OK, I seem to have gotten rid of the virus a few hours after I got it, which was around August 4th, and I’ve been clean. The weird thing is 2 of the programs associated with it, wuammgr32.exe and rasmngr.exe, are still in my startup when I type in msconfig. What it seems like is I got rid of the virus but there are leftovers, and they can’t work because the virus was deleted.
How can I remove them, and am I safe in assuming above that I’m OK?
No, you are not safe (yet!). But don’t worry, we will help you. For a start do two things. Set Avast to thorough and run a full system scan. After that, run HijackThis and post your log here.
I ran an in-depth scan, which picked up nothing, and I hope the log below is the right one.
Logfile of HijackThis v1.98.2
Scan saved at 4:11:36 PM, on 8/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
OK, well, my question is: when I run msconfig, why are they still listed in my startup? They’re just disabled. I enabled each of them once the other night and nothing! So what’s the possible explanation for this? Should I still worry, because SDBOT was a pain to get off?
If you are SURE that the files which correspond to the disabled msconfig entries are gone, then re-enable their entries in msconfig, make a new HJT log (maybe after a reboot) and fix them there (it should now say “no file” in the line), or do a manual search in the registry, or use some regCleaner.
P.S.:
IMHO HJT doesn’t list startup entries that are disabled via MSCONFIG, as they are inactive… (that’s why you don’t see them in HJT)
OK, there they are, and this is an update from this post: I found the Rascon one and deleted it from the registry, so when I type in msconfig it’s out of there, but the wuammgr32.exe is still there.
→ Seems you didn’t enable everything in MSCONFIG yet:
MSConfig
or
MSConfigReminder
msconfig.exe
This is an entry that appears when you uncheck an item in the Startup group, and will disappear if on the next reboot you select the option to not be reminded that you are running in Selective Startup mode.
Logfile of HijackThis v1.98.2
Scan saved at 10:53:42 PM, on 8/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Disabling things from loading in msconfig means they will be removed from the registry, but the keys are backed up in a temp file. MSConfig under XP is NOT for removing things, just for troubleshooting. To remove things from loading at boot time use regedit, or (safer and easier) StartUp.cpl.
Since you remove things from the registry on a temporary basis with msconfig, HJT doesn’t see the hklm.…\run lines with things you temporarily disabled. HJT reports only active things. Why mention something that isn’t there/running? It’s not harmful, so why report it?
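As an added example (not part of the thread or any poster's own code), this PowerShell sketch lists both the active Run entries and the ones msconfig has unchecked, and shows whether each target file still exists. It assumes the Windows XP-era layout in which msconfig records unchecked registry startup items under `HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg`, a location the thread does not name; the function and variable names are hypothetical.

```powershell
# Added example: audit startup entries, including ones parked by msconfig.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Assumption: XP-era msconfig keeps unchecked registry startup items here.
$parkedKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
# File names mentioned in the thread.
$watch = 'wuammgr32.exe', 'rasmngr.exe'

function Get-ExePath([string]$Command) {
    # Extract the executable from a command line, quoted or unquoted.
    if ($Command -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function New-Row([string]$State, [string]$Name, [string]$Command) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $Command))
    New-Object PSObject -Property @{
        State   = $State
        Name    = $Name
        Command = $Command
        # Full paths are checked directly; bare file names are looked up on PATH.
        FileExists = ($exe -and [bool](Get-Command $exe -ErrorAction SilentlyContinue))
        # True when the target file name is one of the names from the thread.
        Watch      = ($exe -and ($watch -contains (Split-Path $exe -Leaf)))
    }
}

$rows = @(
    foreach ($path in $runKeys) {
        if (Test-Path $path) {
            $key = Get-Item $path
            foreach ($n in $key.GetValueNames()) {
                New-Row 'Active' $n $key.GetValue($n)
            }
        }
    }
    if (Test-Path $parkedKey) {
        # Each subkey is one unchecked item; its 'command' value is the original Run data.
        Get-ChildItem $parkedKey | ForEach-Object {
            New-Row 'DisabledByMsconfig' $_.PSChildName $_.GetValue('command')
        }
    }
)
$rows | Sort-Object State, Name |
    Format-Table State, Name, FileExists, Watch, Command -AutoSize
```

A row with `State` of `DisabledByMsconfig` and `FileExists` of `False` is a leftover entry whose file is gone; a `Watch` row with `FileExists` of `True` means the file itself is still on disk.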
Well, it was related to the virus, so I was on edge.
What I did was I managed to delete the rsgmgr out of my comp with regedit, then I ran msconfig and activated the remaining one and fixed/deleted it with HijackThis, so my startup is clean.