AIM Send out random messages



asdf
07-09-2005, 11:51 PM
People on our network seem to be affected with a weird security problem.
Their AIMs are sending out random messages to their buddies. Scanned entire
network with McAfee and all the spyware removers. All the critical updates are
installed. Also tried upgrading to the latest version of AIM but that didn't
help. They don't have a firewall on their network, just ACLs on their router.
Any other ideas on how to approach this problem?

Michael Pelletier
07-09-2005, 11:51 PM
asdf wrote:

> people on our network seem to be affected with a weird security problem.
> Their
> AIM's are sending out random messages to their buddies. Scanned entire
> network
> with Mcafee and all the spyware removers. All the critical updats are
> installed.
> Also tried upgrading to the latest version of AIM but that didnt help.
> THey dont have firewall on their network just ACLs on their router.
> Any other ideas on how to approach this problem

I remember reading about a virus that does that. It sounds like you have it.
First, at least block AIM so you do not infect other people. I will do a
search and see if I can find the name of the virus. You should try also.

Michael
--
"Trusted Computing" is a SCAM
http://www.gnu.org/philosophy/can-you-trust.html

Protect your rights
http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Michael Pelletier
07-09-2005, 11:51 PM
asdf wrote:

> people on our network seem to be affected with a weird security problem.
> Their
> AIM's are sending out random messages to their buddies. Scanned entire
> network
> with Mcafee and all the spyware removers. All the critical updats are
> installed.
> Also tried upgrading to the latest version of AIM but that didnt help.
> THey dont have firewall on their network just ACLs on their router.
> Any other ideas on how to approach this problem

This might be what you are looking for:
http://www.jayloden.com/BestFriends.htm


Michael
--
"Trusted Computing" is a SCAM
http://www.gnu.org/philosophy/can-you-trust.html

Protect your rights
http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

PA Bear
07-09-2005, 11:51 PM
W32/Oscarbot & variants (which are multiplying exponentially)
http://www.google.com/search?hl=en&q=oscarbot

For a sample of what you're in for, see "Oscarbot The Grouch" at
http://aumha.org/elist.cgi

Checking for/Help with Hijackware & (Trojans like Oscarbot)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/data/tshoot.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

Meanwhile, forbid the use of AIM on *any* machine. Keep seeking and
installing McAfee updates (i.e., several times a day) and scanning.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security




asdf wrote:
> people on our network seem to be affected with a weird security problem.
> Their
> AIM's are sending out random messages to their buddies. Scanned entire
> network
> with Mcafee and all the spyware removers. All the critical updats are
> installed.
> Also tried upgrading to the latest version of AIM but that didnt help.
> THey dont have firewall on their network just ACLs on their router.
> Any other ideas on how to approach this problem

asdf
07-09-2005, 11:51 PM
Thank you all for the awesome replies. However, do you have any idea why
McAfee with the latest definitions would not be able to detect the problem?
Would scanning with Norton or Kaspersky be more successful?


"PA Bear" <PABearMVP@gmail.com> wrote in message
news:OvkhH8CXFHA.2980@TK2MSFTNGP10.phx.gbl...
> W32/Oscarbot & variants (which are multiplying exponentially)
> http://www.google.com/search?hl=en&q=oscarbot
>
> For a sample of what you're in for, see "Oscarbot The Grouch" at
> http://aumha.org/elist.cgi
>
> Checking for/Help with Hijackware & (Trojans like Oscarbot)
> http://aumha.org/a/parasite.htm
> http://aumha.org/a/quickfix.htm
> http://aumha.net/viewtopic.php?t=5878
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/data/prevention.htm
> http://inetexplorer.mvps.org/data/tshoot.htm
> http://www.mvps.org/sramesh2k/Malware_Defence.htm
> http://defendingyourmachine.blogspot.com/
>
> Meanwhile, forbid the use of AIM on *any* machine. Keep seeking and
> installing McAfee updates (i.e., several times a day) and scanning.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE/OE) & Security
>
>
>
>
> asdf wrote:
> > people on our network seem to be affected with a weird security problem.
> > Their
> > AIM's are sending out random messages to their buddies. Scanned entire
> > network
> > with Mcafee and all the spyware removers. All the critical updats are
> > installed.
> > Also tried upgrading to the latest version of AIM but that didnt help.
> > THey dont have firewall on their network just ACLs on their router.
> > Any other ideas on how to approach this problem
>

Tom Pepper Willett
07-09-2005, 11:51 PM
Maybe McAfee doesn't have it in their defs at this time.

http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html

"asdf" <dfsa@sadf.com> wrote in message
news:OY_ie.12569$yx.10846@fe08.lga...
| thank you all for awesome replies. However do you have any idea why would
| mcafee with the latest definitions not be able to detect the problem?
| Will scanning with norton, kaspersky would be more successful?
|
|
| "PA Bear" <PABearMVP@gmail.com> wrote in message
| news:OvkhH8CXFHA.2980@TK2MSFTNGP10.phx.gbl...
| > W32/Oscarbot & variants (which are multiplying exponentially)
| > http://www.google.com/search?hl=en&q=oscarbot
| >
| > For a sample of what you're in for, see "Oscarbot The Grouch" at
| > http://aumha.org/elist.cgi
| >
| > Checking for/Help with Hijackware & (Trojans like Oscarbot)
| > http://aumha.org/a/parasite.htm
| > http://aumha.org/a/quickfix.htm
| > http://aumha.net/viewtopic.php?t=5878
| > http://mvps.org/winhelp2002/unwanted.htm
| > http://inetexplorer.mvps.org/data/prevention.htm
| > http://inetexplorer.mvps.org/data/tshoot.htm
| > http://www.mvps.org/sramesh2k/Malware_Defence.htm
| > http://defendingyourmachine.blogspot.com/
| >
| > Meanwhile, forbid the use of AIM on *any* machine. Keep seeking and
| > installing McAfee updates (i.e., several times a day) and scanning.
| > --
| > ~Robear Dyer (PA Bear)
| > MS MVP-Windows (IE/OE) & Security
| >
| >
| >
| >
| > asdf wrote:
| > > people on our network seem to be affected with a weird security problem.
| > > Their
| > > AIM's are sending out random messages to their buddies. Scanned entire
| > > network
| > > with Mcafee and all the spyware removers. All the critical updats are
| > > installed.
| > > Also tried upgrading to the latest version of AIM but that didnt help.
| > > THey dont have firewall on their network just ACLs on their router.
| > > Any other ideas on how to approach this problem
| >
|
|

PA Bear
07-09-2005, 11:51 PM
The filenames which Oscarbot & variants drop are constantly morphing. At
this point, AV and anti-malware teams can't keep up with them all so no,
scanning with other AVs isn't likely to offer better results (but YMMV).
See the "Oscarbot The Grouch" story I linked to earlier.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security

asdf wrote:
> thank you all for awesome replies. However do you have any idea why would
> mcafee with the latest definitions not be able to detect the problem?
> Will scanning with norton, kaspersky would be more successful?
>
>
> "PA Bear" <PABearMVP@gmail.com> wrote in message
> news:OvkhH8CXFHA.2980@TK2MSFTNGP10.phx.gbl...
>> W32/Oscarbot & variants (which are multiplying exponentially)
>> http://www.google.com/search?hl=en&q=oscarbot
>>
>> For a sample of what you're in for, see "Oscarbot The Grouch" at
>> http://aumha.org/elist.cgi
>>
>> Checking for/Help with Hijackware & (Trojans like Oscarbot)
>> http://aumha.org/a/parasite.htm
>> http://aumha.org/a/quickfix.htm
>> http://aumha.net/viewtopic.php?t=5878
>> http://mvps.org/winhelp2002/unwanted.htm
>> http://inetexplorer.mvps.org/data/prevention.htm
>> http://inetexplorer.mvps.org/data/tshoot.htm
>> http://www.mvps.org/sramesh2k/Malware_Defence.htm
>> http://defendingyourmachine.blogspot.com/
>>
>> Meanwhile, forbid the use of AIM on *any* machine. Keep seeking and
>> installing McAfee updates (i.e., several times a day) and scanning.
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-Windows (IE/OE) & Security
>>
>>
>>
>>
>> asdf wrote:
>>> people on our network seem to be affected with a weird security problem.
>>> Their
>>> AIM's are sending out random messages to their buddies. Scanned entire
>>> network
>>> with Mcafee and all the spyware removers. All the critical updats are
>>> installed.
>>> Also tried upgrading to the latest version of AIM but that didnt help.
>>> THey dont have firewall on their network just ACLs on their router.
>>> Any other ideas on how to approach this problem

Lord Loki
07-09-2005, 11:51 PM
Something like this just happened to me too....
I deleted AIM >.>
and ANOTHER AIM.exe in my program files, though when i deleted THAT one aim
still worked O.o
then i reinstalled AIM... and.... then some other things happened, so i
uninstalled it again
now i'm freaked out by what DID happen
for one, the second i foolishly clicked that link and discovered it was NOT
a link *mad*, i scanned my comp, both with Norton, totally updated, and with
Trendmicro (online one), also with Adaware, and Spykiller, NOTHING FOUND IT,
NOTHING.
I hoped it might be gone... but i doubt it, when i went to open my paint
shop pro program, an installing screen appeared, the kind that appears when
you don't have the program, but the icon... I don't know WHY that happened,
but psp8 WAS there earlier that day. then i decided to relax and play a
game...
I opened up FFXI... the same screen appeared, i freaked and closed it, the
game still came up however and i can still play it, even though it tries to
install it each time... >.<
I kinda... freaked out... and asked alotta ppl what to do, i've scanned
multiple times with norton and others and i can't find it, but i know it's
there... so i tried to do a system restore, (my own idea, didn't know if it'd
help or not) but... IT WON'T LET ME! i tried several times... it'd come outta
the black screen saying it failed... that REALLY freaked me out
so i asked some more ppl, everyone's talking about me reinstalling windows....
one person told me to try to scan norton through safe mode, so i go into
safe mode, and try to scan norton, NORTON DOESN'T OPEN, it pops up with the
screen when a program freezes... i've tried a few times, both norton
anti-virus and norton internet security, neither opens...

when the computer came to under normal turning on, the scariest thing
happened... an install window for WINDOWS appeared... i don't know wtf that
means, since i canceled it and windows is working FINE ('cept for the missing
program and the strange install windows, and i don't think i can dl large
files <-- probably not same prob)
i let the install window go until it asked for a CD (or at least when it
SHOULD ask for cd), and a notice popped up saying Norton internet Security
2005 doesn't allow windows *something* something or other... (i'm pretty sure
it said something about um... like windows self-fix? something like that, i
forgot....)

also, one time, shortly after i rebooted the first time that day, norton
popped up in corner saying it blocked a hack attack... yet i've scanned my
comp for trojans and worms along with viruses spyware and adware that day,
and i didn't find a SINGLE trojan (normally i have a lot... but i deleted ALL
my cookies that day)

think it's the same virus? and if so, you think that link'll work, even
though i deleted AIM???
sorry for posting my prob an' not helping yours XD i jus' don't wanna create
another thread when the problem's here.....

oh yeah, aim did send out the messages the second i contracted this "virus"
to everyone online on my list, i told them all not to click, and it did it
again about an hour or two later.. >.< my message i got mine with said "Please
look at my /pictures/" (pictures being the hyperlink) >.<
thank you if you can help, and thank you for reading this anyways even if
you can't help XD

"PA Bear" wrote:

> The filenames which Oscarbot & variants drop are constantly morphing. At
> this point, AV and anti-malware teams can't keep up with them all so no,
> scanning with other AVs aren't likely to offer better results (but YMMV).
> See the "Oscarbot The Grouch" story I linked to earlier.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE/OE) & Security
>
> asdf wrote:
> > thank you all for awesome replies. However do you have any idea why would
> > mcafee with the latest definitions not be able to detect the problem?
> > Will scanning with norton, kaspersky would be more successful?
> >
> >
> > "PA Bear" <PABearMVP@gmail.com> wrote in message
> > news:OvkhH8CXFHA.2980@TK2MSFTNGP10.phx.gbl...
> >> W32/Oscarbot & variants (which are multiplying exponentially)
> >> http://www.google.com/search?hl=en&q=oscarbot
> >>
> >> For a sample of what you're in for, see "Oscarbot The Grouch" at
> >> http://aumha.org/elist.cgi
> >>
> >> Checking for/Help with Hijackware & (Trojans like Oscarbot)
> >> http://aumha.org/a/parasite.htm
> >> http://aumha.org/a/quickfix.htm
> >> http://aumha.net/viewtopic.php?t=5878
> >> http://mvps.org/winhelp2002/unwanted.htm
> >> http://inetexplorer.mvps.org/data/prevention.htm
> >> http://inetexplorer.mvps.org/data/tshoot.htm
> >> http://www.mvps.org/sramesh2k/Malware_Defence.htm
> >> http://defendingyourmachine.blogspot.com/
> >>
> >> Meanwhile, forbid the use of AIM on *any* machine. Keep seeking and
> >> installing McAfee updates (i.e., several times a day) and scanning.
> >> --
> >> ~Robear Dyer (PA Bear)
> >> MS MVP-Windows (IE/OE) & Security
> >>
> >>
> >>
> >>
> >> asdf wrote:
> >>> people on our network seem to be affected with a weird security problem.
> >>> Their
> >>> AIM's are sending out random messages to their buddies. Scanned entire
> >>> network
> >>> with Mcafee and all the spyware removers. All the critical updats are
> >>> installed.
> >>> Also tried upgrading to the latest version of AIM but that didnt help.
> >>> THey dont have firewall on their network just ACLs on their router.
> >>> Any other ideas on how to approach this problem
>
>

asdf
07-09-2005, 11:51 PM
yes you were right it was the opanki worm.
new mcafee dats detected it

"Tom Pepper Willett" <tompepper@mvps.org> wrote in message
news:eyK25oGXFHA.3280@TK2MSFTNGP09.phx.gbl...
> Maybe McAfee doesn't have it in their defs at this time.
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
>
> "asdf" <dfsa@sadf.com> wrote in message
> news:OY_ie.12569$yx.10846@fe08.lga...
> | thank you all for awesome replies. However do you have any idea why would
> | mcafee with the latest definitions not be able to detect the problem?
> | Will scanning with norton, kaspersky would be more successful?
> |
> |
> | "PA Bear" <PABearMVP@gmail.com> wrote in message
> | news:OvkhH8CXFHA.2980@TK2MSFTNGP10.phx.gbl...
> | > W32/Oscarbot & variants (which are multiplying exponentially)
> | > http://www.google.com/search?hl=en&q=oscarbot
> | >
> | > For a sample of what you're in for, see "Oscarbot The Grouch" at
> | > http://aumha.org/elist.cgi
> | >
> | > Checking for/Help with Hijackware & (Trojans like Oscarbot)
> | > http://aumha.org/a/parasite.htm
> | > http://aumha.org/a/quickfix.htm
> | > http://aumha.net/viewtopic.php?t=5878
> | > http://mvps.org/winhelp2002/unwanted.htm
> | > http://inetexplorer.mvps.org/data/prevention.htm
> | > http://inetexplorer.mvps.org/data/tshoot.htm
> | > http://www.mvps.org/sramesh2k/Malware_Defence.htm
> | > http://defendingyourmachine.blogspot.com/
> | >
> | > Meanwhile, forbid the use of AIM on *any* machine. Keep seeking and
> | > installing McAfee updates (i.e., several times a day) and scanning.
> | > --
> | > ~Robear Dyer (PA Bear)
> | > MS MVP-Windows (IE/OE) & Security
> | >
> | >
> | >
> | >
> | > asdf wrote:
> | > > people on our network seem to be affected with a weird security problem.
> | > > Their
> | > > AIM's are sending out random messages to their buddies. Scanned entire
> | > > network
> | > > with Mcafee and all the spyware removers. All the critical updats are
> | > > installed.
> | > > Also tried upgrading to the latest version of AIM but that didnt help.
> | > > THey dont have firewall on their network just ACLs on their router.
> | > > Any other ideas on how to approach this problem
> | >
> |
> |
>
>

Lord Loki
07-09-2005, 11:51 PM
well.... I came back from dinner today and norton had a large message for me
saying (memorized it)
VIRUS FOUND:
object: C:\im.exe
virus: W32.Allim

i went to the C drive, scanned the im file to be sure, it said it was an
unrepairable virus, i quarantined, then deleted.... it's gone forever now
right? and...... you think that is THE virus that was causing the strange
happenings? O.o ^^

PA Bear
07-09-2005, 11:52 PM
Well, yes, that could be /your/ Trojan...

Symantec Security Response - W32.Allim.A:
http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html

This one displays a message "hey check out _this_!" where "this!" is a link
to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php. A
recipient must click on the link, download a file, and then execute the file
which then installs a W32.Spybot.Worm
variant(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).

But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).

From another post in this thread:

Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html

Here, the message is "check this out, is that you?", where "this" is a
configured link that will download a copy of the worm if a user clicks on
it.

To be safe, I'd manually install virus definition updates via Intelligent
Updater (http://securityresponse.symantec.com/avcenter/download.html) and
then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).

Note that NAV users who rely on LiveUpdate won't get definitions which
include W32.Opanki until 25 May, according to the page!!!

Let us know how you make out.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security


Lord Loki wrote:
> well.... I came back from dinner today and norton had a large message for
> me
> saying (memorized it)
> VIRUS FOUND:
> object: C:\im.exe
> virus: W32.Allim
>
> i went to the C drive, scanned the im file to be sure, it said it was an
> unreparable virus, i quarenteened, then deleted.... its gone forever now
> right? and...... you think that is THE virus that was causeing the strange
> happenings? O.o ^^

Lord Loki
07-09-2005, 11:52 PM
I deleted it... however... i don't think it's that... >.< even though it does
sound right (i read the Symantec thing before i deleted...) because whenever
i turn on the comp it still tries to "install" something... otherwise
everything's fine... i think...

by manually updating... you mean going to the site and manually downloading,
or going into norton using live update, but don't just let live update wait
for a few weeks to do it itself? (NAV users?)

also... this morning, we found a virus on the home computer, this was a
bloodhound... do you think my virus would cause that to get through the
network into the home comp, or that it's unrelated?

lastly... how do you run a system scan in safe mode? i tried... and i
couldn't even open norton >.<
every time i tried it froze.... >.< and went to "send error report?"
would a virus cause that (or hacker), or would that just be me, somehow
screwing things up?

Thanks for your help

"PA Bear" wrote:

> Well, yes, that could be /your/ Trojan...
>
> Symantec Security Response - W32.Allim.A:
> http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
>
> This one displays a message "hey check out _this_!" where "this!" is a link
> to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php. A
> recipient must click on the link, download a file, and then execute the file
> which then installs a W32.Spybot.Worm
> variant(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
>
> But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).
>
> From another post in this thread:
>
> Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
>
> Here, the message is "check this out, is that you?", where "this" is a
> configured link that will download a copy of the worm if a user clicks on
> it.
>
> To be safe, I'd manually install virus definition updates via Intelligent
> Updater (http://securityresponse.symantec.com/avcenter/download.html) and
> then run a full system scan in Safe Mode
> (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
>
> Note that NAV users who rely on LiveUpdate won't get definitions which
> include W32.Opanki until 25 May, according to the page!!!
>
> Let us know how you make out.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE/OE) & Security
>
>
> Lord Loki wrote:
> > well.... I came back from dinner today and norton had a large message for
> > me
> > saying (memorized it)
> > VIRUS FOUND:
> > object: C:\im.exe
> > virus: W32.Allim
> >
> > i went to the C drive, scanned the im file to be sure, it said it was an
> > unreparable virus, i quarenteened, then deleted.... its gone forever now
> > right? and...... you think that is THE virus that was causeing the strange
> > happenings? O.o ^^
>
>

PA Bear
07-09-2005, 11:52 PM
Lord Loki wrote:
> I delted it... however... i dont think its that... >.< even though it does
> sound right (i read the symantic thing before i deleted...) because when
> ever i turn on the comp it still tries to "install" something... otherwise
> everythings fine... i think...

Not surprising.

> by manually updating... you mean going to the site and manually
> downloading,
> or going into norton using live update, but dont just let live update wait
> for a few weeks to do it itself? (NAV users?)

Yes, manually seek and install updated definitions. See Intelligent Updater
section here: http://securityresponse.symantec.com/avcenter/download.html
(posted earlier, too).

> also... this morning, we found a virus on the home computer, this was a
> bloodhound... do you think my virus would cause that to get through the
> network into the home comp, or that its unrelated?

There are literally /hundreds/ of Bloodhound variants and, yes, most likely
"your" Bloodhound was "dropped" by the Trojan.

> lastly... how do you run a system scan in safe mode? i tried... and i
> couldnt even open norton >.<
> every time i tried it froze.... >.< and went to "send error report?"
> would a virus cause that (or hacker), or would that just be me, somehow
> screwing things up?

Again, see instructions on this page for booting to Safe Mode:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

It would be highly unusual for NAV not to work in Safe Mode but [stuff]
happens.

> Thanks for your help

YW. Let us know how you make out. Note that it might take several updates
and scans over several days in the coming week or so for NAV to be able to
find and remove everything.

You might follow the QuickFix protocol here http://aumha.org/a/quickfix.htm,
then scan your system with HijackThis (don't let the name scare you) and
post your log to an appropriate forum. Do not post your log here, please.
--
~PA Bear

> "PA Bear" wrote:
>> Well, yes, that could be /your/ Trojan...
>>
>> Symantec Security Response - W32.Allim.A:
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
>>
>> This one displays a message "hey check out _this_!" where "this!" is a
>> link
>> to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php. A
>> recipient must click on the link, download a file, and then execute the
>> file which then installs a W32.Spybot.Worm
>> variant(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
>>
>> But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).
>>
>> From another post in this thread:
>>
>> Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
>>
>> Here, the message is "check this out, is that you?", where "this" is a
>> configured link that will download a copy of the worm if a user clicks on
>> it.
>>
>> To be safe, I'd manually install virus definition updates via Intelligent
>> Updater (http://securityresponse.symantec.com/avcenter/download.html) and
>> then run a full system scan in Safe Mode
>> (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
>>
>> Note that NAV users who rely on LiveUpdate won't get definitions which
>> include W32.Opanki until 25 May, according to the page!!!
>>
>> Let us know how you make out.
>> --
>> Lord Loki wrote:
>>> well.... I came back from dinner today and norton had a large message
>>> for
>>> me
>>> saying (memorized it)
>>> VIRUS FOUND:
>>> object: C:\im.exe
>>> virus: W32.Allim
>>>
>>> i went to the C drive, scanned the im file to be sure, it said it was an
>>> unreparable virus, i quarenteened, then deleted.... its gone forever now
>>> right? and...... you think that is THE virus that was causeing the
>>> strange
>>> happenings? O.o ^^

Jim Carlock
07-09-2005, 11:52 PM
FWIW there is software out there that is NOT considered a virus but
is used to open a PC up for "folks" to access it anytime "they" want.

There is some FTP server software. Virus scanners will never catch it,
but a good firewall should catch it and present a message that something
is trying to open up a certain port (Serv-U ?).

So if something opened up the system, "the attackers" commonly put a
non-viral backdoor in place that will never be detected by virus scanners.

--
Jim Carlock
Please post replies to newsgroup.

"PA Bear" <PABearMVP@gmail.com> wrote:
Lord Loki wrote:
> I delted it... however... i dont think its that... >.< even though it does
> sound right (i read the symantic thing before i deleted...) because when
> ever i turn on the comp it still tries to "install" something... otherwise
> everythings fine... i think...

Not surprising.

> by manually updating... you mean going to the site and manually
> downloading,
> or going into norton using live update, but dont just let live update wait
> for a few weeks to do it itself? (NAV users?)

Yes, manually seek and install updated definitions. See Intelligent Updater
section here: http://securityresponse.symantec.com/avcenter/download.html
(posted earlier, too).

> also... this morning, we found a virus on the home computer, this was a
> bloodhound... do you think my virus would cause that to get through the
> network into the home comp, or that its unrelated?

There are literally /hundreds/ of Bloodhound variants and, yes, most likely
"your" Bloodhound was "dropped" by the Trojan.

> lastly... how do you run a system scan in safe mode? i tried... and i
> couldnt even open norton >.<
> every time i tried it froze.... >.< and went to "send error report?"
> would a virus cause that (or hacker), or would that just be me, somehow
> screwing things up?

Again, see instructions on this page for booting to Safe Mode:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

It would be highly unusual for NAV not to work in Safe Mode but [stuff]
happens.

> Thanks for your help

YW. Let us know how you make out. Note that it might take several updates
and scans over several days in the coming week or so for NAV to be able to
find and remove everything.

You might follow the QuickFix protocol here http://aumha.org/a/quickfix.htm,
then scan your system with HijackThis (don't let the name scare you) and
post your log to an appropriate forum. Do not post your log here, please.
--
~PA Bear

> "PA Bear" wrote:
>> Well, yes, that could be /your/ Trojan...
>>
>> Symantec Security Response - W32.Allim.A:
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
>>
>> This one displays a message "hey check out _this_!" where "this!" is a
>> link
>> to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php. A
>> recipient must click on the link, download a file, and then execute the
>> file which then installs a W32.Spybot.Worm
>> variant(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
>>
>> But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).
>>
>> From another post in this thread:
>>
>> Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
>>
>> Here, the message is "check this out, is that you?", where "this" is a
>> configured link that will download a copy of the worm if a user clicks on
>> it.
>>
>> To be safe, I'd manually install virus definition updates via Intelligent
>> Updater (http://securityresponse.symantec.com/avcenter/download.html) and
>> then run a full system scan in Safe Mode
>> (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
>>
>> Note that NAV users who rely on LiveUpdate won't get definitions which
>> include W32.Opanki until 25 May, according to the page!!!
>>
>> Let us know how you make out.
>> --
>> Lord Loki wrote:
>>> well.... I came back from dinner today and norton had a large message
>>> for
>>> me
>>> saying (memorized it)
>>> VIRUS FOUND:
>>> object: C:\im.exe
>>> virus: W32.Allim
>>>
>>> i went to the C drive, scanned the im file to be sure, it said it was an
>>> unreparable virus, i quarenteened, then deleted.... its gone forever now
>>> right? and...... you think that is THE virus that was causeing the
>>> strange
>>> happenings? O.o ^^
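
Jim Carlock's point above is that a legitimate FTP server installed as a backdoor shows up as a new listening port rather than as an antivirus detection. The following is an added example, not part of the thread: it parses `netstat -ano`-style output and reports listeners that are absent from a known-good baseline. The sample output, the baseline and all function names are constructed for illustration.

```python
"""Flag listening sockets that are missing from a known-good baseline."""
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    pid: int


# Constructed sample in the layout printed by `netstat -ano` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2288
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1052      203.0.113.7:5190       ESTABLISHED     1740
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1500
  TCP    [::]:43958             [::]:0                 LISTENING       2288
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1100
"""

# Constructed baseline: (protocol, port) pairs recorded on a clean build.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445),
            ("UDP", 445), ("UDP", 1900)}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(text):
    """Return every TCP LISTENING socket and every bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if fields[0] == "TCP":
            # TCP rows: proto, local, foreign, state, pid
            if len(fields) != 5 or fields[3] != "LISTENING":
                continue
            local, pid = fields[1], fields[4]
        else:
            # UDP rows have no state column: proto, local, foreign, pid
            if len(fields) != 4:
                continue
            local, pid = fields[1], fields[3]
        # rpartition keeps bracketed IPv6 addresses such as [::] intact
        address, _, port = local.rpartition(":")
        if not (port.isdigit() and pid.isdigit()):
            continue
        listeners.append(Listener(fields[0], address, int(port), int(pid)))
    return listeners


def unexpected_listeners(text, baseline, include_loopback=False):
    """Listeners whose (proto, port) is not in the baseline.

    Loopback-only listeners are skipped by default because they are
    not reachable from the network.
    """
    found = []
    for item in parse_listeners(text):
        if not include_loopback and item.address in LOOPBACK:
            continue
        if (item.proto, item.port) not in baseline:
            found.append(item)
    return found


def group_by_pid(listeners):
    """Map each owning PID to its sorted list of unexpected ports."""
    grouped = {}
    for item in listeners:
        grouped.setdefault(item.pid, []).append(item.port)
    return {pid: sorted(set(ports)) for pid, ports in grouped.items()}


if __name__ == "__main__":
    for pid, ports in group_by_pid(
            unexpected_listeners(SAMPLE_NETSTAT, BASELINE)).items():
        print(f"PID {pid} is listening on unexpected ports: {ports}")
```

The PID in the result is the starting point for identifying the owning executable; a listener that is not in the baseline is a lead to investigate, not proof of compromise.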

Lord Loki
07-09-2005, 11:52 PM
Ok, I retried to scan my computer in safe mode (this time using the msconfig
method...) and norton still won't open >.<

I downloaded the latest virus definitions for Intelligent Updater... however
when i go to install them it says i cannot, and that it's expired...

"Your virus protection cannot be updated.
Your subscription as expired. You must renew your subscription to continue
using Intellegent Updater. Run LiveUpdate from Norton AntiVirus to renew your
subscription and then run Intellegent Updater again."

i ran live update again, just to be sure, it's fully updated, tried
installing again and got the same message... i JUST bought norton a few
months ago it's definitely not expired... is live update something i have to
pay for myself? (darn... more and more problems keep on coming...)

i'm not so sure i'm ready for the HijackThis thing... with my luck i'd
accidentally delete something very important...

also... i deleted aim, but aim was no longer connected to the virus once it
got in right? so if i reinstalled it, it'd be ok... because the one virus i
did delete was most likely THE aim virus? (since it gets passed through aim,
and that's what it does...) so i could reinstall aim? or should i wait longer?

Jim, you think it's a trojan and i'm being hacked? or at least my computer is
being used for whatever?

what kind of "non-viral backdoor" something OTHER than spyware, adware,
trojans, worms, and viruses (obviously)??? what else is there....?

yet again, thank you both for your assistance ^^

"Jim Carlock" wrote:

> FWIW there is software out there that is NOT considered virus but
> is used to open a PC up for "folks" to access it anytime "they" want.
>
> There is some FTP server software. Virus scanners will never catch it,
> but a good firewall should catch it and present a message that something
> is trying to open up a certain port (Serv-U ?).
>
> So if something opened up the system, "the attackers" commonly put a
> non-viral backdoor in place that will never be detected by virus scanners.
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
> "PA Bear" <PABearMVP@gmail.com> wrote:
> Lord Loki wrote:
> > I delted it... however... i dont think its that... >.< even though it does
> > sound right (i read the symantic thing before i deleted...) because when
> > ever i turn on the comp it still tries to "install" something... otherwise
> > everythings fine... i think...
>
> Not surprising.
>
> > by manually updating... you mean going to the site and manually
> > downloading,
> > or going into norton using live update, but dont just let live update wait
> > for a few weeks to do it itself? (NAV users?)
>
> Yes, manually seek and install updated definitions. See Intelligent Updater
> section here: http://securityresponse.symantec.com/avcenter/download.html
> (posted earlier, too).
>
> > also... this morning, we found a virus on the home computer, this was a
> > bloodhound... do you think my virus would cause that to get through the
> > network into the home comp, or that its unrelated?
>
> There are literally /hundreds/ of Bloodhound variants and, yes, most likely
> "your" Bloodhound was "dropped" by the Trojan.
>
> > lastly... how do you run a system scan in safe mode? i tried... and i
> > couldnt even open norton >.<
> > every time i tried it froze.... >.< and went to "send error report?"
> > would a virus cause that (or hacker), or would that just be me, somehow
> > screwing things up?
>
> Again, see instructions on this page for booting to Safe Mode:
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>
> It would be highly unusual for NAV not to work in Safe Mode but [stuff]
> happens.
>
> > Thanks for your help
>
> YW. Let us know how you make out. Note that it might take several updates
> and scans over several days in the coming week or so for NAV to be able to
> find and remove everything.
>
> You might follow the QuickFix protocol here http://aumha.org/a/quickfix.htm,
> then scan your system with HijackThis (don't let the name scare you) and
> post your log to an appropriate forum. Do not post your log here, please.
> --
> ~PA Bear
>
> > "PA Bear" wrote:
> >> Well, yes, that could be /your/ Trojan...
> >>
> >> Symantec Security Response - W32.Allim.A:
> >> http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
> >>
> >> This one displays a message "hey check out _this_!" where "this!" is a
> >> link
> >> to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php. A
> >> recipient must click on the link, download a file, and then execute the
> >> file which then installs a W32.Spybot.Worm
> >> variant(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
> >>
> >> But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).
> >>
> >> From another post in this thread:
> >>
> >> Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
> >> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
> >>
> >> Here, the message is "check this out, is that you?", where "this" is a
> >> configured link that will download a copy of the worm if a user clicks on
> >> it.
> >>
> >> To be safe, I'd manually install virus definition updates via Intelligent
> >> Updater (http://securityresponse.symantec.com/avcenter/download.html) and
> >> then run a full system scan in Safe Mode
> >> (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
> >>
> >> Note that NAV users who rely on LiveUpdate won't get definitions which
> >> include W32.Opanki until 25 May, according to the page!!!
> >>
> >> Let us know how you make out.
> >> --
> >> Lord Loki wrote:
> >>> well.... I came back from dinner today and norton had a large message
> >>> for
> >>> me
> >>> saying (memorized it)
> >>> VIRUS FOUND:
> >>> object: C:\im.exe
> >>> virus: W32.Allim
> >>>
> >>> i went to the C drive, scanned the im file to be sure, it said it was an
> >>> unreparable virus, i quarenteened, then deleted.... its gone forever now
> >>> right? and...... you think that is THE virus that was causeing the
> >>> strange
> >>> happenings? O.o ^^
>
>
>

Jim Carlock
07-09-2005, 11:52 PM
"Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
> Jim, you think its a trojan and i'm being hacked? or atleast my computer
> is being used for whatever?

Well, this is what I'd do:

1) Search the computer for files with dates later than the current date. If
you find a .dll in the windows\system32 or windows\system folder dated
later than today, then you've definitely been hacked. Hackers sometimes
future-date files, trying to prevent Microsoft updates from taking effect.

2) Let us know if you find any suspiciously dated files or folders.

3) Check to see if there are some files that you do not recognize. Maybe
all of them are unrecognized <g>. That'll help the folks here by letting
them know your current skill set.

4) Visit http://housecall.trendmicro.com/ and use their online antivirus
scan to scan your system. They seem to have beta software for new
antivirus software... Their online scan does a pretty good job.

5) Download ZoneAlarm from www.zonelabs.com. If you are having
problems installing ZoneAlarm, delete the folder where it's installed...
maybe C:\Program Files\ZoneLabs, and then try reinstalling it again.
If it fails again, download a new copy from ZoneLabs, then open a
DOS prompt to the folder where the two downloads are and type in:
fc /b <filename1> <filename2>
where filename1 is the name of the first download and filename2 is
the name of the second download. If the DOS fc (file compare)
command indicates the files are different, then you'll need to clear
your browser cache (Internet Explorer or FireFox cache) and
download the file again. Do the file compare to detect which two
copies are identical. This lets you know that your downloads are
valid and non-corrupted.

I'll stop there for the moment. ZoneAlarm used to make a really
nice firewall but in 2000 they seemed to have gone overboard
and I've lost interest in their firewall products myself. Maybe
someone else will know and provide an honest opinion of their
current software. I like the 1998/1999 versions of their software.

> what kind of "non-viral backdoor" something OTHER than spywar,
> adware, trojans, worms, and viruses (obviously)??? what else is
> there....?

Serv-U, other FTP server software. You can press CTRL+ALT+DEL
and open the task manager. Provide us with a list of processes running
on your system.

Also let us know if you have NTFS installed.
1) Open "My Computer"
2) Right-click on a hard disk drive and let us know if there is a Security
tab.

--
Jim Carlock
Please post replies to newsgroup.
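
The timestamp search from step 1 and the download comparison from step 5 of the post above, as an added PowerShell example that is not part of the original thread; the function names `Find-FutureDatedFile` and `Compare-Download` and the demo files are hypothetical. It checks the created, modified and accessed times together, and uses SHA-256 hashes in place of `fc /b`.

```powershell
# Added example, not from the thread. Function names and the demo files are
# constructed for illustration.

function Find-FutureDatedFile {
    # Reports files whose created, modified or accessed time is later than now.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Extension = @('.dll', '.exe', '.sys'),
        # Small allowance for clock drift before a timestamp counts as "future".
        [timespan] $Tolerance = [timespan]::FromMinutes(10),
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now + $Tolerance
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file = $_
            # Check all three timestamps; any one of them can be set by hand.
            $future = @(foreach ($name in 'CreationTime', 'LastWriteTime', 'LastAccessTime') {
                if ($file.$name -gt $cutoff) { $name }
            })
            if ($future.Count -gt 0) {
                [pscustomobject]@{
                    Path           = $file.FullName
                    FutureFields   = $future -join ', '
                    CreationTime   = $file.CreationTime
                    LastWriteTime  = $file.LastWriteTime
                    LastAccessTime = $file.LastAccessTime
                }
            }
        }
}

function Compare-Download {
    # Yes/no counterpart of "fc /b": are the two files byte-identical?
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $First,
        [Parameter(Mandatory)] [string] $Second
    )
    $a = Get-Item -LiteralPath $First -ErrorAction Stop
    $b = Get-Item -LiteralPath $Second -ErrorAction Stop
    if ($a.Length -ne $b.Length) { return $false }   # different sizes cannot match
    $hashA = (Get-FileHash -LiteralPath $First  -Algorithm SHA256).Hash
    $hashB = (Get-FileHash -LiteralPath $Second -Algorithm SHA256).Hash
    return ($hashA -eq $hashB)
}

# --- Demo on constructed files in a temporary folder ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ('future-date-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    $normal = Join-Path $demo 'normal.dll'
    $odd    = Join-Path $demo 'odd.dll'
    $other  = Join-Path $demo 'changed.dll'
    Set-Content -LiteralPath $normal -Value 'constructed sample bytes'
    Set-Content -LiteralPath $odd    -Value 'constructed sample bytes'
    Set-Content -LiteralPath $other  -Value 'constructed sample bytez'
    # Give one file a modified time two years ahead of the clock.
    (Get-Item -LiteralPath $odd).LastWriteTime = (Get-Date).AddYears(2)

    Find-FutureDatedFile -Path $demo | Format-List      # scan the demo folder
    Compare-Download -First $normal -Second $odd        # same content, different dates
    Compare-Download -First $normal -Second $other      # same size, one byte differs
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

On a live system, point `-Path` at the Windows system folders named in the post, for example `$env:SystemRoot\System32`. Matching hashes show only that both downloads contain the same bytes.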


PA Bear
07-09-2005, 11:52 PM
First things first: Contact Symantec about your subscription.

Symantec Support:
http://www.symantec.com/techsupp/index.html

I see a Subscription Troubleshooter on the above page, LL. Using it will
require accepting a cookie and probably installing an ActiveX control.
YMMV.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security

Lord Loki wrote:
> Ok, I retried to scan my computer in safe mode (this time using the
> msconfig
> method...) and norton still wont open >.<
>
> I downloaded the latest virus definations for intellegent updator...
> however
> when i go to install them it says i cannot, and that its expired...
>
> "Your virus protection cannot be updated.
> Your subscription as expired. You must renew your subscription to continue
> using Intellegent Updater. Run LiveUpdate from Norton AntiVirus to renew
> your subscription and then run Intellegent Updater again."
>
> i ran live update again, just to be sure, its fully updated, tried
> installing again and got the same message... i JUST bought norton a few
> months ago its definatly not expired... is live update something i have to
> pay for myself? (darn... more and more problems keep on coming...)
>
> i'm not so sure i'm ready for the HijackThis thing... with my luck i'd
> accidently delete something very important...
>
> also... i deleted aim, but aim was no longer connected to the virus once
> it
> got in right? so if i reinstalled it, it'd be ok... because the one virus
> i
> did delete was most likely THE aim virus? (since it gets passed through
> aim,
> and thats what it does...) so i could reinstall aim? or should i wait
> longer?
>
> Jim, you think its a trojan and i'm being hacked? or atleast my computer
> is
> being used for whatever?
>
> what kind of "non-viral backdoor" something OTHER than spywar, adware,
> trojans, worms, and viruses (obviously)??? what else is there....?
>
> yet again, thank you both for your assistance ^^
>
> "Jim Carlock" wrote:
>
>> FWIW there is software out there that is NOT considered virus but
>> is used to open a PC up for "folks" to access it anytime "they" want.
>>
>> There is some FTP server software. Virus scanners will never catch it,
>> but a good firewall should catch it and present a message that something
>> is trying to open up a certain port (Serv-U ?).
>>
>> So if something opened up the system, "the attackers" commonly put a
>> non-viral backdoor in place that will never be detected by virus
>> scanners.
>>
>> --
>> Jim Carlock
>> Please post replies to newsgroup.
>>
>> "PA Bear" <PABearMVP@gmail.com> wrote:
>> Lord Loki wrote:
>>> I delted it... however... i dont think its that... >.< even though it
>>> does
>>> sound right (i read the symantic thing before i deleted...) because when
>>> ever i turn on the comp it still tries to "install" something...
>>> otherwise
>>> everythings fine... i think...
>>
>> Not surprising.
>>
>>> by manually updating... you mean going to the site and manually
>>> downloading,
>>> or going into norton using live update, but dont just let live update
>>> wait
>>> for a few weeks to do it itself? (NAV users?)
>>
>> Yes, manually seek and install updated definitions. See Intelligent
>> Updater section here:
>> http://securityresponse.symantec.com/avcenter/download.html (posted
>> earlier, too).
>>
>>> also... this morning, we found a virus on the home computer, this was a
>>> bloodhound... do you think my virus would cause that to get through the
>>> network into the home comp, or that its unrelated?
>>
>> There are literally /hundreds/ of Bloodhound variants and, yes, most
>> likely
>> "your" Bloodhound was "dropped" by the Trojan.
>>
>>> lastly... how do you run a system scan in safe mode? i tried... and i
>>> couldnt even open norton >.<
>>> every time i tried it froze.... >.< and went to "send error report?"
>>> would a virus cause that (or hacker), or would that just be me, somehow
>>> screwing things up?
>>
>> Again, see instructions on this page for booting to Safe Mode:
>> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>>
>> It would be highly unusual for NAV not to work in Safe Mode but [stuff]
>> happens.
>>
>>> Thanks for your help
>>
>> YW. Let us know how you make out. Note that it might take several
>> updates
>> and scans over several days in the coming week or so for NAV to be able
>> to
>> find and remove everything.
>>
>> You might follow the QuickFix protocol here
>> http://aumha.org/a/quickfix.htm, then scan your system with HijackThis
>> (don't let the name scare you) and post your log to an appropriate forum.
>> Do not post your log here, please. --
>> ~PA Bear
>>
>>> "PA Bear" wrote:
>>>> Well, yes, that could be /your/ Trojan...
>>>>
>>>> Symantec Security Response - W32.Allim.A:
>>>> http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
>>>>
>>>> This one displays a message "hey check out _this_!" where "this!" is a
>>>> link
>>>> to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php. A
>>>> recipient must click on the link, download a file, and then execute the
>>>> file which then installs a W32.Spybot.Worm
>>>> variant(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
>>>>
>>>> But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).
>>>>
>>>> From another post in this thread:
>>>>
>>>> Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
>>>> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
>>>>
>>>> Here, the message is "check this out, is that you?", where "this" is a
>>>> configured link that will download a copy of the worm if a user clicks
>>>> on
>>>> it.
>>>>
>>>> To be safe, I'd manually install virus definition updates via
>>>> Intelligent
>>>> Updater (http://securityresponse.symantec.com/avcenter/download.html)
>>>> and
>>>> then run a full system scan in Safe Mode
>>>> (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
>>>>
>>>> Note that NAV users who rely on LiveUpdate won't get definitions which
>>>> include W32.Opanki until 25 May, according to the page!!!
>>>>
>>>> Let us know how you make out.
>>>> --
>>>> Lord Loki wrote:
>>>>> well.... I came back from dinner today and norton had a large message
>>>>> for
>>>>> me
>>>>> saying (memorized it)
>>>>> VIRUS FOUND:
>>>>> object: C:\im.exe
>>>>> virus: W32.Allim
>>>>>
>>>>> i went to the C drive, scanned the im file to be sure, it said it was
>>>>> an
>>>>> unreparable virus, i quarenteened, then deleted.... its gone forever
>>>>> now
>>>>> right? and...... you think that is THE virus that was causeing the
>>>>> strange
>>>>> happenings? O.o ^^

Lord Loki
07-09-2005, 11:52 PM
ok... obviously, i only have mediocre knowledge of this stuff.... so before i
post everything that is going on in task manager... is that info i can freely
give out? none of that would permit a hacker (if he wanted) to hack or get in
right? none of that stuff that's always there and is part of my comp like
svchosts and stuff.... if i tell just anyone, and they WERE a hacker... they
couldn't hack with that knowledge right? because... i really don't know, and i
don't want to take chances

and yes... my skills suck i know that much...

also, i DID use trendmicro... the second i first knew i got the virus, and
it didn't even find a single trojan, normally it finds them... even worms, but
they're all probably from my IE cache since i deleted it then... so
trendmicro didn't help XD >.<

for the ZoneAlarm thing... you want me to install the firewall (that's what
it is right?) or do you want me to check to see if i can download properly??
because i've downloaded several other things and they've worked... just not a
program or anything... also.. if you DO want me to install it as a
firewall... is it really necessary? i really don't want to trust too much
stuff on the web... >.<


and lastly... about the searching thing... i'm searching now, but exactly
HOW do i search for things dated later than today?
i'm currently searching my comp for anything with the modified date between
tomorrow and 2010... but.... is that what you meant? or look for ALL .dll
files then look at the date (i'm gonna do that next anyways), and... want me
to look at modified date or created date, or accessed date, and any specific
file names to search for?

ok well before i posted this the scans ended, i didn't find anything with a
date later than an hour and a half ago today, and in the first scan
nothing... none of the ways i've tried found anything... what way do you
suggest?

i right clicked on the local disk, and i do not have a security tab...

ftp stuff >.< the only one i believe i've personally installed would be
anti-leech... about a year ago... and i'm not even positive if you could call
it an FTP... else i don't know of any... but that's not positive...

i'm sorry if i'm hard to work with ^^ i just REALLY don't like to install
stuff on my comp....


and to lengthen this post even more... PAB, you think it's an overall
subscription problem? everything else on norton works fine... and that's the
only thing that's ever mentioned being expired.... maybe it's possibly
something separate that i have to buy? (i went through the subscription
trouble shooter... didn't seem to find anything...)

"Jim Carlock" wrote:

> "Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
> > Jim, you think its a trojan and i'm being hacked? or atleast my computer
> > is being used for whatever?
>
> Well, this is what I'd do:
>
> 1) Search the computer for files with dates later than the current date. If
> you find a .dll in the windows\system32 or windows\system folder dated
> later than today, then you've definitely been hacked. Hackers sometimes
> future date files trying to prevent Microsoft updates from taking affect.
>
> 2) Let us know if you find any suspiciously dated files or folders.
>
> 3) Check to see if there are some files that do you not recognize. Maybe
> all of them are unrecognized <g>. That'll help the folks here by letting
> them know your current skill set.
>
> 4) Visit http://housecall.trendmicro.com/ and use their online antivirus
> scan to scan your system. They seem to have beta software for new
> antivirus software... Their online scan does a pretty good job.
>
> 5) Download ZoneAlarm from www.zonelabs.com. If you are having
> problems installing ZoneAlarm, delete the folder where it's installed...
> maybe C:\Program Files\ZoneLabs, and then try reinstalling it again.
> If it fails again. Download a new copy from ZoneLabs then open a
> DOS prompt to the folder where the two downloads are and type in:
> fc /b <filename1> <filename2>
> where filename1 is the name of the first download and filename2 is
> the name of the second download. If the DOS fc (file compare)
> command indicates the files are different, then you'll need to clear
> your browser cache (Internet Explorer or FireFox cache) and
> download the file again. Do the file compare to detect which two
> copies are identical. This lets you know that your downloads are
> valid and non-corrupted.
>
> I'll stop there for the moment. ZoneAlarm used to make a really
> nice firewall but in 2000 they seemed to have gone overboard
> and I've lost interest in their firewall products myself. Maybe
> someone else will know and provide an honest opinion of their
> current software. I like the 1998/1999 versions of their software.
>
> > what kind of "non-viral backdoor" something OTHER than spywar,
> > adware, trojans, worms, and viruses (obviously)??? what else is
> > there....?
>
> Serv-U, other FTP server software. You can press CTRL+ALT+DEL
> and open the task manager. Provide us with a list of processes running
> on your system.
>
> Also let us know if you have NTFS installed.
> 1) Open "My Computer"
> 2) Right-click on a hard disk drive and let us know if there is a Security
> tab.
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
> Ok, I retried to scan my computer in safe mode (this time using the msconfig
> method...) and norton still wont open >.<
>
> I downloaded the latest virus definations for intellegent updator... however
> when i go to install them it says i cannot, and that its expired...
>
> "Your virus protection cannot be updated.
> Your subscription as expired. You must renew your subscription to continue
> using Intellegent Updater. Run LiveUpdate from Norton AntiVirus to renew your
> subscription and then run Intellegent Updater again."
>
> i ran live update again, just to be sure, its fully updated, tried
> installing again and got the same message... i JUST bought norton a few
> months ago its definatly not expired... is live update something i have to
> pay for myself? (darn... more and more problems keep on coming...)
>
> i'm not so sure i'm ready for the HijackThis thing... with my luck i'd
> accidently delete something very important...
>
> also... i deleted aim, but aim was no longer connected to the virus once it
> got in right? so if i reinstalled it, it'd be ok... because the one virus i
> did delete was most likely THE aim virus? (since it gets passed through aim,
> and thats what it does...) so i could reinstall aim? or should i wait longer?
>
> Jim, you think its a trojan and i'm being hacked? or atleast my computer is
> being used for whatever?
>
> what kind of "non-viral backdoor" something OTHER than spywar, adware,
> trojans, worms, and viruses (obviously)??? what else is there....?
>
> yet again, thank you both for your assistance ^^
>
> "Jim Carlock" wrote:
>
> > FWIW there is software out there that is NOT considered virus but
> > is used to open a PC up for "folks" to access it anytime "they" want.
> >
> > There is some FTP server software. Virus scanners will never catch it,
> > but a good firewall should catch it and present a message that something
> > is trying to open up a certain port (Serv-U ?).
> >
> > So if something opened up the system, "the attackers" commonly put a
> > non-viral backdoor in place that will never be detected by virus scanners.
> >
> > --
> > Jim Carlock
> > Please post replies to newsgroup.
> >
> > "PA Bear" <PABearMVP@gmail.com> wrote:
> > Lord Loki wrote:
> > > I delted it... however... i dont think its that... >.< even though it does
> > > sound right (i read the symantic thing before i deleted...) because when
> > > ever i turn on the comp it still tries to "install" something... otherwise
> > > everythings fine... i think...
> >
> > Not surprising.
> >
> > > by manually updating... you mean going to the site and manually
> > > downloading,
> > > or going into norton using live update, but dont just let live update wait
> > > for a few weeks to do it itself? (NAV users?)
> >
> > Yes, manually seek and install updated definitions. See Intelligent Updater
> > section here: http://securityresponse.symantec.com/avcenter/download.html
> > (posted earlier, too).
> >
> > > also... this morning, we found a virus on the home computer, this was a
> > > bloodhound... do you think my virus would cause that to get through the
> > > network into the home comp, or that its unrelated?
> >
> > There are literally /hundreds/ of Bloodhound variants and, yes, most likely
> > "your" Bloodhound was "dropped" by the Trojan.
> >
> > > lastly... how do you run a system scan in safe mode? i tried... and i
> > > couldnt even open norton >.<
> > > every time i tried it froze.... >.< and went to "send error report?"
> > > would a virus cause that (or hacker), or would that just be me, somehow
> > > screwing things up?
> >
> > Again, see instructions on this page for booting to Safe Mode:
> > http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
> >
> > It would be highly unusual for NAV not to work in Safe Mode but [stuff]
> > happens.
> >
> > > Thanks for your help
> >
> > YW. Let us know how you make out. Note that it might take several updates
> > and scans over several days in the coming week or so for NAV to be able to
> > find and remove everything.
> >
> > You might follow the QuickFix protocol here http://aumha.org/a/quickfix.htm,
> > then scan your system with HijackThis (don't let the name scare you) and
> > post your log to an appropriate forum. Do not post your log here, please.
> > --
> > ~PA Bear
> >
> > > "PA Bear" wrote:
> > >> Well, yes, that could be /your/ Trojan...
> > >>
> > >> Symantec Security Response - W32.Allim.A:
> > >> http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
> > >>
> > >> This one displays a message "hey check out _this_!" where "this!" is a
> > >> link
> > >> to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php. A
> > >> recipient must click on the link, download a file, and then execute the
> > >> file which then installs a W32.Spybot.Worm
> > >> variant(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
> > >>
> > >> But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).
> > >>
> > >> From another post in this thread:
> > >>
> > >> Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
> > >> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
> > >>
> > >> Here, the message is "check this out, is that you?", where "this" is a
> > >> configured link that will download a copy of the worm if a user clicks on
> > >> it.
> > >>
> > >> To be safe, I'd manually install virus definition updates via Intelligent
> > >> Updater (http://securityresponse.symantec.com/avcenter/download.html) and
> > >> then run a full system scan in Safe Mode
> > >> (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
> > >>
> > >> Note that NAV users who rely on LiveUpdate won't get definitions which
> > >> include W32.Opanki until 25 May, according to the page!!!
> > >>
> > >> Let us know how you make out.
> > >> --
> > >> Lord Loki wrote:
> > >>> well.... I came back from dinner today and norton had a large message
> > >>> for
> > >>> me
> > >>> saying (memorized it)
> > >>> VIRUS FOUND:
> > >>> object: C:\im.exe
> > >>> virus: W32.Allim
> > >>>
> > >>> i went to the C drive, scanned the im file to be sure, it said it was an
> > >>> unreparable virus, i quarenteened, then deleted.... its gone forever now
> > >>> right? and...... you think that is THE virus that was causeing the
> > >>> strange
> > >>> happenings? O.o ^^
>
>
>

Jim Carlock
07-09-2005, 11:52 PM
"Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
> if i tell just anyone, and they WERE a hacker... they couldnt hack
> with that knowledge right? because... i really dont know, and i
> dont want to take chances

I don't really know the full answer to that. :-) So I'll post mine. I've
removed a lot of the duplicate stuff, so you'll likely see svchost.exe
listed a few times in yours.

If you see something different on your system you might want
to ask what it is.

File Cache
Idle Process
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
ati2evxx.exe
svchost.exe
spoolsv.exe
avgserv.exe
Runservice.exe
mdm.exe
OWSTIMER.EXE
alg.exe
explorer.exe
soundman.exe
AsusProb.exe
EM_EXEC.EXE
PRONoMgr.exe
avgcc32.exe
ATnotes.exe
gcasDtServ.exe
dllhost.exe
Tcpview.exe
gcasServ.exe
taskmgr.exe
notepad.exe
uPad.exe
firefox.exe
cmd.exe
MSDEV.EXE
msimn.exe
pstat.exe

If you have another firewall working... don't worry about Zone
Alarm.

Also, you might want to check out what's happening here:
https://www.grc.com/x/ne.dll?bh0bkyd2

That should take you to the ShieldsUp test. Run the test there and let
us know what it tells you. They have a lot of information there, so
you might want to look through some of it and see if it helps.

Once you get there, click on the buttons on the silver bar near the
bottom:
File Sharing
Common Ports
All Service Ports

The "All Service Ports" test should show up as all green, and you'll
need to read the stuff on that page. Take some time to read it all.

If you have any questions, feel free to ask. Let us know what it tells
you.

Everything showed up as "green" when I ran the "All Service Ports" test.
It indicated that my system "failed" at:
Unsolicited Packets: RECEIVED (FAILED)

<shrug> I'm only running the Windows XP SP2 Firewall and I think it's
doing a fairly decent job.

If someone else wants to advise me against this, I'd appreciate knowing
what's up.

The grc.com has been around since 1998 or thereabouts and I've used
them to test systems I've set up.

Hope that helps.

--
Jim Carlock
Please post replies to newsgroup.

"Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
ok... obviously, i only have mediocre knowledge of this stuff.... so before i
post everything that is going on in task manager... is that info i can freely
give out? none of that would permit a hacker (if he wanted) to hack or get in
right? none of that stuff that's always there and is part of my comp like
svchosts and stuff....

and yes... my skills suck i know that much...

also, i DID use trendmicro... the second i first knew i got the virus, and
it didnt even find a single trojan, normally it finds them... even worms, but
they're all probably from my IE cache since i deleted it then... so
trendmicro didnt help XD >.<

for the ZoneAlarm thing... you want me to install the firewall (thats what
it is right?) or do you want me to check to see if i can download properly??
because i've downloaded several other things and they've worked... just not a
program or anything... also.. if you DO want me to install it as a
firewall... is it really necessary? i really dont want to trust too much
stuff on the web... >.<


and lastly... about the searching thing... i'm searching now, but exactly
HOW do i search for things dated later than today?
i'm currently searching my comp for anything with the modified date between
tomorrow and 2010... but.... is that what you meant? or look for ALL .dll
files then look at the date (im gonna do that next anyways), and... want me
to look at modified date or created date, or accessed date, and any specific
file names to search for?

ok well before i posted this the scans ended, i didnt find anything with a
date later than an hour and a half ago today, and in the first scan
nothing... none of the ways i've tried found anything... what way do you
suggest?

i right clicked on the local disk, and i do not have a security tab...

ftp stuff >.< the only one i believe i've personally installed would be
anti-leech... about a year ago... and i'm not even positive if you could call
it an FTP... else i dont know of any... but thats not positive...

i'm sorry if i'm hard to work with ^^ i just REALLY dont like to install
stuff on my comp....


and to lengthen this post even more... PAB, you think its an overall
subscription problem? everything else on norton works fine... and thats the
only thing thats ever mentioned having being expired.... maybe its possibly
something separate that i have to buy? (i went through the subscription
trouble shooter... didnt seem to find anything...)

"Jim Carlock" wrote:

> "Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
> > Jim, you think its a trojan and i'm being hacked? or atleast my computer
> > is being used for whatever?
>
> Well, this is what I'd do:
>
> 1) Search the computer for files with dates later than the current date. If
> you find a .dll in the windows\system32 or windows\system folder dated
> later than today, then you've definitely been hacked. Hackers sometimes
> future date files trying to prevent Microsoft updates from taking effect.
>
> 2) Let us know if you find any suspiciously dated files or folders.
>
> 3) Check to see if there are some files that you do not recognize. Maybe
> all of them are unrecognized <g>. That'll help the folks here by letting
> them know your current skill set.
>
> 4) Visit http://housecall.trendmicro.com/ and use their online antivirus
> scan to scan your system. They seem to have beta software for new
> antivirus software... Their online scan does a pretty good job.
>
> 5) Download ZoneAlarm from www.zonelabs.com. If you are having
> problems installing ZoneAlarm, delete the folder where it's installed...
> maybe C:\Program Files\ZoneLabs, and then try reinstalling it again.
> If it fails again, download a new copy from ZoneLabs then open a
> DOS prompt to the folder where the two downloads are and type in:
> fc /b <filename1> <filename2>
> where filename1 is the name of the first download and filename2 is
> the name of the second download. If the DOS fc (file compare)
> command indicates the files are different, then you'll need to clear
> your browser cache (Internet Explorer or FireFox cache) and
> download the file again. Do the file compare to detect which two
> copies are identical. This lets you know that your downloads are
> valid and non-corrupted.
>
> I'll stop there for the moment. ZoneAlarm used to make a really
> nice firewall but in 2000 they seemed to have gone overboard
> and I've lost interest in their firewall products myself. Maybe
> someone else will know and provide an honest opinion of their
> current software. I like the 1998/1999 versions of their software.
>
> > what kind of "non-viral backdoor" something OTHER than spywar,
> > adware, trojans, worms, and viruses (obviously)??? what else is
> > there....?
>
> Serv-U, other FTP server software. You can press CTRL+ALT+DEL
> and open the task manager. Provide us with a list of processes running
> on your system.
>
> Also let us know if you have NTFS installed.
> 1) Open "My Computer"
> 2) Right-click on a hard disk drive and let us know if there is a Security
> tab.
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
> Ok, I retried to scan my computer in safe mode (this time using the msconfig
> method...) and norton still wont open >.<
>
> I downloaded the latest virus definations for intellegent updator... however
> when i go to install them it says i cannot, and that its expired...
>
> "Your virus protection cannot be updated.
> Your subscription as expired. You must renew your subscription to continue
> using Intellegent Updater. Run LiveUpdate from Norton AntiVirus to renew your
> subscription and then run Intellegent Updater again."
>
> i ran live update again, just to be sure, its fully updated, tried
> installing again and got the same message... i JUST bought norton a few
> months ago its definatly not expired... is live update something i have to
> pay for myself? (darn... more and more problems keep on coming...)
>
> i'm not so sure i'm ready for the HijackThis thing... with my luck i'd
> accidently delete something very important...
>
> also... i deleted aim, but aim was no longer connected to the virus once it
> got in right? so if i reinstalled it, it'd be ok... because the one virus i
> did delete was most likely THE aim virus? (since it gets passed through aim,
> and thats what it does...) so i could reinstall aim? or should i wait longer?
>
> Jim, you think its a trojan and i'm being hacked? or atleast my computer is
> being used for whatever?
>
> what kind of "non-viral backdoor" something OTHER than spywar, adware,
> trojans, worms, and viruses (obviously)??? what else is there....?
>
> yet again, thank you both for your assistance ^^
>
> "Jim Carlock" wrote:
>
> > FWIW there is software out there that is NOT considered virus but
> > is used to open a PC up for "folks" to access it anytime "they" want.
> >
> > There is some FTP server software. Virus scanners will never catch it,
> > but a good firewall should catch it and present a message that something
> > is trying to open up a certain port (Serv-U ?).
> >
> > So if something opened up the system, "the attackers" commonly put a
> > non-viral backdoor in place that will never be detected by virus scanners.
> >
> > --
> > Jim Carlock
> > Please post replies to newsgroup.
> >
> > "PA Bear" <PABearMVP@gmail.com> wrote:
> > Lord Loki wrote:
> > > I delted it... however... i dont think its that... >.< even though it does
> > > sound right (i read the symantic thing before i deleted...) because when
> > > ever i turn on the comp it still tries to "install" something... otherwise
> > > everythings fine... i think...
> >
> > Not surprising.
> >
> > > by manually updating... you mean going to the site and manually
> > > downloading,
> > > or going into norton using live update, but dont just let live update wait
> > > for a few weeks to do it itself? (NAV users?)
> >
> > Yes, manually seek and install updated definitions. See Intelligent Updater
> > section here: http://securityresponse.symantec.com/avcenter/download.html
> > (posted earlier, too).
> >
> > > also... this morning, we found a virus on the home computer, this was a
> > > bloodhound... do you think my virus would cause that to get through the
> > > network into the home comp, or that its unrelated?
> >
> > There are literally /hundreds/ of Bloodhound variants and, yes, most likely
> > "your" Bloodhound was "dropped" by the Trojan.
> >
> > > lastly... how do you run a system scan in safe mode? i tried... and i
> > > couldnt even open norton >.<
> > > every time i tried it froze.... >.< and went to "send error report?"
> > > would a virus cause that (or hacker), or would that just be me, somehow
> > > screwing things up?
> >
> > Again, see instructions on this page for booting to Safe Mode:
> > http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
> >
> > It would be highly unusual for NAV not to work in Safe Mode but [stuff]
> > happens.
> >
> > > Thanks for your help
> >
> > YW. Let us know how you make out. Note that it might take several updates
> > and scans over several days in the coming week or so for NAV to be able to
> > find and remove everything.
> >
> > You might follow the QuickFix protocol here http://aumha.org/a/quickfix.htm,
> > then scan your system with HijackThis (don't let the name scare you) and
> > post your log to an appropriate forum. Do not post your log here, please.
> > --
> > ~PA Bear
> >
> > > "PA Bear" wrote:
> > >> Well, yes, that could be /your/ Trojan...
> > >>
> > >> Symantec Security Response - W32.Allim.A:
> > >> http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
> > >>
> > >> This one displays a message "hey check out _this_!" where "this!" is a
> > >> link
> > >> to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php. A
> > >> recipient must click on the link, download a file, and then execute the
> > >> file which then installs a W32.Spybot.Worm
> > > >> variant (http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
> > >>
> > >> But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).
> > >>
> > >> From another post in this thread:
> > >>
> > >> Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
> > >> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
> > >>
> > >> Here, the message is "check this out, is that you?", where "this" is a
> > >> configured link that will download a copy of the worm if a user clicks on
> > >> it.
> > >>
> > >> To be safe, I'd manually install virus definition updates via Intelligent
> > >> Updater (http://securityresponse.symantec.com/avcenter/download.html) and
> > >> then run a full system scan in Safe Mode
> > >> (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
> > >>
> > >> Note that NAV users who rely on LiveUpdate won't get definitions which
> > >> include W32.Opanki until 25 May, according to the page!!!
> > >>
> > >> Let us know how you make out.
> > >> --
> > >> Lord Loki wrote:
> > >>> well.... I came back from dinner today and norton had a large message
> > >>> for
> > >>> me
> > >>> saying (memorized it)
> > >>> VIRUS FOUND:
> > >>> object: C:\im.exe
> > >>> virus: W32.Allim
> > >>>
> > >>> i went to the C drive, scanned the im file to be sure, it said it was an
> > >>> unreparable virus, i quarenteened, then deleted.... its gone forever now
> > >>> right? and...... you think that is THE virus that was causeing the
> > >>> strange
> > >>> happenings? O.o ^^
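
Added example (not part of any post in this thread): one way to run the future-dated file search from step 1 of Jim Carlock's list, in Python so it can be pointed at the windows\system32 folder or at a copy of the disk. The function name, the extension list and the 24-hour slack are assumptions of this example; it checks modified time and, where the platform records it, creation time, and reports hits as leads to review.

```python
import os
import sys
import time
from datetime import datetime

# Extensions worth a first look (assumption of this example); the post
# singles out .dll files under windows\system32 and windows\system.
DEFAULT_EXTS = (".dll", ".exe", ".sys", ".ocx")


def find_future_dated(root, now=None, slack_hours=24, exts=DEFAULT_EXTS):
    """Return sorted [(path, field, timestamp)] for files dated after now + slack.

    slack_hours absorbs clock drift and time-zone confusion, so a file
    that is only a few hours "ahead" is not reported. Pass exts=() to
    check every file regardless of extension.
    """
    now = time.time() if now is None else now
    cutoff = now + slack_hours * 3600
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if exts and not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished file: skip it, keep scanning
            # Accessed time is not checked: it changes whenever anything,
            # including a virus scanner, reads the file.
            stamps = {"modified": st.st_mtime}
            # Creation time is exposed only where the platform records it
            # (Windows on Python 3.12+, macOS/BSD); it is absent on Linux.
            birth = getattr(st, "st_birthtime", None)
            if birth is not None:
                stamps["created"] = birth
            for field, ts in stamps.items():
                if ts > cutoff:
                    hits.append((path, field, ts))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python future_dated.py <folder>
    for path, field, ts in find_future_dated(sys.argv[1]):
        print(f"{datetime.fromtimestamp(ts).isoformat()}  {field:8}  {path}")
```

An empty result does not clear the machine, because file timestamps can be set to any value, including plausible past ones.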

PA Bear
07-09-2005, 11:52 PM
> ...everything else on norton works fine...

What's to work, fine or otherwise, if it doesn't have up-to-date
definitions? You're not protected against hundreds of Trojans/viruses!

The NAV subscription problem may or may not be related to your overall
problem(s), but IMO it's /the/ problem you should sort out first. If you
don't have current virus definitions installed and if Live Update and
Intelligent Updater don't work, your first line of defense is in total
shambles.

Contact Symantec Help & Support ASAP.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security

Lord Loki wrote:
<snippage>
> ...PAB, you think its an overal
> subscription problem? everything else on norton works fine... and thats
> the
> only thing thats ever mentioned having being expired.... maybe its
> possibly
> something seperate that i have to buy? (i went through the subscription
> trouble shooter... didnt seem to find anything...)

Lord Loki
07-09-2005, 11:52 PM
thats not true, live update works fine, it updates all the time, on its own
or when i update it, the intelligent updater is the only thing thats not
working

"PA Bear" wrote:

> > ...everything else on norton works fine...
>
> What's to work, fine or otherwise, if it doesn't have up-to-date
> definitions? You're not protected against hundreds of Trojans/viruses!
>
> The NAV subscription problem may or may not be related to your overall
> problem(s), but IMO it's /the/ problem you should sort out first. If you
> don't have current virus definitions installed and if Live Update and
> Intelligent Updater doesn't work, your first line of defense is in total
> shambles.
>
> Contact Symantec Help & Support ASAP.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE/OE) & Security
>
> Lord Loki wrote:
> <snippage>
> > ...PAB, you think its an overal
> > subscription problem? everything else on norton works fine... and thats
> > the
> > only thing thats ever mentioned having being expired.... maybe its
> > possibly
> > something seperate that i have to buy? (i went through the subscription
> > trouble shooter... didnt seem to find anything...)

Lord Loki
07-09-2005, 11:52 PM
ok.... i have....

WkCalRem.exe
msmsgs.exe
wmiapsrv.exe
taskmgr.exe
WkUFind.exe
msnmsgr.exe
CDAEMON.EXE
PCMService.exe
iexplore.exe
iexplore.exe
NotifyAlert.exe
CCAPP.EXE
ViewMgr.exe
mmtask.exe
realsched.exe
DadApp.exe
tfswctrl.exe
Dsentry.exe
BCMSMMSG.exe
atipaxx.exe
SynTPEnh.exe
SynTPLpr.exe
Support.exe
alg.exe
spoolsv.exe
CCEVTMGR.EXE
SPBBCSvc.exe
SNDSrvc.exe
explorer.exe
ISSVC.exe
CCSETMGR.EXE
CCPROXY.EXE
NAVAPSVC.EXE
cisvc.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
ati2evxx.exe
lsass.exe (that might be Isass.exe cant tell if its an i or l)
services.exe
winlogon.exe
csrss.exe
smss.exe
BCMWLTRY.EXE
WLTRYSVC.EXE
wdfmgr.exe
symlcsvc.exe
svchost.exe
System
System Idle Process

there, thats whats currently up, there should be 52... (thats about the
number i almost always have... i have 2 msn messages open and the msn unit, 4
internet explorers, task manager and thats all i personally turned on today)
well.... I dont wanna make an error going through that list and removing
duplicates and or things that are the same as yours since some are only
different from one letter... I just hope that its info that can be freely
shared...
then again, as i just read, my ip address is included so i shouldnt worry.. XD


as for firewalls... i dont believe i have any "personal" firewalls, but i use
the windows sp2 one, i'm not positive but i believe Norton Internet Security
has a firewall of some sort, and I'm connected on a wireless connection in the
house, so i think my router also has a firewall, not positive about that

and now for the testing, for the first one, the file sharing it told me my
IP address and after the "attempting" thing it says *too lazy to summarize*
- Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE!
Standard Internet behavior requires port connection attempts to be answered
with a success or refusal response. Therefore, only an attempt to connect to
a nonexistent computer results in no response of either kind. But YOUR
computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which
represents advanced computer and port stealthing capabilities. A machine
configured in this fashion is well hardened to Internet NetBIOS attack and
intrusion.
and
-Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is
very uncommon for a Windows networking-based PC.) Relative to vulnerabilities
from Windows networking, this computer appears to be VERY SECURE since it is
NOT exposing ANY of its internal NetBIOS networking protocol over the
Internet.

under common files it said "Your system has achieved a perfect "TruStealth"
rating. Not a single packet — solicited or otherwise — was received from your
system as a result of our security probing tests. Your system ignored and
refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint
of the passing probes of any hacker, this machine does not exist on the
Internet. Some questionable personal security systems expose their users by
attempting to "counter-probe the prober", thus revealing themselves. But your
system wisely remained silent in every way. Very nice."
"GRC Port Authority Report created on UTC: 2005-05-24 at 21:32:19

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
0 Ports Closed
26 Ports Stealth
---------------------
26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
"



and for the last thing everything was green and i believe it said the same
thing as the one before which was
"Your system has achieved a perfect "TruStealth" rating. Not a single packet
— solicited or otherwise — was received from your system as a result of our
security probing tests. Your system ignored and refused to reply to repeated
Pings (ICMP Echo Requests). From the standpoint of the passing probes of any
hacker, this machine does not exist on the Internet. Some questionable
personal security systems expose their users by attempting to "counter-probe
the prober", thus revealing themselves. But your system wisely remained
silent in every way. Very nice."

i WAS going to ask you if they're not just doing it all good to make you
say.. feel better XD, but you said you've been using them since 98 so...
doesnt seem so...
so i read that whole page and stuff (only understood a little) at the end
when they're talking about the port 113 stuff... did you want me to go step by
step and click the stuff, or is that only for that firewall users? (i got a
little lost there)

sorry you have to read this horrendously long post... thank you ^^
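
Added example (not part of any post in this thread): the posted process lists include names that differ by a single letter, and "lsass.exe" and "Isass.exe" look identical in many fonts. This Python check flags names that only resemble a core Windows process name; the core-name set is taken from the lists posted above, while the function names and the constructed look-alike entries are assumptions of this example.

```python
# Core Windows process names that appear in both lists posted in the thread.
CORE_NAMES = frozenset({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe",
})

# Characters that render alike in common UI fonts, folded to one form.
_FOLD = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(name):
    """Lower-case the name and fold look-alike characters together."""
    folded = name.lower().translate(_FOLD)
    return folded.replace("rn", "m").replace("vv", "w")


def within_one_edit(a, b):
    """True if a != b and one insert, delete, substitution or adjacent
    swap turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def review_process_list(observed, core=CORE_NAMES):
    """Return [(observed_name, core_name, reason)] for names that resemble,
    but do not equal, a core process name.

    An exact name match is not proof of legitimacy: the image path still
    needs checking, and a Task Manager name list does not show it.
    """
    by_skeleton = {skeleton(c): c for c in core}
    findings = []
    for raw in observed:
        parts = raw.split()
        if not parts:
            continue
        shown = parts[0]       # drop trailing notes such as "(that might be ...)"
        name = shown.lower()   # Windows image names are case-insensitive
        if name in core:
            continue
        match = by_skeleton.get(skeleton(shown))
        if match:
            findings.append((shown, match, "look-alike characters"))
            continue
        for candidate in sorted(core):
            if within_one_edit(name, candidate):
                findings.append((shown, candidate, "one edit away"))
                break
    return findings


# Constructed sample: a few names from the posted list plus four
# look-alikes invented for this example.
SAMPLE = [
    "lsass.exe", "Isass.exe", "svchost.exe", "svchosts.exe", "scvhost.exe",
    "CCAPP.EXE", "exp1orer.exe", "System Idle Process",
]

if __name__ == "__main__":
    for shown, core_name, reason in review_process_list(SAMPLE):
        print(f"{shown:14} resembles {core_name:13} ({reason})")
```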

PA Bear
07-09-2005, 11:52 PM
Did I misinterpret your post of 23 May-05?
http://groups-beta.google.com/group/microsoft.public.security/msg/717029b9a649ddb9?hl=en

<QP>
I downloaded the latest virus definations for intellegent updator... however
when i go to install them it says i cannot, and that its expired...

"Your virus protection cannot be updated. Your subscription as expired. You
must renew your subscription to continue using Intellegent Updater. Run
LiveUpdate from Norton AntiVirus to renew your subscription and then run
Intellegent Updater again."

i ran live update again, just to be sure, its fully updated, tried
installing again and got the same message... i JUST bought norton a few
months ago its definatly not expired... is live update something i have to
pay for myself? (darn... more and more problems keep on coming...)
</QP>

Sounds to me like neither LiveUpdate nor Intelligent Updater was working for
you cos, according to the error message, your subscription had expired.

If LiveUpdate is working (now), good. (It's working if you have Defs
Version 70524p or later installed right now, 10:41 PM ET.)

But if you still can't install updates via Intelligent Updater, NAV is /not/
working IMO and the problem should be addressed ASAP.
--
~PA Bear

Lord Loki wrote:
> thats not true, live update works fine, it updates all the time, on its
> own or when i update it, the intellegent updater is the only thing thats
> not working
>
> "PA Bear" wrote:
>
> > > ...everything else on norton works fine...
> >
> > What's to work, fine or otherwise, if it doesn't have up-to-date
> > definitions? You're not protected against hundreds of Trojans/viruses!
> >
> > The NAV subscription problem may or may not be related to your overall
> > problem(s), but IMO it's /the/ problem you should sort out first. If
> > you don't have current virus definitions installed and if Live Update
> > and Intelligent Updater doesn't work, your first line of defense is in
> > total shambles.
> >
> > Contact Symantec Help & Support ASAP.
> > --
> > ~Robear Dyer (PA Bear)
> > MS MVP-Windows (IE/OE) & Security
> >
> > Lord Loki wrote:
> > <snippage>
> > > ...PAB, you think its an overal
> > > subscription problem? everything else on norton works fine... and
> > > thats the
> > > only thing thats ever mentioned having being expired.... maybe its
> > > possibly
> > > something seperate that i have to buy? (i went through the
> > > subscription trouble shooter... didnt seem to find anything...)

Lord Loki
07-09-2005, 11:52 PM
where do you find what the latest defs are?
anyways it updated again today, so i'm pretty sure its working, i believe
its always worked... just this is my first time using Intelligent Updater...
you sure its something all norton things can do? not an... extra... or an
option i have to click on? (i dont see what you misinterpreted... oh well)

to contact norton... what should i do e-mail them? is there a form you fill
out? because i REALLY dont want to call, but i dont think it should come to
that

also, you guys told me to post anything you dont know what it is
i was looking through the norton options, and under threats there was ONE,
and only one, threat to exclude, and i never recognized it...
MiniBugTransporter.dll (program files ---> AWS) i certainly never installed
it, and i certainly did NOT exclude it from norton. I scanned it, nothing, i
removed it from the list, then scanned and it says its adaware... before i do
anything... wrong... i should delete it right? (i looked on the web and they
said its a helpful program giving the weather, but it also gives out your
privacy or something like that) and when i delete... should i merely "delete"
or is it something i have to uninstall? thanks

"PA Bear" wrote:

> Did I misinterpret your post of 23 May-05?
> http://groups-beta.google.com/group/microsoft.public.security/msg/717029b9a649ddb9?hl=en
>
> <QP>
> I downloaded the latest virus definations for intellegent updator... however
> when i go to install them it says i cannot, and that its expired...
>
> "Your virus protection cannot be updated. Your subscription as expired. You
> must renew your subscription to continue using Intellegent Updater. Run
> LiveUpdate from Norton AntiVirus to renew your subscription and then run
> Intellegent Updater again."
>
> i ran live update again, just to be sure, its fully updated, tried
> installing again and got the same message... i JUST bought norton a few
> months ago its definatly not expired... is live update something i have to
> pay for myself? (darn... more and more problems keep on coming...)
> </QP>
>
> Sounds to me like neither LiveUpdate nor Intelligent Updater was working for
> you cos, according to the error message, your subscription had expired.
>
> If LiveUpdate is working (now), good. (It's working if you have Defs
> Version 70524p or later installed right now, 10:41 PM ET.)
>
> But if you still can't install updates via Intelligent Updater, NAV is /not/
> working IMO and the problem should be addressed ASAP.
> --
> ~PA Bear
>
> Lord Loki wrote:
> > thats not true, live update works fine, it updates all the time, on its
> > own or when i update it, the intellegent updater is the only thing thats
> > not working
> >
> > "PA Bear" wrote:
> >
> > > > ...everything else on norton works fine...
> > >
> > > What's to work, fine or otherwise, if it doesn't have up-to-date
> > > definitions? You're not protected against hundreds of Trojans/viruses!
> > >
> > > The NAV subscription problem may or may not be related to your overall
> > > problem(s), but IMO it's /the/ problem you should sort out first. If
> > > you don't have current virus definitions installed and if Live Update
> > > and Intelligent Updater doesn't work, your first line of defense is in
> > > total shambles.
> > >
> > > Contact Symantec Help & Support ASAP.
> > > --
> > > ~Robear Dyer (PA Bear)
> > > MS MVP-Windows (IE/OE) & Security
> > >
> > > Lord Loki wrote:
> > > <snippage>
> > > > ...PAB, you think its an overal
> > > > subscription problem? everything else on norton works fine... and
> > > > thats the
> > > > only thing thats ever mentioned having being expired.... maybe its
> > > > possibly
> > > > something seperate that i have to buy? (i went through the
> > > > subscription trouble shooter... didnt seem to find anything...)

PA Bear
07-09-2005, 11:52 PM
> where do you find what the latest defs are?

Current defs for both LiveUpdate and Intelligent Updater are listed at
http://securityresponse.symantec.com/avcenter/defs.download.html:

<QP>
Intelligent Updater:
Virus Definitions created May 25
Virus Definitions released May 25
Norton AntiVirus Corp. Edition:
Defs Version: 70525r
Sequence Number: 44973
Extended Version: 5/25/2005 rev. 18
Total Viruses Detected: 69604

LiveUpdate:
Virus Definitions created May 25
Virus Definitions released May 25
Norton AntiVirus Corp. Edition:
Defs Version: 70525r
Sequence Number: 44973
Extended Version: 5/25/2005 rev. 18
Total Viruses Detected: 69604
</QP>

> you sure its something all norton things can do?

Yes.

> to contact norton... what should i do e-mail them?

Start here: http://www.symantec.com/techsupp/

> MiniBugTransporter.dll (program files ---> AWS)

WeatherBug/WeatherCast
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074634

Gives users hidden, "drive by" installs of hijackware (e.g., WhenUSearch
Toolbar, WeatherCast, WhenUShop, WhenUSearch SideFinder, ClockSync,
Save!/SaveNow, PriceBandit, and WhenUSearch BEST).

Now that you've posted this info and considering the problem about which you
originally posted here, any of these hijackers may be part of your problem
installing defs from Intelligent Updater, LL. And if you've got them, you
may have others.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/data/tshoot.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security


Lord Loki wrote:
> where do you find what the latest defs are?
> anyways it updated again today, so i'm pretty sure its working, i believe
> its always worked... just this is my first time using
> IntellegentUpdater... you sure its something all norton things can do?
> not an... extra... or an option i have to click on? (i dont see what you
> misintterpreted... oh well)
>
> to contact norton... what should i do e-mail them? is there a form you
> fill out? because i REALLY dont want to call, but i dont think it should
> come to that
>
> also, you guys told me to post anything you dont know what it is
> i was looking through the norton options, and under threats there was ONE,
> and only one, threat to exclude, and i never reconized it...
> MiniBugTransporter.dll (program files ---> AWS) i certainly never
> installed it, and i certainly did NOT exclude it from norton. I scaned
> it, nothing, i removed it from the list, then scanned and it says its
> adaware... before i do anything... wrong... i shold delete it right? (i
> looked on the web and they said its a helpful program giving the weather,
> but it also gives out your privacy or somehting like that) and when i
> delete... should i merely "delete" or is it somehting i have to
> uninstall? thanks
>
> "PA Bear" wrote:
>
> > Did I misinterpret your post of 23 May-05?
> > http://groups-beta.google.com/group/microsoft.public.security/msg/717029b9a649ddb9?hl=en
> >
> > <QP>
> > I downloaded the latest virus definations for intellegent updator...
> > however when i go to install them it says i cannot, and that its
> > expired...
> >
> > "Your virus protection cannot be updated. Your subscription as expired.
> > You must renew your subscription to continue using Intellegent Updater.
> > Run LiveUpdate from Norton AntiVirus to renew your subscription and
> > then run Intellegent Updater again."
> >
> > i ran live update again, just to be sure, its fully updated, tried
> > installing again and got the same message... i JUST bought norton a few
> > months ago its definatly not expired... is live update something i have
> > to pay for myself? (darn... more and more problems keep on coming...)
> > </QP>
> >
> > Sounds to me like neither LiveUpdate nor Intelligent Updater was
> > working for you cos, according to the error message, your subscription
> > had expired.
> >
> > If LiveUpdate is working (now), good. (It's working if you have Defs
> > Version 70524p or later installed right now, 10:41 PM ET.)
> >
> > But if you still can't install updates via Intelligent Updater, NAV is
> > /not/ working IMO and the problem should be addressed ASAP.
> > --
> > ~PA Bear
> >
> > Lord Loki wrote:
> > > thats not true, live update works fine, it updates all the time, on
> > > its own or when i update it, the intellegent updater is the only
> > > thing thats not working
> > >
> > > "PA Bear" wrote:
> > >
> > > > > ...everything else on norton works fine...
> > > >
> > > > What's to work, fine or otherwise, if it doesn't have up-to-date
> > > > definitions? You're not protected against hundreds of
> > > > Trojans/viruses!
> > > >
> > > > The NAV subscription problem may or may not be related to your
> > > > overall problem(s), but IMO it's /the/ problem you should sort out
> > > > first. If you don't have current virus definitions installed and
> > > > if Live Update and Intelligent Updater doesn't work, your first
> > > > line of defense is in total shambles.
> > > >
> > > > Contact Symantec Help & Support ASAP.
> > > > --
> > > > ~Robear Dyer (PA Bear)
> > > > MS MVP-Windows (IE/OE) & Security
> > > >
> > > > Lord Loki wrote:
> > > > <snippage>
> > > > > ...PAB, you think its an overal
> > > > > subscription problem? everything else on norton works fine... and
> > > > > thats the
> > > > > only thing thats ever mentioned having being expired.... maybe its
> > > > > possibly
> > > > > something seperate that i have to buy? (i went through the
> > > > > subscription trouble shooter... didnt seem to find anything...)

Jim Carlock
07-09-2005, 11:52 PM
The previous link I provided might have scanned my computer.

Try this link: http://www.grc.com/default.htm. When you get there,
Search for Shield's Up! and click on that link. Let me know.

--
Jim Carlock
Please post replies to newsgroup.

Lord Loki
07-09-2005, 11:52 PM
Pretty sure that was mine, because the IP address looks similar (i didnt
memorize it so i dont know) and i got the same exact results...

well... XD i dont wanna be paranoid or anything, but anything "strange" that
happens on my comp i'm gonna post... just now when i logged on the comp the
usual annoying stuff happens (spykiller comes up... forgot how to stop it)
and i wanted to change my bg... like i do almost every time, so i go to
change it and i got an error report, i copied down all the info clicked send,
a web page opened, copied url, and at the same time i got ANOTHER error
report... here they are... they're not like the normal ones with a program or
something >.<

The first one:
Run a DLL as an App has encountered a problem and needs to close. We are
sorry for the inconvenience.

Error signature
AppName: rundll32.exe
ModVer: 1.4.0.0
App Ver: 5.1.2600.2180
ModName: subtitds.ax
Offset: 000066a2

C:\DOCUME~1\Jaimie\LOCALS~1\Temp\8922_appcompat.txt
and the URL it gave me
http://oca.microsoft.com/en/response.aspx?SGD=b589dbe2-c907-4908-95d7-8683ddacc79f&SID=803

and the second one:

DrWatson Postmortem Debugger has encountered a problem and needs to close.
We are sorry for the inconvenience.

EventType: BEX
P1: DRWTSN32.EXE
P2: 5.1.2600.0
P3: 3b7d84a2
P4: dbghelp.dll
P5: 5.1.2600.2180
P6: 4110969a
P7: 0001295d
P8: c0000409
P9: 00000000

C:\DOCUME~1\Jaimie\LOCALS~1\Temp\WERcefa.dir00\DRWTSN32.EXE.mdmp
C:\DOCUME~1\Jaimie\LOCALS~1\Temp\WERcefa.dir00\appcompat.txt

dont know if thats just happenstance, or if its some STUPID thing caused by
whatever it is (i'm not even sure its still there... maybe i have the damage
left over?) Thanks again

"Jim Carlock" wrote:

> The previous link I provided might have scanned my computer.
>
> Try this link: http://www.grc.com/default.htm. When you get there,
> Search for Shield's Up! and click on that link. Let me know.
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
>
>
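
The two error reports posted above can be decoded into named fields before deciding what to chase. This is an added example, not part of the original thread; the meaning given to the positional P1..P9 values and the reading of P3/P6 as build timestamps are assumptions (the post does not label them), and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed input: the two reports as typed in the post above.
CLASSIC = """\
Error signature
AppName: rundll32.exe
ModVer: 1.4.0.0
App Ver: 5.1.2600.2180
ModName: subtitds.ax
Offset: 000066a2
"""

BEX = """\
EventType: BEX
P1: DRWTSN32.EXE
P2: 5.1.2600.0
P3: 3b7d84a2
P4: dbghelp.dll
P5: 5.1.2600.2180
P6: 4110969a
P7: 0001295d
P8: c0000409
P9: 00000000
"""

# Assumed meaning of the positional BEX parameters (not labelled in the post).
BEX_LAYOUT = {
    "p1": "process", "p2": "process_version", "p3": "process_timestamp",
    "p4": "module", "p5": "module_version", "p6": "module_timestamp",
    "p7": "offset", "p8": "exception_code", "p9": "exception_data",
}
# Older "Error signature" dialog; keys are matched after normalisation,
# so "App Ver" and "ModVer" both resolve.
CLASSIC_LAYOUT = {
    "appname": "process", "appver": "process_version",
    "modname": "module", "modver": "module_version", "offset": "offset",
}
# NTSTATUS values worth naming during triage.
EXCEPTIONS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}


def parse_fields(text):
    """Split 'Key: value' lines; keys are lower-cased with spaces removed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields["".join(key.split()).lower()] = value.strip()
    return fields


def build_date(hex_stamp):
    """Interpret a hex timestamp as seconds since 1970 (UTC)."""
    stamp = datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc)
    return stamp.date().isoformat()


def triage(text):
    """Return one normalised record for either report style."""
    raw = parse_fields(text)
    is_bex = raw.get("eventtype", "").upper() == "BEX"
    layout = BEX_LAYOUT if is_bex else CLASSIC_LAYOUT
    rec = {name: raw[key] for key, name in layout.items() if key in raw}
    if "process" not in rec or "module" not in rec:
        raise ValueError("not a recognisable crash signature")
    if "offset" in rec:
        rec["offset"] = int(rec["offset"], 16)
    for who in ("process", "module"):
        key = who + "_timestamp"
        if key in rec:
            rec[who + "_built"] = build_date(rec.pop(key))
    if "exception_code" in rec:
        code = int(rec.pop("exception_code"), 16)
        rec["exception"] = EXCEPTIONS.get(code, "0x%08X" % code)
    return rec


if __name__ == "__main__":
    for report in (CLASSIC, BEX):
        print(triage(report))
```

The decoded record names the faulting module, its version and the exception, which is what to compare against a known-good copy of the same file before treating the crash as a sign of infection.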

Lord Loki
07-09-2005, 11:52 PM
I meant how can you tell which defs are on your comp, but i suppose if live
update is running and installing stuff then its getting the latest so that
was a stupid question

also I want to apologize, when i went to scan and delete it with norton i
couldnt find the delete option, and i clicked more options and then i
remembered that on my first scanning with this norton it found it and i
couldnt figure out where to delete it then either so i ignored it... so i DID
cause that T_T sorry, and its been there for a few months now... >.> sorry
again

OK, i've done a few more things on my own since last time...
I did a chkdsk in the command prompt and since it was read only it could
only do 2 outta 3 or something, but on the second step it found and deleted
4 things
then i went and went for the full blown check disk under local disk... took
forever, and it didnt tell if it found or didnt find anything... i barely got
to glimpse at my disk space before it rebooted... so that didnt help much in
my opinion

now i'm on the symantec website and checking for viruses from there... as
soon as i clicked the install active x stuff, an installing thing came up, i
clicked run, then the windows installer popped up, and failed, its the same
one that appears every time the computer turns on... which is strange it says
"Norton AntiVirus 2005 does not support the Repair feature, please uninstall
and reinstall" >.<
however right this moment its scanning.... so thats ALSO strange

I'm going to do a security check too on it...
any other things that come on the computer or with symantec that i can use?

I'll check out those other links soon and try contacting norton, I didnt
have time yet (um... i also posted further up in this thread about the dr
watson thing failing... what is that? i came across it for a different
problem about a year ago...)

"PA Bear" wrote:

> > where do you find what the latest defs are?
>
> Current defs for both LiveUpdate and Intelligent Updater are listed at
> http://securityresponse.symantec.com/avcenter/defs.download.html:
>
> <QP>
> Intelligent Updater:
> Virus Definitions created May 25
> Virus Definitions released May 25
> Norton AntiVirus Corp. Edition:
> Defs Version: 70525r
> Sequence Number: 44973
> Extended Version: 5/25/2005 rev. 18
> Total Viruses Detected: 69604
>
> LiveUpdate:
> Virus Definitions created May 25
> Virus Definitions released May 25
> Norton AntiVirus Corp. Edition:
> Defs Version: 70525r
> Sequence Number: 44973
> Extended Version: 5/25/2005 rev. 18
> Total Viruses Detected: 69604
> </QP>
>
> > you sure its something all norton things can do?
>
> Yes.
>
> > to contact norton... what should i do e-mail them?
>
> Start here: http://www.symantec.com/techsupp/
>
> > MiniBugTransporter.dll (program files ---> AWS)
>
> WeatherBug/WeatherCast
> http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074634
>
> Gives users hidden, "drive by" installs of hijackware (e.g., WhenUSearch
> Toolbar, WeatherCast, WhenUShop, WhenUSearch SideFinder, ClockSync,
> Save!/SaveNow, PriceBandit, and WhenUSearch BEST).
>
> Now that you've posted this info and considering the problem about which you
> originally posted here, any of these hijackers may be part of your problem
> installing defs from Intelligent Updater, LL. And if you've got them, you
> may have others.
>
> Checking for/Help with Hijackware
> http://aumha.org/a/parasite.htm
> http://aumha.org/a/quickfix.htm
> http://aumha.net/viewtopic.php?t=5878
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/data/prevention.htm
> http://inetexplorer.mvps.org/data/tshoot.htm
> http://www.mvps.org/sramesh2k/Malware_Defence.htm
> http://defendingyourmachine.blogspot.com/
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE/OE) & Security
>
>
> Lord Loki wrote:
> > where do you find what the latest defs are?
> > anyways it updated again today, so i'm pretty sure its working, i believe
> > its always worked... just this is my first time using
> > IntellegentUpdater... you sure its something all norton things can do?
> > not an... extra... or an option i have to click on? (i dont see what you
> > misintterpreted... oh well)
> >
> > to contact norton... what should i do e-mail them? is there a form you
> > fill out? because i REALLY dont want to call, but i dont think it should
> > come to that
> >
> > also, you guys told me to post anything you dont know what it is
> > i was looking through the norton options, and under threats there was ONE,
> > and only one, threat to exclude, and i never reconized it...
> > MiniBugTransporter.dll (program files ---> AWS) i certainly never
> > installed it, and i certainly did NOT exclude it from norton. I scaned
> > it, nothing, i removed it from the list, then scanned and it says its
> > adaware... before i do anything... wrong... i shold delete it right? (i
> > looked on the web and they said its a helpful program giving the weather,
> > but it also gives out your privacy or somehting like that) and when i
> > delete... should i merely "delete" or is it somehting i have to
> > uninstall? thanks
> >
> > "PA Bear" wrote:
> >
> > > Did I misinterpret your post of 23 May-05?
> > > http://groups-beta.google.com/group/microsoft.public.security/msg/717029b9a649ddb9?hl=en
> > >
> > > <QP>
> > > I downloaded the latest virus definations for intellegent updator...
> > > however when i go to install them it says i cannot, and that its
> > > expired...
> > >
> > > "Your virus protection cannot be updated. Your subscription as expired.
> > > You must renew your subscription to continue using Intellegent Updater.
> > > Run LiveUpdate from Norton AntiVirus to renew your subscription and
> > > then run Intellegent Updater again."
> > >
> > > i ran live update again, just to be sure, its fully updated, tried
> > > installing again and got the same message... i JUST bought norton a few
> > > months ago its definatly not expired... is live update something i have
> > > to pay for myself? (darn... more and more problems keep on coming...)
> > > </QP>
> > >
> > > Sounds to me like neither LiveUpdate nor Intelligent Updater was
> > > working for you cos, according to the error message, your subscription
> > > had expired.
> > >
> > > If LiveUpdate is working (now), good. (It's working if you have Defs
> > > Version 70524p or later installed right now, 10:41 PM ET.)
> > >
> > > But if you still can't install updates via Intelligent Updater, NAV is
> > > /not/ working IMO and the problem should be addressed ASAP.
> > > --
> > > ~PA Bear
> > >
> > > Lord Loki wrote:
> > > > thats not true, live update works fine, it updates all the time, on
> > > > its own or when i update it, the intellegent updater is the only
> > > > thing thats not working
> > > >
> > > > "PA Bear" wrote:
> > > >
> > > > > > ...everything else on norton works fine...
> > > > >
> > > > > What's to work, fine or otherwise, if it doesn't have up-to-date
> > > > > definitions? You're not protected against hundreds of
> > > > > Trojans/viruses!
> > > > >
> > > > > The NAV subscription problem may or may not be related to your
> > > > > overall problem(s), but IMO it's /the/ problem you should sort out
> > > > > first. If you don't have current virus definitions installed and
> > > > > if Live Update and Intelligent Updater doesn't work, your first
> > > > > line of defense is in total shambles.
> > > > >
> > > > > Contact Symantec Help & Support ASAP.
> > > > > --
> > > > > ~Robear Dyer (PA Bear)
> > > > > MS MVP-Windows (IE/OE) & Security
> > > > >
> > > > > Lord Loki wrote:
> > > > > <snippage>
> > > > > > ...PAB, you think its an overal
> > > > > > subscription problem? everything else on norton works fine... and
> > > > > > thats the
> > > > > > only thing thats ever mentioned having being expired.... maybe its
> > > > > > possibly
> > > > > > something seperate that i have to buy? (i went through the
> > > > > > subscription trouble shooter... didnt seem to find anything...)
>
>

Jim Carlock
07-09-2005, 11:52 PM
http://groups-beta.google.com/group/microsoft.public.windowsxp.moviemaker/browse_thread/thread/9edab7c0a087e053/29f898dd0fb79efb?q=subtitds.ax&rnum=5&hl=en#29f898dd0fb79efb

Watch the word wrap there. That link indicates that you might have
a subtitds.ax problem. It also indicates that if the problem is recurrent
you can try renaming that particular file, ie...

C:\Windows\System32\subtitds.xx

It appears to be a Windows Movie Maker file based upon what I've
found on the web. I can't find that file on my particular system, so
I'm only guessing that it is located inside of the system32 folder.

As far as the SpyKiller goes, it appears to be SPYWARE. <g>

Have you tried AdAware and SpyBot Search & Destroy? The
SpyBot S&D is suggested to get rid of the SpyKiller. I haven't
run into the problem myself so I'm just posting from three or
four articles I've read on the Internet.

SpyBot S&D can be found at:
http://www.safer-networking.org/

AdAware is found here:
http://www.lavasoft.com/

For more information about SpyKiller being spyware and how to fix it,
type in the following into Google...

spykiller group:microsoft.public.security

Let us know if that helps.

--
Jim Carlock
Please post replies to newsgroup.

"Lord Loki" wrote:
well... XD i dont wanna be paranoid or anything, but anything "strange" that
happens on my comp i'm gonna post... just now when i logged on the comp the
usual annoying stuff happens (spykiller comes up... forgot how to stop it)
and i wanted to change my bg... like i do almost every time, so i go to
change it and i got an error report, i copied down all the info clicked send,
a web page opened, copied url, and at the same time i got ANOTHER error
report... here they are... they're not like the normal ones with a program or
soemthing >.<

The first one:
Run a DLL as an App has encountered a problem and needs to close. We are
sorry for the inconvenience.

Error signature
AppName: rundll32.exe
ModVer: 1.4.0.0
App Ver: 5.1.2600.2180
ModName: subtitds.ax
Offset: 000066a2

dont know if thats just happenstance, or if its some STUPID thing caused by
whatever it is (i'm not even sure its still there... maybe i have the damage
left over?) Thanks again

"Jim Carlock" wrote:

> The previous link I provided might have scanned my computer.
>
> Try this link: http://www.grc.com/default.htm. When you get there,
> Search for Shield's Up! and click on that link. Let me know.
>
> --
> Jim Carlock
> Please post replies to newsgroup.

Lord Loki
07-09-2005, 11:53 PM
ok, sorry i meant to tell you guys that i would be away this weekend >.> but
as i was typing the message i /HAD/ to go... yeah... so i'm really sorry

anyways...
so... it was just some glitch with movie maker? (odd.... i havent ever even
tried opening that program since the day i got my comp...)

thats odd.... if Spykiller is spyware... >.> i have it licensed... so i
think it was bought... (not by me in particular) but i may delete it and use
spybot >.> *doesnt trust free things too much*

well, when i was offline i fixed a few things...(and discovered a few more)
like i went to msconfig and removed spykiller from autostarting everytime i
came on... as well as a few things... however theres a TON there i dont know
what they are so i'm hoping its NOT a virus or anything >.>

well, that program that wouldnt work, psp8, i was really bored and wanted to
do something, so i went into the program files and tried opening it from
there (i dont know why i didnt before), and it still popped up with the
installing stuff, however after canceling it about 6 times the program came up
and works the same as always (i knew it was still there), so i redid all the
links to that one (because the others wouldnt work no matter what) and now i
can use it after pressing esc 5 times... >.> an improvement but still a pain
and confusing (like i log on and must press esc 3 times too...)

then some strange stuff happened... like for one, i'm offline with my
computer, practically nothing to do but watch stuff... i went into norton just
to look around and it has some threats area, and i look in and on the
"protected" side it said W32 (i'm not positive which one to be precise) and
on the "unprotected" side there wasnt anything, i was like "ok good" about a
few hours later a thing popped up on the bottom right talking about being
unprotected against a rapidly spreading threat, i look and its the same one,
now on the UNprotected side (i'm 98% positive its the same, and its:
W32.Sober.O@mm ) which i find very odd since... I'M NOT ON THE WEB!!!!!
and the strangest part of all... my virus stuff is updated since the 27th,
but.... below the w32 threat it says "Data current of Monday, May 02, 2005,
3:16:00 PM" <---?!!!!! thats almost a month ago, and NOW it tells me
something, and even though i'm all UP TO DATE, nothing removes it. >.<
it also popped up and said "norton is ready to scan thumbs.exe" or
"explorer.exe" (im pretty sure those are the files) over and over and over
again, for no apparent reason...

and the other strange and /REALLY/ bad thing is that when i go to "Protect
Me Now" the only thing it says is to turn on auto-protect, and it "turns it
on" but it really doesnt, i've tried myself over and over and over again, its
not coming on anymore.... right this second its flashing on the bottom and i
still cannot turn it on

then, i may have done something, because i connected to a foreign wireless
server, in fact a few, and i dont believe i turned anything off or anything,
just allowed myself to connect, but today i found out that windows firewall
is turned off... at least between wireless connections (maybe all together),
so i turned that on

so i have a feeling (i'm not even sure its possible) that norton itself is
infected by a virus... (i dont think its a hacker if it happened when i'm
offline...) so I think i should uninstall Norton and reinstall it.... would
that fix anything you think? the auto protect, the intelligent update not
working, the not scanning in safe mode and the strange alerts? >.<

hee hee, i'm sorry you have to read that long and horrendous post but... its
important >.> :P thank you guys so much

"Jim Carlock" wrote:

> http://groups-beta.google.com/group/microsoft.public.windowsxp.moviemaker/browse_thread/thread/9edab7c0a087e053/29f898dd0fb79efb?q=subtitds.ax&rnum=5&hl=en#29f898dd0fb79efb
>
> Watch the word wrap there. That link indicates that you might have
> a subtitds.ax problem. It also indicates that if the problem is recurrent
> you can try renaming that particular file, ie...
>
> C:\Windows\System32\subtitds.xx
>
> It appears to be a Windows Movie Maker file based upon what I've
> found on the web. I can't find that file on my particular system, so
> I'm only guessing that it located inside of the system32 folder.
>
> As far as the SpyKiller goes, it appears to be SPYWARE. <g>
>
> Have you tried AdAware and SpyBot Search & Destroy? The
> SpyBot S&D is suggested to get rid of the SpyKiller. I haven't
> run into the problem myself so I'm just posting from three or
> four articles I've read on the Internet.
>
> SpyBot S&D can be found at:
> http://www.safer-networking.org/
>
> AdAware is found here:
> http://www.lavasoft.com/
>
> For more information about SpyKiller being spyware and how to fix it,
> type in the following into Google...
>
> spykiller group:microsoft.public.security
>
> Let us know if that helps.
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
> "Lord Loki" wrote:
> well... XD i dont wanna be paranoid or anything, but anything "strange" that
> happens on my comp i'm gonna post... just now when i logged on the comp the
> usual annoying stuff happens (spykiller comes up... forgot how to stop it)
> and i wanted to change my bg... like i do almost every time, so i go to
> change it and i got an error report, i copied down all the info clicked send,
> a web page opened, copied url, and at the same time i got ANOTHER error
> report... here they are... they're not like the normal ones with a program or
> soemthing >.<
>
> The first one:
> Run a DLL as an App has encountered a problem and needs to close. We are
> sorry for the inconvenience.
>
> Error signature
> AppName: rundll32.exe
> ModVer: 1.4.0.0
> App Ver: 5.1.2600.2180
> ModName: subtitds.ax
> Offset: 000066a2
>
> dont know if thats just happenstance, or if its some STUPID thing caused by
> whatever it is (i'm not even sure its still there... maybe i have the damage
> left over?) Thanks again
>
> "Jim Carlock" wrote:
>
> > The previous link I provided might have scanned my computer.
> >
> > Try this link: http://www.grc.com/default.htm. When you get there,
> > Search for Shield's Up! and click on that link. Let me know.
> >
> > --
> > Jim Carlock
> > Please post replies to newsgroup.
>
>
>

Jim Carlock
07-09-2005, 11:53 PM
"Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
> thats odd.... if Spykiller is spyware... >.> i have it licensed... so i
> think it was bought... (not by me in particular) but i may delete it and use
> spybot >.> *doesnt trust free things too much*

:-) There's some stuff out there that is spyware but they give it a name like
SpyKiller to make you think it's not.

Just Google the word SpyKiller site:
http://groups-beta.google.com/groups?as_q=SpyKiller&as_ugroup=microsoft.public.security

Read the links there.

It definitely sounds like you've got some open ports and multiple issues.
There's some free stuff that works.

Just because a cop wears a badge, does that mean the cop never commits
any crimes? If they're speeding 40 miles over the speed limit to catch
someone that is doing 5 miles over the speed limit, who's right and who's
wrong? If you believe the cops are right, you'll let them write you up a
ticket and then pay the ticket or you might slip the cop a $20 bill to get
out of it. I'm speaking from past experience.

> well, when i was offline i fixed a few things...(and discovered a few
> more) like i went to msconfig and removed spykiller from autostarting
> everytime i came on... as well as a few things... however theres a
> TON there i dont know what they are so i'm hoping its NOT a virus
> or anything >.>

Get the two links I suggested. :-)

> SpyBot Search & Destroy can be found at:
> http://www.safer-networking.org/
>
> AdAware is found here:
> http://www.lavasoft.com/

If you have any questions about running either of those feel free to
ask. Post back and let us know what's up after you use those two
products.

The way viruses work, is that they reload themselves in very ingenious
ways. Do a search for files dated later than a future date... for example
for files dated one day older than today. Most of the files found will
probably be some form of virus, trojan or whatever. Before you delete
anything, post back and let us know what you've found.

Something else you might want to try is the Microsoft AntiSpyware.
I know for a fact that it provides false positives in at least one case.
But it might be helpful in your case. It's also FREE. :-) Sometimes
FREE stuff is good.

--
Jim Carlock
Please post replies to newsgroup.



"Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
well, that program that wouldnt work, psp8, i was really bored and wanted to
do something, so i went into the program files and tried opening it from
there (i dont know why i didnt before), and it still popped up wuth the
installing stuff, however after cancling it about 6 times the program came up
and works the same as always (i knew it was still there), so i redid all the
links to that one (because the others wouldnt work no matter what) and now i
can use it after pressing esc 5 times... >.> an improvement but still a pain
and confusing (like i log on and must press esc 3 times too...)

then some strange stuff happened... like for one, i'm offline with my
computer, practially nothing to do but watch stuff... i went into norton just
to loook around and it has some threats area, and i look in and on the
"protected" side it said W32 (i'm not possitive which one to be precise) and
on the "unprotected" side there wasnt anything, i was like "ok good" about a
few hours later a thng popped up on the bottom right talking about being
unprotected against a rapidly spreading threat, i look and its the same one,
now on the UNprotected side (i'm 98% positive its the same, and its:
W32.Sober.O@mm ) which i find very odd since... I'M NOT ON THE WEB!!!!!
and the strangest part of all... my virus stuff is updated since the 27th,
but.... below the w32 threat it says "Data current of Monday, May 02, 2005,
3:16:00 PM" <---?!!!!! thats almost a month ago, and NOW it tells me
something, and even though i'm all UP TO DATE, nothing removes it. >.<
it also popped up and said "norton is ready to scan thumbs.exe" or
"explorer.exe" (im pretty sure those are the files) over and over and over
again, for no apparent reason...

and the other strange and /REALLY/ bad thing is that when i go to "Protect
Me Now" the only thing it says is to turn on auto-protect, and it "turns it
on" but it really doesnt, i've tried myself over and over and over again, its
not coming on anymore.... right this second its flashing on the bottom and i
still cannot turn it on

then, i may have done something, because i connected to a foreign wireless
server, infact a few, and i dont believe i turned anything off or anything,
just allowed myself to connect, but today i found out that windows firewall
is turned off... atleast between wireless connections (maybe all together),
so i turned that on

so i have a feeling (i'm not even sure its possible) that norton itself is
infected by a virus... (i dont think its a hacker if it happened when i'm
offline...) so I think i should uninstall Norton and reinstall it.... would
that fix anything you think? the auto protect, the intellegent update not
working, the not scanning in safe mode and the strange alerts? >.<

hee hee, i'm sorry you have to read that long and horrendous post but... its
important >.> :P thank you guys so much

"Jim Carlock" wrote:

> http://groups-beta.google.com/group/microsoft.public.windowsxp.moviemaker/browse_thread/thread/9edab7c0a087e053/29f898dd0fb79efb?q=subtitds.ax&rnum=5&hl=en#29f898dd0fb79efb
>
> Watch the word wrap there. That link indicates that you might have
> a subtitds.ax problem. It also indicates that if the problem is recurrent
> you can try renaming that particular file, ie...
>
> C:\Windows\System32\subtitds.xx
>
> It appears to be a Windows Movie Maker file based upon what I've
> found on the web. I can't find that file on my particular system, so
> I'm only guessing that it located inside of the system32 folder.
>
> As far as the SpyKiller goes, it appears to be SPYWARE. <g>
>
> Have you tried AdAware and SpyBot Search & Destroy? The
> SpyBot S&D is suggested to get rid of the SpyKiller. I haven't
> run into the problem myself so I'm just posting from three or
> four articles I've read on the Internet.
>
> SpyBot S&D can be found at:
> http://www.safer-networking.org/
>
> AdAware is found here:
> http://www.lavasoft.com/
>
> For more information about SpyKiller being spyware and how to fix it,
> type in the following into Google...
>
> spykiller group:microsoft.public.security
>
> Let us know if that helps.
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
> "Lord Loki" wrote:
> well... XD i dont wanna be paranoid or anything, but anything "strange" that
> happens on my comp i'm gonna post... just now when i logged on the comp the
> usual annoying stuff happens (spykiller comes up... forgot how to stop it)
> and i wanted to change my bg... like i do almost every time, so i go to
> change it and i got an error report, i copied down all the info clicked send,
> a web page opened, copied url, and at the same time i got ANOTHER error
> report... here they are... they're not like the normal ones with a program or
> soemthing >.<
>
> The first one:
> Run a DLL as an App has encountered a problem and needs to close. We are
> sorry for the inconvenience.
>
> Error signature
> AppName: rundll32.exe
> ModVer: 1.4.0.0
> App Ver: 5.1.2600.2180
> ModName: subtitds.ax
> Offset: 000066a2
>
> dont know if thats just happenstance, or if its some STUPID thing caused by
> whatever it is (i'm not even sure its still there... maybe i have the damage
> left over?) Thanks again
>
> "Jim Carlock" wrote:
>
> > The previous link I provided might have scanned my computer.
> >
> > Try this link: http://www.grc.com/default.htm. When you get there,
> > Search for Shield's Up! and click on that link. Let me know.
> >
> > --
> > Jim Carlock
> > Please post replies to newsgroup.
>
>
>
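
The file-date search suggested in the post above can be scripted so the results are listed for review rather than acted on. This is an added example, not part of the original thread; the function names and the one-day tolerance are assumptions, and a future timestamp is only a lead to examine, since a wrong system clock or a copied archive produces the same result.

```python
import os
import tempfile
import time

DAY = 86400  # seconds


def find_future_dated(root, now=None, tolerance=DAY):
    """List files under root whose timestamps lie more than `tolerance`
    seconds after `now`. Nothing is modified or deleted."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks
            except OSError:
                continue  # locked or vanished file: skip, keep scanning
            stamps = {
                "modified": st.st_mtime,
                # creation time on Windows, inode change time on Unix
                "created_or_changed": st.st_ctime,
            }
            ahead = {k: v - now for k, v in stamps.items()
                     if v - now > tolerance}
            if ahead:
                hits.append({
                    "path": path,
                    "fields": sorted(ahead),
                    "ahead_days": round(max(ahead.values()) / DAY, 1),
                })
    # Furthest in the future first.
    hits.sort(key=lambda h: h["ahead_days"], reverse=True)
    return hits


def demo():
    """Build a constructed sample tree and return the flagged file names."""
    now = time.time()
    samples = (
        ("old.dll", -30 * DAY),       # ordinary old file
        ("clock_skew.tmp", 3600),     # one hour ahead: inside tolerance
        ("future.exe", 3 * DAY),      # three days ahead: reported
    )
    with tempfile.TemporaryDirectory() as root:
        for name, offset in samples:
            path = os.path.join(root, name)
            open(path, "wb").close()
            os.utime(path, (now + offset, now + offset))
        return [os.path.basename(h["path"])
                for h in find_future_dated(root, now=now)]


if __name__ == "__main__":
    print(demo())
```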

Lord Loki
07-09-2005, 11:53 PM
hmmm... in that case deleting XD, i've had it for a year now though, i hope
it didnt delete anything important... >.<

yeah i've had adaware for quite a while, a year or so at least, i just need
that spybot thing... ^^ i'll dl it now

microsoft antispyware.... found at the microsoft site? *goes to look*

hmmm, i'll check again, but i already did check for files dated later and i
didnt find any >.< (which is good i guess)

ok... on a quick side note since i cant seem to find it, since i
reconfigured a few things (start up stuff) every time i click a link on the
web all the text gets really big and bold, where do you change that? i looked
in the options, but i cant find it anymore...

so... do you think i should uninstall and reinstall norton or not??? (auto
protect is back on... it seems to come on about half the times i turn on the
comp)

(yeah i know, i hate paying for things too... I just want to be positive
something is good if its free... XD like i wasnt the one to install spykiller
so i didnt check it out, but everything else thats free i make sure it wont
be full of adware or whatnot)

thanks, i'll post to tell you if anything is found from spybot ^^ (well i'm
sure a lot will be, anything outside my cookies cache i mean)
> :-) There's some stuff out there that is spyware but they give it a name like
> SpyKiller to make you think it's not.
>
> Just Google the word SpyKiller site:
> http://groups-beta.google.com/groups?as_q=SpyKiller&as_ugroup=microsoft.public.security
>
> Read the links there.
>
> It definitely sounds like you've got some open ports and multiple issues.
> There's some free stuff that works.
>
> Just because a cop wears a badge, does that mean the cop never commits
> any crimes? If they're speeding 40 miles over the speed limit to catch
> someone that is doing 5 miles over the speed limit, who's right and who's
> wrong? If you believe the cops are right, you'll let them write you up a
> ticket and then pay the ticket or you might slip the cop a $20 bill to get
> out of it. I'm speaking from past experience.
>
> > well, when i was offline i fixed a few things...(and discovered a few
> > more) like i went to msconfig and removed spykiller from autostarting
> > everytime i came on... as well as a few things... however theres a
> > TON there i dont know what they are so i'm hoping its NOT a virus
> > or anything >.>
>
> Get the two links I suggested. :-)
>
> > SpyBot Search & Destroy can be found at:
> > http://www.safer-networking.org/
> >
> > AdAware is found here:
> > http://www.lavasoft.com/
>
> If you have any questions about running either or those feel free to
> ask. Post back and let us know what's up after you use those two
> products.
>
> The way viruses work, is that they reload themselves in very ingenious
> ways. Do a search for files dated later than a future date... for example
> for files dated one day older than today. Most of the files found will
> probably be some form of virus, trojan or whatever. Before you delete
> anything, post back and let us know what you've found.
>
> Something else you might want to try is the Microsoft AntiSpyware.
> I know for a fact that it provides false positives in at least one case.
> But it might be helpful in your case. It's also FREE. :-) Sometimes
> FREE stuff is good.
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
>
>
> "Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
> well, that program that wouldnt work, psp8, i was really bored and wanted to
> do something, so i went into the program files and tried opening it from
> there (i dont know why i didnt before), and it still popped up wuth the
> installing stuff, however after cancling it about 6 times the program came up
> and works the same as always (i knew it was still there), so i redid all the
> links to that one (because the others wouldnt work no matter what) and now i
> can use it after pressing esc 5 times... >.> an improvement but still a pain
> and confusing (like i log on and must press esc 3 times too...)
>
> then some strange stuff happened... like for one, i'm offline with my
> computer, practially nothing to do but watch stuff... i went into norton just
> to loook around and it has some threats area, and i look in and on the
> "protected" side it said W32 (i'm not possitive which one to be precise) and
> on the "unprotected" side there wasnt anything, i was like "ok good" about a
> few hours later a thng popped up on the bottom right talking about being
> unprotected against a rapidly spreading threat, i look and its the same one,
> now on the UNprotected side (i'm 98% positive its the same, and its:
> W32.Sober.O@mm ) which i find very odd since... I'M NOT ON THE WEB!!!!!
> and the strangest part of all... my virus stuff is updated since the 27th,
> but.... below the w32 threat it says "Data current of Monday, May 02, 2005,
> 3:16:00 PM" <---?!!!!! thats almost a month ago, and NOW it tells me
> something, and even though i'm all UP TO DATE, nothing removes it. >.<
> it also popped up and said "norton is ready to scan thumbs.exe" or
> "explorer.exe" (im pretty sure those are the files) over and over and over
> again, for no apparent reason...
>
> and the other strange and /REALLY/ bad thing is that when i go to "Protect
> Me Now" the only thing it says is to turn on auto-protect, and it "turns it
> on" but it really doesnt, i've tried myself over and over and over again, its
> not coming on anymore.... right this second its flashing on the bottom and i
> still cannot turn it on
>
> then, i may have done something, because i connected to a foreign wireless
> server, in fact a few, and i dont believe i turned anything off or anything,
> just allowed myself to connect, but today i found out that windows firewall
> is turned off... at least between wireless connections (maybe all together),
> so i turned that on
>
> so i have a feeling (i'm not even sure its possible) that norton itself is
> infected by a virus... (i dont think its a hacker if it happened when i'm
> offline...) so I think i should uninstall Norton and reinstall it.... would
> that fix anything you think? the auto protect, the intelligent update not
> working, the not scanning in safe mode and the strange alerts? >.<
>
> hee hee, i'm sorry you have to read that long and horrendous post but... its
> important >.> :P thank you guys so much
>
> "Jim Carlock" wrote:
>
> > http://groups-beta.google.com/group/microsoft.public.windowsxp.moviemaker/browse_thread/thread/9edab7c0a087e053/29f898dd0fb79efb?q=subtitds.ax&rnum=5&hl=en#29f898dd0fb79efb
> >
> > Watch the word wrap there. That link indicates that you might have
> > a subtitds.ax problem. It also indicates that if the problem is recurrent
> > you can try renaming that particular file, ie...
> >
> > C:\Windows\System32\subtitds.xx
> >
> > It appears to be a Windows Movie Maker file based upon what I've
> > found on the web. I can't find that file on my particular system, so
> > I'm only guessing that it is located inside of the system32 folder.
> >
> > As far as the SpyKiller goes, it appears to be SPYWARE. <g>
> >
> > Have you tried AdAware and SpyBot Search & Destroy? The
> > SpyBot S&D is suggested to get rid of the SpyKiller. I haven't
> > run into the problem myself so I'm just posting from three or
> > four articles I've read on the Internet.
> >
> > SpyBot S&D can be found at:
> > http://www.safer-networking.org/
> >
> > AdAware is found here:
> > http://www.lavasoft.com/
> >
> > For more information about SpyKiller being spyware and how to fix it,
> > type in the following into Google...
> >
> > spykiller group:microsoft.public.security
> >
> > Let us know if that helps.
> >
> > --
> > Jim Carlock
> > Please post replies to newsgroup.
> >
> > "Lord Loki" wrote:
> > well... XD i dont wanna be paranoid or anything, but anything "strange" that
> > happens on my comp i'm gonna post... just now when i logged on the comp the
> > usual annoying stuff happens (spykiller comes up... forgot how to stop it)
> > and i wanted to change my bg... like i do almost every time, so i go to
> > change it and i got an error report, i copied down all the info clicked send,
> > a web page opened, copied url, and at the same time i got ANOTHER error
> > report... here they are... they're not like the normal ones with a program or
> > something >.<
> >
> > The first one:
> > Run a DLL as an App has encountered a problem and needs to close. We are
> > sorry for the inconvenience.
> >
> > Error signature
> > AppName: rundll32.exe
> > ModVer: 1.4.0.0
> > App Ver: 5.1.2600.2180
> > ModName: subtitds.ax
> > Offset: 000066a2
> >
> > dont know if thats just happenstance, or if its some STUPID thing caused by
> > whatever it is (i'm not even sure its still there... maybe i have the damage
> > left over?) Thanks again
> >
> > "Jim Carlock" wrote:
> >
> > > The previous link I provided might have scanned my computer.
> > >
> > > Try this link: http://www.grc.com/default.htm. When you get there,
> > > Search for Shield's Up! and click on that link. Let me know.
> > >
> > > --
> > > Jim Carlock
> > > Please post replies to newsgroup.
> >
> >
> >
>
>
>

Jim Carlock
07-09-2005, 11:53 PM
The link for the Microsoft AntiSpyWare software...
http://www.microsoft.com/athome/security/spyware/software/default.mspx

--
Jim Carlock
Please post replies to newsgroup.

Lord Loki
07-09-2005, 11:53 PM
ok, thank you, i downloaded and installed it and then i ran it, and it found
some stuff, all but one i deleted (that one i quarantined since it was a
bunch of registry keys and it wanted to quarantine itself) also i used the
spybot thing and it found a few things (before microsoft) and some infected
registry keys.... i kinda got a little confused about what was happening so i
may have deleted the keys without realizing it.... >.> but at least it set up
a restore point (if restore would even work)
that program was... strange.... reading the license agreement was kinda
amusing.... i just hope its a good program....... >.<

XD so..... now what??? think its.....gone? and damage left over? and the
norton problem is separate, or its a norton problemo????

"Jim Carlock" wrote:

> The link for the Microsoft AntiSpyWare software...
> http://www.microsoft.com/athome/security/spyware/software/default.mspx
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
>
>

Lord Loki
07-09-2005, 11:54 PM
OK, I want to thank you guys for your help...
but unfortunately things got way worse... to the point i could barely even
use two things at once (be it two web pages, two messenger things, two
programs) without the use of task manager
so I reinstalled windows... so its all over ^^
thank you for your assistance though, and now i know NOT to ever bypass the
system in its warnings..... >.> ^^

