webdav.exe, msconfig32, shutdown = virus?

rainypickles

Senior member
Dec 7, 2001
Hey all. I was using my computer tonight, and all of a sudden this appears (WinXP Pro):

http://fox302.com/index.pl?s=vf&user=sunny&category=images&file=error.gif

It gave me a minute to shut down my programs. I closed everything and took a screenshot.

When it rebooted, everything seemed fine until I tried to open the Task Manager. When I did Ctrl-Alt-Del, the Task Manager would appear and disappear really quickly. No matter how many times I did it, it would do that. I noticed that "msconfig32.exe" was running in the processes.

I tried running msconfig (Start -> Run), but that would appear and disappear like that. So would regedit.

I then opened the Task Manager, quickly used the arrow keys to move to msconfig32 and pressed Alt-E to end the process. Once I did that, it stayed open. msconfig works now. regedit works now.

I found two files that were suspicious: msconfig32 in the windows/system directory, which was hidden, and a file webdav.exe in my Startup folder (the file itself, not a shortcut). They are both the same size (23.5 KB (24,064 bytes)) and were modified at the same time.

I searched for these files on Google and didn't find anything, and nothing on the MS support site either. My AV program didn't find anything.

I was just wondering if this had happened to anyone before or if anyone knew what was up. Thanks!
 

ClueLis

Platinum Member
Jul 2, 2003
msconfig32 is a system file that is supposed to be there.

As for webdav.exe, this seems to indicate that webdav is a legit file, but that there is a minor security hole in it.

My guess it that neither of these are the problem, but I'm afraid I can't say what is.
 

rainypickles

Senior member
Dec 7, 2001
So I guess I'll apply the patch to rid myself of the vulnerability. Should I send these files to someone or to a virus-checking place or something? Anyone have a web page where I can submit them? Or would nobody care because it's not really a virus?
 

Yes, you should patch your system. Security people already know about the kraylor webdav trojan you received.
 

PlatinumGold

Lifer
Aug 11, 2000
I got this email from another member who is currently on aol.

I am trying to post a response to this thread http://forums.anandtech.com/messageview.cfm?catid=33&threadid=1109322&FTVAR_MSGDBTABLE= @ AnandTech and I can't register because I have an AOL email address. I tried to find someone who looked like a moderator and couldn't find anyone, so I went with the first member email address I could find. Got yours from this post http://forums.anandtech.com/messageview.cfm?catid=33&threadid=992058&STARTPAGE=2 . Anyway, rainypickles from the webdav thread needs to check and make SURE that the msconfig32 that he saw is not actually msconfig35. I had exactly what he described happen to me, and whoever tried to break in apparently left a Coreflood worm behind. msconfig35 was running and not allowing me to access msconfig32, regedit, or the Task Manager. Went to 3 different virus scans (Panda, PCPitstop, and McAfee, as I have no virus scanner on my comp); the first two found nothing, only McAfee was able to find the trojan. If he does not have a virus scanner he will need to restart in Safe Mode and manually delete the offenders. Thanks!

Basically, the virus renames msconfig32 to msconfig35 and that's why the virus scans aren't cleaning your system.

I think that's what he's saying.

Hope this helps.

If you have any questions you can email him at MRWEWIII@aol.com
 
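The symptoms the posters describe (a look-alike process closing Task Manager, msconfig and regedit; a hidden executable in the system directory; a real executable rather than a shortcut in the Startup folder; two files with identical size and timestamp; a renamed msconfig35 variant) can be checked for mechanically. The script below is an added triage example written for this page, not code from the thread or from any vendor. The file names msconfig32.exe, msconfig35.exe and webdav.exe are the ones reported in the thread; the directory list, the extension list, the output layout and the PowerShell 4+ requirement (for Get-FileHash) are assumptions of this example. Run it from an elevated prompt.

```powershell
# Added triage example, not code from the thread. Indicator names come from the posts;
# directories, extension list and output shape are assumptions of this example. PS 4+.

$Indicators  = @('msconfig32.exe', 'msconfig35.exe', 'webdav.exe')
$LegitTools  = @('taskmgr.exe', 'msconfig.exe', 'regedit.exe')     # tools the malware kept closing
$SystemDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\System")
$StartupDirs = @([Environment]::GetFolderPath('Startup'),           # per-user Startup folder
                 [Environment]::GetFolderPath('CommonStartup'))     # all-users Startup folder
$Findings    = New-Object System.Collections.Generic.List[object]

function New-Finding([string]$Kind, [string]$Path, [string]$Detail) {
    [pscustomobject]@{ Finding = $Kind; Path = $Path; Detail = $Detail }
}

# 1. Running processes: an indicator name, or a system tool running from outside %SystemRoot%.
foreach ($p in Get-CimInstance Win32_Process) {
    $name = $p.Name.ToLower()
    if ($Indicators -contains $name) {
        $Findings.Add((New-Finding 'indicator process' $p.ExecutablePath "PID $($p.ProcessId)"))
    } elseif (($LegitTools -contains $name) -and $p.ExecutablePath -and
              ($p.ExecutablePath -notlike "$env:SystemRoot\*")) {
        $Findings.Add((New-Finding 'system tool from unexpected path' $p.ExecutablePath "PID $($p.ProcessId)"))
    }
}

# 2. Real executables (not .lnk shortcuts) dropped directly into a Startup folder.
$RunExt = @('.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js')
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    $files = Get-ChildItem -Path $dir -Force |
        Where-Object { -not $_.PSIsContainer -and ($RunExt -contains $_.Extension.ToLower()) }
    foreach ($f in $files) {
        $Findings.Add((New-Finding 'executable in Startup folder' $f.FullName "$($f.Length) bytes, modified $($f.LastWriteTime)"))
    }
}

# 3. Hidden executables in the system directories, and "twins": files with identical size and
#    timestamp in different directories, the clue the original poster noticed.
$exes = foreach ($dir in ($SystemDirs + $StartupDirs)) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.exe' }
    }
}
foreach ($f in $exes) {
    if ($f.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and ($SystemDirs -contains $f.DirectoryName)) {
        $Findings.Add((New-Finding 'hidden exe in system directory' $f.FullName "$($f.Length) bytes, modified $($f.LastWriteTime)"))
    }
}
foreach ($g in ($exes | Group-Object -Property Length, LastWriteTime)) {
    $dirs = @($g.Group | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique)
    if ($g.Count -gt 1 -and $dirs.Count -gt 1) {
        foreach ($f in $g.Group) {
            $Findings.Add((New-Finding 'same size and timestamp as a file in another directory' $f.FullName "$($f.Length) bytes, modified $($f.LastWriteTime)"))
        }
    }
}

# 4. Hash everything flagged so the files can be submitted to an AV vendor or multi-engine scanner.
foreach ($item in $Findings) {
    if ($item.Path -and (Test-Path -LiteralPath $item.Path)) {
        $hash = (Get-FileHash -LiteralPath $item.Path -Algorithm SHA256).Hash
        $item | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash
    }
}
$Findings | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner would want: malware that closes Task Manager by window title or process name can do the same to the console you run this from, so if the window vanishes, run the checks from Safe Mode or from a clean boot medium with the disk mounted, as the emailed advice in the thread suggests. The SHA256 column is there so the files can be submitted to a scanner without mailing the executables around; a detection name such as the W32.Spybot one reported later in the thread is only meaningful once the vendor's definitions actually include the sample.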

igowerf

Diamond Member
Jun 27, 2000
You were very considerate not to release the name of the unfortunate member stuck using AOL. :p
 

de8212

Diamond Member
Jan 2, 2000
Any ideas on how to get rid of this? Someone called me today and read off this exact error message. I had no idea what it was.

 

rainypickles

Senior member
Dec 7, 2001
Thanks to the AOL dude for the suggestion =)

I updated my Norton AV definitions and it caught both webdav and msconfig32 as W32.Spybot.Worm (or something). No other files were infected, so it looks like I just got a "harmless" strain. Lucky it made me patch my system.