Let me start by explaining that I am a software developer with a decade of
experience in developing software for Windows. I have Windows Firewall,
Windows Antispyware, Computer Associates Internet Security Suite and
Symantec Antivirus and a Symantec router with hardware firewall and the
popup blocker is on.

So, you can imagine how surprised I was to find that I apparently acquired
spyware while browsing using Internet Explorer on Windows XP Home Edition
Service Pack 2. I did visit some sites that had heavy ads. I am at a loss to
explain how I got spyware when I did not consent to downloading or executing
any code. Could there be an undiscovered loophole?

It is impossible to troubleshoot, because I think the first piece of spyware
downloaded many more pieces of spyware before I had a chance to stop it. I
deleted executable files with random or suspicious names from all over the
place. According to Symantec Antivirus, LavaSoft AdAware and SpyBot, there
were about a dozen different pieces of spyware that had to be removed. And I
still found pieces they all missed.

Right now, I am not sure if the spyware is really gone. When I open most
programs (including Notepad and Internet Explorer), it creates a subfolder
of my Temp folder, then a small file inside of that folder, then deletes it.
The file is NOT an executable. That can't be normal behaviour, can it? What
kind of vulnerability can hook into the starting of most programs? I could
not find any non-standard shell execute hooks or an AppInit_DLLs registry
key.

So, I have two big concerns now:
1. How did I get spyware when I did not consent to downloading or executing
any code in Internet Explorer, and did not install any software of any kind
for weeks?
2. Is the spyware still present?

Can anyone offer any thoughts or advice?

Paul

Re: Spyware method of infection? And is it still present? by Malke

Malke
Fri Dec 16 09:28:00 CST 2005

Answer to Question 1 - welcome to the wonderful world of spyware.
There's no way to tell you definitively how the cr*p got on your
system. Maybe through an IE or Java security vulnerability. If you
really want to get your eyes opened about how this stuff works, check
out some of these sites:

http://www.benedelman.org/
http://www.bleepingcomputer.com/forums/forum22.html
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://www.spywarewarrior.com

Answer to Question 2 - Run HijackThis and post your log to one of the
following forums (not here, please):

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

Re: Spyware method of infection? And is it still present? by Paul

Paul
Fri Dec 16 10:13:28 CST 2005

Malke,

Thanks for a swift and informative answer!

Paul

Re: Spyware method of infection? And is it still present? by PA

PA
Fri Dec 16 11:55:50 CST 2005

So How Did I Get Infected Anyway?
http://www.wilderssecurity.com/showthread.php?t=27971

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/archive/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org


Re: Spyware method of infection? And is it still present? by Paul

Paul
Fri Dec 16 15:29:04 CST 2005

Thanks :)



Re: Spyware method of infection? And is it still present? by PA

PA
Fri Dec 16 17:16:41 CST 2005

YW. Let us know how you make out.
--
~PA Bear


Re: Spyware method of infection? And is it still present? by Paul

Paul
Mon Dec 19 10:18:51 CST 2005

Someone helped me on spybot's forum.

I still don't know how I got infected, but I had a "Winlogon Notify" entry
and two services referencing Spyware, even after the numerous cleanups and
my own extensive tours of the registry :) HijackThis was a god-send in
finding these things I had previously failed to see using regedit.

I think Symantec Antivirus eventually cleaned up these things, and all my
problems went away. But it did not clean them up completely. They helped me
get rid of orphaned registry entries.

Paul




Re: Spyware method of infection? And is it still present? by PA

PA
Mon Dec 19 12:32:44 CST 2005

Sounds like a Vundo/Winfixer infection. If your handler didn't have you
update Sun Java runtimes, please do so for best protection against such
hijackware:

Uninstall J2SE [1.4.2] java package via Add/Remove Programs.

Next, navigate to and delete:

C:\Program Files\Java <=this folder

Then go to http://www.java.com/en/download/manual.jsp and click the link to
download the Windows (Offline Installation) package: Save it, do NOT run it.

When the download is complete, close the browser and install it.

Also run Disk Cleanup and "flush" System Restore
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039)


Thanks for posting back.
--
~PA Bear



Re: Spyware method of infection? And is it still present? by Paul

Paul
Mon Dec 19 13:21:01 CST 2005

I have Java automatically update itself. I hope that is working!

I thought about System Restore, then after trying for a little while and
failing to figure out how to delete old restore points, I kind of forgot
about it.

I learned what a control set is, then found the same registry entries in my
LastKnownGood control set, so I deleted those too. The person who helped me
on Spybot's forum said they were only concerned about the current control
set. The executable files were already gone by then anyway.

I will do these things tonight.

Paul
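
The registry locations named in this thread (AppInit_DLLs, Winlogon Notify, and services in every control set, including LastKnownGood) can be checked offline from a registry export. The following is an added example, not part of the original posts and not how HijackThis works internally; the sample export, the `examplentfy` and `examplesvc` names, their paths and the allow-list are constructed for illustration.

```python
import re

# Constructed sample in .reg export format (not data from the thread).
# "examplentfy", "examplesvc" and their file paths are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplentfy]
"DLLName"="C:\\WINDOWS\\system32\\example1.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Dhcp]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\examplesvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,65,00,78,00,2e,00,\
  65,00,78,00,65,00,00,00
'''
# Assumed allow-list for this sample only; build yours from a known-clean install.
ALLOWED_NOTIFY = {"crypt32chain"}

NOTIFY_RE = re.compile(r"hkey_local_machine\\software\\microsoft\\windows nt"
                       r"\\currentversion\\winlogon\\notify\\([^\\]+)$")
SERVICE_RE = re.compile(r"hkey_local_machine\\system\\controlset(\d{3})\\services\\([^\\]+)$")
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SELECT_KEY = r"hkey_local_machine\system\select"

def _decode(raw):
    """Turn the right-hand side of a .reg value line into str or int."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex\((?:1|2|7)\):(.*)$", raw)
    if m:  # string types exported as UTF-16LE bytes (REG_EXPAND_SZ is hex(2))
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", "replace").rstrip("\x00")
    return raw

def parse_reg(text):
    """Return {key path: {lower-cased value name: decoded value}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and cur is not None:
            name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
            cur[name.lower()] = _decode(m.group(2))
    return keys

def audit(text, allowed_notify):
    """Return (check, location, detail) tuples for entries worth a manual look."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    findings = []
    appinit = str(keys.get(WINDOWS_KEY, {}).get("appinit_dlls", ""))
    if appinit.strip():
        findings.append(("AppInit_DLLs", "Windows", appinit))
    roles = {}  # control set number -> roles assigned by the Select key
    for role, num in keys.get(SELECT_KEY, {}).items():
        if isinstance(num, int) and num:
            roles.setdefault(num, []).append(role)
    services, sets_seen = {}, set()
    for path, values in keys.items():
        m = NOTIFY_RE.match(path)
        if m and m.group(1) not in allowed_notify:
            findings.append(("WinlogonNotify", m.group(1), str(values.get("dllname", ""))))
        m = SERVICE_RE.match(path)  # the CurrentControlSet alias is deliberately not matched
        if m:
            n = int(m.group(1))
            sets_seen.add(n)
            services.setdefault(m.group(2), {})[n] = str(values.get("imagepath", ""))
    for name, per_set in sorted(services.items()):
        if sets_seen - set(per_set):  # service key missing from at least one control set
            for n, image in sorted(per_set.items()):
                tag = "ControlSet%03d (%s)" % (n, "/".join(sorted(roles.get(n, ["unreferenced"]))))
                findings.append(("ServiceNotInAllSets", name + " @ " + tag, image))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, ALLOWED_NOTIFY):
        print(" | ".join(finding))
```

A real export written by regedit in this format is UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `audit`. A service key that differs between control sets is a lead to inspect by hand, not proof of infection.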




Re: Spyware method of infection? And is it still present? by PA

PA
Mon Dec 19 16:36:00 CST 2005

> I have Java automatically update itself. I hope that is working!

You may be very surprised!
--
~PA Bear




Re: Spyware method of infection? And is it still present? by Paul

Paul
Tue Dec 20 08:13:59 CST 2005

That could be a bit of a problem if Java cannot be relied upon for security
as much as Internet Explorer can.

After all, security is only as strong as the weakest link. Throw some Java
on a web page, and Java becomes the last line of defense.

Paul




Re: Spyware method of infection? And is it still present? by Paul

Paul
Fri Dec 23 12:33:34 CST 2005

Yeah, I had version 1.4 and should have had 5.0 (I think). I bet that's what
happened. Stupid automatic updating (not).

Paul




Re: Spyware method of infection? And is it still present? by PA

PA
Fri Dec 23 12:57:28 CST 2005

Make *certain* you uninstall any previous versions, Paul.
--
~PA Bear



Re: Spyware method of infection? And is it still present? by Paul

Paul
Tue Dec 27 17:24:20 CST 2005

Yes, I did, as according to your instructions. Thanks :)

Paul




Re: Spyware method of infection? And is it still present? by PA

PA
Tue Dec 27 17:50:01 CST 2005

YW & thanks for posting back.



Re: Spyware method of infection? And is it still present? by Paul

Paul
Fri Dec 30 08:21:11 CST 2005

You know what! I just read this security advisory:
http://www.microsoft.com/technet/security/advisory/912840.mspx

I am pretty certain this is what let my spyware in! I recognize the symptoms
(this WMF thing).

And it sounds like it is still being researched and that there is no fix for
it? That is rare that an exploit is being actively exploited before
Microsoft both know about it and fix it. A scary day indeed.

Microsoft's suggestions would not have helped me. In summary:
Run various security software - done, didn't help much
Don't follow scary links in email - done, they were unscary links in search
results

Paul




Re: Spyware method of infection? And is it still present? by PA

PA
Fri Dec 30 12:22:57 CST 2005

Yes, the hijackware forums are full of this stuff.

Go back to the Security Advisory page.

Fully expand Suggested Actions > Workarounds subsection to see steps you can
take to "help block known attack vectors".

Additional Resources:

Protect Your PC
http://www.microsoft.com/athome/security/protect/

Microsoft Security Home Page
http://www.microsoft.com/security/default.mspx
--
~PA Bear




Re: Spyware method of infection? And is it still present? by Paul

Paul
Fri Dec 30 14:02:19 CST 2005

Thanks :)

Paul




Re: Spyware method of infection? And is it still present? by PA

PA
Fri Dec 30 14:36:33 CST 2005

YW. Make certain Automatic Updates is enabled. I'd be surprised if MS
didn't release a patch for this vulnerability very soon.

How to configure and use Automatic Updates in Windows XP:
http://support.microsoft.com/?kbid=306525
--
~PA Bear



Re: Spyware method of infection? And is it still present? by Paul

Paul
Fri Dec 30 15:20:35 CST 2005

Yes, it is enabled! I really am very well protected and knowledgeable. That's
why I was so shocked this happened to me.

Paul




Re: Spyware method of infection? And is it still present? by Stephen

Stephen
Fri Dec 30 15:26:15 CST 2005

> YW. Make certain Automatic Updates is enabled. I'd be surprised if MS
> didn't release a patch for this vulnerability very soon.

I hope not. It will screw up the limited bandwidth of anyone with laptops
and no more than 56K access.
And I should think with the Sony Rootkit fallout, MS will think twice before
taking the choice away.

Mine is set on disabled and deliberately so.
I manually decide. I accept that not all prefer this and that it makes less
sense for those non-technical.

SH



Re: Spyware method of infection? And is it still present? by PA

PA
Fri Dec 30 16:43:13 CST 2005

Stephen Howe wrote:
> > YW. Make certain Automatic Updates is enabled. I'd be surprised if MS
> > didn't release a patch for this vulnerability very soon.
>
> I hope not. It will screw up the limited bandwidth of anyone with laptops
> and no more than 56K access.
> And I should think with the Sony Rootkit fallout, MS will think twice
> before taking the choice away.
>
> Mine is set on disabled and deliberately so.
> I manually decide. I accept that not all prefer this and that it makes less
> sense for those non-technical.

While this is veering widely OT, understand that AU can be configured to
"Notify Only" (i.e., will not automatically download or install updates).

If/when released, the Patch should only be a couple hundred KB. You
probably receive emails with pix from relatives that are larger than that.
<w>
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org


Re: Spyware method of infection? And is it still present? by Frank

Frank
Sat Dec 31 05:30:16 CST 2005

"Stephen Howe" <stephenPOINThoweATtns-globalPOINTcom> wrote in message
news:u%23GZseYDGHA.688@TK2MSFTNGP11.phx.gbl
>> YW. Make certain Automatic Updates is enabled. I'd be surprised if
>> MS didn't release a patch for this vulnerability very soon.
>
> I hope not. It will screw up the limited bandwidth of anyone with
> laptops and no more than 56K access.
> And I should think with the Sony Rootkit fallout, MS will think twice
> before taking the choice away.
>
> Mine is set on disabled and deliberately so.
> I manually decide. I accept that not all prefer this and that it makes
> less sense for those non-technical.
>
> SH

Automatic Updates runs at a very low priority and should not screw up
anyone's bandwidth. At home I run this computer on a dialup connection that
rarely reaches 28800 bps and have never noticed any problem from AU.

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/




Re: Spyware method of infection? And is it still present? by Paul

Paul
Tue Jan 03 08:15:21 CST 2006

So, no problem from enabling AU. And we hardly need to mention the danger of
*disabling* AU. Everyone has to make their own choice, but it seems very
clear to me.

Paul

"Frank Saunders, MS-MVP OE" <franksaunders@mvp