re: msconfig32x.exe
Monday, September 26, 2005 at 11:26 am Windows 2000 Annoyances Discussion Forum
Posted by DEX
(11846 messages posted)
John
It may have renamed the file to hide the virus.
Use HiJack This to take it off the machine.
Then reboot into safe mode and edit the reg.file to make sure it's gone.
Download HiJack This ver. 1.98.2
Use this program with care; it will take out many items.
For the advanced computer user.
download from:
http://www.majorgeeks.com/download3155.html
Also read the one below
http://www.help2go.com/article153.html
Or from
http://tools.radiosplace.com/HijackThis.exe
ver. 1.91
-------------------------------
http://research.pestpatrol.com/HowTo/How_To_Clear_a_Hijack.asp
ONCE YOU HAVE THE LOG FILE, USE THIS SITE TO
HELP YOU ANALYZE IT (see below)
http://hijackthis.de/index.php?langselect=english
Post it at
http://hijackthis.de/index.php?langselect=english
Read the Web Page when it pops up
If you are NOT sure, don't check the item to be removed.
READ, READ, READ
When you're done, go back and do it one more time
to make sure you got them all.
NOTE: it will make a backup so you can put them
back in if you need to; see desktop for folder and files
when you're done with the 2nd pass.
------------------------
MSCONFIG32.EXE - Dangerous
--------------------------------------------------------------------------------
msconfig32.exe
W32.Tulu virus.
When W32.Tulu is executed, it attempts to copy itself as
%system%\Rundll32.exe
and
%windir%\Msconfig32.exe
where:
%windir% is C:\Windows or C:\Winnt
%system% is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000),
or C:\Windows\System32 (Windows XP).
The virus adds the value:
shell %system%\rundll32.exe
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs each time that you start Windows.
It also creates the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Ktulu
This key is used by the macro component of the virus.
The virus next attempts to locate the Microsoft Word global template, Normal.dot.
If the virus finds the file, it infects the file with a macro virus.
The only purpose of the macro virus is to execute the W32.Tulu virus.
The virus now stays memory resident. Every few minutes, it attempts to copy itself
to drive A.
How to delete this virus:
1. Run a full system scan with your antivirus tools.
If any files are detected as infected with W32.Tulu, click Delete.
For example, Symantec antivirus products detect this macro component as W97M.Tulu.
If any files are detected as infected with W97M.Tulu, click Repair.
2. Delete the value "shell" from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
------------------------------------------
On Monday, September 26, 2005 at 9:35 am, John wrote:
>Hi, having just done a clean reinstall of Win 2000 due to virus damage, I let the
>file msconfig32x.exe (note the 'x' after 32) in my C:\WINNT\system32 folder through
>my AVG antivirus and let it perform an action online, assuming it was something to
>do with the browser upgrade to IE5.5 I'd just installed.
>
>But then when I signed back in, the connection icon shows I'm apparently downloading
>something all the time, whether a browser window is open or not. To be on the safe
>side I managed to stop unlisted programs from connecting via the AVG control centre,
>which solves the problem to a certain extent, but is this a real system file or virus?
>AVG sees nothing suspicious in it, and the virus database is up to date.
>
>What worries me is I can't find any reference to a file of that name, with the 'x'
>suffix, in microsoft.com or even google!
>
>Any help would be appreciated, thanks -
>John.
- Written in response to:
- msconfig32x.exe (John: Monday, September 26, 2005 at 9:35 am)
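Added example, not part of DEX's post or of any tool mentioned in it: a Python check that scans the text of a regedit export for the two W32.Tulu registry artifacts described above, the "shell" value under the Run key and the Ktulu key. The sample export, the ExampleTray entry and the function names are constructed for illustration.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
KTULU_KEY = r"hkey_local_machine\software\microsoft\ktulu"
# "name"="data" lines (REG_SZ); backslash escapes are allowed inside the quotes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample of an exported registry fragment (not from a real machine)
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shell"="C:\\WINNT\\System32\\rundll32.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ktulu]
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}} from export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # string values only; hex: and dword: data is skipped
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def tulu_findings(text):
    """List the registry artifacts from the write-up that appear in the export."""
    keys = parse_reg(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Indicator 1: Run value named "shell" that launches rundll32.exe
        if name.lower() == "shell" and "rundll32.exe" in data.lower():
            findings.append(f"Run value {name!r} -> {data}")
    # Indicator 2: the Ktulu key (or any subkey of it) exists
    if any(k == KTULU_KEY or k.startswith(KTULU_KEY + "\\") for k in keys):
        findings.append("Ktulu key present")
    return findings

if __name__ == "__main__":
    for finding in tulu_findings(SAMPLE):
        print(finding)
```

Decode the export to text before passing it in, since regedit may write the file as UTF-16.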