Is it possible to actually delete/remove an entry in Startup from MSCONFIG?
I don't mean simply disable/uncheck the entry, but remove it completely. I
suffered a Trojan hit on my PC, and spent like 5 hours dealing with it. The
Trojan wrote an entry to Startup (ibm00003.exe). I've deleted the culprit in
the registry, I've deleted all the nasty files, and all is (hopefully)
copacetic -- but I still have this entry in Startup that I would like to go
away.
Thanks for your time and response.
Cheers,
- martyh

From: "martyh" <martyh@discussions.microsoft.com>

| Is it possible to actually delete/remove an entry in Startup from MSCONFIG?
| I don't mean simply disable/uncheck the entry, but remove it completely. I
| suffered a Trojan hit on my PC, and spent like 5 hours dealing with it. The
| Trojan wrote an entry to Startup (ibm00003.exe). I've deleted the culprit in
| the registry, I've deleted all the nasty files, and all is (hopefully)
| copacetic -- but I still have this entry in Startup that I would like to go
| away.
| Thanks for your time and response.
| Cheers,
| - martyh

You have a Password Stealing Trojan !


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Hi,

Check these keys in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

I'm betting you find the disabled entry in the last key.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"martyh" <martyh@discussions.microsoft.com> wrote in message
news:4BCB9045-84E3-4DE1-A0E7-13288F1FD74F@microsoft.com...
> Is it possible to actually delete/remove an entry in Startup from
> MSCONFIG?
> I don't mean simply disable/uncheck the entry, but remove it completely.
> I
> suffered a Trojan hit on my PC, and spent like 5 hours dealing with it.
> The
> Trojan wrote an entry to Startup (ibm00003.exe). I've deleted the culprit
> in
> the registry, I've deleted all the nasty files, and all is (hopefully)
> copacetic -- but I still have this entry in Startup that I would like to
> go
> away.
> Thanks for your time and response.
> Cheers,
> - martyh

martyh wrote:

> Is it possible to actually delete/remove an entry in Startup from MSCONFIG?
> I don't mean simply disable/uncheck the entry, but remove it completely. I
> suffered a Trojan hit on my PC, and spent like 5 hours dealing with it. The
> Trojan wrote an entry to Startup (ibm00003.exe). I've deleted the culprit in
> the registry, I've deleted all the nasty files, and all is (hopefully)
> copacetic -- but I still have this entry in Startup that I would like to go
> away.
> Thanks for your time and response.
> Cheers,
> - martyh

Registry Locations for Programs Removed with Msconfig

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

--
Rock
MS MVP Windows - Shell/User

On Sat, 31 Dec 2005 13:51:02 -0800, martyh
<martyh@discussions.microsoft.com> wrote:

>Is it possible to actually delete/remove an entry in Startup from MSCONFIG?

Regsupremepro can do this for you. There is a demo.
http://www.macecraft.com/regsupremepro/

Sean,

You can only disable the program from msconfig. To delete the entry all
together, open Regedit (Start > Run > regedit, OK), navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig. Delete the
folders located inside the 'startupreg' and/or 'startupfolder' key folders.
Before doing this, right-click the 'MSConfig' key folder and 'export' to
somewhere on your drive for backup. I've never had a problem doing this
though.

Drew

"Sean Cousins" <spam@off.invalid> wrote in message
news:2pler193cetrghr2pdudqlgra3cstootq5@4ax.com...
> On Sat, 31 Dec 2005 13:51:02 -0800, martyh
> <martyh@discussions.microsoft.com> wrote:
>
>>Is it possible to actually delete/remove an entry in Startup from
>>MSCONFIG?
>
> Regsupremepro can do this for you. There is a demo.
> http://www.macecraft.com/regsupremepro/

You may want to try STARTUP CPL, a very small utility by Mike Lin, used to
manage your startup programs. Came highly recommended in earlier NG's. If
interested;
http://www.mlin.net/StartupCPL.shtml


"Drew Tognola" <drewtognola@msn.com> wrote in message
news:uw124%23qDGHA.128@tk2msftngp13.phx.gbl...
> Sean,
>
> You can only disable the program from msconfig. To delete the entry all
> together, open Regedit (Start > Run > regedit, OK), navigate to:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig. Delete the
> folders located inside the 'startupreg' and/or 'startupfolder' key
> folders.
> Before doing this, right-click the 'MSConfig' key folder and 'export' to
> somewhere on your drive for backup. I've never had a problem doing this
> though.
>
> Drew
>
> "Sean Cousins" <spam@off.invalid> wrote in message
> news:2pler193cetrghr2pdudqlgra3cstootq5@4ax.com...
>> On Sat, 31 Dec 2005 13:51:02 -0800, martyh
>> <martyh@discussions.microsoft.com> wrote:
>>
>>>Is it possible to actually delete/remove an entry in Startup from
>>>MSCONFIG?
>>
>> Regsupremepro can do this for you. There is a demo.
>> http://www.macecraft.com/regsupremepro/
>
>

martyh wrote:
> Is it possible to actually delete/remove an entry in Startup from MSCONFIG?
> I don't mean simply disable/uncheck the entry, but remove it completely. I
> suffered a Trojan hit on my PC, and spent like 5 hours dealing with it. The
> Trojan wrote an entry to Startup (ibm00003.exe). I've deleted the culprit in
> the registry, I've deleted all the nasty files, and all is (hopefully)
> copacetic -- but I still have this entry in Startup that I would like to go
> away.
> Thanks for your time and response.
> Cheers,
> - martyh



Msconfig was designed to be a troubleshooting tool, not a "startup
configurer." To cease the selective startup notifications, either
return your settings to the way they were, or permanently remove the
undesirable programs from your startup configuration.

In most cases, with "well-mannered" applications, it's usually as
simple as opening the undesired program and deselecting the option to
"display icon in the system tray" or to "start when Windows starts."

Additionally, Look in the C:\Documents and Settings\All
Users\Start Menu\Programs\Start Up and C:\Documents and
Settings\username\Start Menu\Programs\Start Up folders, and in the
system registry, primarily in the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys.

How to Troubleshoot By Using the Msconfig Utility in Windows XP
http://support.microsoft.com/default...b;EN-US;310560


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

David,

I downloaded the Multi_AV.exe and ran all the included apps. Whew, took
like four hours! Anyhow, I did this in standard/normal Windows mode -- *not*
in Safe Mode yet as I had a couple questions.

I'm probably not as computer-savvy as I need to be to run this stuff; wasn't
sure about "killing" all running processes and probably had a few running in
the background. Will post the final summary logs below for all four
processes for your review; if you need to see the entire logs (some are quite
long, as I'm sure you know), I can post them.

About running in Safe Mode: I wasn't quite sure in the docs about the
explanation regarding a boot disc. I'm running XP under NTFS (I think those
are the correct letters!), and I'm assuming that the boot disc is *only*
necessary if one is having problems booting their PC because of the
viruses/trojans. I'm not having such a problem; PC boots fine. So do I
assume I just go into Safe Mode and run the apps from there? Hope I'm making
this all clear.

Anhow, here's the base results from the scans from the four apps in normal
mode:


KAV

Current object: c:\

Sector Objects : 0 Known viruses : 2
Files : 122323 Virus bodies : 3
Folders : 3330 Disinfected : 0
Archives : 14637 Deleted : 3
Packed : 747 Warnings : 0
Suspicious : 0
Scan speed (Kb/sec) : 0 Corrupted : 1
Scan time : 01:36:27 I/O Errors : 0


Scan process completed.

Result for all objects:

Sector Objects : 0 Known viruses : 2
Files : 122323 Virus bodies : 3
Folders : 3330 Disinfected : 0
Archives : 14637 Deleted : 3
Packed : 747 Warnings : 0
Suspicious : 0
Scan speed (Kb/sec) : 1388 Corrupted : 1
Scan time : 01:36:27 I/O Errors : 0
----------------------------------------------------

McAFEE

12/31/2005 15:55:23
Options: /ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL
/DEL /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML
"C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
Scanning C: []
Scanning C:\*.*
C:\WINDOWS\cpbrkpie.ocx ... Found potentially unwanted program CouponBar.
The file or process has been deleted.
Summary report on C:\*.*
File(s)
Total files: ........... 50932
Clean: ................. 50882
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1
Master Boot Record(s): ......... 3
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
Time: 00:20.51
----------------------------------------------------
SOPHOS
4 master boot records swept.
33928 files swept in 1 hour, 4 minutes and 10 seconds.
76 errors were encountered.
3 viruses were discovered.
3 files out of 33928 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
6 encrypted files were not checked.
Ending Sophos Anti-Virus.
----------------------------------------------------

TREND

2005-12-31, 15:48:24, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/31/2005 15:38:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 137 (117449 Patterns) (2005/12/29) (313700)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD
/LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=c:\AV-CLS\Trend

32608 files have been read.
32608 files have been checked.
25658 files have been scanned.
32999 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/31/2005 15:48:24 10 minutes 14 seconds (613.88 seconds) has
elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-31, 15:48:24, Scanner "c:\AV-CLS\Trend\VSCANTM.BIN" has finished
running.






"David H. Lipman" wrote:

> From: "martyh" <martyh@discussions.microsoft.com>
>
> | Is it possible to actually delete/remove an entry in Startup from MSCONFIG?
> | I don't mean simply disable/uncheck the entry, but remove it completely. I
> | suffered a Trojan hit on my PC, and spent like 5 hours dealing with it. The
> | Trojan wrote an entry to Startup (ibm00003.exe). I've deleted the culprit in
> | the registry, I've deleted all the nasty files, and all is (hopefully)
> | copacetic -- but I still have this entry in Startup that I would like to go
> | away.
> | Thanks for your time and response.
> | Cheers,
> | - martyh
>
> You have a Password Stealing Trojan !
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file. http://www.ik-cs.com/multi-av.htm
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

From: "martyh" <martyh@discussions.microsoft.com>

| David,
|
| I downloaded the Multi_AV.exe and ran all the included apps. Whew, took
| like four hours! Anyhow, I did this in standard/normal Windows mode -- *not*
| in Safe Mode yet as I had a couple questions.
|
| I'm probably not as computer-savvy as I need to be to run this stuff; wasn't
| sure about "killing" all running processes and probably had a few running in
| the background. Will post the final summary logs below for all four
| processes for your review; if you need to see the entire logs (some are quite
| long, as I'm sure you know), I can post them.
|
| About running in Safe Mode: I wasn't quite sure in the docs about the
| explanation regarding a boot disc. I'm running XP under NTFS (I think those
| are the correct letters!), and I'm assuming that the boot disc is *only*
| necessary if one is having problems booting their PC because of the
| viruses/trojans. I'm not having such a problem; PC boots fine. So do I
| assume I just go into Safe Mode and run the apps from there? Hope I'm making
| this all clear.
|
| Anhow, here's the base results from the scans from the four apps in normal
| mode:
|
< snip >

| C:\WINDOWS\cpbrkpie.ocx ... Found potentially unwanted program CouponBar.

< snip >

I wouldn' woory about running it in safe Mode Except for the one piece of adware above,
your PC is clean. That's good.

Since IBM00003.EXE is a Torpig Trojan variant and is a Password Stealing Trojan, I suggest
you change any/all passwords that you have used in conjunction with the computer

http://www.sophos.com/virusinfo/anal...ojtorpigg.html

http://vil.nai.com/vil/content/v_136035.htm

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm