|
|
|
msconfig32x.exe
Showing all messages in thread #1127752509
Windows 2000 Annoyances Discussion Forum
The following are all of the messages in this thread (6 in all), shown in chronological order. Click any message subject to view that message by itself or to view the thread hierarchy.
|
msconfig32x.exe
Monday, September 26, 2005 at 9:35 am
Posted by John
(4 messages posted)
Hi, having just done a clean reinstal of Win 2000 due to virus damage, I let the
file msconfig32x.exe (note the 'x' after 32) in my C:\WINNT\system32 folder through
my AVG antivirus and let it perform an action online, assuming it was something to
do with the browser upgrade to IE5.5 I'd just installed.
But then when I signed back in, the connection icon shows I'm apparently downloading
something all the time, whether a browser window is open or not. To be on the safe
side I managed to stop unlisted programs from connecting via the AVG control centre,
which solves the problem to a certain extent, but is this a real system file or virus?
AVG sees nothing suspicious in it, and the virus database is up to date.
What worries me is I can't find any reference to a file of that name, with the 'x'
suffix, in microsoft.com or even google!
Any help would be appreciated, thanks -
John.
[Reply or follow-up to this message]
| |
re: msconfig32x.exe
Monday, September 26, 2005 at 11:26 am
Posted by DEX
(11847 messages posted)
John
It may have rename the file to hide the virus.
Use HiJack This to take it off the machine.
Then reboot into safemode and edit the reg.file to make sure it's gone.
download HiJack This ver.1.98.2
Use this program with care it will take out many items.
For the advance computer user.
download from:
http://www.majorgeeks.com/download3155.html
Also read the one below
http://www.help2go.com/article153.html
Or from
http://tools.radiosplace.com/HijackThis.exe
ver. 1.91
-------------------------------
http://research.pestpatrol.com/HowTo/How_To_Clear_a_Hijack.asp
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
******>>>>>>>>>>********>>>>>>>
ONCE YOU HAVE THE LOG FILE USE THIS SITE TO
Help You ANALYZE IT.......,see below
http://hijackthis.de/index.php?langselect=english
Post it at
http://hijackthis.de/index.php?langselect=english
Read the Web Page when it pops up
If you are NOT sure don't check the item to be removed
READ,READ,READ
When your done go back and do it one more time
to make sure you got them all...
NOTE***it will make a back up so you can put them
back in if you need to,,,see desktop for folder and files
when your done with the 2nd pass....
------------------------
MSCONFIG32.EXE - Dangerous
--------------------------------------------------------------------------------
msconfig32.exe
W32.Tulu virus.
When W32.Tulu is executed, it attempts to copy itself as
%system%\Rundll32.exe
and
%windir%\Msconfig32.exe
where:
%windir% is C:\Windows or C:\Winnt
%system% is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000),
or C:\Windows\System32 (Windows XP).
Virus add the value:
shell %system%\rundll32.exe
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs each time that you start Windows.
Also creates the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Ktulu
This key is used by the macro component of the virus.
The virus next attempts to locate the Microsoft Word global template, Normal.dot.
If the virus finds the file, it infects the file with a macro virus.
The only purpose of the macro virus is to execute the W32.Tulu virus.
The virus now stays memory resident. Every few minutes, it attempts to copy itself
to drive A.
How to delete this virus:
1. Run a full system scan whit your antivirus tools.
If any files are detected as infected with W32.Tulu, click Delete.
For example, Symantec antivirus products detect this macro component as W97M.Tulu.
If any files are detected as infected with W97M.Tulu, click Repair.
2. Delete the value "shell" from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
------------------------------------------
On Monday, September 26, 2005 at 9:35 am, John wrote:
>Hi, having just done a clean reinstal of Win 2000 due to virus damage, I let the
>file msconfig32x.exe (note the 'x' after 32) in my C:\WINNT\system32 folder through
>my AVG antivirus and let it perform an action online, assuming it was something
to
>do with the browser upgrade to IE5.5 I'd just installed.
>
>But then when I signed back in, the connection icon shows I'm apparently downloading
>something all the time, whether a browser window is open or not. To be on the safe
>side I managed to stop unlisted programs from connecting via the AVG control centre,
>which solves the problem to a certain extent, but is this a real system file or
virus?
>AVG sees nothing suspicious in it, and the virus database is up to date.
>
>What worries me is I can't find any reference to a file of that name, with the 'x'
>suffix, in microsoft.com or even google!
>
>Any help would be appreciated, thanks -
>John.
[Reply or follow-up to this message]
|
re: msconfig32x.exe
Tuesday, September 27, 2005 at 12:47 am
Posted by John
(4 messages posted)
Thanks for the info, DEX - I don't feel quite confident enough to use Hijack This
yet, or changing the registry without being sure of what I'm doing.
I configured AVG so that msconfig32x.exe is now permanently blocked from access,
and the whole system seems to be running very much better.
Would it be dangerous to the PC to either delete the above file or 'quarantine' it
in another folder? Would the original file be on the Win2000 installation disk, and
if so, could I just replace the file and then delete the 'x' version?
TIA - John.
On Monday, September 26, 2005 at 11:26 am, DEX wrote:
>John
>It may have rename the file to hide the virus.
>Use HiJack This to take it off the machine.
>Then reboot into safemode and edit the reg.file to make sure it's gone.
>
>download HiJack This ver.1.98.2
>Use this program with care it will take out many items.
>For the advance computer user.
>download from:
>http://www.majorgeeks.com/download3155.html
>Also read the one below
>http://www.help2go.com/article153.html
>Or from
>http://tools.radiosplace.com/HijackThis.exe
>ver. 1.91
>-------------------------------
>http://research.pestpatrol.com/HowTo/How_To_Clear_a_Hijack.asp
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>******>>>>>>>>>>********>>>>>>>
>ONCE YOU HAVE THE LOG FILE USE THIS SITE TO
>Help You ANALYZE IT.......,see below
>
>http://hijackthis.de/index.php?langselect=english
>
>Post it at
>
>http://hijackthis.de/index.php?langselect=english
>
>
>
>Read the Web Page when it pops up
>If you are NOT sure don't check the item to be removed
>READ,READ,READ
>When your done go back and do it one more time
>to make sure you got them all...
>NOTE***it will make a back up so you can put them
>back in if you need to,,,see desktop for folder and files
>when your done with the 2nd pass....
>------------------------
>MSCONFIG32.EXE - Dangerous
>
>--------------------------------------------------------------------------------
>
>msconfig32.exe
>W32.Tulu virus.
>
>When W32.Tulu is executed, it attempts to copy itself as
>%system%\Rundll32.exe
>and
>%windir%\Msconfig32.exe
>where:
>%windir% is C:\Windows or C:\Winnt
>%system% is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000),
>or C:\Windows\System32 (Windows XP).
>
>Virus add the value:
>shell %system%\rundll32.exe
>to the registry key
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>so that the worm runs each time that you start Windows.
>
>Also creates the registry key
>HKEY_LOCAL_MACHINE\Software\Microsoft\Ktulu
>This key is used by the macro component of the virus.
>
>The virus next attempts to locate the Microsoft Word global template, Normal.dot.
>If the virus finds the file, it infects the file with a macro virus.
>The only purpose of the macro virus is to execute the W32.Tulu virus.
>
>The virus now stays memory resident. Every few minutes, it attempts to copy itself
>to drive A.
>
>How to delete this virus:
>
>1. Run a full system scan whit your antivirus tools.
>If any files are detected as infected with W32.Tulu, click Delete.
>
>For example, Symantec antivirus products detect this macro component as W97M.Tulu.
>If any files are detected as infected with W97M.Tulu, click Repair.
>
>2. Delete the value "shell" from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
>
>------------------------------------------
>
>
[Reply or follow-up to this message]
|
re: msconfig32x.exe
Tuesday, September 27, 2005 at 6:48 am
Posted by DEX
(11847 messages posted)
John
quarantine the file,that should be fine the msconfig32 is NOT a windows file, windows
dropped the file called msconfig in win2k but you can see it in XP but not as msconfig32
or32x.
But if you don't feel confident to run HijackThis and edit the reg. file don't that's
a good view point.
Many machines will crash because the reg.files runs the machine and you have a error
it will lock it up at boot.
I would tell you to back the reg file b/4 you try it but you don't want to if you
have the virus call still in the reg.file.
On Tuesday, September 27, 2005 at 12:47 am, John wrote:
>Thanks for the info, DEX - I don't feel quite confident enough to use Hijack This
>yet, or changing the registry without being sure of what I'm doing.
>
>I configured AVG so that msconfig32x.exe is now permanently blocked from access,
>and the whole system seems to be running very much better.
>
>Would it be dangerous to the PC to either delete the above file or 'quarantine'
it
>in another folder? Would the original file be on the Win2000 installation disk,
and
>if so, could I just replace the file and then delete the 'x' version?
>
>TIA - John.
>
>
>
[Reply or follow-up to this message]
|
re: msconfig32x.exe
Wednesday, September 28, 2005 at 12:56 am
Posted by John
(4 messages posted)
Thanks DEX, I quarantined the file with no ill effects, the system boots up fine.
I've also downloaded Hijack This so I can learn how to use it by the time the next
crisis arises!
On Tuesday, September 27, 2005 at 6:48 am, DEX wrote:
>John
>quarantine the file,that should be fine the msconfig32 is NOT a windows file, windows
>dropped the file called msconfig in win2k but you can see it in XP but not as msconfig32
>or32x.
>But if you don't feel confident to run HijackThis and edit the reg. file don't that's
>a good view point.
>Many machines will crash because the reg.files runs the machine and you have a error
>it will lock it up at boot.
>I would tell you to back the reg file b/4 you try it but you don't want to if you
>have the virus call still in the reg.file.
>
>
>
[Reply or follow-up to this message]
|
re: msconfig32x.exe
Wednesday, September 28, 2005 at 7:34 am
Posted by DEX
(11847 messages posted)
You're Welcome John
Have a good week
On Wednesday, September 28, 2005 at 12:56 am, John wrote:
>Thanks DEX, I quarantined the file with no ill effects, the system boots up fine.
>
>I've also downloaded Hijack This so I can learn how to use it by the time the next
>crisis arises!
>
>
>
[Reply or follow-up to this message]
| |
| |
Tip: Use one of the [Reply or follow-up to this message] links above to add a message to this thread
| |
Return to the Windows 2000 Discussion Forum
|
|
|
|
