OT - New Trojan?

http://www.cexx.org/adware.htm
http://www.pchell.com/support/spyware.shtml
http://www.spyware.co.uk/remove.shtml
http://grc.com/intro.htm

Here are some links that should help with bot removal. Just for fun I
took an un-scanned system and installed:
Adaware
SpyBot Search and Destroy
Spyware Blaster
Spy Sweeper
And Pest Patrol

I ran them in no particular order. They ALL found something. I guess
this means that no one program "does it all".

Shirley Graver
Systems Administrator
Rubber Associates

Anybody come across this behavior on any of their workstations yet? I saw
this for the first time this morning on one of my workstations, when a user
asked me about it. You click on a commonly accessed benign URL in Internet
Explorer (our own web site), and get a site you didn't want. Then the
Internet Explorer Address dropdown box shows a list of porn sites and ad
sites. The workstation was not accessed overnight as far as I can
determine, and was OK yesterday at 5:00pm. Can't figure how/when that got
in, but I guess it could have had a timer on it. All users know better than
to open strange emails and click on suspicious sites. But if this comes in
by piggybacking on a harmless URL, that's going to be hard to beat.

I ran Spybot on that workstation and scanned with latest McAfee - looks
clean now. Anybody know anything about this particular trojan? It would be
good to know how and when it might have got in. Any thoughts or theories
would be appreciated. Maybe I'm just not fully educated on every one of the
thousands of viruses and trojans out there, but I haven't heard of anything
like this before.

Gary Polvinale
Denton ATD


Can't swear it is the same thing but once I saw a similar activity and noticed in the startup programs (in System Information - System Config) there was an odd one listed. Something like "Adware". When I deleted it and the .exe it pointed to, the funny behavior went away. Actually it was more disturbing than you have described because it would spontaneously start IE and start popping up numerous very graphic porn sites with no warning. It was on the Executive Secretary's PC in full view just outside the Owner/Chairman's office. We think it originated when she clicked on a link in an email to go to a web site to buy the "Iraqi Most Wanted" cards (I tell them and tell them and tell them...NO NO NO but....). I suspect it ran a script that loaded the startup program. This same type of script could have been accessed the usual way as well - by visiting a less than credible site.

-Todd C.

-----Original Message-----
From: Gary Polvinale [mailto:garyp@...]
Sent: Thursday, September 04, 2003 9:35 AM
To: vantage@yahoogroups.com
Subject: [Vantage] OT - New Trojan?


Anybody come across this behavior on any of their workstations yet? I saw
this for the first time this morning on one of my workstations, when a user
asked me about it. You click on a commonly accessed benign URL in Internet
Explorer (our own web site), and get a site you didn't want. Then the
Internet Explorer Address dropdown box shows a list of porn sites and ad
sites. The workstation was not accessed overnight as far as I can
determine, and was OK yesterday at 5:00pm. Can't figure how/when that got
in, but I guess it could have had a timer on it. All users know better than
to open strange emails and click on suspicious sites. But if this comes in
by piggybacking on a harmless URL, that's going to be hard to beat.

I ran Spybot on that workstation and scanned with latest McAfee - looks
clean now. Anybody know anything about this particular trojan? It would be
good to know how and when it might have got in. Any thoughts or theories
would be appreciated. Maybe I'm just not fully educated on every one of the
thousands of viruses and trojans out there, but I haven't heard of anything
like this before.

Gary Polvinale
Denton ATD


Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and Crystal Reports and other 'goodies', please goto: http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto: http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto: http://groups.yahoo.com/group/vantage/links

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service <http://docs.yahoo.com/info/terms/> .




Sounds to me like you are the victim of a BHO - AKA Browser Hijack.
There's a great program out there called hijackthis.
BHO's can come from any legitimate web site that has been embedded
with BHO.

You can get hijackthis at:
http://www.tomcoyote.org/hjt/

Learn more about BHO's at
http://www.spywareinfo.com/downloads.php

Hope that helps

James Piper
Our President had something very similar last week. There was a program in
the "c:\winnt\downloaded programs" directory that I had to remove then I had
to run regsvr32 /u on an OCX. It hijacked his default web page. I did a
search on yahoo for the new default web page and found a description of what
it was doing and all the steps to take to get rid of it. It was very
involved. I had to do it twice because when one part was uninstalled,
another program would reinstall it. It was a mess.

Jeremy Leonard
IT Manager
K-T Corporation
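
The places named in the replies so far (startup programs, Browser Helper Objects, the ActiveX download folder, the IE home page) can be listed without third-party tools. The PowerShell script below is an added example, not something posted by the list members; it assumes PowerShell 3.0 or later (which post-dates this thread) and the stock folder name "Downloaded Program Files", and it only reads, so nothing is deleted or unregistered.

```powershell
# Added example (not from the thread): read-only inventory of the hijack
# locations discussed above. Function names are this example's own.

function Get-RegistryValue {
    # List every value under one registry key as Source/Name/Value rows.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Source = $Path; Name = $name; Value = $key.GetValue($name) }
    }
}

function Get-FileSigner {
    # Authenticode status of a file; 'Missing' when the path does not resolve.
    param([string]$File)
    if (-not $File) { return 'NoPath' }
    $expanded = [Environment]::ExpandEnvironmentVariables($File.Trim('"'))
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) { return 'Missing' }
    (Get-AuthenticodeSignature -LiteralPath $expanded).Status.ToString()
}

function Get-StartupEntry {
    # Programs launched at logon (the "startup programs" list).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) { Get-RegistryValue -Path $k }
}

function Get-BrowserHelperObject {
    # Each subkey name is the CLSID of a DLL that Internet Explorer loads.
    $views = @(
        @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Cls = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Cls = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
    )
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $sub.PSChildName
            $server = '{0}\{1}\InprocServer32' -f $view.Cls, $clsid
            $dll    = $null
            if (Test-Path -LiteralPath $server) {
                # The default value of InprocServer32 is the DLL path.
                $dll = (Get-Item -LiteralPath $server).GetValue('')
            }
            [pscustomobject]@{ Clsid = $clsid; Dll = $dll; Signer = Get-FileSigner $dll }
        }
    }
}

function Get-ActiveXCacheFile {
    # Files in the ActiveX download folder, newest first.
    $dir = Join-Path $env:SystemRoot 'Downloaded Program Files'
    if (-not (Test-Path -LiteralPath $dir)) { return }
    Get-ChildItem -LiteralPath $dir -Force -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime,
            @{ n = 'Signer'; e = { Get-FileSigner $_.FullName } }
}

function Get-IEStartPage {
    # Home and search page settings that a hijacker rewrites.
    Get-RegistryValue -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' |
        Where-Object { $_.Name -in 'Start Page', 'Search Page' }
}

'--- Startup entries ---';        Get-StartupEntry        | Format-Table -AutoSize -Wrap
'--- Browser Helper Objects ---'; Get-BrowserHelperObject | Format-Table -AutoSize -Wrap
'--- ActiveX download folder ---'; Get-ActiveXCacheFile   | Format-Table -AutoSize -Wrap
'--- IE start/search page ---';   Get-IEStartPage         | Format-Table -AutoSize -Wrap
```

Saving the output before cleanup and again after a reboot, then comparing the two, shows whether one component has reinstalled another.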


I have a similar situation on our Shipping/Receiving workstation -- and
NOTHING seems able to remove it. Not only that, but it seems to have
disabled the UPS worldship software.

By the way, Ad-aware is a legitimate piece of software that detects planted
cookies. I'm going to try reinstalling Internet Explorer on that computer
and see if it helps. Otherwise, I think it's a reload of the OS.

Lydia

IS Administrator
Canyon Engineering Products
661-294-0084 x115



-----Original Message-----
From: Todd Caughey [mailto:caugheyt@...]
Sent: Thursday, September 04, 2003 8:17 AM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] OT - New Trojan?


Can't swear it is the same thing but once I saw a similar activity and
noticed in the startup programs (in System Information - System Config)
there was an odd one listed. Something like "Adware". When I deleted it
and the .exe it pointed to, the funny behavior went away. Actually it was
more disturbing than you have described because it would spontaneously start
IE and start popping up numerous very graphic porn sites with no warning.
It was on the Executive Secretary's PC in full view just outside the
Owner/Chairman's office. We think it originated when she clicked on a link
in an email to go to a web site to buy the "Iraqi Most Wanted" cards (I tell
them and tell them and tell them...NO NO NO but....). I suspect it ran a
script that loaded the startup program. This same type of script could have
been accessed the usual way as well - by visiting a less than credible site.

-Todd C.

Reinstalling won't help. Pest Patrol usually does a very good job of
cleaning out that junk, and there is a very real difference between
"adware" and Adaware. What I'm finding is that it's an arms race with
the creeps. I was on vacation last week and half of those days were
hubby and me in pitched battle with hackers. With all the barriers I
had up they still got by them, so I've added a couple of layers; Pest
Patrol was one of them. Once we fired a couple of shots across THEIR
bow they seemed to lose interest. Without running some special tools a
hijacked browser will just keep getting hijacked. I also found a very
interesting little program from Microsoft, called SECURITY BASE LINE
ANALYSER. www.microsoft.com/technet/security/tools/Tools/mbsahome.asp
It does a very nice job of looking at things that should be closed.

Shirley Graver
Systems Administrator
Rubber Associates Inc.

-----Original Message-----
From: Lydia Coffman [mailto:lcoffman@...]
Sent: Thursday, September 04, 2003 12:13 PM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] OT - New Trojan?

I have a similar situation on our Shipping/Receiving workstation -- and
NOTHING seems able to remove it. Not only that, but it seems to have
disabled the UPS worldship software.

By the way, Ad-aware is a legitimate piece of software that detects planted
cookies. I'm going to try reinstalling Internet Explorer on that computer
and see if it helps. Otherwise, I think it's a reload of the OS.

Lydia

IS Administrator
Canyon Engineering Products
661-294-0084 x115


If anyone is interested ...

I just uploaded 2 of my favorite utilities to the files section of the list
...

ISFWL - 108K .... a very small utility that you can run that will purge IE -
cookies, history, web pages, etc ... I use this several times a day at work
and at home to clean out the accumulated muck from IE ...

SSFSETUP40 - 1,165K ... An anti-Spyware/Adware utility ... very nice ... same
basic concept as anti-virus software ... you install it and then download
the current spyware/adware definitions and it then scans your PC for any
references and then gives you the option to delete whatever it finds. I
ran this on a PC that belonged to one of our owners daughter's pc and found
50+ programs along these lines. Her PC had become almost unusable because
web ads and pages were popping up almost continuously.

At any rate ... they're out there

Todd Anderson



thanks, Todd

-----Original Message-----
From: Todd Anderson [mailto:tanderson@...]
Sent: Thursday, September 04, 2003 11:40 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] OT - New Trojan?


If anyone is interested ...

I just uploaded 2 of my favorite utilities to the files section of the list
...

ISFWL - 108K .... a very small utility that you can run that will purge IE -
cookies, history, web pages, etc ... I use this several times a day at work
and at home to clean out the accumulated muck from IE ...

SSFSETUP40 - 1,165K ... An anti-Spyware/Adware utility ... very nice ... same
basic concept as anti-virus software ... you install it and then download
the current spyware/adware definitions and it then scans your PC for any
references and then gives you the option to delete whatever it finds. I
ran this on a PC that belonged to one of our owners daughter's pc and found
50+ programs along these lines. Her PC had become almost unusable because
web ads and pages were popping up almost continuously.

At any rate ... they're out there

Todd Anderson



Sorry. I wasn't ignoring all these great replies to my question. I had my
Outlook delivery message shut off - I have been running Spybot (free) and
Windows Update on all workstations (only finished 17 so far). The Spybot
seems to have removed the problem from IE on the infected workstation. But
from what you guys are saying, it looks like I can expect it back soon.
I'll be checking out all these programs you mentioned. I hope some of them
run automatically - Spybot has to be done manually on each workstation. At
least I'm in good company in this problem. Thanks for all the responses.

Gary


-----Original Message-----
From: Todd Anderson [mailto:tanderson@...]
Sent: Thursday, September 04, 2003 12:40 PM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] OT - New Trojan?


If anyone is interested ...

I just uploaded 2 of my favorite utilities to the files section of the list
...

ISFWL - 108K .... a very small utility that you can run that will purge IE -
cookies, history, web pages, etc ... I use this several times a day at work
and at home to clean out the accumulated muck from IE ...

SSFSETUP40 - 1,165K ... A anti-Spyware/Adware utility ... very nice ... same
basic concept as anti-virus software ... you install it and then download
the current spyware/adware definitions and it then scans your PC for any
references and then gives you the option to delete whatever it finds. I
ran this on a PC that belonged to one of our owners daughter's pc and found
50+ programs along these lines. Her PC had become almost unusable because
web adds and pages were popping up almost continuously.

At any rate ... they're out there

Todd Anderson



-----Original Message-----
From: Lydia Coffman [mailto:lcoffman@...]
Sent: Thursday, September 04, 2003 11:13 AM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] OT - New Trojan?


I have a similar situation on our Shipping/Receiving workstation -- and
NOTHING seems able to remove it. Not only that, but it seems to have
disabled the UPS worldship software.

By the way, Ad-aware is a legitimate piece of software that detects planted
cookies. I'm going to try reinstalling Internet Explorer on that computer
and see if it helps. Otherwise, I think it's a reload of the OS.

Lydia

IS Administrator
Canyon Engineering Products
661-294-0084 x115






Jeremy,

Had you run any cleanup programs? Then have to do this? Or did you just do
it all manually?

Gary


-----Original Message-----
From: Leonard, Jeremy [mailto:jleonard@...]
Sent: Thursday, September 04, 2003 12:11 PM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] OT - New Trojan?


Our President had something very similar last week. There was a program in
the "c:\winnt\downloaded programs" directory that I had to remove then I had
to run regsvr32 /u on an OCX. It hijacked his default web page. I did a
search on yahoo for the new default web page and found a description of what
it was doing and all the steps to take to get rid of it. It was very
involved. I had to do it twice because when one part was uninstalled,
another program would reinstall it. It was a mess.

Jeremy Leonard
IT Manager
K-T Corporation





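The places this thread names (the startup list, the "downloaded programs" directory with its registered OCX controls, and the browser's default page) can be listed in one read-only pass before anything is removed, which matters when one component reinstalls another. This is an added example, not code from any poster; the function names are hypothetical and the registry locations are the standard Windows and Internet Explorer ones.

```powershell
# Read-only inventory for an elevated Windows PowerShell session; it changes nothing.
# Added example: New-Finding, Get-ComServerPath and Get-BrowserPersistence are
# hypothetical names chosen for this illustration.

function New-Finding {
    param($Area, $Key, $Name, $Target, $Detail)
    [pscustomobject]@{ Area = $Area; Key = $Key; Name = $Name; Target = $Target; Detail = $Detail }
}

function Get-ComServerPath {
    param([Parameter(Mandatory)][string]$Clsid)
    # Map a CLSID to the DLL/OCX registered as its in-process server
    # (native view first, then the 32-bit view on 64-bit Windows).
    foreach ($root in 'CLSID', 'Wow6432Node\CLSID') {
        $key = "Registry::HKEY_CLASSES_ROOT\$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            return (Get-Item -LiteralPath $key).GetValue('')   # '' = default value
        }
    }
}

function Get-BrowserPersistence {
    $hklm = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

    # 1. Programs launched at logon (what the System Configuration startup list shows).
    foreach ($root in ($hklm + 'HKCU:\Software')) {
        foreach ($leaf in 'Run', 'RunOnce') {
            $path = "$root\Microsoft\Windows\CurrentVersion\$leaf"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                New-Finding 'Startup' $path $name $key.GetValue($name)
            }
        }
    }

    # 2. ActiveX controls installed through IE, with the OCX/DLL each one maps to
    #    and the URL it was downloaded from (CODEBASE), when recorded.
    foreach ($root in $hklm) {
        $path = "$root\Microsoft\Code Store Database\Distribution Units"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($unit in Get-ChildItem -LiteralPath $path) {
            $info = "$($unit.PSPath)\DownloadInformation"
            $codebase = if (Test-Path -LiteralPath $info) {
                (Get-Item -LiteralPath $info).GetValue('CODEBASE')
            }
            New-Finding 'ActiveX' $path $unit.PSChildName (Get-ComServerPath $unit.PSChildName) $codebase
        }
    }

    # 3. Files sitting in the Downloaded Program Files directory itself.
    $dir = Join-Path $env:SystemRoot 'Downloaded Program Files'
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object {
            New-Finding 'File' $dir $_.Name $_.FullName $_.LastWriteTime
        }
    }

    # 4. Internet Explorer default page settings, per user and machine-wide.
    foreach ($path in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                      'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main') {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL') {
            $value = $key.GetValue($name)
            if ($null -ne $value) { New-Finding 'HomePage' $path $name $value }
        }
    }
}

Get-BrowserPersistence | Sort-Object Area, Name | Format-Table -AutoSize -Wrap
```

Saving the output before and after each cleanup step shows which entries reappear; an entry that comes back points to a second component that is restoring it.
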
Lydia,

By "nothing seems able to remove it", what do you mean? How long was it
till it came back? What are the recurring symptoms? I'm just trying to
gauge what I can expect with the one I'm dealing with.

Gary


-----Original Message-----
From: Lydia Coffman [mailto:lcoffman@...]
Sent: Thursday, September 04, 2003 12:13 PM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] OT - New Trojan?


I have a similar situation on our Shipping/Receiving workstation -- and
NOTHING seems able to remove it. Not only that, but it seems to have
disabled the UPS worldship software.

By the way, Ad-aware is a legitimate piece of software that detects planted
cookies. I'm going to try reinstalling Internet Explorer on that computer
and see if it helps. Otherwise, I think it's a reload of the OS.

Lydia

IS Administrator
Canyon Engineering Products
661-294-0084 x115






I just did it manually.


-----Original Message-----
From: Gary Polvinale [mailto:garyp@...]
Sent: Thursday, September 04, 2003 2:11 PM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] OT - New Trojan?


Jeremy,

Had you run any cleanup programs? Then have to do this? Or did you just do
it all manually?

Gary





Jeremy,

At least I may not have to do that, if the Spybot does its job. We'll see,
I guess, tomorrow. Thanks.

Gary


-----Original Message-----
From: Leonard, Jeremy [mailto:jleonard@...]
Sent: Thursday, September 04, 2003 4:53 PM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] OT - New Trojan?


I just did it manually.




