# WINCFG.SCR - a new threat



## tekspirit (Jul 25, 2003)

I have this process called wincfg.scr running on my machine, and even though I've scanned for it, anti-virus scanned, searched the HDs, I still can't find its carrier. It doesn't exist, but appears in the task list at every boot.

Anyone come across this nasty beast?

Tek


----------



## IMM (Feb 1, 2002)

Nope - but I have some of the usual questions.

Is there a c:\windows\winstart.bat file?
Is there a c:\windows\wininit.ini file with a read only or system attribute?
If this is 9x, what is going on in autoexec.bat?

What does Process Explorer show for running processes - in 9x etc it will show things that CAD will not.

Post the Scan log from HijackThis (HJT) http://www.tomcoyote.org/hjt/

Also use HJT to generate a startuplist (Config > Misc Tools > Generate StartupList log) and post that


----------



## tekspirit (Jul 25, 2003)

It's running on XP home.

There are none of the files you mentioned. But here's a list of what matches win*:

```
C:\WINDOWS>dir win*
Volume in drive C is S3A1173D002
Volume Serial Number is 8428-7B67

Directory of C:\WINDOWS

23/07/2003 10:36 AM 1,932 win.ini
25/07/2003 09:43 AM 215,612 Windows Update.log
18/08/2001 08:00 AM 256,192 winhelp.exe
29/08/2002 06:41 AM 266,752 winhlp32.exe
31/03/2003 08:22 PM WinSxS
4 File(s) 740,488 bytes
```

I'll try to go to your URL and post there too.

Thanks!

Tek


----------



## tekspirit (Jul 25, 2003)

Here's the list from HJT's Startup list:
(as you can see, there are nearly a million files on this Toshiba laptop)....
---
Tek

StartupList report, 25/07/2003, 11:16:20 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\tek\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link AirPlus\WLANMON.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Copytalk\CTTrayAgent.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\tek.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\tek\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\tek\Start Menu\Programs\Startup]
Copytalk Agent.lnk = C:\Program Files\Copytalk\CTTrayAgent.exe
HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
D-Link AirPlus DWL-650+ Utility.lnk = ?
DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /installquiet
00THotkey = C:\WINDOWS\System32\00THotkey.exe
000StTHK = 000StTHK.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
TouchED = C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
TFNF5 = TFNF5.exe
Tpwrtray = TPWRTRAY.EXE
TFncKy = C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe /Type 03
TcmTray = 
TDispVol = TDispVol.exe
TMESBS.EXE = C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
TosHKCW.exe = "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
cPadAlarm = C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
Gnetmous = C:\Program Files\Sanwa\Scroll Mouse\gnetmous.exe
ezShieldProtector for Px = C:\WINDOWS\System32\ezSP_Px.exe
Drag'n Drop CD = C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
MXO Auto Loader = C:\WINDOWS\MXOaldr.exe
TempRemove = "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
PostCopy = C:\WINDOWS\System32\Belkin\F5U109\PostCopy.exe
Winsock2 driver = WINCFG.SCR

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Winsock2 driver = WINCFG.SCR

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\windows\googletoolbar_en_2.0.88-big.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

[InstallShield International Setup Player]
InProcServer32 = c:\windows\downlo~1\isetup.dll
CODEBASE = http://www.installengine.com/engine/isetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

--------------------------------------------------
End of report, 8,835 bytes
Report generated in 0.261 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
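As an added illustration of what IMM is asking tekspirit to look for in the StartupList above (this is not part of the thread and not HijackThis code), the Python script below parses the "Autorun entries from Registry" sections of a StartupList-style report and flags entries that share the pattern of the `Winsock2 driver = WINCFG.SCR` line: a .scr file launched from a Run/RunOnce key, a bare filename with no path, and the same value name repeated across hives. The sample report text is a constructed excerpt of the report above; the severity labels, the extension list and the heuristics are my own choices, not anything HijackThis does.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the layout of a HijackThis StartupList report,
# trimmed from the report posted in the thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TFNF5 = TFNF5.exe
TcmTray = 
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Winsock2 driver = WINCFG.SCR

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Winsock2 driver = WINCFG.SCR
"""

# Executable token at the start of a Run value: optional quotes, then a path
# ending in a launchable extension, followed by whitespace or end of line.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|scr|com|bat|cmd|pif|dll))"?(?=\s|$)', re.IGNORECASE)


@dataclass
class AutorunEntry:
    key: str            # registry key the value lives under
    name: str           # value name (what msconfig shows as the startup item)
    value: str          # raw command line
    exe: Optional[str]  # executable portion, if one could be identified


@dataclass
class Finding:
    entry: AutorunEntry
    severity: str
    reason: str


def parse_startuplist(text: str) -> List[AutorunEntry]:
    """Extract name = value pairs from every 'Autorun entries from Registry' section."""
    entries: List[AutorunEntry] = []
    key: Optional[str] = None
    expect_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Autorun entries from Registry:"):
            expect_key, key = True, None  # next non-empty line names the key
            continue
        if expect_key:
            if line:
                key, expect_key = line, False
            continue
        if line.startswith("---"):      # section separator: leave the autorun section
            key = None
            continue
        if key is None or not line:
            continue
        if " = " in line:
            name, value = line.split(" = ", 1)
        elif line.endswith(" ="):       # empty value, e.g. "TcmTray = "
            name, value = line[:-2], ""
        else:
            continue
        m = EXE_RE.match(value.strip())
        entries.append(AutorunEntry(key, name.strip(), value, m.group(1) if m else None))
    return entries


def analyse(entries: List[AutorunEntry]) -> List[Finding]:
    """Apply three heuristics drawn from the WINCFG.SCR entry in the thread."""
    findings: List[Finding] = []
    keys_by_name: Dict[str, set] = {}
    for e in entries:
        keys_by_name.setdefault(e.name.lower(), set()).add(e.key)
    for e in entries:
        if e.exe is None:
            continue
        if e.exe.lower().endswith(".scr"):
            findings.append(Finding(e, "high",
                "screensaver (.scr) launched from a Run/RunOnce key; a real screensaver "
                "is referenced via SCRNSAVE.EXE, not an autorun key"))
        if "\\" not in e.exe:
            findings.append(Finding(e, "low",
                "bare filename with no path; resolved through the search path, so the "
                "report alone does not say where the file lives"))
        n_keys = len(keys_by_name[e.name.lower()])
        if n_keys > 1:
            findings.append(Finding(e, "medium",
                f"same value name present in {n_keys} autorun keys"))
    return findings


def worst_severity(findings: List[Finding]) -> Dict[str, str]:
    """Collapse findings to one severity per value name (case-insensitive)."""
    rank = {"low": 0, "medium": 1, "high": 2}
    worst: Dict[str, str] = {}
    for f in findings:
        n = f.entry.name.lower()
        if n not in worst or rank[f.severity] > rank[worst[n]]:
            worst[n] = f.severity
    return worst


if __name__ == "__main__":
    for f in analyse(parse_startuplist(SAMPLE_REPORT)):
        print(f"[{f.severity:6}] {f.entry.key}\\{f.entry.name} -> {f.entry.exe}: {f.reason}")
```

Run against the excerpt, the only "high" findings are the two `Winsock2 driver` values, which is exactly the pair of registry locations IMM tells tekspirit to clean below; the Toshiba `TFNF5.exe` entry only rates "low" because a bare filename is common for OEM startup items, and it is resolved by checking where the file actually lives.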


----------



## IMM (Feb 1, 2002)

It seems to be (I'm guessing) a variant of the spybot.gen worm.
I have a question about whether or not you were running a DOS window when you ran HJT. I see cmd.exe as a process.

Download Process Explorer
Unzip this somewhere to keep, run the extracted procexp.exe file then right click on and choose KILL for the following tasks:

C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\tek.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
and any other task which isn't essential and 'might' be the worm. Killing a task in this fashion doesn't remove any files - it just boots them out of memory, and anything not dealt with will be back on the reboot.

Regarding finding the file - are you set up to show hidden files?

It has at least two registry entries requiring removal.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Run regedit.exe and navigate to these locations in the registry - in each you should find a _Winsock2 driver_ entry - delete that entry.

Some of these worms will disable msconfig and regedit.exe if we don't succeed in killing the task first - In that case we'll take a different approach or do a better job of figuring out which task.

While you're using regedit have a look for
HKEY_CURRENT_USER\Software\Kazaa\LocalContent\Dir0
Of course if you've never used Kazaa the whole Kazaa key should be deleted.

Make a note of which directory this key (Dir0 - if present) points to - there will be lots of copies of the worm present there.

Is there a keylog.txt (or similar name) file in the system directory? If so you might look to see what it's logged.

You look pretty mobile. Any of those startups you don't recognize?


----------



## tekspirit (Jul 25, 2003)

I was running a command box, so that one's ok.
Also, tek.exe was me as well - taskmgr.exe was unable to run, so I renamed it to tek.exe and ran it without problems.

ComboButton: it's in a directory called Retrospect, as part of a package that came with a Maxtor USB drive (it's for auto-backups). I don't use Retrospect, so I uninstalled it. Combobox.exe was left behind, so I zapped the whole Retrospect directory (keeping a zip copy in case this has something worm related).

Kazaa - it's never been used on this machine, and no entries in the registry were found matching Kazaa

Hidden files: no, the search didn't look at those. Thanks for the hint, I'll run it again...

Found it!

c:\windows\system32\wincfg.scr is here, with the hidden attribute.

Something else - \Windows\Prefetch has a file named similarly:
WINCFG.SCR-38727020.pf
I'll have to learn about these prefetch files...

Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Had wincfg.scr under a "Winsock2 Driver" as you said - I deleted the entry.
In HKCU, it was listed in the RunOnce area - I deleted that, too.

No entries for wincfg exist now.

As for some strange looking entries running, it's not easy. There are so many things running on this laptop, many still look strange to me. Some I have suspicions about, but I found them all at this website (it claims to list "ok" startup apps):
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm

Thanks for your help - I'll reboot and see where things stand.

Tek


----------



## IMM (Feb 1, 2002)

It's fairly characteristic of the spybot family of worms to interfere with (terminate) the following 4 processes (while the worm is active):
regedit.exe
msconfig.exe
taskmgr.exe
netstat.exe
If (for example) you want to know if you've succeeded in terminating the process and msconfig wasn't working properly - try running it (msconfig or netstat) after killing a suspect with process explorer.

To tell the truth - I'm a little surprised that there is no
HKEY_CURRENT_USER\Software\Kazaa\
key. This worm will usu. put one in.


----------



## tekspirit (Jul 25, 2003)

All four of them are running now, and no more wincfg.scr either.

I do have one unknown process, though - touchED, in the program files\Toshiba directory. Might be something to do with the Synaptics touchpad. But it's not in the startup list posted above, and has the same memory usage as wincfg.scr.

Everything is running as before wincfg showed up.

IMM, it's great having folks like you around.

Tek


----------



## IMM (Feb 1, 2002)

:up:
It's a good point in time to update your virus defs - or get an online scan at Housecall


----------



## tekspirit (Jul 25, 2003)

Virus defs are up to date, and updated regularly.

Take care,

tek


----------



## k3ypad (Jul 29, 2003)

I found this file earlier this evening after reviewing firewall log files and finding suspicious connections to an IRC server in the Netherlands (ip 194.134.7.194).

The file was located in c:\windows\system32\WINCFG.SCR. None of the spyware or virus scanners picked up on it. I've since sent copies of the file over to Symantec and TrendMicro for further analysis.

I also discovered a second such file on my system. This one was at c:\windows\lan32c.exe and it was attempting to contact an IP in England (81.135.78.76) on port 17773. This was a particularly nasty guy that blocked Norton antivirus from running. I couldn't even do a CTL-ALT-DEL and get a process list - the window closed almost immediately after opening. I finally tracked that one down by doing a netstat -o and obtaining the PID of the program that was making the connection, then using Norton's process viewer to find the actual file.

The lan32c.exe is less than 300 bytes in size. I moved it to another directory after killing the process and my outbound connections ceased. When I executed the program, not only did my connections to 81.135.78.76 begin, but the program relocated itself right back to c:\windows.

To whack that one, boot up in safe mode and obliterate the file. I used PGP to overwrite the file, just to be on the safe side.

And the really strange thing is that I don't open attachments and don't use M$ Outlook.
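An added example (not from the thread) of the `netstat -o` triage k3ypad describes above: the script below parses `netstat -ano`-style output, joins each outbound connection to the image name owning the PID (a snapshot you would take at the same moment with `tasklist` or Process Explorer), and flags connections whose remote port is not a common service port or whose owning image is a screensaver. The netstat text and the PID-to-image table are constructed sample data; the IP addresses are RFC 5737 documentation addresses, and only port 17773 and the wincfg.scr name come from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of `netstat -ano` on Windows XP. Addresses are
# from the RFC 5737 documentation ranges; port 17773 is the one reported above.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    192.168.1.20:1054      198.51.100.23:80       ESTABLISHED     1492
  TCP    192.168.1.20:1088      203.0.113.9:17773      ESTABLISHED     1720
  TCP    192.168.1.20:1101      192.0.2.44:6667        SYN_SENT        1720
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image snapshot, as `tasklist` or Process Explorer would show
# it if captured at the same time as the netstat run.
SAMPLE_PROCESSES: Dict[int, str] = {
    4: "System",
    764: "svchost.exe",
    1492: "iexplore.exe",
    1720: "wincfg.scr",
}

# Ports a desktop is normally expected to talk to; anything else gets a second look.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 993, 995}
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}


@dataclass
class Connection:
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: str      # empty for UDP, which has no state column
    pid: int


def _split_endpoint(endpoint: str):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Connection]:
    """Parse TCP (5 columns) and UDP (4 columns, no state) rows of netstat -ano."""
    conns: List[Connection] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        la, lp = _split_endpoint(local)
        ra, rp = _split_endpoint(remote)
        conns.append(Connection(proto, la, lp, ra, rp, state, int(pid)))
    return conns


def flag_connections(conns: List[Connection], pid_to_image: Dict[int, str]) -> Dict[int, dict]:
    """Group suspicious outbound connections by owning PID with the reasons they were flagged."""
    findings: Dict[int, dict] = {}
    for c in conns:
        if c.state not in OUTBOUND_STATES or c.remote_port is None:
            continue  # listeners and UDP sockets are not outbound sessions
        image = pid_to_image.get(c.pid, "<unknown>")
        reasons = []
        if c.remote_port not in COMMON_PORTS:
            reasons.append(f"remote port {c.remote_port} is not a common service port")
        if image.lower().endswith((".scr", ".pif")):
            reasons.append(f"owning image {image} has a screensaver/shortcut extension")
        if c.pid not in pid_to_image:
            reasons.append("PID missing from the process snapshot (process list may be tampered with)")
        if reasons:
            entry = findings.setdefault(c.pid, {"image": image, "remotes": [], "reasons": set()})
            entry["remotes"].append(f"{c.remote_addr}:{c.remote_port}")
            entry["reasons"].update(reasons)
    return findings


if __name__ == "__main__":
    for pid, info in flag_connections(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES).items():
        print(f"PID {pid} ({info['image']}): {', '.join(info['remotes'])}")
        for r in sorted(info["reasons"]):
            print(f"    - {r}")
```

On the constructed sample, the browser session to port 80 passes untouched while PID 1720 is reported with both of its remote endpoints, which is the same PID-to-file pivot k3ypad did by hand; the unknown-PID reason exists because a worm that kills Task Manager can leave you with a netstat PID that no process list will explain.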


----------



## Neill (Jul 29, 2003)

Here's my info:

Windows 98 SE

I noticed wincfg.scr in my firewall's (SPF) application list. It was entered once, permanently listening, and would appear every 15 seconds as a second entry and then disappear and reappear on schedule.

I tried to run msconfig and regedit but both apps were automatically closed after one second.

I ran adaware, current update. Wincfg.scr is not registered with adaware.

I ran NAV, July 28 defs. NAV unaware of wincfg.scr.

I ran hijack. I selected the entry for wincfg.scr but it reappeared on the next scan.

I started in safe mode, ran hijack, selected the entry for wincfg.scr, and it was removed. I restarted in normal mode. Msconfig and regedit run OK now.


----------



## Couriant (Mar 26, 2002)

I noticed this file only when I disconnected from the internet. When I did, Windows said that there was a file or program trying to connect to inutero.hackarmy.uk - which connection should I use?

The only thing I recently downloaded was ADIA (a system information program ppl raved about) and I was looking at newsgroups, which I didn't know Earthlink had until I started using Outlook Express.

Like you guys I went to Safe Mode, looked at the registry since the WINCFG file was blocking me from using it in Normal Mode, found the problem and deleted the file and registry keys associated with WINCFG.

I will make a new post and inform one of the Moderators to leave it up the top. If you think you got the file any other way, please let me know or add it to the post.


----------



## bro (Jul 31, 2003)

I just picked this one up as an .scr file from a newsgroup. McAfee didn't recognise it, and even though I was pretty sure it wasn't somebody's hot neighbour tanning topless.... I got curious. Can't help myself, y'see...

Of course, it immediately appeared in McAfee firewall trying to connect to the net.

Anyhow, I had to terminate the process using TaskInfo (available free, do a search for it). Then I could delete the wincfg.scr file from c:\windows\system, and remove it from the 'run' registry entries using the MS system configuration tool.
For those who don't know how to do that... from the start button: Programs/Accessories/System Tools/System Information is the default Windows location, then the Tools menu/System Configuration Utility/Startup, and untick everything you don't need...

If you know how to use regedit, go into that later and delete every key relating to wincfg.scr.


----------



## Neill (Jul 29, 2003)

In response to Tidus4Yuna's request for origins information:

Like the previous poster "bro" I was scanning a newsgroup and found an attachment named "Sister in shower.scr". It is 24,576 bytes and is not a regular screensaver. Indeed, we got hosed.


----------



## amsedelm (Jul 31, 2003)

I just got rid of wincfg.scr after having it for sometime. All with your help. Thanks!
Now, what exactly does this thing do? And how does it affect a Win98 AMD k6/2 350 mhz pc? Thanks, you guys know your stuff...


----------



## Neill (Jul 29, 2003)

Hello amsedelm,

When did you first notice it? Or anyone else? I first noticed it July 27.


----------



## mdevour (Jul 31, 2003)

This creature is quite new. In fact, this thread is one of only two hits you'll get from a google search on "wincfg.scr". You'll get many hits on wincfg.c, wincfg.exe, which are legitimate programs, apparently, but only two on the .scr, as of right now.

Your discussion here let me quickly cure the problem once I'd found you: Restart in Safe Mode, regedit two places, delete one file, and good to go.

I'm hopeful the infection didn't actually have a chance to _do_ anything, since my hardware firewall should have blocked it. I do not know that for sure, however. I'll be watching as people find out how it works and what it does.

Thanks, people. This site is a good resource. :up:

Mike D.


----------



## Citation4444 (Jul 31, 2003)

I echo the last post. I was infected with this and found the answer here by doing a Google search on WINCFG.SCR. As a result, I have joined this forum. This thing doesn't seem to be spreading too fast. Maybe we're the only ones who are fortunate enough to have caught it? Doubt it. :up:


----------



## thejj (Jul 31, 2003)

I got that wincfg.scr infection also. I removed entries relating to it in my registry and i deleted it from \windows\system32. Is that it?

Also, has anyone been able to figure out anything about that "prefetch" folder tekspirit referred to earlier? It looks very suspicious. Should we delete it also?


----------



## thejj (Jul 31, 2003)

Actually, that prefetch dir is looking a little more legit now that I've inspected it more closely. Should we delete the "wincfg.scr" reference though?


----------



## IMM (Feb 1, 2002)

This seems to be getting to be a popular little critter. 

Just a comment to say that I should have asked the original poster to search for lan32c.exe as well. I knew it to be a possibility and at least one person has found it.

Here are some instructions on finding hidden files:
How to show hidden files and protected operating system files in Windows

Safe mode isn't needed if you are successful using process explorer to end the task but either method works.

I think that the text file which logs things such as passwords will likely exist on this one (it will be a text file in the system directory such as keylog.txt or testing.txt - but I'm not sure what name it will use).

I wouldn't worry much about the .pf prefetch files on this one.


----------



## bro (Jul 31, 2003)

Just a follow-on from my last message on wincfg.scr...

I updated mcafee virusscan this morning (last update was a week or so ago) and it now recognises this virus.


----------



## tekspirit (Jul 25, 2003)

And Norton released new virus defs yesterday, and it finds WINCFG.SCR now.

More info here: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html


----------



## Brando (Jul 31, 2003)

I just ran into this today by accident. (7/31/03)

Freeagent won't execute *.exe's, but I didn't pay attention to this one and the .scr got clicked.  

Did the same thing as the other folks and got it out of the system.  

2 quick notes:

Wincfg.scr was in my system folder, as opposed to system32. I run Win98se, I'm not sure if that makes a difference.

Second, I rebooted with a dos disk to delete it, and I couldn't find it until I used the 'attribute' switch, it was 'hidden'. I changed the attribute, (had to break out the DOS manual, blow the dust off, and sift through the pages...don't use it much anymore. )

After changing the attribute, I was then able to delete it.

Restarted in safe mode, ran regedit, cleaned it out, no problem.

I could not find any lan32 file (don't use ICQ) and no Kazaa (don't use that on THIS machine.)

Anyways, gone. And this was the only place ala Google! Thanks all and thanks Google!


----------



## MrDave03 (Jul 31, 2003)

I have been hit today with the same infection... I updated Norton and it found it right away.. but couldn't repair or quarantine... and it prevented me from accessing regedit or msconfig... I rebooted in safe mode and let Norton do a full scan.. it found two infected files.. "dc323.scr" and "wincfg.scr".. in safe mode it allowed me to quarantine both files.. and then I was able to access regedit.. but it hadn't written to the registry.. I believe I was saved by ZoneLabs' free ZoneAlarm firewall... Wincfg.scr attempted 5 times to access the internet but ZoneAlarm blocked it each time.. so hopefully I'm good to go.. just thought I'd pass along my experience in case it's of use ... Dave


----------



## Neill (Jul 29, 2003)

I have a question for tekspirit ( or anyone else with info).

I searched Symantec's website and NAI's and found no references to wincfg.scr.

I followed the link tekspirit provided and there is no occurrence of "wincfg.scr" on the page.

???


----------



## Neill (Jul 29, 2003)

More on wincfg.scr from usenet

http://groups.google.ca/groups?q="wincfg.scr"&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search


----------



## MrDave03 (Jul 31, 2003)

Neill.... I'm not a pro here, maybe someone can clarify.... but I failed to mention.. when Norton found my virus it found it as backdoor.sdbot.... I'm assuming that file simply attached itself or created wincfg.scr... in turn causing the infected wincfg.scr file.... hopefully someone can clarify and in turn help me understand if I'm on the right track? Thanks, Dave


----------



## CommanderKee (Aug 1, 2003)

Wow, I got this little bugger twice in the last week. I don't know exactly how I'm getting it. It likes to automatically close the task list, that's for sure.


Really scary thing to note, in that prefetch directory, it seems to keep a log of all applications that you have run, and network traffic sent. 

hmm.


----------



## Tristaan (Aug 1, 2003)

Kudos to this group for staying on top of things.

Inadvertently, I ended up with the WINCFG.SCR file and this variant of the backdoor trojan.

In my case, it was on a Windows XP Pro system. Considering that it a) inserts records into the registry and b) adds system/hidden files I decided to try a System Restore.

I have my machine set up to create regular system check points. I happened to know approximately when I picked up this trojan (from when the last time was that I was able to successfully use Task Manager) and, since I hadn't installed any new applications recently, I restored back to the day before that.

Rebooted, and now WINCFG.SCR is gone both from the registry and from Windows\System32.

Thanks, gang!:up:


----------



## ArmandXG (Aug 2, 2003)

I just took it apart. It is the w32.spybot.worm. Update at nortons will help you kill it. nasty little guy. I followed him home. Be careful with this one. Update your AV and it should be prevented.


----------



## IMM (Feb 1, 2002)

It 'felt' more like a spybot than an sdbot but I haven't had my hands on it.


----------



## johnko704 (Aug 3, 2003)

You can get rid of this worm by running NAV in "safe mode". Make sure you have it check all the files. After you've deleted the program with the virus, you have to use regedit to search for all "wincfg.scr" references. Make sure you back up your registry first. This works for all versions of Win.


----------



## Ahhz (Aug 3, 2003)

I picked it up this morning from a newsgroup. Immediately all internet related software quit working. I used the above listed fixes to remove it from my W98SE comp. I also recorded the IP address it was trying to connect to, and did a whois search on the resulting info. It traced back to a site on the NTL:home ISP in Middlechurch, UK. After a subsequent, polite email to NTL, I am waiting to see what comes of it. The question I have is, does anyone know what this does? I inadvertently allowed it to connect, and immediately I had 3 dozen port scans from the site.


----------



## Couriant (Mar 26, 2002)

This post has got interesting since my last post.

NTL is going bust, according to a friend of mine who worked there. So emails may be slow.

I believe it's safe to say that no-one knows what the worm does; my only guess right now is that it tries to connect to a web domain in the UK and possibly sends information about your computer. Since details like your CD KEY code (which I found out in a different post) are stored on your machine, they may be (just maybe) trying to obtain information from your machine.

But about that prefetch directory, it does seem interesting that it documented what programs you used. Maybe you can determine when the file was created, CommanderKee.

MrDave, there is no WINCFG.SCR that exists as a screensaver. It's merely a stage name so that no-one would think it's a virus. As for the virus, they do have a *DNA* pattern. Maybe that's why you got a message, as the virus you got is similar to the sdbot virus. Tekspirit did make a link to Norton with more information on the virus.

Brando, if you are running W9x / ME, the virus will go to your System folder. The NT / 2K / XP system folder is System32, hence why some ppl's infected directory is different (though all OSes have both directories.... confusing).


----------



## Couriant (Mar 26, 2002)

I forgot to ask... does anyone have NILAUNCH.EXE in their startup (msconfig)? I never had this in there until I got the worm... The file resides in the System folder (system32 since it's WXP).


----------



## rash (Aug 3, 2003)

My machine was still infected by "wincfg.scr".
And I found another similar called "hbruop.scr".
Neither of them is a screen saver, and after I removed the first one and then tried to choose the second as screen saver in the dialog box, I found the first was restored in the registry.


----------



## Lureman (Aug 4, 2003)

The dirty little bugger got me after trying to install "naked girlfriend" last night, a screen saver from a newsgroup. Should have known better!


----------



## Lureman (Aug 4, 2003)

Thanks for all the posters on this; and, kudos to the developer of Process Explorer, pretty neat sw.


----------



## kisrael (Aug 4, 2003)

I got it too. A bit free with Usenet downloads, clicked on an .scr.

One helpful tip: I associated .scr files with TextPad.


----------



## Couriant (Mar 26, 2002)

did you manage to see what it said in Wordpad?


----------



## kisrael (Aug 4, 2003)

Mostly binary gobbledygook. Some strings, mostly boilerplate stuff. TextPad ain't the best way to analyze a binary file!


----------



## gdon (Aug 5, 2003)

Thanks for the help in this thread... got it, killed it.
I am not sure but I think it also disabled my Norton AntiVirus signature database update. I had to reinstall NAV.
Zone Alarm blocked the outgoing connect attempts and the router blocked any incoming, so I am 99% sure I am safe.. I highly recommend a good firewall for times like this!


----------



## Mercutio84 (Aug 6, 2003)

I also had this virus on my computer, it seems to be spreading through usenet because I also noticed that my brother had installed a news reader called Xnews or something like that. If you change your regedit.exe file to a regedit.com file, you will be able to run regedit and remove the startup entries, then locate the problem file and delete it.

However, I haven't got this 'prefetch' directory you are talking about. Is it in the c:\windows\ directory, or somewhere else? As well, ever since I got this virus, I've been unable to burn CDs. They get about 4 or 5% in and the burner freezes and I can't even open the CD drawers. I'm using EZ CD Creator 5 Platinum, but I'm not sure if this is related to the virus, or if it is just a horrible coincidence. A good firewall is definitely a must with this virus, mine blocked about 30 attempts.:up:

Any new info would be appreciated, I want to be absolutely sure that this thing is gone.

Oh, and also, this virus completely shutdown my NAV, and wouldn't let me run it (virus subscription is out of date anyways, but still).


----------



## chuve10 (Aug 6, 2003)

hi

It seems I've got caught by this virus too. This is what I've tried:

Used Task Explorer from Sysinternals to kill the wincfg.scr process, deleted wincfg.scr from
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
, checked ini files for strange programs, checked the task list for strange visitors.

I've downloaded Norton Antivirus with the latest update. It reports the wincfg.scr file as W32.spybot.worm. Removed the infected files.

So far everything seemed ok after restarting.

However...

Now I get a request from my firewall (ZoneAlarm) that a process called msmsgs.exe tries to access the internet.
This seemed very strange to me because I don't use MSN Messenger at all. Looked at the tasks using Task Explorer from Sysinternals and looked at the msmsgs.exe process. It tries to access the internet using a random port number. I did decline access to the internet for msmsgs.exe but after a few seconds (10-30) I get a new request from a new process with the same name, msmsgs.exe. This time with another port number.

This seemed very unusual to me, although Norton didn't find a virus in the C:\Program Files\Messenger directory, from where msmsgs.exe seems to be executed.

Killed the msmsgs.exe process and quickly renamed the directory from C:\...\Messenger to C:\...\Messenger_old.
The process didn't start again. 

In Task explorer the originator (parent) of the msmsgs.exe seems to be srvhost.exe process, owner SYSTEM. 
Tried to kill the srvhost.exe process but that initiated an uninterruptible system shutdown.

This all seems very strange to me, and especially that the msmsgs.exe file isn't recognised as a virus by the latest version of the Norton updates (4 Aug). I'm pretty sure this isn't the normal behaviour of MSN Messenger.

BTW, I've a WinXP Pro system and MSN Messenger 5.

Anyone with similar behaviour? Or tips to gather some more info about this?


----------



## Argus56 (Aug 8, 2003)

You should also look for a file called *"zooxio.scr"*. I found it in my System32 folder.


----------



## hbv (Aug 5, 2003)

Thanks Argus56,

Searched and thankfully no zooxio.scr. ... this time.

hbv


----------



## scooter360 (Aug 20, 2003)

If you cannot keep taskmgr, regedit or msconfig open, navigate to c:\windows\system32 and locate taskmgr.exe. Simply rename it to mgrtask.exe and run it. Now search your task list for wincfg.exe. When you find it, end the process.

Now open regedit. Locate the following key:

hkey_local_machine\software\microsoft\windows\currentversion\run\

Locate the task called "Winsock Driver" (bogus entry) wincfg.scr.

Delete that specific key (right click on it and delete).

Now, navigate to c:\windows\system32 and locate "wincfg.scr"

It may be hidden so click on tools > Folder options > VIEW > and mark "Show hidden files and folders" click ok.

Now see if you can find wincfg.scr. Right click it and delete it. It's not elastic so it won't come back unless you go to the place where you got it from.

Taskmgr.exe is, however, which is a good thing. Close everything down and reboot. Then hit CTRL-ALT-DEL and see if taskmgr is still up and functioning. If it is, then great. You're fixed.


----------



## sedgwic (Aug 23, 2003)

No one had mentioned this, but I also noted something odd about the wincfg.scr file: its icon. On mine, it was a rather rude image. I won't go into detail as I've just registered with this forum, I don't know how well a description of such an image would go over with the chiefs, and lastly I don't want to get booted from such an informative place. Thank you all for your help.

ciao.sedg


----------



## KennLPeters (Sep 1, 2003)

I was able to find out information regarding the prefetch directory mentioned earlier in these posts. The winnt\prefetch or windows\prefetch directory is one that Windows uses to make itself boot faster. If you have wincfg.scr in that directory you can delete it from there without harm.

P.S. I got the worm from a newsgroup using XNews. My suggestion: do not download or decode any *.scr you find in newsgroups. Bad news.


----------

