Security Incidents mailing list archives

infection?


From: Night M0de <nightm0de () HOTMAIL COM>
Date: Wed, 27 Dec 2000 11:32:00 -0000

hiya.
Recently I have had to install the Microsoft patch for disabling ActiveX
controls from websites, and just to be on the safe side I downloaded the Cleaner
and ran it. I got a very weird log entry/error:

c:\windows\TEMP\tc$1924\Compiled.exe
PROBLEM: Could not scan this file.  Error Code = 5
SOLUTION: Inspect the file manually or ask for help.
      AND
c:\windows\TEMP\tc$1924\Server.exe
PROBLEM: Could not scan this file.  Error Code = 5
SOLUTION: Inspect the file manually or ask for help.

The thing is, there is no c:\windows\TEMP\tc$1924 file (there are tc$1013,
tc1247, up to tc$1964, but no tc$1924), and there is no server.exe or
compiled.exe. I made sure "show all files" was checked and also used the Find
utility.

When checking my .ini files, in the win.ini file I saw:
run=C:\windows\options\systools\cyxid98.exe

I searched the web for information on cyxid98.exe, including Microsoft's site.
I found nothing on that file. I am assuming that I am infected.

My firewall doesn't show any suspicious activity (although a couple of days
ago I was getting a couple of scans [or I assumed they were scans] on port
27374 (I think); I researched the port and found it was a Sub7 port). The
(attacker?) was spoofed.

An alarming registry entry in CurrentVersion\Run shows:
IEMicrosoft     C:/Windows/class011784dll.exe

This is a very alarming key in my experience.

Now let's just say the (attacker?) wasn't scanning, he was actually connecting
on 27374, which is commonly used by Sub7. If I were infected by Sub7 then the
Cleaner should, in theory, have found it. So I am assuming (not safely) that I'm
not infected with Sub7. Something else.

Before I take the C:\windows\options\systools\cyxid98.exe out of the
run=C:\windows\options\systools\cyxid98.exe line in win.ini and delete the key
C:/Windows/class011784dll.exe from the registry, I just thought I would
check here and see if anyone has any information they could share about this
problem.

Sorry for the long (boring?) message, but I just wanted to include all the info
I could. Thanks for your time!
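As an added illustration, not part of the original post or of any product it mentions, the two autostart locations the poster inspected by hand (the run=/load= lines of win.ini's [windows] section and the CurrentVersion\Run registry key) can be enumerated and screened with a short script. The sample win.ini text and Run values below are constructed to mirror the entries quoted above; the list of expected directories and the naming heuristics (runs of digits in the file name, an .exe whose name ends in "dll") are assumptions of this example, not rules stated in the post. The live registry read at the bottom uses the standard winreg module and is skipped where it is unavailable.

```python
import re
from typing import Dict, List

# Constructed sample of win.ini (not taken from the poster's machine); the run=
# line has the same shape as the one quoted in the post.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\windows\\options\\systools\\cyxid98.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed sample of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# values; the second pair mirrors the entry quoted in the post.
SAMPLE_RUN_KEY: Dict[str, str] = {
    "SystemTray": "SysTray.Exe",
    "IEMicrosoft": "C:/Windows/class011784dll.exe",
}

# Assumption of this example: directories from which a Windows 9x-era autostart
# program is normally expected to run (compared case-insensitively, exact match).
EXPECTED_DIRS = {"c:\\windows", "c:\\windows\\system"}


def parse_win_ini_autostart(text: str) -> List[str]:
    """Return the programs named on the load= and run= lines of [windows].

    Several programs may be listed separated by commas; splitting on spaces is
    deliberately avoided so that paths containing spaces survive intact.
    """
    entries: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # new section header
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("load", "run"):
            entries.extend(p.strip() for p in value.split(",") if p.strip())
    return entries


def assess_entry(command: str) -> List[str]:
    """Return the reasons an autostart entry looks worth a manual inspection."""
    reasons: List[str] = []
    norm = command.replace("/", "\\").lower()   # registry data may use '/'
    name = norm.rsplit("\\", 1)[-1]
    base = name[:-4] if name.endswith(".exe") else name
    if "\\" in norm:                             # only check a directory if one is given
        directory = norm.rsplit("\\", 1)[0]
        if directory not in EXPECTED_DIRS:
            reasons.append("runs from an unusual directory")
    if re.search(r"\d{2,}", base):
        reasons.append("basename contains a run of digits")
    if base.endswith("dll"):
        reasons.append("name mimics a DLL but is an .exe")
    return reasons


def review_autostarts(win_ini_text: str, run_key: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged autostart entry (with its source) to its reasons."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_win_ini_autostart(win_ini_text):
        reasons = assess_entry(entry)
        if reasons:
            findings[f"win.ini: {entry}"] = reasons
    for value_name, command in run_key.items():
        reasons = assess_entry(command)
        if reasons:
            findings[f"Run\\{value_name}: {command}"] = reasons
    return findings


def read_live_run_key() -> Dict[str, str]:
    """Read the real HKLM Run key on Windows; return {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break                          # no more values
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    for where, why in review_autostarts(SAMPLE_WIN_INI, SAMPLE_RUN_KEY).items():
        print(where, "->", "; ".join(why))
```

Run against the constructed samples, the script flags both entries the poster worried about and leaves the ordinary SysTray.Exe value alone; the point of the heuristics is to shortlist entries for manual inspection, not to decide on their own that a file is malicious.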
