Security Incidents mailing list archives
infection?
From: Night M0de <nightm0de () HOTMAIL COM>
Date: Wed, 27 Dec 2000 11:32:00 -0000
Hiya. Recently I have had to install the Microsoft patch for disabling ActiveX controls from websites, and just to be on the safe side I d/led The Cleaner and ran it. I got a very weird log entry/error:

    c:\windows\TEMP\tc$1924\Compiled.exe
    PROBLEM: Could not scan this file. Error Code = 5
    SOLUTION: Inspect the file manually or ask for help.

AND

    c:\windows\TEMP\tc$1924\Server.exe
    PROBLEM: Could not scan this file. Error Code = 5
    SOLUTION: Inspect the file manually or ask for help.

The thing is, there is no c:\windows\TEMP\tc$1924 file (there are tc$1013, tc1247, up to tc$1964 but no tc$1924) and there is no server.exe or compiled.exe. I made sure "show all files" was checked and also used the Find util.

When checking my .ini files, in the win.ini file I saw run=C:\windows\options\systools\cyxid98.exe. I searched the web for information on cyxid98.exe, including Microsoft. I found nothing on that file. I am assuming that I am infected.

My firewall doesn't show any suspicious activity (although a couple of days ago I was getting a couple of scans [or I assumed they were scans] on port 27374 (I think), and I researched the port and found it was a sub7 port). The (attacker?) was spoofed.

An alarming registry entry in current version/run shows:

    IEMicrosoft C:/Windows/class011784dll.exe

This is a very alarming key in my experience.

Now let's just say the (attacker?) wasn't scanning, he was actually connecting on 27374, which is commonly used by sub7. If I were infected by sub7 then The Cleaner should have in theory found it. So I am assuming (not safely) that I'm not infected with sub7.

Something else. Before I take the C:\windows\options\systools\cyxid98.exe out of the run=C:\windows\options\systools\cyxid98.exe in win.ini and delete the key C:/Windows/class011784dll.exe from the registry, I just thought I would check here and see if anyone has any information they could share about this problem. Sorry for the long (boring?) message but just wanted to include all the info I could.
Thanks for your time!
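
The manual win.ini check described in the message above, as an added example that is not part of the original post: a small Python parser that lists the programs started by run= and load= lines in the [windows] section. The sample file is constructed around the one run= line quoted in the post; the load= key handling, the known_good list and the comma/space splitting of multiple entries are assumptions of the example.

```python
import re

# Constructed sample built around the run= line quoted in the post; the
# other keys and the second section are made up for the example.
SAMPLE_WIN_INI = r"""
[windows]
load=
run=C:\windows\options\systools\cyxid98.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

AUTOSTART_KEYS = {"run", "load"}  # [windows] keys that launch programs at startup


def winini_autostart(text):
    """Return (key, command) pairs from the [windows] section of a win.ini."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue  # same key names in other sections do not autostart
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in AUTOSTART_KEYS:
            continue
        # Assumption: several programs on one line are split by commas or spaces.
        entries.extend((key, cmd) for cmd in re.split(r"[,\s]+", value.strip()) if cmd)
    return entries


def unexpected(entries, known_good):
    """Entries not on a caller-supplied known-good list (case-insensitive)."""
    allow = {item.lower() for item in known_good}
    return [(key, cmd) for key, cmd in entries if cmd.lower() not in allow]


if __name__ == "__main__":
    for key, cmd in unexpected(winini_autostart(SAMPLE_WIN_INI), known_good=[]):
        print(f"win.ini {key}= starts {cmd}")
```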