Solved

Getting Error When Trying To Run MSCONFIG And Weird Popup Won't Stop Coming Up.

Posted on 2003-11-16
Last Modified: 2012-06-21
Hi, I am running Windows XP Pro. I have been having a problem: when I try to get to msconfig I get an error saying "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator". I am logged on as Administrator when it gives me this message, so I can't contact myself. I can access all the other administrator tools like regedit, but msconfig gives me the same error. A part of the problem could be that almost every time I try to open Internet Explorer this popup comes up; well, it stays minimized and it won't leave. I have Norton firewall running with ad block on, and I have Stopzilla, a popup stopper, running. I scanned my computer with Norton AntiVirus 2004 (updated), Panda online scan, Trojan Remover, Trend Micro online virus scan, SpySweeper, Adware Pro, Spybot S&D and SpyBlaster, in normal mode and safe mode. The popup window won't show me the full URL, but all I can get of it is "http://nitrous.exitfuel.com/code/exitpoplight1.html?prov=bksp&ref=http://www.g". I have tried everything and asked all the tech people I know; no one knows. If anyone can help, please post or send me an e-mail at enp82003@yahoo.com
0
Question by:ErisSharp
23 Comments
 
LVL 97

Expert Comment

by:war1
ID: 9760763
Greetings, ErisSharp!

A Search site has downloaded something into your computer.

1. If you have Windows Messenger Service, disable it.  The Messenger service is typically not needed for home users.

Right-click My Computer and click Manage.
Fold out the Services and Applications option and click Services.
Right-click the Messenger entry, select Properties, and choose Disable under Startup Type.
Click OK.

You should no longer receive messages sent via the messenger service.

2. Use the following scanners to find and remove the website. Download the latest updates and run the scanner.

SpyBot S&D searches your hard disk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/

3. Some porn websites redirect links to their websites using your HOSTS file. Do a search for the HOSTS (without extension) file and remove the entry.

4. If still no joy, download HijackThis from Spywareinfo download page

http://www.spywareinfo.com/downloads.php

Run the program and you will find many entries. Most are OK. Post the log. I will find the problem for you.

5. For future preventive maintenance, make sure programs cannot just download on your computer without your permission.  From the Internet Toolbar, go to Tools > Internet Options > Advanced.  Make sure "Enable Install On Demand (Internet Explorer)" and "Enable Install On Demand (Other)" are unchecked.

Best wishes, war1
0
 

Author Comment

by:ErisSharp
ID: 9761394
Sorry man, that didn't work. I still can't get into msconfig, same error message, and those programs you showed me I already tried and they are fully updated. Still in conflict here:
can't get into msconfig and weird popup comes up. I have tried something new, going to the host file and typing in the website's IP; still doesn't work....
0
 
LVL 1

Expert Comment

by:qualserve
ID: 9761487
Did you do step #4 from previous posting?  I didn't see a copy of the info it turned up.
0
 
LVL 97

Expert Comment

by:war1
ID: 9761771
Would you run HijackThis and post a log?
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 9763133
Ok, try this:

Click Start, Run and enter REGEDIT.  Go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Look in the right pane for a value called DisallowRun. If it exists, it should be set to 0 (zero).  If not, double click it and change it to 0.

Next look in the subkey

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Each value in the right pane represents a restricted application.  Right click the appropriate entry and select Delete.
0
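The two registry locations named in the reply above can also be checked offline from an exported copy of the key. This is an added example, not part of the original reply; it assumes the key was exported with `reg export` and read as text, and the sample export and `example.exe` are constructed.

```python
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample of a decoded `reg export` of that key; "example.exe" is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="msconfig.exe"
"2"="example.exe"
'''

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg(text):
    """Parse .reg text into {key (lower-case): {value name (lower-case): data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group("key").lower(), {})
            continue
        value = VALUE.match(line)
        if value is None or current is None:
            continue
        data = value.group("data")
        if data.startswith("dword:"):
            parsed = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            parsed = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
        else:
            parsed = data  # hex: and other types are kept as raw text
        current[value.group("name").lower()] = parsed
    return keys


def disallow_run_status(text):
    """Return (restriction_enabled, sorted list of restricted program names)."""
    keys = parse_reg(text)
    flag = keys.get(POLICY_KEY.lower(), {}).get("disallowrun", 0)
    # The reply says 0 means "off"; any other integer is reported as enabled.
    enabled = isinstance(flag, int) and flag != 0
    listed = keys.get(POLICY_KEY.lower() + "\\disallowrun", {})
    return enabled, sorted(str(name).lower() for name in listed.values())


if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-16").read()
    enabled, blocked = disallow_run_status(SAMPLE_EXPORT)
    print("DisallowRun enabled:", enabled)
    for program in blocked:
        print("  restricted:", program)
```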
 
LVL 2

Accepted Solution

by:
garywowen earned 125 total points
ID: 9764337
Look in your Internet Explorer directory - it sounds like a dialler has tried to install itself - if there is a folder called Signup, delete it - that would be the cause of the pop up.

To look at what programs are run at Startup without using MSCONFIG, open regedit and go to here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Find and delete anything suspicious and reboot.

It may also help to CTRL ALT DELETE and look under the Processes tab - anything strange running? If there is, end the process and see if MSCONFIG works then.

Good luck
0
 

Author Comment

by:ErisSharp
ID: 9768553
Well, you guys did it for MSconfig! Thanks a lot. I am still getting that popup; it doesn't really matter, it just gets kind of stupid after a while. I tried Hijack, war1; it didn't give me anything under the log... If you guys can figure it out it would be awesome, but it's not as important as msconfig.
So if you've got any more ideas about that really dumb popup, please share.
0
 
LVL 2

Expert Comment

by:garywowen
ID: 9769742
Having read your pop up problem again, it seems you have what's called JSNOCLOSE - not a virus but similar. It's spread mainly by Kazaa - thing is, an up to date copy of Ad Aware should find and delete it? Do a full search on your hard drive for the following file and delete it: exitpoplight1[1].htm or exitpoplight1.htm
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 9770044
To check the popup, go to the registry (regedit) and search for all the keys (only keys, no values or data) that start with run (run, runonce, runservices, runservicesonce, run-, runonce-, runonceex, etc.) then post them here and we'll tell you what to delete so you can get rid of it. Most likely you can see it for yourself, but if you have doubts, it is better to post and let us try to find it out. Also, I don't remember if XP's MSconfig shows the runonce tab (I know there's a MSconfig utility that shows it, but I can't remember which).
0
 

Author Comment

by:ErisSharp
ID: 9774698
How am I going to post what the post found if I can't take a screenshot of it? And oh yeah, who am I gonna give the points to if I can't only choose one person when I had 2 problems, damn..
0
 

Author Comment

by:ErisSharp
ID: 9775278
I scanned my computer for both exitpoplight1[1].htm and exitpoplight1.htm, no luck. Cluskitt, I don't know what you mean by post them here. You mean make a screenshot? Because it won't let me copy and paste.
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 9777570
Ok, I have a very simple way for you to post it. Use this link: http://samhein.netpires.net/Startup_asviewer.zip
This program doesn't need to be installed. It just lists pretty much everything your computer is going to load. When you open it, you can save the results to text file. Do it, then post them here. We'll have it working in no time ;)
0
 
LVL 2

Expert Comment

by:garywowen
ID: 9777681
Have you checked the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ?
Look for something like filename.exe /install and DLLRun32.exe and delete them - they usually point to a file in your C:\Windows folder called BSX5.DLL and BSX5.INI which should also be deleted.
I wouldn't use Kazaa again, especially the lite version - if you do a lot of filesharing I recommend either eMule or Shareaza both of which are ad and spyware free.
0
 
LVL 2

Expert Comment

by:garywowen
ID: 9777805
OK - the definitive answer to rid you of this pop up! Open up the following file in Notepad

C:\WINDOWS\system32\drivers\etc\hosts

and enter the following line under where it says 127.0.0.1       localhost :

127.0.0.1 nitrous.exitfuel.com

Save it and reboot - you will never see the popup again.
0
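Both hosts-file uses mentioned in this thread (redirect entries to remove, and a 127.0.0.1 entry added to block a host) can be told apart by parsing the file. This is an added example, not part of the original replies; the sample file, the `search.example.com` names and the classification labels are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; only the exitfuel line comes from the thread.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 nitrous.exitfuel.com   # entry from the reply above
203.0.113.7 search.example.com www.search.example.com
not-an-ip broken.example.com
"""


def audit_hosts(text):
    """Return (line number, host name, address, kind) for every mapping.

    kind is one of:
      default   - localhost mapped to a loopback address
      sinkhole  - another name pinned to loopback/0.0.0.0 (blocked locally)
      redirect  - a name forced to some other address (review these first)
      malformed - first field is not an IP address, or no host name follows
    """
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if not fields:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            rows.append((lineno, " ".join(fields[1:]), fields[0], "malformed"))
            continue
        if len(fields) == 1:
            rows.append((lineno, "", str(address), "malformed"))
            continue
        local = address.is_loopback or address.is_unspecified
        for name in fields[1:]:
            name = name.lower()
            if local and name == "localhost":
                kind = "default"
            elif local:
                kind = "sinkhole"
            else:
                kind = "redirect"
            rows.append((lineno, name, str(address), kind))
    return rows


if __name__ == "__main__":
    # On the system in this thread the file is C:\WINDOWS\system32\drivers\etc\hosts
    for lineno, name, address, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:9} {name} -> {address}")
```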
 

Author Comment

by:ErisSharp
ID: 9784056
garywowen, Kazaa Lite is the ad/spyware-free version of Kazaa and it is guaranteed not to have spyware or adware. I haven't updated it in a while; that could be the problem. And I already did the host thing about three times... unless you changed the IP address on it. I used to get that error when I started my computer, "BSX.DLL or BSX.DLL was not found", but after checking it on Google I soon learned that it was spyware and fixed the problem. As for you, Cluskitt, I ran the program and it ran fine. Here's what I got; I hope the message isn't too long.


DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@YOUR-8QN1LEGFUK, 11-19-2003
c:\autoexec.bat
   C:\WINDOWS\hcwSubID.exe
c:\windows\system32\autoexec.nt
   C:\WINDOWS\system32\mscdexnt.exe
   C:\WINDOWS\system32\redir.exe
   C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
   C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [boot]\shell
   C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
   C:\WINDOWS\System32\ATIOCE~1.SCR
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
   C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
   C:\WINDOWS\System32\ATIOCE~1.SCR
HKCR\vbsfile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
   C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1
HKCR\jsefile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTSysVol
   C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTDVDDet
   C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdReg
   C:\WINDOWS\UpdReg.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTStartup
   C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ATIModeChange
   C:\WINDOWS\system32\Ati2mdxx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ATIPTA
   C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ADUserMon
   C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
   C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\STOPzilla
   C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Iomega Drive Icons
   C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Deskup
   C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
   C:\PROGRA~1\NORTON~3\AdvTools\ADVCHK.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bxsx5
   RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SpySweeper
   C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
   C:\WINDOWS\System32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Weather
   C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
   C:\WINDOWS\system32\SHELL32.dll
   C:\WINDOWS\system32\SHELL32.dll
   C:\WINDOWS\System32\webcheck.dll
   C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
   C:\PROGRA~1\NORTON~3\Navw32.exe
C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
   C:\Program Files\Norton SystemWorks\OBC.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
   C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
   C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
   C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
   C:\Program Files\Microsoft Office\Office10\OSA.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MUPS.lnk
   C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
   C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
   autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
   C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
   C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
   C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
   C:\WINDOWS\System32\dcsws2.dll
   C:\WINDOWS\system32\mswsock.dll
   C:\WINDOWS\system32\rsvpsp.dll
0
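A report in this format can be triaged mechanically for the two patterns garywowen's reply describes (a DLL in the Windows folder launched through RunDLL32, and an `/install` switch). This is an added example, not part of the original thread; the sample is a constructed excerpt of the report above, and the two rules are review hints, not verdicts.

```python
import ntpath
import re

# Constructed sample: a few entries copied from the Autostart Viewer report above.
SAMPLE_REPORT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\STOPzilla
   C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bxsx5
   RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
   C:\WINDOWS\system32\SHELL32.dll
   C:\WINDOWS\System32\webcheck.dll
"""

# Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce keys
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx|Services|ServicesOnce)?\\", re.I)
RUNDLL = re.compile(r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<args>.+)$', re.I)
INSTALL_SWITCH = re.compile(r"\s/install\b", re.I)


def parse_report(text):
    """Return (location, command) pairs; commands are the indented lines."""
    entries, location = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if location is not None:
                entries.append((location, line.strip()))
        else:
            location = line.strip()
    return entries


def triage(text):
    """Return (value name, [reasons]) for Run-key entries worth a closer look."""
    findings = []
    for location, command in parse_report(text):
        if not RUN_KEY.search(location):
            continue
        reasons = []
        match = RUNDLL.match(command)
        if match:
            dll = match.group("args").split(",")[0].strip().strip('"')
            if not ntpath.dirname(dll).lower().endswith("\\system32"):
                reasons.append("rundll32 loads a DLL outside system32: " + dll)
        if INSTALL_SWITCH.search(command):
            reasons.append("command line carries an /install switch")
        if reasons:
            findings.append((location.rsplit("\\", 1)[-1], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REPORT):
        print(name, "->", "; ".join(reasons))
```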
 

Author Comment

by:ErisSharp
ID: 9784077
WOW, I was looking at my start for msconfig and found BSX5. I closed that ASAP!
0
 
LVL 2

Expert Comment

by:garywowen
ID: 9785756
I can assure you that although Kazaa Lite will 'install' without spyware or adware, unless you turn it off in options (and it's on by default) it will download the spyware AFTER installation - put it this way - how did I know you were running it?
0
 

Author Comment

by:ErisSharp
ID: 9790206
Sorry, I have just been running Kazaa Lite for more than 2 years now and never had this problem until now. I think it all started when I downloaded a freeware program called "MP3 to WAV Decoder"; it came bundled with GAIN and probably this exitfuel thing. Even after I turned off BSX5 in msconfig's run menu I still get this message. And I haven't installed any new types of Kazaa or updated it in like months, and this just started happening a few weeks ago, so I really don't think it's Kazaa Lite.
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 9790491
Go through stages. In MSconfig, first untick startup group, then autoexec.bat, then config.sys, etc till you know which group causes it. Then try to find the most likely to do it, but if you can't, then try one by one as well. There are lots of processes running in your computer that I'm unfamiliar with, and some that I don't feel are necessary (but this is just my opinion), and I've noticed some are from programs that I don't know. I wouldn't really like to tell you to delete anything I don't know what it is, so I would first try to find out which exactly makes it. (a tip: instead of rebooting, try just ending the session. Should be faster, if a little less reliable. Try ending the session, and when it doesn't load anymore, reboot and use trial and error to identify which one it is exactly.)
0
 

Author Comment

by:ErisSharp
ID: 9792054
Don't worry, you tell me what to delete and it's gone. Just to warn you, I have a Belkin UPS and that's the MUPS process running, and I have Norton SystemWorks 2003, Norton AntiVirus 2004 and Norton Personal Firewall 2003, and I also have MS Office XP and SQL Server, so that's a few of the spaces. I know I have WeatherBug but I made sure it had no adware or spyware in it. So just tell me, Cluskitt, and I am at your command.
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 9795846
Ok, I will separate it into 2 classes: The ones I know and don't think are necessary, and the ones I don't know ;-)

The ones I know, and don't think are necessary:
c:\windows\system.ini [boot]\scrnsave.exe
   C:\WINDOWS\System32\ATIOCE~1.SCR
HKCU\Control Panel\Desktop\scrnsave.exe
   C:\WINDOWS\System32\ATIOCE~1.SCR
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTSysVol
   C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTDVDDet
   C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTStartup
   C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ATIPTA
   C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bxsx5
   RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun (I think you mentioned already having deleted this one, right?)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
   C:\WINDOWS\System32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Weather
   C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
C:\WINDOWS\Tasks\Symantec NetDetect.job
   C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
   C:\Program Files\Microsoft Office\Office10\OSA.EXE
These, for one reason or other, are services I usually disable from the startup. For whatever advantages they may have, they will make you boot slower, and usually I just turn them on whenever I want (the same goes for scheduled tasks, but I didn't want to tell you to remove them). Anyway, neither of these should be the ones making the popup. (except for maybe bxsx5)

The ones I'm not sure, or don't know but find suspicious:
c:\autoexec.bat
   C:\WINDOWS\hcwSubID.exe (what is this one exactly?)
HKCR\vbsfile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
   C:\WINDOWS\System32\WScript.exe "%1" %* (what's with all the wscripts?)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ADUserMon
   C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Iomega Drive Icons
   C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Deskup
   C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART (Zip drive?)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
   C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (should be ok, but I'm curious, what's this? ;-)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MUPS.lnk
   C:\Program Files\Belkin Bulldog Plus\MUPS.exe (what's this?)


That's pretty much all I can help you with. Maybe someone will see something I missed, or will give you reasons not to delete some of the things I would have. Most files (like creative's, and office's) don't give you that much advantage, but some may have other opinions and want them turned on. It's more an opinion than a fact, actually. Still, it's worth a try! ;-)
0
 

Author Comment

by:ErisSharp
ID: 9805034
Well, I figured out how to stop the popup. It seemed as if the people who made the spyware put a lock on msconfig, because after I deleted the bsx.dll in REGEDIT it would still come back, so I stopped it in MSconfig, then deleted it in REGEDIT, and I haven't seen it since. So thanks to all for the help, and I'll let you know if it comes back again. I am gonna give the points to the person who helped me get into msconfig. If you can give points out to more than one person, then I would definitely give almost everyone in this room my points.
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 9805658
You can share points, if you wish. Check the faq for how to do so, or the community support.
0
