Gizmos Freeware Reviews  

#1, 07. Dec 2010, 06:10 AM, Feline (Full Member, joined Oct 2010, 41 posts)
Please help - Virus or Trojan - squares in msconfig startup

Hello,

please help, as I fear my computer is infected. When I run msconfig, it shows entries that weren't there before. The 'names' are merely squares, most likely representing some foreign font. The entries are:

HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Run
HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Load
Software\Microsoft\WindowsNT\Currentversion\Windows
Software\Microsoft\WindowsNT\Currentversion\Windows

I've unchecked them and Windows started telling me it cannot find 'two squares' etc. Nonetheless, the entries are back, checked.


CCleaner shows an unchecked row of squares and one new entry that wasn't there before:

C:\Windows\PCHealth\Helpctr\Binaries\MsConfig.exe /auto

(This one doesn't show up in run> msconfig, so I surmise it is one of the lines with squares)

MalwareBytes found nothing.

Super AntiSpyware found a malware tracker (the first in months) and removed it, but the system restarted just the same as before, with the cryptic squares in startup.

On a second full scan, SAS found nothing.

Sophos Anti-Rootkit found nothing in Running Processes and Windows Registry, only flagged c:\Program Files\Opera\opera.dll
(I might add that Opera has been there for months and wasn't flagged before)

Avira Antivir Full scan found nothing.



Ironically, the whole mess started with updating Malwarebytes from 1.46 to 1.50, which is more than confusing. I'll try to begin from the start.

First, I updated MBAM, by simply using the program's feature to install the new version over the old.

Then, I ran a full scan. MBAM detected trojans in my Sun Java. Trusting MBAM and not really needing Java anyway, I uninstalled Java (using Revo Uninstaller). Though, it might have been a false positive.

Then, after the next system start I noticed Avira demanding to connect to the internet, which it never did before, causing Sygate to note the failed attempt as the computer wasn't even online. (My usual morning routine is drinking coffee, going online and updating Avira, SuperAntiSpyware and MBAM, so none of the three sits there with outdated defs or some such.)

I also run quick scans every morning with MBAM and SAS, neither found anything.

Next morning, same thing, Sygate showed Avira trying to go online and I checked the msconfig startup to see if there was anything wrong, thus detecting two of the strange entries. I unchecked them and restarted, and they were back (see above).


As said, the only change to the system was the program's updating of Malwarebytes from 1.46 to 1.50. Other than that, nothing was downloaded or installed (except, of course, for the daily updates of Avira, MBAM, SAS).

I always use Sandboxie for surfing and the sandbox is deleted by closing it.

I run CCleaner every day.

My last addition to the system before MBAM 1.50 was the Caminova DjVu plugin, which I installed Nov 28. I doubt it was 'the culprit'. I installed it under Time Freeze and checked the system before I 'let it go'.

Unfortunately, I took no such precautions with MalwareBytes, as I really trusted the program. I'm still not sure if MBAM is to blame. But I have no clue where else this could come from. I did not visit any dubious websites, watched no movies, got no email attachments, nothing.

I don't know what to do. I'm thinking of uninstalling MalwareBytes, but I somehow cannot believe MalwareBytes is a virus, or shoveled one in.

And none of my antivirus/antimalware/anti-whatever finds ANYTHING!

I really hope someone can help,

thanks so much

Feline

#2, 07. Dec 2010, 06:26 AM, J_L (Co-Author, Best Free Security List, joined Dec 2008, 1,475 posts)

Try scanning with Hitman Pro and Emsisoft Emergency Kit. They're both freeware, although Hitman Pro has a 30-day removal trial license.
If you still suspect something, try G Data BootCD, which is an .iso file that you can burn onto a CD-ROM and boot from. No malware will be active when you use it.

Please report back your results.

#3, 07. Dec 2010, 07:22 AM, bo.elam (Senior Member, joined Nov 2009, 1,224 posts)

Feline, I cannot tell if you are infected or not, but MBAM not finding anything, not even a single infected registry key, makes me think that you are OK. Do you see or feel any signs of an infection?

Bo

#4, 07. Dec 2010, 10:15 AM, Feline (Full Member, joined Oct 2010, 41 posts)

Thanks for your replies!

I've downloaded Emsisoft Emergency Kit and it has been scanning ever since, but so far has not found anything. It's already at the last data drive, so there probably won't be any detection at all.

In the meanwhile, I've uninstalled MBAM - and now I'm unsure if I should reinstall the old version 1.46 or the new one, 1.50. I don't want to trash it, I always thought it was a good program.

As for the strange entries in the startup, I've managed to 'get rid' of them by choosing selective startup in msconfig and unchecking 'process system.ini file' and 'process win.ini file'. The computer starts up without them quite well.

Unfortunately, I have one age-old program that I still need, and this one needs the win.ini. It won't start without it.

Also, I feel that with this method I merely shoved the problem under the carpet. As soon as the win.ini is back in, or the system starts with a normal startup, the strange entries are back.

I can't even tell if they 'do' anything, other than that Windows starts searching for all kinds of unidentifiable stuff (as the names are just squares) which it cannot find. I can click every message 'ok' and that's that. No other visible consequences.

But, this can't be right, and I don't think it is recommendable to just leave them there. The strange squares suggest that they are in a different language for which Windows has no font, this alone is a sign that they do not belong there.


For now, the entries are not loaded due to the win.ini and system.ini not being loaded, but as said, I need the win.ini, and I want my normal comp back.

I'm pretty clueless as to what to do next...


Feline

#5, 07. Dec 2010, 10:35 AM, mrpink (Senior Member, joined Apr 2010, 177 posts)

Why don't you grab a copy of System Explorer first? Then go to startup, highlight these entries, right click them and you can directly scan them with VirusTotal to see if they are malicious. And you can check for info at Google, ProcessLibrary or System Explorer's webpage directly from the UI. And then go from there.
Since SAS found malware, maybe there was/is something in your system. I don't think MBAM has something to do with it, but who knows? Maybe you should take a look at their forum and see if anyone else had similar issues with it.

And Feline, if I were you I would scan with Hitman, Prevx and DrWebCureIt for the possibility of having a rootkit that the other scanners missed. But be careful about false positives; you don't have to delete right away every file that an antimalware program says is malicious. You should do a little research first.

Last edited by mrpink; 07. Dec 2010 at 10:49 AM.

#6, 07. Dec 2010, 02:41 PM, Feline (Full Member, joined Oct 2010, 41 posts)

Thank you! That's a good idea to look up a Malwarebytes forum, I should have done that right away.

For now, I've downloaded Dr. Web Cureit and ran both the Express scan and a complete scan for drive C. It did not find anything.

I also looked up SuperAntiSpyware's quarantine folder to see what exactly it caught this morning. It's a thing called
'Malware.Trace - HKLM\Software\Microsoft\WindowsNT\Currentversion\Winlogon (taskman - )'

Given the locations of the startup entries, I'm beginning to think that SAS has probably quarantined the malware but forgotten its traces in the startup, as Windows searches for it but cannot find it when win.ini and system.ini are loaded.

MrPink, I've been to the page you linked to for System Explorer but some of the comments were a tad discouraging.

I'm still a bit uncertain with new programs now after it all started with MBAM - one of the very few programs I trusted blindly.

Thanks,

Feline

#7, 07. Dec 2010, 04:44 PM, Taurus (Senior Member, joined Jul 2009, Northeast US, 422 posts)
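The thread so far has collected the autostart locations involved by hand: the Run and Load values under the Windows NT\CurrentVersion\Windows key (what msconfig shows as "...\Windows:Run" and ":Load", and what the "process win.ini file" checkbox controls), the Winlogon "taskman" value that SAS quarantined, and entry names that render as squares. The following read-only triage script is an added example written for this thread, not code from any poster or from the tools mentioned. It lists those values, prints the hex code points of each name so squares become readable, and flags names with characters outside printable ASCII or commands whose executable cannot be found on disk. It assumes Windows with PowerShell 3 or later and that win.ini lives at $env:windir\win.ini; it changes nothing and is meant to give something concrete to look up before deleting anything, as mrpink advised.

```powershell
# Added example (not from the thread): read-only triage of the legacy autostart
# locations discussed above. Nothing is modified; results are only reported.
# Assumed environment: Windows, PowerShell 3+, elevated prompt so HKLM is readable.

$registryKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Only these value names are executed at logon; other values in these keys are settings.
$executedValueNames = @('Run', 'Load', 'Shell', 'Userinit', 'Taskman')

function Get-CodePoints {
    # Hex code point of every character, so a name shown as squares becomes readable.
    param([string]$Text)
    return (($Text.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' ')
}

function Test-OddName {
    # True if the text contains any character outside printable ASCII (0x20-0x7E).
    # Such characters are what msconfig renders as squares when no font has the glyph.
    param([string]$Text)
    return [bool]($Text -match '[^\x20-\x7E]')
}

function Resolve-CommandTarget {
    # Return the executable a command line refers to, or $null if it cannot be found.
    # Handles quoted paths, trailing arguments (e.g. "/auto"), the trailing comma of the
    # default Userinit value, and bare names like explorer.exe resolved through PATH.
    # Limitation: an unquoted path containing spaces is cut at the first space.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd -eq '') { return $null }
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($cmd -split '[\s,]+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        return (Resolve-Path -LiteralPath $exe).Path
    }
    $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
    if ($found) { return $found.Source }
    return $null
}

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $registryKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $executed = $executedValueNames -contains $name
            $odd = Test-OddName $name
            # Report a value only if Windows runs it or if its name looks foreign.
            if (-not ($executed -or $odd)) { continue }
            $value = [string]$item.GetValue($name)
            $entries += [pscustomobject]@{
                Location   = $key
                Name       = $name
                CodePoints = Get-CodePoints $name
                Command    = $value
                Target     = Resolve-CommandTarget $value
                OddName    = $odd
            }
        }
    }
    # win.ini [windows] run= / load= lines: the "process win.ini file" checkbox in msconfig.
    $winIni = Join-Path $env:windir 'win.ini'   # assumed location
    if (Test-Path -LiteralPath $winIni) {
        $inWindows = $false
        foreach ($line in Get-Content -LiteralPath $winIni) {
            if ($line -match '^\s*\[(.+)\]') { $inWindows = ($Matches[1] -eq 'windows'); continue }
            if ($inWindows -and $line -match '^\s*(run|load)\s*=\s*(.*)$' -and $Matches[2].Trim() -ne '') {
                $entries += [pscustomobject]@{
                    Location   = $winIni
                    Name       = $Matches[1]
                    CodePoints = Get-CodePoints $Matches[1]
                    Command    = $Matches[2]
                    Target     = Resolve-CommandTarget $Matches[2]
                    OddName    = Test-OddName $Matches[2]
                }
            }
        }
    }
    return $entries
}

# CHECK marks a foreign-looking name or a command whose executable is missing:
# exactly the "Windows cannot find ..." situation described in the thread.
Get-AutostartEntries |
    Select-Object Location, Name, CodePoints, Command, Target, OddName,
        @{ n = 'Flag'; e = { if ($_.OddName -or ($_.Command -ne '' -and -not $_.Target)) { 'CHECK' } else { '' } } } |
    Format-Table -AutoSize -Wrap
```

A row flagged CHECK with a missing Target and odd CodePoints is a leftover reference to something that is no longer on disk (consistent with a scanner having removed the file and left the registry value behind); a row whose Target resolves to a real file is the one worth submitting to VirusTotal before deciding anything.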

Quote (originally posted by bo.elam):
    Feline, I cannot tell if you are infected or not, but MBAM not finding anything, not even a single infected registry key, makes me think that you are OK. Do you see or feel any signs of an infection?

    Bo

Very good question, Bo. Feline, is your machine running and acting normally? When you surf the web, is your browser redirected? Do normal, everyday activities on your computer seem different in any manner? You have used a lot of different scanners and they all turn up pretty much nothing.

T

#8, 07. Dec 2010, 04:56 PM, deya (Senior Member, joined Oct 2009, UK, 528 posts)

@ Feline - have a look at this thread in the SAS forum. Is it the same problem you're having?

#9, 07. Dec 2010, 05:30 PM, Taurus (Senior Member, joined Jul 2009, Northeast US, 422 posts)

Ninja'd by deya.

#10, 07. Dec 2010, 06:18 PM, Feline (Full Member, joined Oct 2010, 41 posts)

Thank you all!

Taurus - no, I'm actually having no problems whatsoever since I did the selective startup with win.ini and system.ini deactivated.

Sadly, this is not a solution, as I will need the win.ini at a later time.

I've posted in the Malwarebytes forum and as of now one other user has replied who has the exact same problem on two of his computers; according to him it also appeared after updating MBAM. As I understood, one of his computers is giving him some trouble going online.

Deya, thanks so much for the link, I think I might sign up there. It seems the same problem, but I'm not so sure if it is a false positive. I mean, suddenly having cryptic hieroglyphs in my startup and not being able to run win.ini without all kinds of 'not found' messages popping up cannot be normal.

Thank y'all

Feline

All times are GMT +1.