Re: suspicious little link...

  • From: "qubit" <lauraeaves@xxxxxxxxx>
  • To: <programmingblind@xxxxxxxxxxxxx>
  • Date: Sun, 5 Sep 2010 17:40:20 -0500

Hi trouble -- well I still disagree, unless I am not understanding you --
you need to (1) show all files, including OS files (see folder options); (2) 
show extensions for known file types (also in folder options); and (3) edit 
the registry as I said to remove the NEVERSHOWEXT attribute from everything 
that is hidden that way.
Then you will indeed get (hopefully) all of it.
--le

----- Original Message ----- 
From: "Trouble" <trouble1@xxxxxxxxxxxxxxx>
To: <programmingblind@xxxxxxxxxxxxx>
Sent: Sunday, September 05, 2010 5:02 PM
Subject: Re: suspicious little link...


Not only doing the show all files, but checking hide known file
types. With those two set right all files do show.

At 10:56 PM 9/4/2010, you wrote:
>Tyler --
>Thanks for the little bit of research.
>I still don't like a link with no text... but there is one thing I need to
>say yet again for the dozenth time -- the folder options view settings don't
>unhide all file types. There are many system specific ones, like .pif, .lnk,
>and some others, that are still hidden.  Not knowing this caused me a big
>headache the first time my machine got infected with a virus.  I infected it
>by opening a file called fun.mp3.  Its real name was fun.mp3.pif and it was
>a little piece of software that took me a week and some sighted assistance
>to remove.
>If you go to the registry and search for all lines containing the word
>NEVERSHOWEXT and delete those lines and save the registry, you will suddenly
>see all kinds of stuff that you probably didn't notice before. Now this is
>on XP. My win7 machine is newer and I haven't done the "surgery" on it as
>yet. I'm going to see if I can get along without it. But the point is,
>folder options are not enough.
>Happy hacking.
>--le
>
>----- Original Message -----
>From: "Tyler Littlefield" <tyler@xxxxxxxxxxxxx>
>To: <programmingblind@xxxxxxxxxxxxx>
>Sent: Saturday, September 04, 2010 9:17 PM
>Subject: Re: suspicious little link...
>
>
>Laura,
>I just did a bit more research for you, and came across this--I'll just
>quote the forum post.
>It seems as if you can drag a file to the icon and it will upload, so
>that .lnk you found was just to allow people to drag it to that icon.
>So it's not a trojan, just blocking the confirmation.
>Also, you don't need to go to the registry to unhide filetypes. Just go
>to tools and folder options in any folder, then go to the view tab, and
>go to hide extensions for known filetypes.
>Anyway, the promised post:
>For the benefit of anyone stumbling on this topic in the future:
>Simply appending /defaults to the commandline in the shortcut will fail.
>It will cause the shortcut to change behavior from bringing up the
>confirmation dialog, uploading (after user input) and exiting.. to
>simply opening the program, not touching the file.
>
>Instead, place the /defaults switch before the /uploadifany switch. The
>latter actually takes a parameter (just like /upload) and so you have to
>act accordingly.
>
>It's odd that the program creates the shortcut with the /uploadifany
>switch when there isn't any documentation on it anywhere, as far as I
>can tell - even googling the entire internet only turns up 3 irrelevant
>results - two in German, one in Japanese. AFAICT, /uploadifany is simply
>a version of /upload that does not return an error if it's used without
>a file list present.
>
>
>HTH,
>--
>Thanks,
>Tyler Littlefield
>
>On 9/4/2010 8:02 PM, Katherine moss wrote:
> > I think it's a Trojan, dude.  Scan your computer with
> > www.eset.com/onlinescan.  That should tell you unless they were silly enough
> > to overlook it.  And also, check the directories that WinSCP puts on your
> > system.  You could have just been unaware of it.
> >
> > -----Original Message-----
> > From: programmingblind-bounce@xxxxxxxxxxxxx
> > [mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of qubit
> > Sent: Friday, September 03, 2010 11:45 PM
> > To: bprogramming
> > Subject: suspicious little link...
> >
> > Hi all --
> > Could someone tell me if this is part of an attack and if so, how do I rid
> > my computer of it?
> > I was cleaning off my desktop of old files and discovered a file with the
> > name of " .lnk" (note that .lnk indicates it is a shortcut. I have fiddled
> > with the registry to unhide all extensions in windows explorer.)
> > Note that the above shortcut has the base name of a single space.  I looked
> > at the properties to see what this thing was pointing to, and found the
> > following.
> > target: c:\program files\WinSCP\WinSCP.exe /UploadIfAny
> >
> > I did in fact install WinSCP some time ago, but I was not aware of a little
> > shortcut named space uploading who-knows-what.
> > I don't know the target server of the upload or the directory on my machine
> > that it would look at.
> >
> > I wouldn't be surprised if there was a trojan on this laptop as I have
> > indiscriminately installed a number of programs, but given the suspicious
> > appearance of this shortcut I fear there are data files being compromised.
> > My machine is running xp pro, but I don't have server software running on
> > it.
> > So does anyone recognize this file? Could it be legitimate? Where would I
> > look for related files?
> >
> > I suppose the admin logs would shed light on any uploads.
> > Thanks.
> > --le
> >
> > __________
> > View the list's information and change your settings at
> > //www.freelists.org/list/programmingblind
> >
> >
> >
> > __________ Information from ESET NOD32 Antivirus, version of virus
> > signature
> > database 5423 (20100904) __________
> >
> > The message was checked by ESET NOD32 Antivirus.
> >
> > http://www.eset.com

Tim
trouble
Verizon FIOS support tech
"Never offend people with style when you can offend them with substance."
--Sam Brown

Blindeudora list owner.
To subscribe or info: //www.freelists.org/webpage/blindeudora
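
Added example (not part of any message in this thread): a Python sketch of the check discussed above, reporting file names whose displayed form is misleading once Explorer hides an extension through NeverShowExt, such as fun.mp3.pif or " .lnk". The function names and the extension set are assumptions made for this example (.pif and .lnk come from the thread; .url and .scf are added here); never_show_ext_classes() only reads the registry and works on Windows only.

```python
import os

# Extensions Explorer keeps hidden via NeverShowExt. .pif and .lnk are named in
# the thread; .url and .scf are assumptions added for this example.
HIDDEN_EXTS = {".pif", ".lnk", ".url", ".scf"}

# Constructed sample names, including the two cases from the thread.
SAMPLE = ["fun.mp3.pif", " .lnk", "WinSCP.lnk", "report.pdf", "v1.2 notes.lnk"]


def displayed_name(filename, hidden=HIDDEN_EXTS):
    """Return the name Explorer shows when the last extension is force-hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in hidden else filename


def audit(filenames, hidden=HIDDEN_EXTS):
    """Return (filename, reason) pairs for names whose displayed form misleads."""
    findings = []
    for name in filenames:
        shown = displayed_name(name, hidden)
        if shown == name:
            continue  # extension stays visible, nothing is concealed
        fake = os.path.splitext(shown)[1][1:]  # what looks like the extension
        if not shown.strip():
            findings.append((name, "blank display name"))
        elif fake.isalnum() and not fake.isdigit():
            findings.append((name, "displayed as a ." + fake + " file"))
    return findings


def never_show_ext_classes():
    """Read-only: list HKEY_CLASSES_ROOT classes with a NeverShowExt value."""
    import winreg  # Windows-only standard library module
    found, index = [], 0
    while True:
        try:
            cls = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, index)
        except OSError:
            return found  # no more subkeys
        index += 1
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, cls) as key:
                winreg.QueryValueEx(key, "NeverShowExt")
                found.append(cls)
        except OSError:
            pass  # value absent or key not readable


if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(repr(name), "->", reason)
```

On a Windows machine, the class names returned by never_show_ext_classes() show which file types are affected, so HIDDEN_EXTS can be replaced with the extensions registered to those classes.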
