Help, I'm being attacked!
Hello boffins,
For some reason, a file keeps getting copied / installed to this location on my Win2000 machine:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\683e8586.exe
It also finds its way into the registry under HKLM/blah blah/RUN_ONCE under the value name sys1612188 and command line C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\683e8586.exe
Microsoft's antispyware blocks this registry key, but it also appears in HKEY_CURRENT_USER and runs! It can be stopped using the task manager. I've looked in the file using a hex editor, it's only 8k but there's a print, SOCK, RasEnum and MSVCRT.dll all mentioned in there. When it runs, there is initial network activity, and it seems to start up ntvdm.dll (and wowexec.dll). NAV is up to date and shows everything is clean. Any thoughts? The only thing I installed recently was a shareware/demo version of a winRAR unzipper. It has since been uninstalled.
Originally Posted by Jiggerypokery
Hello boffins,
For some reason, a file keeps getting copied / installed to this location on my Win2000 machine. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\683e8586.exe When it runs, there is initial network activity, and it seems to start up ntvdm.dll (and wowexec.dll).

Have you tried to "roll back"?
Actually it looks worse than I thought....
The mere mention of RasEnum and MSVCRT.dll screams out to me that you have a virus infection. The .dll is a Visual Basic entry and rasenum collects data from your address book. Hhhhmmmmm. Opened any strange emails about Anna Kournikova recently? I just don't get why your AV program doesn't pick up on it.
Originally Posted by Milamber
Actually it looks worse than I thought....
The mere mention of RasEnum and MSVCRT.dll screams out to me that you have a virus infection. The .dll is a Visual Basic entry and rasenum collects data from your address book. Hhhhmmmmm. Opened any strange emails about Anna Kournikova recently? I just don't get why your AV program doesn't pick up on it.

I might try copying the file to another machine with WinXP and McAfee to see if it picks it up. I'm also running ad-aware which shows nothing out of the ordinary.
Go here www.webimmune.net and submit the file.
McAfee doesn't detect it either :(
Hopefully it won't come back with the firewall installed.
Will they get back to me, or is it a black hole?
They'll get back to you.
Hello Jack,
I received an update for McAfee in the form of a dat file, which detects this file, but I can't use McAfee on my main machine as it interferes with another program which needs to access a remote network. Sygate firewall tells me the file is trying to access www.google.com (216.239.59.104) using remote port 80. Any thoughts on why it would want to do this? Thanks.
Originally Posted by Jiggerypokery
Hello Jack,
I received an update for McAfee in the form of a dat file, which detects this file, but I can't use McAfee on my main machine as it interferes with another program which needs to access a remote network. Sygate firewall tells me the file is trying to access www.google.com (216.239.59.104) using remote port 80. Any thoughts on why it would want to do this? Thanks.
Probably searching for new addresses to infect from your machine.
Originally Posted by Nicks VR4
What does McAfee report it as ???

Proxy-Agent is very old so can't see why ????????????
Depends on the variant Nick, .e was last week.