NT 40 Workstation -- Spybot32 worm -- ???? - Windows NT

This is a discussion on NT 40 Workstation -- Spybot32 worm -- ???? - Windows NT ; Norton AV is telling me that in NT 40, with service pack 6a, I have a file at: C:\winnt\system32\wincfg.scr that has a spybot32 worm. On boot up and initialization, I get an NT screen that tells me that "One or ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: NT 40 Workstation -- Spybot32 worm -- ????

  1. NT 40 Workstation -- Spybot32 worm -- ????

    Norton AV is telling me that in NT 40, with service pack 6a, I have a
    file at:

    C:\winnt\system32\wincfg.scr

    that has a spybot32 worm.


    On boot up and initialization, I get an NT screen that tells me that
    "One or more services have failed to load, yadda yadda yadda", and then get
    a Norton warning about spybot32 worm.

    Manually running a virus/worm sweep with NAV with the latest definitions
    repeatedly shows one and one only worm, spybot32, on the wincfg.scr file.

    Going through the NAV repair . quarantine features, NAV tells me that it
    can't fix the wincfg.scr file but that it can and will quarantine it.

    I can easily find the wincfg.scr file in the WINNT/system32 directory.

    I can't locate a clean copy of wincfg.scr anywhere on the original winnt
    4.0; winnt workstation 4.0 or winnt service pack 4 disks I have.

    (I installed SP 5 and SP 6a through download from MS.)

    I want to delete the dirty copy of wincfg.scr and replace it with a
    clean copy from an original MS winnt disk.

    In theory the .scr extension on the infected file tells me it is a
    screen saver.

    I am beginning to wonder if the entirety of the dirty wincfg.scr is all
    and only the worm, masquerading as a valid .scr file.

    If there is no wincfg.scr file in winnt, that may be what is going on.

    Any ideas?





    --
    Jim McLaughlin
    ************************************************** **************************
    ************************************************** **************************
    I am getting really tired of spam, so the reply address is munged.
    Please don't just hit the reply key.
    Remove the obvious from the address to reply.
    ************************************************** **************************
    ************************************************** **************************
    Special treat for spambots:
    abuse@ftc.gov, spam@ftc.gov, uce@ftc.gov

    ************************************************** *************************



  2. Re: NT 40 Workstation -- Spybot32 worm -- ????


    Jim McLaughlin wrote:

    > Norton AV is telling me that in NT 40, with service pack 6a, I have a
    > file at:
    >
    > C:\winnt\system32\wincfg.scr
    >
    > that has a spybot32 worm.
    >
    > On boot up and initialization, I get an NT screen that tells me that
    > "One or more services have failed to load, yadda yadda yadda", and then get
    > a Norton warning about spybot32 worm.
    >
    > Manually running a virus/worm sweep with NAV with the latest definitions
    > repeatedly shows one and one only worm, spybot32, on the wincfg.scr file.
    >
    > Going through the NAV repair . quarantine features, NAV tells me that it
    > can't fix the wincfg.scr file but that it can and will quarantine it.
    >
    > I can easily find the wincfg.scr file in the WINNT/system32 directory.
    >
    > I can't locate a clean copy of wincfg.scr anywhere on the original winnt
    > 4.0; winnt workstation 4.0 or winnt service pack 4 disks I have.
    >
    > (I installed SP 5 and SP 6a through download from MS.)
    >
    > I want to delete the dirty copy of wincfg.scr and replace it with a
    > clean copy from an original MS winnt disk.
    >
    > In theory the .scr extension on the infected file tells me it is a
    > screen saver.
    >
    > I am beginning to wonder if the entirety of the dirty wincfg.scr is all
    > and only the worm, masquerading as a valid .scr file.
    >
    > If there is no wincfg.scr file in winnt, that may be what is going on.
    >
    > Any ideas?
    >
    > --
    > Jim McLaughlin


    Some information here:

    http://boards.cexx.org/viewtopic.php...608e43667215da

    (Line may wrap.)


+ Reply to Thread