
Thread: new files have appeared in 70 folders

  1. #1 Senior Member, Join Date Mar 2002, Location Snohomish WA, Posts 315

    new files have appeared in 70 folders

    I left my computer online to do updates/patches. I'm running Windows XP Home Edition and use a dial-up internet connection.
    This morning when I went to reboot I stumbled upon a download folder that contained a total of 83 files I'd never seen before.
    All the files appear with the .doc icon, but are .exe files.
    Names are:
    Atkins Diet.doc.exe
    Britney Spears.pic.exe
    Adobe photoshop.exe
    etc.......
    Three of them are shortcuts to DOS named:
    Dark Angels new DOS shortcut
    Dark Angel ....etc.

    I did a search and found all of these files copied into a total of 70 folders throughout my entire system. The files were all created yesterday evening shortly after I left for work.
    I did a system restore (it took almost half an hour to complete....which I've never seen it do before.)

    How do I recover from this? Is simply deleting all the files sufficient?

    Any suggestions would be appreciated.
    Faqt


    If you want to make God laugh....make plans.

  2. #2 Cybr1d (HeadShot Master N1nja), Join Date Jul 2003, Location Boston, MA, Posts 1,840
    Run an antivirus/anti-trojan, Spybot and Adaware right now. I think your computer might have been compromised.

  3. #3 nihil (Senior Member), Join Date Jul 2003, Location United Kingdom: Bridlington, Posts 17,188
    You got hit!

    You need an up to date AV and a Firewall.

    Try the Trend Micro "housecall" online AV scanner also the one from Panda Software.

    I would also install & run Spybot Search & Destroy, and AdAware from Lavasoft...........run those and your resident AV in safe mode.

    Download "The Cleaner" from Moosoft (30 day trial) and run that..........you will have to do it from within Windows.

    Remember to turn off system restore (instructions on all AV sites) and create a new restore point once you are clean.

    Good luck

  4. #4 Senior Member, Join Date Feb 2004, Posts 105

    re: getting hit...?

    Sorry, but I have to ask the obvious question...

    Is there anyone else in your living space who might have used the machine? Brother, sister, mom, son, grandpa...etc.

    Also, have you checked any of the event logs, firewall logs, etc. for evidence to support the compromise theory?

    Without reading your reply, I personally wouldn't jump to the conclusion that your machine was compromised.


    Cheers,
    <0
    Ego is the great Logic killer

  5. #5 Junior Member, Join Date Dec 2003, Posts 4
    Have you cleaned your web browser's cache or Internet temporary files? It seems that you may have actually gone to a website prior to or during your download. They have autoloaders now. Beware, you may have Gator, a hideous adware.

    First recommendation is to monitor the computer. First install a firewall. Do not use the XP built-in firewall because it is not flexible enough to see any activities. I recommend Sygate's Personal Firewall. It is free and very good. You then can monitor all the incoming and outgoing traffic. Also, run an anti-virus software.

    If it is a compromised machine, you will need to format the computer to make sure that trojans are not placed on your machine to access at the cracker's own choice. To format an XP Home machine, you will need to boot first from your XP CD and format as well as fdisk to confirm all files are completely gone.
    Info
    And the Truth shall set you Free. Free In Deed.

  6. #6 nihil (Senior Member), Join Date Jul 2003, Location United Kingdom: Bridlington, Posts 17,188
    I am calling it a "hit"(spyware/adware), rather than a "compromise" (trojan/bot) because you detected it so easily.

    You must have software that detects stuff trying to phone home to be sure?

    Check what starts (nice tools in Spybot S&D), your BHOs and so on..............you might have had more than one fish nibbling at the bait?

    Good luck

  7. #7 Senior Member, Join Date Mar 2002, Location Snohomish WA, Posts 315
    Adaware just returned the normal data-tracking cookies.
    After updating my virus definitions and running a virus scan with Norton...I came up with a total of 5715 files infected with W32.Netsky.P@mm.
    I had Norton quarantine all the infected files and a second scan is coming back clean.
    Is this sufficient?
    Faqt


    If you want to make God laugh....make plans.

  8. #8 Junior Member, Join Date Mar 2003, Posts 10
    You might also want to check out your "HKEY_LOCAL_MACHINE" "Run" section; you may find that there are a few entries in there that are unfamiliar. (If you are not sure what you are doing with Regedit, try a regcleaner, which will allow you to make a backup of any changes so you can restore if you do the edit incorrectly.)
    Lack Of Planning on your part Does NOT constitute an EMERGENCY on mine !!!!!!!!!!!

  9. #9
    After reading a little bit about Netsky.P I have this to say: you are either using a file-sharing program (Kazaa and the like) or have not adopted good security practices.

    http://www.sarc.com/avcenter/venc/da...tsky.p@mm.html
    Info on netsky.p

    You probably opened an e-mail with a file attached. You then downloaded the file and attempted to view the file. This launched the virus on your machine.

    Here's what you need to know: do not download any attachments from anyone AND I MEAN ANYONE (even your mother or best friend) until you have confirmation that they sent the file.

    If it wasn't picked up from an e-mail then you downloaded it from a P2P network. Be wary of any files that have the same name, but many different sizes. Also, files with 50+ people sharing should also be avoided.

    Did Norton get rid of the virus? Maybe... Sometimes users need to download removal tools from Symantec/McAfee/Panda. I never really understood the whole "Quarantine" thing. I guess being offline for 1 1/2 years can make you fall behind.
    You are so bored that you are reading my signature?

  10. #10 AO Ancient: Team Leader, Join Date Oct 2002, Posts 5,197
    Actually, you don't need to be running peer to peer to see this activity from Netsky. It searches for any folder that has the consecutive letters "shar" in its name. If it finds this then it assumes that this machine is part of a P2P network and places a folder there with a whole bunch of copies of itself, nice and juicily named like "WinXP crack.exe", in the hope that some other P2P numbskull will D/L and execute it.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
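A defender-side check for the drop pattern described in post #10, using the file names reported in post #1 (added example, not code from the thread or from any AV vendor; the folder layout and file names it builds are constructed sample data):

```python
"""Scan a directory tree for executables hiding behind a document-style double
extension (e.g. 'Atkins Diet.doc.exe') dropped into folders whose names contain
'shar'.  Added example; the sample tree is constructed, not a real machine."""
import os
import re
import tempfile

# Lure extension immediately followed by an executable one.  .doc and .pic come
# from the thread's file names; the other lure extensions generalise the trick.
DOUBLE_EXT = re.compile(r"\.(doc|pic|jpg|txt|pdf|zip)\.(exe|scr|pif|com)$", re.I)
SHARE_HINT = "shar"   # post #10: the worm keys on 'shar' in a folder name


def is_deceptive_exe(name: str) -> bool:
    """True when a filename shows a document extension but ends in an executable one."""
    return DOUBLE_EXT.search(name) is not None


def find_suspicious_drops(root: str) -> list:
    """Return (folder, filename, folder_looks_shared) for every deceptive
    executable under root.  Single-extension lures such as 'Adobe photoshop.exe'
    are NOT caught by this name heuristic; that is what the AV signature is for."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        share_like = SHARE_HINT in os.path.basename(dirpath).lower()
        for fname in sorted(files):
            if is_deceptive_exe(fname):
                hits.append((dirpath, fname, share_like))
    return hits


def build_sample_tree() -> str:
    """Constructed layout mimicking the report: a share-like folder seeded with
    double-extension executables beside an ordinary documents folder."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "My Shared Folder")
    docs = os.path.join(root, "My Documents")
    os.makedirs(shared)
    os.makedirs(docs)
    for name in ("Atkins Diet.doc.exe", "Britney Spears.pic.exe", "readme.txt"):
        open(os.path.join(shared, name), "w").close()
    for name in ("budget.doc", "Adobe photoshop.exe"):
        open(os.path.join(docs, name), "w").close()
    return root


if __name__ == "__main__":
    for folder, fname, share_like in find_suspicious_drops(build_sample_tree()):
        print("SHARE" if share_like else "other", os.path.join(folder, fname))
```

Run against a real drive root, the `share_like` flag separates the worm's seeded share folders from stray double-extension files elsewhere, which is the triage split the thread argues about (spyware "hit" versus mass-mailer infection).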
