-
December 5th, 2004, 03:55 PM
#1
Junior Member
Worm exploited system
Hello:
I am running XP with nav, spybot, th, adaware, and cyberscrub. I got a worm entitled "I-Worm 97.teocatl"....it was removed but not before erasing everything in my documents. In addition, I have been unable to find out any information on it.
My problem is that 2 folders are created in My Documents - neither has a name, just random letters - and there is nothing in them. I delete them, but when I restart the computer, there they are again.
Here is the HijackThis log:
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jay\Desktop\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Post To &WP : Right Journal - javascript:doc=external.menuArguments.document;Q=doc.selection.createRange().text;void(btw=window.open('http://rightjournal.com/wp-admin/bookmarklet.php?text='+escape(Q)+'&trackback=1&pingback=1&popupurl='+escape(doc.location.href)+'&popuptitle='+escape(doc.title),'bookmarklet','scrollbars=no,width=480,height=590,left=100,top=150,status=yes'));btw.focus();
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
-
December 5th, 2004, 05:35 PM
#2
If you don't know what exactly ieSpell is, get rid of it......
Further.... That script has got to go (O8 - Extra context menu item: Post To &WP : Right Journal - javascript:doc=external.menuArguments.document.......), unless you know exactly what it is...... The rest looks fine, but that doesn't mean it is. Get rid of ieSpell and the script and see what happens.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
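Added example (not from the thread): a small Python script that parses HijackThis O4 and O8 lines like those posted above, lists the autostart entries by registry hive, and flags any context-menu item whose target is a javascript: or vbscript: URL, the kind of entry the reply above says has to go. The sample lines are constructed from the posted log (with the bookmarklet shortened), and the function names are mine.

```python
import re

# Constructed sample lines modelled on the HijackThis output posted above
# (not the original log verbatim; the O8 bookmarklet is shortened).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Post To &WP : Right Journal - javascript:doc=external.menuArguments.document;void(window.open('http://rightjournal.com/wp-admin/bookmarklet.php'));
"""

# URL schemes that run code inside the browser when the menu item is clicked.
SCRIPT_SCHEMES = {"javascript", "vbscript"}

def parse_entries(log_text):
    """Split a HijackThis log into (section, body) pairs; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = re.match(r"^([ORFN]\d+) - (.*)$", line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def run_keys(log_text):
    """Return the O4 autostart entries as (hive, value name, command)."""
    out = []
    for section, body in parse_entries(log_text):
        if section == "O4":
            m = re.match(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$", body)
            if m:
                out.append((m.group(1), m.group(3), m.group(4)))
    return out

def script_context_menu_items(log_text):
    """Return names of O8 context-menu items whose target is a script URL."""
    flagged = []
    for section, body in parse_entries(log_text):
        if section != "O8":
            continue
        m = re.match(r"^Extra context menu item: (.*?) - (\S.*)$", body)
        if m and m.group(2).split(":", 1)[0].lower() in SCRIPT_SCHEMES:
            flagged.append(m.group(1))
    return flagged

if __name__ == "__main__":
    for hive, name, cmd in run_keys(SAMPLE_LOG):
        print(f"autostart {hive} [{name}] -> {cmd}")
    for name in script_context_menu_items(SAMPLE_LOG):
        print(f"script-backed context menu item: {name}")
```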
-
December 5th, 2004, 05:57 PM
#3
The I-Worm 97 and its variants were/are used to damage/erase databases. The "97" refers to its roots as a macro-virus that attacked Word 97 and the other MS Office 97 software such as Excel, Access, etc.
Connection refused, try again later.
-
December 7th, 2004, 02:40 AM
#4
Banned
I tell this to other people, and I accept all offensive remarks. Norton isn't the best antivirus to use, for it has some bugs in it that will cause you problems. I had Norton System Security and it would reboot my comp without warning every 5 minutes or so. I miss the old Thunderbyte AV years ago. Things changed so much.
-
December 7th, 2004, 03:49 AM
#5
I guess this is for Karmine?
/humour?
i miss the old thunderbyte AV years ago
It was a cold winter's morning in early 2000...........the Millennium Bug had failed to strike...but I had just scored $6580 bonus for "being on duty".............the local publican, an excellent gentleman from the county Roscommon (Republic of Ireland) met me after Mass (a Christian religious thingy)........we went to his house, where I examined the contents of his kids' computer (and a bottle of straight malt)
All sorts of stuff had happened.............................shrunk window, proggies would not run........
It turned out that his 1996 version of Thunderbyte was running in the background, and killing anything with a year 2000 date!!!
I think that Norton bought Thunderbyte?
/end
I think that Karmine is an old fart like me?...........probably uses 80-column punch cards instead of Post-it notes?