Virus action not caught by NAV, Blackice, or Zone Alarm

Guest

Just about every day while I am on the internet a program in my computer runs and creates a file with the name simply ~ with no extension. This file contains a lot of code, but also contains all my e-mail addresses from my WAB file and all the recent history in my computer. Once it had even copied an open Word document's contents. I believe my Zone Alarm has stopped it from going out, but my Norton antivirus 2003 (fully updated) does not detect any infection. This has happened about 6 months after I had installed my XP, NAV, Zone Alarm and BlackIce programs. I might sound a bit overprotected and paranoid except that I have had some bad experiences with viruses in the past and wanted to be sure it never happened again. Is this some kind of fragment saved to my desktop as a result of a problem with Outlook or is it the indication of a virus? Is there a monitoring program that can log all program events in the computer during a one or two hour time frame? I am not concerned about the file size, but if I can log the events on my computer I can track the program that created that file by comparing the file properties and the log time. If I can find out what creates the file I can then go to Symantec and get a fix. Please help, and thanks.
 
Trafton

Hi Brian,

Sorry you are having difficulties. Please perform the following actions:

1. Go to the START menu
2. Go to RUN
3. Type in "regedit" (with no quotes)
4. Go to HKEY_CURRENT_USERS
5. Go to SOFTWARE
6. Go to MICROSOFT
7. Go to WINDOWS
8. Go to CURRENTVERSION
9. Go to RUN

Can you list everything contained within there and what files they are
pointed to? This may help isolate whether you have a virus or not, which is
a possibility.

Sincerely,
Benjamin Johnstone-Anderson
Microsoft "MVP" - Windows Security
Remove "SPAM" from email address to reply!
 
Carey Frisch [MVP]

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

Virus Removal Tools
http://securityresponse.symantec.com/avcenter/tools.list.html

Online Virus Removal Tutorials
http://www.symantec.com/techsupp/virusremoval/virusremoval_info_tutorial.html

There is a very helpful virus removal newsgroup you may wish to post to:
news://msnews.microsoft.com/microsoft.public.security.virus

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

 
Haus

Hello
You are experiencing an issue that has accrued with one of the updates that
come out last year.
It will install an Icon on the desktop labeled "~" (without the quotes)
MS knows about the issue and it has something to do with Outlook Express,
and will install that file on the desktop at certain times. Keep checking
the update site and I am sure MS will have a fix before long if not already
I have not seen this issue in a while.

--
Hope This Helps
Haus
Not a MS-MVP
Not a MVP
Not nothing, just a good ole boy.
 
Juan

Greetings:

I saved this message from last year, hope it clears your doubts.
----------------------------------------------------------------------------
Mystery solved! It is the result of a windows update 330994 patch. You get
the temp file after a change is made to your address book in Outlook
express. You can see if you have the patch by going to IE....Help...About
and seeing if the patch is listed there. I made a change to my address book
this morning and "Bingo" the file appeared!
Here is the info I obtained! Phewwwwww! Glad that's over with!

One of the "fixes" from MS several months ago causes this glitch.
What that file is (which I believe you will see is named "~") is your
yourname.wa~ file which on my PC resides in C:\Windows\Application
Data\Microsoft\Address Book .
That file is the backup for yourname.wab (the OE Address Book). But now,
after the glitch, the .wa~ file is no longer getting updated when you make a
change to Address Book. Rather it goes to your Desktop as "~" instead of to
C:\Windows\Application Data\Microsoft\Address Book as yourname.wa~.
However, your Address Book, itself, is still getting updated. So unless you
worry about the backup no longer being updated(what good is it, anyway??),
you can delete the "~" file. Or if you cannot live without the updated
backup .wa~ file, then just rename that suspicious "~" file to yourname.wa~
and send it to the C:\Windows\Application Data\Microsoft\Address Book folder
(replacing the existing and now outdated yourname.wa~ file).
Supposedly MS was working on a fix many months ago, but I have seen no
announcement of one yet, and none of the recent MS fixes have cured the
problem.
----------------------------------------------------------------------------
That "~" (tilde) file is most probably appearing as the result of installing
the "April 2003, Cumulative Patch for Outlook Express (330994)". Microsoft
is aware of the problem and is supposedly working on a fix. Many people are
experiencing this problem and from what I've read about this problem that
icon will also reappear when you reply to an e-mail and you have your
Outlook Express set up to enter the persons e-mail address to your address
book whenever you reply to an e-mail. You can either just put up with it or
follow the uninstall directions for the patch at the link below.
http://www.microsoft.com/windows/ie/downloads/critical/330994/default.asp

DaBoss

http://www.filext.com

http://filext.com/faq/article.php?id=002


 
Guest

Yeah, thanks, but Symantec suggested looking into the registry run sections in current user and others. They suggested looking for programs such as Regedit.exe and some that are commonly associated with virus programs. I didn't see any that fit their descriptions and everything looked like it belonged.

Here's the list as it is in the HKey_local registry (nothing is in the current user area):

AdaptecDirectCD (ok)
B'sClip (my CDRW software)
ccApp (common client, ok)
ccRegVfy (symantec)
C-Media Mixer (came with my Philips 5.1 speaker system)
CMESys (I hate this program, but it has been harmless in the past even though I have never been able to completely remove all of its hidden files, it is that stupid download manager wizard that some web sites use, like CNet)
ConMgr (my earthlink account manager program, it carries their signature, but I question its motives)
Drag'n'drop_Autolaunch (part of Iomega Hotburn, ok)
Multimedia Keyboard (another program I hate, but it is integrated into the proper operation of this darn keyboard)

excuse me a sec... some A**hole just sent me a copy of W32.Swen.A@mm in my e-mail, see what I mean about the viruses? NAV caught it though :-
now back to the list...

Pointer (my mouse software, Microsoft trackball)
TkBellExe (another one I hate from the Real player I downloaded, but don't use)
TotalRecorderScheduler (an internet media recorder that I bought and have used flawlessly for quite a while)
and finally Zone Labs Client (Zone Alarm)

I feel a bit exposed giving this info out, but maybe you guys see one that I may be misinterpreting.


 
Guest

Thanks, I'll look into these sites. I may already have been to a few of them though, but I will post to the NG.

 
Trafton

Hi Brian,

I don't personally see anything in there, and I think the subsequent posters
hit the proverbial nail on the head. In case you deleted Juan's excellent
post, here is a relevant link from it:

http://filext.com/faq/article.php?id=002

Hope this helps and good luck!

Sincerely,
Benjamin Johnstone-Anderson
Microsoft "MVP" - Windows Security
Remove "SPAM" from email address to reply!
 
Guest

Thanks. That sounds like what I am seeing, but then why did it copy an entire Word document that was open at the time? Outlook shouldn't access other software that is open unless it is trying to be invasive. I think that Microsoft had better look into a severe security issue if it does. Still, I will be watching MS updates for security and Outlook issues that cover this.

 
Guest

Thanks, I think I will uninstall the patch. I remember seeing that file *.WA~ listed in the same folder as my *.WAB file (also the tilde file itself was there and on my desktop). I found it when I did a search for the tilde (~) on my computer to try and find out where it came from. I recognized the *.WA~ as the way that MS makes backup copies and distribution copies in their software packages (like on the XP disk) so I left it alone, but my concern at the time was that some invasive program was making copies of that file and trying to send it out through my mail. One more thing that I remember about that tilde file is that it is also very specific about copying my cookies associated with my history files including my login files for such sites as Amazon, E-Bay, and my bank. I may be experiencing a problem with a simple glitch in one of MS's programs, but the information it is trying to send out is not a simple matter. If it were just my address book entries, ok, add my recent history, ...o...k, add my cookies, I'm nervous, add a Word doc that is open when the program creates the tilde file, now I can no longer accept that this is just a glitch. I believe MS has a security issue that had better be looked into. BTW since I began writing to this site (today) and responding to these replies to my post I have been hit with four viruses in my e-mail which hasn't happened in over three months.

 
Bruce Chambers

Greetings --

One of the recent "hotfixes" for OE causes the file to be created
when you update the address book. It's just a duplicate copy of the
address book and can be safely deleted. A permanent fix is in
development.


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
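
One way to test the explanation given in the replies above, that the "~" file is the address book backup written to the wrong place. This is an added example, not part of the original thread; it assumes a current Windows PowerShell (4.0 or later for `Get-FileHash`), and both default paths are assumptions to adjust (the thread gives `C:\Windows\Application Data\Microsoft\Address Book` for the folder). It compares the Desktop "~" file with the `.wab` and `.wa~` files by size, modification time and SHA-256.

```powershell
# Added example: compare the Desktop "~" file with the Outlook Express address book files.
# Both default paths are assumptions; pass your own if they differ.
param(
    [string]$TildeFile      = (Join-Path ([Environment]::GetFolderPath('Desktop')) '~'),
    [string]$AddressBookDir = (Join-Path $env:APPDATA 'Microsoft\Address Book')
)

if (-not (Test-Path -LiteralPath $TildeFile -PathType Leaf)) {
    Write-Output "No '~' file found at $TildeFile"
    return
}
if (-not (Test-Path -LiteralPath $AddressBookDir -PathType Container)) {
    Write-Output "Address book folder not found: $AddressBookDir"
    return
}

$tilde     = Get-Item -LiteralPath $TildeFile -Force
$tildeHash = (Get-FileHash -LiteralPath $tilde.FullName -Algorithm SHA256).Hash

Write-Output ("'~' file: {0} bytes, last written {1}" -f $tilde.Length, $tilde.LastWriteTime)

# Compare against every address book (.wab) and backup (.wa~) file in the folder.
Get-ChildItem -LiteralPath $AddressBookDir -File -Force |
    Where-Object { $_.Extension -in '.wab', '.wa~' } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            File           = $_.Name
            Bytes          = $_.Length
            LastWritten    = $_.LastWriteTime
            SameSize       = ($_.Length -eq $tilde.Length)
            SameContent    = ($hash -eq $tildeHash)
            # How long before (-) or after (+) this file the "~" file was written.
            MinutesFromTilde = [math]::Round(($tilde.LastWriteTime - $_.LastWriteTime).TotalMinutes, 1)
        }
    } |
    Format-Table -AutoSize
```

A `SameContent` match with the `.wab` file supports the backup-copy explanation; a mismatch settles nothing by itself, since the address book may have changed again after the "~" file was written.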
 
Guest

You are running too many security features and they are conflicting with each other.
Get rid of Zone Alarm.....
 
