re: msconfig32x.exe
Tuesday, September 27, 2005 at 12:47 am Windows 2000 Annoyances Discussion Forum
Posted by John
(4 messages posted)
Thanks for the info, DEX - I don't feel quite confident enough to use Hijack This
yet, or changing the registry without being sure of what I'm doing.
I configured AVG so that msconfig32x.exe is now permanently blocked from access,
and the whole system seems to be running very much better.
Would it be dangerous to the PC to either delete the above file or 'quarantine' it
in another folder? Would the original file be on the Win2000 installation disk, and
if so, could I just replace the file and then delete the 'x' version?
TIA - John.
On Monday, September 26, 2005 at 11:26 am, DEX wrote:
>John
>It may have renamed the file to hide the virus.
>Use HiJack This to take it off the machine.
>Then reboot into safe mode and edit the reg.file to make sure it's gone.
>
>download HiJack This ver.1.98.2
>Use this program with care; it will take out many items.
>For the advanced computer user.
>download from:
>http://www.majorgeeks.com/download3155.html
>Also read the one below
>http://www.help2go.com/article153.html
>Or from
>http://tools.radiosplace.com/HijackThis.exe
>ver. 1.91
>-------------------------------
>http://research.pestpatrol.com/HowTo/How_To_Clear_a_Hijack.asp
>ONCE YOU HAVE THE LOG FILE USE THIS SITE TO
>Help You ANALYZE IT, see below
>
>http://hijackthis.de/index.php?langselect=english
>
>Post it at
>
>http://hijackthis.de/index.php?langselect=english
>
>
>
>Read the Web Page when it pops up
>If you are NOT sure don't check the item to be removed
>READ, READ, READ
>When you're done go back and do it one more time
>to make sure you got them all...
>NOTE: it will make a backup so you can put them
>back in if you need to; see desktop for folder and files
>when you're done with the 2nd pass.
>------------------------
>MSCONFIG32.EXE - Dangerous
>
>--------------------------------------------------------------------------------
>
>msconfig32.exe
>W32.Tulu virus.
>
>When W32.Tulu is executed, it attempts to copy itself as
>%system%\Rundll32.exe
>and
>%windir%\Msconfig32.exe
>where:
>%windir% is C:\Windows or C:\Winnt
>%system% is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000),
>or C:\Windows\System32 (Windows XP).
>
>The virus adds the value:
>shell %system%\rundll32.exe
>to the registry key
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>so that the worm runs each time that you start Windows.
>
>It also creates the registry key
>HKEY_LOCAL_MACHINE\Software\Microsoft\Ktulu
>This key is used by the macro component of the virus.
>
>The virus next attempts to locate the Microsoft Word global template, Normal.dot.
>If the virus finds the file, it infects the file with a macro virus.
>The only purpose of the macro virus is to execute the W32.Tulu virus.
>
>The virus now stays memory resident. Every few minutes, it attempts to copy itself
>to drive A.
>
>How to delete this virus:
>
>1. Run a full system scan with your antivirus tools.
>If any files are detected as infected with W32.Tulu, click Delete.
>
>For example, Symantec antivirus products detect this macro component as W97M.Tulu.
>If any files are detected as infected with W97M.Tulu, click Repair.
>
>2. Delete the value "shell" from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
>
>------------------------------------------
>
>
- Written in response to:
- re: msconfig32x.exe (DEX: Monday, September 26, 2005 at 11:26 am)
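
Added example (not part of either post, and not HijackThis code): a read-only check of a saved HijackThis log for the startup entry and file name that the quoted W32.Tulu write-up describes. It assumes HijackThis's usual `O4 - HKLM\..\Run: [name] command` line layout; the sample log is constructed, and `msconfig32x.exe` is matched only because it is the name reported in this thread.

```python
import re
from ntpath import basename

# Constructed HijackThis-style log excerpt (not taken from the thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\msconfig32x.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe /startup
O4 - HKLM\..\Run: [shell] C:\WINNT\System32\rundll32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
"""

# Assumed layout of a startup line: O4 - <hive>\..\<key>: [<value name>] <command>
RUN_ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

# File names from the write-up (Msconfig32.exe) and from this thread (msconfig32x.exe).
DROPPED_NAME = re.compile(r"(?<![\w.])msconfig32x?\.exe\b", re.IGNORECASE)


def scan_hijackthis_log(text):
    """Return (line_number, reason) tuples for lines matching the write-up."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        entry = RUN_ENTRY.match(line)
        if entry:
            hive, key, name, command = entry.groups()
            # The write-up's value is a bare rundll32.exe path. Ordinary
            # rundll32 startup entries pass a DLL argument, so a command
            # with arguments does not reduce to this basename.
            target = basename(command.strip('"')).lower()
            if (hive == "HKLM" and key == "Run"
                    and name.lower() == "shell" and target == "rundll32.exe"):
                findings.append((number, "Run value 'shell' starts rundll32.exe"))
        hit = DROPPED_NAME.search(line)
        if hit:
            findings.append((number, "references " + hit.group(0).lower()))
    return findings


if __name__ == "__main__":
    for number, reason in scan_hijackthis_log(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

A match only marks a line for closer review against the write-up; the script changes nothing on the machine.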