security tab\Advanced
Options\Owner, and remove all user accounts except yours or the
administrators group so you can delete it. As soon as you delete it,
replace it with a "clean" replacement, which you need to make read-only as
soon as it's installed. By default it's not a read-only file, but that may
protect it against infection.

How to take ownership of a file or folder in Windows XP
Describes how to take ownership of files or folders that you may not have
permissions for if you are an administrator for that computer.
http://support.microsoft.com/kb/308421/en-us

Download msconfig here: msconfig for Windows XP
http://www.perfectdrivers.com/howto/msconfig.html
Don't let the link title discourage you; msconfig is not included in Windows
2000, but the XP version can be installed in W2000.
 
Guest

As mentioned earlier, cws.msconfig is
this--C:\WINDOWS\PCHealthHelpCtr\Binaries\MSConfig.exe\auto

Although I am the administrator I haven't seen anything that will help take
ownership of the file, folder. The instructions in Article ID : 308421
Last Review : June 23, 2005
Revision : 2.4 mention security tab, security message, and owner tab, none
of which I've found. I must be leaving out a step. This is frustrating.
 
Juan

I had the same problem on Thursday with the "cws.msconfig" hijacker and
fixed it with no major problem by deleting the registry value from the Run
key... I was expecting the problem to be a pain in the a but it was very
simple to solve and I did not have to delete and replace the Windows
msconfig. I read somewhere that the cws.msconfig keeps restoring itself five
seconds after you delete it, but I had no major problem; I just deleted it
from the registry and that did it. I kept checking back to see if it had
restored itself but it did not... hope it works for you.

Look in either of the following keys and delete the msconfig value.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

One more tip: delete the "\auto" termination from the file in
C:\WINDOWS\PCHealthHelpCtr\Binaries\MSConfig.exe\auto which has been added,
(leave it at msconfig.exe)... that may be possible only after you have taken
ownership... hope that will help.

------------------------------------
 
Guest

Juan: So far, cws.msconfig is still lurking in and around the system
configuration.
How did you delete the registry value from the Run Key? Do you mean as in
"start, run"?

I searched the registry for
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and there were two, run and run-. Both of these expanded.

When I look into C:\WINDOWS\PCHealthHelpCtr\Binaries\MSConfig.exe, there is
no "auto". Apparently I do have to take ownership of the file and my
attempts at that have been futile. Could it be that somehow I am not the
computer administrator? I always have been, after all it is my computer, but
is it possible that a virus/spyware/scumware, etc. has done something, or
that I unknowingly clicked something by mistake?

Thanks again. swl
 
Juan

Yes, I deleted the msconfig value in
Start\Run\regedit\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
The value was named msconfig but the edition was
C:\WINDOWS\PCHealthHelpCtr\Binaries\MSConfig.exe\auto and that last word
(\auto) is what identifies it as a trojan. There are several run keys in
the Local Machine hive: Run, RunOnce and RunOnceEx; only these three keys are
normal. And there are two in the Current User hive: Run and RunOnce... If
I understand correctly you have two Run keys in the Local Machine hive? If
that's correct, you need to determine which one is the normal system key and
delete the likely spyware key. You can determine that by the antivirus and
system values in it and if they are duplicated on the other key, deleting
the key would not cause a problem. If you have any doubt, back up the key
before deleting it just in case you notice any problem afterwards.

And the "C:\WINDOWS\PCHealthHelpCtr\Binaries\MSConfig.exe\auto" I meant it
was in the key value edition not in the msconfig file name.

And try doing things in safe mode (F8 at the beginning of the bootup), you
can take ownership and delete the scumware and even run antispyware
programs, they do a better job in safe mode. And if you don't have
ownership or rather the administrators group does not have ownership, it's
probably been caused by the scumware....

Hope this helps.


---------------------------------
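
An added example, not part of any post in this thread: a Python check that reads the text of a regedit export and reports the two signs discussed above, a Run value whose data continues past `.exe` (as in `MSConfig.exe\auto`) and a Run-type key that is not on the list of normal keys given in the last reply. The sample export, the `ExampleAV` entry and the function names are constructed for illustration; a real export from regedit is UTF-16 and must be decoded to text first.

```python
import re

# Run-type key names the thread lists as normal for each hive (from the post above).
NORMAL = {"HKEY_LOCAL_MACHINE": {"run", "runonce", "runonceex"},
          "HKEY_CURRENT_USER": {"run", "runonce"}}
PARENT = r"software\microsoft\windows\currentversion"

# Constructed sample in .reg export syntax; ExampleAV and its path are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /min"
"msconfig"="C:\\WINDOWS\\PCHealthHelpCtr\\Binaries\\MSConfig.exe\\auto"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /min"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+)\\(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Data whose path keeps going after ".exe", as in MSConfig.exe\auto.
AFTER_EXE_RE = re.compile(r'\.exe\\[^\\"\s]', re.IGNORECASE)

def unescape(text):
    # .reg files escape backslashes and quotes inside quoted strings; undo that.
    return re.sub(r'\\(.)', r'\1', text)

def audit(reg_text):
    """Return (reason, key, detail) tuples for entries worth a manual look."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            hive, sub = m.group(1), m.group(2)
            key = hive + "\\" + sub
            parent, _, name = sub.rpartition("\\")
            if (hive in NORMAL and parent.lower() == PARENT
                    and name.lower().startswith("run")
                    and name.lower() not in NORMAL[hive]):
                findings.append(("unexpected-run-key", key, ""))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if AFTER_EXE_RE.search(data):
                findings.append(("path-continues-after-exe", key, name + " = " + data))
    return findings
```

Each finding is a prompt to inspect the entry in regedit and, as the reply advises, to back up the key before deleting anything.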
 