CastleCops, Internet Crime Fighters

Requesting help deciphering a regular expression

 
Ikeb

Posted: Wed Nov 19, 2003 5:35 am    Post subject: Requesting help deciphering a regular expression

OK, I'm trying to learn a bit more about regular expressions by checking through some of the filters I have set up already. I picked on the following one randomly so perhaps it's not the best place to start. But now that I've begun, I'd like to see it through (with someone's help of course Wink )

I'm trying to figure out the last regex from Gary's [1] Extended Blacklist (F) filter, to wit:

Quote:
\w+-replyto-\d+-d+@.+\.com


So here's what I've come up with (I've added comments to document my understanding)

(?# match any number of letters)\w+
(?# followed by "-replyto-")-replyto-
(?# followed by any number of digits)\d+
(?# followed by a dash?)-
(?# followed by any number of 'd' characters???)d+
(?# followed by the '@' character)@
(?# followed by any number of characters and/or numbers).+
(?# followed by the '.' character)\.
(?# finally ending with 'com')com

So I might expect the following to trigger this filter?

abcd-replyto-12345-ddddd@1d23ne67dhg.12sd.com

Does this make sense? I didn't expect to find this. Confused

BTW, am I correct that any number of "." characters (i.e. dots) will match the ".+" part of the expression?

And the second "." followed by "com" completes the match right? Why doesn't the first "." match the "\." part of the expression?

denn988

Posted: Wed Nov 19, 2003 2:40 pm

Ikeb,

You are close.

To start out...here is a link to the TRegExpr v.0.947 tool for checking Regular Expressions used in MWP. I think rusticdog provided this link somewhere else on this forum, but I can't remember for sure.

Download the 'regexp.zip' file and the appropriate help file and extract them both to the same directory on your hard drive. This program should provide the same results as the filters in MWP will.

As far as your interpretation of the RegEx you provided:


Quote:
(?# match any number of letters)\w+


\w matches alphanumeric characters including letters, numbers and the '_' underscore.


Quote:

(?# followed by any number of 'd' characters???)d+


Sure looks malformed to me also...perhaps it should be \d+ to trap numerics.


Quote:
(?# followed by any number of characters and/or numbers).+


Actually, the dot matches anything.

Note...if you precede the expression with the perl extension (?-s), it will not match line separators.


Quote:
So I might expect the following to trigger this filter?

abcd-replyto-12345-ddddd@1d23ne67dhg.12sd.com

Does this make sense? I didn't expect to find this.


That is probably because of the malformed d+ mentioned above.



Quote:
BTW, am I correct that any number of "." characters (i.e. dots) will match the ".+" part of the expression?


Any number of characters, including 'dots' will match the ".+"


Quote:
And the second "." followed by "com" completes the match right? Why doesn't the first "." match the "\." part of the expression?


Because the expression is looking for ".com" as written. The first part is matched by the ".+".


By the way....the difference between the + and the * is that the plus will match 1 or more while the * will match 0 or more. In other words, "\d+a" requires at least one number, then an a...."\d*a" will match without any number prior to the a.

Ikeb

Posted: Wed Nov 19, 2003 3:55 pm

Thanks for reviewing my understanding of the filter Denn988. The missing '\' in front of that 'd' sure threw me off. I thought perhaps the '-' characters did something I should know about. Instead I found a bug in one of Gary's filters it seems.... Confused

Actually I downloaded the TRegExpr stuff last night. I also downloaded Visual RegExp only to discover I'd have to install TCL as well. While the author does point to ActiveTCL, a free 12MB download, I could find nothing - even at the ActiveState site - that explains what TCL's purpose is. Any idea?

denn988

Posted: Wed Nov 19, 2003 6:08 pm

Ikeb,

I don't know much about it, but TCL stands for "Tool Command Language". It is a scripting language and it is required for using Visual RegExp.

By the way....there are a lot of things about Gary's filters that seem a bit strange.

Ikeb

Posted: Wed Nov 19, 2003 7:28 pm

denn988 wrote:
I don't know much about it, but TCL stands for "Tool Command Language". It is a scripting language and it is required for using Visual RegExp.

Thanks for the TCL reference. While TCL looks interesting I don't have a pressing need for it. After using TRegExpr, I don't think I'll bother to finish installing Visual RegExp.

denn988 wrote:
By the way....there are a lot of things about Gary's filters that seem a bit strange.

I'd be interested in any errors you've found and, while he hasn't been around much, I suspect Gary would as well.

Perry

Posted: Thu Nov 20, 2003 1:17 am

Ikeb wrote:
Thanks for reviewing my understanding of the filter Denn988. The missing '\' in front of that 'd' sure threw me off. I thought perhaps the '-' characters did something I should know about. Instead I found a bug in one of Gary's filters it seems.... Confused

Actually I downloaded the TRegExpr stuff last night. I also downloaded Visual RegExp only to discover I'd have to install TCL as well. While the author does point to ActiveTCL, a free 12MB download, I could find nothing - even at the ActiveState site - that explains what TCL's purpose is. Any idea?


And what is this toolbar this site tried to install on my machine which would not close the install box without going to task manager and terminating it?

Could not tell if it was a legit do not install or not, however the program was already running.

Perry

Ikeb

Posted: Thu Nov 20, 2003 3:36 am

Perry wrote:
And what is this toolbar this site tried to install on my machine which would not close the install box without going to task manager and terminating it?

At the TRegExpr site you mean? Good question. There's no info at the site as to the utility or just who GAIN Publishing is. The MS 'Security Warning' window is brought up every time a new page is selected at the site.

I just had to click 'No'.

Perry wrote:
Could not tell if it was a legit do not install or not, however the program was already running.

Already running? You installed it already then?

Perry

Posted: Thu Nov 20, 2003 6:59 am

Ikeb wrote:
Perry wrote:
And what is this toolbar this site tried to install on my machine which would not close the install box without going to task manager and terminating it?

At the TRegExpr site you mean? Good question. There's no info at the site as to the utility or just who GAIN Publishing is. The MS 'Security Warning' window is brought up every time a new page is selected at the site.

I just had to click 'No'.

Perry wrote:
Could not tell if it was a legit do not install or not, however the program was already running.

Already running? You installed it already then?


This is a good question.

I never intentionally hit anything that accepted the XP warning or the certificate acceptance window. I did this just before work so need to do some more scanning on the hard drive.

I found tb_setup.exe along with toolbar.dll and one other in the temp directory as well as in the MSIE cache directories and got rid of them. However I did have to terminate the process via taskmanager.

Basically the box said that toolbar whatever was installed do you wish to keep it, yes/no. I tried simply to close the box but could not, so killed it in task manager.

I can't find any artifacts anywhere so hopefully it is gone.

The reason I mentioned 'intentionally' is because I selected the download of the regexp help file and then my mouse moved to the download box via the setting in the mouse properties. Then I went to hit the save button in the file requester. At this point I got the popup box for the toolbar and closed it out. When I went back at this point the file had not started the download at all so I am thinking that I actually nailed a box that didn't stay up long enough to see that positioned itself in front of the file requester box save button.

I don't know for sure on this or if there is another little trick that actually installed it into the temp directory.

I suggest that anyone that saw this toolbar do a check on their hard drive for tb_setup.exe, maybe others got it as well and don't know it yet.

I looked at the files and they show no author ownership, but does show a version number. Gain publishing was shown in the certificate, but I didn't see it in the files.

Tomorrow when I get home I'll scan the rest of the machine, but for right now I am fairly sure I caught it in time. That reminds me now though to go look for Gain publishing on the net to see what it comes up with.

Thanks for letting me know that you saw it as well so I can eliminate any other site that I went to just prior to this including this one.

Perry

gary

Posted: Thu Nov 20, 2003 8:48 pm

Ikeb wrote:
I thought perhaps the '-' characters did something I should know about. Instead I found a bug in one of Gary's filters it seems.... Confused


Oops, it sure looks that way. I test each filter to make sure they work as expected, but somehow some errors have still been creeping in. The "-" was just a literal, in this case.

Ikeb wrote:

denn988 wrote:
By the way....there are a lot of things about Gary's filters that seem a bit strange.

I'd be interested in any errors you've found and, while he hasn't been around much, I suspect Gary would as well.


I still drop by every once in a while! Wink Work has been keeping me hopping, sorry. That's why I've still not put out a new revision, even though one is ready to go.

The syntax for some of the filters probably makes some people scratch their heads, but if you'll post questions or bugs, I'd be more than happy to answer or fix any problems. Some of the syntax is also tailored around specific issues with the RegExpr library being used, so it may be even less obvious what the filter is trying to accomplish.

Thanks!

Ikeb

Posted: Fri Nov 21, 2003 12:22 am

gary wrote:
Ikeb wrote:
I thought perhaps the '-' characters did something I should know about. Instead I found a bug in one of Gary's filters it seems.... Confused


Oops, it sure looks that way. I test each filter to make sure they work as expected, but somehow some errors have still been creeping in. The "-" was just a literal, in this case.

And it would be tough to go through all the regex filters by hand.

gary wrote:
Ikeb wrote:

denn988 wrote:
By the way....there are a lot of things about Gary's filters that seem a bit strange.

I'd be interested in any errors you've found and, while he hasn't been around much, I suspect Gary would as well.


I still drop by every once in a while! Wink Work has been keeping me hopping, sorry. That's why I've still not put out a new revision, even though one is ready to go.

The syntax for some of the filters probably makes some people scratch their heads, but if you'll post questions or bugs, I'd be more than happy to answer or fix any problems. Some of the syntax is also tailored around specific issues with the RegExpr library being used, so it may be even less obvious what the filter is trying to accomplish.

It might be a good idea to publish the test file(s) used to qualify a set of filters. That way someone other than yourself could review the same set of filters to a) verify that the regular expressions work against the text properly (i.e. catch finger problems) and b) more easily allow the regex test(s) to be reviewed for anything important missing from the test (i.e. catch functional problems). Also, comments accompanying each regex, could help part b) and, if the comment relates to the test file, could help part a) as well.

Just a "minor" suggestion to "ease" your workload..... Rolling Eyes Wink
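
The behaviour worked out in the posts above (the bare "d+", the greedy ".+" before "\.com", and the idea of a published test file), as an added example that is not part of the original thread. Python's re module stands in for the TRegExpr library, an unanchored search is assumed, and the addresses other than Ikeb's and the expected verdicts are constructed for illustration.

```python
import re

# Filter exactly as quoted in the thread (note the bare "d+").
AS_PUBLISHED = r"\w+-replyto-\d+-d+@.+\.com"
# Correction suggested in the thread: "\d+" in place of "d+".
AS_CORRECTED = r"\w+-replyto-\d+-\d+@.+\.com"

# Constructed test file: (address, should the filter fire?).
# Expected verdicts assume the filter is meant to catch numeric ids.
CASES = [
    ("abcd-replyto-12345-67890@mail.example.com", True),
    ("news-replyto-7-42@example.com", True),
    # Ikeb's address from the thread: literal d's, not digits.
    ("abcd-replyto-12345-ddddd@1d23ne67dhg.12sd.com", False),
    ("abcd-replyto-12345-67890@example.org", False),  # no ".com"
    ("abcd-replyto-12345-67890@.com", False),   # ".+" needs 1+ chars
    ("replyto-1-2@example.com", False),         # nothing before "-replyto-"
]


def failures(pattern, cases=CASES):
    """Return the addresses where the filter's verdict differs from expected."""
    rx = re.compile(pattern)
    return [addr for addr, want in cases if bool(rx.search(addr)) != want]


def domain_split(address):
    """Show which text the greedy ".+" keeps and which dot "\\.com" takes."""
    m = re.search(r"@(.+)(\.com)", address)
    return m.groups() if m else None


if __name__ == "__main__":
    for name, pat in (("published", AS_PUBLISHED), ("corrected", AS_CORRECTED)):
        print(name, "fails on:", failures(pat))
    print(domain_split("abcd-replyto-12345-ddddd@1d23ne67dhg.12sd.com"))
```

The published pattern fails in both directions: it misses the numeric addresses and fires only on the literal-d one, which is the kind of finger problem a shared test file exposes.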

Perry

Posted: Sat Nov 22, 2003 7:30 am

Ikeb wrote:
Perry wrote:
And what is this toolbar this site tried to install on my machine which would not close the install box without going to task manager and terminating it?

At the TRegExpr site you mean? Good question. There's no info at the site as to the utility or just who GAIN Publishing is. The MS 'Security Warning' window is brought up every time a new page is selected at the site.

I just had to click 'No'.

Perry wrote:
Could not tell if it was a legit do not install or not, however the program was already running.

Already running? You installed it already then?


Well, that is one site I will not revisit.

It now appears to be a little more devious when it comes to its install. This is what appears to be going on. First off it places itself in two places as far as the setup program, your temp directory and your temp internet files. Deleting them here has no effect on the next boot. tb_setup is present as a registry setting at:

HKLM software\microsoft\windows\current version\run

The key will show the path to the temp directory for tb_setup.

This needs to be killed, but then one has to ask, how does it run if the file is missing? Good question. Upon a little inspection I ran into a second file sitting in system 32. Unfortunately I killed it so fast after spotting it I didn't catch the exact name, but it was running in task manager -bti something .dll. I am now thinking that it sits in there and creates the other file in the temp directory upon bootup, which is then launched via the run settings in the above key. SpyBot picked up about 30 registry settings to this file when I ran it after I previously killed the file. If not I have no explanation on how tb_setup.exe gets back into the temp directory.

As far as the no - do not install box, didn't do anything at all as far as uninstall itself.

I suggest anyone that went to this site do a drive search for tb_set.exe and kill it along with an associated dll. Maybe others got a package they did not know they received.

Perry
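
A way to check for the persistence pattern described in the post above (a Run entry that launches a program from a temp directory), as an added example that is not part of the original thread. The sample reg query output is constructed; only the tb_setup name comes from the posts, and the paths and other entries are made up.

```python
import re

# Constructed sample in the layout printed by
#   reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    C:\WINDOWS\SOUNDMAN.EXE
    tb_setup    REG_SZ    "C:\DOCUME~1\user\LOCALS~1\Temp\tb_setup.exe" /q
    Updater    REG_EXPAND_SZ    %TEMP%\upd.exe
    AVTray    REG_SZ    "C:\Program Files\ExampleAV\tray.exe" -min
"""

# A value line is indented: name, type, data.
ENTRY = re.compile(r"^\s+(.+?)\s+(REG_(?:EXPAND_)?SZ)\s+(.*)$")
# Locations a legitimate autostart program has little reason to live in.
TEMP_DIR = re.compile(
    r"\\te?mp\\|%te?mp%|\\temporary internet files\\", re.IGNORECASE
)


def run_entries(text):
    """Parse value lines into (name, type, command line) tuples."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]


def suspicious(text):
    """Return Run entries whose command line points into a temp location.

    The whole command line is searched, so a temp path passed as an
    argument is flagged too and needs a manual look.
    """
    return [
        (name, data)
        for name, _type, data in run_entries(text)
        if TEMP_DIR.search(data)
    ]


if __name__ == "__main__":
    for name, data in suspicious(SAMPLE):
        print(f"review Run entry {name!r}: {data}")
```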

sasha3428

Posted: Sat Nov 29, 2003 8:34 am    Post subject: tb_setup

I've been having the same problem with this file and it seems no matter what I do it comes back. I have deleted the key and all. I also found 2 other files coming from the same location. "tb://dst.trafficsyndicate.com/dnl/general/tb_setup.cab"

if anyone has any ideas on how to get rid of this please help.

Ikeb

Posted: Sat Nov 29, 2003 5:22 pm    Post subject: Re: tb_setup

sasha3428 wrote:
I've been having the same problem with this file and it seems no matter what I do it comes back. I have deleted the key and all. I also found 2 other files coming from the same location. "tb://dst.trafficsyndicate.com/dnl/general/tb_setup.cab"

if anyone has any ideas on how to get rid of this please help.

I can tell you that the utility that attempted to install on my machine is actually a Spyware utility compliments of Gator Corp. My advice to you would be to search for an answer in the Spyware forum at this web site. If the search yields nothing, post your question there.

It appears that this is something FireTrust might want to look into. The MWP Help file links to a web site that is apparently infected with a Spyware utility. Not a good situation. Rusticdog, could you check into this?

stan_qaz

Posted: Sat Nov 29, 2003 9:52 pm

Why not grab a copy of Spybot Search and Destroy and/or LavaSoft AdAware and see if they will dig it out?

Both are good tools and free. Make sure to download the latest data updates the first time you run the program.


_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro