lexback.exe 'downloader trojan'


Cluttermagnet

Hi, guys-

I have really about three related questions about this nasty. Found it Wednesday Feb 11th on a friend's computer. He is clueless and should not be online, but it looks like he picked it up about 4 days before my lengthy Wed. session to try to improve and harden his system (defrag, better browsers, email clients, a supplemental new ISP, many diagnostic and security utilities, etc). I managed to get almost everything on his long list done except hooking up the printer for which they have lost the power cord. An HP and the cord is non-standard. Arrrghh! BTW I found his unpartitioned 20G hard drive in an amazing state of disarray- the Speed Disk map was not a pretty sight, and Norton reported it at 55+ percent fragmented. Yikes! Probably rarely if ever defragged in its long tortured life to date.

He has the usual AOL mess running some version of IE. AOL is v.9. My god I hate those people with a passion usually only reserved for the likes of Juno and Netzero and Gator and the worst of blackhat miscreants. Oh, BTW his obnoxious MSN messenger is getting hijacked and I did not take the time to figure out how to put a muzzle on it. Maybe in retrospect that was a big mistake. Remember, folks, I'm a 98SE diehard and do not own a machine that has XP on it. And that's what I'm having to deal with, like it or not. His floppy drive was not working for some inexplicable reason. I did see it work on Feb 7th. That was very frustrating and increases the level of difficulty, as I had a copy of a much better file editor only on floppy and not on any of my CDs. I will remedy that promptly. So I had to put up with the crappy Windows Explorer which MS has made ever so more awful in XP. Let's just say that XP has control issues- it wants to control everything- and that is like a bull and a red flag for me, as I have some control issues of my own and don't like being pushed around. Let's just say that after now about 6 months plus of light exposure to XP, I not only hate it, but I hate it with an ever increasing passion! Am I making my point? It was a tough 7-1/2 hour shift. I prefer software that accommodates itself to me, not vice versa. I'm funny that way...

Anyway, during a lengthy session with his computer, an AMD type with XP Pro at about 550MHz, as I began to add security programs and run them for the first time, I noticed for the first time something was dropping the OS in its tracks and forcing a reboot. This always happened when running Spybot S&D and also NAV 2002 with latest updates. Both programs start but neither is allowed to run to completion. NAV gets throttled much sooner. At some point, something crashes Windows. I was immediately suspicious. NAV then started popping up a window complaining about a virus c:\windows\system(32)\lexbac.exe and could not handle it. The NAV alarm window is an endless loop and non-closable. I think it is supposedly in both system and system32, plus no doubt liberally sprinkled crap at various other HD locations.

Earlier Wed. I had noticed a new process I had not seen on this box at last visit. It was diagnosed as a webdialer by Ad Aware and was more or less deleted. That one was called "Webdialer_od-stnd550". Can anyone identify what I'm dealing with? I did some web searching, and there is already some grief out there on the net related to the lexbac executable. Anybody know what I am dealing with? I suspect they might have to get some of the AV pros to write a removal utility for most of us slowpokes. I mess with the registry sometimes, but am still real timid. Yes, I backup. Well, at least this unknown beastie is not on one of my machines. I'm stuck with cleaning it off of his, however.

Second question- the few sparse references on the web include a post to Computer Cops where the person lists their logfile from a running of HijackThis v1.97.7 and an experienced moderator suggests which registry items and files to dump, including at least one hidden one. It sounded a little complicated but possibly doable by me. So I went looking for a download of Hijack This and the site has been dead all evening and morning, probably hammered by all the desperate hordes. Anyone know of a clean alternative source for this small 149K utility?

Finally, is it within the expertise of our little group to formulate a plan of attack for removing this little beastie based on a "Hijack This" logfile? If not, should I just be patient and wait for Symantec and all? Earlier Wed. evening, they made no mention of it in their latest crop of threats. I think this one is a little bigger than me at the moment. Besides, I'm a beginner in the sense that I have never, ever, to my knowledge, gotten virused or trojaned on any of my machines- but I did have a part in this mess. In effect, by agreeing to give lessons to my friend, I may have left him with an inappropriate sense of competence and empowerment. I honestly don't know if the dialer trojan exactly happened on my watch or not. Maybe he surfed some porn sites after I left- who knows? B) He had another experienced helper over the next day, but I don't think it is her fault. She helped with some file moves aimed towards posting online resumes on Sun. 8th. The install date of the dialer trojan showed as Feb. 7th, and unfortunately I was present for at least part of that day. I knew we were in over our heads, but where do you start with folks who are struggling to learn AOL for the first time. You know what, boys and girls? AOL is not at all easy or intuitive for a beginner. You do fumble around for a while, and that's with someone who is pretty good at file management and has 7 years experience with Win computers, namely me. That AOL is a real piece of, er, work. I hate it, I hate it, etc. He never had a fighting chance going online the way I found his machine set up. So now I'm dealing with my first official virus/trojan and I have gone back to being a newbie. Oh, joy! Comments?

Thanks, Clutter


RichNRockville

Clutter, from my viewpoint, it looks like a complete wipe by using the hard disk manufacturer's utility disk. There are times that starting from Zero is the easiest. Of course copy all the data files to backup. And then the first thing to do after the clean install is to install anti-virus and update it. I have had to do this a couple of times and based on time, it is a lot easier.


Cluttermagnet
Clutter, from my viewpoint, it looks like a complete wipe by using the hard disk manufacturer's utility disk. There are times that starting from Zero is the easiest.

May be, Rich-

But I'm certainly feeling a lot of initial resistance to your suggestion. What did you think of the exchange at the url I gave? Sounds like that mod knew just how to easily purge that beastie. Actually, upon rereading, the procedure he outlined sounds easy enough, and the registry mods are handled by "Hijack This", not by a rookie operator. It still sounds doable to me, if I could only get a copy of that little utility.

Oh, and I've got to ask you- you mention using the hard drive manufacturer's utility disk. Don't you mean the computer manufacturer? Usually it is Dell or HP or whoever that provides whatever disks or more likely hidden images of the pristine HD as set up by them. Or are you talking about a low level reformat of the entire drive as opposed to a Windows/DOS reformat?

nlinecomputers

I haven't read your link yet but I've used Hijack This and it is very good at removing items that are embedded into the OS. The only bad thing about it is that it lists everything that is loaded so if you just try and remove everything you'll yank out needed links to Java, or Adobe Acrobat and so forth.

As for usability in XP. I find that users like you will be happier if you go to the display control in control panel and select Themes and select the classic theme. This will give you a desktop that is more like Windows 2000 and that is closer to Windows 98.

I then go to Explorer, hit the tools menu item Folder options and change tasks to "use windows classic folders". In the next tab "view" I turn off the hiding of file extensions and the blocking of folder views like the windows system folders. I put full paths in the title bar and so on. I then go to Drive C and change the view to detail view and go back to the view tab and hit apply to all folders. That gets rid of all the fricken' big toy icons and gets you some lists and tree views you can work with.

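The triage nlinecomputers describes above, sketched as an added example (not part of the thread and not HijackThis's own code): it sorts the autostart lines of a HijackThis-style log into entries to fix, keep, or research before touching, instead of removing everything listed. The sample log, the `O4` line layout as written here, the `VERIFIED` paths and the `updchk32.exe` entry are constructed assumptions; only `lexbac.exe` and its system-folder location come from the thread.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Constructed sample in the style of a HijackThis log (not from the thread).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Internet Explorer Updater] C:\WINDOWS\System32\lexbac.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 6.0\Reader\reader_sl.exe
O4 - HKLM\..\Run: [updchk] C:\WINDOWS\System32\updchk32.exe
"""

# File name reported as malicious in the thread; matched by name in any folder.
WATCHLIST = {"lexbac.exe"}

# Hypothetical allowlist of entries the operator has already verified.
# Full paths, not bare file names: a dropped file can reuse a trusted name.
VERIFIED = {
    r"c:\program files\java\j2re1.4.2\bin\jusched.exe",
    r"c:\program files\adobe\acrobat 6.0\reader\reader_sl.exe",
}

# The thread notes the downloaded files mostly land in the Windows system folder.
SYSTEM_DIRS = {r"c:\windows\system", r"c:\windows\system32"}

# Assumed layout of an autostart line: "O4 - <location>: [<name>] <command>"
ENTRY_RE = re.compile(
    r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$"
)
EXT_RE = re.compile(r"(.+?\.(?:exe|dll|com|bat|scr|pif))(?:\s|$)", re.I)


def exe_path(cmd):
    """Return the executable path from a command line, without its arguments."""
    cmd = cmd.split(" = ", 1)[-1].strip()  # Startup entries: "name.lnk = target"
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXT_RE.match(cmd)  # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return (verdict, name, path) for every autostart entry in the log."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not an autostart line; out of scope for this sketch
        cmd = m["cmd"]
        name = m["name"] or cmd.split(" = ", 1)[0]
        path = exe_path(cmd)
        lowered = path.lower()
        if ntpath.basename(lowered) in WATCHLIST:
            verdict = "fix"             # known bad: safe to select for removal
        elif lowered in VERIFIED:
            verdict = "keep"            # needed entry: leave unchecked
        elif ntpath.dirname(lowered) in SYSTEM_DIRS:
            verdict = "research-first"  # unknown file in the usual drop folder
        else:
            verdict = "research"        # unknown: look it up before deciding
        results.append((verdict, name, path))
    return results


if __name__ == "__main__":
    for verdict, name, path in triage(SAMPLE_LOG):
        print(f"{verdict:15} {name:32} {path}")
```

Anything not marked "fix" or "keep" is a lookup task, not a removal candidate.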

Guest LilBambi

Cluttermagnet,

Are you trying to download HiJackThis! from the computer in question? Hope not.

You are better off taking this computer home where you can have Internet access on another computer for research along the way for questions on running files, files found, specific virii or spyware/malware found, etc. Also, makes it easier to get the things you need as you go, because there could easily be a curveball you hadn't anticipated. If they have some of the nastier spyware/malware, trojans, etc., this will likely take HOURS!

You need to get all your downloads for spyware removal (including latest reference files, updates from the sites), HiJackThis!, latest CWShredder removal tool, KaZaA BeGone, CleanXP, etc. and burn them to CDR on your system and take it with you. Don't forget manual installer for updates or updates for their antivirus program. Firewall and/or antivirus program if they don't have one, etc.

You may also want to download for your CDR a copy of SpySweeper (free trial). Also, be sure to read up on your lexbac.exe trojan downloader prior to doing anything:

http://www.google.com/search?q=lexbac.exe&...=utf-8&oe=utf-8

See Spywareinfo.com (choose the software link at the top, and Spyware Warrior for download links along the right). You really need to read up a bit on what you are finding on that computer and removing some of these horrible things. It can take HOURS and reboots after reboots between pieces of removal.

If after you read the above and you really still feel you should at least give it a try.

First! Disconnect the computer from the Internet even if you have to unplug it first from the network connection or modem. Then turn off System Restore on the system.

Close Messenger from the system tray and then rename the C:\Program Files\Messenger directory to anything other than Messenger.

Move all start items (except ones related to hardware) to a disabled start items folder temporarily. Can put back what is absolutely needed later.

Go into msconfig.exe (from Start|Run) and we are hoping you can actually get it to open! Some backdoor trojans immediately close msconfig and other tools including "alt+cntrl+del" process/task list....anyway...in msconfig, turn off all but the absolute necessities to run the system.

Reboot the computer.

Install your spyware removal tools etc, and the updates, ref files etc. but don't run them yet.

I would first customize Fred Langa's CleanXP batch file for that computer's configuration and run CleanXP first to get rid of the superfluous stuff that gets put over time in the temp files and temporary internet files. Or any other similar type program to get rid of temp and temporary internet files that you feel comfortable with.

The reason to get rid of the temp and temporary internet files first is that is often where these types of things hide or leave backups of themselves. Also, all your programs will run faster if they don't have to go through a bazillion temp and temporary internet files.

Then run SpyBot*, then Ad-aware* ... they will both likely ask you if it can run on next boot, tell it yes. But don't reboot till you run them both once.

Reboot.

If you put SpySweeper* trial on, run that and remove all that it finds. Reboot.

NOTE: In all the above, do not remove CDilla! That is a monitoring item, but is part of DRM for some programs like Intuit's programs, etc. They will not be able to use them if you remove this.

Rinse repeat above* till no items are found, even after opening IE.

Reboot.

All three of the removal tools will find stuff that the other one didn't so be sure to run them all and the other little tools like CWShredder, KaZaA BeGone, HiJackThis! (be careful with HiJackThis! as Nathan indicated).

After you have done all this. Run the update for the Antivirus software (not online! Use what you burned to CDR). Run the AV software full system scan on ALL files with heuristic scanning.

LOL! Gee ... I know I am forgetting something. Oh, yeah, make sure you get the WinsockXPFix.exe on the CDR as well from the shaw.ca site ...since some removals can break the winsock.

Once you feel pretty confident that there are no more pieces of crap running or on the computer.

Install a personal firewall if they don't have one, and reconnect the Internet NIC connection (if on a networked situation), or dial in if on dialup. Attempt to load google.com. If you can get to a site great, if not ... run the WinsockXPFix.exe ... if you still can't get Google, reconfigure the network card.

If you still can't get in, you may just have to remove and reinstall network card, or possibly the whole OS if you can't figure out what file was corrupted by one of the problems you removed.

If/After you get back online after the computer appears to be clean. Go get a second antivirus software packages' opinion. I often use TrendMicro's Housecall for this, or you can use Symantec's online scanning or any other good online AV scanner.

Get all WindowsUpdates, etc.

---

Rich is so right ... You really have to weigh the time cost to you versus the needs of the client, or in this case your friend. Would he be better served by having a fresh install and getting all the hardening items in place so it will be less likely that this will happen again?

What are you trying to accomplish? Simply learning something about these dastardly things? How would your friend be better served? There are times when you have to really decide which way is best for them.

There are many times when Rich is absolutely right, cutting your losses and starting fresh are often a much better option for the person's computer in the long run, because the OS will be much more stable and you can get all the hardening taken care of before it sees the Internet again. Not always, but very often.

But it depends on why you are trying to clean it up in the first place. There are always mitigating factors.

NOTE: These are only some basic things to try ... each set of problems takes diagnostics specific to the situation and what you find on a computer.

Your call.

Hope this helps some ... This morning several of the spyware removal tool sites are giving me fits for downloads including this one. If you are still having problems getting to some of the sites...see below:

Alternate location for HiJackThis!:

http://www.tomcoyote.org/hjt/

Other places to check for help on manual removal of spyware/malware etc.:

http://www.doxdesk.com/parasite/

Also, if you still can't get the latest HiJackThis! from their site, I have uploaded the latest versions that I have from this past week (just an http file list) here for: HiJackThis!, KaZaA BeGone, CWShredder -- only valid for this week (2/12/04) because you really need the latest versions to take care of all known problems, but these will get you by for now, but they will be on my site this week. Hopefully the apparent DoS or tremendous use of these sites (hopefully this is all it is) will be under control on spywareinfo.com and a couple other spyware removal download sites by next week.

There are so many other things that should be done, printout of BelarcAdvisor (for hardware, product keys and licenses, etc.), backup of drivers, backup of data and personal files, and more. ... We usually boot the computer to knoppix and attach to a Linux computer to copy all the personal data/files etc. These files will need to be virus scanned and spyware scanned as well before put back on the computer if a reinstall turns out to be necessary or prudent which it often is.


1) Just seconding LilBambi's comment that several anti-spyware sites were having problems. I wasn't able to get to Spywareinfo or its CWShredder updates for a day or so. Okay now.

2) A bit off-topic. But since Cluttermagnet mentions antivirus programs being throttled or causing crashes, there is something else fairly new doing this. Also a REMOVAL UTILITY. From http://www.majorgeeks.com/download4113.html :

"CoolWWWSearch.SmartKiller (v1 and v2) is a new, real ugly variant of CoolWWWSearch. When running, it will close every browser window you use to visit a large list of anti-spyware-sites, and even will close Spybot-S&D and some other anti-spyware applications as well.

"So if your copy of Spybot-S&D (or the anti-spyware application of your choice) closes a few seconds after starting, or your browser closes whenever you try to visit an anti-spyware site, try this CWS.SmartKiller removal utility."


Why not just switch to a browser such as Mozilla? I got hacked once and made the switch. :ermm: You can then spend more time surfing the net without having to worry about spyware, killers, destroyers, hijack this, hijack that, hijack everything, update this, update, that, download this, fix this, repair that, uninstall, format, fdisk, clean sweep, no sweep, search for, hide from, look for, beware of, don't go here, don't go there,.................LOL B)


Cluttermagnet

Thanks, guys-

Some very helpful and enlightening comments so far, and I am just beginning to grasp the seriousness of the task, should I decide to do battle. And I haven't even visited the Google reference or other sites suggested because I know in my heart I am not going to like what I am going to learn. The moment I laid eyes on Rich's suggestion, I knew in my heart he was right- darn it! I have not discussed all this at any length with my friend yet. FWIW, I have remembered and reconstructed what happened on Sat Feb 7th. I showed up about 10-10:30AM and we worked together about 5 hours, or til about 3-3:30PM. The install date/time on the dialer trojan I saw on Feb 11th was Feb 7th at about 4:47PM. He got loose alone on the internet with AOL and his lovely IE browser and got driveby downloaded. More later as I work my way through this. I think I'm gonna be sick... :ermm: B)


Cluttermagnet

Although I'm really just getting into it, I'm struck by how ambiguous a situation this trojan represents. I'm thinking that the full extent of the payload may not yet have been grasped? It's a paradox- on the one hand, it is described as being mild, not too destructive, yet it downloads and installs a number of executables into Windows system. Here are some descriptive remarks about lexdlr.a from a Trend Micro writeup:

Virus Type: Trojan
Destructive: No
Pattern file needed: 713
Scan engine needed: 5.400
Overall risk rating: Very Low
Reported infections: Low
Damage Potential: Low
Distribution Potential: Low
Description: Upon execution, this Trojan contacts a Web site that contains a list of files that are downloaded and executed by this malware. These files are mostly dropped in the Windows system folder. It runs on Windows 95, 98, ME, NT, 2000 and XP.

Doesn't sound too bad, does it? To fix it, you have to delete a number of files using Windows Task Manager and make a registry backup and then change a handful of registry entries. Depending on who is talking about it, it is a relatively easy one to recover from, all the way up to something that is so intransigent and so dangerous that you are better off wiping your hard drive and starting over. I'm confused.

I have yet to hear any comments about the purpose of this little nasty. What does it do, what does it have the potential to do? So far I have not heard any conclusions from anyone. Maybe it is still too new for the threat to have been fully analyzed. It may be the first wave of what could later be the quick and easy total takeover of all affected computers? BTW this is not apparently one that is at all contagious. I'm hearing nothing about it propagating. It is apparently just a driveby exploit of IE or else a clever human-engineered ruse to get some unlucky sap to 'click here' and install it. I doubt the full story is out yet on this one.

BTW Trend Micro also had a different page about a trojan called pitux.a which is apparently also associated with lexbac.exe. That description also fits what I saw on that machine, in fact slightly better than the lexdldr.a writeup, so I'm not even sure which variant I am dealing with.

Cluttermagnet
Why not just switch to a browser such as Mozilla? I got hacked once and made the switch. :ermm:
Oh, you are soooooo right! Trouble is, the trojan got to him 4 days before I could get over there and make these changes. He has a copy of Firebird on his HD, for all the good that is doing us now. :D B)

Cluttermagnet
"CoolWWWSearch.SmartKiller (v1 and v2) is a new, real ugly variant of CoolWWWSearch. When running, it will close every browser window you use to visit a large list of anti-spyware-sites, and even will close Spybot-S&D and some other anti-spyware applications as well. "So if your copy of Spybot-S&D (or the anti-spyware application of your choice) closes a few seconds after starting, or your browser closes whenever you try to visit an anti-spyware site, try this CWS.SmartKiller removal utility."
A good point. Well, the behavior I actually saw was that the trojan did not shut down Spybot S&D for quite a long time. It did eventually kill XP, however, but that was after a minute or two where S&D appeared to run normally and find various stuff. OTOH it killed XP very soon after launching a NAV check of the HD. It was so very clear that this was an 'intelligent' process, so very obvious. This was/is a very stable XP OS that I had never seen crash, and then I saw it crash consistently when I tried to run security software. I was able to run S&D for a while, tell it to halt, and use it to remove some spybots it found, including the "Webdialer_od-astnd550" dialer it found. Same with Ad Aware 6.0. As I recall, I was able to run it long enough to get a number of 'hits', then halt it in mid-process and delete what it had found. NAV is really hated by the spybot, however, and that process lasted only a short time before something crashed the OS.

I think this trojan does not kill browser incidences that are used to navigate to anti-spyware sites. I got to the S&D site just fine. It definitely does not kill S&D in seconds, it is more like a minute or two.

Program Name: Internet Explorer Updater
Executable Name: lexbac.exe
Required: NO!! Virus, spyware, or resource hog
Comments: Added as a result of the DOWNLOAD VIRUS!

This is what I found at the Startup Programs and Executables Listing at this page: [http://www.lafn.org/webconnect/mentor/star...up/PENINDEX.HTM] I didn't provide a direct link per the author's request at the top of the page - hopefully this fulfills his wishes.

CM - does this tell you any more than you knew already? What other kind of info are you looking for?

Why not just switch to a browser such as Mozilla?
I don't think he can. His friend is tied into AOL. He could use it to download anti-spyware/adware tools though.

If Trend Micro is classifying this thing as a virus why not just download PC-cillin, using Mozilla or Netscape, and run it to get rid of it? PC-cillin can be downloaded and used for 30 days free of charge. They also have an online free Housecall but this "thing" may interfere with its running since it requires IE. The idea of downloading a bunch of tools and utilities at home then burning them to a CD to take with you is a very good idea. You could take PC-cillin over that way. Make sure you download the most current update for PC-cillin and take that too.

CM

I had a similar situation with a system last month. Ran S&D, Ad-Aware, HijackThis, Updated Norton, Trend-Micro and other software [reg. cleaners]. I spent so much time trying to get the system back to normal - I could have driven across the country and back.

Though I had been successful in the past cleaning up systems using these same tools, no matter what I did on this particular system, it would appear to work for awhile, then BANG! Back to square one. Did the big "F" and a reinstall. :ph34r:

EdP

Oops....missed the AOL part. But I do remember reading a post from someone, somewhere stating: "AOL software has destroyed more computer systems than any virus ever has." Or was that Microsoft updates...........LOL :lol:


nlinecomputers

You can use whatever browser you wish with AOL as long as you let AOL connect first. Once it is fully connected then you can start up Mozilla. But with AOL running resources will be low as it is a HEAVY resource hog.


You can use whatever browser you wish with AOL as long as you let AOL connect first. Once it is fully connected then you can start up Mozilla.

You know that, I know that, and I'd venture to wager that 95% of the posters here know that. What do you think the odds are that Cluttermagnet's friend knows that? :thumbsup: :thumbsup: :thumbsup: :thumbsup:

Cluttermagnet
CM - does this tell you any more than you knew already?  What other kind of info are you looking for?
Hi, siebkens-

Well, not really much new there. All four lines look familiar and I do think you are talking about substantially the same beastie I am. It does appear there are variants around, however. I have already turned up two different ones Trend Micro is calling by different names. Both have the file lexbac.exe in common, but there are also some other files downloaded which differ. One was called lexdldr.a and the other is pitux.a. Based on some lists of files expected, it looks rather more like pitux to me- but both are associated with lexbac.exe, so what do I know? Oh, if you want to get precise, they actually call them "troj_lexdldr.a" and so on. You can probably find it without the prefix, however.

What I really have heard very little of is a good threat assessment. The early writeups on the Trend Micro site were pretty reassuring, but if this thing is so harmless, how do they know that? Their tech writeup added little more to my knowledge. I can only repeat the summary from Trend Micro:

Virus Type: Trojan
Destructive: No
Pattern file needed: 713
Scan engine needed: 5.400
Overall risk rating: Very Low
Reported infections: Low
Damage Potential: Low
Distribution Potential: Low
Description: Upon execution, this Trojan contacts a Web site that contains a list of files that are downloaded and executed by this malware. These files are mostly dropped in the Windows system folder. It runs on Windows 95, 98, ME, NT, 2000 and XP.

Sounds fairly harmless and perhaps even easy to remove by anyone experienced with these? I don't know.

EdP made a good suggestion. I can try PC-cillin.

I may look into letting CW Shredder have a whack at it too, if that makes any sense.

Sorry, Rons, sounds like you got one of the latest, nastiest ones.

Yes, Nathan and Ed, we all know that (use any browser after connecting to AOL, also in several other services), and my friend will soon be clued in that regard. :unsure:

Guest LilBambi

Here's Sophos' entry for this baddie:

Troj/Lexup-A

This one makes a reference to the following Sophos link for specific removal instructions for trojans on various types of Windows here too:

Removing Trojans

This lexbac.exe isn't even specifically noted in Symantec's listings. The only lex related item I could find was this one:

http://securityresponse.symantec.com/avcen....niovadoor.html

It does similar things with AV software, opens port, registry key entries, but it drops this file: PIDLex.exe ... totally different file.

Often the biggest problem with these types of trojans is not so much the trojan itself (and as they noted, it's not that hard to remove the trojan itself), but more importantly what the trojan creator places on the computer after the trojan compromises the system for them.

Hope some of this is helpful Cluttermagnet.

Good luck!


Cluttermagnet
Often the biggest problem with these types of trojans is not so much the trojan itself (and as they noted, it's not that hard to remove the trojan itself), but more importantly what the trojan creator places on the computer after the trojan compromises the system for them.
Thanks LilBambi-

I'm still trying to pull together some semblance of a battle plan for Sunday, my next scheduled bout with this trojan. The owner has been out sick a couple days now, but he knows not to connect to the internet until further notice.
...what the trojan creator places on the computer after the trojan compromises the system for them.
You hit the nail on the head. I have yet to hear from anyone who really knows that, and it creeps me out. For all I know, he has now been root kitted. Or perhaps at worst there is a keylogger now set up. Who knows? I will have to quiz him a bit more as to what of any real value is on there. I personally entered his credit card info in setting up his new ISP- that was before I realized he had been virused- so for all I know, that account may now be compromised if there is a keylogger on board. My sense of it is not really much of value. Some personal stuff like resumes in various versions, but he has copies of all them on another machine anyway. I do remember seeing active processes that are known trojans, though I didn't know it at the time, and all evidence points to their all having been put on there once he got the downloader trojan on his hard drive. Rich is probably right, scrubbing the HD might be the only way to ever be sure you got it all. Having quizzed the owner as to whether or not his son has the install CD for XP I could not really get a straight answer. This guy is not one of the computer illuminati- heck, he's not even -literati if you get my drift. :thumbsup: Outside the computer world he is actually quite a bright and successful man. On his computer, he has done the equivalent of driving on a learner's permit without having an experienced, licensed adult on the passenger side- and he promptly ran it into a ditch on his own. Arrghhh! Bah Humbug!

Guest LilBambi

Well, good luck to you Cluttermagnet ... these things sure do make for some of the most interesting challenges LOL!

If it would be of any benefit, there are a couple programs that you can use on Win2K/XP (does not work on Win9x) to check for any known keyloggers:

For more advanced users: KL-Detect

For most users (per KL-Detect's page: applies the same principle as KL-Detector, but is simpler and easier to use.): KeyLogger Hunter


Cluttermagnet
Well, good luck to you Cluttermagnet ... these things sure do make for some of the most interesting challenges LOL! If it would be of any benefit, there are a couple programs that you can use on Win2K/XP (does not work on Win9x) to check for any known keyloggers: For more advanced users: KL-Detect. For most users (per KL-Detect's page: applies the same principle as KL-Detector, but is simpler and easier to use.): KeyLogger Hunter

Many thanks, Fran.

I have downloaded and will of course try both. Late Saturday night I will burn a CD with quite a number of items such as this. BTW so far Trend Micro has stiffed me on any evaluation copy of PC-cillin. I fill out the simple form and submit, they serve a window promising to email me 'soon' with the secret code (url for evaluation download) and the email never arrives. Despite repeated attempts. And they think that this level of service is going to induce me to buy their software?

BTW so far Trend Micro has stiffed me on any evaluation copy of PC-cillin. I fill out the simple form and submit, they serve a window promising to email me 'soon' with the secret code (url for evaluation download) and the email never arrives. Despite repeated attempts.
Is it possible that their reply is being filtered as spam before it gets to your inbox? I'm finding this to be a problem from time to time with both of my email accounts since ISPs and email services are trying new ways to combat spam. Has only begun happening to me in the last 6 months or so.

Fred Langa [Langalist Newsletter] did a test in which he sent some 10,400 plain text messages to all volunteers that were expecting it - nothing that should trip a spam filter was included. 4 out of every 10 were not delivered to the sender. :D


Cluttermagnet
Is it possible that their reply is being filtered as spam before it gets to your inbox? I'm finding this to be a problem from time to time with both of my email accounts since ISPs and email services are trying new ways to combat spam. Has only begun happening to me in the last 6 months or so.
Hi, Siebkens- It is of course possible, but not very likely. I'm in the starpower domain, and I doubt they do much filtering much of the time. Of course, things can change over time. I did ask my other ISP and they told me straight out that they only filter for those who are doing web mail with them. OTOH, anyone who does pop mail with them is getting the internet totally unfiltered. I suspect the same is true for starpower. I do 99 percent pop email using Mailwasher to prescreen. My spam levels are still quite acceptable, and I do not mind deleting a few spams on my ISP server. I would really rather I had to do that, as opposed to having any ISP filtering going on behind my back. I don't want it. I can deal with my own spam. :D

Cluttermagnet
Fred Langa [Langalist Newsletter] did a test in which he sent some 10,400 plain text messages to all volunteers that were expecting it - nothing that should trip a spam filter was included. 4 out of every 10 were not delivered to the sender. :D
It was an unrealistic test IMHO, and although Fred substantially stood his ground and said he believed the test was indeed valid, I think it was somewhat flawed. The problem is he used a word or words in the subject line that are highly associated with spam, and a lot of folks who are filtering automatically dumped his email. Others pointed out that the unknown email addy plus the suspicious subject line probably caused them to manually delete it promptly as spam. So they reported having never seen the test email, either. Go search the internet and read the past issues of the LangaLetter to get more of a feel for what happened. More than one interpretation of the results he reported is definitely possible. That aside, let me hasten to add that I think very highly of Fred and trust him explicitly. I very much enjoy his newsletter and always recommend it enthusiastically when I'm with the 'right persons' with somewhat advanced skill levels who can definitely benefit from it. Same with Scot's newsletter. Always read it fully as any new copy comes out. I look forward to the newsletters because I have learned so many new things from them first, and gotten put on to so much wonderful software and Windows techniques, etc. :lol:

nlinecomputers
It was an unrealistic test IMHO, and although Fred substantially stood his ground and said he believed the test was indeed valid, I think it was somewhat flawed. The problem is he used a word or words in the subject line that are highly associated with spam, and a lot of folks who are filtering automatically dumped his email. Others pointed out that the unknown email addy plus the suspicious subject line probably caused them to manually delete it promptly as spam. So they reported having never seen the test email, either. Go search the internet and read the past issues of the LangaLetter to get more of a feel for what happened. More than one interpretation of the results he reported is definitely possible.
Wasn't that part of the point of the test? I was in his test and was expecting some sort of mail from him. But without clues on what to search for I had to manually scan my spam can in order to find and respond to the test. All of his mail ended up in my spam box. But almost all new email newsletters or signup acknowledgements end up in my can as well. Once I train my filter (most of the time it takes a single sample) I don't have that problem but I have to remember to scan the spam can in order to find them. The only problem with his test was there was no way to inform him that I found the messages manually over finding them via a sort filter.

I read all of the rants and raves directed toward Fred and why his testing method was flawed and invalid. I think he was trying to show that email may be becoming unreliable for various reasons. Even if his testing showed that 9 out of 10 arrived to the sender - no matter what the reasons were - 1 didn't make it. I also believe he was trying to show that our email system needs to be revamped. That a system of verification may be needed to stem the tide of spam. Congress can pass anti-spam laws forever, and I seriously doubt it will do much good. My 2 cents.................


Cluttermagnet
I read all of the rants and raves directed toward Fred and why his testing method was flawed and invalid. I think he was trying to show that email may be becoming unreliable for various reasons. Even if his testing showed that 9 out of 10 arrived to the sender - no matter what the reasons were - 1 didn't make it. I also believe he was trying to show that our email system needs to be revamped. That a system of verification may be needed to stem the tide of spam. Congress can pass anti-spam laws forever, and I seriously doubt it will do much good. My 2 cents.................
That is basically right, Rons, and from Fred's viewpoint, the undelivered and bounced mails are intolerable. I'm glad I don't have to deal with what he does. Yes, email is fatally flawed and it will be nice when they finally agree on a new method to clean up this mess. Still, I think it was, er, controversial to say the least that he used a word like (as best I recall) "hi" or was it "hello" in his subject line. Apparently such words get you deleted as spam. I have sent such messages myself- simply not grasping the significance of choosing the word "hello" to use in my subject line. Maybe that's why certain of my emails never got answered, I guess. Slowly I am learning...