Strange malware on "clean" WinXP install

Discussion in 'malware problems & news' started by wsf, May 8, 2007.

Thread Status:
Not open for further replies.
  1. wsf

    wsf Registered Member

    Joined:
    May 8, 2007
    Posts:
    4
    Hello -

    I am upgrading and cleaning my old desktop system. I did not have any observable problems with my old system, which ran McAfee Virus Scanner. The procedure I followed to upgrade my system was:
    0) Backed up my existing files to an external hard drive and disconnected the external drive (at no point after this step did I reconnect the external drive)
    1) Powered down my system
    2) Replaced all of my RAM
    3) Powered up my system
    4) Inserted a WinXP install CD (an OEM distribution from DELL in 2003)
    5) Used the WinXP setup utility to delete the old partitions on my hard drive (the system only has one drive)
    6) Reformatted the drive for NTFS
    7) Ran through the WinXP setup utility and installed Windows.

    Once I had an operable base standalone system working, I:

    1) Installed the Broadcom drivers for my network card (off another OEM CD) -- I have a cable modem that was previously configured for DHCP
    2) Restarted the computer
    3) Clicked on Start > Windows Updates

    Once Internet Explorer browsed to Microsoft's website and started to download critical updates for the past 3 years and WinXP SP2 (I used the express update feature), I started to receive multiple suspicious pop-ups and a few system error dialogs. The two pop-ups appeared to be advertisements. One stated my registry is corrupt and I needed to browse to a website to download a registry cleaner. Another message indicated I needed a Win32.exe cleaner. Both dialogs appeared as application dialogs. I did not directly interact with the dialogs and instead opened the taskmgr and ended the process trees associated with each dialog. I then received an error message stating that my RPC service was unavailable (I also dismissed this dialog with taskmgr). I then received the following dialog pop-up (again, while the security updates are downloading and installing). I had not browsed to any other webpage or interacted with the system in a manner other than previously described.

    [attachment: dialog_pic.JPG]

    When I went to the taskmgr, I noticed a process named "i1m3v5h2k2c1.exe," which was associated with the dialog. This process appeared to run from the following application loaded on my c:\ root directory:

    [attachment: icon_pic.JPG]

    Now, I cannot update my computer to SP2 since a program or service controls the ftp.exe program (which the install program downloaded from Microsoft relies upon to obtain the SP2 installation package). I assume it's this offending program.

    My primary questions are i) what is it? and ii) how to get rid of it (I have scanned the registry, terminated the process tree and deleted the file)?

    My secondary questions are: how did it get there in the first place if I was only using a clean system and connecting directly to Microsoft's website? Are there known attacks that attempt to infect new, unprotected Windows-based machines when they attempt to contact the Microsoft website for security updates?

    After installing Webroot's SpySweeper, the only item found was a 2o7.exe spyware mentioned in the registry (and how did this get there, since I only loaded this from a manufacturer's CD without installing anything else?).

    Little help lifting the fog?

    Thanks.
     
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    In a nutshell, you went *live* on the web with an unpatched OS and no firewall active to shield it from the WWW and all those worms/trojans flying around. I'm surprised that you didn't get totally hosed during your visit to update your OS.

    Also if you have *messenger service* enabled you will be receiving SPAM via that service...

    Best advice is to have your firewall software installed before venturing onto the web to retrieve updates/patches etc.

    Your system is a honeypot for malware without it;)

    Best to start again afresh:thumb:
     
    Last edited: May 8, 2007
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Download SP2 (back it up) and install it after clean setup, before powering up the modem.
     
  4. wsf

    wsf Registered Member

    Joined:
    May 8, 2007
    Posts:
    4
    Thanks - I'll give the above a shot. Seems I underestimated the time required to compromise a system since the time between physically connecting the network card and the time I started having problems was around 20 minutes (again, only accessing the official Microsoft site to download patches). Would an SSL connection to Microsoft's website help at all (not that they'd offer one)?

    I'm still a little doubtful that an attacker would be able to detect my machine on the network and successfully penetrate it in so little time (I am on a wired cable modem) ... unless the attacker were a man-in-the-middle that automatically detects connection attempts to the Microsoft update site. (I only say this since I have re-formatted & re-installed twice, with a couple of overwrites of the motherboard BIOS, with the same results, before reading the above suggestions.) I sincerely appreciate the advice, and I will try the above. My only remaining question is: are these exploiters really that efficient, or do I need to have a discussion with my service provider to see if their systems are compromised (since I doubt a consistent man-in-the-middle attack would be more than a few hops from me)? Are there other common intrusion methods that may explain this behavior?

    (These are more questions of curiosity than anything else).

    Thanks again!
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Did you have a firewall enabled?
    Some experts claim that an unpatched/unfirewalled XP install gets infected in about 10 minutes on the net.
     
  6. wsf

    wsf Registered Member

    Joined:
    May 8, 2007
    Posts:
    4
    No firewall or even limited TCP/IP filtering. I didn't think I needed it for so short a time. Lesson learned.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's why I hate the on-line activation of winXPproSP2 sooo much, which forces me to go on-line during an off-line installation from scratch. My only weak point in creating clean archives/images.
    MS still thinks that internet is a safe place. :rolleyes:
     
  8. EASTER.2010

    EASTER.2010 Guest

    I learned my lesson the hard way too. The internet is ablaze with crawling viruses and many other threats preprogrammed to identify and zero right in on open targets almost immediately upon being "connected". I took that chance once after a fresh install, that I could get to my firewall site and install before any problems arose, and proceeded to open the door to a mess of droppers and such that woke me from my slumber. I can't explain how in the world malware is laced all over the HTTP like it is, but it is and it's there. Without at least a firewall, your computer is a MAGNET. :ouch:
     
  9. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    wsf, you were hit rather quickly. Over the years I have read several reports that an unpatched XP w/out a firewall that is connected to the internet will be infected in less than 30 minutes.

    I would highly recommend an inexpensive cable/dsl router for $20-30 which will act as an incoming hardware firewall (among other things). Here are some suggestions that you can do now since you have an active internet connection:

    1) Download the XP SP2 offline network install package

    2) Download Autopatcher XP Full

    3) Download all of the current drivers

    Next time you reinstall XP:

    1) Unplug your ethernet cable
    2) Install XP
    3) Install SP2
    4) Install Autopatcher XP
    5) Enable the XP Firewall
    6) Install your other drivers
    7) Install your Antivirus
    8) Activate Windows (if necessary)

    Now you can go to Windows Update for the rest of the goodies. :D
     
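    The reinstall sequence above, together with fcukdat's advice in post 2 (firewall up and the Messenger service off before the cable goes back in), written out as one batch file. This is an added editorial example, not something posted by anyone in the thread. It assumes the SP2 offline package from step 3 has already been applied (the `netsh firewall` context does not exist on the original XP/SP1 CD, where the Internet Connection Firewall is switched on per adapter from the connection's Advanced tab) and that it is run from an administrator account while the Ethernet cable is still unplugged.

```batch
@echo off
rem Added example, not from the thread. Pre-connection lockdown for a freshly
rem installed XP SP2 box, to be run BEFORE the network cable is plugged in.
rem Assumptions: XP SP2 or later (so the "netsh firewall" context exists) and an
rem administrator account.

rem --- Messenger service: the "net send" spam pop-ups arrive through it and a
rem     home machine has no use for it, so stop it and keep it from starting.
sc stop Messenger
sc config Messenger start= disabled

rem --- Windows Firewall: on for every profile, with no exceptions, so file
rem     sharing, RPC and friends are not reachable from the outside. Outbound
rem     connections (Windows Update, the AV installer download) still work.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

rem --- Show the result before plugging in: "Operational mode = Enable" and
rem     "Exception mode = Disable" are what you want to see, and the netstat
rem     line shows what the firewall now has to shield (135, 445 and so on
rem     keep listening because the services run; they are just not reachable).
netsh firewall show state
netstat -an | find "LISTENING"
```

The order matters: the firewall is on before the first packet arrives, so the only traffic the box exchanges is what it initiates itself towards Windows Update. The router suggestion in the same post adds a second layer in front of this, but it does not replace the host firewall on a laptop that will later be used on other networks.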
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Things are very simple.

    Install Windows. Install your firewall (from a CD you keep in a drawer).
    Connect to the net. Download Firefox.
    Optional - download windows updates.
    End of story.

    Mrk
     
  11. wsf

    wsf Registered Member

    Joined:
    May 8, 2007
    Posts:
    4
    Many thanks for all who have replied. I'll give the above a shot as soon as work slows. If all else fails, I'll stop splitting my time between Windows- and Linux-based systems and go to Linux exclusively. ;)
     
  12. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I think a part of the install problem is that a lot of software is now installed from a direct download from a website instead of a CD or floppy disk which is how it was done back in the 1980's. But even with those, it is still not foolproof. I still have 5.25 inch floppies that contain viruses (such as the marijuana or "stoned" virus) as a keepsake. :cool:
     
  14. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    That's why I have a handy little app to help me activate Windows without having to go online, no weak points in my creation process :p
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    What I meant is anyone should have a CD full of goodies, kept aside, including not only firewall, but all and every program they like. And occasionally update this collection.
    Mrk
     
  16. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    The easy way of installing Windows updates safely is to buy a cheap firewalled router.
    This way you will be protected while you download the updates.
    It works perfectly.
    I used this setup for my neighbour's laptop.
    Set up the firewalled router, then installed the updates.
    Then installed and updated the security software.
    lodore
     
  17. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
    Well said! I have a USB memory stick with all my favourite security programs and other programs I might need if I need to do a fresh install.

    Kristian
     
  18. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    My 2GB memory stick fell out of my pocket the other day and I lost it! Not much you can do about that. I got another free at a security show to replace it, but I now password protect the zip files on it. I also attached it to my house and car keyring, so if I lose it again, I'll be properly stuffed! Eventually, we'll have USB stick brain implants so if you lose it, you also lose your marbles! :) :eek: :D ;)
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    ROFLMAO :eek: :D
     
  20. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country