Good afternoon
This is a reminder message to our new readers who may
not have read the welcome message properly
and our older readers who may have been away for some
time.
This email list is now located at freelists and is
actively submitted to at that location. To subscribe
to the new/active list please send an email to
hackfix-virushelp-request@... with the
subject line
"subscribe" (without the quotes). Be sure to reply
to the confirmation email freelists will send to
complete the process.
If you have any questions regarding this list and its
activity please feel free to email us at
hackfix-virushelp-moderators@.... Please
understand we are not able to advise through that
address on how to remove/detect trojans or anything
to do with antivirus/security programs.
Thank you
Listowners
Another RPC based vulnerability...blaster like possibilities. Patch now:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
Ken
Malicious Code Intelligence Manager
PGP KeyID: 0x6A8AC63F
iDEFENSE Inc. - www.idefense.com
The power of intelligence starts here!
Greetings All,
I just wanted to drop a note to let you know that there are multiple new
worms gaining ground in the wild that you should know about:
BugBear
Opaserv
Kak variant
There's another that's spreading on *nix servers but that's not of concern
to the average home user. The opaserv one is because it spreads through
open shares, which you have if you are broadband and have sharing enabled
with no passwords, etc. Avoid the use of Netbios and sharing on home PCs
where one is connected to the Internet via broadband. Install a firewall
and use updated anti-virus software. Configure your firewall to block all
incoming UDP traffic (find it in the settings if you have that option).
Update against all known vulnerabilities in products like Internet
Explorer - get your updates from Microsoft at microsoft.com. Finally, be
wary of all e-mails containing mixed content and attachments - consider them
infected until proven otherwise. Practice safe computing out there!
Ken Dunham
Senior Intelligence Analyst
iDEFENSE Inc. - http://www.idefense.com/
The power of intelligence starts here
Good Afternoon
This is an administrative posting for
Hackfix-VirusHelp. You are receiving this email
because you are a part of our Hackfix-VirusHelp list
at yahoogroups. You may currently be set as
nomail/vacation and/or digest so we are sending this
email via private email as this is important list
information. This email is being sent as an
Individual email as well as To our list so you may
receive it twice depending on your list settings. We
do apologize for the duplication however we want to
be sure all of our readers are aware of this
important announcement.
Our Hackfix lists have been hosted at yahoogroups for
a few years, we have progressed through the list
changes (from onelist->egroups->yahoogroups) we have
watched as the list formats have changed (placements
of ads etc) and we have dealt with all of yahoogroups
administrative changes regarding charges/marketing
preferences and what not.
It has come to a point in our list that yahoogroups
is no longer suitable for our needs. With that we
have decided to move our list to another AD Free
listserv. One that doesn't require userID's and
preferences and constant checking to be sure our
settings haven't been changed!
We have decided to move our list to Freelists.org.
There is nothing you will need to do as subscribers.
Our subscriber list will be moved over in one easy
step. Your list preferences (regular
email/digest/nomail) settings will remain as you have
them set now.
The only thing you as subscribers to our list will
have to do is change/edit your own personal email
client filters (if applicable) and change the actual
address you post to (hackfix-virushelp@...)
Once our list is moved over to the new listserver you
will be sent a welcome message with an option to
receive an email explaining the different list
options (how to change subscriptions). If anyone has
Any problems with this change please feel free to let
us know (OFFLIST) at
Hackfix-VirusHelp-owner@yahoogroups.com or at
Hackfix-VirusHelp-moderators@... (please
only email to One of the addresses not both to
prevent duplicates)
We do plan on keeping our original yahoogroups
Hackfix-VirusHelp list active to retain the archives
however the Hackfix-VirusHelp@yahoogroups will be a
NO post list. You will no longer receive posts from
that address after our list is completely moved over.
We do understand that some of our readers will not
like this change, however we hope you will give the
new listserver a chance, you may find that you won't
mind the change. For those that don't wish to make
the change to the new list, we are sorry you feel
that way but again we do understand. Please do let
us know if you prefer not to be subscribed to the new
list. We hope not to lose any readers over this
change.
We do apologize for any inconveniences this may
cause. Please bear with us. This notice is being
sent to you 24 hours prior to the list moving. Our
list should be completely transferred to the new
listserver late on Saturday evening/night Posts to
the new list will begin on the new list after the
userbase switch is complete with a personal note from
me to the list (this will help those that need to
edit filters)
Christy on behalf of all of us here at
Hackfix-VirusHelp
Hackfix-VirusHelp@yahoogroups.com
Hackfix-VirusHelp@...
http://www.hackfix.org/
Awwwww..... that just made this a warm fuzzy Friday that I really
needed. Thanks all.
For what it's worth, I have determined that I typically err, or rush to
judgement when I am
reading/replying to the posts here while I am trying to work. So... this
will be my last to
come from this particular fixed IP address. Still got the occasional 10 or
20 minutes to
reply from home though.
.........(hope that "rambled-off" rather than on....)
See ya in the living room!!!!
At 08:16 PM 4/26/2002 +1000, you wrote:
>Dear Mark,
>
>No misunderstanding here. I read, made note, and then thought it useful
>enough to forward to a number of my friends. In fact I've just received
>responses from friends who've encountered precisely the same problem as you
>have, and were relieved to find a solution so close at hand! So thanks for
>deciding to post. I don't know if the rash of replies I got was an
>indication of how far spread the 'lop.com' code is, but it was timely all
>the same.
[Moderators note: Post allowed so Mark could have his $0.02 towards the
missend! Consider Mark's final words here as the End of this thread! Mark on
other topics you better not keep your helpful and informative tidbits to
yourself!]
Sorry. Can't argue with anything you had to say there.
Think I'm gonna lay low for awhile...
Oh, I'll be around, just not quite so visible....
Again, sorry.
Me.
At 06:33 PM 4/25/2002 -0400, you wrote:
>Good evening
>
>It appears Mark has been reading too much email today
><g>. I have a feeling he was reading One post and
>thought he was reading another (it happens to me all
>the time). It seems he has confused two different
>threads/topics. Thinking someone thought he Posted
>an url to an infected site when the url(s) He posted
>were to site(s) that explained/helped/provided
>Removal information for his topic
>
>I hope every one will Disregard this post as a
>missend. Mistakes happen! he won't do it again
>(at least for a few days <g>)
>
>Mark tends to "Ramble on" <g> but his ramblings are
>generally very informative and meant to Help. He
>would Never send anyone to a site of a known
>infection.
>
>Christy
>
>Adding the general: This is an admin type post
>please do not reply to it Or to marks post (in a
>flaming manner) on list please!
>
>*********** REPLY SEPARATOR ***********
>
Dear Mark,
No misunderstanding here. I read, made note, and then thought it useful
enough to forward to a number of my friends. In fact I've just received
responses from friends who've encountered precisely the same problem as you
have, and were relieved to find a solution so close at hand! So thanks for
deciding to post. I don't know if the rash of replies I got was an
indication of how far spread the 'lop.com' code is, but it was timely all
the same.
I might also squeeze in a hearty thanks to a number of you here on the list,
that have offered up nifty solutions in the past few weeks. The solo
'thanks' seldom make the list, but believe me, I and all to whom I forward
your tips are very grateful.
Oh wait...I see Christy's post! If I reply to a mis-send have I mis-sent
too? Do two mis-sends cancel each other out?
[Moderators Note: Nope, we will just pretend Marks mispost never existed and go
on with helping each other as we always have! (this goes for you too mark <g>)]
-Ivana
----- Original Message -----
From: "moverby" <moverby@...>
To: <Hackfix-VirusHelp@yahoogroups.com>
Sent: Friday, April 26, 2002 7:29 AM
Subject: Re: [Hackfix-VirusHelp] hepcatfox
----- Original Message -----
From: "Lim, Franciscus" <Franciscus.Lim@...>
To: <Hackfix-VirusHelp@yahoogroups.com>
Sent: Thursday, April 25, 2002 2:02 PM
Subject: [Hackfix-VirusHelp]
> hi ...
>
> My friend has this problem:
> He can't open Office files and the message "the tahoma font is not present.
> To restore it, click detect and repair on the help "
> After clicking OK, the file open but empty and has squares (check boxes). It
> happens also when he opened Outlook Express, the word is very messy .. has
> squares (check boxes), triangles, circles, etc.
>
> He scan using nimda, fixsirc, F-klez, norton and mc afee...., but still has
> the problems.
>
> Any solutions to this?
> What kind of virus is that?
Change your default font.
On Tue, 23 Apr John Galvin wrote:
>>Hi everyone,
>>I have downloaded Command Anti Virus, and have been using it now for
>>about a week. However, I am not completely happy with it. It doesn't
>>seem to consistently catch virii.
Did you update it? Command AV programs need to be updated like
WINDOWS base antivirus programs.
F-PROT Antivirus for DOS Downloader/Installer/Updater (Free)
http://www.epix.net/%7Eartnpeg/fprot.html
AVP/KAV Antivirus for DOS Updater (Free)
http://www.epix.net/%7Eartnpeg/avpdos.html
McAfee Antivirus for DOS Updater (Free)
http://www.epix.net/%7Eartnpeg/mcafee.html
Babak
Good evening
It appears Mark has been reading too much email today
<g>. I have a feeling he was reading One post and
thought he was reading another (it happens to me all
the time). It seems he has confused two different
threads/topics. Thinking someone thought he Posted
an url to an infected site when the url(s) He posted
were to site(s) that explained/helped/provided
Removal information for his topic
I hope every one will Disregard this post as a
missend. Mistakes happen! he won't do it again
(at least for a few days <g>)
Mark tends to "Ramble on" <g> but his ramblings are
generally very informative and meant to Help. He
would Never send anyone to a site of a known
infection.
Christy
Adding the general: This is an admin type post
please do not reply to it Or to marks post (in a
flaming manner) on list please!
*********** REPLY SEPARATOR ***********
On 4/25/02 at 5:29 PM moverby wrote:
>>Hmmmm........
>
>I don't think people actually READ my email post before they
>responded. Not trying to be mean here, it just seems that I was grossly
>misunderstood.
>One person described activeX controls and then said that they "didn't know
>anything about lop.com."
>Then another person said that they hoped that no one clicked on my URL, and
>that they didn't need me passing around a virus to people in the group.....
>
This weeks Virus Pattern Updates (04/25/2002)
All Software listed Alphabetically by Company name as some
companies manufacture more than one product.
Aladdin Knowledge Systems
Esafe Desktop/Gateway/Enterprise
Last Updated Apr 25/2002
To update your software
Visit: http://www.esafe.com/esafe/downloads/virusig.asp
Or
From the Esafe folder in your Start Menu select Download Updates
~~~~~
AlWil Software
Avast Antivirus
Last Updated Apr 24/2002
To update your software:
Visit: http://www.avast.com/latest.htm
Or
Right click on the AVAST icon in the system tray, Select iAVS Update,
AVAST will check for updates and download the appropriate files as needed.
~~~~~
Command Software Systems
Command antivirus/Fprot
Last Updated Apr 19/2002
To update your software
Visit: http://www.complex.is/f-prot/Download.html (F-Prot)
http://www.commandcom.com/downloads/virus_definition_updates.html (Command)
Or
Open Command antivirus click Update Deffiles
~~~~~
Computer Associates
InoculateIT/E-Trust
Last updated Apr 25/2002
To update your software
For InoculateIT (all versions including E-trust)
http://support.cai.com/Download/virussig.html
Or
From the Respective folder in your Start Menu select Autodownload
For Vet Anti virus
http://www.vet.com.au/html/software/update.html
Be sure to have your Customer ID and your registered email address
handy for verification.
**Note**
We knew this time would come eventually, that Computer Associates would
not continue to support/update the older program
https://www2.my-etrust.com/services/ipe_support??
~~~~~~
GeCad Software
Rav (Reliable AntiVirus)
Last Updated: Apr 25/2002
To update your software:
Visit: http://www.ravantivirus.com/pages/dldupdate.php?type=Daily
Or
Open Rav and select Rav Update from the toolbar
~~~~~
Grisoft Inc.
AVG
Last updated Apr 19/2002
To update your software
Visit: http://www.grisoft.com/html/us_updt.php
Or
Open AVG and click Virus Database to check for updates
Or
Open AVG control centre and click Update Manager/update now
**Note: To help speed up AVG updates you can set your program to use
an alternate download site.
Open AVG control centre->update manager->download from server. The
drop downbox should have listed www.grisoft.com (default) and
www.grisoft.cz. (be sure to select "apply" when done to save the changes)
The default site is most often used so can at times become temporarily
unavailable. By using the secondary site (www.grisoft.cz) helps to ease
the server and makes your update go quicker as most don't use it!
~~~~~
Kaspersky
Kaspersky Anti-Virus (formerly AVP)
Last updated Apr 19/2002
To update your software
Visit: http://www.kasperskylabs.com/updates.asp
Or
Open AVP from the top toolbar click Tools-> Update virus definition
Or
From the Kaspersky folder in your Start Menu select AVP updater
*Note* Avp now has available a cumulative update and a
daily update with the daily being any important items they
feel shouldn't wait till the next cumulative update. Our
dates here are based on the most recent Major update.
**Note: Improved update accessibility. To ease the update web traffic
Kaspersky labs has additional servers for autoupdating. The program
defaults to use one server but can be altered to check a variety of
servers. Select Kaspersky updater, select update via the internet to
open the drop down box(es) select "location" Check the box labeled
"Use alternate locations from the list" select next and next to update.
This option should stay selected after the first time. This helps
Kaspersky lighten the load for updates and helps you obtain updates
easier.
~~~~~
Network Associates
Mcafee
Last updated Apr 24/2002
To update your software
For Mcafee Visit
http://www.nai.com/naicommon/download/dats/superdat.asp
(for Virus and Engine updates)
http://www.nai.com/naicommon/download/dats/mcafee_4x.asp
(for Just virus pattern updates)
For Dr.Solomon's (Product no longer available for new users however
updates still available for current users): Go to the following
Internet site: http://download.mcafee.com/updates/4x.asp
IMPORTANT: When you get to this site you may notice that it refers
to VirusScan. This update is not only for VirusScan. It also works
with Dr.Solomon's.
Or
Open your respective software virus scan scheduler, double click
Auto update, click Run Now to do a manual live update, or click
Schedule to set up a timed live update.
~~~~~
Norman Data Defence
Norman Virus Control
Last updated Apr 22/2002
To update your software
Visit: http://www.norman.com/downloads.shtml#definition_files_updates
Be sure to have your Valid Username and password handy for verification.
Or
From the Norman folder in your Start Menu select Internet Update
**Note Norman Virus Control web updates are only for version prior to
5.0. Norman 5.0 can only be updated via the update in the program itself.
Thunderbyte Anti Virus
Current Version: This product is no longer being supported.
http://www.norman.com/tbav.shtml
~~~~~
Softwin
BitDefender (Previously known as AVX - AntiVirus eXpert as of Nov 06/01)
Last Updated Apr 19/2002
To update your software
Visit: http://www.bitdefender.com/html/updates.php
Or
Open BitDefender select Protection Options->live upgrade
Or
From the BitDefender folder in your Start Menu select Bitdefender Live
Press Release on the software change
http://www.bitdefender.com/press/ref1.php
~~~~~
Sophos
Sophos Anti Virus
Last IDE available Apr 25/2002
To obtain the latest IDE files
Visit: http://www.sophos.com/downloads/ide/
**Note: Sophos does not update as other products do. They update
the Engine/software once a month (or so) to include all the previous
IDE files. New IDE files are available with new virus threats and must
be downloaded individually until the next software update is available.
Our update dates reflect the most recent available IDE file.
~~~~~
Symantec
Nortons AntiVirus
Last updated Apr 24/2002
To update your software
Visit: http://www.symantec.com/avcenter/defs.download.html select
your language -> product from the list
Or
Open Nortons software and click the "live update" button
Or
From the Nortons folder in your Start Menu select LiveUpdate -
Norton Antivirus
~~~~~
**Note** Trend Micro has introduced Pc-cillin2002 which incorporates
their award winning antivirus technology with Firewall protection. For
more information please see:
http://www.antivirus.com/pc-cillin/products/features.htm
Trend Micro
PcCillin
Last updated Apr 23/2002
To update your software
Visit: http://www.antivirus.com/download/pattern.asp
Be sure to have your Registration number handy for verification
Or
Open PcCillin click Update then click Update Now (or Update later
to Schedule a timed update)
~~~~~~~~~
If there is an Anti Virus program that is Not listed here that
you would like to see added to the weekly updates list Please
feel free to let us know.
Remember Your anti virus software is only as good as the user...
If you don't keep it updated it won't provide you with maximum
protection.
This weekly Update will be sent every Thursday on or after
6pm (eastern) to keep you up to date on virus pattern updates
available. Virus patterns are checked for most recent update
date as of 6pm Thursdays.
~~~~
~ Hackfix Project Staff
staff@...
http://www.hackfix.org
3017 St Clair Ave #176
Burlington, Ontario
L7R 3L7
>Hmmmm........
I don't think people actually READ my email post before they
responded. Not trying to be mean here, it just seems that I was grossly
misunderstood.
One person described activeX controls and then said that they "didn't know
anything about lop.com."
Then another person said that they hoped that no one clicked on my URL, and
that they didn't need me passing around a virus to people in the group.....
Folks... I'll make it simple (I never meant for this to get so
confusing)....Just two things......
1. BE VERY AWARE of lop.com (not a clickable URL where I come from)
2. To learn more about how someone can hijack your computer,
learn more about lop.com, or to REMOVE lop.com should you get hit at
sometime, go here:
http://www.spywareinfo.com/index.html (the clickable URL that I
pasted into my original email).
That is it. It's that simple. Please understand that I would never be so
ignorant or inconsiderate as to paste the actual URL into an email that gave
me the virus.. especially to an email posting site that exists for the sole
purpose of helping, rather than harming people.
I'm wondering if I should have maybe gone with my original instinct which
was NOT to post any information about it, but just wait until someone
actually has the problem themselves, and then posts here to the group
looking for a way to fix it.
I'm not trying to stir up trouble.... I'm just thinking that I may have to
limit my posts here to responses. Again...
You will not get the trojan if you visit that site. You WILL learn all
kinds of stuff that can only help you if you click the URL that is pasted
into this email a few lines above.
That is all.
moverby
Ramble on...
Mark
Hello again David (and everybody else too).....
Yeah, I'm aware of all of the stuff you mentioned..... like I said in the
post, it was my friend's machine that actually installed the trojan. I
removed cookies and temp files on my machine just to do a little
preventative maintenance.
I always stay up to date on all of my Microsoft and virus software updates
as everyone should.
Again, I thought my post would mainly serve to inform of a new threat... at
least new in the sense that I have never heard of it or seen anything about
it posted here. I also always set all of my Browser/Java/activeX
components for at the very most, prompt, if not disable... as I always
recommend to everyone I know. And since I am up to date on my Microsoft
update I'm sure that the "Active X thing" that you refer to is still a VERY
REAL ISSUE..... but ONLY if you have the activeX controls in your browser
settings set for active, rather than disabled.
My thinking was that this "lop.com" could have recently, maybe even as
recently as this morning, made themselves a very large presence on the
net. So I guess I wanted to provide a unique post here in the sense that
it would warn, inform, describe, and then actually offer the removal
information and tools as well. That way..... should you or anybody else
get hit, you have this wonderful email full of solutions to the lop.com
trojan already sitting nicely in one of your email boxes.
And finally.... you mentioned this (I quote)...
" I don't know anything about lop.com."
Well...... that was the whole point of my post here. Neither did I, my
friend who got infected, Norton AV 2002, AdAware, etc....
But hopefully you went to that site (after you responded to my post) that I
supplied and read about it. That was really all I wanted anyone to do......
Learn about it. And possibly fix it if they were as unfortunate as some
people apparently have been.
Thanks.
moverby
At 02:35 PM 4/25/2002 -0500, you wrote:
>Hi Mark.
>First off, gee, I didn't know that ctrl+w worked on MSIE for windows. It
>does. Neat. =)
>Second, yes, it can happen. Malicious code can, in certain cases, gain
>control of your computer when you visit a website. It works basically like
>this: They made browsers so that they *allow* websites to run code on your
>computer, if the code is from a "trusted source". So, all a malicious
>webmaster has to do is trick your browser into thinking that her code is
>"trusted". It should be very hard to do that, right? But, unfortunately,
>there are some bugs, particularly in Microsoft Internet Explorer. These
>bugs allow, for example, any object to identify itself as a certain
>(trusted) ActiveX object. And the browser believes it. It's a very old
>bug. There is a fix. But most people haven't gotten the fix.
>If you update Windows, Internet Explorer, etc, using
>http://windowsupdate.microsoft.com , this ActiveX thing is not an issue
>anymore. The pages will just load and say "Done, with errors on page."
>Third, I'm not sure if lop.com uses that security hole I mentioned, or
>any other one for that matter. There are plenty of malicious things a
>webmaster can do even without "full control". I don't know anything about
>lop.com.
>Hope that this helps and is informative, etc. =)
>--David Loyall
>ps, My little explanation of the MSIE hole probably uses wrong terminology,
>or maybe it's just wrong. *shrug* Double check, if it's important.
Ramble on...
Mark
[Moderators Note: I'm beginning to feel like a broken record lately.. It seems
to be an epidemic/infection on this list Just recently. Please remember to
trim your posts when replying! Not directed at this post in specific but to all
who have not been trimming these past few days!]
You're the only one that got the screen shot. I ran my avg, am now at
housecall. Thanks for the info appreciate it.
----- Original Message -----
From: "wxs" <visionww@...>
To: "TexasPatches" <TexasPatches@...>;
<Hackfix-VirusHelp@yahoogroups.com>
Sent: Thursday, April 25, 2002 3:14 PM
Subject: Re: [Hackfix-VirusHelp] hepcatfox
Thanks a lot!
get rid of it and clean out your system
it's an older Klez, wanting to download on your system all its nasty stuff.
hope nobody tried the URL from your screen shot!
I don't need a copy from you
Thanks for all the trouble!
Jooske
http://www.thebostonchannel.com/technology/1413659/detail.html
To be exact, this is the page to the file/cure.
The following URL takes you to a site with complete instructions on removal
of lop.com. The site is Mike Healan's. He is associated with the Lavasoft
people who make Ad-aware which removes spyware applications in case you
don't know of him or this fine application.
http://www.spywareinfo.com/lopgone.html
Good luck and thanks a lot for all your additional info!
this is really very important!
There is a lot going on about browser and system hijacking, so thanks for
posting!
Jooske
http://forums.delphiforums.com/helpcomputer
http://www.security-pro.co.uk/yabb/YaBB.pl
He! check this out! Australian initiative so this IS good!
Big Cats, Giant Panda and the Rain Forest
http://rainforest.care2.com/welcome?w=921987908
----- Original Message -----
From: "moverby"
Sent: Thursday, April 25, 2002 6:17 PM
It basically turns your machine into many things, the most
quantifiable one being an MP3 search engine where your files, your
resources and your CPU are hijacked and used significantly.
I strongly urge EVERYONE to go here, (this is the place that told us
how to remove it, but had other important info as well)
http://www.spywareinfo.com/index.html
Mark
Yes, i'm one of their beta-testers.
It does react like paranoia on everything it can, if you set it to look for
all kinds of file extensions.
For instance TXT and HTML files, PPS, whatever, will even show a txt file
with the word "virus" or "infection" and explanations in other files about
all those matters. You might call some of them false alarms.
It did alarm on animated e-cards, for example, not strange, as those things
are kind of scripts which play automatically at opening, but after sending
them some of the scanned and clean files they have added such false
positives to their database to prevent such alarms.
But i really was a bit confused about an alarm on a list of herbs, where it
alarmed on herbs names.
But it finds about all worms/trojans/executable and other nasties (less the
viruses is my impression)
Jooske
they have a user forum at their www.safersite.com btw.
http://forums.delphiforums.com/helpcomputer
http://www.security-pro.co.uk/yabb/YaBB.pl
He! check this out! Australian initiative so this IS good!
Big Cats, Giant Panda and the Rain Forest
http://rainforest.care2.com/welcome?w=921987908
----- Original Message -----
From: "Edward Greig" <rdc41@...>
To: <Hackfix-VirusHelp@yahoogroups.com>
Sent: Thursday, April 25, 2002 8:15 PM
Subject: [Hackfix-VirusHelp] PestPatrol
Hi
I recently downloaded a program called PestPatrol from
www.sunbelt-software.com This program ($20) is supposed to find all sorts of
'pests' etc that ordinary anti-virus software misses (it found 96 pests on
my Norton 2002 professional internet security protected personal PC -
although all but one was rated a low risk). Has anyone out there seen any
reviews or have any opinions about the effectiveness of this software for
the averagely paranoid internet user:).
Edward
Thanks a lot!
get rid of it and clean out your system
it's an older Klez, wanting to download on your system all its nasty stuff.
hope nobody tried the URL from your screen shot!
I don't need a copy from you
Thanks for all the trouble!
Jooske
http://www.thebostonchannel.com/technology/1413659/detail.html
http://forums.delphiforums.com/helpcomputer
http://www.security-pro.co.uk/yabb/YaBB.pl
He! check this out! Australian initiative so this IS good!
Big Cats, Giant Panda and the Rain Forest
http://rainforest.care2.com/welcome?w=921987908
----- Original Message -----
From: "TexasPatches" <TexasPatches@...>
To: <visionww@...>
Sent: Thursday, April 25, 2002 9:11 PM
Subject: Fw: [Hackfix-VirusHelp] hepcatfox
Here's a screen shot.
----- Original Message -----
From: "wxs" <visionww@...>
To: <Hackfix-VirusHelp@yahoogroups.com>
Sent: Thursday, April 25, 2002 2:29 PM
Subject: Re: [Hackfix-VirusHelp] hepcatfox
If you do a right-mouse click scan on the file, what does it say?
would wait with deleting.
You might like to copy it to a special folder you create on your system
(i have a special folder in which i copy all suspicious and infected stuff
for scanning/testing purposes.)
(complete email + attachment for instance) and zip the whole thing.
After that you might like to delete the original email and attachment and
empty recyclebins of system and email program.
If it is a normal hybris, magistr, mtx, sircam, badtrans, klez
a/b/c/d/d/f/g/h not needed to send it in, if it is something different
please let us know.
(in that case i might like to add it to my zoo, so don't delete please!)
In the search engines only a personal profile of a user with that name
showed up here.
How do you know btw it is an infection if nothing alarmed on it?
Thanks in advance for the info!
Jooske
Hi Mark.
First off, gee, I didn't know that ctrl+w worked on MSIE for windows. It
does. Neat. =)
Second, yes, it can happen. Malicious code can, in certain cases, gain
control of your computer when you visit a website. It works basically like
this: They made browsers so that they *allow* websites to run code on your
computer, if the code is from a "trusted source". So, all a malicious
webmaster has to do is trick your browser into thinking that her code is
"trusted". It should be very hard to do that, right? But, unfortunately,
there are some bugs, particularly in Microsoft Internet Explorer. These
bugs allow, for example, any object to identify itself as a certain
(trusted) ActiveX object. And the browser believes it. It's a very old
bug. There is a fix. But most people haven't gotten the fix.
If you update Windows, Internet Explorer, etc, using
http://windowsupdate.microsoft.com , this ActiveX thing is not an issue
anymore. The pages will just load and say "Done, with errors on page."
Third, I'm not sure if lop.com uses that security hole I mentioned, or
any other one for that matter. There are plenty of malicious things a
webmaster can do even without "full control". I don't know anything about
lop.com.
Hope that this helps and is informative, etc. =)
--David Loyall
ps, My little explanation of the MSIE hole probably uses wrong terminology,
or maybe it's just wrong. *shrug* Double check, if it's important.
-----Original Message-----
From: moverby [mailto:moverby@...]
Sent: Thursday, April 25, 2002 11:17 AM
To: hackfix-VirusHelp@yahoogroups.com
Subject: [Hackfix-VirusHelp] Browser and CPU Hijacked!!!
Hello all.
[snip!]
Lets just put it this way. We both went to a site..... I saw something
start downloading and quickly control/w'd to close that window and all the
other windows that started popping up. I think I halted the installation,
but my friend didn't. He ended up with a flash type/activeX program that
opened some sort of Flash kind of tool called lop.com . This is a
TROJAN. Suffice it to say, every time we tried something, for example,
emptying temp Internet files, looking for the folder in the program files,
or going to add/remove programs and find and uninstall it, We could not
find it, could not uninstall it, and it popped up on his desktop every time
he restarted.
[snip!]
Just go there and read up. Also, to the moderators of this site, I would
suggest that you apply your knowledge and experience to this particular
situation if you could. I was quite surprised that this happened and I
hadn't at least read about lop.com here yet, as I read just about every
email I get from this site.
[snip!]
Careful out there!!!!
Ramble on...
Mark
Hi
I recently downloaded a program called PestPatrol from www.sunbelt-software.com
This program ($20) is supposed to find all sorts of 'pests' etc that ordinary
anti-virus software misses (it found 96 pests on my Norton 2002 professional
internet security protected personal PC - although all but one was rated a low
risk). Has anyone out there seen any reviews or have any opinions about the
effectiveness of this software for the averagely paranoid internet user:).
Edward
[Non-text portions of this message have been removed]
If you do a right-mouse click scan on the file, what does it say?
I would wait with deleting.
You might like to copy it to a special folder you create on your system
(I have a special folder in which I copy all suspicious and infected stuff
for scanning/testing purposes.)
(complete email + attachment for instance) and zip the whole thing.
After that you might like to delete the original email and attachment and
empty recyclebins of system and email program.
If it is a normal hybris, magistr, mtx, sircam, badtrans, klez
a/b/c/d/d/f/g/h not needed to send it in, if it is something different
please let us know.
(in that case I might like to add it to my zoo, so don't delete please!)
In the search engines only a personal profile of a user with that name
showed up here.
How do you know btw it is an infection if nothing alarmed on it?
Thanks in advance for the info!
Jooske
http://forums.delphiforums.com/helpcomputer
http://www.security-pro.co.uk/yabb/YaBB.pl
He! check this out! Australian initiative so this IS good!
Big Cats, Giant Panda and the Rain Forest
http://rainforest.care2.com/welcome?w=921987908
----- Original Message -----
From: "TexasPatches" <
Sent: Thursday, April 25, 2002 4:42 PM
This addy sent to my list, or actually to me as list owner, this message.
This is a WinXP patch
I wish you would like it.
This person is not on my list. I did not open the attachment. Does anyone
want to see it, or shall I just delete it? I'm sure it's a virus, but
nothing has hit on it so far. Probably because I didn't open it. I'm even
afraid to investigate for an addy.
Hello all.
A little long, I know, but I strongly recommend that you all take the time
to read this post.
Usually my posts to this site are replies to the other posts I see
here. Well, now it's my turn. I consider myself and my computer pretty
secure, but I have now learned the true potential of being victimized by IE
integrated browser hacking. I am working, so I can't go into it too deeply
cause I have already spent hours repairing my friend's PC as well as
mine. I will say this much..... BECAUSE I am at work, this wasn't even any
sort of porn site. This was just basic everyday browsing consistent with
what I do on a daily basis.
Let's just put it this way. We both went to a site..... I saw something
start downloading and quickly control/w'd to close that window and all the
other windows that started popping up. I think I halted the installation,
but my friend didn't. He ended up with a flash type/activeX program that
opened some sort of Flash kind of tool called lop.com . This is a
TROJAN. Suffice it to say, every time we tried something, for example,
emptying temp Internet files, looking for the folder in the program files,
or going to add/remove programs and find and uninstall it, we could not
find it, could not uninstall it, and it popped up on his desktop every time
he restarted.
After some research we found out what exactly happens (by the way... our
Corporate Norton AV here at work and Ad-aware were NOT able to detect or
remove it, and nothing came up at symantec.com when I searched for
lop.com). It basically turns your machine into many things, the most
quantifiable one being an MP3 search engine where your files, your
resources and your CPU are hijacked and used significantly.
We were finally able to remove it. Then I did some PC house cleaning of my
own to remove all cookies etc. to be on the safe side.
I strongly urge EVERYONE to go here, (this is the place that told us
how to remove it, but had other important info as well)
http://www.spywareinfo.com/index.html
even if you don't suspect that you are the victim of any similar type of
hijacking. You will learn just how powerful this sort of thing is, how
powerless most people are to prevent it, and what you can do to protect
yourself right now and prevent it from happening to you.
This thing can actually rewrite your administrative privileges so that you
can't even run regedit on your own computer to fix it... EVEN IF YOU ARE
THE ADMINISTRATOR!!!!!!. Then you are completely screwed. Luckily, it did
not penetrate my friend's computer that deeply. It's very scary.
Just go there and read up. Also, to the moderators of this site, I would
suggest that you apply your knowledge and experience to this particular
situation if you could. I was quite surprised that this happened and I
hadn't at least read about lop.com here yet, as I read just about every
email I get from this site.
Thank you for your time, and I hope that this info helped solve or at least
prevent this problem from affecting anyone of the others who participate in
this post.
Careful out there!!!!
Ramble on...
Mark
This addy sent to my list, or actually to me as list owner, this message.
This is a WinXP patch
I wish you would like it.
This person is not on my list. I did not open the attachment. Does anyone
want to see it, or shall I just delete it? I'm sure it's a virus, but
nothing has hit on it so far. Probably because I didn't open it. I'm even
afraid to investigate for an addy.
---
It's not a virus. The message states exactly what the problem is. All
he needs to do is restore the deleted (or damaged) font. I would need
more information to provide help, specifically, what operating system?
Fuzzy
--
Whatever is said in Latin seems profound.
If you can read this, you have too much education.
It is a wise man who speaks little.
May he love tomorrow who has never loved, and may he who has loved love more tomorrow.
Not by one path alone can one arrive at so great a mystery.
On Thu, 25 Apr 2002, Lim, Franciscus wrote:
> hi ...
>
> My friend has this problem:
> He can't open Office files and the message "the tahoma font is not present.
> To restore it, click detect and repair on the help "
> After clicking OK, the file opens but is empty and has squares (check boxes). It
> happens also when he opened Outlook Express, the word is very messy .. has
> squares (check boxes), triangles, circles, etc.
>
> He scanned using nimda, fixsirc, F-klez, Norton and McAfee...., but still has
> the problems.
>
> Any solutions to this?
> What kind of virus is that?
>
> Thanks
> Frans
hi ...
My friend has this problem:
He can't open Office files and the message "the tahoma font is not present.
To restore it, click detect and repair on the help "
After clicking OK, the file opens but is empty and has squares (check boxes). It
happens also when he opened Outlook Express, the word is very messy .. has
squares (check boxes), triangles, circles, etc.
He scanned using nimda, fixsirc, F-klez, Norton and McAfee...., but still has
the problems.
Any solutions to this?
What kind of virus is that?
Thanks
Frans
Hi, if my local av/at software would fail --and it did, for how else could
the nasty have activated and found its way to the system-- it's certainly
time to get an online scan at the known places like
www.housecall.antivirus.com or www.bitdefender.com or
http://www.pandasoftware.es/
(always good to change at times) and delete the finds. At least update the
own local software as soon as possible.
Hope after the cleaning all is working fine again.
And I do hope it is just the Magistr, as I'm not aware that one should also
have the ability of disabling scanners software.
Just see bitdefender seems under maintenance, but their free removal tools
page is accessible:
http://www.bitdefender.com/html/free_tools.php
I'm not sure why I read so often these days NAV fails, maybe this is with
more av/at scanners but I might only see it really frequent with NAV users,
or there are other reasons like wrong use or configurations, I am not sure.
Hope the scanning helps you, as magistr is rather easy to get rid of.
Jooske
http://forums.delphiforums.com/helpcomputer
http://www.security-pro.co.uk/yabb/YaBB.pl
He! check this out! Australian initiative so this IS good!
Big Cats, Giant Panda and the Rain Forest
http://rainforest.care2.com/welcome?w=921987908
----- Original Message -----
From: "Lim, Franciscus"
Sent: Wednesday, April 24, 2002 3:05 AM
Hi ..
My friend's computer got hit by a virus. The icons on the desktop were moving around when
he tried to click on them. And Norton AntiVirus 2002 changes around and
doesn't do the email scan.
please help.
thanks in advance
Rgds,
Frans
Hi ..
My friend's computer got hit by a virus. The icons on the desktop were moving around when
he tried to click on them. And Norton AntiVirus 2002 changes around and
doesn't do the email scan.
please help.
thanks in advance
Rgds,
Frans
[Moderators Note: Didn't I just recently send a reminder to Trim? Please Trim
your posts to help our readers!]
To show all extensions, left click 'my computer', 'view', 'folder options',
'view', and a short way down the list you will see, 'show all files'. Make sure
it is checked...that should do it.
----- Original Message -----
From: David Hellwege
To: Hackfix-VirusHelp@yahoogroups.com
Cc: dunhamk@...
Sent: Tuesday, April 23, 2002 3:25 PM
Subject: RE: [Hackfix-VirusHelp] unknown attachment
See below.
> Therefore, I strongly recommend configuring all
> computers to show the real extension of all file
> types, none hidden, and backing up
> work on a regular basis.
>
> Sincerely,
> Ken
> Senior Intelligence Analyst
> iDEFENSE - http://www.idefense.com/
> The power of intelligence starts here
How does one do this configuration?
[Moderators Note: Trim before hitting Send Please!]
One handy site to have if you wanna know what extension is what
http://extsearch.com/
-----Original Message-----
From: Pam [mailto:ltf01@...]
Sent: Tuesday, April 23, 2002 8:37 AM
To: Hackfix-VirusHelp
Subject: [Hackfix-VirusHelp] unknown attachment
I just got an attachment from someone whom I don't think would be sending
attachments. PC-Cillin did not alert on it. It's called Butterfly.pps
(326kb).
I'm not worried so much about opening the file if there's nothing wrong with
it as I am about IF my virus detector missed something that it shouldn't
have missed. I suppose there's no way to find out either way is there?
Thanks,
Pam
You can try to send the file to me. Our server is safe and can give a warning
if it contains a virus.
-----Original Message-----
From: Pam [mailto:ltf01@...]
Sent: Tuesday, April 23, 2002 9:37 PM
To: Hackfix-VirusHelp
Subject: [Hackfix-VirusHelp] unknown attachment
I just got an attachment from someone whom I don't think would be sending
attachments. PC-Cillin did not alert on it. It's called Butterfly.pps
(326kb).
I'm not worried so much about opening the file if there's nothing wrong with
it as I am about IF my virus detector missed something that it shouldn't
have missed. I suppose there's no way to find out either way is there?
Thanks,
Pam