Email worm... need help identifying. - epjvwek.gif (0/1)

kurt wismer

David said:
From: "Sylvia M." <[email protected]>
| Thanks, Dave.
| I went there and downloaded (also printed out
| window), but I can't seem to 'open' a .zip
|
| Sylvia M.
| I know that I know not...
|

http://www.winzip.com/
http://www.pkware.com/home_and_small_office/downloads/
http://nct.digitalriver.com/fulfill/0018.18

Or one of the many other ZIP archival software packages.

my vote's for izarc (http://www.izarc.org)... i don't know any freeware
package that handles more formats...
 
Max Wachtel

(e-mail address removed) AKA Peter Seiler on 1/9/2006 in
Sylvia M. - 09.01.2006 04:14 :
"John Coutts" <[email protected]>
wrote in message
each running program can have one
processes running at the same time.

[...]

could you please explain why your reposting produces such a wrong
linefeed with such wrong quoting-maekers? Please check it by yourself.
******************Reply Separator*************************

She is using Outlook Express, need I say more?
BTW-what is a maeker?
max

--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236
 
Peter Seiler

Max Wachtel - 09.01.2006 13:57 :
(e-mail address removed) AKA Peter Seiler on 1/9/2006 in

******************Reply Separator*************************

She is using Outlook Express, need I say more?
BTW-what is a maeker?
max

using OE perhaps is one explanation. But other OE users do not produce this
misbehavior because they configure their NewsClient (OE) well. Isn't it
a shame that the most widespread NewsClient shows (per default?) such a
misbehavior?

Sorry, meant (quoting) marker ">" ">>" etc.
 
Max Wachtel

(e-mail address removed) AKA Peter Seiler on 1/9/2006 in
Max Wachtel - 09.01.2006 13:57 :


using OE perhaps is one explanation. But other OE users do not produce
this misbehavior because they configure their NewsClient (OE) well.
Isn't it a shame that the most widespread NewsClient shows (per
default?) such a misbehavior?

Yes, they should have some type of instructions that a user has to read
before it even starts.
Sorry, meant (quoting) marker ">" ">>" etc.

my poor attempt at humor.
max
 
Sylvia M.

Max Wachtel said:
(e-mail address removed) AKA Peter Seiler on 1/9/2006 in
<[email protected]> after much thought, came up with this

Yes, they should have some type of instructions that a user has to read
before it even starts.


my poor attempt at humor.
max
--
<Sigh> yes, it was set for 50 instead of 70...I'm sorry.
Thanks for letting me know.
Sylvia
 
Max Wachtel

(e-mail address removed) AKA Sylvia M. on 1/10/2006 in
<Sigh> yes, it was set for 50 instead of 70...I'm sorry.
Thanks for letting me know.
Sylvia
******************Reply Separator*************************

The quoting is still bad.
OE Quotefix is one solution.
http://home.in.tum.de/~jain/software/oe-quotefix/
Using XanaNews as your news client is another.
http://www.wilsonc.demon.co.uk/d9xananews.htm

max
 
prka

NightRunner wrote:
Hey all,

I got NAILED bigtime yesterday whilst carousing on a site I should
have known better than to use MSIE on. I acquired MANY infections, but
have I think all but one contained now... I just noticed today that a
netstat -an command is showing a huge number of connections to various
IP addresses. Soooo I got myself a packet sniffer, and found out that
my machine is spamming like MAD through Outlook Express. I can't seem
to find the causative program, and none of my various Spyware/Adware
or AV programs are catching it, so this is where I REALLY need help.
The basic content of each email follows:

From: Mcnamara (this is randomly generated it seems)
To: (e-mail address removed) (also apparently random)
Subject: Online

Message body --

Hey, epjvwek


Attached file:

epjvwek.gif

The contents of this file appear to be drug advertisements... It's
harmless enough, so I've attached it in the prayer that someone will
recognize it and know what it is and how to get rid of it from my
system. NERVE WRACKING.

I should also mention that winlogon.exe is consuming very high cpu
resources, like 80-90%, and it shows up on TDIMon as the program doing
all the accessing of those IP addresses.

Thanks for any help!!!

Rick

"The usual approach of science of constructing a mathematical
model cannot answer the questions of why there should be a
universe for the model to describe. Why does the universe go
to all the bother of existing?"

- Stephen Hawking

---------------------------------------
Amateur Astronomy Page:
http://www.angelfire.com/alt2/nightrunner/skyview.html

Our Webcam:
http://web.infoave.net/~missy1/cam/webcam.html
It is installed as a winlogon extension.
Check the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
keys.
Delete suspicious entries. If they keep showing up then use the PsSuspend
(www.sysinternals.com) utility to suspend the Winlogon process and then
delete the keys and reboot. Don't kill it or Windows will crash. If that
doesn't help, use DLLView (also from Sysinternals) and check all DLLs
winlogon loaded. After identification use one of the available SFC patches
to disable Windows File Protection and delete the trojan DLL.


I got infected with a similar trojan a few days ago and couldn't get rid of
it with any AV.
Used Nod32, Sophos and AVG but none of them recognized it so I had to
do it manually.
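As an added illustration of the registry check described above (this script is mine, not from the thread or from Sysinternals), the following PowerShell lists every DLL registered under the Winlogon Notify and GPExtensions keys and flags entries whose DLL is missing, lives outside System32, or carries no valid Authenticode signature; it only reports, removal stays a manual step. It assumes Windows PowerShell 5.1 or later; on older systems catalog-signed Microsoft DLLs may show as NotSigned, so treat a NotSigned result as a prompt to check the file, not as proof by itself.

```powershell
# Added example, not from the thread: report DLLs registered as Winlogon
# notification packages or group policy client-side extensions.
function Get-WinlogonExtension {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    )
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($key in $keys) {
        # Notify no longer exists on Vista and later; skip absent keys.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $sub.PSPath
            # Notify uses "DLLName", GPExtensions uses "DllName"; lookup is case-insensitive.
            $dll = $props.DllName
            if (-not $dll) { continue }
            # Expand %SystemRoot%-style references; a bare file name is loaded from System32.
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system32 $dll }

            $exists = Test-Path -LiteralPath $dll
            $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'Missing' }
            $inSystem32 = $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)

            [pscustomobject]@{
                Key        = $sub.PSChildName
                Dll        = $dll
                Exists     = $exists
                Signature  = $status
                InSystem32 = $inSystem32
                # Anything missing, outside System32, or without a valid signature deserves a look.
                Suspicious = (-not $exists) -or (-not $inSystem32) -or ("$status" -ne 'Valid')
            }
        }
    }
}

Get-WinlogonExtension | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so every subkey is readable; entries marked Suspicious are the ones to compare against DLLView's list of modules loaded into winlogon.exe.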
 
