Please.... Re: XP-Pro and msconfig/boot.ini

Stuff

Please...the problem is both msconfig AND boot.ini. (msconfig does not come
up, and boot.ini is glitched.) I am under the impression a new msconfig file
from the Windows CD is needed (???)

Would you please tell me the CMD command to re-install msconfig.com from
START > RUN? I had to do this once before, but I do not remember that
command now.

thanX!
Howie
 
Doug Knox MS-MVP

You don't need to reinstall MSCONFIG. You need to post the contents of your
BOOT.INI with more information on your setup, and we'll tell you how to
correct it. You may also want to locate MSCONFIG.EXE and make a copy of it,
naming it MSCONFIG1.EXE. If the copy runs, then you have a virus, not a
corrupt MSCONFIG.
 
Stuff

Boot.ini has nothing in it...it is a totally empty file. It is located in
the root of the C: drive.

I did, in fact, have a virus a few weeks ago when I mistakenly had Norton
antivirus updates turned off. I have since gotten the updates, and
eradicated that virus.

When I invoke msconfig from START > RUN, it does not come up. Once in a
great while it does for a split second, then shuts down quickly.

ThanX!!!!!
Howie
 
Doug Knox MS-MVP

Stuff,

Then you still have the virus. Probably a variant of an older one that the
AV scanners aren't catching. If you can rename MSCONFIG.EXE to
MSCONFIG1.EXE and run it, you have the virus, particularly if the same
behavior occurs with Task Manager and Regedit.

For a single disk system, a typical BOOT.INI file looks like this:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\="Previous Operating System on C:"

Again, if your system is not single disk and/or XP is not installed on C:,
more information is needed to help you correct it manually. You can boot
from the XP CD and when offered the opportunity to Setup or Repair, choose
repair, and at the command prompt type in BOOTCFG /? for the command line
options for the BOOTCFG program.

You may also want to see www.dougknox.com, Win XP Utilities, Create
Emergency Copies of Critical XP System Utilities. This small VB program
will create backup, usable copies of Task Manager, Regedit and MSConfig
(named Taskmgr1.exe, Regedit.com and MSConfig1.exe) in a new folder,
C:\EmergencyUtil. Many virus programs will intercept these programs, based
on their original file name. The modified file names allow them to be run.
Open Windows Explorer to C:\EmergencyUtil and double click the application
you need. The next revision will allow you to browse for the folder you
want to place the backups in.

Additionally, see the Win XP Utilities section for Startup Programs Tracker.
This small utility scans your system for startup programs and running
processes. It also allows you to create a log file that can be copied and
pasted into a newsgroup post. The contents of the program window are also
copied to the Windows Clipboard, automatically.

These two programs will help you determine what the virus is, and where it's
being loaded from.
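The boot.ini layout Doug quotes above, checked programmatically. This is an added example, not code from the thread, from Microsoft or from Doug Knox's utilities: it parses the two sections NTLDR reads, reports the faults under discussion (an empty file, a default= that points at no [operating systems] entry, a malformed ARC path) and renders the single-disk layout for a different partition number or Windows directory, which is the case Doug says needs more information. The sample files inside are constructed from the layout in the post; the check only tells you what is wrong, BOOTCFG from the Recovery Console is still what rewrites the real file.

```python
"""Check a boot.ini the way a responder would before rebuilding it.

Added example: not code from the thread, from Microsoft or from Doug
Knox's utilities. parse_boot_ini() reads the two sections NTLDR uses,
check_boot_ini() lists what is wrong, and render_single_disk() produces
the single-disk layout from the post for another partition or Windows
directory. The sample files are constructed from the posted layout.
"""
import re

# ARC path as NTLDR expects it: multi/scsi/signature(), disk(), rdisk(),
# partition(), then the Windows directory on that partition.
ARC_RE = re.compile(
    r'^(?:multi|scsi|signature)\([0-9a-f]+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^"=]+$',
    re.I)
DRIVE_RE = re.compile(r'^[A-Za-z]:\\$')   # bootsector entry such as C:\

GOOD_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\="Previous Operating System on C:"
"""


def parse_boot_ini(text):
    """Return {section name in lower case: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or '=' not in line:
            raise ValueError(f'unexpected line: {line!r}')
        key, _, value = line.partition('=')   # split at the first '=' only
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_boot_ini(text):
    """Return a list of problems; an empty list means NTLDR can use the file."""
    if not text.strip():
        return ['file is empty: NTLDR has no boot entries; rebuild it '
                '(e.g. BOOTCFG /REBUILD from the Recovery Console)']
    try:
        sections = parse_boot_ini(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    loader = dict(sections.get('boot loader', []))
    systems = sections.get('operating systems', [])
    if not systems:
        problems.append('[operating systems] has no entries')
    default = loader.get('default')
    if default is None:
        problems.append('[boot loader] has no default= line')
    elif default.lower() not in {target.lower() for target, _ in systems}:
        problems.append(f'default={default} matches no [operating systems] entry')
    if not loader.get('timeout', '30').isdigit():
        problems.append('timeout= is not a number')
    for target, description in systems:
        if not (ARC_RE.match(target) or DRIVE_RE.match(target)):
            problems.append(f'unrecognised boot target {target!r}')
        if not description.startswith('"'):
            problems.append(f'entry {target} has an unquoted description')
    return problems


def render_single_disk(partition=1, windir='WINDOWS', timeout=30):
    """The single-disk layout from the post, parameterised on the partition
    number and Windows directory for systems where XP is not on C:."""
    arc = f'multi(0)disk(0)rdisk(0)partition({partition})' + '\\' + windir
    return (f'[boot loader]\ntimeout={timeout}\ndefault={arc}\n[operating systems]\n'
            f'{arc}="Microsoft Windows XP Professional" /fastdetect\n')


if __name__ == '__main__':
    for label, text in (('empty file', ''), ('posted layout', GOOD_BOOT_INI)):
        print(f'{label}: {check_boot_ini(text) or "OK"}')
```

Run it with no arguments to see the empty file rejected and the posted layout accepted; feed check_boot_ini() the contents of your own C:\boot.ini to get the list of problems, and compare render_single_disk(partition=N) with what BOOTCFG /REBUILD writes if XP is not on the first partition.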
 
Stuff

ThanX Doug ... will do as you mentioned ASAP!

 
Bruce Chambers

Greetings --

The point is, Boot.ini should *not* be an empty file.

Bruce Chambers

--
Help us help you:

You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Stuff

WOW Bruce! ThanX!!!!!!!!!!!

Ok...I went to your site and found the emergency msconfig1
deallie...downloaded, unzipped it, and launched it...and, just as you said,
it works!

So that means I still have the virus, or do I have now just contaminated
files...do I now replace every occurrence of msconfig.exe with the new one
(I found several occurrences in different folders)? Delete the old and copy
the new under the original filename?

How do I get rid of the virus (I know I had it several weeks ago, but
thought I got rid of it. I will rerun Norton while I wait for your answer!)

Also, regedit does not work either, just as you suggested it might not! Do
I swap this too? And Task Manager (right..it does not work either!)

Again...many thanX!
 
Doug Knox MS-MVP

Bruce,

My apologies for my earlier post. Seems we both looked at the problem a bit
differently :)
 
Stuff

Thank you so much for working this with me, Bruce!

8/23/2003 9:12:49 PM

-- Registry - HKEY_LOCAL_MACHINE RunOnce --
No Items Found

-- Registry - HKEY_LOCAL_MACHINE Run --
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
Iomega Automatic Backup 1.0.1 C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
LVCOMS C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
QD FastAndSafe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Winsock2 driver WINLODR.SCR
KernelFaultCheck

-- Registry - HKEY_CURRENT_USER RunOnce --
Winsock2 driver WINLODR.SCR

-- Registry - HKEY_CURRENT_USER Run --
Iomega Automatic Backup C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
LTM2 C:\WINDOWS\Edit32\Edit32.exe
BySoft FreeRAM C:\Program Files\FreeRAM\freeram.exe
PIMOne C:\Program Files\PIMOne\PIMOne.EXE /AutoRun

-- Registry - HKEY_USERS\.DEFAULT Run --
No Items Found

-- Start Menu - Current User --
iexplore.exe.lnk
msimn.exe (2).lnk
Norton System Doctor.LNK
OUTLOOK.EXE.lnk

-- Start Menu - All Users --
ZoneAlarm.lnk

-- Disabled Items --
DirectCD
INSTAN~1
BackWeb-8876480
ISStart
LogiTray
mcalert
MotiveSB
Netscp
msmsgs
qttask
RealPlay
REGIST~1
realsched
XupiterToolbarLoader
Billminder
Logitech Desktop Messenger
Microsoft Office
Push Client
Quicken Startup
ScanPanel
Verizon Online Dialer
Verizon Online Support Center
PalNetaware
radio@netscape

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
Explorer.exe

-- Running Processes --
System Idle Process
System
smss.exe \SystemRoot\System32\smss.exe
csrss.exe
winlogon.exe winlogon.exe
services.exe C:\WINDOWS\system32\services.exe
lsass.exe C:\WINDOWS\system32\lsass.exe
svchost.exe C:\WINDOWS\system32\svchost -k rpcss
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
explorer.exe C:\WINDOWS\Explorer.EXE
spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
CCEVTMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
CCAPP.EXE "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
hpztsb03.exe "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe"
iBackup.exe "C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe"
LVComS.exe "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
realsched.exe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
winlodr.scr "C:\WINDOWS\System32\WINLODR.SCR" /S
ctfmon.exe "C:\WINDOWS\System32\ctfmon.exe"
FreeRAM.exe "C:\Program Files\FreeRAM\freeram.exe"
zonealarm.exe "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe"
iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
msimn.exe "C:\Program Files\Outlook Express\msimn.exe"
SYSDOC32.EXE "C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE" /startup
OUTLOOK.EXE "C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE"
inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
AppServices.exe "C:\PROGRA~1\Iomega\System32\AppServices.exe"
mdm.exe "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
NAVAPSVC.EXE "C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"
NPROTECT.EXE "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"
snmp.exe C:\WINDOWS\System32\snmp.exe
NOPDB.EXE C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
svchost.exe C:\WINDOWS\System32\svchost.exe -k imgsvc
ups.exe C:\WINDOWS\System32\ups.exe
vsmon.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
fxssvc.exe C:\WINDOWS\system32\fxssvc.exe
WINWORD.EXE "C:\Program Files\Microsoft Office\Office\WINWORD.EXE" -Embedding
explorer.exe "C:\WINDOWS\explorer.exe"
msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" -Embedding
StartupTracker3.exe "C:\Documents and Settings\Howie\Desktop\Startup tracker\StartupTracker3.exe"
wmiprvse.exe
 
Doug Knox MS-MVP

Stuff,

The virus file is WINLODR.SCR. This is not a valid file. Open the renamed
Task Manager in C:\EmergencyUtils and go to the Processes tab. Highlight
this process and click End Process. Now, you can try closing the Task
Manager and opening it normally. If it works, you've pinpointed the virus,
and it was the only one.

Now, go to the Windows and Windows\System32 folder and look for the
WINLODR.SCR file. If found, delete it. If necessary, do a search of your
entire hard disk and delete the file, wherever it's found.

Next, run REGEDIT (normal, if it will start, or the renamed copy if it
won't). Go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and delete the value in the right pane called Winsock2 Driver.

Then go to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

and delete the value in the right pane for Winsock2 Driver. Both of these
are references to run the virus file.

The only other two entries that I'm not familiar with are:

LTM2 C:\WINDOWS\Edit32\Edit32.exe
BySoft FreeRAM C:\Program Files\FreeRAM\freeram.exe

These entries are in:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

They may be legitimate programs that you have installed, they may not. Only
you can answer that question. If, after killing the WINLODR.SCR process,
you still can't run Task Manager, MSConfig or REGEDIT, these two would be
where I would start next.

And last but not least, I don't recognize the entry for KernelFaultCheck
which is being loaded from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It
doesn't show a command line,
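Doug's walk through the log above (spot the value that is not a real program, note every key that references it, end the process before deleting the file) can be done mechanically. The following is an added example and not code from the thread or from Doug Knox's Startup Programs Tracker: it parses the tracker's log format, flags the entries a responder looks at first, and lists the removal steps in the order that works against a dropper that restores its own file. The sample log is a constructed excerpt of the one posted; the heuristics (which extensions and key combinations count as suspicious) are this example's own assumptions, not rules from the thread.

```python
"""Triage a Startup Programs Tracker log for suspicious autostart entries.

Added example: not code from the thread or from Doug Knox's tracker. It
reads the log shape pasted above ("-- Registry - HKEY_LOCAL_MACHINE Run --"
headers, one value per line as name then command) and flags .scr/.pif/
.com/.bat images, bare image names resolved through PATH, values with no
command line, and one value name planted under several keys. SAMPLE_LOG is
a constructed excerpt of the posted log; RISKY_EXT is an assumption.
"""
import re

SAMPLE_LOG = r"""
-- Registry - HKEY_LOCAL_MACHINE Run --
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
Winsock2 driver WINLODR.SCR
KernelFaultCheck

-- Registry - HKEY_CURRENT_USER RunOnce --
Winsock2 driver WINLODR.SCR

-- Registry - HKEY_CURRENT_USER Run --
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

-- Running Processes --
CCAPP.EXE "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
winlodr.scr "C:\WINDOWS\System32\WINLODR.SCR" /S
"""

SECTION_RE = re.compile(r'^-- (.+?) --$')
REG_RE = re.compile(r'^Registry - (HKEY_[A-Z_]+(?:\\\.DEFAULT)?) (Run|RunOnce)$')
# Value name (may contain spaces), then a quoted path, a drive path or a bare image name.
ENTRY_RE = re.compile(
    r'^(?P<name>.+?)\s+(?P<cmd>"[^"]*".*|[A-Za-z]:\\\S.*|\S+\.(?:exe|scr|com|bat|pif|dll)\b.*)$',
    re.I)
RISKY_EXT = {'.scr', '.pif', '.com', '.bat'}   # assumption: rare in a legitimate Run value


def parse_log(text):
    """Return ({registry key: [(value name, command or None)]}, {running images})."""
    autoruns, running, section = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'No Items Found':
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        reg = REG_RE.match(section or '')
        if reg:
            hive, sub = reg.groups()
            key = hive + r'\SOFTWARE\Microsoft\Windows\CurrentVersion' + '\\' + sub
            entry = ENTRY_RE.match(line)
            name, cmd = (entry.group('name'), entry.group('cmd')) if entry else (line, None)
            autoruns.setdefault(key, []).append((name, cmd))
        elif section == 'Running Processes':
            running.add(line.split()[0].lower())
    return autoruns, running


def image_of(cmd):
    """Path or bare name of the program a command line launches."""
    if cmd is None:
        return None
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(text):
    """Findings as dicts: key, name, image, base, ext, running, reasons."""
    autoruns, running = parse_log(text)
    findings, by_name = [], {}
    for key, entries in autoruns.items():
        for name, cmd in entries:
            by_name.setdefault(name.lower(), []).append(key)
            image = image_of(cmd)
            base = image.rsplit('\\', 1)[-1].lower() if image else ''
            ext = base[base.rfind('.'):] if '.' in base else ''
            reasons = []
            if image is None:
                reasons.append('no command line')
            if ext in RISKY_EXT:
                reasons.append(f'{ext} image in an autostart key')
            if image and '\\' not in image:
                reasons.append('bare image name, resolved through PATH')
            if reasons:
                findings.append({'key': key, 'name': name, 'image': image, 'base': base,
                                 'ext': ext, 'running': base in running, 'reasons': reasons})
    for lname, keys in by_name.items():
        if len(keys) > 1:   # the same value planted under several keys
            findings.append({'key': ' and '.join(keys), 'name': lname, 'image': None,
                             'base': '', 'ext': '', 'running': False,
                             'reasons': ['same value under more than one autostart key']})
    return findings


def remediation(findings):
    """Steps in the order that beats a dropper restoring its own file:
    stop the process, delete the file, then remove the registry values."""
    act = [f for f in findings if f['ext'] in RISKY_EXT]
    steps = [f"End process {f['base']} with the renamed Task Manager copy"
             for f in act if f['running']]
    steps += [f"Delete {f['image']} (search every drive for further copies)" for f in act]
    steps += [f"Delete value '{f['name']}' under {f['key']}" for f in act]
    return list(dict.fromkeys(steps))   # drop duplicates, keep order


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['key']}  {f['name']!r}: {'; '.join(f['reasons'])}")
    print('\n'.join(remediation(found)))
```

On the sample the only entries that come out are the two Winsock2 driver values (a .scr image given by bare name, and currently running), KernelFaultCheck (no command line, listed for review only) and the note that the same value sits under both HKLM Run and HKCU RunOnce; ccApp is running too but is not flagged, since running by itself is not evidence. The remediation list deliberately ends the process first: as the later post in this thread reports, deleting the file and values while the process is alive just gets them recreated.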
 
Doug Knox MS-MVP

No problem, and please don't change the subject of the post. It makes it
harder to track :)
 
Bruce Chambers

Greetings --

No problem. The original wasn't what I'd've called "crystal
clear."

Bruce Chambers

 
kovacsg

I encountered a similar issue. It all started when I noticed Task
Manager disappeared and I was not able to start regedit. Using Norton
Anti-virus I updated my system (& dat file) and performed a full
system scan. This did not find any viruses or worms. After reading
about a similar issue on Symantec's site I then turned off System
Restore, started up in Safe Mode and ran a full scan. This also found
no viruses or worms.

I was able to troubleshoot that winlodr.scr was causing the issues so
I removed the file and removed the entries in the registry. After a
few minutes I noticed the file had returned and the registry entries
were back.

To work around this issue I created a zero-byte text file called
winlodr.scr in the appropriate location and set the properties to
hidden and read-only. This appears to work, but I think if I remove
the file the malicious winlodr.scr will be placed back.

I attempted to run an online virus scan from
www.housecall.antivirus.com
and it found SpyBot.Worm on the computer, but it did not appear to
clean it and I was not able to verify this with any other virus
checking program.

Can someone shed light on which virus/worm this is and how I can
remove it from my computer.

Thanks
 
Doug Knox MS-MVP

It was likely a new variant of SpyBot. If the file is in use (running),
many times it won't be able to be removed or quarantined. You need to look
for a running process in Task Manager, that has the same name as the virus
checker found. Kill the process, then delete the file, just as you did with
the WINLODR.SCR file.
 