Removing items from MSCONFIG after WMF exploit



OK, so, I’m busy killing off running processes and fire up MSConfig to try to keep them from coming back on the next boot. To launch msconfig go to start, run… type in msconfig and click ok. The startup tab is where we’re looking for programs running at startup (makes sense…) This is a bit easier and more straightforward than visiting the run entry in the registry. It does combine a few locations into one place.


That much said, one or two visits I made were in the registry currentversion/run key that msconfig gives a listing for. Anyway, here’s what I found THERE….

There was an entry called system which was set to c:windowswsystem32kernels64.exe and xp_system which is set to c:windowsinet20001winlogon.exe in addition winstall.exe was run from c:winstall.exe

I was able to get rid of kernels64.exe and winstall.exe (they had been killed from memory using task manager.) Winlogon was running (two copies, system process and user process, the user process was coming from the strange directory inet20001 which is not a legit windows directory.)

The process of disabling did take a couple boots and the registry fix to run Task Manager had to be run each time as I tried to “kill” off running processes.

Related Posts

Blog Traffic Exchange Related Posts
  • Task Manager Suspicious Processes after WMF exploit After getting into Task Manager I saw a number of suspicious processes. There were a lot of things running as my user that I didn't recognize. kernels64.exe, vxgame6.exe, vxgame4.exe, mm4.exe, vxh8jkdq2.exe, netsh.exe, cmd.exe, winstall.exe, vxgamet4.exe, vxgame2.exe covers most of the list of suspect entries. netsh and cmd are both legit......
  • Microsoft December 2005 Security updates Sans has the tip that information on the critical Windows updates expected tomorrow from Microsoft has started to be released. MS 05-54: Cumulative Security Update for Internet Explorer This will hopefully patch the javascript issues... MS 05-55: Vulnerability in Windows Kernel Could Allow Elevation of Privilege. More later in the......
  • Disinfecting a PC… part 7 Ok, another reboot after the BHO cleaning. Things are a good deal more responsive now, less disc swapping going on. (I suspect that those three missing BHO entries may have been causing the slow down, but I don't know.) Installing wintop so that processes can be monitored. Also, getting spybot......
Blog Traffic Exchange Related Websites
  • Cleaner For Registry Errors The operating system of the computer has the registry at its core. Over time, the user will install and remove programs, always changing the registry contents. The registry can develop errors as it collects redundant and outdated files over time and it is necessary to fix them. If left alone,......
  • Don't Use Free Registry Cleaners! Whatever you do, don't use free registry cleaners software, read this honest report about free registry cleaners to find out the consequences of using free registry cleaners software! Free registry cleaning software will ruin your computer by deleting important registry entries that are essential to run your computer and these......
  • Run infected exe files without getting infected Don't want to infect your system by executing infected executables? Try Sandboxie then. Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. How to run infected files with Sandboxie? 1. Download Sandboxie 2. Navigate to the......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site