haggisnneeps, posted November 27, 2006

So I built my unattended installation after much trouble, strife and help from here, Ryan VM, DriverPacks etc., and after a few technical glitches it worked like a dream (technically it still does). I am now adding my apps etc. before going for what I will call "The Full Bhoona" CD creation, before throwing myself wholeheartedly at the current pain in the A*&e that is the missing ability to perform all the partition work as part of an unattended install. Anyhoo, I digress...

Thinking further down the line, I decided to do things in this order:

1) Secure my PC with AVG 7.5 (with firewall)
2) Add Windows Defender and update etc.
3) Go to the Windows Live security centre and scan from there, just to be absolutely sure: belts and braces and buckles...
4) Add secure Hosts (this slows down internet access the first time you log on)
5) Secure the HKLM restricted sites (from the MSFN forum)

So now you're all saying, well, that sounds pretty secure. I thought so (was I being naive?)

6) Install IE7 (I think this was my big mistake)
7) Install WMP11
8) Install Live Messenger
9) Go to bed for a while
10) >>>> Never got to step 10, as when I woke up AVG had found a virus, c:\op32.exe. Checking my C drive I found 3 other .exe files which shouldn't have been there: dll32.exe, devcon.exe and ntsystem.exe.

WTF??!!!?!??

All my accounts have strong passwords on them too, before you ask (and yes, they're all members of Administrators).

It's lucky that I'm about to blast it with the full bhoona image this weekend, coz I wouldn't trust it any more anyway after that.

Anyone any ideas how this could have happened and what these files are/do?

Thanks in advance
jcarle, posted November 27, 2006

Something you installed was already infected, I would suspect.
cluberti, posted November 27, 2006

Note that particular virus is pretty nasty, as it uses the alternate data stream on a folder in C: to hide itself (a real PITA to remove). I'd suggest reformatting and starting over, making sure to download all installation files necessary from another, non-infected machine, because you're not going to be plugging that new machine into any networks during the reinstall.

1. Get AVG on that box first.
2. Install applications in order, one at a time. Scan the machine after each app install, and you'll probably find the culprit.

Otherwise, it came in from the outside, or from another machine on your network. Since you probably have a decent hardware firewall/router in place, this isn't likely, but anything is possible.
haggisnneeps (author), posted November 27, 2006

Nah, it's a home network behind a (hopefully uncompromised) D-Link wireless router (I'll be resetting and re-firmwaring that tonight).

Only 3 possibilities I can think of:

1) My installation files were compromised somehow. I used a vanilla XP CD, SP2 direct from the MS site, Ryan VM files from his site, DriverPacks from DriverPacks' site and nLite to finish off and burn the DVD etc. During all of the making of the CD I had to use XP vanilla coz it kept crashing, so I guess my OS volume was very vulnerable and possibly it infected the files on my G drive (I had 5 partitions: 4 expendable and the fifth for storing all my project files and XP CD on; this was regularly scanned without incident, even after the infection was found).
2) This virus (possibly more than one) got through XP CD SP2 with all the latest patches and running Windows Defender and AVG 7.5 + firewall + secure Hosts + regfix for HKLM restricted sites.
3) IE7 or WMP 11 has a hole in it which was exploited sometime over Saturday night.

All things being equal, I'm guessing option 1, followed by option 3, and at the very outside option 2. Oh well, I'll reburn and experiment I guess (gawd, I hope it's not options 1, 2 or 3). I'll let you know how I get on.
jcarle, posted November 27, 2006

Quoting cluberti: "Note that particular virus is pretty nasty, as it uses the alternate data stream on a folder in C: to hide itself (a real PITA to remove)."

Infections of NTFS ADS shouldn't be too hard to remove if you run the Sysinternals Streams utility with the command:

streams -s -d C:\*.*

Unless I'm missing something?
cluberti, posted November 27, 2006

Most of these are rootkits, and streams won't detect it (they're hidden, and streams only shows you the ones that are not). However, I believe that gmer can find and detect ADS rootkits. Most A/V engines don't catch these yet (even at their highest levels of protection) until it's too late (or not at all, in most cases).
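The two posts above describe sweeping every stream off the volume with streams -s -d, and why a rootkit hides its streams from that tool anyway. The script below is an added example (not from the thread or from Sysinternals) that only enumerates alternate data streams, folders included, so a reviewer can look at what is there before deleting anything; it assumes Windows PowerShell 3.0 or later (Get-Item -Stream) on an NTFS volume, and the function name Find-AlternateStream is mine.

```powershell
# Added example, not from the thread: list NTFS alternate data streams under a
# path, folders included, so they can be reviewed before anything is deleted.
# Assumes Windows PowerShell 3.0 or later (Get-Item -Stream) on an NTFS volume.
# A kernel-mode rootkit that hooks directory/stream enumeration hides its
# streams from this just as it does from streams.exe; for that case, scan from
# a clean boot medium or use a rootkit detector such as the one named above.
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier is the ordinary "downloaded from the Internet" mark
        # on saved files; it is skipped unless explicitly requested.
        [switch] $IncludeZoneIdentifier
    )
    # -Force includes hidden and system entries; enumeration errors (locked
    # system files, reparse points) are suppressed rather than aborting the sweep.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # -Stream * enumerates every named stream on the file or folder.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { continue }   # the ordinary file content
            if (-not $IncludeZoneIdentifier -and $s.Stream -eq 'Zone.Identifier') { continue }
            [pscustomobject]@{
                Path     = $item.FullName
                IsFolder = $item.PSIsContainer
                Stream   = $s.Stream
                Bytes    = $s.Length
            }
        }
    }
}

# Streams attached to folders are unusual in normal use and are the hiding
# place described in the thread, so they are listed first. After review, a
# single stream can be removed with
#   Remove-Item -LiteralPath <path> -Stream <name>
# instead of wiping every stream on the volume in one pass.
Find-AlternateStream -Root 'C:\' |
    Sort-Object IsFolder, Bytes -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt so system folders are readable; a non-empty stream on a folder, or an executable-sized stream on a file that should not carry one, is what to hand to a scanner or compare against a clean install.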
jcarle, posted November 27, 2006

Thank you, Sony, for bringing around a new form of virus.