cws.msconfig
ozzymary
Suspended permanently
2. January 2006 @ 04:27
Here is what I found on this. I wonder if it is safe to do this:
Approx date first sighted: February 5, 2004
Symptoms: IE pages being hijacked to www.31234.com on system startup and when changing homepage back, continuous errors about an invalid Registry script in temp2.txt, extra item in right-click menu of webpages named '??????'
Cleverness: 2/10
Manual removal difficulty: Involves a process killer, some Registry editing and restoring a Windows system file from CD
This variant uses the filename msconfig.exe which overwrites the real Windows file in Windows 98/98SE/ME. The temp2.txt file it drops is actually a Registry script, but since it's in the wrong format, Windows 9x/ME will throw up an error about an invalid Registry script. Windows 2000/XP will import it without complaining, creating the '??????' item in the IE right-click menu. The msconfig.exe file will always stay in memory, reinstalling the hijack every 5 seconds. Killing the process, deleting the file and restoring the IE homepages/search pages fixes this hijack.

The real Windows file msconfig.exe can be downloaded here, if you can't restore it from your Windows Setup CD for some reason.
-kemisti-
AfterDawn Addict
2. January 2006 @ 04:40
@ozzymary: You don't have cws.msconfig. Msconfig just starts while booting, this line in HjT log ->
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

You can fix this line, too.

EDIT: I just checked that from merijn, you don't have this cws-variant.

This message has been edited since posting. Last time this message was edited on 2. January 2006 @ 04:42

ozzymary
Suspended permanently
2. January 2006 @ 04:48
I ran CWShredder and it says I have it.
-kemisti-
AfterDawn Addict
2. January 2006 @ 04:52
Well, that must be a false alarm.
You must have these lines in your HjT log if you have it, see here ->
http://www.merijn.org/cwschronicles.html#msconfig

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html
O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
O4 - HKCU\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
O8 - Extra context menu item: ?????? - C:\WINDOWS\system32\openme.htm

And you don't have them.

I guess CWShredder thinks that this line ->

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

is this line

O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
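
The false alarm suspected in the last post, as an added example that is not part of the original thread and is not CWShredder's actual logic: a check keyed only on the Run value name flags the PCHealth `MSConfig.exe /auto` entry, while a check on the full command plus the other quoted indicators does not. The function names and the corroboration rule are assumptions; the log lines are the ones quoted in the thread, grouped into two constructed sample logs.

```python
import re

# HijackThis O4 (Run key) entry: hive, value name in brackets, then the command.
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HIJACK_CMD = r"c:\windows\system\msconfig.exe"  # path from the thread's indicator lines

def naive_match(line):
    """Name-only check: flags any Run value called 'msconfig', whatever it runs."""
    m = O4_RE.match(line.strip())
    return bool(m) and m.group("name").lower() == "msconfig"

def indicators(log_lines):
    """Return which of the thread's CWS.msconfig indicators appear in a log."""
    found = set()
    for raw in log_lines:
        line = raw.strip()
        low = line.lower()
        m = O4_RE.match(line)
        if m and m.group("name").lower() == "msconfig":
            # Compare the whole command, not only the value name.
            if m.group("cmd").lower() == HIJACK_CMD:
                found.add("run_key")
        elif low.startswith("r0 - ") and "start page" in low and "31234.com" in low:
            found.add("start_page")
        elif low.startswith("o8 - ") and low.endswith(r"\openme.htm"):
            found.add("context_menu")
    return found

def looks_like_cws_msconfig(log_lines):
    """Assumed rule: the Run entry plus at least one corroborating indicator."""
    found = indicators(log_lines)
    return "run_key" in found and bool(found & {"start_page", "context_menu"})

# Sample logs constructed from the lines quoted in the thread.
CLEAN_LOG = [
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto",
]
INFECTED_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html",
    r"O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe",
    r"O4 - HKCU\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe",
    r"O8 - Extra context menu item: ?????? - C:\WINDOWS\system32\openme.htm",
]

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("infected", INFECTED_LOG)):
        print(name, [naive_match(l) for l in log], sorted(indicators(log)),
              looks_like_cws_msconfig(log))
```

Corroboration is required because the quoted description says the variant overwrites the real msconfig.exe on Windows 98/98SE/ME, so the file path alone does not separate the two cases there.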