[Dshield] OT W2K/ME

Paul Marsh pmarsh at nmefdn.org
Wed Oct 8 20:35:44 GMT 2003


Off the top of my head I'm going to say no, the file's not there, but I'll
have to check later tonight.  The second scan I did was in Safe Mode so
I'm assuming the system is clean.

-----Original Message-----
From: Deb Hale [mailto:haled at pionet.net] 
Sent: Wednesday, October 08, 2003 04:23 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] OT W2K/ME



You don't by chance have a file on the hard drives that is
malware***.exe (where *** represents any digits, 0-9), do you? This is a
characteristic of Backdoor.Coreflood.dr (Symantec), which was new in
Sept.  I have seen this on a computer and it was reacting similarly to
what you are describing.

I had to boot the computer in safe mode and do a virus scan to finally
get rid of all of the residual junk from it.  One thing that I had to do
was unregister a file (don't remember the name of the file :(- ) in
order to stop an error that the registered program had trouble loading
(not exact message!).

Just a thought.


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Paul Marsh
Sent: Wednesday, October 08, 2003 1:08 PM
To: list at dshield.org
Subject: [Dshield] OT W2K/ME


Sorry for the off topic question but I'm starting to think the problem
might have to do with leftovers from a virus or spyware.

So far I've seen two systems with the same following problem.

Every time the system boots My Documents opens in Explorer. I've checked
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and found nothing and
RunOnce found nothing. Nothing in Startup, ran msconfig and found
nothing. Prior to this problem both systems have had Norton 2003
installed and full system scans done with up to date Defs. Both systems
were found to be infected with Backdoor.Coreflood. I've also run SpyBot
and cleaned up a bunch of stuff.

I did read last night something about (I hope I get this right)
DiDer.exe, more spyware stuff that could have created a second
Explorer.exe, but can't seem to find anything on the system that would
point to that.

Anyone have any ideas?

Thanx, Paul

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list


