Warning for Windows Users

Richard Urban

Any .ini file I have ever opened, on any computer I have ever worked on -
opened in notepad.

What's YOUR problem!

--

Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)



"Ian" <Ian@discussions.microsoft.com> wrote in message
news:2195F293-AE95-4B21-8C48-5442A22D2CF1@microsoft.com...
> There is a hack out there that is coming in through Outlook.exe (MS OFFICE
> Professional 2007) while in the Send/Receive Process. It leads to more
> Outlook.exe changes, as well as changes in svchost.exe. It leads to very slow
> sending of documents, and may be part of the Bot Net. After this has
> happened, I noticed a .INI file. I opened it with Notepad, but did not
> uncheck "open with this program by default". It changed all of them. I
> reinstalled on a scrubbed (7 times) HD with a new motherboard and a flashed
> BIOS, but put the old C-MOSS (spelling?) in. Had to reset the clock, but
> with a fresh NTFS format (not Quick), fresh flashed BIOS and brand new
> install, after just installing the OS I open the hidden system files and lo
> and behold the .INI files still opened by default with Notepad (a system
> setting saved by software only).
> I have done this entire process with Vista Business, and XP Pro SP 2. DELL
> has been helpful with hardware, but Kaspersky labs can not find the
> issue in their Moscow lab.
> I have used multiple scanning tools since the problem, and nothing finds
> it!
>
>
>
 
Richard Urban

Please get back to us when Dell and Kaspersky have it figured out.

--

Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)



"Ian" <Ian@discussions.microsoft.com> wrote in message
news:F3307241-9F37-4572-89DE-EB3F89F1AF3A@microsoft.com...
> I first started using PCs in 1981. By the way, a fresh install only has the
> settings as you go through the first launch of Windows, so there are no user
> profile settings except your name and a fresh desktop.
> Then, since there are no drivers for wifi, or the ethernet port, there is
> not an internet connection.
> I did not say anything about a virus that changes ini files, I said much
> more.
> And I said I accidentally changed the default program the ini file opens
> with, then after using tools you have to actually buy, that get editors'
> highest ratings from various tech publications and testing labs, you clean
> away everything. But the virus contains an ini file, so since I changed the
> default, and this selection is stored in the virus's ini as well, which
> changes the rest of them when the installation process takes place.
> The ini file in the virus is probably for the hackers' GUI when they access
> the hack.
> Admittedly I do not know. But it is real enough for Dell and Kaspersky to
> be concerned and trying to figure out what is going on.
>
> "Paul Adare" wrote:
>
>> On Wed, 31 Oct 2007 16:53:00 -0700, Ian wrote:
>>
>> > I know; how about this: I can change it to open all ini files by default
>> > with Word, then when I replace the motherboard but not the C-MOSS and
>> > flash the BIOS and scrub the drive, then it will open by default with
>> > Word on a fresh installation which according to YOU should be Notepad.
>> > Got it now???????
>>
>> Right, there's some kind of evil virus or malware out there that does
>> nothing more than remember your settings for how you want to open INI
>> files. Not only does it remember them, but since you've used NSA approved
>> technology (whatever that is) to scrub your drive it must be storing
>> these
>> preferences on a server in the deep dark bowels of the Internet and then
>> reapplying them every time you scrub your drive.
>> After you reinstall the OS you're not restoring your user profile are
>> you?
>>
>> This is getting really tiring. You're really not helping anyone at all
>> here
>> and you're simply adding to the high level of FUD around malware,
>> viruses,
>> and other bad things that may or may not be lurking around.
>>
>> --
>> Paul Adare
>> MVP - Virtual Machines
>> http://www.identit.ca
>> There are two ways to write error-free programs only the third one
>> works.
>>
 
Frank Saunders MS-MVP IE,OE/WM

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:8980A1CE-AAE4-4040-BD71-95B9A0C31B96@microsoft.com...
> Look at a fresh install on a new machine, the ini does not open with
> Notepad; mine did not until I changed it.



Install on this machine less than a month old.
The default for INI files is Notepad.

--
Frank Saunders MS-MVP IE,OE/WM
www.fjsmjs.com
Do not send email
 
Frank Saunders MS-MVP IE,OE/WM

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:69633EB4-A6D0-47AD-A0BE-F494113C0B07@microsoft.com...
> I have worked in the software industry for 3 years



I have used Windows since 3.0 and the default for INI files has always been
Notepad.

--
Frank Saunders MS-MVP IE,OE/WM
www.fjsmjs.com
Do not send email
 
Ian

Let me explain this problem again, while I am not juggling work, multiple
support techs, and trying to get a quick blurb out there for the user base,
and maybe some insight.
There is a hack coming in through the Outlook.exe; this occurs during the
send/receive process, at which time, while the outlook.exe file is being
changed, it will hang for some time. Eventually the email goes out, but the
time it takes is more than it would have taken to have emailed over 10x the
information being sent. Moreover, I get a System Admin return mail (I am
System Admin) telling me this recipient is not in their list of allowed hosts,
error #5.7.1. Also after the Outlook.exe gets changed, the Outlookimap.dll
and the vviewer.dll get changed as well.
After the Outlook.exe change (it may be changed up to three more times)
during the send and receive process, the svchost.exe ends up getting changed
after there are no more changes to the Outlook.exe being made.
Other exe files that are being changed are: iexplorer.exe, ieuser.exe, &
gotomeeting.exe. Gotomeeting is OBVIOUSLY not part of either the XP or Vista
OS, but it is another .exe that has access to the internet!
This keeps happening and is not just happening to me; my boss has had
similar issues, and several reports have come in to our security solution
provider regarding the Outlook.exe change. However they have done system
captures and cannot find anything. Which, according to the security solution
provider, means that the virus/Bot is on the same "level", not that it does
not exist.
This aspect may be unrelated, but just in case it is not: in the Vista
environment, I made a change to the open-with selection for a hidden system
file, and accidentally left the box checked to apply my selection to all
files of this type, and the system did so with a slight pause. I believed
this to be an "INI" file as this changed the metrics for the smaller pop-up
windows in Vista, which were now full screen windows. These windows include
the Copy To and Move To, etc. windows which are normally smaller and not
sizeable when you are selecting which folder to send, copy, or move the file
to. The windows do not get bigger unless you mess with the metrics, which is
why I assumed that it is an "INI" file I am talking about.
This setting to open my mysterious "INI" file, which may not have been an
ini file (as was so helpfully pointed out yesterday by some of the people
here), was retained by my system after flashing the BIOS, scrubbing my hard
drive, reformatting with NTFS, and reinstalling the OS with NO internet
connection: these windows were still opening up full screen. But this only
happens in Vista; these windows stay the same size in XP, even after
installing other software, and importing my files. But the change, or lack
thereof, remains obvious in Vista.
I have repeated these steps multiple times, and included in the last effort
was a replacement of the motherboard, but the old CMOS and the old raw hard
drive were still used, and the Windows metrics setting that had been
accidentally changed was still there, and the windows that should be smaller
are still opening up full screen in Vista.
As I said I do not know if there is a relationship between the two, but
there is usually something left behind in a system for the hacker to use
later, so… Thanks for all the friendly advice!


"Richard Urban" wrote:

> Any .ini file I have ever opened, on any computer I have ever worked on -
> opened in notepad.
>
> What's YOUR problem!
>
> --
>
> Regards,
>
> Richard Urban
> Microsoft MVP Windows Shell/User
> (For email, remove the obvious from my address)
>
>
>
> "Ian" <Ian@discussions.microsoft.com> wrote in message
> news:2195F293-AE95-4B21-8C48-5442A22D2CF1@microsoft.com...
> > There is a hack out there that is coming in through Outlook.exe (MS OFFICE
> > Professional 2007) while in the Send/Receive Process. It leads to more
> > Outlook.exe changes, as well as changes in svchost.exe. It leads to very
> > slow sending of documents, and may be part of the Bot Net. After this has
> > happened, I noticed a .INI file. I opened it with Notepad, but did not
> > uncheck "open with this program by default". It changed all of them. I
> > reinstalled on a scrubbed (7 times) HD with a new motherboard and a flashed
> > BIOS, but put the old C-MOSS (spelling?) in. Had to reset the clock, but
> > with a fresh NTFS format (not Quick), fresh flashed BIOS and brand new
> > install, after just installing the OS I open the hidden system files and
> > lo and behold the .INI files still opened by default with Notepad (a
> > system setting saved by software only).
> > I have done this entire process with Vista Business, and XP Pro SP 2. DELL
> > has been helpful with hardware, but Kaspersky labs can not find the
> > issue in their Moscow lab.
> > I have used multiple scanning tools since the problem, and nothing finds
> > it!
> >
> >
> >

>
>
 
Leonard Agoado

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:416ACD42-3D6E-4C73-8720-057C224B7F4F@microsoft.com...
> Yes, when YOU the user opens them, then you have to select
> Notepad etc. to open it. But by default it opens with a system
> file and will not open, until you change it. That is why when
> you do an online search via the selection menu for opening a
> file the search comes up empty handed as an unknown file type.



Ian,

Just to put your claim to the test, I did a clean install of
XP Pro on a wiped box two hours ago. Notepad IS the default
application assigned to the ini file extension.

Len Agoado
agoado@msn.com
 
Leonard Agoado

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:7661525E-C434-43EB-B7A2-93CD298423FA@microsoft.com...
> Let me explain this problem again, while I am not juggling
> work, multiple
> support techs, and trying to get a quick blurb out there for
> the user base,
> and maybe some insight.
> There is a hack coming in through the Outlook.exe; this occurs
> during the send/receive process, at which time, while the
> outlook.exe file is being changed, it will hang for some time.
> Eventually the email goes out, but the time it takes is more
> than it would have taken to have emailed over 10x the
> information being sent. Moreover, I get a System Admin return
> mail (I am System Admin) telling me this recipient is not in
> their list of allowed hosts, error #5.7.1.



Ian,

Without regard to claims made in the rest of the post, any
571 error is coming from the SMTP server you are connecting to,
and the System Administrator referred to is that of the recipient
system - not you. The length of time taken may be time spent
waiting for a response from the recipient SMTP server.

http://kb.wisc.edu/wiscmail/page.php?id=3998


Len Agoado
agoado@msn.com
 
Ian

Cool, but that does not help me understand why that would begin to occur
with email to people that I have been emailing throughout the day. And it
does not explain the change in .exe files.

"Leonard Agoado" wrote:

>
> "Ian" <Ian@discussions.microsoft.com> wrote in message
> news:7661525E-C434-43EB-B7A2-93CD298423FA@microsoft.com...
> > Let me explain this problem again, while I am not juggling
> > work, multiple
> > support techs, and trying to get a quick blurb out there for
> > the user base,
> > and maybe some insight.
> > There is a hack coming in through the Outlook.exe; this occurs
> > during the send/receive process, at which time, while the
> > outlook.exe file is being changed, it will hang for some time.
> > Eventually the email goes out, but the time it takes is more
> > than it would have taken to have emailed over 10x the
> > information being sent. Moreover, I get a System Admin return
> > mail (I am System Admin) telling me this recipient is not in
> > their list of allowed hosts, error #5.7.1.

>
>
> Ian,
>
> Without regard to claims made in the rest of the post, any
> 571 error is coming from the SMTP server you are connecting to,
> and the System Administrator referred to is that of the recipient
> system - not you. The length of time taken may be time spent
> waiting for a response from the recipient SMTP server.
>
> http://kb.wisc.edu/wiscmail/page.php?id=3998
>
>
> Len Agoado
> agoado@msn.com
>
>
>
>
 
Paul Adare

On Thu, 1 Nov 2007 11:09:02 -0700, Ian wrote:

> Cool, but that does not help me understand why that would begin to occur
> with email to people that I have been emailing throughout the day. And it
> does not explain the change in .exe files.


<Sigh>

What change in the exe files?

</sigh>
--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Debug: The act of placing shoe leather against a small creeping creature.
 
Leonard Agoado

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:FFD28412-297A-4D53-8EDA-6D6756D7067C@microsoft.com...
>
> Cool, but that does not help me understand why that would begin
> to occur with email to people that I have been emailing
> throughout the day.



Ian,

That is the question you would have for their system
administrator/postmaster. Is it possible they have placed you in
their spam filter blacklist?

Len Agoado
agoado@msn.com
 
Ian

My boss and the software publishers I resell for are not putting me on their
black list. The hang happens only with email containing a document, but an
email with no attachments will get a bounce back as well.

"Leonard Agoado" wrote:

>
> "Ian" <Ian@discussions.microsoft.com> wrote in message
> news:FFD28412-297A-4D53-8EDA-6D6756D7067C@microsoft.com...
> >
> > Cool, but that does not help me understand why that would begin
> > to occur with email to people that I have been emailing
> > throughout the day.

>
>
> Ian,
>
> That is the question you would have for their system
> administrator/postmaster. Is it possible they have placed you in
> their spam filter blacklist?
>
> Len Agoado
> agoado@msn.com
>
>
>
 
Ian

These problems, and the EXTENSIVENESS of the hang, are recent issues!!!! I
have been working from the same location for a little over three years.



"Leonard Agoado" wrote:

>
> "Ian" <Ian@discussions.microsoft.com> wrote in message
> news:FFD28412-297A-4D53-8EDA-6D6756D7067C@microsoft.com...
> >
> > Cool, but that does not help me understand why that would begin
> > to occur with email to people that I have been emailing
> > throughout the day.

>
>
> Ian,
>
> That is the question you would have for their system
> administrator/postmaster. Is it possible they have placed you in
> their spam filter blacklist?
>
> Len Agoado
> agoado@msn.com
>
>
>
 
Leonard Agoado

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:DEF2082F-0967-465D-8E27-E91448FC6C96@microsoft.com...
> My boss and the software publishers I resell for are not
> putting me on their black list. The hang happens only with
> email containing a document, but an email with no attachments
> will get a bounce back as well.



Ian,

Does this happen with mail sent to anyone else?

Does mail sent to these recipients by anyone else have this
same problem?

What happens if you try to send to a hotmail account?

What happens if that hotmail account tries to send to your
recipients?

Len Agoado
agoado@msn.com
 
Ian

No, sometimes I have to have someone else send the email, but my wife, who
works from the same location, will be emailing fine. She is however on an
Exchange server for email, but my point is that it is not the server we both
go out to the net through. Our ISP server is the same. I am not emailing
people who are not expecting email from me.

"Leonard Agoado" wrote:

>
> "Ian" <Ian@discussions.microsoft.com> wrote in message
> news:DEF2082F-0967-465D-8E27-E91448FC6C96@microsoft.com...
> > My boss and the software publishers I resell for are not
> > putting me on their black list. The hang happens only with
> > email containing a document, but an email with no attachments
> > will get a bounce back as well.

>
>
> Ian,
>
> Does this happen with mail sent to anyone else?
>
> Does mail sent to these recipients by anyone else have this
> same problem?
>
> What happens if you try to send to a hotmail account?
>
> What happens if that hotmail account tries to send to your
> recipients?
>
> Len Agoado
> agoado@msn.com
>
>
>
 
Frank Saunders MS-MVP IE,OE/WM

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:6E55AEF0-FE92-49B2-ADD6-F92B11D62614@microsoft.com...
> No, sometimes I have to have someone else send the email, but my wife, who
> works from the same location, will be emailing fine. She is however on an
> Exchange server for email, but my point is that it is not the server we
> both go out to the net through. Our ISP server is the same. I am not
> emailing people who are not expecting email from me.
>
> "Leonard Agoado" wrote:
>
>>
>> "Ian" <Ian@discussions.microsoft.com> wrote in message
>> news:DEF2082F-0967-465D-8E27-E91448FC6C96@microsoft.com...
>> > My boss and the software publishers I resell for are not
>> > putting me on their black list. The hang happens only with
>> > email containing a document, but an email with no attachments
>> > will get a bounce back as well.

>>
>>
>> Ian,
>>
>> Does this happen with mail sent to anyone else?
>>
>> Does mail sent to these recipients by anyone else have this
>> same problem?
>>
>> What happens if you try to send to a hotmail account?
>>
>> What happens if that hotmail account tries to send to your
>> recipients?
>>
>> Len Agoado
>> agoado@msn.com
>>
>>
>>


Do a thorough check for malware, following all of the steps at one of these
Web pages.
Help with malware:
All MS-MVP Sites.
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/darnit.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Unexplained computer behavior may be caused by deceptive software.
http://support.microsoft.com/kb/827315

So How Did I Get Infected Anyway?
For quite a few people it's by installing programs like Messenger Plus,
whose ads for malware don't identify the malware as such and try to convince
you that you owe it to the author. See also:
http://www.wilderssecurity.com/showthread.php?t=27971
Don't ever do a "default" install of anything. Always choose Custom and see
what else is being carried along. Don't install any extras you're not sure
of.

--
Frank Saunders MS-MVP IE,OE/WM
www.fjsmjs.com
Do not send email
 
CanSpam

Time to check your e-mail server for "strange things".
Especially that the change of .exe files comes after Send/Receive, e.g. connect to e-mail server. Is that MS Exchange you have? Version? Or what else about it?


"Ian" <Ian@discussions.microsoft.com> wrote in message news:AB42A992-97D3-4D49-937E-472992591D28@microsoft.com...
> These problems, and the EXTENSIVENESS of the hang, are recent issues!!!! I
> have been working from the same location for a little over three years.
>
>
>
> "Leonard Agoado" wrote:
>
>>
>> "Ian" <Ian@discussions.microsoft.com> wrote in message
>> news:FFD28412-297A-4D53-8EDA-6D6756D7067C@microsoft.com...
>> >
>> > Cool, but that does not help me understand why that would begin
>> > to occur with email to people that I have been emailing
>> > throughout the day.

>>
>>
>> Ian,
>>
>> That is the question you would have for their system
>> administrator/postmaster. Is it possible they have placed you in
>> their spam filter blacklist?
>>
>> Len Agoado
>> agoado@msn.com
>>
>>
>>
 
Ian

You are right, it is not an email Exchange server though; it is a company
which provides hosted solutions.
It is a mass mailer hack. I spoke with someone I work with from a
financing company who uses a different server, as I had sent him
information for someone who needed financing. He never got the email, as his
email had been hijacked, and was sending out mass mailers. After I heard
this, I checked the bounce-back mail I had gotten, and while the first name
was the same, the domain was not even close to the person I had emailed.
In fact the email address which the bounced-back email was sent to was not
and had never been in my database!
Thanks to all who were so concerned with proving me to be a fake that they
could not realize I was explaining something that was not normal, and
including everything that was going on whether or not it was related to the
actual problem, since I do not know which of the symptoms were actually
symptoms, and which were actually unrelated. My email would not come in from
time to time, from my boss and others, so the end result of my warning: an
Outlook hijack, that does not get stopped by security software, which uses
your email account to send mass mailers.
"CanSpam" wrote:

> Time to check your e-mail server for "strange things".
> Especially that the change of .exe files comes after Send/Receive, e.g. connect to e-mail server. Is that MS Exchange you have? Version? Or what else about it?
>
>
> "Ian" <Ian@discussions.microsoft.com> wrote in message news:AB42A992-97D3-4D49-937E-472992591D28@microsoft.com...
> > These problems, and the EXTENSIVENESS of the hang, are recent issues!!!! I
> > have been working from the same location for a little over three years.
> >
> >
> >
> > "Leonard Agoado" wrote:
> >
> >>
> >> "Ian" <Ian@discussions.microsoft.com> wrote in message
> >> news:FFD28412-297A-4D53-8EDA-6D6756D7067C@microsoft.com...
> >> >
> >> > Cool, but that does not help me understand why that would begin
> >> > to occur with email to people that I have been emailing
> >> > throughout the day.
> >>
> >>
> >> Ian,
> >>
> >> That is the question you would have for their system
> >> administrator/postmaster. Is it possible they have placed you in
> >> their spam filter blacklist?
> >>
> >> Len Agoado
> >> agoado@msn.com
> >>
> >>
> >>

>
 
Ian

It is a mass mailer hack. I spoke with someone I work with from a financing
company, as I had sent him information for someone who needed financing. He
never got the email, as his email had been hijacked, and was sending out mass
mailers. After I heard this, I checked the bounce-back mail I had gotten,
and while the first name was the same, the domain was not even close to the
person I had emailed. In fact the email address which the bounced-back email
was sent to was not and had never been in my database!
Thanks to all who were so concerned with proving me to be a fake that they
could not realize I was explaining something that was not normal, and
including everything that was going on whether or not it was related to the
actual problem, since I do not know which of the symptoms were actually
symptoms, and which were actually unrelated. My email would not come in from
time to time, from my boss and others, so the end result of my warning: an
Outlook hijack, that does not get stopped by security software, which uses
your email account to send mass mailers. Have a nice day :)

"Paul Adare" wrote:

> On Wed, 31 Oct 2007 17:15:00 -0700, Ian wrote:
>
> > i have worked in the software industry for 3 years

>
> Wow, 3 whole years. Guess that makes you an expert eh?
>
> Seriously, you need to take a step back and think about what and how you're
> posting here.
>
> --
> Paul Adare
> MVP - Virtual Machines
> http://www.identit.ca
> Interface: The opposite of "Getouttamyface."
>
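Leonard's point that a 5.7.1 is issued by the server that refused the message, and Ian's later finding that the bounced recipient had never been in his database, can both be read off the bounce itself. The block below is an added example and not code from anyone in this thread: it parses the machine-readable delivery-status part of a bounce (RFC 3464), names the server that rejected the mail, and flags bounces for recipients you never mailed as backscatter from someone else sending with your address. The hosts, addresses, sent log and bounce text are constructed.

```python
"""Triage an SMTP bounce (RFC 3464 DSN): which server refused the mail, and was it ours?
Added example; every host, address and bounce line below is constructed."""
from __future__ import annotations
import email
from dataclasses import dataclass
from email import policy

# Constructed bounce shaped like the thread's case: a 5.7.1 refusal for a
# recipient the sender never mailed (same first name, unrelated domain).
SAMPLE_DSN = """\
From: Mail Delivery System <MAILER-DAEMON@mail.isp.example>
To: ian@reseller.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

Your message could not be delivered to one or more recipients.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.isp.example

Final-Recipient: rfc822; bob.jones@unrelated-domain.example
Action: failed
Status: 5.7.1
Remote-MTA: dns; mx.unrelated-domain.example
Diagnostic-Code: smtp; 571 5.7.1 Relaying denied: not in list of allowed hosts

--B1--
"""
# Constructed "sent log": the recipients this account really mailed that day.
SENT_TO = {"boss@reseller.example", "bob.jones@financing-partner.example"}

@dataclass
class Bounce:
    final_recipient: str
    action: str
    status: str         # RFC 3463 enhanced status code, e.g. "5.7.1"
    reporting_mta: str  # server that generated the DSN (the sender's side)
    remote_mta: str     # server that actually refused the message, if reported
    diagnostic: str

def _strip_type(value) -> str:
    """Drop the 'rfc822;' / 'dns;' type prefix RFC 3464 puts on field values."""
    text = "" if value is None else str(value)
    if ";" in text:
        text = text.split(";", 1)[1]
    return text.strip().lower()

def parse_dsn(raw: str) -> list[Bounce]:
    """One Bounce per per-recipient block of the message/delivery-status part."""
    msg = email.message_from_string(raw, policy=policy.default)
    bounces: list[Bounce] = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The stdlib parser splits delivery-status into header blocks:
        # blocks[0] is the per-message block, the rest are per-recipient.
        blocks = part.get_payload()
        reporting = _strip_type(blocks[0].get("Reporting-MTA"))
        for rcpt in blocks[1:]:
            bounces.append(Bounce(
                final_recipient=_strip_type(rcpt.get("Final-Recipient")),
                action=str(rcpt.get("Action", "")).strip().lower(),
                status=str(rcpt.get("Status", "")).strip(),
                reporting_mta=reporting,
                remote_mta=_strip_type(rcpt.get("Remote-MTA")),
                diagnostic=str(rcpt.get("Diagnostic-Code", "")).strip(),
            ))
    return bounces

def classify(b: Bounce, sent_to: set[str]) -> dict[str, str]:
    """Name the server that refused the mail and say whether the bounce is ours."""
    # Remote-MTA, when present, is the receiving server that said no; without
    # it, the reporting server itself refused or gave up on the message.
    rejected_by = b.remote_mta or b.reporting_mta
    if b.final_recipient not in sent_to:
        # We never mailed this address: someone else is sending with our address
        # (spoofed From or a hijacked account) and the bounces land on us.
        verdict = "backscatter"
    elif b.status.startswith("5.7."):
        # 5.7.x is a policy/security refusal by the receiving side; its
        # postmaster, not ours, decides whether our mail is accepted there.
        verdict = "policy-rejection"
    elif b.status.startswith("5."):
        verdict = "permanent-failure"
    else:
        verdict = "transient-failure"
    return {"verdict": verdict, "rejected_by": rejected_by,
            "recipient": b.final_recipient, "status": b.status}
```

Running `classify(parse_dsn(SAMPLE_DSN)[0], SENT_TO)` yields a backscatter verdict because the bounced recipient is absent from the sent log; with that address added to the log the same bounce becomes a policy rejection by mx.unrelated-domain.example, the server whose postmaster would have to answer for it.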
 
Gerald309

On Oct 31, 2:16 pm, Ian <I...@discussions.microsoft.com> wrote:
> There is a hack out there that is coming in through Outlook.exe (MS OFFICE
> Professional 2007) while in the Send/Receive Process. It leads to more
> Outlook.exe changes, as well as changes in svchost.exe. It leads to very
> slow sending of documents, and may be part of the Bot Net. After this has
> happened, I noticed a .INI file. I opened it with Notepad, but did not
> uncheck "open with this program by default". It changed all of them. I
> reinstalled on a scrubbed (7 times) HD with a new motherboard and a flashed
> BIOS, but put the old C-MOSS (spelling?) in. Had to reset the clock, but
> with a fresh NTFS format (not Quick), fresh flashed BIOS and brand new
> install, after just installing the OS I open the hidden system files and lo
> and behold the .INI files still opened by default with Notepad (a system
> setting saved by software only).
> I have done this entire process with Vista Business, and XP Pro SP 2. DELL
> has been helpful with hardware, but Kaspersky labs can not find the
> issue in their Moscow lab.
> I have used multiple scanning tools since the problem, and nothing finds it!


Interesting you suspect possible botnet network..... this may be the
very "Zero day". As a last resort for suspected bots there is now
Norton Antibot as one of the very first. Some people like everything
free but this one is shareware (pay). It scans for botnet activity by
their behaviors. Worth a shot for 30 bucks or whatever as compared to
techs up to 200 dollars an hour.

Possible zero day problem (meaning whatever was pumped into your
machine through the exploit by botnets - 'zombie networks' - other
than the actual "URI Zero Day Exploit"; SEE
http://www.bluecollarpc.net/threatsfaq.html)

Attackers take aim at IE7 flaw
http://tech.groups.yahoo.com/group/BlueCollarPC/message/30

Microsoft is warning users to avoid suspicious websites and emails after
attacks were reported on an unpatched flaw in Internet Explorer 7. The
company would not provide exact figures, but said that a "limited number"
of attacks had been reported. The attacks target a vulnerability in IE7's
handling of the uniform resource indicator (URI) commands used by browsers
to launch third-party applications.
(more.... http://www.browsersecuritynews.com/527/attackers-take-aim-at-ie7-flaw.html#more-527)

MORE
Zero-Day Hits IE-Firefox Combo
Larholm is calling this an IE zero day, blaming the vulnerability on
an input ... This is CLEARLY an issue with Firefox and its flawed URI
registration." ...
http://www.eweek.com/article2/0,1759,2156543,00.asp
Clip:
"It may be worth noticing that this is NOT an Internet Explorer flaw,
but a Firefox flaw," said a feedback post from Michael Mattson on
Larholm's site. "Why the author would title this article 'Internet
Explorer 0day Exploit' is really misleading, and shows the authors
lack of understanding of how programs register URI's. This is CLEARLY
an issue with Firefox and its flawed URI registration."

....perhaps an avenue worth exploring to backtrack possible malware
installation - meaning of course that the whole theme here hinges on
the idea that they got into your machine through the exploit and
installed further malware which no antivirus would find. Also try the
Trend Micro 'House Call' free pc scan. Trend Micro is excellent at
discovering variations of malware themes like re-written hacked
pirated software inverted for spying. One by personal experience is
the TSPY anti-cracking software employed by a badly written rootkit
attempt after apparently modifying the pirated software (TSPY
anticracking software) to employ as defense against detection and to
reinstall.

gerald philly ps usa
 