script invasion?

I just found a an odd word doc appearing on my desktop...
reftmp83084.doc
now that I think of it, I've had them before, but don't know why I considered them...well I didn't much, frankly, but this one:
I opened in word 2000 by simple double click (prorlly the least safe move!) and got gibberish, in my terms. So,
I opened in word via "recover any data" (or the like) option:
the attachment is the version I saved as a text file. When I changed filename back to doc exrension, Script Sentry piped up!
Within the text, I'm particularly concerned when reading:

script
Robots
"in real bits, urls get returned to our script like this:
// res://shdocvw.dll/http_404.htm#http://www. <my break> DocURL.com/bar.htm"
return text.replace
"href="http://www. <my break> microsoft.com/ContentRedirect."

Any insights, please!

looks like a source code for a web page....possibly the "page cannot be found". I don't know how it would have got on to your desktop without opening the source and saving it as a doc.

(when you're browsing click on "view" and then "source" and you'll see a similar code)

Davey if you have a concern re: evil bots lurking around a simple
test will reveal them.

A Quick & Easy Check for IRC Zombie/Bots If you have managed to read all the way through this lengthy and detailed adventure, I am sure you will agree that you do NOT want any of these nasty Zombies or their relatives running around loose inside your PC. Fortunately, it's quite easy to verify that your system is not currently infected by one of these IRC Zombie/Bots. All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667". Consequently, an active connection to an IRC server can be detected with the following command:
netstat -an | find ":6667"
Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED
. . . then the only question remaining is how quickly you can disconnect your PC from the Internet! A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:
netstat -an | find ":113 "
As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
. . . then it's probably time to pull the plug on your cable-modem! Note that a Windows IRC client program running in the PC will generate false-positive reports since these are tests for IRC client programs. So be sure to completely exit from any known IRC client programs BEFORE performing the tests above.

The above was taken froma very imformitive article on the grc
site, so it can be trusted. Try it out and see what you get.
beagle8 mm

5 more new similar files on the desktop since I just got home. Here are the file names the html codes and text within them:
reftmp19457.tmp

PHP Code:

---

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.ad-aware.net/error.htm">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at [url]www.hypergate.de[/url] Port 80</ADDRESS>
</BODY></HTML> 


---

reftmp37261.tmp

PHP Code:

---

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.ad-aware.net/error.htm">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at [url]www.hypergate.de[/url] Port 80</ADDRESS>
</BODY></HTML> 


---

reftmp33873.tmp & reftmp194821.tmp
these ones show no text content, and properties show then as zero filesize.
I am very concerned about this, obviously, and I'm concerned with whatever could be happening with reboots and even being online, of course, too! The sygate site mentioned in the texts I put in my restricted zone, for starters, but notice that there is mention of
port 80
a Lavasoft Adaware url,
"content.redirect"
"robot"
"script"
and more slimy looking stuff. What can I do? I've read Steve Gibson's site before and he recommends getting offline if something is detected as mentioned, but then what? I have run his tests before, but getting no hits thins time is not going to explain the contents of these files mysteriously appearing on my desktop - WHAT should I do?
TIA...

^

Been playing with any test sites or security sites regarding cross-site scripting ?? Your first one looks almost demo'ish

Have a look at http://proxy2.stealthedip.com/maniac/Texts/webinfo.txt for example

Here I was careful to link you to a text file :)

Not real sure about the ms word connection here though - I'd consider renaming the normal.dot template for a while at this point. Probably in C:\Program Files\Microsoft Office\Templates and just a precaution.

What do your startups look like?

I would be concerned to :-(((
Go here http://www.simplysup.com/tremover/
dld it. Has a 30 day Trial operational Trojan Remover

You didn't mention if you have ZoneAlarm, get it on.
Free one here http://www.zonelabs.com/store/content/home.jsp

Also to track these beasties load http://zonelog.co.uk/
this works in conjunction with zonealarm giving you access to
whois and tracking ISP #'s

I also see lavasoft reference here which is Ad-Aware I run adaware also but wondering why the reference. The .de I believe is site from overseas Germany perhaps.

Keep hunting & good luck. I will try a little hunting myself after I get some zzzzzzzz's

Originally posted by IMM
<who clearly rocks again!!>
I HOPED I'd here from you on this one, IMM - I think you'e right on the money...

>>Been playing with any test sites or security sites regarding cross-site scripting ??
YES!! (a few days ago)

>>Your first one looks almost demo'ish
like harmless now, you mean?

>>Have a look at http://proxy2.stealthedip.com/maniac/Texts/webinfo.txt for example
doing that now

>>Here I was careful to link you to a text file :)
that ws nice :)

>>renaming the normal.dot template
done - NORMAL.OLD

>>What do your startups look like?
whistle clean:

AVG (avgserv9 & av_cc)
ZA (+ mini log & t-vector)
S-Sentry
LPProfile
systray (gunna remove, just hadn't gotten to it yet)
Messengerplus (this has to be here, and I like it)

beagle8
>>Go here http://www.simplysup.com/tremover/
dld it.
checking it out shortly
>>ZoneAlarm
have it (2.6 WITH all the mailsafe extension coverage)

>>to track these beasties load http://zonelog.co.uk/
this works in conjunction with zonealarm giving you access to
whois and tracking ISP #'s
I haven't had a lot of luck with whois and the like - dopn't know how to read the results. I'll take a look at the page you've linked.

>>Ad-Aware - I run adaware also but wondering why the reference.
I dunno, but as you can see, it's in the text of those *.temp files, along with "redirect" etc :(

Thanks guys - gunna click your links and will update soon...

Renamed normal.dot to normal.old, the GRC.com site's check for "6667" and "113" came up clean, as did my AVG with new refs, housecall, Script Sentry in place and ZA with mailsafe plural extensions...
Although I'm not exactly clear how I set this problem in place (oh, but I know it was my fault, alright!), I think I'm going to be ok.
Thanks