Possible Virus Problem

I have a customer who has a Windows 2000 Server w/SP4 that was originally having a problem with Backup Exec.  After rebooting the server, I could get into Backup Exec and I performed a test backup successfully.  When their nightly backup runs, it fails (nothing gets backed up).  Upon further investigation, I have found the following issues with the server:

1.  Can't access the properties of the Local Area Connection, gives message "An unexpected error has occurred."
2.  In Internet Explorer, if I click on Help, About it does not show what version of IE it is.
3.  If I go into Add/Remove programs, it doesn't show anything listed.
4.  When I checked the processes that are running, I saw one in particular, WINCFGMAN32.EXE, whose utilization would spike somewhere between 75% and 90%, go to zero, spike again, go to 0, and so on, so the CPU Utilization looks like a rollercoaster.  I found WINCFGMAN32.EXE in C:\WINNT\SYSTEM32 however, I get zero hits when I search Google, zero hits on Microsoft, and zero hits on Symantec.  I tried to end the process but it said "Access denied."
5.  Network Monitor won't run, can't find NETMON.EXE.
6.  If I click on Start, Find the search window doesn't open, nothing happens.
7.  If I go into Device Manager and double-click on a device, the property window does not appear.  If I then try to close Device Manager, I get a message stating that Device Manager can't close until all of the property windows are closed.
8.  I can't run Windows Update.
9.  Symantec Antivirus Corporate Edition 8.1 real-time protection does not run and if I try to open SAVCE it opens for about 2 seconds then goes away.  Sometimes if I'm not quick enough the password prompt for SAVCE will disappear before I've had a chance to type in the whole password.
10.  If I go to Microsoft's Knowledge Base and try to select a specific product to search, the product list is blank.
11.  The customer has a LAN modem which for the last few days has not been working most of the time.  I'm not sure if it's related to the server problems or not.  I had previously tried running the virus detection program from Symantec's web site but it never did run.

All users can login fine and access their data and print to the network plotter which prints through the server.  I have run the virus removal tools for Blaster, Sobig, Swen and Welchia and each found zero instances of those viruses.  I'm figuring it's most likely a virus problem.  

If anyone has heard anything about the file WINCFGMAN32.EXE, please let me know.  If you have any thoughts, ideas, etc. I would greatly appreciate hearing your input.

Thanks,
Rob Pritchard
Newark, DE
robpritchard asked:

LucF (EMEA Server Engineer) commented:
Never heard of wincfgman32.exe, but I have heard of wincfg32.exe which is a virus. I suggest you start running one of these:

http://housecall.trendmicro.com/ 
http://security.symantec.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.pcpitstop.com/antivirus/default.asp 

LucF
0
sunray_2003 commented:
robpritchard,

Run Hijackthis and give us the log file .. We can sort out the issue here

Thanks,
Sunray
0

MSGeek commented:
If you boot into safe mode I suspect you can run a scan with SAV CE and get the culprit.  LucF and Sunray have given good information.

If in fact the file is wincfg32.exe SARC has complete removal instructions at: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.silverftp.html 

If that were my network I would pull every cable at the switches, start with the server and go workstation by workstation until I was sure I was clean.  This one calls for an all nighter.  The longer you leave it the more damage it will inflict.  Good luck, MSGeek.
0

wtrmk74 commented:
It sounds like a variant of the Trojan Horse Backdoor

Backdoor.Elitem  
Discovered on: September 26, 2002  

Details:

Backdoor.Elitem consists of two parts: the server part that runs on the infected computer, and the client part that is run by the hacker.

When the server part of Backdoor.Elitem runs, it does the following,

It copies itself as C:\%windir%\System32\Wincfg.exe. The attribute of this file is set to hidden.

NOTE: %windir% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself into the System32 subfolder in that location.

It adds the value

Wincfg.exe C:\%Windir%\System32\Wincfg.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs each time that you start Windows.


REMOVAL INSTRUCTIONS:

Restart the computer in Safe mode.
Click Start, and click Run. The Run dialog box appears.
Type regedit and then click OK. The Registry Editor opens.
Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the following value:

Wincfgman.exe C:\%Windir%\System32\Wincfgman.exe

Click Registry, and click Exit.

Verify that the file is no longer in your WINNT\System32 folder
and empty the Recycle Bin.

I wouldn't expect your virus update to detect anything. It looks like you discovered a new TROJAN.
Report your findings to your software vendor.

I will do the same!

wtrmk74
0
wtrmk74 commented:
Did anything happen?
0
robpritchard (Author) commented:
Sorry for the delayed response.  Work has been murder the past two weeks, and my family and I got the flu bug last week.

I've resolved the problem.  The file in question is definitely WINCFGMAN32.EXE, which was running as a service.  I booted the server in Safe Mode, ran RegEdit and removed the two registry entries that I found:
HKey_local_machine\software\microsoft\windows\currentversion\run - the name of the entry was "Windows Config Manager", Type was REG_SZ, Data value set to WINCFGMAN32.EXE
HKey_local_machine\software\microsoft\windows\currentversion\runservices - same info as the above entry.

While in Safe Mode, I was able to access SAV Corp. Edition.  Although the virus definition file was dated 11/5/03, I went ahead and did a full system scan and it didn't find any viruses.  I then booted in Normal mode and I didn't experience any of the problems that I listed in my original post.  I was able to run LiveUpdate and ran another full system scan - no viruses found.  I had previously physically disconnected all of the workstations from the network.  While the system scan was running on the server, I went around to each workstation, applied the latest virus definition file that I had downloaded and burned to a CD, ran a full system scan on each workstation (except for one) and did a search on each system for WINCFG*.*.  No viruses were found on any of the workstations and I did not find any WINCFG*.* files.  The one workstation that I did not run a full system scan on has a problem with the antivirus software: it's listed in Start, Programs and the program folder is there, but the folder is empty.  I have to go back and resolve this in order to check for viruses on this workstation.

I saved a copy of the WINCFGMAN32.EXE to a floppy disk.  I haven't had a chance to contact Symantec yet.  I appreciate everyone's input.  I've definitely gained a lot of knowledge from all of your responses.

Thanks and Happy Thanksgiving!
Rob Pritchard
Newark, DE
0
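Both the removal instructions above and Rob's resolution come down to the same check: look in the HKLM Run and RunServices keys for an autostart entry that points at an executable nobody recognises. The script below is an added example, not code from the thread or from Symantec; it parses a registry export of the kind `regedit /e` produces and flags entries whose command is a bare file name (resolved through the search path, as "WINCFGMAN32.EXE" was) or whose executable is not on a caller-supplied known-good list. The sample export, the "vptray" entry and its path, and the known-good list are all constructed for the demonstration.

```python
"""Audit Run / RunServices autostart entries in a .reg export (added example)."""
import re
from dataclasses import dataclass, field

# The two autostart keys named in the thread (HKLM; Windows 2000 also honours RunServices).
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample export. Backslashes are doubled exactly as regedit writes them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"Windows Config Manager"="WINCFGMAN32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Config Manager"="WINCFGMAN32.EXE"

[HKEY_LOCAL_MACHINE\Software\Unrelated]
"ignored"="not an autostart location"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" lines; both sides may contain \" and \\ escape pairs.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr")


@dataclass
class Finding:
    key: str
    name: str
    command: str
    executable: str
    reasons: list = field(default_factory=list)  # empty list means nothing suspicious


def _unescape(s: str) -> str:
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key path: [(value name, string data), ...]} for REG_SZ values only."""
    entries: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            entries.setdefault(current, [])
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            entries[current].append(
                (_unescape(value_match.group(1)), _unescape(value_match.group(2)))
            )
    return entries


def _command_executable(command: str) -> str:
    """Pull the program path out of an autostart command line.

    Handles a quoted path, an unquoted path containing spaces, and a bare name.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXE_SUFFIXES):
            return candidate
    return tokens[0] if tokens else ""


def audit_autostart(reg_text: str, known_good=frozenset()) -> list:
    """List every Run/RunServices entry with the reasons (if any) it deserves a look."""
    known = {k.lower() for k in known_good}
    autostart = {k.lower() for k in AUTOSTART_KEYS}
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in autostart:
            continue
        for name, command in values:
            exe = _command_executable(command)
            base = exe.rsplit("\\", 1)[-1].lower()
            reasons = []
            if "\\" not in exe:
                reasons.append("bare file name: resolved through the search path, no fixed location")
            if base not in known:
                reasons.append("executable not on the known-good list")
            findings.append(Finding(key, name, command, exe, reasons))
    return findings


def suspicious(findings: list) -> list:
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    # Usage: point this at a real export (regedit /e run.reg <key>) instead of SAMPLE_REG.
    for f in suspicious(audit_autostart(SAMPLE_REG, known_good={"vptray.exe"})):
        print(f"{f.key.rsplit(chr(92), 1)[-1]:12} {f.name!r} -> {f.executable}: {'; '.join(f.reasons)}")
```

The known-good list is deliberately the caller's responsibility: the point of the thread is that a name like WINCFGMAN32.EXE has zero hits anywhere, so "not on my list" is the signal, and a bare file name in an autostart value is worth a second look on its own even when the binary turns out to be legitimate.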
wtrmk74 commented:
I'm glad to hear that your system is restored and the manual removal of this new trojan worked well.

Have a great Thanksgiving, and remember to close this question.


thanks,
wtrmk74
0
MSGeek commented:
Glad you got it resolved.  You took the appropriate measures.  Have a happy.  MSGeek
0
Windows 2000
