tracing spam

Jason Gurtz jason at tommyk.com
Fri Nov 19 07:22:18 PST 2004


On 11/19/2004 05:08, Dirk wrote:

> Does this scenario make sense? (It is what I think is happening.)
> 
> Someone's PC (running on M$) gets infected with a virus/worm.  This
> takes advantage of a dial up connection and a local list of e-mail to
> disseminate itself.  Addresses to and from randomly selected from local
> address list.  And who knows what else this virus/worm is doing.

That's very very possible  :/

Along with what Anthony posted take a look at:
Ad-aware
<http://www.lavasoftusa.com/software/adaware/>

Spybot Search and Destroy
<http://www.safer-networking.org/en/index.html>

CWShredder
<http://www.intermute.com/spysubtract/cwshredder_download.html>

The combination of all three of those will almost assure you of a clean
winhose.  To make them even more effective do this (assumes Win2k/XP):

1. Reboot into safe mode
2. hit <ctrl><alt>+<esc> to bring up Task Manager
3. start a command window
4. start up one of the above programs (probably best to do each one in the
order listed above)
5. use task manager to end task all instances of explorer.exe and iexplore.exe
6. Run the scan function in antispyware program after ensuring that it is
doing a deep, full system scan
7. after scanning/cleansing is done type explorer.exe in the command
window to bring the shell back
8. Go to step 1, but in step 4 change to the next antispyware program
9. Download Firefox or Mozilla Suite and set as default browser.  :)
10. Delete IE icon from desktop, start menu, and quicklaunch bar to
prevent (l)user from co-opting your Good Orderly Direction  ;)

To be extra thorough:

1. use the autoruns program from sysinternals to manually verify each and
every process that starts automatically.  Plugging the .exe name into
google can be instructive.
2. manually verify the hosts file
(%systemroot%/system32/drivers/etc/hosts) to be sure it contains no
unwanted entries
3. Set the above hosts file to read only mode.  In addition, set the NTFS
permissions so that no one has permission for anything other than read
permissions.  If, in the future, you want to make additions, you'll have
to change the perms first.

Nasty stuff

~Jason
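The hosts-file check and lock-down from steps 2 and 3 of the "extra thorough" list, as an added example rather than code from the original post: it assumes a current Windows with PowerShell 3 or later and an elevated prompt, and the function names, the expected-name list and the Everyone/Read rule are the example's own choices.

```powershell
# Added example, not from Jason's post: check the hosts file for entries that
# are not plain loopback mappings, then lock it down as steps 2 and 3 describe.
# Assumes Windows with PowerShell 3 or later and an elevated (Administrator) prompt.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Names a stock hosts file maps to loopback; any other name or address is reported.
$ExpectedNames = @('localhost', 'localhost.localdomain')

function Get-SuspiciousHostsEntries {
    param([string]$Path = $HostsPath)
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # strip comments and blank lines
        if (-not $line) { return }
        $fields  = $line -split '\s+'
        $address = $fields[0]
        $names   = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] } else { @() }
        $isLoopback = $address -in @('127.0.0.1', '::1')
        $unexpected = @($names | Where-Object { $_ -notin $ExpectedNames })
        if (-not $isLoopback -or $unexpected.Count -gt 0) {
            [pscustomobject]@{ Address = $address; Names = ($names -join ' ') }
        }
    }
}

function Protect-HostsFile {
    param([string]$Path = $HostsPath)
    # Read-only attribute first: once the ACL grants only Read, nobody has the
    # write-attributes right needed to flip it afterwards.
    Set-ItemProperty -Path $Path -Name IsReadOnly -Value $true
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)    # stop inheriting parent rules
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    # Step 3 literally: one Read rule for Everyone (covers users and the services
    # that resolve names), write for no one; re-grant write before future edits.
    $readOnly = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'Everyone', 'Read', 'Allow'
    $acl.AddAccessRule($readOnly)
    Set-Acl -Path $Path -AclObject $acl
}

$suspicious = @(Get-SuspiciousHostsEntries)
if ($suspicious.Count -gt 0) {
    Write-Warning 'hosts entries that are not plain loopback mappings; review before locking:'
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host 'hosts file contains only loopback entries'
}
# Protect-HostsFile   # uncomment to apply after reviewing the list above
```

Entries pointing security-vendor or update hostnames at the wrong address are the kind of "unwanted entries" step 2 has in mind; review the list before locking, since the lock-down makes later edits deliberately awkward.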
