Re: Did an online scan wondering if I have a virus or remnants of headers

From: Pam (pfloresatcharterdotnet)
Date: 03/01/04

    Date: Mon, 1 Mar 2004 14:59:45 -0800


    "cquirke (MVP Win9x)" <cquirkenews@nospam.mvps.org> wrote in
    message news:3o86409gu5g4pbqkpqqrvlr66it6fmtkuc@4ax.com...
    | On Sat, 28 Feb 2004 01:54:38 -0800, "Pam" <pfloresatcharterdotnet>
    | wrote:
    |
    | >...NAV said it could not clean or delete, and it is not in
    | >my quarantine file. Nav logs say basically the same thing.
    |
    | "Can't clean" means:
    |
    | 1) The file is 100% malware (common)
    | 2) The file is "in use" (i.e. has gone active; bad)
    | 3) The file is within a container file

    How do I find it? I'm very new at this and don't know how to
    do a lot of things.
    |
    | "Can't delete" means:
    |
    | 1) The file is "in use" (i.e. has gone active; bad)
    | 2) The file is within a container file
    |
    | Some av may delete the container; others not.

    I also scanned at Panda online and Trend with no viruses
    found.
    |
    | >I ran a scan with NAV, and it shows nothing.
    |
    | If the malware's active, all bets are potentially off when it comes to
    | scanning within the infected environment. Some malware are OK for
    | this; others pre-empt the attempt by killing the av, some may hide,
    | and some may take punitive action when av attacks them.
    |
    | If you suspect *active* malware infection, you should really scan
    | formally, i.e. without running any potential malware code in the
    | process. That means booting off something other than the HD and
    | scanning all files using something that was not created from the
    | potentially infected system.

    I have Win XP Home, and unfortunately I don't know how to boot
    off something other than the HD, unless I was given step by
    step instructions.
    |
    | For systems based on FATxx, that's usually done from DOS mode.

    I don't know how to do this in DOS unless given instructions.
    I have FAT32.
    |
    | For systems based on NTFS, no satisfactory solution yet exists.
    |
    | >I did an online scan at RAV
    |
    | Online scans are even less formal than Windows-based av, so...

    Exactly what does less formal mean?
    |
    | >I'm not having any noticeable computer problems, and I have
    | >"all" of the MS patches/fixes, properly configured firewall,
    | >and up to date virus defs. Also, several seconds after the
    | >NAV alert my firewall blocked an inbound attempt by Ultor
    | >Trojan Horse. Then I decided to run Adaware and found 68 new
    | >objects, which is really unusual for me because I generally
    | >only get 2-3 new objects on each scan.
    |
    | You're right to tackle commercial malware with Ad-Aware and similar
    | tools (I like Spybot) as antivirus software generally ignores these.
    | As at February 2004, you can scan for commercial malware informally;
    | they have to "play nice" to maintain plausible deniability, i.e. stay
    | within the lines of "the user consented us to...".

    I also run Spybot as well, and don't understand what you mean
    by "scan for commercial malware informally" and "stay within the
    lines of 'the user consented us to...'".

    |
    | Expect this game to get extremely ugly in a post-DRM future.

    Sorry again but I don't know what that means either.

    |
    | >...said it was only a matter of removing these from my dbx files,

    I deleted all news posts and the original Swen and IFrame
    Exploit disappeared. I did a second scan at RAV and it now
    says those files aren't on my computer.
    |
    | Container files can be a bloody menace, in that they can hide malware
    | from av scanners. The two biggest container systems that threaten to
    | serve as malware hiding places are System Restore data (WinME, WinXP)
    | and email / news message stores.

    I have no problem deleting my email entirely, and I do have
    WinXP as mentioned above.

    |
    | If you want to preserve your email message stores, do this:
    |
    | 1) Install Eudora
    | 2) Set Eudora, Tools, Options, Attachments location
    | 3) Import mail into Eudora
    | 4) This splits out attachments into the ATTACH location as files
    | 5) This splits out MIME-spoofed into EMBEDDED location as files
    | 6) Virus-scan the ATTACH and EMBEDDED locations, and clean
    |
    | Now the Eudora copy of the mail data is clean. Eudora exiles
    | MIME-spoofed attachments into EMBEDDED, does not link to them, and
    | does not automatically run them (don't use MS Viewer!). Eudora links
    | to attachments stored as files in ATTACH; once those are cleaned,
    | subsequent access from Eudora's links runs the clean file.
    |
    | To manage the malware still hidden in Outbreak, OE, etc. you can:
    |
    | a) Forensically back-track, delete corresponding messages
    | b) Purge the mail data and import from Eudora (uses "clean" files)
    | c) Purge the mail data and use Eudora instead
    |
    | Eudora doesn't do news; only Internet email. You'd have to find some
    | other way of dealing with malware hidden in news stores.

    How would I delete malware hidden in news stores? I did what
    Mike mentioned and that provided me with a clean scan at RAV;
    however, I wasn't trying to remove PWSteal.TarnoB because it
    didn't show up on any scan and I didn't think it was a
    problem. I looked for the file using the path given for
    PWSteal.TarnoB, and of course I couldn't find it. Your mind
    is probably reeling at this point at my lack of knowledge, but
    what I don't understand is why I don't have some kind of
    symptom for this, and is it possible to get this malware from
    opening the post from Papadimoulis? I did not go to the url
    for MonCash.net. Also, the last two scans using AdAware and
    Spybot were clean--no new objects found.

    Your help would be greatly appreciated... But I need really
    simplified explanations.
    Thanks greatly...

    Pam
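The Eudora steps quoted in the post boil down to one idea: pull each attachment out of the mail store into its own file so an on-demand scanner can see it, and park any attachment whose declared MIME type does not match an executable file name somewhere nothing will open it. The script below is an added illustration of that idea in Python; it is not code from the post, from cquirke, or from Eudora. The sample mbox, the ATTACH/EMBEDDED folder names, the executable-extension list and the spoof rule are all constructed for the example.

```python
import email
import re
import tempfile
from email import policy
from pathlib import Path

# Constructed sample mbox with two messages; not a real capture. The second
# message declares an .exe attachment as audio/x-wav, the kind of mismatch
# the quoted post calls "MIME-spoofed".
SAMPLE_MBOX = """\
From alice@example.test Mon Mar  1 10:00:00 2004
From: alice@example.test
To: pam@example.test
Subject: photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1--

From mallory@example.test Mon Mar  1 11:00:00 2004
From: mallory@example.test
To: pam@example.test
Subject: patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/html

<p>install this</p>
--b2
Content-Type: audio/x-wav; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b2--
"""

# File types Windows runs directly; a list chosen for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_mime_spoofed(filename, declared_type):
    """True when an executable file name is labelled as something harmless."""
    ext = Path(filename).suffix.lower()
    return ext in EXECUTABLE_EXTS and not declared_type.startswith("application/")


def split_attachments(mbox_text, out_dir=None):
    """Write every attachment in an mbox out as a plain file.

    Ordinary attachments go to ATTACH/, MIME-spoofed ones to EMBEDDED/, so a
    scanner sees individual files instead of one opaque mail store.
    Returns one record per attachment written.
    """
    base = Path(out_dir or tempfile.mkdtemp(prefix="mailsplit-"))
    (base / "ATTACH").mkdir(parents=True, exist_ok=True)
    (base / "EMBEDDED").mkdir(parents=True, exist_ok=True)
    records = []
    # mbox messages are delimited by lines starting "From " (no colon).
    chunks = [c for c in re.split(r"^From .*\n", mbox_text, flags=re.M) if c.strip()]
    for msg_no, chunk in enumerate(chunks, 1):
        msg = email.message_from_string(chunk, policy=policy.default)
        for part_no, part in enumerate(msg.iter_attachments(), 1):
            name = Path(part.get_filename() or "unnamed").name  # drop any path
            declared = part.get_content_type()
            dest = "EMBEDDED" if is_mime_spoofed(name, declared) else "ATTACH"
            data = part.get_payload(decode=True) or b""
            target = base / dest / f"{msg_no:04d}-{part_no:02d}-{name}"
            target.write_bytes(data)
            records.append({"message": msg_no, "filename": name, "declared": declared,
                            "dest": dest, "path": str(target), "size": len(data)})
    return records


if __name__ == "__main__":
    for r in split_attachments(SAMPLE_MBOX):
        print(f"msg {r['message']}: {r['filename']:12} {r['declared']:12} "
              f"-> {r['dest']}/ ({r['size']} bytes)")
```

Point a file scanner at the two output folders rather than at the mbox itself; the EMBEDDED folder is the one to look at first, since a mismatch between declared type and executable name has no honest use in ordinary mail.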
