
cws.msconfig

Discussion in 'Windows - Virus and spyware problems' started by ozzymary, Jan 2, 2006.

  1. ozzymary

    ozzymary Guest

    Here is what I found on this. I wonder if it is safe to do this.
    Approx date first sighted: February 5, 2004
    Symptoms: IE pages being hijacked to www.31234.com on system startup and when changing homepage back, continuous errors about an invalid Registry script in temp2.txt, extra item in right-click menu of webpages named '??????'
    Cleverness: 2/10
    Manual removal difficulty: Involves a process killer, some Registry editing and restoring a Windows system file from CD
    This variant uses the filename msconfig.exe which overwrites the real Windows file in Windows 98/98SE/ME. The temp2.txt file it drops is actually a Registry script, but since it's in the wrong format, Windows 9x/ME will throw up an error about an invalid Registry script. Windows 2000/XP will import it without complaining, creating the '??????' item in the IE right-click menu. The msconfig.exe file will always stay in memory, reinstalling the hijack every 5 seconds. Killing the process, deleting the file and restoring the IE homepages/search pages fixes this hijack.

    The real Windows file msconfig.exe can be downloaded here, if you can't restore it from your Windows Setup CD for some reason.
     
  2. -kemisti-

    -kemisti- Active member

    @ozzymary: You don't have cws.msconfig. Msconfig just starts while booting; that is this line in the HjT log ->
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    You can fix this line, too.

    EDIT: I just checked that from merijn, you don't have this cws-variant.
     
    Last edited: Jan 2, 2006
  3. ozzymary

    ozzymary Guest

    I ran CWShredder and it says I have it.
     
  4. -kemisti-

    -kemisti- Active member

    Well, that must be a false alarm.
    You must have these lines in your HjT log if you have it, see here ->
    http://www.merijn.org/cwschronicles.html#msconfig

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html
    O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
    O4 - HKCU\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
    O8 - Extra context menu item: ?????? - C:\WINDOWS\system32\openme.htm

    And you don't have them.

    I guess CWShredder thinks that this line ->

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    is this line

    O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
     
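The false positive discussed in this thread comes down to two HijackThis O4 entries that both carry the name "msconfig" but point at different files. The script below is an added example, not code from the thread, from merijn.org or from HijackThis/CWShredder: it parses R0, O4 and O8 lines and applies the indicators quoted above (an msconfig.exe autostart in the SYSTEM folder, a start page hijacked to www.31234.com, and the openme.htm context-menu item) while treating the Windows XP PCHealth MSConfig autostart as legitimate. The two sample logs are constructed from the lines posted in the thread; the about:blank start page is an assumption used as a neutral value.

```python
import re

# Constructed sample log A: only the legitimate Windows XP MSConfig autostart
# (the line CWShredder mistook for the CWS variant) plus a neutral start page.
LOG_CLEAN = """\
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
"""

# Constructed sample log B: the lines merijn.org lists for CWS.msconfig.
LOG_INFECTED = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.31234.com/www/homepage.html
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.31234.com/www/homepage.html
O4 - HKLM\\..\\Run: [msconfig] C:\\WINDOWS\\SYSTEM\\msconfig.exe
O4 - HKCU\\..\\Run: [msconfig] C:\\WINDOWS\\SYSTEM\\msconfig.exe
O8 - Extra context menu item: ?????? - C:\\WINDOWS\\system32\\openme.htm
"""

# HijackThis line shapes as they appear in the thread.
LINE_RE = re.compile(r'^(?P<section>[RO]\d+) - (?P<body>.*)$')
O4_RE = re.compile(r'^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^(?P<key>.*?),(?P<value>[^=]+) = (?P<data>.*)$')
O8_RE = re.compile(r'^Extra context menu item: (?P<label>.*?) - (?P<target>.*)$')


def parse_hjt(text):
    """Turn HijackThis log text into a list of dicts keyed by section type."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and headers are skipped
        section, body = m.group('section'), m.group('body')
        entry = {'section': section, 'raw': raw.strip()}
        sub = None
        if section == 'O4':
            sub = O4_RE.match(body)
        elif section.startswith('R'):
            sub = R_RE.match(body)
        elif section == 'O8':
            sub = O8_RE.match(body)
        if sub:
            entry.update(sub.groupdict())
        entries.append(entry)
    return entries


def assess_cws_msconfig(entries):
    """Apply the CWS.msconfig indicators quoted in the thread.

    Returns a verdict of 'clean', 'suspicious' or 'infected'. On Windows 9x/ME the
    real msconfig.exe also lives in C:\\WINDOWS\\SYSTEM (the variant overwrites it),
    so the O4 path alone only rates 'suspicious'; the hijacked start page or the
    openme.htm context-menu item is needed to corroborate.
    """
    indicators = []          # (kind, raw line)
    legitimate_msconfig = [] # XP PCHealth autostart, the false-positive source
    for e in entries:
        if e['section'] == 'O4' and e.get('name', '').lower() == 'msconfig':
            cmd = e.get('cmd', '').lower()
            if '\\pchealth\\helpctr\\binaries\\msconfig.exe' in cmd:
                legitimate_msconfig.append(e['raw'])
            elif cmd.endswith('\\system\\msconfig.exe'):
                indicators.append(('o4_system_msconfig', e['raw']))
        elif e['section'].startswith('R') and '31234.com' in e.get('data', '').lower():
            indicators.append(('r_startpage_hijack', e['raw']))
        elif e['section'] == 'O8' and e.get('target', '').lower().endswith('\\openme.htm'):
            indicators.append(('o8_openme', e['raw']))

    has_o4 = any(kind == 'o4_system_msconfig' for kind, _ in indicators)
    has_corroboration = any(kind != 'o4_system_msconfig' for kind, _ in indicators)
    if has_o4 and has_corroboration:
        verdict = 'infected'
    elif indicators:
        verdict = 'suspicious'
    else:
        verdict = 'clean'
    return {'verdict': verdict, 'indicators': indicators,
            'legitimate_msconfig': legitimate_msconfig}


if __name__ == '__main__':
    for label, log in (('log A', LOG_CLEAN), ('log B', LOG_INFECTED)):
        result = assess_cws_msconfig(parse_hjt(log))
        print(label, result['verdict'])
        for kind, raw in result['indicators']:
            print('  ', kind, '->', raw)
        for raw in result['legitimate_msconfig']:
            print('   legitimate ->', raw)
```

Run it with a saved HijackThis log in place of the constructed strings; log A reproduces the poster's situation (verdict clean, PCHealth entry reported as legitimate) and log B the five lines from merijn.org (verdict infected).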
