Virus attack

Though I use my computer very carefully and always keep in mind to beware of viruses and spyware, my computer was still attacked by a worm virus last week. I was notified by our network administrator that my internet connection was cut off because they had received a complaint from a Danish network administrator that my computer kept scanning their computers in a hacking manner. Our admin suggested that I reinstall my system and rebuild my computer, but I think this is very troublesome because I would have to reinstall all the applications on my computer. So I tried to resolve this security issue by digging into the system.

1. Since last Thursday, I have found a popup error message for “remotetest1.3.exe” that asks me if I want to report this error to Microsoft or not. I got this message for the first time when I was using my computer via remote desktop from home. After that I lost the network connection to my office computer; I believe they cut it off. Then I checked my registry and found a suspicious key “Microsoft Update Service=cssrs.exe”, which appears in both “HKLM\Software\Microsoft\Windows\CurrentVersion\Run\” and “HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\”. I searched the internet and found it’s a worm virus. The filename “cssrs.exe” is very similar to the system's “csrss.exe”, so it can be easily ignored. These registry entries were deleted.

2. I scanned my computer with Norton AntiVirus and Webroot Spy Sweeper with the latest virus definitions loaded, to make sure that my computer is now virus and spyware free. During this procedure, a “NetSky” worm virus was found and deleted. Besides that, I found some suspicious files in my web server root directory, including an “explorer.exe” file, which is loaded into memory when Windows starts up. They were deleted as well.

3. I upgraded the system to Microsoft Windows XP SP2 for enhanced security features. And autoupdate for Windows is always on.

4. I installed third-party firewall software, ZoneLabs Integrity Desktop, which can control both inbound and outbound network traffic. All inbound and outbound network traffic needs my authorization. This is much better than the firewall that comes with XP SP2, which can only block incoming access.

After all these steps, my computer works very well so far.
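The two autostart findings from steps 1 and 2 (a filename that imitates “csrss.exe”, and an “explorer.exe” outside the Windows folder) can be checked for mechanically. The following is an added example, not part of the original post: the list of system names, their expected folders (assuming Windows is installed in C:\Windows), the web root path and the sample entries are constructed for illustration.

```python
import ntpath

# Assumed expected locations of some well-known Windows binaries (C:\Windows install).
EXPECTED_DIR = {
    "csrss.exe": r"c:\windows\system32", "smss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def osa_distance(a, b):
    """Edit distance that counts a swap of two adjacent letters as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]

def check_entry(command):
    """Return a finding string for one autostart command line, or None."""
    path = command.strip().strip('"').lower()
    exe, folder = ntpath.basename(path), ntpath.dirname(path)
    if exe in EXPECTED_DIR:
        # Genuine name: only suspicious when a folder is given and it is wrong.
        if folder and folder != EXPECTED_DIR[exe]:
            return f"{exe} runs from unexpected folder {folder}"
        return None
    for real in EXPECTED_DIR:
        if osa_distance(exe, real) <= 1:  # one typo or one swapped pair
            return f"{exe} imitates {real}"
    return None

def scan(entries):
    """entries: (value name, command) pairs as exported from the Run keys."""
    findings = [(name, check_entry(cmd)) for name, cmd in entries]
    return [(name, f) for name, f in findings if f]

# Constructed sample: the first value is the one named in the post, the rest are made up.
SAMPLE_RUN_ENTRIES = [
    ("Microsoft Update Service", "cssrs.exe"),
    ("Shell", r"C:\Inetpub\wwwroot\explorer.exe"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
]

if __name__ == "__main__":
    for name, finding in scan(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {finding}")
```
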