| Thread ID: 45239 | 2004-05-15 03:17:00 | internet connection | wendy (5057) |
| Post ID | Timestamp | Content | User | ||
| 236745 | 2004-05-18 12:23:00 | Wendy - you have a worm. See this from Symantec :- To remove this worm: Update the virus definitions, run a full system scan, and delete all files that are detected as W32.Wotron.Worm. If the worm has run, restore the value in the registry key HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command to "%1" %* This worm creates a file wininet.exe, which is what you detected. |
TonyF (246) | ||
| 236746 | 2004-05-18 12:26:00 | I think this is a different beastie Tony. wininet32.exe rather than plain old wininet.exe. I'd be glad to be wrong though. Cheers Murray P |
Murray P (44) | ||
| 236747 | 2004-05-18 12:34:00 | > I think this is a different beastie Tony. > wininet32.exe rather than plain old wininet.exe Herewith a bit more from Symantec... Maybe we are getting warm ... If W32.Wotron.Worm is executed, it does the following: It copies itself as %System%\Wininet.exe. If the password-stealing component was enabled, it creates the following files: \%System%\Sysd.dll \%System%\Exelib.dll Also, if the password-stealing component was enabled, the worm sends passwords that it finds on the infected computer to the worm's creator. The file that contains the stolen passwords is Exelib.dll. In the registry key HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command it changes the (Default) value to %System%\wininet.exe"%1" %* This causes the worm to run when you attempt to run an .exe file. The worm can also be configured to stop personal firewall and antivirus programs, and to display a message the first time that it is run. Cheers tony |
TonyF (246) | ||
| 236748 | 2004-05-19 05:31:00 | Thanks Murray, Stu, Susan, it's all too complicated for me now, I will turn it over to the professionals. Thanks anyway | wendy (5057) | ||
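Added example, not part of the thread or of Symantec's write-up: a check of the exefile open-command value discussed above, reporting whether it is the clean `"%1" %*` or has a program placed in front of it. The function names, the constructed sample and the assumed `reg query ... /ve` output layout (default value shown as `(Default)` or `<NO NAME>`) are assumptions of this example.

```python
import re

KEY = r"Software\Classes\exefile\shell\open\command"   # under HKEY_LOCAL_MACHINE
CLEAN = '"%1" %*'                  # value the Symantec text says to restore

def classify(value):
    """Return ("clean", None), ("hijacked", program) or ("unknown", value)."""
    v = " ".join(value.split())                  # tolerate stray whitespace
    if v == CLEAN:
        return ("clean", None)
    # Hijack shape quoted in the thread: a program placed in front of "%1" %*
    m = re.fullmatch(r'(.+?)\s*"%1"\s*%\*', v)
    if m:
        return ("hijacked", m.group(1).strip('" '))
    return ("unknown", value)

def default_from_reg_query(text):
    """Pull the default value out of saved `reg query <key> /ve` output."""
    m = re.search(r"^\s*(?:\(Default\)|<NO NAME>)\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$",
                  text, re.M)
    return m.group(1) if m else None

def read_live():
    """Read the value on the local machine (Windows only)."""
    import winreg                                # imported here so the rest runs anywhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as k:
        return winreg.QueryValueEx(k, "")[0]     # "" selects the (Default) value

# Constructed sample: saved query output carrying the hijacked value exactly
# as it is quoted in the post above.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
    (Default)    REG_SZ    %System%\wininet.exe"%1" %*
'''

if __name__ == "__main__":
    print(classify(default_from_reg_query(SAMPLE)))
```

On a Windows machine, `classify(read_live())` checks the live value; anything other than "clean" means the program named in the result runs every time an .exe is launched.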