Fax sending PORN from my temp folder instead of my fax???

Noozer

I'm on a Windows XP SP1 machine. I'm connected to a Windows 2003 server with
fax sharing installed. I went to send a fax today and at the end of the fax
I hit the preview button. The first page was the expected coverpage, but
when I flipped to the second page I ended up with a porn picture that was
located in my TEMP folder. I deleted the file and then the fax preview
wouldn't work.

I'm definitely glad I caught this before sending it, but HOW did it happen?
AV is VERY up to date, popup blockers installed on browser. High security
settings. I'm behind a hardware firewall. XP has all updates applied.

I'm hoping to figure out what happened based on the modified date of the
porn picture, but XP's search doesn't allow specifying any specific time
range and there are LOTS of files modified on that date.

Any idea how I can ensure that this doesn't happen again?????

Thanks!
 
Noozer

Noozer said:
I'm on a Windows XP SP1 machine. I'm connected to a Windows 2003 server with
fax sharing installed. I went to send a fax today and at the end of the fax
I hit the preview button. The first page was the expected coverpage, but
when I flipped to the second page I ended up with a porn picture that was
located in my TEMP folder. I deleted the file and then the fax preview
wouldn't work.

<snip>

....AND, I just realized that the date on the picture was today at the time I
actually sent the fax, so it was dynamically generated! ACK!
 
Yves Leclerc

Run AD-Aware 6 or Spybot: Search and Destroy! You may be the victim of
spyware that got onto your XP system.
 
Hal Hostetler [MVP DTS]

You're seeing temp files that are in your Temporary Internet Files folder.
Right click one of the unwanted images and go to 'Properties|Location';
you'll see the path to the image. Running Disk Cleanup or clearing your
Temporary Internet Files folder should clear it up.

Start|All Programs|Accessories|System Tools|Disk Cleanup.

Hal
--
Hal Hostetler, CPBE -- (e-mail address removed)
Senior Engineer/MIS -- MS MVP-DTS -- WA7BGX
http://www.kvoa.com -- "When News breaks, we fix it!"
KVOA Television, Tucson, AZ. NBC NBC-IN
Got Blues? - www.badnewsbluesband.com
 
Noozer

I did... all it detected was an "attempted browser hijack" because my start
page is "about:blank"
 
Victor D.

Somebody is going to porn sites with your computer if you're
not.....hummmmmmm!
 
Noozer

Doh!

You're telling me... I don't know how it got there unless it happened to be
in a banner or something on another page I visited.

But ***WHY*** was the creation date/time the exact same date/time that I
created my fax?

I can't replicate it but I still think something fishy is going on here!
 
Noozer

That makes sense, but, how did it get there in the first place?

Also, why was its creation time/date the same as when I created my fax?
 
Victor D.

If you go to your temp files and right click on one of the porn pics, it will
bring up properties that will tell you when it was created, modified and
accessed. Of course accessed would be the time you right click on it. The
"created" description would be when it was downloaded on your computer.
 
Wislu Plethora

-----Original Message-----
I'm on a Windows XP SP1 machine. I'm connected to a Windows 2003 server with
fax sharing installed. I went to send a fax today and at the end of the fax
I hit the preview button. The first page was the expected coverpage, but
when I flipped to the second page I ended up with a porn picture that was
located in my TEMP folder. I deleted the file and then the fax preview
wouldn't work.

I'm definitely glad I caught this before sending it, but HOW did it happen?
AV is VERY up to date, popup blockers installed on browser. High security
settings. I'm behind a hardware firewall. XP has all updates applied.

I'm hoping to figure out what happened based on the modified date of the
porn picture, but XP's search doesn't allow specifying any specific time
range and there are LOTS of files modified on that date.

Any idea how I can ensure that this doesn't happen again?????

Thanks!

If I give you my number, can you send me some faxes?
 
Death

That makes sense, but, how did it get there in the first place?

Probably as mentioned above: Someone else using your computer.
Either that or the attempted browser hijack was successful and it
accessed the content in question regardless...I have had to clean
RoughRider.EXE (Self-Installing pornware) from three machines today
manually because neither AdAware 6 nor Spybot S&D could do anything
with it. :-(
fax?

Again as previously mentioned: It's possibly using the "LastAccessed"
value from the filesystem rather than the "Created" value.
Although at the same time, it is possible to fake dynamic file
creation with ActiveX and/or VBscript* using code like the following
sample:
'-------------------------------------------------------------
'CODE SAMPLE - VBscript:
Option Explicit
On Error Resume Next

'Declare the variables (required under Option Explicit)
Dim objFSO, objFileConn, binDataStore
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Read the existing file line by line (1 = ForReading)
Set objFileConn = objFSO.OpenTextFile("MyImage.jpg", 1, True)
While Not objFileConn.AtEndOfStream
    binDataStore = binDataStore & objFileConn.ReadLine & vbCrLf
Wend
objFileConn.Close

'Write the same data back over the file (2 = ForWriting)
Set objFileConn = objFSO.OpenTextFile("MyImage.jpg", 2, True)
objFileConn.Write binDataStore
objFileConn.Close

'In reality, the above example probably won't work properly
'but you should be able to see that it reads the file, then
'overwrites it back unchanged, thus fooling the OS into
'thinking that the file was created when this code was run.
'END CODE
'-------------------------------------------------------------
(* - VBscript is the newbie virus writer's wet dream...Thanks to the
insecurity of the general ActiveX environment, ANYONE who can use a
computer can write a virus that could wipe the system registry or make
changes to the file system without the user knowing about it. Another
of Mr. B Gates' brain farts I guess! :-D)

I know it may be a bit complex, but hope it helps anyway! :-D

Farewell...
+------------------+
| Usenet N00bie... |
+------------------+
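
Added example (not part of any post in this thread): the original question asks for a way to search by a specific time range, and the replies distinguish a file's created, modified and accessed times. This Python sketch lists the files under a folder whose timestamps fall within a few minutes of an event such as the moment the fax was created; the function names, the sample files and the event time are constructed for illustration.

```python
import os
import sys
import tempfile
from datetime import datetime, timedelta

def stamp_times(path):
    """Return the created/modified/accessed times of a file as datetimes."""
    st = os.stat(path)
    if hasattr(st, "st_birthtime"):        # Windows (3.12+), macOS, BSD
        created = st.st_birthtime
    elif sys.platform == "win32":          # older Python on Windows
        created = st.st_ctime
    else:                                  # Linux: ctime is not creation time
        created = None
    times = {"modified": st.st_mtime, "accessed": st.st_atime}
    if created is not None:
        times["created"] = created
    return {k: datetime.fromtimestamp(v) for k, v in times.items()}

def files_near(root, event, minutes=5):
    """List (path, matching timestamp names) within +/- minutes of event."""
    window = timedelta(minutes=minutes)
    hits = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                times = stamp_times(path)
            except OSError:
                continue                   # file vanished or is locked
            matched = sorted(k for k, t in times.items()
                             if abs(t - event) <= window)
            if matched:
                hits.append((path, matched))
    return sorted(hits)

def demo():
    """Constructed sample: two files stamped near/far from a made-up event."""
    event = datetime(2004, 3, 1, 14, 30)   # constructed "fax sent" time
    with tempfile.TemporaryDirectory() as root:
        for name, offset in (("near.jpg", 60), ("far.jpg", 86400)):
            path = os.path.join(root, name)
            open(path, "wb").close()
            ts = event.timestamp() + offset
            os.utime(path, (ts, ts))       # set accessed and modified
        return [(os.path.basename(p), m) for p, m in files_near(root, event)]

if __name__ == "__main__":
    print(demo())
```

Point `root` at the TEMP or Temporary Internet Files folder and `event` at the time in question; each hit names which of the three timestamps fell inside the window, which shows whether a file was newly created or only modified or accessed at that moment.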
 
