Tyler --
Thanks for the little bit of research. I still don't like a link with no text... but there is one thing I need to say yet again for the dozenth time -- the folder options view settings don't unhide all file types. There are many system specific ones, like .pif, .lnk, and some others, that are still hidden. Not knowing this caused me a big headache the first time my machine got infected with a virus. I infected it by opening a file called fun.mp3. Its real name was fun.mp3.pif and it was a little piece of software that took me a week and some sighted assistance to remove.

If you go to the registry and search for all lines containing the word NEVERSHOWEXT and delete those lines and save the registry, you will suddenly see all kinds of stuff that you probably didn't notice before. Now this is on XP. My win7 machine is newer and I haven't done the "surgery" on it as yet. I'm going to see if I can get along without it. But the point is, folder options are not enough.

Happy hacking.
--le

----- Original Message -----
From: "Tyler Littlefield" <tyler@xxxxxxxxxxxxx>
To: <programmingblind@xxxxxxxxxxxxx>
Sent: Saturday, September 04, 2010 9:17 PM
Subject: Re: suspicious little link...

Laura,
I just did a bit more research for you, and came across this--I'll just quote the forum post. It seems as if you can drag a file to the icon and it will upload. So that .lnk you found was just to allow people to drag it to that icon. So it's not a Trojan, just blocking the confirmation.

Also, you don't need to go to the registry to unhide filetypes. Just go to tools and folder options in any folder, then go to the view tab, and go to hide extensions for known filetypes.

Anyway, the promised post:

For the benefit of anyone stumbling on this topic in the future: Simply appending /defaults to the commandline in the shortcut will fail. It will cause the shortcut to change behavior from bringing up the confirmation dialog, uploading (after user input) and exiting.. to simply opening the program, not touching the file.

Instead, place the /defaults switch before the /uploadifany switch. The latter actually takes a parameter (just like /upload) and so you have to act accordingly.

It's odd that the program creates the shortcut with the /uploadifany switch when there isn't any documentation on it anywhere, as far as I can tell - even googling the entire internet only turns up 3 irrelevant results - two in German, one in Japanese. AFAICT, /uploadifany is simply a version of /upload that does not return an error if it's used without a file list present.

HTH,
--
Thanks,
Tyler Littlefield

On 9/4/2010 8:02 PM, Katherine moss wrote:
> I think it's a Trojan, dude. Scan your computer with
> www.eset.com/onlinescan. That should tell you unless they were silly
> enough to overlook it. And also, check the directories that WinSCP puts
> on your system. You could have just been unaware of it.
>
> -----Original Message-----
> From: programmingblind-bounce@xxxxxxxxxxxxx
> [mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of qubit
> Sent: Friday, September 03, 2010 11:45 PM
> To: bprogramming
> Subject: suspicious little link...
>
> Hi all --
> Could someone tell me if this is part of an attack and if so, how do I rid
> my computer of it?
> I was cleaning off my desktop of old files and discovered a file with the
> name of " .lnk" (note that .lnk indicates it is a shortcut. I have fiddled
> with the registry to unhide all extensions in windows explorer.)
> Note that the above shortcut has the base name of a single space. I looked
> at the properties to see what this thing was pointing to, and found the
> following.
> target: c:\program files\WinSCP\WinSCP.exe /UploadIfAny
>
> I did in fact install WinSCP some time ago, but I was not aware of a little
> shortcut named space uploading who-knows-what.
> I don't know the target server of the upload or the directory on my machine
> that it would look at.
>
> I wouldn't be surprised if there was a trojan on this laptop as I have
> indiscriminately installed a number of programs, but given the suspicious
> appearance of this shortcut I fear there are data files being compromised.
> My machine is running xp pro, but I don't have server software running on
> it.
> So does anyone recognize this file? Could it be legitimate? Where would I
> look for related files?
>
> I suppose the admin logs would shed light on any uploads.
> Thanks.
> --le
>
> __________
> View the list's information and change your settings at
> //www.freelists.org/list/programmingblind
>
> __________ Information from ESET NOD32 Antivirus, version of virus
> signature database 5423 (20100904) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
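
Added example (not part of the original thread): a Python sketch of the two file-name cases discussed above, fun.mp3.pif and the shortcut named with a single space. It computes the name a file manager would display when certain extensions are always suppressed, then flags names whose displayed form is blank or ends in a harmless-looking extension. The extension sets, function names and sample list are assumptions made for illustration.

```python
# Extensions the thread names as staying hidden even when "hide extensions
# for known file types" is turned off. Assumption: only the two named in the
# thread are listed; extend the set from an audit of your own machine.
ALWAYS_HIDDEN = {".pif", ".lnk"}

# Constructed set of extensions a user would read as harmless content.
DECOY_EXTS = {".mp3", ".jpg", ".txt", ".doc", ".pdf", ".avi"}


def displayed_name(filename, hidden=ALWAYS_HIDDEN):
    """Return the name as shown when extensions in `hidden` are suppressed."""
    stem, dot, ext = filename.rpartition(".")
    if dot and "." + ext.lower() in hidden:
        return stem
    return filename


def audit(filename, hidden=ALWAYS_HIDDEN, decoys=DECOY_EXTS):
    """Return findings for one file name; an empty list means nothing odd."""
    shown = displayed_name(filename, hidden)
    findings = []
    if shown != filename:
        # Real extension is invisible; check what the user is left looking at.
        if not shown.strip():
            findings.append("blank-display-name")
        _, dot, inner = shown.rpartition(".")
        if dot and "." + inner.lower() in decoys:
            findings.append("decoy-extension")
    return findings


def scan(filenames):
    """Map each flagged file name to its findings, skipping clean names."""
    report = {}
    for name in filenames:
        findings = audit(name)
        if findings:
            report[name] = findings
    return report


# Constructed sample: the two names from the thread plus ordinary files.
SAMPLE = ["fun.mp3.pif", " .lnk", "fun.mp3", "WinSCP.lnk", "notes.txt"]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE).items():
        print(repr(name), "shown as", repr(displayed_name(name)), findings)
```

A flagged name is only a prompt to inspect the file's properties and target, as was done with the WinSCP shortcut in the thread.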