HELP--regedit, msconfig, mslaugh.exe



shaffy
03-23-2004, 09:24 PM
My desktop came with Win 98, but I've been using Win XP Pro for a while now... I just did a clean install and then upgraded to Win XP Pro, but I'm having some major problems. Regardless of how many times I install SP1, it keeps telling me that I still have more patches. I'm also not able to install McAfee Personal Firewall or Anti-Virus. When I start the PC I get an error about hpppt.exe, which is related to the HP scanner, and I found out how to fix it on HP's site -- you have to edit the registry. However, the registry window doesn't stay open long enough for me to fix it... the same is true for msconfig. I saw that mslaugh.exe was running on my system by hitting Ctrl+Alt+Delete. I scanned my system with a free online virus scan -- since I can't install my own -- and found 2 files were infected and couldn't be cleaned, so I deleted those and restarted my computer. I ran the online scan again and found nothing. But I'm still having the same problems.


Please help!!!

superdrumr
03-23-2004, 09:39 PM
If you have access to a functioning computer, try pulling out the HD, setting it as a slave in the other one and scanning it with an antivirus program there. Or try Safe Mode (since that disables most peripherals); you might be able to get into the registry or msconfig and play around.

shaffy
03-23-2004, 09:43 PM
No, I don't have access to another PC... was having problems with the laptop as well -- Toshiba is taking care of that one.

Budfred
03-23-2004, 10:31 PM
Try downloading and running a trojan cleaner like a2:

http://www.emsisoft.com/en/software/free/

Then download and run spyware scans (Spybot and Ad-Aware) followed by running HijackThis... To run HJT, extract it to a permanent folder such as C:\Documents or one you create like C:\HJT. Close all programs you have open and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log. When the log window appears, right-click to Copy it, open your browser and come here to Paste the log. Do not make any changes until it is checked, since most items are either benign or essential to the computer.

If you can't download and run these, you may have SmartSearch and we will need to try some other options...

shaffy
03-24-2004, 12:30 AM
OK, did that... a² didn't find anything; however, I found quite a few things with Ad-Aware and Spybot. Here is the log from HijackThis... I know it doesn't show that I have applied SP1, but I'm not able to -- although I do get a message that the installation was successful :confused:
Still can't install McAfee.

Logfile of HijackThis v1.97.7
Scan saved at 8:25:05 PM, on 3/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\configldr.exe
C:\WINDOWS\System32\mslaugh.exe
C:\WINDOWS\System32\teekids.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\dvdupgrd.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\Airsvcu.exe
C:\Program Files\HP PhotoSmart\P1000\ereg\Remind32.exe
C:\WINDOWS\System32\svchost.exe
M:\Vsc\Enu\setup.exe
M:\Vsc\Enu\mcappins.exe
C:\Documents and Settings\Shaffy\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Configuration Loader] configldr.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Media Manager Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE
O4 - Global Startup: Reminder-hpc40415.lnk = C:\Program Files\HP PhotoSmart\P1000\ereg\Remind32.exe
O4 - Global Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Global Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38068.0356481482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanks for the help!

Budfred
03-24-2004, 01:21 AM
You have some garbage installed, so let's use HJT to clean it up and see if that makes it work better. Before you do that, you may want to move HJT into a folder like C:\HJT; it will leave backups all over your desktop where it is now.... Then close all open windows and your browser, open HJT and mark/fix:

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Configuration Loader] configldr.exe

Then you will need to reboot into Safe Mode, find and remove these:

C:\WINDOWS\System32\configldr.exe
C:\WINDOWS\System32\mslaugh.exe
C:\WINDOWS\System32\teekids.exe

When you are done, reboot, run HJT and post a fresh log back here....
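
Budfred's two steps above (fix the O4 entries in HJT, then delete the dropped files in Safe Mode) map directly onto the registry values and file paths that appear in the log. The script below is an added example, not part of the original thread and not HijackThis's own code: it parses the O4 lines (the sample text is constructed from the first log posted in this thread), and for a list of executable names it produces the Run/RunServices values to delete and the files to remove, rendered as reg.exe/del lines for a person to review rather than executed. Two assumptions are built in: a bare filename in a Run value is taken to live in C:\WINDOWS\System32, because that is where the log's process list showed these three, and HJT's HKLM\..\Run shorthand is expanded to Software\Microsoft\Windows\CurrentVersion\Run.

```python
"""Parse the O4 (autorun) lines of a HijackThis log and turn a list of
executables to remove into the registry values and files that need deleting."""
import ntpath
import re

# HJT abbreviates HKLM\..\Run; this is the key the ".." stands for.
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"
# Assumption: bare names in Run values resolve through the search path; the
# posted process list showed them in System32, so that is where we expect them.
ASSUMED_DROP_DIR = r"C:\WINDOWS\System32"

# Constructed sample: O4 lines taken from the first log posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Configuration Loader] configldr.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Global Startup|Startup): (.*?) = (.*)$")


def executable_of(command):
    """Pull the program out of a Run-value command line: the quoted part if
    quoted, otherwise the first whitespace-separated token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def resolve(exe):
    """Give a bare filename the directory we assume it was dropped in."""
    return exe if ntpath.dirname(exe) else ntpath.join(ASSUMED_DROP_DIR, exe)


def parse_o4(log_text):
    """Return one dict per O4 line: registry Run-style values and startup-folder links."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append({"kind": "registry", "hive": hive, "key": key,
                            "name": name, "exe": resolve(executable_of(command))})
            continue
        m = STARTUP_RE.match(line)
        if m:
            folder, link, target = m.groups()
            entries.append({"kind": "startup", "folder": folder, "name": link,
                            "exe": target.strip()})
    return entries


def plan_removal(log_text, targets):
    """For executables in `targets` (basenames, case-insensitive) list the
    registry values, startup shortcuts and files that carry them."""
    wanted = {t.lower() for t in targets}
    reg_values, shortcuts, files = [], [], set()
    for e in parse_o4(log_text):
        if ntpath.basename(e["exe"]).lower() not in wanted:
            continue
        if e["kind"] == "registry":
            reg_values.append((e["hive"] + "\\" + CURRENT_VERSION + "\\" + e["key"], e["name"]))
        else:
            shortcuts.append((e["folder"], e["name"]))
        files.add(e["exe"])
    return {"registry": reg_values, "shortcuts": shortcuts, "files": sorted(files)}


def render_commands(plan):
    """cmd.exe lines for review (reg.exe ships with Windows XP); nothing is run here."""
    cmds = [f'reg delete "{key}" /v "{name}" /f' for key, name in plan["registry"]]
    cmds += [f'rem delete shortcut "{link}" from the {folder} folder' for folder, link in plan["shortcuts"]]
    cmds += [f'del /f "{path}"' for path in plan["files"]]
    return cmds


if __name__ == "__main__":
    for cmd in render_commands(plan_removal(SAMPLE_LOG, ["mslaugh.exe", "teekids.exe", "configldr.exe"])):
        print(cmd)
```

The output is a plan, not an action: a legitimate entry named in the target list (the MSConfig one, say) would be listed just like the worm's, which is exactly why the thread has a person read the log before anything is fixed.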

shaffy
03-24-2004, 01:55 AM
Originally posted by Budfred:

Then you will need to reboot into Safe Mode, find and remove these:

C:\WINDOWS\System32\configldr.exe
C:\WINDOWS\System32\mslaugh.exe
C:\WINDOWS\System32\teekids.exe

When you are done, reboot, run HJT and post a fresh log back here....

I did not find any of the above listed.

New log...

Logfile of HijackThis v1.97.7
Scan saved at 9:50:14 PM, on 3/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\dvdupgrd.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\Airsvcu.exe
C:\Program Files\HP PhotoSmart\P1000\ereg\Remind32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Media Manager Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE
O4 - Global Startup: Reminder-hpc40415.lnk = C:\Program Files\HP PhotoSmart\P1000\ereg\Remind32.exe
O4 - Global Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Global Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38068.0356481482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks

shanmuga
03-24-2004, 02:07 AM
You need to remove this also:

O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe

Mslaugh.exe and teekids.exe are indications of the Blaster/Lovesan virus, which is difficult to eradicate completely. I would suggest that you follow the instructions in the links for complete removal, apply all the security patches and post a fresh HJT log for review.


http://www.pchell.com/virus/msblast.shtml
Blaster worm - How to Recover (http://www.techstuff.ca/archives/394.html)
http://www.kellys-korner-xp.com/xp_qr.htm#rpc
http://support.microsoft.com/default.aspx?kbid=826234

shaffy
03-24-2004, 12:37 PM
Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 8:32:39 AM, on 3/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\a2\a2guard.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Common Files\Microsoft Shared\Media Manager\Airsvcu.exe
C:\Program Files\HP PhotoSmart\P1000\ereg\Remind32.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Media Manager Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE
O4 - Global Startup: Reminder-hpc40415.lnk = C:\Program Files\HP PhotoSmart\P1000\ereg\Remind32.exe
O4 - Global Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38068.0356481482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Is it OK if I fix the following?

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async

shanmuga
03-24-2004, 02:16 PM
What happened to the errors and problems posted in your original post? Are they gone? Looks like you have been able to install McAfee. A little feedback about how you got rid of Blaster/Lovesan and how you were able to install McAfee would help others... including me... :)

The log you have posted looks clean of malware. Msdxm.ocx is an ActiveX control used by Windows Media Player. It's needed if you plan to use WMP. Can't find any info on DVDUpgrd.exe; right-click it and check the properties.

These are not malware, but they are not needed at startup, hence can be removed safely. I think they can be disabled from the Control Panel or through the programs' own options.

O4 - Global Startup: Reminder-hpc40415.lnk = C:\Program Files\HP PhotoSmart\P1000\ereg\Remind32.exe
O4 - Global Startup: Media Manager Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE
O4 - Global Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE

shaffy
03-25-2004, 03:31 AM
What happened to the errors and problems posted in your original post? Are they gone?
YES... everything is history now :) thanks to all the advice I got from here :D I'm a happy camper.

Looks like you have been able to install McAfee. A little feedback about how you got rid of Blaster/Lovesan and how you were able to install McAfee would help others... including me... :)
This is what I think was happening: something was closing the installation windows -- probably the same program that was closing regedit and msconfig.. hence SP1 wasn't really getting installed on my system even though I was getting the "installation was successful" message. Somehow I was able to install HijackThis when I wasn't able to install anything else -- I guess the time it took to install HijackThis wasn't long, and it didn't give the virus (or whatever it was) a chance to close it. After fixing the problems which Budfred and you suggested, I was able to install both Spybot and Ad-Aware. After removing what Spybot and Ad-Aware found, I was able to install McAfee. McAfee found a couple of things (it wasn't mslaugh or teekids... I can't find the McAfee log, so I can't say what it was, sorry :o ). After that I was able to install SP1 and everything is working just fine :D

shanmuga
03-25-2004, 03:55 AM
OK, thanks for replying. Did you apply the Windows XP DCOM/RPC Exploit patch (http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en)? To make sure that you really got rid of the worm, do the following:

Turn off System Restore.
Using Windows Search, look for the files named mslaugh.exe and teekids.exe.
Ensure that searching inside system and hidden folders is enabled.
Delete the files if found.
Empty the Recycle Bin; the worm can reinfect even if the files are in the Recycle Bin.
Reboot the computer, reconnect the network, update your antivirus software, and run a thorough virus scan.

Now check for the worm again; if it returns, complete these steps once more until the virus is gone. With the patch in place, the virus won't be able to exploit the system, but sometimes it is difficult to remove the files for good.
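
shanmuga's checklist above boils down to two mechanical steps: a case-insensitive hunt for the worm's filenames that does not skip hidden or system folders, and a deletion that leaves no copy behind in the Recycle Bin. The Python below is an added example, not code from the thread or from any of the tools named in it: it performs those two steps against a constructed directory tree built in a temporary folder, seeded with copies under a System Volume Information folder and a RECYCLER folder to show why those locations matter. It does not touch System Restore or the real Recycle Bin, and a file it cannot delete (typically because the worm process still holds it) is reported rather than silently skipped, which is the case Safe Mode or slaving the drive exists for.

```python
"""Hunt for named worm files across a tree (hidden and system folders included)
and delete them outright, reporting anything that could not be removed."""
import os
import stat
import tempfile

WORM_NAMES = ["mslaugh.exe", "teekids.exe"]  # the names from this thread's log


def find_named_files(root, names):
    """Case-insensitive search for `names` under `root`. Unlike the Windows
    Search defaults, os.walk descends into hidden and system folders, so a
    copy parked under System Volume Information or RECYCLER is still found."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in filenames if f.lower() in wanted)
    return sorted(hits)


def remove_files(paths):
    """Delete each path, clearing a read-only bit first. os.remove bypasses the
    Recycle Bin, so nothing is left to reinfect from. Returns (removed, failed);
    a failure usually means the worm is still running and holding the file,
    i.e. do this from Safe Mode or with the disk slaved to a clean machine."""
    removed, failed = [], []
    for p in paths:
        try:
            os.chmod(p, stat.S_IWRITE)
            os.remove(p)
            removed.append(p)
        except OSError:
            failed.append(p)
    return removed, failed


def build_demo_tree():
    """Constructed sample tree; the layout only mimics an XP system drive."""
    root = tempfile.mkdtemp(prefix="sweep_")
    layout = {
        "WINDOWS/System32/MSLAUGH.EXE": b"worm",  # different case on purpose
        "WINDOWS/System32/teekids.exe": b"worm",
        "WINDOWS/System32/svchost.exe": b"legit, must survive the sweep",
        "System Volume Information/_restore/teekids.exe": b"restore-point copy",
        "RECYCLER/S-1-5-21-1/mslaugh.exe": b"copy sitting in the recycle bin",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    hits = find_named_files(demo, WORM_NAMES)
    removed, failed = remove_files(hits)
    print(f"found {len(hits)}, removed {len(removed)}, could not remove {len(failed)}")
    for p in failed:
        print("still present (in use?):", p)
```

Run it a second time after a reboot, as the post says: an empty result from find_named_files is the check that the files are really gone, and a non-empty `failed` list is the signal to stop and go offline with the disk rather than keep retrying.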

mjc
03-25-2004, 02:14 PM
something was closing the installation windows -- probably the same program that was closing regedit and msconfig..

Yes, that something was the virus you had; the closing of those items is its self-defense to prevent removal.

There were some other ways of defeating it if you could get by with the above methods.

shaffy
03-25-2004, 04:22 PM
Let's say I wasn't able to install anything; then what would be the other way -- just so I know, if it (God forbid) comes back to haunt my PC?

mjc
03-25-2004, 06:03 PM
One of the first steps is to change the name of some of the tools used, as often these things just key in on a specific name.

Another is to slave the infected drive to a known clean machine and use the tools from the clean install.

shaffy
03-25-2004, 07:18 PM
OK....
I would also like to say thanks to everyone who helped me and those who put this forum together.