super_si

500+ attacks since 10am.
The Remote + Local host is my IP.
So am i infected already?
What action should be taken?

thanks for any info

Si

Fatman

Can you check whether you have this in your registry...?

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run] "kernel16"="C:\\WINDOWS\\kernel16.exe"

I've not found much on the Web so far about this, but got the above from this site. It says:"...Transscout 1.1 +1.2... Copies to c:\windows\kernel16.exe..." i.e. suggesting that the kernel16.exe is the trojan executable.

I'll keep looking around...

Fatman

OK - this is fairly suggestive that the kernel16.exe binary is the trojan. I'd say - delete the above registry entry and the .exe and you'll be good to rock'n'roll.

Check also for kernel16.dl* as well as this NT Security article mentions a SubSeven trojan using the same file name.

super_si

Alrite mate , cheers for this.

But there is no Kernel16 in that folder im afraid.

Si

Jye_0

download 'Swatit' Si, good free trojan and bot remover, ps its not me

super_si

Thanks

Jye_0

Let us know how ye get on, hate script kiddies mesel like

super_si

Its just scanning at the moment. Off to clear the snow off the drive so might be done by the time im back.

Cheers


Si

super_si

NT Rebooter - C:\WINNT\Temp\~GL_2753.EXE


that what it found

Jye_0

Hmmm, nasty, least it found it, u really gotta stop dl'in that **** off Kazza Si

super_si

nope up to 602 now mate! Still there the damm thing

Jye_0

Did you update the definitions in Swatit and are you on a lan just looked at the IP and it looks like yer lan to me?

[Edited by Jye_0 - 1/31/2003 12:28:58 AM]

super_si

967 now, I am on a lan mate. ive 4pcs off the router.

Ill update it later got things to do.

Si