A Windows 98 & ME forum. Win98banter


E-mail attachment virii clean-up



 
 
  #1  
Old November 16th 04, 02:56 AM
Tom Kazanski

Hello all,

Yesterday I'd visited an old friend. He's running Win Me, with no
AV/IDS/FW. His sister was checking her hotmail a/c and downloaded &
opened 2 attachments... Double extension .txt........scr type. Ahem.

I'd only rocked up after the fact. Given that laptop is not mine, not
a whole lot I can do (brute format + OS upgrade was not an option),
however, took the following steps:

Wiped all unsolicited e-mail, all downloaded attachments, and all
files created on disk within last 24 hours. (Suspiciously many EXE &
DLLs in that lot, all same size at that)
(web)Port scanned the machine - even though no firewall is present, no
services are listening on common high numbered ports.

Seems to be working ok - anything else that could be done (other than
convincing people to not trust odd attachments and have latest AV
etc..., and upgrade to a later OS)

Interestingly, the hotmail AV scanner did not detect anything in those
e-mails.

Next step (today) will be to re-check any new file creations and clean
the registry. (Easy part) And try to convince my non-paranoid friends
to use later OS,AV+etc...

P.S. Sometimes malice can't happen without a little bit of stupidity
from people who are normally intelligent. Then again, sometimes we see
stupidity in manifestations of trust.
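
The triage described in the post above (files that appeared on disk in the last 24 hours, many of them EXE and DLL files of identical size), as an added example that is not part of the original post: a report-only Python script. It goes one step beyond the post by hashing the same-size files to confirm they are copies. It assumes modification time as a stand-in for creation time; the extension list, thresholds and function names are assumptions.

```python
import hashlib
import os
import time
from collections import defaultdict

SUSPECT_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}  # assumed list


def sha256_of(path):
    """Hash a file in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def recent_clones(root, hours=24, min_group=3, now=None):
    """Report recently written executables that share an identical size.

    Returns {size: {sha256: [paths]}} for every size shared by at least
    min_group files modified within the last `hours`. Nothing is deleted.
    """
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SUSPECT_EXTS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished file: skip it
            if st.st_mtime >= cutoff:
                by_size[st.st_size].append(path)

    report = {}
    for size, paths in by_size.items():
        if len(paths) < min_group:
            continue  # a lone file of this size is not a pattern
        by_hash = defaultdict(list)
        for path in sorted(paths):
            by_hash[sha256_of(path)].append(path)
        report[size] = dict(by_hash)
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for size, groups in recent_clones(target).items():
        for digest, paths in groups.items():
            print(f"{size} bytes, sha256 {digest[:16]}..., {len(paths)} file(s)")
            for path in paths:
                print("   ", path)
```

Review the report before removing anything: identical size and hash across differently named files is the pattern worth a closer look.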
  #2  
Old November 16th 04, 04:09 AM
David H. Lipman

Tom:

There is no such terminology as "virii". The plural of virus is viruses.

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt248.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinXP, create a new Restore point

* * * Please report back your results * * *

Dave


  #3  
Old November 16th 04, 04:31 AM
war17

I assume you ran an updated anti-virus scanner.

Also scan for spyware with Spybot or Adaware.

-------
Warren
For additional help, post in
http://groups.msn.com/HelpforInterne...owsME/homepage


  #4  
Old November 16th 04, 06:29 PM
Mark Lloyd

On 15 Nov 2004 18:56:52 -0800, (Tom Kazanski) wrote:

> Hello all,
>
> Yesterday I'd visited an old friend. He's running Win Me, with no
> AV/IDS/FW. His sister was checking her hotmail a/c and downloaded &
> opened 2 attachments... Double extension .txt........scr type. Ahem.

A file like "story.txt.scr" does not have a double extension. The
extension is .SCR (the text after the RIGHTMOST dot). However, it does
look like .TXT when Windows is lying to you about what's there ("hide
common file extensions", a very bad decision for MS to make this the
default).

> I'd only rocked up after the fact. Given that laptop is not mine, not
> a whole lot i can do (brute format + OS upgrade was not an option),
> however, took the following steps:
>
> Wiped all unsolicited e-mail, all downloaded attachments, and all
> files created on disk within last 24 hours. (Suspiciously many EXE &
> DLLs in that lot, all same size at that)

This is a good reason for avoiding Outlook Express. It shows messages
in HTML, which allows malicious code to be run automatically (you
don't even have to open an attachment). It seems to be less important,
but it still helps to avoid Internet Explorer when possible. Try
Firefox (http://www.mozilla.org/products/firefox/).

Note that at least one person I know thought you could turn HTML off
by changing the "send messages" setting. That has NO effect on
incoming messages.

> (web)Port scanned the machine - even though no firewall is present, no
> services are listening on common high numbered ports.

That would be common LOW numbered ports (0-1055). Also, this does not
protect you from spyware (the XP firewall won't either).

There's another good port scanning service at
https://www.grc.com/x/ne.dll?bh0bkyd2 . However, none of these will
show vulnerability to OUTGOING connections (such as from spyware,
Windows itself is a big offender here too).

> Seems to be working ok - anything else that could be done (other than
> convincing people to not trust odd attachments and have latest AV
> etc..., and upgrade to a later OS)

I listed a few others.

Notice that the XP firewall is incoming-only, and provides much less
protection than a good firewall.

> Interestingly, the hotmail AV scanner did not detect anything in those
> e-mails.

AV scanners often don't detect spyware (although it's still a good
idea to use one). A firewall is still important.

> Next step (today) will be to re-check any new file creations and clean
> the registry. (Easy part) And try to convince my non-paranoid friends
> to use later OS,AV+etc...

And turn off the stupid "hide file extensions" setting (it's in
"folder options").

> P.S. Sometimes malice can't happen without a little bit of stupidity
> from people who are normally intelligent. Then again, sometimes we see
> stupidity in manifestations of trust.

Both true. And in many cases the stupidity seems to be voluntary.

--
39 days until the winter solstice celebration

Mark Lloyd
http://notstupid.laughingsquid.com
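
The point made in the post above, that the real extension is the text after the rightmost dot while the "hide file extensions" view shows only the harmless-looking part, as an added example that is not part of the thread: a Python check for attachment names. The extension lists, the padding threshold and the sample names are assumptions constructed for illustration.

```python
import os

# Assumed, non-exhaustive lists for illustration.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".mp3", ".zip"}
PAD_CHARS = ". _"   # characters used to push the real extension out of view
MIN_PADDING = 3     # assumed threshold for deliberate padding


def inspect_attachment(filename):
    """Return (real_ext, shown_name, findings) for one attachment name.

    real_ext   -- what Windows acts on: the text after the rightmost dot
    shown_name -- what is displayed when known extensions are hidden
    findings   -- reasons the name looks deceptive (empty list if none)
    """
    # Keep only the file name; Windows drops trailing dots and spaces.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    shown_name, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()

    findings = []
    if real_ext in EXECUTABLE_EXTS:
        findings.append("executable")
        core = shown_name.rstrip(PAD_CHARS)
        if len(shown_name) - len(core) >= MIN_PADDING:
            findings.append("padding")
        if os.path.splitext(core)[1].lower() in DECOY_EXTS:
            findings.append("decoy-extension")
    return real_ext, shown_name, findings


def flag_deceptive(filenames):
    """Names that are executable AND dressed up with a decoy or padding."""
    flagged = []
    for fn in filenames:
        _ext, _shown, findings = inspect_attachment(fn)
        if len(findings) > 1:
            flagged.append(fn)
    return flagged


# Constructed sample names, not taken from the thread's e-mails.
SAMPLES = [
    "story.txt.scr",
    "story.txt........scr",
    "photo.jpg          .exe",
    "notes.txt",
    "setup.exe",
    "report.v1.2.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ext, shown, why = inspect_attachment(sample)
        print(f"{sample!r}: runs as {ext or '(none)'}, shown as {shown!r}, {why or 'ok'}")
```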
  #5  
Old November 16th 04, 07:38 PM
JAD

> Note that at least one person I know thought you could turn HTML off
> by changing the "send messages" setting. That has NO effect on
> incoming messages.


set 'read' to plain text only,,,, very simple



  #6  
Old November 16th 04, 08:43 PM
Mark Lloyd

On Tue, 16 Nov 2004 11:38:03 -0800, "JAD" wrote:

>> Note that at least one person I know thought you could turn HTML off
>> by changing the "send messages" setting. That has NO effect on
>> incoming messages.
>
> set 'read' to plain text only,,,, very simple


And off by default, so the lazy and unknowing majority won't be using
this.

I'd be more likely to know that if I'd used OE regularly during the
last 4 years or so.



--
39 days until the winter solstice celebration

Mark Lloyd
http://notstupid.laughingsquid.com
  #7  
Old November 16th 04, 09:01 PM
JAD

You know, Mark, that is a good example of where things are going. The fact
that you would rather have "defaults" set at the beginning of an
installation that are conformed around your personal comfort is a
way of saying 'take care of me please, I don't want to be
bothered with learning anything. I'll trust you to protect me,' or
maybe 'take away whatever services are suspect and don't offer
me any options.' All in the name of security... and fear. Ignorance of
how something works doesn't make that 'something' at fault; as
usual, let's point the finger elsewhere.

You know that ad "Just do it"? The 2004 version should be "Just do it
for me".


  #8  
Old November 17th 04, 05:56 AM
Tom Kazanski

Thanks all for your constructive posts.

Cleaned things up and got latest AV on it.
Now I'll just have to persuade the guy to actually *GET* XP SP2 with
firewall. - As I've noted in original post, he's running Millennium
:-(

All the fun of installing XP... Again

He'd better hike the RAM too while he's at it... 512 should do it.

Unless he wants a new laptop. But that's going OT.

Forking out $$ for a new OS that really is rather similar is probably
not the best "selling point", but heck, WinMe is no longer supported
and XP SP2 is the most secure MS OS there is.

Still, it's difficult to recommend getting XP when its license cost is
actually comparable to the cost of buying a new laptop - e.g. yet
another friend showed off his new toy last night - new XP laptop with
DVD burner, 512 RAM, 17in screen, etc, for $800. NEW, from vendor. Oh
well.

Cheers
  #9  
Old November 17th 04, 03:19 PM
John R. Copeland

"Mark Lloyd" wrote in message ...

> Notice that the XP firewall is incoming-only, and provides much less
> protection than a good firewall.
>
> Mark Lloyd

No, Mark. You're describing the old Internet Connection Firewall.
The Windows Firewall in XP intercepts both incoming and outgoing traffic.
---JRC---

  #10  
Old November 17th 04, 03:33 PM
Alias

"John R. Copeland" wrote
> "Mark Lloyd" wrote
>
>> Notice that the XP firewall is incoming-only, and provides much less
>> protection than a good firewall.
>>
>> Mark Lloyd
>
> No, Mark. You're describing the old Internet Connection Firewall.
> The Windows Firewall in XP intercepts both incoming and outgoing traffic.
> ---JRC---

No it doesn't and it doesn't to avoid lawsuits like what happened with
Internet Explorer. Please do your research before you post false
information.

Thanks

Alias


 



