
Rather annoying......



So I built my unattended installation after much trouble, strife and help from here, Ryan VM, driverpacks etc., and after a few technical glitches it worked like a dream (technically it still does).

I am now adding my apps etc. before going for what I will call "The Full Bhoona" CD creation, before throwing myself wholeheartedly at the current pain in the A*&e that is the missing ability to perform all the partition work as part of an unattended install. Anyhoo, I digress...

Thinking further down the line, I decided to do things in this order:

1) Secure my PC with AVG 7.5 (with firewall)

2) Add Windows Defender and update etc.

3) Go to Windows Live Security Centre and scan from there, just to be absolutely sure: belts and braces and buckles...

4) Secure hosts file added (this slows down internet access the first time you log on)

5) Secure the HKLM restricted sites (from the MSFN forum)

So now you're all saying: well, that sounds pretty secure. I thought so (was I being naive?)

6) Install IE7 (I think this was my big mistake)

7) Install WMP11

8) Install Live Messenger

9) Go to bed for a while

10) Never got to step 10, as when I woke up AVG had found a virus, c:\op32.exe. Checking my C drive, I found three other .exe files which shouldn't have been there: dll32.exe, devcon.exe and ntsystem.exe.

WTF??!!!?!??

All my accounts have strong passwords on them too, before you ask (and yes, they're all members of Administrators :blushing: )

It's lucky that I'm about to blast it with the full bhoona image this weekend, because I wouldn't trust it any more anyway after that.

Anyone have any ideas how this could have happened and what these files are/do?

Thanks in advance



Note that particular virus is pretty nasty, as it uses the alternate data stream on a folder in C: to hide itself (a real PITA to remove). I'd suggest reformatting and starting over, making sure to download all installation files necessary from another, noninfected machine, because you're not going to be plugging that new machine into any networks during the reinstall.

1. Get AVG on that box first.

2. Install applications in order, one at a time. Scan the machine after each app install, and you'll probably find the culprit.

Otherwise, it came in from the outside, or from another machine on your network. Since you probably have a decent hardware firewall/router in place, this isn't likely, but anything is possible.


Nah, it's a home network behind a (hopefully uncompromised) D-Link wireless router (I'll be resetting and re-firmwaring that tonight).

Only three possibilities I can think of:

1) My installation files were compromised somehow. I used a vanilla XP CD, SP2 direct from the MS site, Ryan VM files from his site, driverpacks from driverpacks' site, and nLite to finish off and burn the DVD etc. During all of the making of the CD I had to use XP vanilla because it kept crashing, so I guess my OS volume was very vulnerable and possibly it infected the files on my G drive (I had 5 partitions: 4 expendable and the fifth for storing all my project files and the XP CD on; this was regularly scanned without incident, even after the infection was found).

2) This virus (possibly more than one) got through XP CD SP2 with all the latest patches and running Windows Defender and AVG 7.5 + firewall + secure hosts + regfix for HKLM restricted sites.

3) IE7 or WMP11 has a hole in it which was exploited sometime over Saturday night.

All things being equal, I'm guessing option 1, followed by option 3, and at the very outside option 2 :}

Oh well, I'll reburn and experiment, I guess (gawd, I hope it's not options 1, 2 or 3 :no: )

I'll let you know how I get on.

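The reply above recommends downloading every installation file on a clean machine, and the post after it worries that the XP CD build files on the G drive were themselves infected. One check that settles that question is a hash manifest: build it on the trusted machine, copy it with the files, and verify before anything is run. The script below is an added example, not from the thread or from any tool it names. It assumes PowerShell 4.0 or later (Get-FileHash) and the placeholder paths G:\xpcd and G:\xpcd\manifest.sha256; substitute your own.

```powershell
# Added example, not from the thread. Build a SHA-256 manifest of the
# installer files on a machine you trust (-Mode Build), then verify the
# copies on the rebuilt box against it (-Mode Verify) before running any
# of them. Assumes PowerShell 4.0+ for Get-FileHash. Paths are placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('Build', 'Verify')][string]$Mode,
    [string]$Root = 'G:\xpcd',
    [string]$Manifest = 'G:\xpcd\manifest.sha256'
)

# Absolute path of the manifest so it is never hashed into itself.
# GetFullPath works even when the file does not exist yet (Build mode).
$manifestFull = [System.IO.Path]::GetFullPath($Manifest)

function Get-RelativeHashes([string]$Base) {
    $prefixLen = $Base.TrimEnd('\').Length + 1
    Get-ChildItem -LiteralPath $Base -Recurse -File -Force |
        Where-Object { $_.FullName -ne $manifestFull } |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName.Substring($prefixLen)
                Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Mode -eq 'Build') {
    # One "HASH  relative\path" line per file, ASCII so it survives any copy.
    Get-RelativeHashes $Root |
        ForEach-Object { "$($_.Hash)  $($_.Path)" } |
        Set-Content -LiteralPath $Manifest -Encoding ASCII
    "Wrote manifest: $manifestFull"
    return
}

# Verify: every manifest entry must exist with the same hash, and no file
# that is not in the manifest (e.g. a dropped .exe) may have appeared.
$expected = @{}
Get-Content -LiteralPath $Manifest | ForEach-Object {
    $hash, $rel = $_ -split '  ', 2
    $expected[$rel] = $hash
}

$seen = @{}
$bad = 0
foreach ($f in Get-RelativeHashes $Root) {
    $seen[$f.Path] = $true
    if (-not $expected.ContainsKey($f.Path)) { "EXTRA    $($f.Path)"; $bad++ }
    elseif ($expected[$f.Path] -ne $f.Hash)  { "MODIFIED $($f.Path)"; $bad++ }
}
foreach ($rel in $expected.Keys) {
    if (-not $seen.ContainsKey($rel)) { "MISSING  $rel"; $bad++ }
}

if ($bad -eq 0) { "OK: $($expected.Count) files match the manifest" }
else { "FAILED: $bad problem(s)"; exit 1 }
```

Run `.\Check-Installers.ps1 -Mode Build` on the clean machine and `.\Check-Installers.ps1 -Mode Verify` on the target before installing anything. The manifest only proves the copies match what the clean machine had; it says nothing about whether the downloads were good in the first place, so still compare the vendor-published hashes where they exist (Microsoft publishes them for SP2).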

Note that particular virus is pretty nasty, as it uses the alternate data stream on a folder in C: to hide itself (a real PITA to remove).

Infections of NTFS ADS shouldn't be too hard to remove if you run the Sysinternals Streams utility with the command: streams -s -d C:\*.*

Unless I'm missing something?


Most of these are rootkits, and streams won't detect them (they're hidden, and streams only shows you the ones that are not). However, I believe that gmer can find and detect ADS rootkits. Most A/V engines don't catch these yet (even at their highest levels of protection) until it's too late (or not at all, in most cases).

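The two replies above disagree only about where the enumeration is done: `streams -s -d C:\*.*` works on streams the running kernel is willing to show, and a rootkit on the live box can hide them. The script below is an added example, not from the thread or from Sysinternals, that does the same enumeration with PowerShell's own -Stream parameters, reports the directory streams the thread says this sample hides in, and skips the benign Zone.Identifier marker that `streams -d` would otherwise delete along with everything else. It assumes PowerShell 3.0 or later, that the suspect disk is mounted under a placeholder -Root of D:\ from a known-clean boot (WinPE or another install), and that Get-Item -Stream is accepted on directories as well as files.

```powershell
# Added example (not from the thread): list NTFS alternate data streams under
# a path, report anything other than the default ::$DATA stream and the
# common Zone.Identifier download marker, and optionally delete what it finds.
# Assumes PowerShell 3.0+ for -Stream. Boot a known-clean OS and point -Root
# at the suspect disk: Get-Item -Stream relies on the same user-mode stream
# enumeration a kernel rootkit hooks, so output from the infected box itself
# cannot be trusted (the point made in the last reply above).
param(
    [string]$Root = 'D:\',
    [switch]$Remove
)

# Streams that are normally benign; anything else gets reported.
$knownBenign = @(':$DATA', 'Zone.Identifier')

# Include the root itself, then everything below it, hidden and system
# entries included. The sample in the thread lives in a stream on a folder,
# so directories are checked exactly like files.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        if ($knownBenign -contains $s.Stream) { continue }

        # One record per suspicious stream; pipe the script to Export-Csv to
        # keep the evidence before removing anything.
        [pscustomobject]@{
            Path   = $item.FullName
            Stream = $s.Stream
            Bytes  = $s.Length
        }

        if ($Remove) {
            Remove-Item -LiteralPath $item.FullName -Stream $s.Stream -Force
        }
    }
}
```

Run it first without -Remove and save the output (`.\Find-Ads.ps1 -Root D:\ | Export-Csv ads.csv`); a stream containing a PE image on a folder, or on a file that has no business carrying one, is what to look for. Removing the stream only takes away the payload's hiding place, not whatever loads it at boot, which is why the reformat the second reply recommends is still the safe ending.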
