Re: strange startup files and win32cfg

From: yankele (yankelecakker_at_hotmail.com)
Date: 10/25/03

Date: 25 Oct 2003 04:54:47 -0700

"YoKenny" <YKnot@home.invalid> wrote in message news:<#un2m5nmDHA.3688@TK2MSFTNGP11.phx.gbl>...
> yankele wrote:
> > I recently noticed in my RunOnce value in the Win2k
> > registry an entry called MS38495 for which the value was
> > win32cfg.exe. That file exists in my WINNT/System32
> > directory but is not identifiable. If I try to remove the
> > entry from the RunOnce listing, it reinstalls itself. I
> > have been unable to identify the MS38495 name either in
> > the MS Knowledge Base or in the Newsgroups, nor have I
> > been able to come up with much for win32cfg.exe. I think I
> > remember seeing somewhere that it was a "nasty" file but I
> > can't seem to track it down. A search in the registry led
> > me to discover that the entry for win32cfg.exe was in the
> > following key
> > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> > NT\CurrentVersion\Winlogon] where Shell was given the
> > value explorer.exe Win32cfg.exe.
> > When I deleted that value, I was able to stop the file
> > from loading and so far everything seems to be running
> > correctly. Am I correct in assuming that such an entry
> > should not appear in the Shell value which should be only
> > explorer.exe?
> > Can anyone tell me what win32cfg.exe is and whether or not
> > it is useful to let it run?
> > Thanks.
>
> It is amazing what you can find with Google!
>
> http://archives.neohapsis.com/archives/incidents/2001-10/0000.html
> http://www.glocksoft.com/trojan_list/WinCrash.htm
> http://www.symantec.com/avcenter/venc/data/false.nimda.aris.email.message.html

Many thanks for the info. Hey, YoKenny, I DID do searches for
win32cfg in both Google and Symantec and came up with nothing useful.
However, after disabling the virus, I ran the searches again and this
time the searches were fruitful. I suspect that the virus may also
block web searches for it. I also noticed that the keyboard.* files
mentioned by Symantec as being a part of the trojan were absent from my
computer--a little strange. Furthermore, I am virtually certain that I
did not run this trojan myself. I do NOT open unidentified e-mail
attachments. And finally, I did an AVG scan of the win32cfg file using
the latest updates both before and after disabling the virus and both
times the result was negative! Hmmm...
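A small audit script, added here as an example (not code from the thread or from any poster), that applies the check yankele describes: parse the Winlogon Shell value, flag any program listed besides explorer.exe, and correlate those with RunOnce entries that launch the same program (the "reinstalls itself" behaviour above). It assumes the Shell value is a comma- or space-separated list of commands, reads the live registry only when run on Windows, and otherwise uses the values reported in the thread as a constructed sample.

```python
import ntpath
import re
import sys

# Registry locations named in the thread (under HKEY_LOCAL_MACHINE).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUNONCE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
EXPECTED_SHELL = ("explorer.exe",)  # the only program a stock Shell value names

def _first_exe(command):
    """Lower-cased file name of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split(None, 1)[0] if command else ""
    return ntpath.basename(token).lower()

def parse_shell_value(value):
    """Split a Winlogon Shell value (assumed comma or space separated) into program names."""
    return [_first_exe(t) for t in re.split(r"[,\s]+", value.strip()) if t]

def unexpected_shell_entries(value, expected=EXPECTED_SHELL):
    """Programs in the Shell value other than the expected shell itself."""
    return [p for p in parse_shell_value(value) if p not in expected]

def audit(shell_value, runonce_entries, expected=EXPECTED_SHELL):
    """Flag Shell extras and any RunOnce entry that launches the same program."""
    extras = unexpected_shell_entries(shell_value, expected)
    suspects = {n: c for n, c in runonce_entries.items() if _first_exe(c) in extras}
    return {"shell_extras": extras, "runonce_suspects": suspects}

def read_live_values():
    """Read the real values on Windows; returns (shell, {name: command})."""
    import winreg  # Windows-only standard library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as k:
        shell = winreg.QueryValueEx(k, "Shell")[0]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_KEY) as k:
        entries = {winreg.EnumValue(k, i)[0]: str(winreg.EnumValue(k, i)[1])
                   for i in range(winreg.QueryInfoKey(k)[1])}
    return shell, entries

if __name__ == "__main__":
    if sys.platform == "win32":
        shell, runonce = read_live_values()
    else:  # constructed sample reproducing the values reported in the thread
        shell, runonce = "explorer.exe Win32cfg.exe", {"MS38495": "win32cfg.exe"}
    print(audit(shell, runonce))
```

A non-empty `shell_extras` list is the finding that matters; `runonce_suspects` only tells you which RunOnce entry is likely being re-created by that extra program.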
