Windows Forum / Outlook Express / General Topics / October 2005

Netsky and Mydoom etc. attacks while using this service

Steve Hawkins - 26 Oct 2005 19:23 GMT
As a newcomer here I find it most unsettling that my virus checker is
constantly warning of them while I am logged on to msnews!

SteveH
charlie R - 26 Oct 2005 20:16 GMT
> As a newcomer here I find it most unsettling that my virus checker is
> constantly warning of them while I am logged on to msnews!
>
> SteveH

Steve,  What virus checker is that, and which newsgroup?  I haven't
seen any attachments in this one lately?  If you read all messages in
"plain text", it's safer. Also, don't click on attachments until
scanned.

charlie R
Steve Hawkins - 26 Oct 2005 20:40 GMT
'Virus Scan Enterprise';   a number of instances of Netsky, and several
other viruses were registered when I was viewing the response to my earlier
enquiry about Hotmail crashing my OE below. It seems to be centred on PA
Bear's reply as viruses were coming thick and fast when I tried to thank
him. Incidentally (?) when I tried to reply directly to him the message
bounced.

I'm using plain text and I've seen no attachments.

Regards,
SteveH

>> As a newcomer here I find it most unsettling that my virus checker
> is
[quoted text clipped - 8 lines]
>
> charlie R
Kath Adams - 26 Oct 2005 22:11 GMT
Please read my further response to your earlier post. DON'T use a valid
email address in newsgroups.
It's not considered polite to try to respond to a newsgroup post
directly. Please post all responses in the newsgroup only, so that all
may benefit. You got a bounce because PA Bear used an invalid email
address in his posting, as I suggested you do.

Kath

> 'Virus Scan Enterprise';   a number of instances of Netsky, and
> several other viruses were registered when I was viewing the response
[quoted text clipped - 20 lines]
>>
>> charlie R


Kath Adams
MS MVP - Windows (Outlook Express)

Frank Saunders, MS-MVP OE - 27 Oct 2005 05:25 GMT
> 'Virus Scan Enterprise';   a number of instances of Netsky, and
> several other viruses were registered when I was viewing the response
[quoted text clipped - 20 lines]
>>
>> charlie R

I have looked at your original thread (Hotmail links cause OE to shutdown)
and see no viruses in any message in that thread, so I don't know what you
are talking about.  If your anti-virus is seeing viruses in that thread then
it is faulty.


Frank Saunders, MS-MVP OE
Please respond in Newsgroup only.  Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/

PA Bear - 26 Oct 2005 23:40 GMT
See replies to your original thread here (Hotmail links cause OE to
shutdown).

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), AH-VSOP

> As a newcomer here I find it most unsettling that my virus checker is
> constantly warning of them while I am logged on to msnews!
>
> SteveH
Steve Hawkins - 27 Oct 2005 15:11 GMT
Thanks to all for tips,

I now note that the virus hits are also occurring when visiting other sites (eg NetDoctor) and
suspect that this may have something to do with having turned off e-mail scanning as per
instructions on reducing dangers of compaction.

Incidentally, I've since discovered the log file from an earlier compaction and was surprised to
find that it took over 3 hours, so I would imagine that pcs are very often shut down while it is
going on if this is normal!

Regards,
SteveH

> See repies to your original thread here (Hotmail links cause OE to shutdown).
>> As a newcomer here I find it most unsettling that my virus checker is
>> constantly warning of them while I am logged on to msnews!
>>
>> SteveH
DGuess - 27 Oct 2005 18:30 GMT
When you say you're getting hits, are you talking about thru your firewall
notifications or actual email coming in?

If it's the firewall, that's normal. You've got these morons running port
scans left and right.  These are just idiots looking to see if there are
open ports they can use. Just reading newsgroups or email won't cause this.
Opening attachments that aren't scanned first can cause this if they are
infected and undetected. You then have those ports open and are vulnerable.

I would imagine it's just the port scans you are seeing and if you're
protected there is no problem as by the time you were notified that it was
blocked they're a hundred computers on down the road.

> Thanks to all for tips,
>
[quoted text clipped - 17 lines]
>>>
>>> SteveH
Steve Hawkins - 28 Oct 2005 14:09 GMT
Discussion of firewalls and ports is all a bit over my head I'm afraid (how
do you all learn this stuff in the first place - I could spend a lifetime
just reading this column!?). A message box just pops up to say that virus
scan enterprise has detected and removed xxx, that it is a virus and that I
may tick a box to remove something which I am not clear is the warning
itself or the virus which it says it removed?  I am just ignoring them...

Would turning off e-mail scanning have started this behaviour?

Regards,
SteveH

> When you say you're gettinghits, are you talking about thru your firewall
> notifications or actual email coming in?
[quoted text clipped - 30 lines]
>>>>
>>>> SteveH
PA Bear - 28 Oct 2005 21:31 GMT
No.

<snip>
> Would turning off e-mail scanning have started this behaviour?
>
[quoted text clipped - 35 lines]
> > > > > checker is constantly warning of them while I am logged on to
> > > > > msnews! SteveH
PA Bear - 28 Oct 2005 21:33 GMT
See my reply to your other thread (posted 26 Oct-05) about hijackware.

~PA Bear

> Discussion of firewalls and ports is all a bit over my head I'm afraid
> (how do you all learn this stuff in the first place - I could spend a
[quoted text clipped - 45 lines]
> > > > > checker is constantly warning of them while I am logged on to
> > > > > msnews! SteveH
DGuess - 30 Oct 2005 19:33 GMT
> Discussion of firewalls and ports is all a bit over my head I'm afraid
> (how do you all learn this stuff in the first place - I could spend a
[quoted text clipped - 5 lines]
>
> Would turning off e-mail scanning have started this behaviour?

No, turning off email scanning would have no effect; the base AV will be
working regardless.

What you're not saying is does this happen in email or when you browse the
web. The reason I ask is because you've made mention of  "... when visiting
other sites ..."

When the AV software detects something, it will notify you as you are
seeing. However, whether it has removed it or can remove it at that time is
something else. Some viruses, when running, can't be shut down and you may
have to boot up into Safe Mode, then scan and see if it will remove it.

You probably have something starting it in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or the other
RunXXXX subkeys or also in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and other
RunXXXX subkeys. By booting to Safe Mode, some things will not load (can't
say all of them won't, however), but booting to Safe Mode may not allow what
you have to start running.

Make sure you look at the logs or anything viewable in your AV software to
see what has happened, it may be telling you it can't remove it at that time
or something may be propagating itself when the object has been removed.

As Robear has mentioned, check the other thread as there will be additional
info on spyware and such, as some spyware is being treated as a trojan by the
AV software and showing it as such.

Boot to Safe Mode, scan with the AV then scan with the spyware removal
software.  For free software, install Spybot AND Adaware; for purchased
spyware removal, WebRoot SpySweeper is pretty good in detecting what the
above free ones won't or can't yet. To put it in a percentage perspective,
the free ones hit about 65% of the time while the SpySweeper is hitting
about 90%, which isn't too bad IMHO. I've recommended it to a couple of
clients so far and it's done quite well.

I haven't had much testing with the Microsoft AntiSpyware Beta, but the
company it bought did a fairly good job.

As to firewalls, ports and other stuff, I learned it just like I learned to
weld, cabinet making, framing, flooring, drywall, auto mechanics, auto body
repair, drilling/blasting and operating all sorts of heavy construction
equipment and numerous other things. Saw it, looked it over then jumped in.
Steve Hawkins - 30 Oct 2005 22:40 GMT
Thanks for the extra info:

I've already run Ad-aware and SpyBot, and following other correspondents'
ideas, have just scanned with HijackThis and posted the log.

I never quite got the hang of welding, but I expect some of what you just
posted will begin to make sense after a while on this newsgroup (I hope!)!

The virus warnings seem to have subsided after the initial flurry that
seemed to coincide with turning off e-mail scanning. They just popped up
while I was reading entries here, and on another site (NetDoctor) without
following any particular action of my own.  I don't recall any warnings from
e-mail of late.

Today, IE and another user's Outlook have been going glacially slow. Outlook
kept freezing and having to be shut, with the consequent error report saying
to go to Office Update.  Couldn't do that either because initially it froze
while looking for the updates, then it froze before even getting to the
update site.  Been able to get to other sites but panes tend to imprint on
each other instead of changing smoothly when trying to move between them.
All rather a pain - hence the Hijack This scan.

Another possibility is that a recent download of the new MSNSearch engine is
screwing things up (although it says it has finished indexing it still has
to be turned off via a pop up after selecting to shut down the rest of the
system?)  I already had Indexing Service turned on and Google Desktop Search
before trying the new MS one (which I downloaded after another inquiry as to
how I could get better access to the 'Query the Indexing Service' panel!).

Thanks once again,

SteveH

>> Discussion of firewalls and ports is all a bit over my head I'm afraid
>> (how do you all learn this stuff in the first place - I could spend a
[quoted text clipped - 52 lines]
> construction equipment and numerous other things. Saw it, looked it over
> then jumped in.
DGuess - 30 Oct 2005 23:16 GMT
Where did you post the Hijack log? In this group or elsewhere?

I would imagine you're loaded with spyware that's returning.
I have the MSN Search on a computer here and nada happening with it.

Turn off System Restore.
Run the programs again.

> Thanks for the extra info:
>
[quoted text clipped - 87 lines]
>> construction equipment and numerous other things. Saw it, looked it over
>> then jumped in.
Steve Hawkins - 30 Oct 2005 23:33 GMT
Posted it to AumHa as per instructions (not sure I like exposing my files
like this though), but here it is if you are keen.

How would System Restore put things back when I haven't asked it to restore
anything?  I thought it only restored when a restore to such and such a date
was selected?

Logfile of HijackThis v1.99.1
Scan saved at 20:23:04, on 30/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSAC-FD1\MSSTAT.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\Outlook Express\OEExtras\OETool.exe
C:\Program Files\Taskbar Activate\TaskbarActivate.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\SteveH\Desktop\Management\Security\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to OETool.exe.lnk = C:\Program Files\Outlook Express\OEExtras\OETool.exe
O4 - Startup: Taskbar Activate.lnk = C:\Program Files\Taskbar Activate\TaskbarActivate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Memory Stick Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?a96bb239f2fc4102a0965951225a2b6d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?a96bb239f2fc4102a0965951225a2b6d
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.bbc.co.uk
O15 - Trusted Zone: http://www.multimap.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

> Where did you post the Hijack log? In this group or elsewhere?
>
[quoted text clipped - 96 lines]
>>> construction equipment and numerous other things. Saw it, looked it over
>>> then jumped in.
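An added example, not code from the thread or from HijackThis: a small parser for the O2 and O4 lines in a HijackThis log of the kind posted above, which records where each autostart entry lives (the HKLM/HKCU Run keys DGuess describes, or a Startup folder), what it launches, and which entries a reader should identify before trusting them. The sample lines are copied from the log in this thread; the triage rules are my own heuristics, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few lines from the HijackThis v1.99.1 log posted in
# this thread, with wrapped lines rejoined. Not the complete log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

# O4 from a Run-style registry value, O4 from a Startup folder shortcut, O2 BHO
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.*?) = (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

@dataclass
class Entry:
    kind: str      # "run", "startup" or "bho"
    source: str    # registry key (e.g. HKLM\Run), startup folder, or CLSID
    name: str
    target: str    # file path, or shortcut target ("?" when HJT could not resolve it)
    args: str = ""

def split_command(command: str) -> tuple[str, str]:
    # HJT prints quoted paths verbatim; unquoted ones may contain spaces, so
    # they are cut after the executable extension rather than at the first space.
    m = re.match(r'^"([^"]+)"\s*(.*)$', command)
    if m:
        return m.group(1), m.group(2)
    m = re.match(r"^(.*?\.(?:exe|com|scr|dll))(?:\s+(.*))?$", command, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2) or ""
    return command, ""

def parse_log(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            path, args = split_command(m.group(4))
            entries.append(Entry("run", f"{m.group(1)}\\{m.group(2)}", m.group(3), path, args))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("startup", m.group(1), m.group(2), m.group(3)))
        elif m := BHO_RE.match(line):
            entries.append(Entry("bho", m.group(2), m.group(1), m.group(3)))
    return entries

def needs_review(e: Entry) -> Optional[str]:
    # Triage heuristics (mine, not HijackThis rules): a hit means "identify this
    # before deciding what to do", not "this is malware".
    if e.target == "?":
        return "shortcut target could not be resolved"
    if e.kind == "bho" and e.name == "(no name)":
        return "BHO without a registered name; identify it by CLSID"
    if e.kind in ("run", "startup") and not e.target.lower().startswith(
            ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")):
        return "autostart outside the Windows or Program Files trees"
    return None

def triage(text: str) -> list[tuple[str, str]]:
    return [(e.name, r) for e in parse_log(text) if (r := needs_review(e))]
```

Running `triage(SAMPLE_LOG)` on the sample flags only the unnamed BHO (Spybot's SDHelper, which is benign but must be looked up by CLSID) and the unresolved "Digital Line Detect" shortcut; the rest resolve to known Program Files paths.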
DGuess - 31 Oct 2005 04:40 GMT
> Posted it to AumHa as per instructions (not sure I like exposing my files
> like this though), but here it is if you are keen.
>
> How would System Restore put things back when I haven't asked it to
> restore anything?  I thought it only restored when a restore to such and
> such a date was selected?

Really didn't want you to post it here since you had posted it somewhere
else already; I was just wondering where it was posted.

As to System Restore: I mentioned turning it off as there are points at which
a restore point is set. If the restore point was infected at the time, should
you restore, it will put it back and you get to start all over again. Turn
it off till you find the source of the problem, then turn it on and create a
new uninfected point.

Windows will set restore points during software installations and updating.
PA Bear - 30 Oct 2005 23:46 GMT
Steve's thread in Aumha Forums: http://aumha.net/viewtopic.php?t=16445

I have asked that Steve restrict all further posts here to this thread.

~PA Bear

> Where did you post the Hijack log? In this group or elsewhere?
<snip>
 
©2008 Advenet LLC   Privacy Policy - Terms of Use