alt.comp.anti-virus Google Group

Re: Best setup to clean pc

a.nony.m...@example.invalid (Beauregard T. Shagnasty) — Tue, 24 Nov 2009 23:16:54 UT

..and then do it again next week when it is re-infected. Keeping Windows
clean is a full-time job.
Jason needs to google up: practice safe hex

Re: Best setup to clean pc

dlipman~nosp...@verizon.net (David H. Lipman) — Tue, 24 Nov 2009 23:13:19 UT

I agree. Especially since it was noted "Windows 7 Ultimate" and thus could NOT have been
on the PC that long.
It is also indicative that Jason has BAD HABITS and doesn't practice Safe Hex. Failure to
take proper precautions to secure his system (and his data) will just lead Jason right
back into the situation he is now faced with. Jason needs to LEARN from this experience !

Re: Best setup to clean pc

erra...@nomail.afraid.org (FromTheRafters) — Tue, 24 Nov 2009 21:56:22 UT

Wipe the drive, and reinstall the OS from the original installation
media.
Backup what data you can, and then be careful when bringing it back
onboard after the "flatten and rebuild" I suggested above.

Best setup to clean pc

jas...@implode.com (Jason) — Tue, 24 Nov 2009 21:32:23 UT

Runing Windows 7 Ultimate
I have a very badly infected pc & I need instructions along with best
software(freeware) to completely clean my machine also the url's for the
software.
Thanks

Re: N360_Backup Questions

vic...@invalid.invalid (Victek) — Tue, 24 Nov 2009 16:01:18 UT

.
You are correct that NAV has no backup functionality and I believe is
unaware of the leftover N360 backup folder. I'm guessing that uninstalling
N360 does not remove the backup folder in case the backups are still needed.
Obviously it would be good if the user were alerted to this during the
uninstall. In any case if you don't need the backups just deleted the

Re: Obtaining a "Faux Virus"?

m...@privacy.net (ASCII) — Tue, 24 Nov 2009 07:04:20 UT

Yes, George Orwell is all that,
and then some.

Re: Obtaining a "Faux Virus"?

nob...@mixmaster.it (George Orwell) — Mon, 23 Nov 2009 10:19:31 UT

"Toxic" <staring@my_soft_dick> gobfarted:
yet another projectile vomit of puerile gobshite from a discarded
condom hatchling hiding behind the nym it pretends is not a nym.
ooze away and die, spermbreath.
Il mittente di questo messaggio|The sender address of this
non corrisponde ad un utente |message is not related to a real

N360_Backup Questions

p...@dropthespam.com (TheScullster) — Mon, 23 Nov 2009 09:23:06 UT

Hi all
Looking at a PC last night that had a folder N360_Backup which has grabbed
half of a 30GB c: drive.
The PC originally had Norton 360 installed but now has Norton Anti-Virus
2009.
Looks like the newer software doesn't include any backup options and that
the N360_Backup folder can now be deleted.

Re: Personal Anti-Loss Alarm-Kids

m...@privacy.net (ASCII) — Mon, 23 Nov 2009 09:16:12 UT

I didn't notice whether the site offered in addition to tracking collars for
your sprogs, some type of immobilization (dart) device for when spotted.

Personal Anti-Loss Alarm-Kids

nilimashera...@gmail.com (Nilma Shehrawat) — Mon, 23 Nov 2009 09:05:30 UT

Feel safe wherever, whenever with i-safe personal security products.
Product Usage:
Alarm is activated if child is left outside or goes beyond the
specified distance. The product prevents child leaving adult. Distance
up to 10 mts can be set. For more aspect visit -
[link]

Re: Obtaining a "Faux Virus"?

erra...@nomail.afraid.org (FromTheRafters) — Sun, 22 Nov 2009 22:10:59 UT

I'm replying to you because I haven't (yet) filtered out the
anon-remailers or whatever they call them.
Myself, I would not have any problem with VX websites. I would *not*
however recommend them to others. Part of what ASCII snipped was my "but
it is not as safe" statement.

Re: Obtaining a "Faux Virus"?

erra...@nomail.afraid.org (FromTheRafters) — Sun, 22 Nov 2009 22:04:25 UT

I don't know what inconsistencies you are experiencing, but the EICAR
detection is very specific - can not (should not) be detected outside of
the specifications (see the eicar.com website).
I'm not too sure (haven't tried it) but it may be possible to save it as
an exe so that the OS's file browser causes an alert when it is accesed

Re: Obtaining a "Faux Virus"?

erra...@nomail.afraid.org (FromTheRafters) — Sun, 22 Nov 2009 21:56:10 UT

news:4b08e2dd.2041906@EBCDIC...
...and wasn't it Vecna that made a generator for creating FP detections?
(what a hoot)
Do AV programs "retire" old definitions for long ago patched exploit
based malware. I wouldn't expect them to, so having one land on your
harddrive as a file (or embedded in an e-mail to test your (yuck) e-mail

Re: Obtaining a "Faux Virus"?

erra...@nomail.afraid.org (FromTheRafters) — Sun, 22 Nov 2009 21:46:45 UT

To the best of my knowledge, the only thing that has changed is in the
way that the scanners are supposed to detect it. It used to have to be
only the 68 (or 70 w/CRLF) bytes - they have since changed it to include
some amount of trailing whitespace for some reason.

Re: Obtaining a "Faux Virus"?

x...@y.invalid ((PeteCresswell)) — Sun, 22 Nov 2009 21:26:37 UT

Per FromTheRafters:
That seems tb doing the trick. Thanks.
FWIW, Avast's catching it and issuing notifications does not seem
tb that consistent - unless (not unlikely) I'm missing something.

Re: Obtaining a "Faux Virus"?

nob...@mixmaster.it (George Orwell) — Sun, 22 Nov 2009 10:59:14 UT

"ASCII" <m...@privacy.net> gobfarted:
You utter fucking IDIOT!
People with less intelligence than you are few and far between!
Rosenthal is one of them! You should quote the loonie fuckwit
every day because it''s the best chance you''ll ever get to make
Usenet think you're only nine-tenths retarded, you SPASTIC!

Re: "Inheritest the Lions Den" ?? spammed website, suspect javascript

n...@home.today (Ant) — Sun, 22 Nov 2009 15:20:05 UT

The script in the head element starts like this:
evf1=[112,99,97,99,116,...
All that does is set the window.location to kecacbt.cn which is a fake
pills site. No malware involved as far as I can tell. The rest of the
page is just ad-click stuff.

Re: Obtaining a "Faux Virus"?

n...@home.today (Ant) — Sun, 22 Nov 2009 15:18:49 UT

But in order to work it has to modify the last four characters (H+H*)
of the eicar string because the instructions 'int 20' and 'int 21' are
not printable ASCII. Here's the final part of the code where it occurs:
0114 2937 SUB [BX],SI ; modify loc 0140
0116 43 INC BX
0117 43 INC BX
0118 2937 SUB [BX],SI ; modify loc 0142

Re: Obtaining a "Faux Virus"?

a.nony.m...@example.invalid (Beauregard T. Shagnasty) — Sun, 22 Nov 2009 12:58:11 UT

Why use tinyurl for such a short real URL?
hXXp://vx.netlux.org/vx.php?id =sr00
Aah. "vx" <g>

"Inheritest the Lions Den" ?? spammed website, suspect javascript

usenetharves...@aol.com (nobody >) — Sun, 22 Nov 2009 09:55:49 UT

Spammed at me, definite social engineering here (curiosity factor)
Mr Quangle Wangle, grant us that?
hxxp:/**/myguestbook.h1.ru/jeo pardized.html
mqnjzolw
I'm no js expert, all I know is how to spot it. Anyone here want to
tackle it?
URL "defanged". Don't go there unless you *know* what you are doing.

Re: Obtaining a "Faux Virus"?

m...@privacy.net (ASCII) — Sun, 22 Nov 2009 07:06:42 UT

[link]

Re: Obtaining a "Faux Virus"?

bughunter.dus...@gmail.com (Dustin Cook) — Sun, 22 Nov 2009 04:56:44 UT

"FromTheRafters" <erra...@nomail.afraid.org> wrote in news:he9ocl$h8a$1
@news.eternal-september.org:
to
Unless the EICAR file has been changed since it was originally released,
it's not self modifying code; it displays a message to the screen and
exits. It's slightly special codewise because it's creator was sure to

Re: Obtaining a "Faux Virus"?

erra...@nomail.afraid.org (FromTheRafters) — Sat, 21 Nov 2009 22:08:19 UT

Paste this (without the parentheses), all by itself, in a text file
(using notepad).
(X5O!P%@AP[4\PZX54(P^)7CC)7}$E ICAR-STANDARD-ANTIVIRUS-TEST-F ILE!$H+H*)
If your AV doesn't alert to it as a text file (some won't), rename it to
a com filetype.
That string was designed for exactly that purpose.
Yes, and most (if not all) AV programs will have the signature in their

Re: AVG Free 9.0 - Shutting it Down Completely

erra...@nomail.afraid.org (FromTheRafters) — Sat, 21 Nov 2009 21:56:55 UT

How else would you be rid of "all aspects" of it?
Maybe you could ask at their forum. As I recall, their was a way to use
it as an "on-demand" only scanner in the past, but I doubt the newer
versions work that way - what with antimalware, antispyware, automatic
updating, e-mail proxy, and other fluff all added.

Re: Avira switches to new update system

erra...@nomail.afraid.org (FromTheRafters) — Sat, 21 Nov 2009 21:45:38 UT

Same here, but then again I wasn't the kind to worry overmuch about
*late* updates due to overwhelmed servers.

Re: Avira switches to new update system

fr...@blackholespam.net (FredW) — Sat, 21 Nov 2009 20:10:00 UT

On Sat, 21 Nov 2009 07:46:15 -0700, "Buffalo" <E...@nada.com.invalid>
wrote:
Lets hope Avira solved the problems with the large updates.
;-)

Re: AVG Free 9.0 - Shutting it Down Completely

plink.1royt...@spamgourmet.com (Slarty) — Sat, 21 Nov 2009 17:18:36 UT

It's always such a pleasure to read such a cultured and well reasoned
response, so rare here.
Do have a nice day, it sounds as though you need one badly.
Pip! Pip! old bean.

Re: Obtaining a "Faux Virus"?

a.nony.m...@example.invalid (Beauregard T. Shagnasty) — Sat, 21 Nov 2009 17:03:58 UT

Google for: eicar test file

Obtaining a "Faux Virus"?

x...@y.invalid ((PeteCresswell)) — Sat, 21 Nov 2009 15:21:32 UT

I want to test the behavior of my anti-virus program (Avast).
To that end, I'd like to get hold of something that looks like a
virus (contains a known signature?) but doesn't act like a virus
(no damage if I accidentally let it loose on my PC or server).
With something like that, I could provoke the anti-virus

Re: Avira switches to new update system

e...@nada.com.invalid (Buffalo) — Sat, 21 Nov 2009 14:46:15 UT

[link]
It's been working great on my free Avira since the change.
Thanks again,
Buffalo

Re: AVG Free 9.0 - Shutting it Down Completely

no-m...@damaeus.yahoo.invalid (Damaeus) — Sat, 21 Nov 2009 05:45:55 UT

Reading from news:alt.comp.anti-virus,
Slarty <plink.1RoyT...@spamgourmet.co m> posted:
That's one of the stupidest things to write. I like AVG. I just don't
want it running at certain times, at all. And uninstalling it is a stupid
thing to do because I'd just have to reinstall it after playing whatever

Re: Attack of the "trojan/rootkit/virus"

erra...@nomail.afraid.org (FromTheRafters) — Sat, 21 Nov 2009 03:51:03 UT

Thanks David.
That's one stealthy sucker.
...lets just hope that no wormable exploit comes along that gets admin
rights.

Re: *.DAT files

v...@nguard.lh (VanguardLH) — Sat, 21 Nov 2009 00:23:22 UT

Sure there is. Put them in your blacklist that deletes their e-mail
(locally or up on the server). You can probably even define a server-
side rule in your e-mail account to auto-delete their e-mails. The
sender which is being discussed here is probably always using the same
e-mail address in the From header. I doubt the OP said "friend" to

Re: *.DAT files

v...@nguard.lh (VanguardLH) — Sat, 21 Nov 2009 00:18:49 UT

There exist few programs that don't have some means of configuring them
to alter they behavior or actions. There are drivers who don't know how
to activate the hazard lights or change the illumination intensity of
their dashboard lighting in their own car, too. No software can
overcome a person's desire to remain stupid.

Re: Attack of the "trojan/rootkit/virus"

dlipman~nosp...@verizon.net (David H. Lipman) — Sat, 21 Nov 2009 00:11:37 UT

A little something by Marco Giuliani of Prevx on the most prevalent RootKit threat
[link]

Police say father of Jackson accuser has killed himself

fann...@gmail.com (fannehh@gmail.com) — Fri, 20 Nov 2009 23:45:24 UT

The man who accused pop star Michael Jackson of molesting his son in
1993 killed himself in his New Jersey condo earlier this month, police
said.
[link]

Re: *.DAT files

dlipman~nosp...@verizon.net (David H. Lipman) — Fri, 20 Nov 2009 23:29:11 UT

LOL -- They are called Google Groupers !

Re: malware removal test

yawontfin...@here (Cawshus) — Fri, 20 Nov 2009 22:41:18 UT

Daniel Menzel <efmen...@web.de> wrote in
That's logic that should not (but does) need to be stated. About all the
test did for me was reinforce the need for supplementary scanners.

Re: AVG Free 9.0 - Shutting it Down Completely

e...@nada.com.invalid (Buffalo) — Fri, 20 Nov 2009 21:30:19 UT

It probably happens during automatic updates. If that is the case, turn that
function off.
Try the free Avira. It is simple to turn it on and off by just rt clicking
on the taskbar icon and unchecking the enable choice.
Buffalo

Re: *.DAT files

weki...@sympatico.ca (Wolf K) — Fri, 20 Nov 2009 16:56:08 UT

You can't avoid them.
cheers,
wolf k.

Re: *.DAT files

plink.1royt...@spamgourmet.com (Slarty) — Fri, 20 Nov 2009 15:48:43 UT

Then why bother dealing with such ignorant uncooperative dolts?
Cheers,
Roy

Re: AVG Free 9.0 - Shutting it Down Completely

plink.1royt...@spamgourmet.com (Slarty) — Fri, 20 Nov 2009 15:45:18 UT

Unistall it. Obviously. Why are you even bothering to use it again?
Then get something which suits you better.
Try searching this and related newsgroups for many many suggestions and
comments, and then make up you own mind.
Cheers,
Roy

Re: *.DAT files

weki...@sympatico.ca (Wolf K) — Fri, 20 Nov 2009 14:00:18 UT

Easier said than done. Most people not only don't know how to change
program settings, they don't want to know. IMO, certain data format
standards should be mandated, not because I believe in big gummint, but
because too many people can't be bothered to be courteous. And too many
companies won't agree to use each other's formats ("intellectual

Re: Attack of the "trojan/rootkit/virus"

erra...@nomail.afraid.org (FromTheRafters) — Fri, 20 Nov 2009 11:56:45 UT

Running as a limited rights user only makes it more difficult for
malware to be sticky. Since the malware has the rights of the user,
there is still much that it *can* do.
There are no "end all" answers, only measures that can be taken to
reduce impact.
The "root" in rootkit is the *nix term for the higher privilege account.

Re: *.DAT files

v...@nguard.lh (VanguardLH) — Fri, 20 Nov 2009 04:13:22 UT

That was covered by my prior post (I guessed that might be the
attachment's filename) and why your non-Outlook e-mail client can't
figure out what to do with that attachment. Tell the sender to stop
using RTF. For Internet recipients, they should be using plain text or
HTML format for composing their outbound e-mails.

Re: Attack of the "trojan/rootkit/virus"

dlipman~nosp...@verizon.net (David H. Lipman) — Fri, 20 Nov 2009 03:30:51 UT

You are correct "Simply removing admin privs from everyone is not necessarily the end all
answer." when you take into consideration the exploitation/vulnerability vector in terms
of buffer overflow conditions and an elevation of privileges.
However, it does reduce the capcity to be infected to some degree.

Re: Attack of the "trojan/rootkit/virus"

gci...@hotmail.com (The Central Scrutinizer) — Fri, 20 Nov 2009 02:55:59 UT

I attended a conference a few months ago that had a talk about non
admin user virus issues. Even if not admin, the CEO of a company
still has access to critical data and info. If the CEO were to get a virus
or malware the results for that company or user could be devastating.
Simply removing admin privs from everyone is not necessarily the

Re: *.DAT files

dlipman~nosp...@verizon.net (David H. Lipman) — Fri, 20 Nov 2009 02:05:29 UT

This isn't malware related. It is email client/server related. It has to do with with
how the interaction of different email servers and email clients interact.

Re: *.DAT files

rmo...@cox.net — Fri, 20 Nov 2009 01:42:40 UT

The filename I refer to (today) is winmail8.dat.

Re: Search hijacker

bughunter.dus...@gmail.com (Dustin Cook) — Fri, 20 Nov 2009 00:52:21 UT

"Lil' Abner" <blv...@dogpatch.com> wrote in
news:Xns9CC8650F4632Fbutter@wefb973cbe498:
Hi there. You might try our forums for assistance. If you have something
new, we can deal with it. :)
[link]