Virus attacks on new PC 4

Status
Not open for further replies.

kwunder

Technical User
Jun 2, 2001
860
GB
Hi,
Just unpacked my brand new laptop. Installed my ADSL modem and ISP software. Then installed Norton Anti Virus and went on to download the latest virus definitions. Then BANG. I get a virus while the latest definitions are downloading (W32 Sasser). Downloaded the Sasser removal tool from Symantec and it deleted it, then BANG AGAIN Norton tells me it's found BLOODHOUND PACKED and it says it can't fix it. I then get repeated Messenger Service messages directing me to various sites including porn sites. Then BANG AGAIN another virus is found that can't be fixed. I ran the system recovery CDs and reinstalled to factory spec and tried again. The same has happened. How can I stop this invasion? I have got the latest definitions downloaded and installed before the latter of these attacks happen.
What should I do ?

Thanks !
 
Have you tried enabling Internet connection firewall (or installing a third party software firewall) product on your ISP connection before going online?

To enable ICF, go to Start -> Network and Dialup connections -> your connection -> Right click -> properties -> advanced and tick the appropriate box.

John
 
Hi John. Will do that now. I also have McAfee Firewall so I'll install that too.
Just did as Symantec advised :-
Restarted in safe mode and did a full scan.
7 viruses were found and none could be repaired. They were:-

W32.sasser.E.worm (two files affected)
W32.korgo.f
Bloodhound Packed
W32.randex.gen (three files affected)

It recommended that I quarantine all 7 files so I did, then went in and deleted them from there.

I'll try your suggestion now.......
 
If you are using XP, you must disable system restore before doing any sort of antivirus removal or clearup because otherwise XP will just reinstate them at the next reboot.

Look at the FAQs in the Virus/Spyware discussion forum for more information about why this is.

John
 
Yes. I have turned OFF system restore.
Thanks John
 
As you only just started you won't lose too much by reverting yet again to a clean factory condition. This time have one firewall protecting you (not two).
It only takes a couple of seconds to get infected nowadays.

You are at least learning a good lesson in security from all this.
 
Hey,

I noticed in your original post that you stated that you were getting the grey Messenger Service popups with porn ads. You may want to disable the Messenger Service as well.
Right-click My Computer, click Manage
Go to Services and Applications
Change the startup type to 'disabled' then click 'stop' to stop the service from running.

Since this is a new PC and I feel like you really want it to perform optimally, I also suggest you install a spyware tool for future reference. Adaware (which can be found at lavasoft.com) is the tool I recommend. Let me know if this helps.
 
When running the virus removal tool it is recommended you run it in safe mode as well.

Don't forget that a lot of these viruses such as the sasser.worm will need a Windows patch to prevent future infection; these are available through the Windows Update app.
 
jrbarnett

All seems well now. Have had internet access for half an hour or so without any hassle. Seems to have worked !!
Thanks again !

Linney

I think I may reinstall again but I'm going to have a play first and get the mistakes I'm sure I'll make out of the way first !

Broant

Have set messenger to disabled as you said so hopefully those messages won't return. Incidentally, one of the messages said "My PC was vulnerable. please go to and get the patch to fix it." Like a fool, guess what I did ???
Could this have made the problems I had even worse ?

BCastner

Thanks for the links. Plenty to learn from those !

SGT

I was running NAV in safe mode too. Thanks !

Thanks guys.
(P.S. - have got adaware on my other PC so I'll get it on the new one A.S.A.P.)

Thanks again
 
Kwunder,

If it might make you feel better at all:

. I was at a recent MSFT security conference, and at lunch all everyone could talk about was how they spent Christmas Day and the next two days sorting Blaster issues on clients' new Christmas present computers. They were seriously angry.

. Service Pack 2 enables the new version of Windows Firewall by default. Hopefully this will not happen again.

Note to all: In setting up a new machine, please enable, prior to accessing the internet for the first time, the native ICF firewall. You can change it later to a third-party program, or wait six more weeks for Service Pack 2. But do not connect the new computer to the internet without the firewall active. Been there, done that, as have many. You will be very unhappy after less than two minutes on most ISP connections.
 
Bcastner:

Nice one !
It has made me feel better actually. I couldn't quite understand how I was being attacked so quickly after setting up the connection. To activate the in built firewall is as you say an absolute MUST and an excellent tip.

Many thanks
 
Get Spybot Search and Destroy (it is free) ASAP!!!!!!

CharlesCook.com
ADP - PeopleSoft - SAP
ReportSmith - Crystal Reports - SQR - Query - Access
Reporting - Interfaces - Data Mining
 
I have updated my WinXP firewall FAQ based on information in this thread.

John
 
I have decided to re-install now but just before I set up my ISP details, I know that after the ISP software is installed, the PC restarts and then ALWAYS connects to my ISP to finalise settings. Problem there is that I can't enable the in-built ICF until my account is set up as the connection doesn't show in the connections dialogue until I have gone through the restart and connect to ISP procedure. Hence, I HAVE to go online before I can implement the in-built ICF. Looks like I'll have to run the risk and enable the ICF immediately after the ISP is set up. Unless anyone knows of a workaround ??

Cheers
 
Try this - if you don't have to reboot, don't, then re-enable it. If it is forced, go to Start -> Run then enter "shutdown -a" in the box (without the quotes) and hit Enter. This should abort any forced shutdown.
You should then be able to enable ICF. After that, do a full reboot and carry on with your ISP signup procedure.

John
 
kwunder,

Create a new DUN connection, and give it your home phone number. Then enable the firewall on the adapter. Then install your ISP software, etc...

All you want is to make the ICF active, so creating first a fake DUN connectoid will let you do this.

Bill
 
John. Had a go but the setup didn't actually create the connection until after I'd rebooted. Thanks

Bill. I created a fake connection and enabled it. Installed the REAL ISP software, rebooted, deleted the fake one and enabled the ICF on the REAL one and all seems well !

Thanks again. Couldn't have done it without you guys !

[2thumbsup]
 
What is amazing to me is that Microsoft has made NO changes to the Windows XP install disk since SP1. While the discovery and patch of the Sasser vulnerability is less than 2 months old, Blaster blazed into infamy last August, about 10 months ago. Meanwhile they've been continuing to distribute the same old install disk all this time. While it is good that SP2 is almost here, why didn't they at least try to recall whatever disks were in the channel and put out SP1a or something that set the firewall on by default?

I still think that anyone who buys a new computer with a current operating system meant for the masses has a reasonable expectation that they wouldn't have to deal with old issues that are so disastrous to their first minutes of online computing experience.
 