Possibly infected with a virus or spyware
I feel like a fool
3:20 pm on Aug 15, 2006 (gmt 0)
I was going through the logs for one of the websites I manage, and found some requests that didn't look right. I looked up the IP and found it belongs to a well-known U.S. datacenter. For some dumb reason, and I don't even know why I did it, I pasted the IP into my browser's address bar to visit it (having disabled lots of stuff first).
Of course, it wasn't a webpage at all; Windows Media Player immediately opened with a file that it couldn't play due to the source file being "corrupted."
Fortunately I know enough to be worried when something like that happens. The first thing I did was pull the ethernet cable out of my computer so at least, if I am infected, it can't spread across our LAN or transmit data back to wherever. I then ran scans with Windows Defender and AntiVir, both at the highest security level and both fully updated as of about midnight last night. No detections so far. I'll be running AdAware and Spybot shortly, although unfortunately I'll have to briefly go online again to download updates for those.
No unrecognized processes are running on my PC, at least nothing that shows in the Task Manager (and I know some things can hide). There was some hard drive activity right when Media Player opened, but that's normal so it doesn't necessarily (but might) indicate that something malicious was being installed.
So my question is: Assuming none of these scans turn up anything, would anyone here trust the box as it sits, or should I just bite the bullet and do a full reinstall of the OS? I don't mind doing that if I have to, but I'd rather not do it if it's not necessary.
I'm on Windows 2000, SP4, kept fairly up to date. Stupidly, I was running on an administrator account. I guess I'd gotten kind of lax since I figured I was smart enough to avoid getting infected. Not anymore. I'll be switching to a user-only account for the future, but of course that doesn't fix whatever may have already happened.
By the way, does anyone know when the most recent Media Player vulnerability was? The latest I can find was in April, and I know I've applied patches since then. It could be that I was attacked, but was sufficiently patched to survive it. What do you think?
5:06 pm on Aug 15, 2006 (gmt 0)
First stop, search: [google.com...]
5:56 pm on Aug 15, 2006 (gmt 0)
Thanks, but I did search before I came here. :) I found lots of information on the vulnerability (at least, I found enough to understand that I was almost certainly attacked) but what I haven't been able to find is if any of the current virus or spyware scanning tools can detect this vulnerability once the exploit has already taken place. If they can, I'm probably okay. If they can't, I'll probably need to reformat.
3:19 am on Aug 16, 2006 (gmt 0)
You might want to check out NOD32. IMO it is by far the best AV/security software in existence. *Nothing* gets by it. It's free to try for a month, so even if you don't want to purchase it, it's well worth downloading it just long enough to use the on-demand scanner a few times. BTW I don't work for NOD32 - I'm just really impressed with their product.
4:36 pm on Aug 16, 2006 (gmt 0)
Use an HTTP header checker to determine the MIME type that caused Media Player to open. It may simply be that it needs DivX installed or some other codec and there was no attack.
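To do what the post above suggests without letting a browser dispatch the response to a helper application, fetch only the headers and look at Content-Type (and Content-Disposition) yourself. The script below is an added example for this thread, not code posted by anyone in it or tooling from the forum: `fetch_head` issues a HEAD request with the standard library, `classify` decides whether the declared type is one a Windows browser would hand to Windows Media Player, and `sniff_body` checks the first bytes of the body because a server can lie in Content-Type. The list of player-handled MIME types and the sample response are my own constructions (the ASF header GUID is the real file signature; the rest of the sample is made up), and the hostname handling assumes a plain `http://host/path` URL.

```python
"""Added example: inspect what a URL serves before any browser opens it.
Not from the original thread; the MIME list and sample data are assumptions."""
import http.client
import re
from urllib.parse import urlsplit

# MIME types that a mid-2000s Windows browser would typically hand to
# Windows Media Player. Illustrative, not exhaustive (assumption).
MEDIA_PLAYER_TYPES = {
    "video/x-ms-asf", "video/x-ms-asx", "video/x-ms-wmv", "video/x-ms-wm",
    "audio/x-ms-wma", "audio/x-ms-wax", "application/x-mplayer2",
    "video/x-msvideo",
}

# ASF Header Object GUID: the first 16 bytes of every ASF/WMV/WMA file.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")


def parse_response_head(raw: bytes) -> dict:
    """Parse the status line and headers of a raw HTTP response.
    Returns {'status': int, 'headers': {lowercase-name: value}, 'body': bytes}."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": int(m.group(1)), "headers": headers, "body": body}


def classify(headers: dict) -> dict:
    """Decide from the declared headers how a browser would dispatch the response."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    disp = headers.get("content-disposition", "").lower()
    return {
        "content_type": ctype,
        "forced_download": disp.startswith("attachment"),
        "media_player_handler": ctype in MEDIA_PLAYER_TYPES,
        "html": ctype in ("text/html", "application/xhtml+xml"),
    }


def sniff_body(body: bytes) -> str:
    """Cheap content sniff on the first bytes, independent of Content-Type."""
    if body.startswith(ASF_HEADER_GUID):
        return "asf"
    if body.lstrip().startswith(b"<"):
        return "markup"
    return "unknown" if body else "empty"


def analyze_raw(raw: bytes) -> dict:
    """Header classification plus body sniff for a captured response."""
    parsed = parse_response_head(raw)
    result = classify(parsed["headers"])
    result.update(status=parsed["status"], sniffed=sniff_body(parsed["body"]))
    return result


def fetch_head(url: str, timeout: float = 10.0) -> dict:
    """Live HEAD request (no body transferred). Network call; not run by the test."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    conn.request("HEAD", parts.path or "/", headers={"User-Agent": "header-check/1.0"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    result = classify(headers)
    result.update(status=resp.status, sniffed="not fetched")
    return result


# Constructed sample (not a real capture): a server answering with an ASF
# stream, which is what a Media Player launch looks like at the header level.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: video/x-ms-asf\r\n"
    b"Content-Length: 1234\r\n"
    b"\r\n"
    + ASF_HEADER_GUID + b"\x00" * 8
)

if __name__ == "__main__":
    print(analyze_raw(SAMPLE_RESPONSE))
```

If the declared type is in the player list, or the body sniff says ASF while Content-Type claims something else, you have the answer to the codec-versus-attack question at the header level; whether the file itself is malformed still needs the body, which you should only ever save to disk, never open in a handler.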
5:23 pm on Aug 16, 2006 (gmt 0)
The link I posted leads to a scanner for the published Media Player vulnerability as one of the top results.
As kaled says, this may just be the result of the recent AdSense bug [webmasterworld.com] that forced an Acrobat Reader or Media Player start-up.
6:41 pm on Aug 16, 2006 (gmt 0)
Have you tried searching for the address of the site you visited to see if anyone else has had problems?
If it was malicious then I'm sure you weren't the first...
9:04 pm on Aug 16, 2006 (gmt 0)
Thanks for the replies folks. I wasn't able to get back to the thread until now due to my recent reformatting activities! ;) (Yes, I chickened out and took the most secure route I could think of - I handle some sensitive data and can't take any chances.)
Bman, I've heard a lot of good things about NOD32 before, but it seems I've also heard that it's tough on system resources (I could be mistaken). What's your experience in that respect?
Unfortunately, I doubt it was the AdSense bug that triggered this. The page itself never displayed anything, AdSense or otherwise, plus I was using Firefox.
I've also decided to face the real world and take the security steps I knew I should have been using before but wasn't because they were a little inconvenient. I'm now using a "user-only" Windows account, I'm going to leave live virus checking turned on in AntiVir (which I used to leave off because of the slight performance hit) and I've changed my Firefox download settings to save every download instead of opening them in specified applications. These steps, plus regular spyware/adware/virus scans, should help me stay as safe as anyone can be on Windows these days.
3:30 am on Aug 19, 2006 (gmt 0)
I haven't noticed any decrease in performance since I started using NOD32. In fact I just checked it in Task Manager and it consumes less than 1% of the total resources. Definitely can't say that about Norton.