Re: ? WINS\*.EXE installed as part of Windows

From: Alec Soroudi (a_at_a.com)
Date: 12/01/03


Date: Sun, 30 Nov 2003 20:08:04 -0500


    So you're saying that Windows becomes infected DURING the INSTALL,
that's why the files are already there as soon as the installation is
finished?

--
Alec
asoroudi@synetech.cjb.net
 
"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:u2$oNq5tDHA.3116@tk2msftngp13.phx.gbl...
> If these files are under the path you quote, they are products of infection.
>
> If you connect an unpatched XP machine to the Internet without enabling the
> XP Firewall on the connection, it will be infected within seconds.
>
> You need to unplug the Internet connections while installing until you
> ensure that the firewall is enabled on the connection.  Then download and
> apply all critical patches via WindowsUpdate.  If you need access to the
> machine for file and print sharing, you could turn the firewall off at that
> point, but your situation sounds like one where it would be better left on.
>
> Apparently, you either have no firewall to the Internet, or have a raft of
> infected machines on the local network--even one will accomplish this.  Have
> you checked your local network using the tools to detect unpatched/infected
> machines?
>
> http://support.microsoft.com/default.aspx?kbid=827363
>
>
> "Alec Soroudi" <a@a.com> wrote in message
> news:eOej$R4tDHA.1876@TK2MSFTNGP09.phx.gbl...
> >     Hi,
> >
> >     You know that whole WINS thing?  %systemroot%\WINS\DLLHOST.EXE &
> > %systemroot%\WINS\SVCHOST.EXE?  Well I'm a bit confused about it.  Are they
> > actual Windows files that have been exploited or are they files that a virus
> > puts in there?  The reason I ask is that I recently did a clean install of
> > Windows XP Professional on a bunch of machines and after the second reboot
> > (after it does the "Saving settings" part, before the part where you set up
> > the users and stuff), the two files are THERE!  I booted into DOS mode after
> > each and every reboot during the install and after the second one, the files
> > were there.
> >
> >     So, what's the deal?  Are they system files?  Is the installation CD
> > infected?  Is it the MBR, or some other part of the system that's infected?
> > I could swear they weren't there the first time I installed XP when we first
> > got it...
> >
> >
> >     Thanks.
> >
> > --
> > Alec
> > asoroudi@synetech.cjb.net
> >
> >
> >
> >
>
>
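
The check implied by this thread, as an added example that is not part of either post: flag files that carry a Windows system binary's name but sit outside the directories where that binary normally lives, as with the two files under %systemroot%\WINS. The function name, the `EXPECTED_DIRS` allow-list and the sample listing are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS (e.g. on an offline file listing)

# Assumed allow-list: directories, relative to %systemroot%, where these
# binaries are normally found. Extend it for the builds you manage.
EXPECTED_DIRS = {
    "svchost.exe": {"system32", "system32\\dllcache", "syswow64"},
    "dllhost.exe": {"system32", "system32\\dllcache", "syswow64"},
}

def find_masquerading(paths, systemroot=r"C:\WINDOWS"):
    """Return the paths whose file name is a watched system binary but whose
    directory is not one of the expected locations under systemroot."""
    root = ntpath.normcase(ntpath.normpath(systemroot))
    findings = []
    for original in paths:
        # normpath + normcase: unify slashes and make the comparison
        # case-insensitive, as the Windows file system is.
        norm = ntpath.normcase(ntpath.normpath(original))
        directory, name = ntpath.split(norm)
        allowed = EXPECTED_DIRS.get(name)
        if allowed is None:
            continue  # not a name we are watching
        if directory.startswith(root + "\\"):
            relative = directory[len(root) + 1:]
        else:
            relative = None  # at the root itself or outside systemroot
        if relative not in allowed:
            findings.append(original)
    return findings

# Constructed sample listing (not taken from a real machine).
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\dllcache\dllhost.exe",
    r"C:\WINDOWS\WINS\DLLHOST.EXE",
    r"C:\WINDOWS\WINS\SVCHOST.EXE",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for hit in find_masquerading(SAMPLE):
        print("unexpected location:", hit)
```

A hit only says the location is unusual; confirm with a file hash or signature check before treating the machine as infected.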

