System Configuration Utility

Dear Experts,

I'm in the final stages of eliminating the Antivirus 2010 spamware/extortion software from my laptop, thanks to all the help I've received from this and other tech forums.

The bulk of the problem was removed over two sweeps with Malwarebytes, although McAfee antivirus, spydoctor and ad aware also picked up small pieces of the problem.

Although the sweeps are now all coming back clean and there don't seem to be any problems, there is one final issue that I need help with.

When my computer starts up, a "System Configuration Utility" box pops up warning me that I've made changes to the way Windows starts up and I am currently in diagnostic or selective startup mode. It asks me to select normal startup to undo the changes I've made.

I haven't made any changes to the way the system starts up on purpose, so it's either the spamware that changed things or the programs that I used to eliminate the spamware.

Either way, my question is: can I safely select the normal startup mode and undo the changes (whatever they are)? I'm worried that by undoing the changes some of the changes I've worked so hard to eliminate will return.

Some forums suggest just ignoring the box every startup and just continuing along as if nothing happened. I'm not satisfied that this is the best way forward; I'd be more comfortable having everything on my computer back to its pre-spamware state.

So what's your view? Select normal or leave it as is?

Also is there any way to ever know whether the system is fully clean?

I posted the above paragraphs in a general forum and received instructions on posting to this forum. Below and attached please find the required logs from the programs.

Please note that I downloaded and ran defogger and it said it had completed its task successfully, but it did not ask me to reboot the computer as the instructions I received said it would. Not sure if that's a problem or not.

Please also note that I also ran DDS, but I'm not aware whether I have any script blocking programs, so I didn't turn off anything before running the program.

Thank you for any help that you can provide.

Text of DDS Scan

DDS (Ver_09-12-01.01) - NTFSx86

Run by Fraser at 13:05:39.06 on 24/01/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.269 [GMT -7:00]

AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup





C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe



C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe


C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe


C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe


C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe




C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe


C:\Program Files\Everything\Everything.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe


C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe


C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Fraser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://webmail.flemingc.on.ca/

uInternet Settings,ProxyOverride = *.local

TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe

mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe

mRun: [ZoomingHook] ZoomingHook.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP

mRun: [TOSHIBA Accessibility] c:\program files\toshiba\accessibility\FnKeyHook.exe

mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [sVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL

mRun: [TPSMain] TPSMain.exe

mRun: [TCtryIOHook] TCtrlIOHook.exe


mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [shStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey

mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [Everything] "c:\program files\everything\Everything.exe" -startup

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe

dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d

StartupFolder: c:\docume~1\fraser\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe

StartupFolder: c:\docume~1\fraser\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://jenn-pics.spaces.live.com/PhotoUpload/MsnPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fraser\applic~1\mozilla\firefox\profiles\kkbwyvit.default\

FF - prefs.js: browser.startup.homepage - hxxp://webmail.flemingc.on.ca/

FF - plugin: c:\progra~1\mozilla firefox\plugins\npJoostPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {D634AF78-7BB6-4CF8-9197-96A05B6EDBD9} - c:\documents and settings\fraser\local settings\application data\{D634AF78-7BB6-4CF8-9197-96A05B6EDBD9}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}


c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-5 64160]

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-1-8 59904]

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\SAVRTPEL.SYS [2004-7-23 50312]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-13 198304]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-13 181920]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-1-8 98304]

R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2007-11-26 221191]

R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2007-11-26 29184]

R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-1-8 117024]

S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-18 67184]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-13 79520]

S3 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2004-8-17 177264]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20061206.016\NAVENG.Sys [2006-12-6 79240]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20061206.016\NavEx15.Sys [2006-12-6 831880]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUPnPRenderer11.exe [?]

S3 SAVRT;SAVRT;c:\program files\norton antivirus\SAVRT.SYS [2004-7-23 336008]

S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2004-7-23 198368]

S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2009-8-16 16896]

=============== Created Last 30 ================

2010-01-24 19:58:55 0 ----a-w- c:\documents and settings\fraser\defogger_reenable

2010-01-21 01:11:06 0 ----a-w- c:\windows\TPTray.INI

2010-01-14 02:57:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-10 00:33:51 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

2010-01-09 20:00:27 0 d-----w- C:\quarantine

2009-12-28 20:48:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation

2009-12-28 20:47:18 0 d-----w- c:\program files\common files\Sony Shared

2009-12-28 20:47:17 0 d-----w- c:\program files\Sony

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00:21 78336 ------w- c:\windows\system32\ieencode.dll

2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll

2009-12-21 02:08:01 164352 ----a-w- c:\windows\system32\SpoonUninstall.exe

2004-03-11 20:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 13:07:16.28 ===============

Text of Latest MBAM Scan

Malwarebytes' Anti-Malware 1.44

Database version: 3620

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

23/01/2010 1:02:55 PM

mbam-log-2010-01-23 (13-02-55).txt

Scan type: Full Scan (C:\|)

Objects scanned: 278300

Time elapsed: 2 hour(s), 15 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)




  • 2 weeks later...
  • Staff


> When my computer starts up, a "System Configuration Utility" box pops up warning me that I've made changes to the way Windows starts up and I am currently in diagnostic or selective startup mode. It asks me to select normal startup to undo the changes I've made.

I see you have TeaTimer + Ad-Watch running in the background, so that may interfere here as well.

Do the following please..

I suggest you temporarily disable TeaTimer because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Also disable ad-watch:


Then, when the System Configuration Utility pops up again, just check the box there where it says to not show this message anymore.


Then it won't show up after next reboot anymore. Before it was your Teatimer+Adwatch preventing the deletion of the msconfig startup key in the registry when you did that, so that explains why it came back all the time again.

By the way, what is this program?

mRun: [Everything] "c:\program files\everything\Everything.exe" -startup


Hi Miekemoes,

Thanks for your response.

I just want to be sure you understood my problem. I haven't made any conscious changes to my system config, so I'm curious as to why the box pops up. I was infected with the PC Security/Antivirus 2010 trojan and used Malwarebytes to remove it. I imagine that in installing itself the trojan made changes to my system config. Then I'm also thinking that when Malwarebytes removed the trojan, it made further changes. However I have no idea what those changes are/were.

But more importantly, the box is asking me to switch from selective/diagnosis startup mode to 'normal' mode. It seems to me that 'normal' mode is, in normal situations, what my computer should be running in. However in this situation, once the trojan has been removed, am I right in thinking that if I return to 'normal' mode I will undo some of the positive changes that Malwarebytes made to my sys config, therefore allowing some of the negative changes made by the trojan to return? If so, then obviously I shouldn't now return to 'normal' mode. If not, then I should return to 'normal' mode.

So I want to know which to choose and why.

I haven't done anything with the System Configuration Utility box yet. When it pops up, I have simply clicked the red X in the top right corner to close the box without making any choice or ticking the box to not show the box again.

If you tell me that I can leave my computer in selective startup mode permanently, without any harm to my system or loss in system resources, then I will tick the box to not show the utility box again and see what happens. If it doesn't pop up again, then I'm going to assume that it worked and I won't need to do the work-through that you suggest above. If it still pops up then I will resort to what you've suggested.

So I guess my question is, should I return to normal mode or not?

Also, as far as you can tell from the logs I've posted, is my system clean? (I haven't changed anything or really used the computer since posting in this forum).

FYI, Everything is a search program which is way faster than XP's search facility for finding things on a hard drive.

Thanks for your help



  • Staff


The only time when "System Configuration Utility" appears with the warning is when you have used msconfig, or you have opened it/whatever. Otherwise it won't appear. It won't even appear when malware makes changes on your system. So the "System Configuration Utility" opening is not as a result of malware. :)

> But more importantly, the box is asking me to switch from selective/diagnosis startup mode to 'normal' mode. It seems to me that 'normal' mode is, in normal situations, what my computer should be running in.

According to your log, everything appears fine there, you are not in diagnostic/selective startup, but normal startup, otherwise a lot of startup keys would have been disabled. So the only thing you have to do is to check the box to not show this message again. :)

Yes, your system looks clean, I can't see anything strange/suspicious in your logs (otherwise I would have told you) :)

The only strange thing I saw was the "everything" program, so that's why I asked you if you knew it :)


This topic is now closed to further replies.
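
The staff reply above attributes the recurring prompt to the msconfig startup key surviving because TeaTimer and Ad-Watch block its deletion. As an added example (not part of the thread and not DDS's own code), this Python script parses Run-key lines in the format of the DDS log posted above and tags the entries relevant to that diagnosis; the tag names, the function names and the bare-filename heuristic are assumptions made here.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any host OS

# Excerpt copied from the DDS log posted earlier in this thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [TPSMain] TPSMain.exe
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
"""

# "<prefix>: [value name] command line", as printed in the Pseudo HJT Report.
ENTRY = re.compile(r"^(?P<kind>uRun|mRun|dRunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Either a quoted path, or unquoted text up to the first executable extension
# (unquoted paths in the log contain spaces, so splitting on whitespace fails).
COMMAND = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|scr|com|bat|cmd)))(?=\s|$)\s*(?P<args>.*)$',
    re.IGNORECASE,
)
# Resident tools named in the staff reply as blocking registry changes.
REGISTRY_GUARDS = {"teatimer.exe", "aawtray.exe"}


def parse_autoruns(log_text):
    """Return one dict per Run/RunOnce line: kind, name, path, args."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        c = COMMAND.match(m["cmd"])
        path = (c["q"] or c["u"]) if c else m["cmd"]
        args = c["args"] if c else ""
        entries.append({"kind": m["kind"], "name": m["name"], "path": path, "args": args})
    return entries


def triage(entries):
    """Tag entries that matter for the 'System Configuration Utility' prompt."""
    findings = []
    for e in entries:
        exe = basename(e["path"]).lower()
        if exe == "msconfig.exe" and "/auto" in e["args"].lower():
            # Run value left behind after msconfig was used; it shows the notice at logon.
            findings.append((e["name"], "msconfig-auto"))
        elif exe in REGISTRY_GUARDS:
            findings.append((e["name"], "registry-guard"))
        elif not dirname(e["path"]):
            # Heuristic (assumption): no directory given, so confirm which file really runs.
            findings.append((e["name"], "bare-filename"))
    return findings


def explains_recurring_prompt(findings):
    """True when the msconfig Run value coexists with a tool that can block its removal."""
    tags = {tag for _, tag in findings}
    return "msconfig-auto" in tags and "registry-guard" in tags


if __name__ == "__main__":
    found = triage(parse_autoruns(SAMPLE_LOG))
    for name, tag in found:
        print(f"{tag:15} {name}")
    print("recurring prompt explained:", explains_recurring_prompt(found))
```
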