Start up Issues after MWB quarantines msconfig

[corabeth]

Hi,

MWB advocate here but I'm stuck! A little background information is necessary but I'll try to keep it brief.

HP installed a new hard drive in my Pavilion laptop in January. When I got it back, the first thing I did was remove Norton and install MWB and eset Nod32, which I have used in combination for over a year with zero problems.

I was having some of the same issues with freezing so when I called HP tech, who tried a few things and then insisted that MWB was causing my problems and instructed me to do a complete restore again (after I had just loaded all my docs, etc.) and keep Norton. I personally think it was a bad Vista install but he insisted he's seen MWB create problems.

I did the new Vista install but I am not comfortable with Norton so I installed MWB too but didn't put it on auto protect at first just to see how things worked. I ran a scan and saw that Norton had let in two trojan.agent Those were quarantined and I uninstalled Norton the next day and put eset on. No more freezing, no more malware or trojans.

I rarely shut off this laptop but when I do for long periods of time (not a reboot), Windows won't start. Shutting down and restarting again kicks in system repair and it then starts fine. I get a "blocked program on Start-up notice" and see that it blocks MWB on start up in order to get a successful Windows start up.

Last night I was looking up something else and noticed my System Configurator is missing. On a hunch, I checked my quarantine logs and found that the two trojan agents in quarantine impacted msconfig.

One is the file c:\windows\system32\msconfig.exe and the second is the registry value HKEY_local_machine\software\microsoft\windows\currentversion\run\msconfig

If I delete these files will it just delete the trojan.agent or will I wipe out the msconfig too? I'm an intermediate user but not strong enough to try to put files back on that I need and I don't want to totally screw up this computer. I just find it interesting that the system repair disables MWB on start up in order to run Windows. I tried to look back in system restore for a restore point earlier than the Feb 3 Trojan.agent capture but I can't find any restore point earlier than Feb 28.

Thanks!

[mylanta3]

I have used Mbam and No32 and Sas and Nod32 for years and never seen an issue, nor have I ever seen an infection. But of course what you are describing sounds like malware for certain and I would bet a rootkit or 2 let in by Norton which is "0" protection from anything in my book.

I think the easiest thing to do would be a "clean install" with HP Recovery Partition which normally gives you the option to do a non destructive recovery which saves files and data and returns you to "day 1" on OS and programs and then install whatever program you added and this time remove Norton immediately and install Mbam and Nod32 from the start. I really think that would be the easiest.

[AdvancedSetup]

Hi Corabeth,

Please post your full scan log from MBAM and I'll take a look.

[corabeth]

This is the log from Feb 3rd which is when it found the problem. If this is not what you need, please advise how to retrieve it. Thanks!

Malwarebytes' Anti-Malware 1.44

Database version: 3687

Windows 6.0.6000

Internet Explorer 7.0.6000.16945

2/3/2010 11:25:55 PM

mbam-log-2010-02-03 (23-25-55).txt

Scan type: Quick Scan

Objects scanned: 101444

Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\System32\msconfig.exe (Trojan.Agent) -> Quarantined and deleted successfully.

[AdvancedSetup]

It should be okay to remove and leave removed. Make sure your updated to the latest version which is 3877 as of now.

As for the startup issues there is talk on a few forums about Nvidia chipsets that might be part of the issue. A bit beyond the realm of our support forum but you should be able to search Google on your issue and find a few Websites that discuss it.

[corabeth]

If I remove it, will I get back the msconfig.exe capabilities?

Thanks for your quick replies today!

[AdvancedSetup]

Cannot promise but if not then you might need to post in the HJT forum to make sure you're not still infected or have some other damage from Malware.

You can also take a look here on how to use MSCONFIG:

http://support.microsoft.com/kb/950093

http://netsquirrel.com/msconfig/msconfig_vista.html

[corabeth]

Sorry, I didn't mean remove it, I was using the words AdvancedSetup used. I checked and the choices are delete or restore. So, I can try to restore since the log shows that the trojans were quarantined and deleted.

Believe me, after two new Vista installs in the last 2 months, I am in no mood to do another!

I'll check the HJT forum as well.

[AdvancedSetup]

You need to UPDATE your definition files. Your version is quite old. The system dllcache on Vista should have restored the original files with good copies.

Please set your files and folders to show hidden files and verify if you can search for MSCONFIG.EXE and find it on your system.

You should be able to type in the search MSCONFIG and run it.

[corabeth]

I thought I had part of the problem resolved.

I hit restore all in the quarantine log

And tried to find the System Configurator and it opened right away. Hooray.

I shut the laptop off last night to see if this resolved the startup problem.

turned it on this morning and it did not and the system repair brought me back to two days ago.

Now I can't find msconfig.exe again (probably because it brought me back to before I restored the files from the quarantine log)

Except now those files are not in the MWB quarantine log anymore either!

(I tried the show hidden files and that didn't help either.)

I think I'm in worse shape than before

[AdvancedSetup]

You should not have done the System Restore. Please contact the Help Desk and they may be able to assist you.

You need to please follow their direction and not take actions on your own though.

Thank you.

[corabeth]

You should not have done the System Restore. Please contact the Help Desk and they may be able to assist you.

You need to please follow their direction and not take actions on your own though.

Thank you.

For the past few weeks, this is the only way the computer would start. I'll contact help desk, thanks.