Strange malware on "clean" WinXP install

Hello -

I am upgrading and cleaning my old desktop system. I did not have any observable problems with my old system, which ran McAfee Virus Scanner. The procedure I followed to upgrade my system was:
0) Backed up my existing files to an external harddrve and disconnected the external drive (at no point after this step did I reconnect the external drive)
1) Powered down my system
2) Replaced all of my RAM
3) Powered up my system
4) Inserted a WinXP install CD (an OEM distribution from DELL in 2003)
5) Used the WinXP setup utility to delete the old partitions on my hard drive (the system only has one drive)
6) Reformatted the drive for NTFS
7) Ran through the WinXP setup utility and installed Windows.

Once I had an operable base standalone system working, I:

1) Installed the Broadcomm drivers for my network card (off another OEM cd) -- I have a cable modem that was previously configured for DHCP
2) Restarted the computer
3) Clicked on Start > Windows Updates

Once Internet Explorer browsed to Microsoft's website and started to download critical updates for the past 3 years and WinXP SP2 (I used the express update feature), I started to receive multiple suspicous pop-ups and a few system error dialogs. The two pop-ups appeared to be advertisements. One stated my registry is corrupt and I needed to bowse to a website to download a registry cleaner. Another message indicated I needed a Win32.exe cleaner. Both dialogs appeared as application dialogs. I did not directly interact with the dialogs and instead opened the taskmgr and ended the process trees associated with each dialog. I then receieved an error message stating that my RPC service was unavailable (I also dismissed this dialog with taskmgr). I then received the following dialog pop-up (again, while the security updates are downloading and installing). I had not browsed to any other webpage or interacted with the system in a manner other than previously described.



When I went to the taskmgr, I noticed a process named "i1m3v5h2k2c1.exe," which was associated with the dialog. This process appeared to run from the following application loaded on my c:\ root directory:



Now, I cannot update my computer to SP2 since a program or service controls the ftp.exe program (which the install program downloaded from Microsoft relies upon to obtain the SP2 installation package). I assume it's this offending program.

My primary questions are i) what is it? and ii) how to get rid of it (I have scanned the registry, terminated the process tree and deleted the file)?

My secondary questions are how did it get there in the first place if I was only using a clean system and connecting directly to Microsoft's website? Are there known attacks the attempt to infect new, unprotected Windows-based machines when they attempt to contact the microsoft website for security updates?

After installing Webroot's SpySweeper, the only item found was a 2o7.exe spyware mentioned in the registry (and how did this get there since I only loaded this from a manufacturer's CD without installing anything else?).

Little help lifting the fog?

Thanks.

 

In a nutshell you went *live* on the web with an unpatched OS and no firewall active to shield it from the WWW and all thoes worms/trojans flying around.I'm surprised that you did'nt get totally hosed during your visit to update your OS.

Also if you have *messenger service* enabled you will be receiving SPAM via that service...

Best advice is to have your firewall software installed before venturing onto the web to retrieve updates/patchs etc

Your system is a honeypot for malware without it

Best to start again afresh

 

Download SP2 (back it up) and instal it after clean setup, before powering up the modem.

 

Thanks - I'll give the above a shot. Seems I underestimated the time required to compromise a system since the time between physically connecting the network card and the time I started having problems was around 20 minutes (again, only accessing the official Microsoft site to download patches). Would an SSL connection to Microsoft's website help at all (not that they'd offer one)?

I'm still a little doubtful that an attacker would be able to detect my machine on the network and successfully penetrate in so little time (I am on a wired cable modem) ... unless the attacker were a man-in-the-middle that automatically detects connection attempts to the Microsoft update site (I only say this since I have re-formatted & re-installed twice with a couple overwrites of the motherboard BIOS with the same results (before reading the above suggestions). I sincerely appreciate the advice, and I will try the above. My only remaining question is: are these exploiters really that efficient, or do I need to have a discussion with my service provider to see if their systems are compromised (since I doubt a consistent man-in-the-middle attack would be more than a few hops from me)? Are there other common intrusion methods that may explain this behavior?

(These are more questions of curiosity than anything else).

Thanks again!

 

Did you have a firewall enabled?
Some experts claim that a unpatched/unfirewalled XP install gets infected in about 10 minutes on the net.

 

No firewall or even limited TCP/IP filtering. I didn't think I needed it for so short a time. Lesson learned.

 

That's why I hate the on-line activation of winXPproSP2 sooo much, which forces me to go on-line during an off-line installation from scratch. My only weak point in creating clean archives/images.
MS still thinks that internet is a safe place.

 

I learned my lesson the hard way too. The internet is ablaze! with crawling viruses and many other threats preprogrammed to identify and zero right in on open targets almost immediately upon "connected". I took that chance once after a fresh install that i could get to my firewall site and install before any problems arose and proceeded to open the door to a mess of droppers and such that woke me from my slumber. I can't explain how in the world malware is laced all over the HTTP like it is, but it is and it's there. Without at least a firewall, your computer is a MAGNET.

 

wsf, you were hit rather quickly. Over the years I have read several reports that an unpatched XP w/out a firewall that is connected to the internet will be infected in less than 30 minutes.

I would highly recommend an inexpensive cable/dsl router for $20-30 which will act as an incoming hardware firewall (among other things). Here are some suggestions that you can do now since you have an active internet connection:

1) Download the XP SP2 offline network install package

2) Download Autopatcher XP Full

3) Download all of the current drivers

Next time you reinstall XP:

1) Unplug your ethernet cable
2) Install XP
3) Install SP2
4) Install Autopatcher XP
5) Enable the XP Firewall
6) Install your other drivers
7) Install your Antivirus
Activate Windows (if necessary)

Now you can go to Windows Update for the rest of the goodies.

 

Hello,

Things are very simple.

Install Windows. Install your firewall (from a CD you keep in a drawer).
Connect to the net. Download Firefox.
Optional - download windows updates.
End of story.

Mrk

 

Many thanks for all who have replied. I'll give the above a shot as soon as work slows. If all else fails, I'll stop splitting my time between Windows- and Linux-based systems and go to Linux exclusively.

 

I think a part of the install problem is that a lot of software is now installed from a direct download from a website instead of a CD or floppy disk which is how it was done back in the 1980's. But even with those, it is still not foolproof. I still have 5.25 inch floppies that contain viruses (such as the marijuana or "stoned" virus) as a keepsake.

 

Heres a way to activate windows xp without having to go online 'IF' you are REinstalling windows xp on the same system.

http://sniptools.com/tipstricks/reinstall-windows-xp-without-product-activation

 

Thats why i have a handy little app to help me activate windows without having to go online, no weak points in my creation process

 

Hello,
What I meant is anyone should have a CD full of goodies, kept aside, including not only firewall, but all and every program they like. And occasionally update this collection.
Mrk

 

the easy way of installing windows updates safely is to buy a cheap firewalled router.
this way you will be protected while you download the updates.
it works perfectly.
i used this setup for my neighbours laptop.
setup the firewalled router then installed the updates.
then installed and updated the secuirty software.
lodore

 

Well said! I have usb memory stick with all my favourite security programs and other programs i might need if i need to do a fresh install.

Kristian

 

My 2GB memory stick fell out of my pocket the other day and I lost it! Not much you can do about that. I got another free at a security show to replace it, but I now password protect the zip files on it. I also attached it to my house and car keyring, so if I lose it again, I'll be properly stuffed! Eventually, we'll have USB stick brain implants so if you lose it, you also lose your marbles!

 

ROFLMAO

 

The survival time of an unprotected system is around 6 minutes now.
http://isc.sans.org/survivaltime.html

Here's a guide from the Sans institute titled, "Windows XP: Surviving the First Day".
http://www.sans.org/reading_room/whitepapers/windows/1298.php