

Possible Virus Problem

Posted on 2003-11-17
Medium Priority
Last Modified: 2011-09-20
I have a customer who has a Windows 2000 Server w/SP4 that was originally having a problem with Backup Exec.  After rebooting the server, I could get into Backup Exec and I performed a test backup successfully.  When their nightly backup runs, it fails (nothing gets backed up).  Upon further investigation, I have found the following issues with the server:

1.  Can't access the properties of the Local Area Connection, gives message "An unexpected error has occurred."
2.  In Internet Explorer, if I click on Help, About it does not show what version of IE it is.
3.  If I go into Add/Remove programs, it doesn't show anything listed.
4.  When I checked the processes that are running, I saw one in particular, WINCFGMAN32.EXE, whose utilization would spike somewhere between 75% and 90%, go to zero, spike again, go to 0, and so on, so the CPU Utilization looks like a rollercoaster.  I found WINCFGMAN32.EXE in C:\WINNT\SYSTEM32; however, I get zero hits when I search Google, zero hits on Microsoft, and zero hits on Symantec.  I tried to end the process but it said "Access denied."
5.  Network Monitor won't run, can't find NETMON.EXE.
6.  If I click on Start, Find, the search window doesn't open, nothing happens.
7.  If I go into Device Manager and double-click on a device, the property window does not appear.  If I then try to close Device Manager, I get a message stating that Device Manager can't close until all of the property windows are closed.
8.  I can't run Windows Update.
9.  Symantec Antivirus Corporate Edition 8.1 real-time protection does not run and if I try to open SAVCE it opens for about 2 seconds then goes away.  Sometimes if I'm not quick enough the password prompt for SAVCE will disappear before I've had a chance to type in the whole password.
10.  If I go to Microsoft's Knowledge Base and try to select a specific product to search, the product list is blank.
11.  The customer has a LAN modem which for the last few days has not been working most of the time.  I'm not sure if it's related to the server problems or not.  I had previously tried running the virus detection program from Symantec's web site but it never did run.

All users can login fine and access their data and print to the network plotter which prints through the server.  I have run the virus removal tools for Blaster, Sobig, Swen and Welchia and each found zero instances of those viruses.  I'm figuring it's most likely a virus problem.  

If anyone has heard anything about the file WINCFGMAN32.EXE, please let me know.  If you have any thoughts, ideas, etc. I would greatly appreciate hearing your input.

Rob Pritchard
Newark, DE
Question by:robpritchard
LVL 32

Assisted Solution

LucF earned 200 total points
ID: 9767337
Never heard of wincfgman32.exe, but I have heard of wincfg32.exe, which is a virus. I suggest you start running one of these:


LVL 49

Expert Comment

ID: 9767508

Run Hijackthis and give us the log file .. We can sort out the issue here



Accepted Solution

MSGeek earned 500 total points
ID: 9768481
If you boot into safe mode, I suspect you can run a scan with SAV CE and get the culprit.  LucF and Sunray have given good information.

If in fact the file is wincfg32.exe SARC has complete removal instructions at: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.silverftp.html 

If that were my network I would pull every cable at the switches, start with the server and go workstation by workstation until I was sure I was clean.  This one calls for an all-nighter.  The longer you leave it, the more damage it will inflict.  Good luck, MSGeek.

Assisted Solution

wtrmk74 earned 300 total points
ID: 9776380
It sounds like a variant of the Trojan Horse Backdoor

Discovered on: September 26, 2002  


Backdoor.Elitem consists of two parts: the server part that runs on the infected computer, and the client part that is run by the hacker.

When the server part of Backdoor.Elitem runs, it does the following:

It copies itself as C:\%windir%\System32\Wincfg.exe. The attribute of this file is set to hidden.

NOTE: %windir% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself into the System32 subfolder in that location.

It adds the value

Wincfg.exe C:\%Windir%\System32\Wincfg.exe

to the registry key


so that the Trojan runs each time that you start Windows.


Restart the computer in Safe mode.
Click Start, and click Run. The Run dialog box appears.
Type regedit and then click OK. The Registry Editor opens.
Navigate to the following key:


In the right pane, delete the following value:

Wincfgman.exe C:\%Windir%\System32\Wincfgman.exe

Click Registry, and click Exit.

Verify that the file is no longer in your WINNT\System32 folder, and empty the Recycle Bin.

I wouldn't expect your virus update to detect anything... It looks like you discovered a new TROJAN.
Report your findings to your software vendor.

I will do the same!


Expert Comment

ID: 9821773
Did anything happen?

Author Comment

ID: 9824464
Sorry for the delayed response.  Work has been murder the past two weeks and myself and my family got the flu bug last week.

I've resolved the problem.  The file in question is definitely WINCFGMAN32.EXE, which was running as a service.  I booted the server in Safe Mode, ran RegEdit and removed the two registry entries that I found:
HKey_local_machine\software\microsoft\windows\currentversion\run - the name of the entry was "Windows Config Manager", Type was REG_SZ, Data value set to WINCFGMAN32.EXE
HKey_local_machine\software\microsoft\windows\currentversion\runservices - same info as the above entry.

While in Safe Mode, I was able to access SAV Corp. Edition.  Although the virus definition file was dated 11/5/03, I went ahead and did a full system scan and it didn't find any viruses.  I then booted in Normal mode and I didn't experience any of the problems that I listed in my original post.  I was able to run LiveUpdate and ran another full system scan - no viruses found.  I had previously physically disconnected all of the workstations from the network.  While the system scan was running on the server, I went around to each workstation, applied the latest virus definition file that I had downloaded and burned to a CD, ran a full system scan on each workstation (except for one) and did a search on each system for WINCFG*.*.  No viruses were found on any of the workstations and I did not find any WINCFG*.* files.  The one workstation that I did not run a full system scan on has a problem with the antivirus software: it's listed in Start, Programs and the program folder is there, but the folder is empty.  I have to go back and resolve this in order to check for viruses on this workstation.

I saved a copy of the WINCFGMAN32.EXE to a floppy disk.  I haven't had a chance to contact Symantec yet.  I appreciate everyone's input.  I've definitely gained a lot of knowledge from all of your responses.

Thanks and Happy Thanksgiving!
Rob Pritchard
Newark, DE
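The asker found the same "Windows Config Manager" value under both the Run and RunServices keys, pointing at a bare WINCFGMAN32.EXE with no path. The script below is an added example, not code from this thread or from Symantec: it parses a regedit .reg export offline (the sample export is constructed to mirror the entries reported above) and flags autorun values that are not on a hypothetical allowlist, launch a bare file name, or are duplicated across the two keys.

```python
import re

# The two autostart keys the trojan in this thread was registered under.
HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
AUTORUN_KEYS = (HKLM_CV + r"\Run", HKLM_CV + r"\RunServices")
KNOWN_GOOD = {"vptray.exe"}  # hypothetical allowlist of autorun binaries expected on this server
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="data" (REG_SZ)

# Constructed .reg export modelled on the entries the asker reported; not a real dump.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\Symantec AntiVirus\\vptray.exe"
"Windows Config Manager"="WINCFGMAN32.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Config Manager"="WINCFGMAN32.EXE"
'''

def parse_reg_export(text):
    """Collect the REG_SZ values of a regedit export as {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            # .reg files double backslashes and escape embedded quotes; undo both.
            name, data = (g.replace('\\\\', '\\').replace('\\"', '"') for g in m.groups())
            keys[current][name] = data
    return keys

def image_name(data):
    """Lower-cased file name of the executable a Run value launches (quoted or bare)."""
    m = re.match(r'(?i)\s*(?:"([^"]*)"|(.*?\.exe)(?=\s|$)|(\S*))', data)
    image = next(g for g in m.groups() if g is not None)
    return image.rsplit("\\", 1)[-1].lower()

def audit_autoruns(keys):
    """Return (subkey, value name, reason) for values that are not allowlisted, launch a
    bare file name the loader resolves via the search path, or repeat across both keys."""
    findings, where = [], {}
    for key in AUTORUN_KEYS:
        subkey = key.rsplit("\\", 1)[-1]
        for name, data in keys.get(key, {}).items():
            base = image_name(data)
            where.setdefault(base, []).append(subkey)
            if base not in KNOWN_GOOD:
                bare = "; bare file name" if "\\" not in data else ""
                findings.append((subkey, name, f"{base}: not allowlisted{bare}"))
    for base, subkeys in where.items():
        if len(subkeys) > 1 and base not in KNOWN_GOOD:
            findings.append(("*", base, "registered under " + " and ".join(subkeys)))
    return findings
```

On a live machine the export would come from regedit (File, Export) of the CurrentVersion key, reviewed from a clean workstation rather than the suspect server, whose shell and management consoles the asker found unreliable.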

Expert Comment

ID: 9827171
I'm glad to hear that your system is restored and the manual removal of this new trojan worked well.

Have a great Thanksgiving and remember to close this question.


Expert Comment

ID: 9828919
Glad you got it resolved.  You took the appropriate measures.  Have a happy.  MSGeek
