April 2nd, 2004, 01:37 AM
new files have appeared in 70 folders
I left my computer online to do updates/patches. I'm running windows XP Home Edition and use a dial-up internet connection.
This morning when I went to reboot I stumbled upon a download folder that contained a total of 83 files I'd never seen before.
All the files appear with the .doc icon, but are .exe files.
three of them are shortcuts to DOS named:
Dark Angels new DOS shortcut
Dark Angel ....etc.
I did a search and found all of these files copied into a total of 70 folders throughout my entire system. The files were all created yesterday evening shortly after I left for work.
I did a system restore (it took almost half an hour to complete....which I've never seen it do before.)
How do I recover from this? Is simply deleting all the files sufficient?
Any suggestions would be appreciated.
If you want to make God laugh....make plans.
April 2nd, 2004, 01:52 AM
Run an antivirus/anti-trojan, Spybot and Ad-Aware right now. I think your computer might have been compromised.
April 2nd, 2004, 01:53 AM
You got hit!
You need an up to date AV and a Firewall.
Try the Trend Micro "housecall" online AV scanner also the one from Panda Software.
I would also install & run Spybot Search & Destroy, and Ad-Aware from Lavasoft... run those and your resident AV in safe mode.
Download "The Cleaner" from Moosoft (30 day trial) and run that... you will have to do it from within Windows.
Remember to turn off system restore (instructions on all AV sites) and create a new restore point once you are clean.
April 2nd, 2004, 02:00 AM
re: getting hit...?
Sorry, but I have to ask to obvious question...
Is there anyone else in your living space who might have used the machine? Brother, sister, mom, son, grandpa...etc.
Also, have you checked any of the event logs, firewall logs, etc for evidence to support the compromise theory?
Without reading your reply, I personally wouldn't jump to the conclusion that your machine was compromised.
Ego is the great Logic killer
April 2nd, 2004, 02:23 AM
Have you cleaned your web browser's cache or Internet temporary files? It seems that you may have actually gone to a website prior to or during your download. They have autoloaders now. Beware, you may have Gator, a hideous adware.
First recommendation is to monitor the computer. First install a firewall. Do not use the XP built-in firewall because it is not flexible enough to see any activities. I recommend Sygate's Personal Firewall. It is free and very good. You then can monitor all the incoming and outgoing traffic. Also, run anti-virus software.
If it is a compromised machine, you will need to format the computer to make sure that trojans are not placed on your machine to access at the cracker's own choice. To format an XP Home machine, you will need to boot first from your XP CD and format as well as fdisk to confirm all files are completely gone.
And the Truth shall set you Free. Free In Deed.
April 2nd, 2004, 02:41 AM
I am calling it a "hit"(spyware/adware), rather than a "compromise" (trojan/bot) because you detected it so easily.
You must have software that detects stuff trying to phone home to be sure?
Check what starts (nice tools in Spybot S&D), your BHOs and so on... you might have had more than one fish nibbling at the bait?
April 2nd, 2004, 04:16 AM
Adaware just returned the normal data track cookies.
After updating my virus definitions and running a virus scan with Norton, I came up with a total of 5715 files infected with W32.Netsky.P@mm.
I had Norton quarantine all the infected files and a second scan is coming back clean.
Is this sufficient?
If you want to make God laugh....make plans.
April 2nd, 2004, 10:13 AM
You might also want to check out your "HKEY_LOCAL_MACHINE" "RUN" section; you may find that there are a few entries in there that are unfamiliar. (If you are not sure what you are doing with Regedit, try a regcleaner, which will allow you to make a backup of any changes so you can restore if you do the edit incorrectly.)
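The check suggested above (looking through the HKLM Run key for entries you do not recognise) can be done offline against a `reg export` of the key, which also gives you a file to keep as evidence. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It parses a small, constructed `.reg` export (the entry names and paths are invented for the example; the third and fourth entries imitate the shape of a worm's autorun, a loose executable in %WINDIR% or in a temp directory under an official-sounding name) and flags entries whose program runs from an unusual location. The location rules and the `baseline` allowlist are assumptions a practitioner would tune to the machine; they are not a product's detection logic.

```python
import re
from typing import FrozenSet, List, Tuple

# Constructed sample of what
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
# produces on an XP box. Every entry here is made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Norton AutoProtect"="\"C:\\Program Files\\Norton AntiVirus\\navapw32.exe\" /LOADQUIET"
"AV Protect"="C:\\WINDOWS\\avprotect.exe"
"Updater"="C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\upd.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"="Value" with .reg escaping (\\ for backslash, \" for quote)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Locations where a legitimate autorun program normally lives (assumption)
TRUSTED_PREFIXES = ('c:\\windows\\system32\\', 'c:\\program files\\')
# Path fragments that are a red flag for an autorun entry (assumption)
RISKY_MARKERS = ('\\temp\\', '\\documents and settings\\', '\\docume~1\\')


def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command) for each REG_SZ value in a .reg export.

    Default values (@=) and hex()/dword values are skipped: Run entries are
    plain strings, and that is all this example needs.
    """
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def image_path(command: str) -> str:
    """Best-effort extraction of the program a Run command really launches."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
        rest = cmd[end + 1:].strip() if end > 0 else ''
    else:
        m = re.match(r'(.*?\.(?:exe|com|scr|pif|bat|cmd))(?:\s+(.*))?$', cmd, re.I)
        if m:
            exe, rest = m.group(1), (m.group(2) or '')
        else:
            parts = cmd.split(None, 1)
            exe, rest = parts[0], (parts[1] if len(parts) > 1 else '')
    # rundll32 is only a host; the DLL it loads is what you want to look at
    if exe.lower().rsplit('\\', 1)[-1] == 'rundll32.exe' and rest:
        return rest.split(',', 1)[0].strip().strip('"')
    return exe


def flag_run_entries(entries, baseline: FrozenSet[str] = frozenset()):
    """Return (value_name, image_path, reason) for entries worth a closer look."""
    findings = []
    for _key, name, cmd in entries:
        if name in baseline:           # entries you have already verified
            continue
        path = image_path(cmd).lower()
        folder = path.rsplit('\\', 1)[0] + '\\' if '\\' in path else ''
        reasons = []
        if folder == 'c:\\windows\\':
            reasons.append('loose executable directly in %WINDIR%')
        if any(mk in path for mk in RISKY_MARKERS):
            reasons.append('runs from a temp or per-user directory')
        if folder and not folder.startswith(TRUSTED_PREFIXES) and not reasons:
            reasons.append('outside the usual install locations')
        if reasons:
            findings.append((name, path, '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for name, path, why in flag_run_entries(parse_reg_export(SAMPLE_REG)):
        print(f'{name!r:22} {path:50} {why}')
```

Run it against a real export by reading the file instead of `SAMPLE_REG` (exports are UTF-16 on XP, so open with `encoding='utf-16'`). Anything it flags still needs a human decision; the point is to shrink the list you have to eyeball, not to delete entries automatically.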
April 2nd, 2004, 10:36 AM
After reading a little bit about Netsky.P I have this to say: you are either using a file-sharing program (Kazaa and the like) or have not adopted good security practices.
Info on netsky.p
You probably opened an e-mail with a file attached. You then downloaded the file and attempted to view the file. This launched the virus on your machine.
Here's what you need to know: do not download any attachments from anyone, AND I MEAN ANYONE (even your mother or best friend), until you have confirmation that they sent the file.
If it wasn't picked up from an e-mail then you downloaded it from a P2P network. Be wary of any files that have the same name, but many different sizes. Also, files with 50+ people sharing should also be avoided.
Did Norton get rid of the virus? Maybe... Sometimes users need to download removal tools from Symantec/McAfee/Panda. I never really understood the whole "quarantine" thing. I guess being offline for 1 1/2 years can make you fall behind.
You are so bored that you are reading my signature?
April 2nd, 2004, 11:48 AM
Actually, you don't need to be running peer to peer to see this activity from Netsky. It searches for any folder that has the consecutive letters "shar" in its name. If it finds this then it assumes that this machine is part of a P2P network and places a folder there with a whole bunch of copies of itself with nice and juicy names like "WinXP crack.exe" in the hope that some other P2P numbskull will D/L and execute it.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides