Re: Please Help with WINCFG.SCR Infection !
From: Andrew (andrew_at_fried.us)
Date: 07/29/03
- Previous message: dW: "FYI - Overview of Tivoli Access Manager"
- In reply to: Reticulum: "Please Help with WINCFG.SCR Infection !"
- Next in thread: Reticulum: "Re: Please Help with WINCFG.SCR Infection !"
- Reply: Reticulum: "Re: Please Help with WINCFG.SCR Infection !"
Date: 28 Jul 2003 21:36:56 -0700
cathexis@erols.com (Reticulum) wrote in message news:<3f240136.1283637@localhost>...
> Greetings,
>
> I hope this is the right group to ask for help. My ancient PC is
> infected by WINCFG.SCR and removal as per on-line help available
> at places like Symantec is not working.
>
> All instructions say to run Regedit -- it turns itself off whether
> accessed by Run command or Explorer. The wincfg.scr file is plainly
> visible in windows but neither Eraser nor BC Wipe will remove it. When
> I go to run Regedit then regedit will appear for no more than 1 second
> and then shut itself off. A search was made for any *.el-type file. One
> was found and deleted (gnugo.el in a directory of Go-games I have).
>
> If there's anything "saving" me it is that my system is so ancient
> and I use a dial-up and DON'T save the password (to control kid's access)
> so as soon as I log off the Connection Screen will keep popping up. I was
> hit by some trojan once before and this was the give-away I was infected.
>
> System Info:
>
> Pitiful P-166 running Win95 thru dial-up to Internet.
> Agnitum Outpost Firewall that *appears* to be blocking. It lists WINCFG as
> blocked but oddly it comes up under allowed as well despite multiple attempts
> at rule setting. Also, AVG 6.0 Virus Scan which is seeing NADA despite updates
> and re-tries.
>
> Please help me with this infection. It has stumped anything I can think
> of to eliminate it.
>
> Accept my Thanks in Advance,
>
> Andrew
> Reticulum
>
> Remove "your.hat" when replying via e-mail
The file should be located in c:\windows\system32\WINCFG.SCR. Reboot
your system in safe mode and delete the file. I just found this same
file earlier this afternoon, and if you're running any kind of
firewall you'll find that it's attempting to contact an IRC server in
the Netherlands... My file, in particular, was attempting to contact
ip address 194.134.7.194.
It looks like the file hit the net on or about July 26th. I've sent
copies of the program to Symantec and TrendMicro for further analysis.
Also, check and make sure you don't have another infection that might
account for the strangeness you're experiencing with programs closing.
I also found the file c:\windows\lan32c.exe on my system, and that
was attempting to contact ip address 81.135.78.76, port 17773. The
interesting thing about that file is that it's less than 300 bytes and
if moved and executed, it will relocate itself right back to
c:\windows again. Based on my firewall logs, I seem to have picked
that one up on July 28th.
None of the anti-virus or spyware programs detected either of these
files.
Good luck....
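As an added example (not code from the post or the thread): a small Python script that scans firewall log lines for the indicators Andrew names above (the two IP addresses, port 17773, and the WINCFG.SCR and lan32c.exe file names) and separates blocked from allowed hits, since the original poster saw WINCFG listed under both. The log format and the sample lines are constructed for the example; the IRC port range is a heuristic assumption, not something the post states.

```python
"""Flag outbound connections matching the indicators quoted in the thread.

The log format below is a constructed, simplified one (assumption); a real
Outpost log needs its own parser, but the matching logic is the same.
"""
import re
from dataclasses import dataclass

# Indicators taken from the reply above.
IOC_IPS = {"194.134.7.194", "81.135.78.76"}
IOC_PORTS = {17773}
IOC_PROCESSES = {"wincfg.scr", "lan32c.exe"}
# Heuristic (assumption): common IRC server ports, not stated in the post.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed format: "<date> <time> <ALLOW|BLOCK> <process path> <dst ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proc>\S+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)

@dataclass
class Hit:
    ts: str
    action: str
    proc: str
    dst: str
    port: int
    reasons: tuple

def classify(rec):
    """Return the list of indicator types a parsed log record matches."""
    reasons = []
    port = int(rec["port"])
    exe = rec["proc"].lower().rsplit("\\", 1)[-1]   # basename of the process path
    if rec["dst"] in IOC_IPS:
        reasons.append("known-ioc-ip")
    if port in IOC_PORTS:
        reasons.append("known-ioc-port")
    if exe in IOC_PROCESSES:
        reasons.append("known-ioc-process")
    if port in IRC_PORTS:
        reasons.append("irc-port")
    return reasons

def scan_log(lines):
    """Parse each line and keep those that match at least one indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                      # skip lines in another format
        rec = m.groupdict()
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(rec["ts"], rec["action"], rec["proc"],
                            rec["dst"], int(rec["port"]), tuple(reasons)))
    return hits

def allowed_hits(hits):
    """The hits that matter most: indicator traffic the firewall let through."""
    return [h for h in hits if h.action == "ALLOW"]

# Constructed sample log lines (not real log data).
SAMPLE_LOG = [
    r"2003-07-28 21:30:01 BLOCK C:\WINDOWS\SYSTEM32\WINCFG.SCR 194.134.7.194:6667",
    r"2003-07-28 21:30:05 ALLOW C:\WINDOWS\SYSTEM32\WINCFG.SCR 194.134.7.194:6667",
    r"2003-07-28 21:31:10 ALLOW C:\WINDOWS\LAN32C.EXE 81.135.78.76:17773",
    r"2003-07-28 21:32:00 ALLOW C:\PROGRA~1\NETSCAPE\NETSCAPE.EXE 198.51.100.7:80",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h.ts, h.action, h.proc, f"{h.dst}:{h.port}", ", ".join(h.reasons))
```

Run it against an exported log to see which matches were blocked and which were allowed; an ALLOW hit on a known process or address is the rule set to revisit.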