remove doomjuice.b ???


Karen

NOTE: This message was sent thru a mail2news gateway.
No effort was made to verify the identity of the sender.
--------------------------------------------------------

Stephen,

Thanks (reply inside quotes)
You got Doomjuice because you had MyDoom. I think you got caught out cos it
moved fast! in some cases faster than the updates!

Not sure I had MyDoom unless the doomjuice.b only installs when MyDoom is
present. The Kerio block seemed to work for those ports as netstat showed
no activity on them (I've a dialup)
Here is a link to the MyDoom removal tool,
http://www.bitdefender.com/html/free_tools.php

Thanks. D/l'd and ran and showed no trace of mydoom. I did manage to get
rid of that doomjuice.b registry entry though using TDS3. The normal
"right click/delete" option did not seem to have any effect as I'd
mentioned it kept popping up again. There is a manual cntl/A that shows
all startup files and I found the entry that ran "nerocheck" blah blah,
deleted it and now TDS3 runs clean. So I think I've gotten rid of it.

This morning got hit with swen and Nod32 found and I deleted it. I'm
hesitant to put spam block on ISP as it may block some things that I need.
I use Thunderbird and have occasionally found that it marks as spam emails
from people that are newly known, but whom I need to communicate with.

Thanks again,

Karen
Also I have some background info cut n pasted below.

Keeping your scanner updated is important and via your ISP use filters for
the spam.
Also starting your pc in safemode and then try the scan helps in many cases.


Name: Win32.Mydoom.B@m (Win32.Novarg.B@mm)
Aliases: I-Worm.Mydoom.b, W32/Mydoom.b@MM, W32/MyDoom-B
Type: Executable Backdoor Mass Mailer
Size: 29184 bytes, 5632 bytes
Discovered: 28.01.2004
Detected: 28.01.2004
Spreading: Low
Damage: Medium
In The Wild: Unknown

Symptoms:
The following files in the Windows System folder (%SYSDIR%):
EXPLORER.EXE
CTFMON.DLL

The following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
Explorer = %SYSDIR%\EXPLORER.EXE

Activity on ports 1080 or 10080 and 3127.



Technical description:
This is an internet worm that spreads through e-mail and file sharing
programs and has backdoor capabilities.

It also tries to infect computers in the local network already infected by
the former variant of the worm, by using the backdoor already installed on
port 3127.

The e-mail arrives in the following format:

From:
A random text or an address with one of the following domains:
a. aol.com
b. msn.com
c. yahoo.com
d. hotmail.com

Subject:
Randomly chosen from the following list:
a. Mail Transaction Failed
b. Unable to deliver the message
c. Status
d. Delivery Error
e. Mail Delivery System
f. hello
g. Error
h. Server Report
i. Returned mail

Body text:
A random text or one of the following:
a. test
b. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
c. sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received.
d. The message contains Unicode characters and has been sent as a binary attachment.
e. The message contains MIME-encoded graphics and has been sent as a binary attachment.
f. Mail transaction failed. Partial message is available.
etc etc

Stephen

I am in no way a prof in these matters so I advise you to check more
sources.



Karen said:
NOTE: This message was sent thru a mail2news gateway.
No effort was made to verify the identity of the sender.
--------------------------------------------------------

I run Nod32 and update it almost twice daily. Have firewall blocking ports
3127 through 3198 both for UDP and TCP both directions. I use TDS3
(updated daily) and it consistently comes up with I also use Reg Protect
that alerts me as to anything added to registry and unless installing a
pgm, nothing goes into it.
Scan Control Dumped @ 12:15:04 13-02-04
RegVal Trace: Worm.Doomjuice.b please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run
[NeroCheck=C:\WINDOWS\system32\NeroCheck.exe]

on a full scan. I delete this *())_%$#**% and on reboot appears again.
Can't get rid of the thing. Nod32 did catch 6 "mydoom" viruses in 3 days
primarily from spam but on my main account that I don't use for anything
but business.

How do i get rid of this thing?

I thought TDS3 and Nod32 were some of the best software for this stuff???
Nothing came up for this one.

Karen


~~~~~~~~~~~~~~~~~~~~~
If you consider the content of this post to be particularly offensive, disgusting or plain illegal,
it is probably 'designer abuse', a message designed specifically to hurt
the remailer's reputation/existence.
http://groups.google.com/groups?selm=6THHPRAL38002.4374074074@anonymous&oe=UTF-8&output=gplain
Some people hate this remailer so badly that, for example, they did not
hesitate to celebrate the death of 148 French tourists in a plane crash.
Those people seceded from the human race, so don't hesitate to report them directly to the police.
2004/01/03 (contact <[email protected]>) Blue.Jay celebrates
http://groups.google.com/groups?selm=Ymx1ZWpheQ==.19d787f018eb3019d6fd3faa2125547c%401073158846.cotse.net&oe=UTF-8&output=gplain
2004/01/19 <[email protected]> Len Sassaman chooses that moment to bring his support to Blue.Jay
http://groups.google.com/groups?selm=Pine.LNX.4.58.0401181826110.31463@thetis.deor.org&oe=UTF-8&output=gplain

More about the subject will be available http://frogadmin.yi.org/HOS/
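A defender-side check for the indicators listed in the pasted Mydoom.B description (the two files in %SYSDIR%, the Explorer Run value, the backdoor ports) and for the NeroCheck Run value that Karen's TDS3 trace flagged as Worm.Doomjuice.b. This is an added example, not code from the thread, BitDefender, TDS3 or Nod32. It assumes %SYSDIR% is C:\WINDOWS\system32 and works on a constructed snapshot (a dict of Run-key values, a %SYSDIR% file listing and netstat -an lines, the same netstat view Karen used), so it runs offline; the sample values are made up to resemble the host in the thread and the Kerio entry is a hypothetical benign one.

```python
"""Added example (not from the thread or any vendor tool): check a host
snapshot for the Mydoom.B indicators quoted in the thread, plus the
NeroCheck Run value TDS3 flagged as Worm.Doomjuice.b."""
import re

# Assumed %SYSDIR% for the constructed snapshot.
SYSDIR = r"C:\WINDOWS\system32"

# Indicators from the quoted Mydoom.B description.
MYDOOM_B_FILES = {"EXPLORER.EXE", "CTFMON.DLL"}   # in %SYSDIR%; the real Explorer lives in %WINDIR%
MYDOOM_B_RUN = ("Explorer", SYSDIR + r"\EXPLORER.EXE")
MYDOOM_B_PORTS = {1080, 10080, 3127}              # backdoor listeners
# Indicator from the TDS3 scan output pasted in the thread.
DOOMJUICE_B_RUN = ("NeroCheck", SYSDIR + r"\NeroCheck.exe")

# Matches a TCP line from Windows `netstat -an`, e.g.
#   TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def listening_ports(netstat_lines):
    """Local TCP ports in LISTENING state, parsed from netstat -an output lines."""
    ports = set()
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def check_snapshot(run_values, sysdir_files, netstat_lines):
    """Return (indicator, detail) findings for one host snapshot.

    run_values    -- HKLM\\...\\CurrentVersion\\Run value name -> data
    sysdir_files  -- file names found in %SYSDIR%
    netstat_lines -- raw lines of `netstat -an`
    """
    findings = []

    # File names on Windows are case-insensitive.
    present = {f.upper() for f in sysdir_files}
    for name in sorted(MYDOOM_B_FILES & present):
        findings.append(("Mydoom.B file", SYSDIR + "\\" + name))

    # Registry value names are case-insensitive; compare data without quotes.
    values = {k.lower(): v.strip('"') for k, v in run_values.items()}
    for label, (name, data) in (("Mydoom.B Run value", MYDOOM_B_RUN),
                                ("Doomjuice.B Run value", DOOMJUICE_B_RUN)):
        actual = values.get(name.lower())
        if actual is not None and actual.lower() == data.lower():
            findings.append((label, f"{name} = {actual}"))

    for port in sorted(MYDOOM_B_PORTS & listening_ports(netstat_lines)):
        findings.append(("Mydoom.B backdoor port", f"TCP {port} LISTENING"))

    return findings


# Constructed snapshot resembling the infected host in the thread (not a real capture).
SAMPLE_RUN = {
    "NeroCheck": r"C:\WINDOWS\system32\NeroCheck.exe",
    "Explorer": r"C:\WINDOWS\system32\EXPLORER.EXE",
    "Kerio": r"C:\Program Files\Kerio\persfw.exe",    # hypothetical legitimate entry
}
SAMPLE_SYSDIR = ["kernel32.dll", "ctfmon.dll", "explorer.exe", "NeroCheck.exe"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:10080          0.0.0.0:0              LISTENING",
    "  UDP    0.0.0.0:500            *:*",
]

if __name__ == "__main__":
    for indicator, detail in check_snapshot(SAMPLE_RUN, SAMPLE_SYSDIR, SAMPLE_NETSTAT):
        print(f"{indicator:24} {detail}")
```

On a real machine the three inputs would come from the Run key, a directory listing of %SYSDIR% and `netstat -an`; the check only reports the indicators the thread names, so a clean result is not proof of a clean host, which is the same caveat FromTheRafters raises about removal tools.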



FromTheRafters

Karen said:
NOTE: This message was sent thru a mail2news gateway.
No effort was made to verify the identity of the sender.
--------------------------------------------------------

Stephen,

Thanks (reply inside quotes)

Not sure I had MyDoom unless the doomjuice.b only installs when MyDoom is
present. The Kerio block seemed to work for those ports as netstat showed
no activity on them (I've a dialup)

Thanks. D/l'd and ran and showed no trace of mydoom.

You probably already know this, but...

Removal tools are not a good substitute for up-to-date
detection tools. A removal tool might not detect the one
(or in the case of ones like "stinger", thirtysomething) it
is looking for and convince you that you are not affected.