[Dshield] Re: Dshield digest, Vol 1 #220 - 11 msgs

Neil Richardson pc_freak at cats.ucsc.edu
Sun Aug 26 02:19:22 GMT 2001

At 08:17 PM 8/24/2001, Susan wrote:
>However. I have 3 computers here to verify system properties
>against. None show explorer.exe as c:\windows \explorer.exe /n,
>/e, c:\ so figure, it's a hack. Could have been written to by an
>infected email even. Mobsync? I told you I have deleted it twice

    I also have mobsync on my machine; I agree with the theory that it's 
part of M$'s web-page-synchronizer, probably part of ActiveDesktop (the 
help file pops up a window labeled "Synchronization Manager").

>I am pulling unidentified stuff out of registry now, I do a few lines, I
>reboot, I backup. It's going well but I am really just testing here i

    Eeek!  IMHO, pulling random stuff out of the registry is asking for 
trouble, since 99% of it is probably not documented in any useful manner.

    If you're really concerned, I'd say to use FDisk to erase the 
partitions, re-create them, format, then re-install Winblows.  First thing 
you then do is install a firewall you trust (I use ZoneAlarm) and a virus 
scanner.  Then scan the *entire* hard-disk, setting the heuristic 
sensitivity to maximum, "scan compressed files," and "scan all files" (not 
just program files), and tell it not to exclude any folders (I recently 
read about a virus that hides in the recycle-bin folder, which most AV 
programs skip).

    Once you're convinced the machine is clean, make a System Recovery disk 
(using the Windoze utility) and another one using the AV tools (that way 
you can scan from a clean disk).

-Neil R.
Random thought for the day:

    Is yours a real cat, or does it come when you call it?
