
strange startup files and win32cfg


yankele

Oct 24, 2003, 4:08:20 PM
I recently noticed in my RunOnce value in the Win2k
registry an entry called MS38495 for which the value was
win32cfg.exe. That file exists in my WINNT/System32
directory but is not identifiable. If I try to remove the
entry from the RunOnce listing, it reinstalls itself. I
have been unable to identify the MS38495 name either in
the MS Knowledge Base or in the Newsgroups, nor have I
been able to come up with much for win32cfg.exe. I think I
remember seeing somewhere that it was a "nasty" file but I
can't seem to track it down. A search in the registry led
me to discover that the entry for win32cfg.exe was in the
following key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon] where Shell was given the
value explorer.exe Win32cfg.exe.
When I deleted that value, I was able to stop the file
from loading and so far everything seems to be running
correctly. Am I correct in assuming that such an entry
should not appear in the Shell value which should be only
explorer.exe?
Can anyone tell me what win32cfg.exe is and whether or not
it is useful to let it run?
Thanks.
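The persistence mechanism described in the post above (a second program appended to Winlogon's Shell value, which relaunches the binary and re-creates the RunOnce entry each logon) can be audited on a current Windows host with the PowerShell below. This is an added example, not code from the original thread or from any of the posters; the function names, the "SUSPECT"/"CHECK" labels, and the assumption that explorer.exe is the only legitimate Shell entry are mine, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example, not from the original thread: audit the Winlogon Shell value
# and the Run/RunOnce autostart keys for anything that is not the expected
# explorer.exe, then inspect the binary each entry points at.
# Run from an elevated PowerShell prompt on the host being examined.

# Microsoft documents Shell as a comma-separated list; the thread shows it
# appended with a space ("explorer.exe Win32cfg.exe"), so split on both.
function Get-WinlogonShellEntries {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ([string]::IsNullOrWhiteSpace($shell)) { return @() }   # absent => default explorer.exe
    return @($shell -split '[,\s]+' | Where-Object { $_ -ne '' })
}

# Pull the executable out of an autorun command line ("C:\x y\a.exe" /q,
# a.exe, %windir%\a.exe) and resolve a bare filename the way the loader
# would, System32 first, then PATH.
function Resolve-AutorunExe([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        $exe = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $inSystem32 = Join-Path $env:SystemRoot "System32\$exe"
        if (Test-Path -LiteralPath $inSystem32) { return $inSystem32 }
        $onPath = Get-Command $exe -ErrorAction SilentlyContinue
        if ($onPath) { return $onPath.Source }
    }
    return $exe
}

# Existence, Authenticode status and SHA-256 of a resolved path. An unsigned
# or unknown binary in an autostart location is exactly the win32cfg.exe case.
function Get-AutorunFileInfo([string]$path) {
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Exists = $false; Signature = 'n/a'; Sha256 = 'n/a' }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    return [pscustomobject]@{ Path = $path; Exists = $true; Signature = $sig.Status; Sha256 = $hash }
}

# 1. Winlogon Shell: only explorer.exe belongs here.
$shellEntries = @(Get-WinlogonShellEntries)
if ($shellEntries.Count -eq 0) {
    Write-Output 'Winlogon Shell: (not set, default explorer.exe applies)'
}
foreach ($entry in $shellEntries) {
    $verdict = if ($entry -ieq 'explorer.exe') { 'OK     ' } else { 'SUSPECT' }
    $info = Get-AutorunFileInfo (Resolve-AutorunExe $entry)
    Write-Output ('{0} Winlogon Shell entry: {1} -> {2} exists={3} sig={4}' -f `
        $verdict, $entry, $info.Path, $info.Exists, $info.Signature)
}

# 2. Run/RunOnce under both hives. A RunOnce value that returns after being
#    deleted means something else (here the Shell value) re-creates it.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata, not values
        $info = Get-AutorunFileInfo (Resolve-AutorunExe ([string]$p.Value))
        $flag = if ($info.Exists -and $info.Signature -eq 'Valid') { 'signed ' } else { 'CHECK  ' }
        Write-Output ("{0} {1}\{2} = {3}`n        -> {4} exists={5} sig={6} sha256={7}" -f `
            $flag, $key, $p.Name, $p.Value, $info.Path, $info.Exists, $info.Signature, $info.Sha256)
    }
}
```

Anything other than explorer.exe in the Shell line is flagged regardless of signature, because there is no legitimate reason for a second shell entry on a workstation; Run/RunOnce entries are only flagged when the file is missing or unsigned, since signed vendor updaters routinely live there. The SHA-256 is printed so a flagged file can be looked up or submitted for analysis before it is deleted.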

Sir_George

Oct 24, 2003, 6:21:33 PM
yankele,

Visit the following Symantec site for some useful info;

http://securityresponse.symantec.com/avcenter/venc/data/false.nimda.aris.email.message.html

--
Sir_George
For better access to newsgroups;
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp


"yankele" <yankel...@hotmail.com> wrote in message
news:02a301c39a6a$92155bb0$a401...@phx.gbl...

YoKenny

Oct 24, 2003, 6:29:52 PM

yankele

Oct 25, 2003, 7:54:47 AM
"YoKenny" <YK...@home.invalid> wrote in message news:<#un2m5nm...@TK2MSFTNGP11.phx.gbl>...

Many thanks for the info. Hey, YoKenny, I DID do searches for
win32cfg in both Google and Symantec and came up with nothing useful.
However, after disabling the virus, I ran the searches again and this
time the searches were fruitful. I suspect that the virus may also
block web searches for it. I also noticed that the keyboard.* files
mentioned by Symantec as being a part of the trojan were absent from my
computer--a little strange. Furthermore, I am virtually certain that I
did not run this trojan myself. I do NOT open unidentified e-mail
attachments. And finally, I did an AVG scan of the win32cfg file using
the latest updates both before and after disabling the virus and both
times the result was negative! Hmmm...

Andrew Z Carpenter [now with added MVP!]

Oct 25, 2003, 8:43:04 AM
> "yankele" <yankele%%%cak...@hotmail.com> wrote in message
> news:2944723b.03102...@posting.google.com...

>
> Many thanks for the info. Hey, YoKenny, I DID do searches for
> win32cfg in both Google and Symantec and came up with nothing useful.
> However, after disabling the virus, I ran the searches again and this
> time the searches were fruitful. I suspect that the virus may also
> block web searches for it. I also noticed that the keyboard.* files
> mentioned by Symantec as being a part of the trojan were absent from my
> computer--a little strange. Furthermore, I am virtually certain that I
> did not run this trojan myself. I do NOT open unidentified e-mail
> attachments. And finally, I did an AVG scan of the win32cfg file using
> the latest updates both before and after disabling the virus and both
> times the result was negative! Hmmm...


You can submit the file to AVERT Labs for analysis at http://www.webimmune.net
or you can send it to me attached to an email. If it is identified as
being a threat, you will receive an automated email in return.

--
AZC
MVP


---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.530 / Virus Database: 325 - Release Date: 22/10/2003


yankele

Oct 26, 2003, 8:01:02 PM
"Andrew Z Carpenter [now with added MVP!]" <a...@FILTERcirencester.ac.uk> wrote in message news:<eUm9JWv...@TK2MSFTNGP12.phx.gbl>...

Darn! I tried to do just that by offering to send the file to AVG but
I received an automated response saying that support was provided only
to registered users. So I just deleted the file. I tried to recover it,
but too late--it's been quite a while now. Thanks anyway.
