Possible Virus Problem

Posted on 2003-11-17
Last Modified: 2011-09-20
I have a customer who has a Windows 2000 Server w/SP4 that originally had a problem with Backup Exec.  After rebooting the server, I could get into Backup Exec and I performed a test backup successfully.  When their nightly backup runs, it fails (nothing gets backed up).  Upon further investigation, I have found the following issues with the server:

1.  Can't access the properties of the Local Area Connection, gives message "An unexpected error has occurred."
2.  In Internet Explorer, if I click on Help, About it does not show what version of IE it is.
3.  If I go into Add/Remove programs, it doesn't show anything listed.
4.  When I checked the processes that are running, I saw one in particular, WINCFGMAN32.EXE, whose utilization would spike somewhere between 75% and 90%, go to zero, spike again, go to 0, and so on, so the CPU Utilization looks like a rollercoaster.  I found WINCFGMAN32.EXE in C:\WINNT\SYSTEM32 however, I get zero hits when I search Google, zero hits on Microsoft, and zero hits on Symantec.  I tried to end the process but it said "Access denied."
5.  Network Monitor won't run, can't find NETMON.EXE.
6.  If I click on Start, Find the search window doesn't open, nothing happens.
7.  If I go into Device Manager and double-click on a device, the property window does not appear.  If I then try to close Device Manager, I get a message stating that Device Manager can't close until all of the property windows are closed.
8.  I can't run Windows Update.
9.  Symantec Antivirus Corporate Edition 8.1 real-time protection does not run and if I try to open SAVCE it opens for about 2 seconds then goes away.  Sometimes if I'm not quick enough the password prompt for SAVCE will disappear before I've had a chance to type in the whole password.
10.  If I go to Microsoft's Knowledge Base and try to select a specific product to search, the product list is blank.
11.  The customer has a LAN modem which for the last few days has not been working most of the time.  I'm not sure if it's related to the server problems or not.  I had previously tried running the virus detection program from Symantec's web site but it never did run.

All users can login fine and access their data and print to the network plotter which prints through the server.  I have run the virus removal tools for Blaster, Sobig, Swen and Welchia and each found zero instances of those viruses.  I'm figuring it's most likely a virus problem.  

If anyone has heard anything about the file WINCFGMAN32.EXE, please let me know.  If you have any thoughts, ideas, etc. I would greatly appreciate hearing your input.

Thanks,
Rob Pritchard
Newark, DE
Question by:robpritchard
9 Comments
 
LVL 32

Assisted Solution

by:Luc Franken
Luc Franken earned 50 total points
ID: 9767337
Never heard of wincfgman32.exe, but I have heard of wincfg32.exe which is a virus. I suggest you start running one of these:

http://housecall.trendmicro.com/
http://security.symantec.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.pcpitstop.com/antivirus/default.asp

LucF
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9767508
robpritchard,

Run Hijackthis and give us the log file .. We can sort out the issue here

Thanks,
Sunray
 
LVL 9

Accepted Solution

by:
MSGeek earned 125 total points
ID: 9768481
If you boot into safe mode I suspect you can run a scan with SAV CE and get the culprit.  LucF and Sunray have given good information.

If in fact the file is wincfg32.exe SARC has complete removal instructions at: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.silverftp.html

If that were my network I would pull every cable at the switches, start with the server and go workstation by workstation until I was sure I was clean.  This one calls for an all nighter.  The longer you leave it the more damage it will inflict.  Good luck, MSGeek.
 
LVL 7

Assisted Solution

by:wtrmk74
wtrmk74 earned 75 total points
ID: 9776380
It sounds like a variant of the Trojan Horse Backdoor

Backdoor.Elitem  
Discovered on: September 26, 2002  

Details:

Backdoor.Elitem consists of two parts: the server part that runs on the infected computer, and the client part that is run by the hacker.

When the server part of Backdoor.Elitem runs, it does the following,

It copies itself as C:\%windir%\System32\Wincfg.exe. The attribute of this file is set to hidden.

NOTE: %windir% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself into the System32 subfolder in that location.

It adds the value

Wincfg.exe C:\%Windir%\System32\Wincfg.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs each time that you start Windows.


REMOVAL INSTRUCTIONS:

Restart the computer in Safe mode.
Click Start, and click Run. The Run dialog box appears.
Type regedit and then click OK. The Registry Editor opens.
Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the following value:

Wincfgman.exe C:\%Windir%\System32\Wincfgman.exe

Click Registry, and click Exit.

Verify that the file is no longer in your WINNT\System32 folder
and empty recycle bin

I wouldn't expect your virus update to detect anything. It looks like you discovered a new TROJAN.
Report your findings to your software vendor.

I will do the same!

wtrmk74
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9821773
Did anything happen?
 

Author Comment

by:robpritchard
ID: 9824464
Sorry for the delayed response.  Work has been murder the past two weeks and my family and I got the flu bug last week.

I've resolved the problem.  The file in question is definitely WINCFGMAN32.EXE, which was running as a service.  I booted the server in Safe Mode, ran RegEdit and removed the two registry entries that I found:
HKey_local_machine\software\microsoft\windows\currentversion\run - the name of the entry was "Windows Config Manager", Type was REG_SZ, Data value set to WINCFGMAN32.EXE
HKey_local_machine\software\microsoft\windows\currentversion\runservices - same info as the above entry.

While in Safe Mode, I was able to access SAV Corp. Edition.  Although the virus definition file was dated 11/5/03, I went ahead and did a full system scan and it didn't find any viruses.  I then booted in Normal mode and I didn't experience any of the problems that I listed in my original post.  I was able to run LiveUpdate and ran another full system scan - no viruses found.  I had previously physically disconnected all of the workstations from the network.  While the system scan was running on the server, I went around to each workstation, applied the latest virus definition file that I had downloaded and burned to a CD, ran a full system scan on each workstation (except for one) and did a search on each system for WINCFG*.*.  No viruses were found on any of the workstations and I did not find any WINCFG*.* files.  The one workstation that I did not run a full system scan on has a problem with the antivirus software, it's listed in Start, Programs and the program folder is there but the folder is empty.  I have to go back and resolve this in order to check for viruses on this workstation.

I saved a copy of the WINCFGMAN32.EXE to a floppy disk.  I haven't had a chance to contact Symantec yet.  I appreciate everyone's input.  I've definitely gained a lot of knowledge from all of your responses.

Thanks and Happy Thanksgiving!
Rob Pritchard
Newark, DE
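Both wtrmk74's removal instructions and the author's own fix come down to the same triage step: look at the autorun keys under HKLM\...\CurrentVersion (Run and RunServices here) and pick out the value that does not belong. The script below is an added example for this thread, not code from any of the posters or from Symantec. It parses the text that regedit's export (File, Export / regedit /e) or reg export writes, so the analysis can be done offline on a dump taken from the server, and flags three patterns from this case: a value whose command is a bare file name with no directory (like "WINCFGMAN32.EXE", resolved via the PATH at logon rather than a fixed location), the same value name planted in both Run and RunServices, and an image name matching an analyst-supplied glob such as WINCFG* (the pattern the author swept the workstations for). The .reg text embedded in the block is constructed to resemble this incident; it is not an export from the affected server, and the non-malicious entries in it are illustrative only.

```python
"""Triage autorun values from a regedit / ``reg export`` .reg dump.

Added example for this thread (not code from the original posts).
"""
import fnmatch
import re
from dataclasses import dataclass, field

# Autorun keys to inspect. RunServices/RunServicesOnce are honored by
# Windows 9x/Me rather than the NT family, but malware writes them anyway
# for portability, so on a Windows 2000 host their presence is itself a hint.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
_WANTED = {k.lower() for k in AUTORUN_KEYS}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed sample modelled on this incident (NOT a real export): two
# ordinary-looking Run values, the "Windows Config Manager" value the author
# found in both Run and RunServices, and a hex(2) blob spanning two lines.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="\"C:\\Program Files\\Symantec\\Symantec AntiVirus\\vptray.exe\""
"Synchronization Manager"="mobsync.exe /logon"
"Windows Config Manager"="WINCFGMAN32.EXE"
"Updater"=hex(2):43,00,3a,00,5c,00,75,00,\
  2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Config Manager"="WINCFGMAN32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"DisplayName"="Unrelated"
'''


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: list = field(default_factory=list)


def _unescape(s):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data, is_string) for every value in the dump.
    Lines ending in a backslash are continuations and get joined first."""
    key, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if (m := _KEY_RE.match(line)):
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            yield key, name, _unescape(data[1:-1]), True
        else:
            yield key, name, data, False  # hex:, dword:, hex(2): etc.


def image_name(command):
    """First token of a command line, honoring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(reg_text, ioc_globs=()):
    """Return a Finding for every autorun value that deserves a second look."""
    entries = [e for e in parse_reg(reg_text) if e[0].lower() in _WANTED]
    # Which autorun subkeys (run, runservices, ...) each value name appears in.
    by_name = {}
    for key, name, _, _ in entries:
        by_name.setdefault(name.lower(), set()).add(key.rsplit("\\", 1)[-1].lower())
    findings = []
    for key, name, data, is_string in entries:
        f = Finding(key, name, data)
        if not is_string:
            f.reasons.append("non-string data; decode and review manually")
        else:
            img = image_name(data)
            base = img.rsplit("\\", 1)[-1].lower()
            if "\\" not in img:  # weak signal on its own, strong with the others
                f.reasons.append("bare file name, resolved via PATH at logon")
            if any(fnmatch.fnmatch(base, g.lower()) for g in ioc_globs):
                f.reasons.append("image matches IOC pattern")
        if {"run", "runservices"} <= by_name[name.lower()]:
            f.reasons.append("same value planted in Run and RunServices")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG, ioc_globs=["WINCFG*"]):
        subkey = f.key.rsplit("\\", 1)[-1]
        print(f"{subkey:16} {f.name!r} -> {f.data!r}")
        for r in f.reasons:
            print("    -", r)
```

Run it against a dump taken in Safe Mode before deleting anything, so the original value names and data are preserved as evidence alongside the sample the author copied to floppy. A bare file name alone is noisy (legitimate Microsoft entries use it too); what made the author's entry stand out was the combination with an unknown image in System32 and the duplicate in RunServices, which is why the script reports reasons rather than a verdict.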
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9827171
I'm glad to hear that your system is restored and the manual removal of this new trojan worked well.

Have a great Thanksgiving and remember to close this question.


thanks,
wtrmk74
 
LVL 9

Expert Comment

by:MSGeek
ID: 9828919
Glad you got it resolved.  You took the appropriate measures.  Have a happy.  MSGeek