2cpus4me
February 29th, 2004, 11:46 PM
Here's the scenario:
15:56:30 [Radius Update] Database already up-to-date - transfer aborted.
17:23:01 [ExecProt] WARNING: e:\_downloads\utils\john-16w\john-16\run\john.exe has been blocked from executing
I apparently didn't notice the warning and nothing popped up on my screen. Next thing you know, there are new icons on the desktop that looked fishy. One was called Deploy.exe and I immediately deleted them suspecting they were hostile, and things began to go downhill from there.
I launched a full virus scan and it finds no virus, but does flag some odd things in the log like boot sector 1 and 2 unreadable and a number of files in the windows\temp directory are unreadable (oh, oh). A full TDS-3 scan shows a $hitload of Trojan trace files in the alarm section, most in the windows\temp directory and some messages like please submit these in the TDS-3 status window... (double oh, oh)
Being new to TDS-3, I panicked and started yanking network cables out of the hub to prevent other workstation infections via shared drives.
I tried to open the windows\temp directory but it says it didn't exist (yea, right). Next got a weird Firewall message like 'you don't have permissions to...' Quickly I check the firewall (Blackice) and to my horror find out it has been disabled to allow all inbound traffic :(
Quickly realizing I am in deep $hit, I rebooted, went to recovery console and rewrote the boot sectors with the command line utility, and while I was there I purged the nasty windows\temp directory of 5 or 6 hostile folders. Logged back in, relaunched a full virus scan, reinstalled the Blackice firewall (I also have a hardware firewall). TDS-3 found the file listed at the top as a trojan and I submitted it.
When the virus scan finished, it flagged an error in the log saying can't find Deploy.exe. I searched for this file and it doesn't exist on physical drives. Search of the registry found an entry listed in the Virus Scanner registry section (oh, oh). Went back and looked at the virus scanner configuration and the dang thing had inserted itself into the virus scanner settings as an excluded file. I was worried up to this point, but now I am in paranoia mode.
I have run Pestpatrol, Ad-Aware, Spy-bot, TDS-3, multiple full system virus scans, as well as having worm-guard resident in addition to a basic hardware firewall in the router. I think I contained the immediate threat, but holy $hit, it took out my firewall and inserted an entry into the virus scanner config. That's pretty sophisticated IMHO, and now I don't trust my system.
Also, TDS-3 has no entries in the logs for all those Trojan traces that it found initially (the ones that I didn't submit when I panicked and rebooted at first). Where did those go? Lost in the reboot?
Any advice? I thought running a hardware and software firewall along with TDS-3, Wormguard, PestPatrol, and Spy-Bot resident backed with the NOD32 virus scanner would keep me safe...
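Two things in this post are worth automating on the defender's side: the ExecProt warning that scrolled past unnoticed, and the scanner exclusion entry that appeared without the owner adding it. The Python script below is an added example, not code from the original post or from any of the products named in it. It parses log lines in the shape of the two quoted above (that "time [Component] message" layout is assumed from those lines, not taken from any product documentation), lists the executables ExecProt reports as blocked, and compares a scanner exclusion list against a known-good baseline so that a silently added entry stands out. The third log line and both exclusion lists are constructed sample data; where a real scanner stores its exclusions is product-specific and not shown in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two lines quoted in the post plus one benign line
# of the same shape. The layout is assumed from those two lines only.
SAMPLE_LOG = """\
15:56:30 [Radius Update] Database already up-to-date - transfer aborted.
17:23:01 [ExecProt] WARNING: e:\\_downloads\\utils\\john-16w\\john-16\\run\\john.exe has been blocked from executing
17:25:10 [ExecProt] Scan complete.
"""

# "HH:MM:SS [Component] free-text message" (assumed layout)
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) \[(?P<component>[^\]]+)\] (?P<message>.*)$")
# The blocked-execution message as it appears in the post
BLOCKED_RE = re.compile(r"^WARNING: (?P<path>.+?) has been blocked from executing$")


@dataclass
class LogEvent:
    time: str
    component: str
    message: str

    def blocked_path(self):
        """Path of the blocked executable, or None if this is not such an event."""
        if self.component != "ExecProt":
            return None
        m = BLOCKED_RE.match(self.message)
        return m.group("path") if m else None


def parse_log(text):
    """Parse every line that matches the assumed layout; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LogEvent(**m.groupdict()))
    return events


def blocked_executables(text):
    """All paths that ExecProt reported as blocked, in log order."""
    return [p for p in (ev.blocked_path() for ev in parse_log(text)) if p]


# Constructed: exclusions recorded when the scanner was set up (baseline) and
# the list read back after the incident. Paths are illustrative only.
BASELINE_EXCLUSIONS = {r"c:\backups\archive.bak"}
CURRENT_EXCLUSIONS = {r"c:\backups\archive.bak", r"c:\windows\temp\deploy.exe"}


def unexpected_exclusions(baseline, current):
    """Excluded paths not present in the approved baseline (case-insensitive)."""
    norm = lambda paths: {p.lower() for p in paths}
    return sorted(norm(current) - norm(baseline))


if __name__ == "__main__":
    for path in blocked_executables(SAMPLE_LOG):
        print(f"ALERT: execution blocked for {path}")
    for path in unexpected_exclusions(BASELINE_EXCLUSIONS, CURRENT_EXCLUSIONS):
        print(f"ALERT: scanner exclusion not in baseline: {path}")
```

The baseline comparison is the useful half: an exclusion list only protects you if you know what is supposed to be on it, so record it when the scanner is configured and diff it after any incident or on a schedule.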