Topic: new spyware wincfg.scr ?  (Read 5261 times)
« on: July 26, 2003, 04:43:10 »
yellowfan Offline

This is my personal experience

I got it probably via usenet

It installed a program "wincfg.scr" in my c:\windows\system (Windows98 user)

I searched the web but got no answer.

This file attempted to access the net, but my firewall (ZA) detected it.
The problem was to remove it, as it blocked the use of the following commands:

regedit
msconfig

Of course the program was used by Windows so the delete key was not in use...

So I fixed the problem like this:

- I shut down my computer
- I connected an additional hard drive and booted with this one as "primary master", the other one being secondary master now
- Then I ran my computer under Windows95 in safe mode and renamed the wincfg.scr

Now my computer is running well
I got regedit and msconfig in use again

So I found in the "startup" panel an item called Winsock2 driver that launches it

If you have any info, please reply
Logged
« Reply #1 on: July 26, 2003, 05:07:01 »
Tony Klein Offline
Global Moderator


No spyware, but very likely a W32/Spybot worm variant.

Cheers,
Logged

« Reply #2 on: July 26, 2003, 05:12:46 »
Metallica Offline
Global Moderator


Most likely yes, regarding the Winsock2 driver.

You can verify this by checking if you have a \WINDOWS\SYSTEM32\kazaabackupfiles\ folder all of a sudden.

Regards,

Pieter
Logged

« Reply #3 on: July 31, 2003, 04:18:10 »
Ghostman046
Guest

You can boot to DOS and go to the windows\system dir. Run attrib wincfg.scr -h. The file will show up and can be deleted. After rebooting back into Windows, run regedit and remove all wincfg.scr from there. Should be in two locations.
Logged
« Reply #4 on: July 31, 2003, 21:11:39 »
Neill
Guest

Here's another board thread:

http://forums.techguy.org/showthread.php?s=226fe5e2ecd79aa1b3fa84ee76a7f5df&threadid=149985&pagenumber=2
Logged
« Reply #5 on: August 02, 2003, 14:29:05 »
nesbot
Guest

Something killed my soundcard.  It was always in use and so not available for any app to call it.  Did the usual with no fix.  I can't say wincfg.scr was the problem but that's why I was searching.  I knew something out of the ordinary was running.

I loaded a trial copy of StartUp Manager (http://www.rayslab.com/startup_manager/startup_manager.html)
and saw the winsock2 (several) and that led me to wincfg.scr.  I couldn't delete or rename.

I came here, found out it wasn't a normal windows file and had SM disable it.  Per some other post I did a safe mode boot, deleted it in regedit and renamed the file to wincfg.scr.virus.  In my case it appeared in the register THREE times.

That seemed to fix things.  I did a fresh live update to Norton AV.  When I went in the C:/window/system directory, it caught the renamed file and I had it delete it.

Side note, I do occasionally use Kazaa as Metallica noted, but I did NOT have the WINDOWS\SYSTEM32\kazaabackupfiles\  directory.

Thanks a million everyone for the info.
Logged
« Reply #6 on: August 03, 2003, 01:37:42 »
bigmac6 Offline

I managed to delete wincfg.scr (backdoor sdbot) using a product called "East Tech Eraser" free trial visit tucows, allowed me then to access registry and delete WINCFG.SCR here
Logged
« Reply #7 on: August 27, 2003, 20:51:54 »
Anonymous
Guest

I just booted into Safe Mode and deleted the file, then used regedit and found all the little pieces.
Logged
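
Added example, not part of the thread or written by any poster: several replies mention finding wincfg.scr in the registry two or three times. One way to list every such entry is to export the registry from regedit and scan the export offline. The sample export, its key paths and the function names below are constructed for illustration; only the "Winsock2 driver" name and the wincfg.scr file name come from the posts.

```python
import re

# Constructed sample in REGEDIT4 export format (not taken from the thread).
# The key paths are assumptions; the thread only gives the entry name
# "Winsock2 driver" and says it appeared in two or three places.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winsock2 driver"="wincfg.scr"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Winsock2 driver"="WINCFG.SCR"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Winsock2 driver"="C:\\WINDOWS\\SYSTEM\\wincfg.scr"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                  # [HKEY_...\SubKey]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"="data" or @="data"


def unquote(token):
    """Strip surrounding quotes and undo the backslash escaping used in .reg files."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return re.sub(r'\\(.)', r'\1', token[1:-1])
    return token


def find_references(reg_text, needle):
    """Return (key, value name, data) for every value whose name or data mentions needle."""
    hits, key = [], None
    needle = needle.lower()  # file names on Windows are case-insensitive
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = '(Default)' if m.group(1) == '@' else unquote(m.group(1))
            data = unquote(m.group(2))
            if needle in data.lower() or needle in name.lower():
                hits.append((key, name, data))
    return hits


if __name__ == '__main__':
    for key, name, data in find_references(SAMPLE_EXPORT, 'wincfg.scr'):
        print(f'{key}\n    {name} = {data}')
```

Scanning an export rather than searching by hand in regedit makes it harder to miss an entry that differs only in case or uses a full path.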
 