#1
E-mail attachment virii clean-up
Hello all,

Yesterday I'd visited an old friend. He's running Win Me, with no AV/IDS/FW. His sister was checking her Hotmail a/c and downloaded & opened 2 attachments... Double extension, .txt........scr type. Ahem.

I'd only rocked up after the fact. Given that the laptop is not mine, there's not a whole lot I can do (brute format + OS upgrade was not an option); however, I took the following steps:

Wiped all unsolicited e-mail, all downloaded attachments, and all files created on disk within the last 24 hours. (Suspiciously many EXEs & DLLs in that lot, all the same size at that.)

(Web) port-scanned the machine. Even though no firewall is present, no services are listening on common high-numbered ports.

Seems to be working OK. Anything else that could be done (other than convincing people not to trust odd attachments, to have the latest AV etc., and to upgrade to a later OS)?

Interestingly, the Hotmail AV scanner did not detect anything in those e-mails.

Next step (today) will be to re-check any new file creations and clean the registry. (Easy part.) And try to convince my non-paranoid friends to use a later OS, AV, etc...

P.S. Sometimes malice can't happen without a little bit of stupidity from people who are normally intelligent. Then again, sometimes we see stupidity in manifestations of trust.
#2
Tom:

There is no such terminology as "virii". The plural of virus is viruses.

1) Download the following three items:

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory on drive C: (e.g., "C:\New Folder") or on the desktop (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder"). Download SYSCLEAN.COM and place it in that directory. Download the Trend pattern file by obtaining the ZIP file, for example lpt248.zip. Extract the contents of the ZIP file and place them in the same directory as SYSCLEAN.COM.

2) Update Adaware with the latest definitions.

3) If you are using WinME or WinXP, disable System Restore:
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm

4) Reboot your PC into Safe Mode.

5) Using both the Trend Sysclean utility and Adaware, perform a full scan of your platform and clean/delete any infectors/parasites found. (A few cycles may be needed.)

6) Restart your PC and perform a "final" full scan of your platform using both the Trend Sysclean utility and Adaware.

7) If you are using WinME or WinXP, re-enable System Restore and re-apply any System Restore preferences (e.g. HD space to use; suggested 400 ~ 600MB).

8) Reboot your PC.

9) If you are using WinXP, create a new Restore point.

* * * Please report back your results * * *

Dave
#3
I assume you ran an updated anti-virus scanner.

Also scan for spyware with Spybot or Adaware.

-------
Warren
For additional help, post in http://groups.msn.com/HelpforInterne...owsME/homepage
#4
On 15 Nov 2004 18:56:52 -0800, (Tom Kazanski) wrote:

> Hello all,
>
> Yesterday I'd visited an old friend. He's running Win Me, with no AV/IDS/FW. His sister was checking her Hotmail a/c and downloaded & opened 2 attachments... Double extension .txt........scr type. Ahem.

A file like "story.txt.scr" does not have a double extension. The extension is .SCR (the text after the RIGHTMOST dot). However, it does look like .TXT when Windows is lying to you about what's there ("hide common file extensions", a very bad decision for MS to make this the default).

> I'd only rocked up after the fact. Given that laptop is not mine, not a whole lot I can do (brute format + OS upgrade was not an option), however, took the following steps:
>
> Wiped all unsolicited e-mail, all downloaded attachments, and all files created on disk within last 24 hours. (Suspiciously many EXE & DLLs in that lot, all same size at that)

This is a good reason for avoiding Outlook Express. It shows messages in HTML, which allows malicious code to be run automatically (you don't even have to open an attachment). It seems to be less important, but it still helps to avoid Internet Explorer when possible. Try Firefox (http://www.mozilla.org/products/firefox/).

Note that at least one person I know thought you could turn HTML off by changing the "send messages" setting. That has NO effect on incoming messages.

> (web)Port scanned the machine - even though no firewall is present, no services are listening on common high numbered ports.

That would be common LOW numbered ports (0-1055). Also, this does not protect you from spyware (the XP firewall won't either).

There's another good port scanning service at https://www.grc.com/x/ne.dll?bh0bkyd2 . However, none of these will show vulnerability to OUTGOING connections (such as from spyware; Windows itself is a big offender here too).

> Seems to be working ok - anything else that could be done (other than convincing people to not trust odd attachments and have latest AV etc..., and upgrade to a later OS)

I listed a few others. Notice that the XP firewall is incoming-only, and provides much less protection than a good firewall.

> Interestingly, the hotmail AV scanner did not detect anything in those e-mails.

AV scanners often don't detect spyware (although it's still a good idea to use one). A firewall is still important.

> Next step (today) will be to re-check any new file creations and clean the registry. (Easy part) And try to convince my non-paranoid friends to use later OS,AV+etc...

And turn off the stupid "hide file extensions" setting (it's in "folder options").

> P.S. Sometimes malice can't happen without a little bit of stupidity from people who are normally intelligent. Then again, sometimes we see stupidity in manifestations of trust.

Both true. And in many cases the stupidity seems to be voluntary.

--
39 days until the winter solstice celebration
Mark Lloyd
http://notstupid.laughingsquid.com
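Two points raised in this thread lend themselves to a small triage script: Mark's observation above that Windows types a file by the text after the rightmost dot and then hides that extension by default, so "story.txt.scr" is listed as "story.txt", and Tom's observation in the original post that the infection left behind a batch of EXEs and DLLs created within the last 24 hours, all the same size. The Python below is an added example written for this page; it is not code from any of the posters or from the tools they mention. The extension lists are constructed for the example and are not exhaustive, and the "hidden extension" rendering assumes Explorer's default setting for registered file types.

```python
"""Attachment-extension and recent-file triage (added example for this thread).

Two checks:
  * is_masquerading(name): would Explorer's default "hide extensions for
    known file types" make an executable attachment look like a document?
  * size_clusters(entries): group recently created executables by byte size,
    the "many EXE & DLLs, all the same size" pattern from the original post.
"""
import os
import time
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Extensions Windows executes (or loads as code) on double-click.
# Constructed for this example; not an exhaustive list.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".dll", ".lnk",
}
# Extensions a user is meant to mistake the attachment for. Also constructed.
DOCUMENT_EXTS = {".txt", ".doc", ".rtf", ".pdf", ".jpg", ".jpeg", ".gif",
                 ".bmp", ".htm", ".html", ".mp3", ".zip"}


def true_extension(name: str) -> str:
    """The extension Windows acts on: everything after the RIGHTMOST dot of
    the file name, lower-cased. "story.txt.scr" -> ".scr"."""
    base = os.path.basename(name.replace("\\", "/"))
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def displayed_name(name: str, hide_known_ext: bool = True) -> str:
    """What Explorer shows. With the default "hide extensions for known file
    types" on, a registered extension is stripped from the display name, so
    "story.txt.scr" is listed as "story.txt"."""
    ext = true_extension(name)
    if hide_known_ext and ext and ext in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return name[: -len(ext)]
    return name


def is_masquerading(name: str) -> bool:
    """True when the real extension is executable and the visible remainder
    (after Explorer hides it, ignoring padding dots/spaces used to push the
    real extension out of view) ends in a document-like extension."""
    if true_extension(name) not in EXECUTABLE_EXTS:
        return False
    visible = displayed_name(name).rstrip(" .")
    return true_extension(visible) in DOCUMENT_EXTS


def recent_files(root: str, hours: float = 24.0,
                 now: Optional[float] = None) -> Iterator[Tuple[str, int, float]]:
    """Yield (path, size, ctime) for files under `root` whose st_ctime falls
    within the last `hours`. On Windows st_ctime is the creation time, which
    is what the original post filtered on; on POSIX it is the inode change
    time, so treat results there as "recently touched", not "created"."""
    cutoff = (time.time() if now is None else now) - hours * 3600.0
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.stat(path)
            except OSError:          # unreadable, or vanished mid-walk
                continue
            if st.st_ctime >= cutoff:
                yield path, st.st_size, st.st_ctime


def size_clusters(entries: Iterable[Tuple[str, int, float]],
                  min_count: int = 3) -> Dict[int, List[str]]:
    """Group executable files by exact byte size and keep groups of at least
    `min_count`. Worms that drop copies of themselves under several names
    produce exactly this: many EXE/DLL files, identical size, same day."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for path, size, _ctime in entries:
        if true_extension(path) in EXECUTABLE_EXTS:
            by_size[size].append(path)
    return {size: sorted(paths) for size, paths in by_size.items()
            if len(paths) >= min_count}


if __name__ == "__main__":
    import sys
    for sample in ("story.txt.scr", "story.txt........scr", "notes.txt", "setup.exe"):
        print(f"{sample!r:28} shown as {displayed_name(sample)!r:22} "
              f"masquerading={is_masquerading(sample)}")
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for size, paths in sorted(size_clusters(recent_files(root)).items()):
        print(f"{len(paths)} executables of {size} bytes created in the last 24h:")
        for p in paths:
            print("   ", p)
```

Run it with the drive root as the argument to reproduce the "files created in the last 24 hours" sweep from the original post, then inspect each cluster before deleting anything. The display setting Mark refers to is stored per user as the HideFileExt DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; 0 shows extensions, 1 (the default) hides them.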
#5
"Mark Lloyd" wrote in message ...

> Note that at least one person I know thought you could turn HTML off
> by changing the "send messages" setting. That has NO effect on incoming messages.

Set 'read' to plain text only; very simple.
#6
On Tue, 16 Nov 2004 11:38:03 -0800, "JAD" wrote:

> > Note that at least one person I know thought you could turn HTML off
> > by changing the "send messages" setting. That has NO effect on incoming messages.
>
> set 'read' to plain text only,,,, very simple

And off by default, so the lazy and unknowing majority won't be using this. I'd be more likely to know that if I'd used OE regularly during the last 4 years or so.

--
39 days until the winter solstice celebration
Mark Lloyd
http://notstupid.laughingsquid.com
#7
You know, Mark, that is a good example of where things are going. The fact that you would rather have "defaults" set at the beginning of an installation that are conformed around your personal comfort is a way of saying "take care of me please, I don't want to be bothered with learning anything; I'll trust you to protect me", or maybe "take away whatever services are suspect and don't offer me any options". All in the name of security... and fear. Ignorance of how something works doesn't make that "something" at fault; as usual, let's point the finger elsewhere. You know that ad "Just do it"? The 2004 version should be "Just do it for me".
#8
Thanks all for your constructive posts.

Cleaned things up and got the latest AV on it. Now I'll just have to persuade the guy to actually *GET* XP SP2 with firewall. As I've noted in the original post, he's running Millennium :-( All the fun of installing XP... again. He'd better hike the RAM too while he's at it... 512 should do it. Unless he wants a new laptop. But that's going OT.

Forking out $$ for a new OS that really is rather similar is probably not the best "selling point", but heck, WinMe is no longer supported and XP SP2 is the most secure MS OS there is. Still, it's difficult to recommend getting XP when its license cost is actually comparable to the cost of buying a new laptop. E.g. yet another friend showed off his new toy last night: a new XP laptop with DVD burner, 512 RAM, 17in screen, etc., for $800. NEW, from the vendor.

Oh well.

Cheers
#9
"Mark Lloyd" wrote in message ...

> Notice that the XP firewall is incoming-only, and provides much less protection than a good firewall.
>
> Mark Lloyd

No, Mark. You're describing the old Internet Connection Firewall. The Windows Firewall in XP intercepts both incoming and outgoing traffic.

---JRC---
#10
"John R. Copeland" wrote:

> "Mark Lloyd" wrote:
>
> > Notice that the XP firewall is incoming-only, and provides much less protection than a good firewall.
> >
> > Mark Lloyd
>
> No, Mark. You're describing the old Internet Connection Firewall. The Windows Firewall in XP intercepts both incoming and outgoing traffic.
>
> ---JRC---

No it doesn't, and it doesn't to avoid lawsuits like what happened with Internet Explorer. Please do your research before you post false information.

Thanks
Alias