I started getting warnings this morning from AVG that it had detected a virus, trojan, worm, dialer, or some other sinful program on my system. Since I do not have AVG set up to regularly scan my system, these infestations were being detected by AVG's real-time plug-in that scans pretty much any file created or opened on the system. It would seem that something running on the system was creating these files, and they were fairly well targeted.
At some point while screwing around, it occurred to me that a day or two ago I had disabled the XP Service Pack 2 firewall on the network card facing my LAN. I wanted my DVR to be able to have unrestricted access to my desktop for various reasons, and it was just getting in the way. Well, it appears that at some point my dial-up account also had its firewall dropped. I presume at this point that a remotely exploitable flaw in XP had been taken advantage of, and I just got my ass handed to me.
When I came active (and probably had dialed out), AVG hit me with "Trojan horse Downloader.Generic.ZLD" inside the recycle bin as "Dc380.exe". I did not delete anything named Dc380 that I can remember, and there was nothing in the bin named anything like that. I rebooted into safe mode and re-ran AVG for a full system scan (a previous scan found nothing at all), and had about 6 errors trying to access a couple of directories in the recycle bin that did not show up to the user. There were Dc???.exe, Dc???.html, and stuff like that in there. I was refused access to the recycle bin directory by the XP Pro recovery console (a lot of good that piece of crap is) but was able to delete most of it under safe mode just by going in there with the command prompt.
Only two directories remain, "Dc968.0-source" and "Dc972", which are both dated in Feb of 2004. I seriously doubt I have been infected that long, but I suppose it's possible that this Dc??? crap isn't even related to the Trojans.
I have seven instances of the "Win32/Gaelicum.A" virus from 1:01AM through 1:10AM, at which time I probably turned the firewall back on. At 2:13AM, AVG picked up another Trojan called "Trojan horse Downloader.Harnig.AJ" in "Documents and Settings\pwtenny\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.xxx\Cache\xxx" as "6DFD48CCd01", during a manual scan. This didn't surprise me at all; this stuff gets loaded from web pages all the time, and usually rapes Internet Explorer. All it did to Firefox was get stuffed in the cache.
The Trojan from the recycle bin, Dc380.exe, showed up again at 3:54AM as A0013891.exe in the system restore folder. I simply turned system restore off, which will wipe out all previous restore points and data (don't do this unless you are CERTAIN that your system is running stable, and that you won't want to restore later). That is after I had AVG stuff it in the Virus Vault, of course.
At 4:21, 4:23, and 7:05AM I was alerted by AVG that new virus-laden files had surfaced called "Trojan horse BackDoor.Gobot.AE" in My Documents\Music, my custom download directory, and again in the UT2004 directory. I haven't heard a peep from AVG since.
I turned to sysinternals Process Explorer, and found nothing abnormal, even though some process was holding an open handle to those Dc??? directories in the recycle bin, because I was being denied access to them, even as an administrator. Process Explorer has never failed to show me what process is holding an open handle to a file before, so this was very disappointing. Filemon showed nothing abnormal either. Rootkit Revealer, however, had better results. There were 12 results in total, all files, directories, and registry keys that were being hidden from the Windows API. This means that nothing I was doing was ever going to see these items, because something very high level was intercepting system calls at the kernel level, and hiding them.
Once I have the directory names, I intend to try to access them again at the system recovery console, hoping that this apparent Rootkit will not be running. If that fails, I am going to remove the hard drive and insert it as a slave into my DVR. I will create a new user account on that system so that should I screw up, and an infection takes place, at the very least it will not be able to install at the kernel level as it has on my desktop. This is as good a lesson as ever why you should not run day-to-day tasks as a system administrator, even on something as full of holes as Windows.
Once I have a list of hidden directories again (trying to save the list the first time resulted in Rootkit Revealer using 100% and becoming unresponsive), I'm going to take that box down and get this fixed if I can. If I have to, I'll do a fresh side-by-side install to this one and start again. I have no intention of living with a compromised system.
...[15 minutes later]... the Rootkit Revealer finished its job.
It now seems certain that I do have the remnants of a rootkit, as there are directories somewhere in the filesystem that are being hidden from everything except direct examination of the filesystem itself. The good news is that if the directories had contained anything harmful, like the files responsible for hiding the directories, they would have shown up. Since they haven't, I can now safely assume that these directories pose no real threat to my system, and I can leave them alone. I can also assume (perhaps unsafely) that the driver responsible for hiding them is not hidden itself, and if I can find it, I can disable it.
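The two passages above (the 12 Rootkit Revealer hits, and the conclusion that directories are being hidden from everything except direct examination of the filesystem) describe a cross-view discrepancy check: enumerate a namespace once through the normal Windows API and once by reading the raw structures underneath it, then report anything the two views disagree on. Below is an added Python illustration of that comparison; it is not Rootkit Revealer's code and does no raw NTFS or hive parsing itself. The two enumerations, the recycle-bin SID folder, the "Dc" names and the EXAMPLE_HIDDEN_DRIVER service name are all constructed placeholders.

```python
"""Cross-view discrepancy check, in the spirit of Rootkit Revealer.

Given two listings of the same namespace, one from the high-level API and
one from direct examination of the underlying data, anything present only in
the raw view is being concealed from normal tools. Added example, not the
tool's own code; all sample paths below are constructed.
"""
from collections import defaultdict


def normalize(path: str) -> str:
    """Windows file paths and registry keys compare case-insensitively."""
    return path.replace("/", "\\").rstrip("\\").lower()


def classify(path: str) -> str:
    """Rough bucket for reporting: registry key versus filesystem object."""
    if normalize(path).startswith(("hklm\\", "hkcu\\", "hkey_")):
        return "registry key"
    return "file or directory"


def cross_view_diff(api_view, raw_view):
    """Return (hidden, phantom).

    hidden  = objects in the raw view only: concealed from the API.
    phantom = objects in the API view only: e.g. deleted between the two
              passes, or a hooked API fabricating entries.
    Both kinds are discrepancies worth a look; hidden ones are the worrying kind.
    """
    api = {normalize(p): p for p in api_view}
    raw = {normalize(p): p for p in raw_view}
    hidden = sorted(raw[k] for k in raw.keys() - api.keys())
    phantom = sorted(api[k] for k in api.keys() - raw.keys())
    return hidden, phantom


def summarize(hidden):
    """Group hidden objects by kind so a dozen hits read like a report."""
    buckets = defaultdict(list)
    for p in hidden:
        buckets[classify(p)].append(p)
    return dict(buckets)


# Constructed sample data standing in for the two enumerations (placeholders).
RECYCLER = r"C:\RECYCLER\S-1-5-21-EXAMPLE-SID"
API_VIEW = [
    RECYCLER + r"\INFO2",
    RECYCLER + r"\desktop.ini",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
]
RAW_VIEW = [
    RECYCLER + r"\INFO2",
    RECYCLER + r"\desktop.ini",
    RECYCLER + r"\Dc968.0-source",   # directory the API never shows
    RECYCLER + r"\Dc972",            # directory the API never shows
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE_HIDDEN_DRIVER",  # placeholder
]

if __name__ == "__main__":
    hidden, phantom = cross_view_diff(API_VIEW, RAW_VIEW)
    for kind, items in summarize(hidden).items():
        print(f"{kind}: {len(items)} hidden from the API")
        for p in items:
            print("   ", p)
    if phantom:
        print("visible to the API only:", phantom)
```

The hidden bucket is the one that matters: a directory or service key that exists on disk but never appears through the API is exactly the symptom described above, and a service key in that bucket is the natural place to look for the driver doing the hiding.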
Come to think of it, the hidden folders share the same modification and creation date as the files I just manually deleted from the recycle bin, 7/1/04. The rootkit driver responsible for hiding those folders may very well reside in the two recycle bin folders I can't see to delete. However, as I said, I deleted most of what was in there and I believe that the only code left is the driver responsible for hiding these folders, and nothing more. The trojans were most likely the result of the firewall being down; I'll just have to wait and see.