Re: Please Help with WINCFG.SCR Infection !
From: Andrew (andrew_at_fried.us)
Date: 07/30/03
- In reply to: Reticulum: "Re: Please Help with WINCFG.SCR Infection !"
- Next in thread: Reticulum: "Re: Please Help with WINCFG.SCR Infection !"
- Reply: Reticulum: "Re: Please Help with WINCFG.SCR Infection !"
Date: 30 Jul 2003 07:57:08 -0700
I received a very prompt reply from Symantec (less than six hours) on
the file submission which contained WINCFG.SCR. They advised that it
was a known trojan which had been identified in April. They suggested
that I download their intelligent anti-virus updater, as opposed to
Live Update. I did, and Norton detected the trojan. I'm a little
puzzled, however, as to why Norton chose not to include the signature
in the regular signature file. After all, isn't that what an
anti-virus program is supposed to do??? My concern now is in trying
to determine HOW that trojan got installed in the first place.
I also submitted the files to TrendMicro and two days later have yet
to receive any kind of reply.
Andrew
cathexis@erols.com (Reticulum) wrote in message news:<3f26f1c2.1069031@localhost>...
> Andrew,
>
> WINCFG.SCR is DEAD !!
> Thanks Man.
>
> If you'd like the specifics,....
> Reboot to Safe Mode caused error screen for "Registry Problem" and suggested
> restore --
> "Okay" pressed and rebooted to normal mode, No change noted in problem.
> Rebooted back into Safe Mode without error message.
> Regedit then would come up.
> Followed path to trojan ref in registry as posted many places on internet
> (Can re-post that here if you'd like). Deleted relevant refs.
> *** NOTE: Also found ref. to "WINKEET" a known trojan I'd thought I'd killed
> last year. Deleted same.
> Rebooted to normal mode, regedit works fine, no more Connection Screen pop-ups
> (see my original post)
> No further signs of WINCFG.SCR activity on Outpost Firewall.
>
> So I guess that's it!
>
> One more question;
>
> Using "Find" under Regedit to search for refs. to wincfg I still
> come up with two. I won't give whole path unless you want but they
> boil down to - ,.../explorer/Doc Find Spec MRU and also RunOnce.
> Are these harmless refs. to my own Find searches or should they also
> be killed ??
>
> Again -- My Hearty Thanks,
>
> Andrew
>
> Reticulum
>
> Remove "your.hat" when replying via e-mail